Resolution of White-page and attachment issues with Mid-tier

Version 4

    If you are seeing users with problems adding attachments, or logging back in after a session time-out, adding the IIS metabase setting of SSLAlwaysNegoClientCert = TRUE may resolve this.

     

    From Microsoft (http://technet.microsoft.com/en-us/library/cc778630.aspx):

     

    The SSLAlwaysNegoClientCert property controls SSL client connection negotiations. If this property is set to true, any time SSL connections are negotiated, the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting SSLAlwaysNegoClientCert also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body when a renegotiation request is received.

     

    Description of problem:


    (Issue 1):
    We've been having sporadic issues in our Production environment where users sometimes can't add an attachment to a ticket. No obvious error, and no indication that really large files caused the issue.
    (Some time back we found that the IE setting "Use HTTP 1.1 through proxy connections" was not consistently set. Setting it resolved sporadic problems with attaching larger files. That is not the issue this time.)

     

    Closing the ticket window (and/or closing IE entirely and logging back in) and re-opening the ticket usually made the attachment succeed.

     

    (Issue 2):
    Over the past 6 to 9 months we occasionally had users complain that they could not log back into Remedy after their session expired (30 minutes idle time). This might correspond to our migration from IIS 5 to IIS 6; apparently IIS 5 doesn't present this issue because of a bug.


    The issue was:

    They refreshed the page as instructed after the message "Your session has expired. Refresh the page to login".
    The login screen appeared;
    They entered their login credentials;
    The page title changed to reflect (our) Control Console page instead of the login page;
    No content appeared (white page only).

    Refresh, etc. did not change this.


    -- If we released their license by using the Remedy Administrator tool they could log in.

    -- We found a workaround: enter a (different) valid Remedy form URL in the address bar;
    -- the message "This user is currently connected from another machine. Would you like to attempt to override the existing connection?" appears;
    -- selecting YES or OK would produce the expected results;
    -- using the address bar history to select the Control Panel would now display it successfully (sometimes Refresh had to be selected as well).
    (Sometimes it seemed that closing all browsers and/or rebooting the machine did not resolve this; our default settings for IE caching might be responsible.)

     

    More info:
    After upgrading our Test system from ARS 6.3 to ARS 7.1 we found that we could not add attachments over 50k or so in size ("Failed to add attachment" might have been displayed, but no obvious cause).


    We eventually found that IIS was sending (and logging) a 413 error:

            HTTP/1.1 413 Request Entity Too Large

    Researching this led me to
    (http://securitythroughabsurdity.com/2008/01/screen-bug-in-ie-with-aspnet.html)

     

    And eventually to the SSLAlwaysNegoClientCert setting.

     

    This resolved the attachment issue in our Test system.
    We applied it to our Production system and haven't seen any more 413 errors in its IIS logs, and haven't heard any more from our users (but it's only been a few days, too short a time to be sure this is resolved).
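    To find the 413 responses the IIS log revealed, and to confirm after the change that they have stopped, here is an added example (not part of the original article or of any Remedy/IIS tool) that scans IIS W3C extended log text in Python; the log lines, client IPs and Remedy URI in it are constructed sample data.

```python
# Added example (not from the original article): scan IIS W3C extended log text
# for HTTP 413 responses, the symptom described above. SAMPLE_LOG is constructed
# sample data in the IIS 6 W3C layout; the client IPs and Remedy URI are made up.
import io
from collections import Counter

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status cs-bytes
2009-03-02 08:01:10 10.0.0.5 POST /arsys/forms/ars01/HPD:Help+Desk 200 0 0 1024
2009-03-02 08:02:31 10.0.0.7 POST /arsys/forms/ars01/HPD:Help+Desk 413 0 0 81234
2009-03-02 08:05:02 10.0.0.7 POST /arsys/forms/ars01/HPD:Help+Desk 413 0 0 81234
2009-03-02 08:06:44 10.0.0.9 GET /arsys/home 200 0 0 -
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header can repeat when the log rolls over
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):       # truncated line: skip rather than misalign
            continue
        yield dict(zip(fields, values))

def find_413s(text):
    """Return (413 count per client IP, 413 count per URI, largest cs-bytes that got a 413)."""
    by_client, by_uri, largest = Counter(), Counter(), 0
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "413":
            continue
        by_client[rec["c-ip"]] += 1
        by_uri[rec["cs-uri-stem"]] += 1
        size = rec.get("cs-bytes", "-")
        if size.isdigit():                   # IIS logs "-" when the field is unavailable
            largest = max(largest, int(size))
    return by_client, by_uri, largest

if __name__ == "__main__":
    clients, uris, largest = find_413s(SAMPLE_LOG)
    print("413s by client:", dict(clients))
    print("413s by URI:", dict(uris))
    print("largest request body that was rejected:", largest, "bytes")
```

    Point it at a real log by reading the file into find_413s; a non-empty result after the metabase change means the setting did not take effect for that site.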

     

     

    Resolution:

     

    Add the IIS metabase setting SSLAlwaysNegoClientCert = TRUE for each site (it doesn't seem to be allowed at the IIS server level):

     

    To check the setting (you might have to cd to the folder containing the adsutil.vbs script, or give its full path):

     

            cscript adsutil.vbs get w3svc/(iis identifier#)/SSLAlwaysNegoClientCert

     

    To change:

     

            cscript adsutil.vbs set w3svc/(iis identifier#)/SSLAlwaysNegoClientCert TRUE

    (possibly for the entire WWW server: set W3SVC/SSLAlwaysNegoClientCert)

     

    (Haven't verified this issue or resolution on IIS 7.)
    In IIS 7:

    1. Run the following in an admin command prompt: netsh http show sslcert > desktop/IIS-SSLConfig.txt
    2. Save the output in a text file. It will look something like this:

            IP:port : 0.0.0.0:443
            Certificate Hash : [a hash value]
            Application ID : {[a GUID]}
            Certificate Store Name : MY
            Verify Client Certificate Revocation : Enabled
            Verify Revocation Using Cached Client Certificate Only : Disabled
            Usage Check : Enabled
            Revocation Freshness Time : 0
            URL Retrieval Timeout : 0
            Ctl Identifier : (null)
            Ctl Store Name : (null)
            DS Mapper Usage : Disabled
            Negotiate Client Certificate : Disabled

     

    3. Create a batch file using that info:

     

            netsh http show sslcert
            netsh http delete sslcert ipport=0.0.0.0:443
            netsh http add sslcert ipport=0.0.0.0:443 certhash=[your cert hash from above] appid={[your GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
            netsh http show sslcert

    (Yes, you have to delete and re-add; you can't just alter clientcertnegotiation in place. That's why it's important to save the hash and GUID, so you know what to re-add.)
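    As an added example (not from the original article), the following Python script parses the saved "netsh http show sslcert" output from step 2 and writes the delete/re-add batch file of step 3, copying the hash, appid and revocation settings from the existing binding so that only clientcertnegotiation changes; the sample output, hash and GUID in it are constructed placeholders.

```python
# Added example (not from the original article): parse saved "netsh http show
# sslcert" output and generate the delete / re-add batch file described above,
# copying the old hash, appid and revocation settings so that only
# clientcertnegotiation changes. SAMPLE is constructed; hash and GUID are placeholders.
SAMPLE = """
    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
    Application ID          : {11111111-2222-3333-4444-555555555555}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check             : Enabled
    Negotiate Client Certificate    : Disabled
"""

def parse_sslcert(text):
    """Return one dict per binding; a new binding starts at each IP:port line."""
    bindings, current = [], None
    for line in text.splitlines():
        if " : " not in line:            # headers, separators, blank lines
            continue
        key, value = (p.strip() for p in line.split(" : ", 1))
        if key == "IP:port":
            current = {}
            bindings.append(current)
        if current is not None:
            current[key] = value
    return bindings

def flag(shown):
    """netsh displays Enabled/Disabled but takes enable/disable as parameter values."""
    return "enable" if shown.lower() == "enabled" else "disable"
def rebind_commands(b):
    """delete + add for one binding; every setting except negotiation is copied over."""
    add = ("netsh http add sslcert ipport=%s certhash=%s appid=%s certstorename=%s "
           "verifyclientcertrevocation=%s VerifyRevocationWithCachedClientCertOnly=%s "
           "UsageCheck=%s clientcertnegotiation=enable") % (
        b["IP:port"], b["Certificate Hash"], b["Application ID"],
        b["Certificate Store Name"], flag(b["Verify Client Certificate Revocation"]),
        flag(b["Verify Revocation Using Cached Client Certificate Only"]),
        flag(b["Usage Check"]))
    return ["netsh http delete sslcert ipport=%s" % b["IP:port"], add]

def batch_file(text):
    """Whole batch file; bindings that already negotiate client certs are left alone."""
    lines = ["netsh http show sslcert"]
    for b in parse_sslcert(text):
        if flag(b.get("Negotiate Client Certificate", "Disabled")) == "enable":
            continue
        lines += rebind_commands(b)
    lines.append("netsh http show sslcert")
    return "\r\n".join(lines) + "\r\n"
```

    Run it against the saved IIS-SSLConfig.txt and review the generated batch file before executing it, since the delete step removes the HTTPS binding until the add completes.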