02-08-23 08:23 AM
I am hoping someone can shed some light on an issue we are seeing.
We are seeing the following error when attempting to connect to a BPserver WCF Soap connection:
Error: Could not connect to 'Development'.
SOAP security negotiation with 'https://aws*****.***.*****.***.***.uk:8197/bpserver' for target 'https://aws*****.***.*****.***.***.uk:8197/bpserver' failed. See inner exception for more details.
The full inner error is as below:
System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'https://aws*****.***.*****.***.***.uk:8197/bpserver' for target 'https://aws*****.***.*****.***.***.uk:8197/bpserver' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'HTTP/aws*****.***.*****.***.***.uk:8197/BPServer'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetNextOutgoingMessage(Message incomingMessage, T negotiationState)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
at System.ServiceModel.Channels.ClientReliableChannelBinder`1.Request(Message message, TimeSpan timeout, MaskingMode maskingMode)
at System.ServiceModel.Channels.RequestReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableRequestSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
Exception rethrown at [0]:
at BluePrism.AutomateAppCore.ServerFactory.CurrentConnectionValid()
at AutomateUI.frmApplication.bsa(Boolean a, Boolean b)
------------------------------
The Blue Prism software is version 7.2 on both the Application Server instance and the Resource PC robot.
The ports 8197 and 8181 are open as required. The Service on the application server is running with an account that has local administrator access, it has its SPN set correctly for the above URL, and the URLACL permission for that service account is set. However, the identity portion of the error leads me to believe this is an authentication issue that is sourced on the Robot PC. The certificate used by the Application server was produced by our Issuing CA in a 2-tier PKI infrastructure. We are using WCF: SOAP with Transport Encryption & Windows Authentication for the connection mode.
When we run the automate.exe application on the Application Server itself there are no issues at all. The Robot PC is Windows 22H2 and the Application Server is Windows Server 2019 Datacenter.
Many thanks.
11-08-23 09:48 AM
Hi Kevin,
I understand you have set the SPN against the service yet you are still getting the SOAP error message.
As you may know the details of setting the SPN and the background information to this is detailed in the article below:
https://support.blueprism.com/en/support/solutions/articles/7000078869-after-applying-windows-update-users-failed-to-log-in-with-an-error-soap-security-negotiation-with-
I would recommend following the troubleshooting guidance at the bottom of this page and also reviewing the domain configuration in this environment. For example the SPN will only work with users that are within the same domain as the account set to run the service and will not work in a multi-domain environment.
If you are still experiencing this issue then I would recommend raising a support ticket with us so that the support team can further investigate this with you.
Kind regards,
Beau
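An added diagnostic script (not part of this thread, and not Blue Prism's own tooling) that checks the points raised above from the Application Server: which account the service runs as, whether the SPN WCF reported in the error is registered on exactly one account, whether a URL ACL exists for the port, and whether a Kerberos ticket for that SPN can actually be obtained. The host name, port and service display name are placeholders; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added diagnostic, not from the thread or from Blue Prism. Run in an elevated
# PowerShell on the Application Server as a domain user. All three parameters
# are assumptions: replace them with the real values for your environment.
param(
    [string]$ServerFqdn  = 'aws-placeholder.example.uk',
    [int]   $Port        = 8197,
    [string]$ServiceName = 'Blue Prism Server'   # assumed display name
)
Import-Module ActiveDirectory -ErrorAction Stop

# The identity WCF expects, as quoted in the SecurityNegotiationException.
$spn = "HTTP/$ServerFqdn`:$Port/BPServer"

# 1. Which account runs the service? The SPN must be registered on this
#    account (or on the computer object if it runs as Network Service).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
Write-Host "Service logon account : $($svc.StartName)"

# 2. Is the SPN registered, and on how many objects? Zero means no Kerberos
#    ticket can be issued; more than one is a duplicate SPN, which the KDC
#    also refuses. Either case produces the SSPI failure seen in the thread.
$hits = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
            -Properties servicePrincipalName)
switch ($hits.Count) {
    0       { Write-Warning "SPN $spn is not registered on any AD object" }
    1       { Write-Host  "SPN registered on      : $($hits[0].DistinguishedName)" }
    default { Write-Warning "DUPLICATE SPN $spn on $($hits.Count) objects:"
              $hits.DistinguishedName | ForEach-Object { Write-Warning "  $_" } }
}

# 3. Does a URL ACL reservation exist for this port? The reserved URL and the
#    account it names should match the service logon account above.
$acl = netsh http show urlacl | Select-String -Context 0,2 -Pattern ":$Port/"
if ($acl) { Write-Host "URL ACL for port $Port :"; $acl | ForEach-Object { $_.Line; $_.Context.PostContext } }
else      { Write-Warning "No URL ACL reservation found for port $Port" }

# 4. Can this session obtain a Kerberos service ticket for the SPN? Run the
#    same check on the Robot PC: if it succeeds here but fails there, the
#    client side (domain membership, trust, or name resolution) is the issue.
$ticket = klist get $spn 2>&1
if ($LASTEXITCODE -eq 0) { Write-Host "Kerberos ticket obtained for $spn" }
else { Write-Warning "klist could not get a ticket for $spn :`n$ticket" }
```

Run step 4 on the Robot PC as the user who launches automate.exe, since that is the session whose negotiation is failing.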
11-08-23 10:45 AM
Many thanks for your assistance. The service ticket can now be closed as SOAP is working.
Kind Regards,