Web Server-to-Mid-Tier Authentication Issue

Posted: Wed May 25, 2016 4:13 pm
by dlerickson
Here's the scenario: I'm developing a web app (.NET MVC, Framework version 4) which references the various Select DLLs locally. It attempts to open an order and perform various operations via the API.

On my local build machine, running as localhost, this works fine. However, when deployed out to one of the test web servers, authentication fails, throwing a SecurityException with the super helpful message "Security error." We attributed this to a possible double-hop authentication issue, so the server admins set up Kerberos delegation between the web server where the call to SelectServer.TryAuthenticate() originated and the Mid-Tier server that was targeted by the request (the web server was already set up to use Windows Authentication within IIS).

We're still getting the authentication failures, and have ensured that our credentials are set up within Select for the target Mid-Tier. What steps are we missing?

Re: Web Server-to-Mid-Tier Authentication Issue

Posted: Wed May 25, 2016 4:28 pm
by BobRichards
It is unfortunate (though a best practice for security reasons) that the authentication failure message is not helpful. Can you try and remove Active Directory from the equation by setting up a simple Select user/password and see how that works? Are you running the same versions of Select in all environments?

Re: Web Server-to-Mid-Tier Authentication Issue

Posted: Wed Jul 07, 2021 12:36 am
by enendza
We are getting the same error after upgrading from SDK 4.3.50811.31 (4.3.7) to SDK 4.3.60210.108 (4.3.38).
We have tried changing the .NET framework from 4.7.2 to 4.6.0 but it's still the same. All the SoftPro DLLs are pointing to the new version in the References. So, is there anything else that we can try to make this work?

private static NetworkCredential auth = new NetworkCredential("Username", "Password", "[SERVER]");
private static string serverUri = "http://url/";

using (var server = new SelectServer(serverUri, auth))
{
    string reason;
    /* Code is failing HERE when connected through the API. Localhost works fine deployed locally. IIS deployment on test server fails with Security Error */
    if (!server.TryAuthenticate(out reason))
    {
        System.Console.WriteLine(reason);
        throw new Exception(reason);
    }
...
Please let us know if there is anything that we can do to fix this issue.

Re: Web Server-to-Mid-Tier Authentication Issue

Posted: Wed Jul 14, 2021 10:11 am
by epotts
Have you set the PIN for the Select server on that machine?

Steps Select Client Takes to Validate PIN
This is the logic that occurs in the client when it connects to the server. PIN refers to the token passed back to the Select client from the server.

If the user belongs to the "Windows" authority and is not required to enter username/password in the Select client login form then the client ignores the PIN and allows connection.

If the environment variable SPS_DISABLECERTPIN is set to 1 then the client ignores the server PIN and allows connection.

Set PowerShell environment variable: PS> $env:SPS_DISABLECERTPIN=1
Set from DOS shell: c:\> set SPS_DISABLECERTPIN=1

If the environment variable SPS_CERTPINS has the required server/PIN pair then the client will allow connection. See additional Server/PIN examples.

Example SPS_CERTPINS: http://localhost:8080/|F351BA;http://lo ... dev|F351BA

Set PowerShell environment variable: PS> $env:SPS_CERTPINS={settings}

If the registry key CertificatePins in node HKLM\SOFTWARE\WOW6432Node\SoftPro\Select exists and has the required server/PIN pair then the client will allow connection. See additional Server/PIN examples.

Example CertificatePins: http://localhost:8080/|F351BA;http://lo ... dev|F351BA

If the user configuration file has the required server/PIN pair then the client will allow the connection.

The list of server/PIN pairs is stored in the CertificatePinMapping key in the SoftPro.Select.Settings section. See additional Server/PIN examples.

Example user config file: %AppData%\SoftPro\Select\4.3\Select.user.config or %AppData%\SoftPro\Select\4.3\Select(Exp).user.config

Example key in config file: <add key="CertificatePinMapping" value="HTTP://SPRO-L300777:8080|96F241" />

If the Client application configuration file has the required server/PIN pair then the client will allow the connection. (Typically C:\Program Files (x86)\SoftPro\Select\Select.exe.config) See additional Server/PIN examples.

The list of server/PIN pairs is stored in the CertificatePinMapping key in the SoftPro.Select.Settings section.

Example user config file: Select.exe.config or Select(Exp).exe.config

Example key in config file: <add key="CertificatePinMapping" value="HTTP://SPRO-L300777:8080|96F241" />

User is prompted for PIN. User must enter PIN.
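
The lookup order in the post above, as an added diagnostic (not part of the original post and not SoftPro code): run as the account that hosts the SDK call, it reports which source would supply a server/PIN pair for a given URI and flags a disabled PIN check. The URI matching rule, the registry value type, the default URI and the helper names are assumptions.

```powershell
# Added diagnostic, not SoftPro code. Environment variables and %AppData% are per-account.
param(
    [string]$ServerUri = 'http://localhost:8080/',  # constructed sample value
    [string]$SelectVersion = '4.3'
)

# Assumption: URIs compare case-insensitively, ignoring a trailing slash.
function Normalize([string]$u) { $u.Trim().TrimEnd('/').ToLowerInvariant() }

# Parse "uri|PIN;uri|PIN" and return the PIN paired with $ServerUri, if any.
function Find-Pin([string]$list) {
    foreach ($pair in $list.Split(';')) {
        $parts = $pair.Split('|')
        if ($parts.Count -eq 2 -and (Normalize $parts[0]) -eq (Normalize $ServerUri)) {
            return $parts[1].Trim()
        }
    }
}

# Read the CertificatePinMapping value from a .config file, if present.
function Get-ConfigPins([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return }
    $xml = [xml](Get-Content -LiteralPath $path -Raw)
    $node = $xml.SelectSingleNode("//add[@key='CertificatePinMapping']")
    if ($node) { $node.GetAttribute('value') }
}

# Assumption: CertificatePins is a string value under this key.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\SoftPro\Select' -ErrorAction SilentlyContinue
$userCfg = "$env:APPDATA\SoftPro\Select\$SelectVersion\Select.user.config"
$appCfg  = 'C:\Program Files (x86)\SoftPro\Select\Select.exe.config'

# Sources in the order the post lists them.
$sources = [ordered]@{
    'SPS_CERTPINS environment variable' = Find-Pin $env:SPS_CERTPINS
    'CertificatePins registry value'    = Find-Pin $reg.CertificatePins
    'user config file'                  = Find-Pin (Get-ConfigPins $userCfg)
    'application config file'           = Find-Pin (Get-ConfigPins $appCfg)
}

if ($env:SPS_DISABLECERTPIN -eq '1') {
    Write-Warning 'SPS_DISABLECERTPIN=1: the client ignores the server PIN for this account.'
}
$found = $sources.Keys | Where-Object { $sources[$_] }
if ($found) {
    foreach ($name in $found) { "{0}: PIN {1} for {2}" -f $name, $sources[$name], $ServerUri }
} else {
    "No server/PIN pair for $ServerUri; the client falls through to the PIN prompt."
}
```

Comparing the output from an interactive login with the output under the web application's identity shows whether a pair is only defined in a per-user source.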