Question

Workflow Forms Web Service Test Giving Could Not Establish Trust Error

asked on March 4, 2023

We just upgraded our Laserfiche environments from version 10 to 11. After doing so, Forms can connect to the Workflow server without an issue, but Workflow is throwing the error:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

The certificate that is assigned to the Default web site on the Forms server does not include the FQDN of the Forms server, but for the web service in Workflow I have selected the option "Accept invalid certificates".

Any ideas how to get around this issue?

If I change the Forms URL for the Web Service to http I get the error:

"The remote server returned an error: (401) Unauthorized."

0 0

Answer

SELECTED ANSWER
replied on March 7, 2023

From: https://go.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/LFWorkflow/Content/Resources/Configuration/External%20Objects/Web%20Services.htm

Note: To connect to a Laserfiche Forms server, you must first specify your Workflow Server on the Forms Server Configuration page. If the Workflow Server is not specified in Forms, Workflow will receive an HTTP (401) Unauthorized error when connecting to the Forms server, and the Forms server will record a "WFAPIAccessDenied" event log message with additional details.

Check that out if you haven't already. Especially the Forms event log stack trace.

Also make sure that the Workflow Web Service config URL is pointing directly to the Primary Forms node at http(s)://primaryFormsFQDN.example.com/Forms/ and not to your reverse proxy/load balancer/cluster address. I recall that somewhere in the auth flow there's a check that validates the WF web service address for Forms resolves to the same IP that Forms sends messages to Workflow from (which is the primary Routing Service instance).

0 0

Replies

replied on March 5, 2023

Upgrade the Forms server to TLS 1.2. We just encountered this during an upgrade last week. LF also provides a PowerShell script to make all the registry settings for TLS 1.2.

0 0
replied on March 5, 2023

It appears the SSL/TLS secure channel error was from an issue with the certificate on the Forms server. The domain is .local, but the LB URL is .com and Workflow doesn't like that so we had to get a little creative until we can figure out what to do to get it to work the way it should.

The "The remote server returned an error: (401) Unauthorized." error is still happening on one of our Workflow servers in a different environment. The weird thing is that the environment has 2 Workflow servers and 1 of them works and 1 doesn't.

0 0
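The name mismatch described in the reply above (a certificate issued for the load-balancer name while the service is reached by an internal FQDN), as an added example that is not part of the original thread and is not Laserfiche code. The function names, host names and certificate name list are constructed for illustration; the check compares the host in each candidate web service URL against the DNS names on the certificate, including the one-label wildcard rule.

```powershell
# Added example. Function names, host names and the SAN list are constructed.

function Test-CertCoversHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$DnsNames
    )
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $DnsNames) {
        $n = $name.TrimEnd('.').ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # forms.example.com, but not a.b.example.com and not example.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)    # ".example.com"
            if ($h.EndsWith($suffix)) {
                $left = $h.Substring(0, $h.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-WebServiceUrlReport {
    param(
        [Parameter(Mandatory)][string[]]$Urls,
        [Parameter(Mandatory)][string[]]$DnsNames
    )
    foreach ($u in $Urls) {
        $uri = [Uri]$u
        $covered = $null          # stays $null for plain http: no certificate is checked
        if ($uri.Scheme -eq 'https') {
            $covered = Test-CertCoversHost -HostName $uri.Host -DnsNames $DnsNames
        }
        [pscustomobject]@{ Url = $u; Host = $uri.Host; CertCoversHost = $covered }
    }
}

# Constructed case: the certificate names only the load-balancer address.
$certNames = @('forms.example.com')
$candidateUrls = @(
    'https://forms.example.com/Forms/',        # name matches the certificate
    'https://formsnode1.corp.local/Forms/',    # internal FQDN is not in the certificate
    'http://formsnode1.corp.local/Forms/'      # no TLS, so nothing is validated
)
Get-WebServiceUrlReport -Urls $candidateUrls -DnsNames $certNames | Format-Table -AutoSize
```

On a real server, the `DnsNameList` property that PowerShell's certificate provider exposes on the bound certificate shows the names to pass as `-DnsNames`.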
replied on March 6, 2023

Do they have the same authentication methods enabled in IIS?

0 0
replied on March 6, 2023

Are the web service URLs the same on both Workflow servers?

0 0
replied on March 6, 2023

@████████, yes. For the WF and Workflow applications all are disabled except for Windows Authentication. For the Default Website all are disabled except for Anonymous Authentication.

 

0 0
replied on March 6, 2023

@████████, yes, they are the same on both servers. I just checked again to make sure.

 

0 0
replied on March 6, 2023

Then it's probably time for a support case so we can take a look at WF/IIS logs and get some Fiddler traces.

 

0 0
replied on March 7, 2023

Sam, it's like we were on the same wavelength. I had planned to test that today and sure enough that fixed the error. It is interesting that the paragraph you note in the version 10 documentation does not exist in the version 11 documentation. There is a note, but it just says that you must configure it, nothing about the error you might receive. Any chance the version 11 documentation could be updated with the same paragraph?

0 0
replied on March 8, 2023

I see the same note on the page Sam linked above and the equivalent one in V11:
https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Default.htm#../Subsystems/LFWorkflow/Content/Resources/Configuration/External%20Objects/Web%20Services.htm#tabs-1

Now, the page is not where I would've expected it to be and we'll definitely fix that. But it's in the same (wrong) place in both versions.

0 0
replied on March 8, 2023

That is my bad. I was looking at the Forms documentation.

0 0
replied on March 8, 2023

Good point. We'll fix that one too.

1 0