Web Server-to-Mid-Tier Authentication Issue

Discussions concerning general integration topics.

Moderator: Phil Barton

dlerickson
Posts: 80
Joined: Tue Jan 21, 2014 11:35 am
Location: Austin, TX

Web Server-to-Mid-Tier Authentication Issue

Post by dlerickson »

Here's the scenario: I'm developing a web app (.NET MVC, Framework version 4) which references the various Select DLLs locally. It attempts to open an order and perform various operations via the API.

On my local build machine, running as localhost, this works fine. However, when deployed out to one of the test web servers, authentication fails, throwing a SecurityException with the super helpful message "Security error." We attributed this to a possible double-hop authentication issue, so the server admins set up Kerberos delegation between the web server where the call to SelectServer.TryAuthenticate() originated and the Mid-Tier server that was targeted by the request (the web server was already set up to use Windows Authentication within IIS).

We're still getting the authentication failures, and have ensured that our credentials are set up within Select for the target Mid-Tier. What steps are we missing?
BobRichards
Posts: 1376
Joined: Wed Jan 15, 2014 3:50 pm
Location: Raleigh, NC

Re: Web Server-to-Mid-Tier Authentication Issue

Post by BobRichards »

It is unfortunate (though a best practice for security reasons) that the authentication failure message is not helpful. Can you try and remove Active Directory from the equation by setting up a simple Select user/password and see how that works. Are you running the same versions of Select in all environments?
Bob Richards, Senior Software Developer, SoftPro
enendza
Posts: 75
Joined: Wed Oct 16, 2019 12:22 pm

Re: Web Server-to-Mid-Tier Authentication Issue

Post by enendza »

We are getting the same error after upgrading from SDK 4.3.50811.31 (4.3.7) to SDK 4.3.60210.108 (4.3.38).
Have tried changing the .NET Framework from 4.7.2 to 4.6.0 but it's still the same. All the SoftPro DLLs are pointing to the new version in the References. So, is there anything else that we can try to make this work?

Code:

using System;
using System.Net;
using SoftPro.Select.Client;   // namespace providing SelectServer in the Select SDK (assumed)

private static NetworkCredential auth = new NetworkCredential("Username", "Password", "[SERVER]");
private static string serverUri = "http://url/";

using (var server = new SelectServer(serverUri, auth))
{
    string reason;
    // Code is failing HERE when connected through the API. Localhost works fine
    // deployed locally. IIS deployment on test server fails with Security Error.
    if (!server.TryAuthenticate(out reason))
    {
        System.Console.WriteLine(reason);
        throw new Exception(reason);
    }
    ...
}
Please let us know if there is anything that we can do to fix this issue.
epotts
Posts: 4
Joined: Fri Nov 13, 2020 3:28 pm

Re: Web Server-to-Mid-Tier Authentication Issue

Post by epotts »

Have you set the PIN for the Select server on that machine?

Steps Select Client Takes to Validate PIN
This is the logic that occurs in the client when it connects to the server. PIN refers to the token passed back to the Select client from the server.

If the user belongs to the "Windows" authority and is not required to enter username/password in the Select client login form then the client ignores the PIN and allows connection.

If the environment variable SPS_DISABLECERTPIN is set to 1 then the client ignores the server PIN and allows connection.

Set PowerShell environment variable: PS> $env:SPS_DISABLECERTPIN=1
Set from DOS shell: c:\> set SPS_DISABLECERTPIN=1

If the environment variable SPS_CERTPINS has the required server/PIN pair then the client will allow connection. See additional Server/PIN examples.

Example SPS_CERTPINS: http://localhost:8080/|F351BA;http://lo ... dev|F351BA

Set PowerShell environment variable: PS> $env:SPS_CERTPINS={settings}

If the registry key CertificatePins in node HKLM\SOFTWARE\WOW6432Node\SoftPro\Select exists and has the required server/PIN pair then the client will allow connection. See additional Server/PIN examples.

Example CertificatePins: http://localhost:8080/|F351BA;http://lo ... dev|F351BA

If the user configuration file has the required server/PIN pair then the client will allow the connection.

The list of server/PIN pairs is stored in the CertificatePinMapping key in the SoftPro.Select.Settings section. See additional Server/PIN examples.

Example user config file: %AppData%\SoftPro\Select\4.3\Select.user.config or %AppData%\SoftPro\Select\4.3\Select(Exp).user.config

Example key in config file: <add key="CertificatePinMapping" value="HTTP://SPRO-L300777:8080|96F241" />

If the Client application configuration file has the required server/PIN pair then the client will allow the connection. (Typically C:\Program Files (x86)\SoftPro\Select\Select.exe.config) See additional Server/PIN examples.

The list of server/PIN pairs is stored in the CertificatePinMapping key in the SoftPro.Select.Settings section.

Example user config file: Select.exe.config or Select(Exp).exe.config

Example key in config file: <add key="CertificatePinMapping" value="HTTP://SPRO-L300777:8080|96F241" />

User is prompted for PIN. User must enter PIN.
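The lookup order epotts lists above, as an added PowerShell example (not code from the SoftPro SDK or from any post in this thread). It walks the PIN sources in that order for a given server URL and reports the first one that would satisfy the client, which is useful on the IIS box because the last fallback, an interactive PIN prompt, can never be answered by a worker process, so one of the earlier sources has to hold the pin for the app pool identity. Run it as that identity: its environment, registry view and %AppData% are what the Select client sees, not the logged-on admin's. Assumed, not taken from the post: URL matching is case-insensitive and ignores a trailing slash, the config files are plain XML with the section and key shown above, the `4.3` path segment and the Select.exe.config location are parameters you may need to change, and the `url|PIN` values in the usage comment are constructed.

```powershell
# Added example, not code from the SoftPro SDK or from the post above.

function ConvertTo-PinKey {
    param([string]$Uri)
    # Assumption: the client matches case-insensitively and ignores a trailing slash
    # (the post shows both "HTTP://SPRO-L300777:8080" and "http://localhost:8080/").
    return $Uri.Trim().TrimEnd('/').ToLowerInvariant()
}

function ConvertFrom-PinList {
    # Parses the "url|PIN;url|PIN" text used by SPS_CERTPINS, CertificatePins and
    # CertificatePinMapping into a hashtable keyed by normalised URL.
    param([string]$Text)
    $pins = @{}
    if ([string]::IsNullOrWhiteSpace($Text)) { return $pins }
    foreach ($pair in ($Text -split ';')) {
        $parts = $pair -split '\|', 2
        if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) { continue }  # skip malformed entries
        $pins[(ConvertTo-PinKey $parts[0])] = $parts[1].Trim()
    }
    return $pins
}

function Read-ConfigPinMapping {
    # Pulls CertificatePinMapping out of the SoftPro.Select.Settings section of a
    # Select.user.config / Select.exe.config file; $null if the file or key is absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    } catch {
        Write-Warning "Cannot parse $Path as XML: $($_.Exception.Message)"
        return $null
    }
    $node = $xml.SelectSingleNode("//SoftPro.Select.Settings/add[@key='CertificatePinMapping']")
    if ($null -eq $node) { return $null }
    return $node.GetAttribute('value')
}

function Get-SelectPinSource {
    param(
        [Parameter(Mandatory = $true)][string]$ServerUri,
        [string]$SelectVersion = '4.3',                                               # assumed path segment
        [string]$AppConfig = 'C:\Program Files (x86)\SoftPro\Select\Select.exe.config'  # assumed location
    )
    $key = ConvertTo-PinKey $ServerUri

    # Kill switch from the post: disables the pin check for the whole process. It also
    # removes the protection the pin gives you, so treat a hit here as a finding, not a fix.
    if ($env:SPS_DISABLECERTPIN -eq '1') {
        return [pscustomobject]@{ Source = 'env:SPS_DISABLECERTPIN'; Pin = $null; Note = 'pin check disabled' }
    }

    $regKey  = 'HKLM:\SOFTWARE\WOW6432Node\SoftPro\Select'
    $regPins = (Get-ItemProperty -Path $regKey -Name CertificatePins -ErrorAction SilentlyContinue).CertificatePins
    $userDir = Join-Path $env:APPDATA "SoftPro\Select\$SelectVersion"

    # Remaining sources in the post's order: the first one holding a pin for this URL wins.
    $candidates = @(
        @{ Source = 'env:SPS_CERTPINS';                 Text = $env:SPS_CERTPINS },
        @{ Source = "$regKey\CertificatePins";          Text = $regPins },
        @{ Source = "$userDir\Select.user.config";      Text = Read-ConfigPinMapping "$userDir\Select.user.config" },
        @{ Source = "$userDir\Select(Exp).user.config"; Text = Read-ConfigPinMapping "$userDir\Select(Exp).user.config" },
        @{ Source = $AppConfig;                         Text = Read-ConfigPinMapping $AppConfig }
    )
    foreach ($c in $candidates) {
        $pins = ConvertFrom-PinList $c.Text
        if ($pins.ContainsKey($key)) {
            return [pscustomobject]@{ Source = $c.Source; Pin = $pins[$key]; Note = 'pin found' }
        }
    }
    # Last step in the post is an interactive prompt, which an IIS worker process cannot answer.
    return [pscustomobject]@{ Source = 'prompt'; Pin = $null; Note = 'no pin configured; client would prompt' }
}

function Add-SelectPin {
    # Adds or replaces one url|PIN pair in SPS_CERTPINS for the current process without
    # discarding pairs already present. Persisting it for the app pool identity
    # (for example via the registry value above) is a separate, deliberate step.
    param([Parameter(Mandatory = $true)][string]$ServerUri,
          [Parameter(Mandatory = $true)][string]$Pin)
    $pins = ConvertFrom-PinList $env:SPS_CERTPINS
    $pins[(ConvertTo-PinKey $ServerUri)] = $Pin.Trim()
    $env:SPS_CERTPINS = ($pins.GetEnumerator() | ForEach-Object { "$($_.Key)|$($_.Value)" }) -join ';'
    return $env:SPS_CERTPINS
}

# Usage with constructed values:
#   Add-SelectPin -ServerUri 'http://url/' -Pin 'F351BA'
#   Get-SelectPinSource -ServerUri 'http://url/'
```

If `Get-SelectPinSource` comes back with `Source = prompt` when run under the app pool account, no non-interactive source is pinning the mid-tier for that identity, and that is the case to fix before looking further at Kerberos. Prefer the registry value or the application config over `SPS_DISABLECERTPIN=1`: the variable makes the failure go away by removing the check rather than by satisfying it.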