January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?

BrentonWestwood · ‎12-01-22

Hello all. On any desktop where the January 2022 Windows Security Patches have been installed, I can no longer sign into Blue Prism. On desktops where the security patch is not installed, everything works as normal. The patches were installed on 2 of my desktops last night but others have not been patched yet. We use single sign-on (AD setup). I get this error:

Error: Could not connect to '{connection name}'.

SOAP security negotiation with 'http://{appserver}.southernco.com:8187/bpserver' for target 'http:/{appserver}.southernco.com:8187/bpserver' failed. See inner exception for more details.

System.ComponentModel.Win32Exception: Either the client credential was invalid or there was an error collecting the client credentials by the SSPI.
at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetOutgoingBlobProxy.GetOutgoingBlob(ChannelBinding channelBinding)
at System.ServiceModel.Security.RequestSecurityToken.GetBinaryNegotiation()
at System.ServiceModel.Security.WSTrust.Driver.WriteRequestSecurityToken(RequestSecurityToken rst, XmlWriter xmlWriter)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.WriteTo(XmlWriter writer)
at System.ServiceModel.Security.RequestSecurityToken.OnWriteBodyContents(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BodyWriterMessage.OnWriteBodyContents(XmlDictionaryWriter writer)

------------------------------
Brenton Westwood
Systems Analyst
Southern Company
------------------------------

cesscabral · ‎26-01-22

Thank you Diane,

Somehow I missed the PORT number in the command.

Now, I think we have just set the SPN well on the Application Server:

>SETSPN -S HTTP/200000356-APP1.ptportugal-dev.local:8199/BPServer PTPORTUGAL-DEV\PULSO-TABLEAU

>SETSPN -L ptportugal-dev\pulso-tableau

Registered ServicePrincipalNames for CN=PULSO-TABLEAU,OU=Pulso,OU=LSB-PIC,OU=DC_PT,DC=ptportugal-dev,DC=local:

HTTP/200000356-APP1.ptportugal-dev.local:8199/BPServer

But, still got this on the Clients, after purging the KERBEROS Tickets:

>Klist purge

Current LogonId is 0:0x2424ff

Deleting all tickets:

Ticket(s) purged!

Still asks for credentials

And results on this:

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

diane.sanzone · ‎26-01-22

Interesting. I see that you're using the FQDN in your command, but your configuration and error message both use the IP address of the server. Perhaps try changing your connection string to use the server name or, alternatively, change your command to use the server IP? Everything else looks correct to me as per what worked for us.

------------------------------
Diane Sanzone
------------------------------

cesscabral · ‎26-01-22

It just change the response on the erros message:

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

eric.lim · ‎27-01-22

For those who are having problems applying the Blue Prism setspn fix, we have been told by other users that the Microsoft Jan 17, 2022 Out-Of-Band patch fixes this issue without requiring the setspn fix.

We have applied the Blue Prism setspn fix so I cannot personally verify this.

Might be worth a try if you are having trouble getting the setspn fix to work.

------------------------------
Eric Lim
Assistant Director
Australian Government Department of Finance
------------------------------

kez2fab · ‎27-01-22

Hello Eric,

Our Development team did confirm that the Microsoft Jan 17, 2022 Out-Of-Band patch does not fix the issue.

They did confirm that no new or additional issues are introduced by this Out-Of-Band patch if SPN is configured as directed.

Are these other users connecting to the same Blue Prism Application Server where you deployed the setspn fix?

------------------------------
Anthony Ringot
Customer Support, Team Manager, APJ
------------------------------

eric.lim · ‎27-01-22

Hi Anthony,

The other users are operating on a completely different network and Blue Prism instance.
There should be no possibility that they are connecting to the same App Server that we deployed the setspn fix to.

Does Blue Prism think that running setspn will be an ongoing part of installing Blue Prism into the future?
Trying to decide if I need to include this in our documentation as it will be an easy step to forget.

------------------------------
Eric Lim
Assistant Director
Australian Government Department of Finance
------------------------------

diane.sanzone · ‎27-01-22

Hi Carlos,

I didn't want to let you think I forgot about you. I've been thinking about this and the only thing different I see in your string from mine is that you have the domain in front of the GSA account name. I don't see how that would change things, but it might. Alternatively, things I can't confirm from your provided information are:
1. Are you running this on the server named in the command, or somewhere else? My understanding is that it needs to be executed from the named server
2. Are you running this with an account that is a domain admin? If not, the settings will not apply
3. Are you running this through a command prompt launched with elevated (domain admin) permissions? If not, the settings will not apply

Additionally, I checked with an engineer here and he believes that the /BPServer is the virtual directory where the Blue Prism service resides on your system. If for some reason you have renamed or moved that directory, you might need to update that value.

If you meet all those criteria and this still doesn't fix the issue, I highly recommend opening a support ticket with Blue Prism for assistance in creating the command string and executing it in your environment. There might be some other configuration that they'll see which is causing a problem.

I hope you get this fixed soon!

------------------------------
Diane Sanzone
------------------------------

cesscabral · ‎27-01-22

Hi Diane,

The BP Server is this 200000356-APP1.ptportugal-dev.local and has IP=10.131.87.130 and the BP Service is running with this account PTPORTUGAL-DEV\PULSO-TABLEAU.
Note that the Server and the Account both belongs to AD DOMAIN ptportugal-dev.
The account PTPORTUGAL-DEV\PULSO-TABLEAU belongs to Administration Group on the Server, but it is NOT an DOMAIN ADMIN account. I can not ask IT Department to give this account DOMAIN ADMIN privileges.
The SETSPN command was done by an DOMAIN ADMIN User in our IT Department, not me.

[Yesterday 17:05] Carlos Eduardo Cabral

Pedro Manuel Robalo Nabais

coloco outro ticket?

Carlos Cabral
Security Analytics, Data Science and RPA Consultant

Altice Portugal

Cyber Security & Privacy (DCY)

Email: carlos-s-cabral@telecom.pt
Tlm: 966025853
Av. Fontes Pereira de Melo, 38/40
1069-300 LISBOA
meo.pt

AVISO DE CONFIDENCIALIDADE
Esta mensagem e quaisquer ficheiros anexos a ela contêm informação confidencial, propriedade da Altice Portugal e/ou das demais sociedades que com ela se encontrem em relação de domínio, Fundação Altice Portugal e ACS, destinando-se ao uso exclusivo do destinatário. Se não for o destinatário pretendido, não deve usar, distribuir, imprimir ou copiar este e-mail. Se recebeu esta mensagem por engano, por favor informe o emissor e elimine-a imediatamente.
Obrigado

kez2fab · ‎28-01-22

That is very strange indeed. Be curious to know if, maybe, SPN was already set in this environment, hence why the patch didn't affect these users.

To answer your question, my understanding is that we will document setting SPN in our documentation going forward.
This is something that was discussed and have advised our Documentation team to review and handle.
I do not have an estimated timeline when this will be live in our online help.

Regards,

------------------------------
Anthony Ringot
Customer Support, Team Manager, APJ
Blue Prism
Australia/Sydney
------------------------------

SS&C Blue Prism Community

January 2021 Windows Security Patches - Breaking Single Sign-on to Blue Prism?