000013364 - Allow more than 5 IIS Virtual Directories (Maximum of 10) with single RSA Archer Configuration

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000013364
Issue

The customer runs more than 5 different IIS virtual directories (all pointing to one physical location) to accommodate single sign-on for different instances and Active Directory domains.


Prior to the 5.2 SP1 and 5.3 RSA Archer release upgrades, browsing all of the virtual directories worked without any issues.


Since the upgrade, one of the virtual directories fails to show the login page. The problem occurs with whichever virtual directory is initialized (bound to RSA Archer Configuration) 6th in line.


 

Errors in Browser


Unexpected error has occurred.



Errors in Windows System event log


Error initializing log center - ArcherTech.Configuration.ConfigurationServiceException: Unexpected failure when broadcasting or receiving. ---> System.Exception: All specified ports are in use
   at ArcherTech.Configuration.ConfigurationReader.FreeTcpPort()
   at ArcherTech.Configuration.WCF.get_ClientMessageServiceEndpointUri()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetProxyInfo()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy(EndpointInfo endpointInfo)
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   --- End of inner exception stack trace ---
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy()
   at ArcherTech.Configuration.PropertyServiceClient.GetListeners()
   at ArcherTech.Configuration.PropertyServiceClient.ArcherTech.Configuration.ICommunicationProvider.GetListeners()


Errors in Archer.w3wp.log


<ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                    <TraceIdentifier>Archer.NET</TraceIdentifier>
                    <Description>A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - A system shutdown is in progress.)
SQL statement: usp_insert_security_event @userToken = 'LOGIN_SESSION', @securityEventId = SecurityEventsStopped, @userId = , @groupId = , @reportId = , @roleId = , @paramId = , @statusId = , @moduleId = , @configId = , @createDate = '#/##/#### #:##:## PM'</Description>
                    <AppDomain>/LM/W3SVC/1/ROOT/#####</AppDomain>
                    <Exception>
                        <ExceptionType>ArcherTech.Kernel.Utility.Data.ArcherDbException, ArcherTech.Kernel, Version=5.2.1.31018, Culture=neutral, PublicKeyToken=null</ExceptionType>
                        <Message>A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - A system shutdown is in progress.)
SQL statement: usp_insert_security_event @userToken = 'LOGIN_SESSION', @securityEventId = SecurityEventsStopped, @userId = , @groupId = , @reportId = , @roleId = , @paramId = , @statusId = , @moduleId = , @configId = , @createDate = '#/##/#### #:##:## PM'</Message>
                        <Source>ArcherTech.Kernel</Source>
                        <StackTrace>   at ArcherTech.Kernel.Utility.Data.ArcherSqlDatabase.WrapDatabaseCall(DbCommand command, Action methodToWrap)
   at ArcherTech.Kernel.Utility.Data.ArcherSqlDatabase.ExecuteNonQuery(DbCommand command)
   at ArcherTech.Kernel.DataSource.Db.SecurityEventDataSource.LogEvent(SecurityEventType securityEventType, Nullable`1 userId, Nullable`1 groupId, Nullable`1 reportId, Nullable`1 roleId, Nullable`1 parameterId, Nullable`1 statusId, Nullable`1 moduleId, Nullable`1 configId)
   at ArcherTech.Kernel.Brokers.SecurityEventBroker.LogEventForInstances(SecurityEventType securityEventType)
   at ArcherTech.Kernel.Managers.TaskHitManager.Insert(SecurityEventType securityEventType)</StackTrace>


                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>


    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                    <TraceIdentifier>Archer.NET</TraceIdentifier>
                    <Description>The type initializer for 'ArcherTech.Kernel.Providers.ProviderAssembler' threw an exception.</Description>
                    <AppDomain>/LM/W3SVC/1/ROOT/####</AppDomain>
                    <Exception>
                        <ExceptionType>System.TypeInitializationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                        <Message>The type initializer for 'ArcherTech.Kernel.Providers.ProviderAssembler' threw an exception.</Message>
                        <Source>ArcherTech.Kernel</Source>
                        <StackTrace>  
   at ArcherTech.Kernel.Factory.DataSourceFactory.CreateDatabaseContainer(String instanceName)
   at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
   at ArcherTech.Kernel.Factory.DataSourceFactory.CreateDatabase(String instanceName)
   at ArcherTech.Kernel.Factory.DataSourceFactory.CreateSecurityEventDataSource(InternalSessionContext sessionContext)
   at ArcherTech.Kernel.Brokers.SessionlessBroker.LogEvent(SecurityEventType securityEventType, Nullable`1 userId, Nullable`1 groupId, Nullable`1 reportId, Nullable`1 roleId, Nullable`1 parameterId, Nullable`1 statusId, Nullable`1 moduleId, Nullable`1 configId)
   at ArcherTech.Kernel.Brokers.SecurityEventBroker.LogEventForInstances(SecurityEventType securityEventType)
   at ArcherTech.Kernel.Managers.TaskHitManager.Insert(SecurityEventType securityEventType)</StackTrace>
                        <InnerException>
                            <ExceptionType>System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                            <Message>exePath must be specified when not running inside a stand alone exe.</Message>
                            <Source>System.Configuration</Source>
                            <StackTrace>  
   at System.Configuration.ConfigurationManager.OpenExeConfigurationImpl(ConfigurationFileMap fileMap, Boolean isMachine, ConfigurationUserLevel userLevel, String exePath)
   at ArcherTech.Common.Configuration.ConfigurationSectionHelper.GetSection[SectionType](String appSettingSectionName, String defaultSectionName, String sectionGroupName)
   at ArcherTech.Kernel.Providers.ProviderAssembler..ctor()
   at ArcherTech.Kernel.Providers.ProviderAssembler..cctor()</StackTrace>
                        </InnerException>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>

Cause

By default, RSA Archer Configuration allows a maximum of 5 IIS web applications to talk to a single Archer configuration through reserved ports and URLs. Each web application uses a different port to bind to the Archer configuration. The error can occur on any virtual directory that initializes 6th in line; the binding only resets on an 'iisreset'. The change in Archer service behavior is due to vulnerability fixes.
Resolution

To allow a maximum of 10 IIS virtual directories with a single RSA Archer Configuration:


- Edit the web.config file located under "..\inetpub\wwwroot\Archer".


- Locate this node in the web.config file: "<clientMessageServicePortRange lowerInclusive="13300" upperInclusive="13304" />". The section will look like:


 


  <ArcherConfigurationService applicationType="WebApp" retryWaitInterval="5" retryAttempts="1">
    <users>
      <add username="ConfigurationService-Notifier" password="jfYP0XSn2lte3MLy81IMFA==" />
    </users>
    <clientMessageServicePortRange lowerInclusive="13300" upperInclusive="13304" />
    <lastConnection username="TestUser" password="jPv+lsqMcGAlUUXwL37haeJ7odK+Uh4QoqdHdjJOYNs=" />
  </ArcherConfigurationService>


 

- Change the node's port values to <clientMessageServicePortRange lowerInclusive="13351" upperInclusive="13360" />. The section will then look like:


 


  <ArcherConfigurationService applicationType="WebApp" retryWaitInterval="5" retryAttempts="1">
    <users>
      <add username="ConfigurationService-Notifier" password="jfYP0XSn2lte3MLy81IMFA==" />
    </users>
    <clientMessageServicePortRange lowerInclusive="13351" upperInclusive="13360" />
    <lastConnection username="TestUser" password="jPv+lsqMcGAlUUXwL37haeJ7odK+Uh4QoqdHdjJOYNs=" />
  </ArcherConfigurationService>


 

- Save the changes to the web.config file.


- Open a command prompt and run the following command: "netsh http show urlacl". Look for all URL reservations with port numbers between 13300 and 13304. All of them should have the same user listed. Take note of that complete user identity, including the domain. The reservations will look similar to the one below; the User value is the impersonation identity, NETWORK SERVICE in this case (the same as the application pool identity).


 


Reserved URL: http://+:13301/ClientMessageService/
User: NT AUTHORITY\NETWORK SERVICE
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;NS)


- Create a .bat file and add the following entries (the user value in these lines uses the same identity found in the step above):


 


netsh http add urlacl url=http://+:13351/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13352/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13353/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13354/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13355/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13356/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13357/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13358/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13359/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"
netsh http add urlacl url=http://+:13360/ClientMessageService user="NT AUTHORITY\NETWORK SERVICE"


- Run that .bat file. Confirm the newly added reservations by running "netsh http show urlacl" in the command prompt.


- Reset IIS and restart the RSA Archer service for the changes to take effect.
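
The steps above as one PowerShell script, added here as an example and not part of the RSA article: it reads the identity from the existing 13300-13304 reservations instead of hard-coding NETWORK SERVICE, widens the web.config range, and adds the new reservations. It assumes the article's default web.config path and that "netsh http show urlacl" prints a "Reserved URL" line followed by a "User" line per reservation, as shown above; without -Apply it only reports what it would change.

```powershell
# Added example, not from the RSA article: automates the Resolution steps above.
# Assumptions: the article's default web.config path, and that 'netsh http show urlacl'
# prints a "Reserved URL" line followed by a "User" line per reservation, as shown above.
# Without -Apply it only reports what it would change.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\Archer\web.config',
    [int]$OldLower = 13300, [int]$OldUpper = 13304,
    [int]$NewLower = 13351, [int]$NewUpper = 13360,
    [switch]$Apply
)

# 1. Read the identity used by the existing reservations; stop if they disagree,
#    because every new reservation must be granted to that same identity.
$lines = @(netsh http show urlacl)
$identities = @{}
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -notmatch 'Reserved URL\s*:\s*http://\+:(\d+)/ClientMessageService') { continue }
    $port = [int]$Matches[1]
    if ($port -lt $OldLower -or $port -gt $OldUpper) { continue }
    $last = [Math]::Min($i + 3, $lines.Count - 1)
    foreach ($l in $lines[($i + 1)..$last]) {
        if ($l -match 'User\s*:\s*(.+?)\s*$') { $identities[$Matches[1]] = $true; break }
    }
}
if ($identities.Count -ne 1) {
    throw "Expected one identity on ports $OldLower-$OldUpper, found: $($identities.Keys -join ', ')"
}
$identity = @($identities.Keys)[0]
Write-Host "Existing ClientMessageService reservations run as: $identity"

# 2. Widen clientMessageServicePortRange in web.config (backup first).
[xml]$cfg = Get-Content -Raw $WebConfig
$node = $cfg.SelectSingleNode('//ArcherConfigurationService/clientMessageServicePortRange')
if (-not $node) { throw "clientMessageServicePortRange not found in $WebConfig" }
Write-Host "web.config range: $($node.lowerInclusive)-$($node.upperInclusive) -> $NewLower-$NewUpper"
if ($Apply) {
    Copy-Item $WebConfig "$WebConfig.bak"
    $node.SetAttribute('lowerInclusive', "$NewLower")
    $node.SetAttribute('upperInclusive', "$NewUpper")
    $cfg.Save((Resolve-Path $WebConfig).Path)
}

# 3. Reserve one URL per new port for the same identity (netsh defaults: listen=yes, delegate=no).
foreach ($p in $NewLower..$NewUpper) {
    $url = "http://+:$p/ClientMessageService/"
    if ($Apply) { netsh http add urlacl url=$url user="$identity" }
    else { Write-Host "would run: netsh http add urlacl url=$url user=`"$identity`"" }
}
```

Run it once without -Apply to review the identity and range it found, then with -Apply from an elevated prompt, and finish with the iisreset and RSA Archer service restart from the last step.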

Legacy Article ID: a61921
