Vault Basic 2015 SSL Problem

SOLVED
Message 1 of 8
HorstBort
1507 Views, 7 Replies


Hi,

after finally finishing my upgrade from Vault 2011 to Vault Basic 2015 Server I'm facing this problem:

Vault 2015 refuses to communicate via SSL.

My Vault instance runs on Windows Server 2008 R2, IIS is configured to serve HTTP on port 80 and HTTPS on port 443, which works fine. Everything can be accessed via browsers over HTTP and HTTPS.

The certificate is self-signed by my own CA and issued to my server's FQDN.

However, when I try to connect with Vault Basic 2015 Client, after a long long time I get the following error:

Vault client login error: "Cannot find data management services on [Servername]"


Things I've tried:

 

  • Installed SP1 on server and client
  • opened https://server-fqdn/AutodeskDM/Services/InformationService.asmx in IE, shows this:

   

You have created a service.

    To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:

        svcutil.exe https://server-fqdn/AutodeskDM/Services/InformationService.svc?wsdl

    You can also access the service description as a single file:

        https://server-fqdn/AutodeskDM/Services/InformationService.svc?singleWsdl

    This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example: ...

    

  • set sslRequired to true in web.config
  • With this, in AVFS-log I get:

        

Error: WebServiceError [8005] (https://quantus/)
        Exception: WebServiceError [8005] (https://quantus/)
        Stacktrace:    at Connectivity.Server.Proxies.ServiceAccessor`3.Execute(String remoteServer, Action`1 action)
           at Connectivity.Filestore.Licensing.GetProductTier()
           at Connectivity.Filestore.Licensing.Initialize()

        Exception(Inner): Could not establish trust relationship for the SSL/TLS secure channel with authority 'quantus'.
        Stacktrace(Inner):
        Server stack trace:
           at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
           at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
           at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
           at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
           at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

        Exception rethrown at [0]:
           at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
           at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
           at Connectivity.Server.Proxies.SiteService.SiteService.SignInSite2(SignInSite2Request request)
           at Connectivity.Server.Proxies.SiteAuthenticator.SignIntoSite(String remoteServer, String vaultname)
           at Connectivity.Server.Proxies.ServerTokenCache.Get(Lazy`1 authenticator, String remoteServer, IResourceStore vault, SecurityHeader expiredToken)
           at Connectivity.Server.Proxies.ServiceAccessor`3._service(String remoteServer, Boolean reSignin)
           at Connectivity.Server.Proxies.ServiceAccessor`3.tryexecute(String remoteServer, Action`1 action, Int32 attemptCount)
           at Connectivity.Server.Proxies.ServiceAccessor`3.Execute(String remoteServer, Action`1 action)

        Exception(Inner): The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
        Stacktrace(Inner):    at System.Net.HttpWebRequest.GetResponse()
           at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

        Exception(Inner): The remote certificate is invalid according to the validation procedure.
        Stacktrace(Inner):    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
           at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
           at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
           at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
           at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
           at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
           at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
           at System.Net.ConnectStream.WriteHeaders(Boolean async)

 

  • Trying to activate "SSL compatibility" always gives me the error "please configure SSL in IIS first", though I've already done that.
  • Created my own CA and issued a certificate to the internal network address to rule out certificate errors
  • Added CA to Cert Store in IE, which gets rid of the certificate warnings and was the trick to get it running with Vault Server 2011
  • multiple restarts of course

 
 Is there a known problem with my configuration? Or is SSL just broken in 2015? The exact same configuration was working perfectly in Vault 2011.
 
 Thanks in advance,
 Hauke
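
An added diagnostic example (not part of the original post and not Autodesk code): it reports which of .NET's certificate validation checks fail for each name a caller connects to, which is the detail behind the "The remote certificate is invalid according to the validation procedure" line in the log above. The function name `Test-TlsTrust` is an assumption; `quantus` and `server-fqdn` are the names quoted in the post.

```powershell
# Added example. 'quantus' and 'server-fqdn' are the names quoted in the post.
function Test-TlsTrust {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name checked against the certificate
        [int]$Port = 443
    )
    $seen = @{ Errors = $null; Subject = $null; Issuer = $null; Chain = @() }

    # Record what .NET's validation procedure found. Returning $true only lets the
    # handshake finish so the details can be read; the probe sends no request data.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $policyErrors)
        $seen.Errors  = $policyErrors
        $seen.Subject = $cert.Subject
        $seen.Issuer  = $cert.Issuer
        $seen.Chain   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally {
        $tcp.Close()
    }

    New-Object PSObject -Property @{
        HostName     = $HostName
        PolicyErrors = $seen.Errors              # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
        Subject      = $seen.Subject
        Issuer       = $seen.Issuer
        ChainStatus  = ($seen.Chain -join ', ')  # e.g. UntrustedRoot when the issuing CA is not trusted
    }
}

# Run under the account that makes the failing call (certificate stores exist
# per user and per machine), once for each name that caller uses.
'quantus', 'server-fqdn' | ForEach-Object { Test-TlsTrust -HostName $_ } | Format-List
```

`RemoteCertificateNameMismatch` means the name used to connect is not one the certificate was issued to; `RemoteCertificateChainErrors` with `UntrustedRoot` means the issuing CA is not trusted in the store that account uses.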

Message 2 of 8
olearya
in reply to: HorstBort

Hi Hauke, 

 

You may be experiencing an issue we identified recently with the HTTPS connection being denied due to a time out on a number of authentication sessions.  We have a fix in the works for this and hope it will be delivered in the near future.

 

If you have a support case open on this issue I would expect support to update you when this is available otherwise please check back in on this thread and I will update status.  

 

At the moment I am not aware of any workarounds.



Allan
Product Manager
Autodesk, Inc.
Message 3 of 8
HorstBort
in reply to: olearya

Hi Allan,

 

thanks for the advice. Meanwhile, I tried upgrading my server to Windows Server 2012 R2 and got the same behaviour. SSL connections work only connecting from localhost using the computer name. Even from the local network, the same error as described above occurs.

 

Indeed, it seems to be related to authentication. This is the last request the client sends:

 

GET /AutodeskDM/Services/Filestore/v19/AuthService.svc

There, the server hangs.

 

Since it sure would be nice to have encrypted transfers in this day and age, is there any way to have the vault server running behind a reverse proxy which then handles SSL? I tried with Apache but of course ran into problems when the vault tells the client to speak plain HTTP. Handling the internal connection between reverse proxy and IIS over SSL fails with the authentication problem again.

 

Best regards,

Hauke

Message 4 of 8
olearya
in reply to: HorstBort

Hi Hauke, 

 

This is not a server issue - it seems one of my colleagues may have a workaround - will look to provide some details here for you.



Allan
Product Manager
Autodesk, Inc.
Message 5 of 8
smithmat
in reply to: HorstBort

Hauke,

 

There is a known client side (Vault Explorer / Vault SDK) issue when using SSL.  We are not certain that the problem you are experiencing is the same as this issue.  While we are working on providing a fix for this issue, I do have a (client side) workaround that you can try for Vault Explorer:

 

  • Edit the appropriate Vault Explorer configuration file (e.g. Connectivity.Vault.exe.config).  Before doing so, backup the original.
  • Add the bolded text below (anywhere) under the Configuration element:

<configuration>
  ...
  <system.net>
    <connectionManagement>
      <add address = "*" maxconnection = "1000" />
    </connectionManagement>
  </system.net>
  ...
</configuration>

 

When we eventually provide the fix, you'll want to back-out this configuration change.

 

If possible, please report back letting us know if this workaround addressed your issue.

Thanks,

- Matt

 

Message 6 of 8
HorstBort
in reply to: smithmat

Hi Matt,

 

that seems to actually do the trick, thanks!

 

One remark: Placing the highlighted part *anywhere* in the configuration section threw an error, pasting it around line 260 worked though. So my config looks like this now:

 

  ...
  <system.web>
    <webServices>
      <soapExtensionTypes>
        <add type="DataManagement.Common.Logging.Utils.LogServerSoapExtension,DataManagement.Common.Logging" priority="1" group="High"/>
        <add type="DataManagement.Common.Logging.Utils.LogClientSoapExtension,DataManagement.Common.Logging" priority="1" group="High"/>
      </soapExtensionTypes>
    </webServices>
  </system.web>

  <system.net>
    <connectionManagement>
      <add address = "*" maxconnection = "1000" />
    </connectionManagement>
  </system.net>

  <appSettings>
  ...

 

Thanks,

 

Hauke

Message 7 of 8
HorstBort
in reply to: HorstBort

One addendum:

 

To make it work with Inventor 2015, I had to add the same to C:\Program Files\Autodesk\Inventor 2015\Bin\Inventor.exe.config.

Message 8 of 8
smithmat
in reply to: HorstBort

Yes.  This workaround would require performing the steps for each executable where the Vault SDK is used (which is the case for Inventor).
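
The workaround from messages 5 to 8 applied as a script, as an added example that is not part of the original thread and not Autodesk tooling: it backs up each listed config file and appends the element as the last child of `<configuration>`, which keeps any `<configSections>` element first, as .NET requires. The function name `Add-ConnectionLimit`, the `.orig` backup suffix and the target list are assumptions; only the Inventor path comes from the thread.

```powershell
# Added example. Only the Inventor path below is quoted from the thread.
function Add-ConnectionLimit {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$MaxConnection = 1000
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $root = $xml.DocumentElement
    if ($root.LocalName -ne 'configuration') { throw "$Path has no <configuration> root" }

    # Leave the file untouched when the wildcard entry already exists
    $existing = $root.SelectSingleNode("system.net/connectionManagement/add[@address='*']")
    if ($null -ne $existing) { return "$Path : already set" }

    # Keep the original so the change can be backed out once the fix ships
    $backup = "$Path.orig"
    if (-not (Test-Path -LiteralPath $backup)) {
        Copy-Item -LiteralPath $Path -Destination $backup
    }

    # Reuse existing <system.net>/<connectionManagement> elements, create missing ones
    $parent = $root
    foreach ($name in 'system.net', 'connectionManagement') {
        $child = $parent.SelectSingleNode($name)
        if ($null -eq $child) {
            # AppendChild places new nodes last, so <configSections> stays first
            $child = $parent.AppendChild($xml.CreateElement($name))
        }
        $parent = $child
    }
    $add = $xml.CreateElement('add')
    $add.SetAttribute('address', '*')
    $add.SetAttribute('maxconnection', [string]$MaxConnection)
    [void]$parent.AppendChild($add)

    $xml.Save($Path)
    return "$Path : added (backup at $backup)"
}

$targets = @(
    'C:\Program Files\Autodesk\Inventor 2015\Bin\Inventor.exe.config'
    # add the local path of Connectivity.Vault.exe.config here
)
$targets | ForEach-Object { Add-ConnectionLimit -Path $_ }
```

Files under Program Files need an elevated session to modify; restoring the `.orig` copy backs the change out.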

 
