NetServer scripts and Single-Signon?

PARTNER Frode Lillerud

Hi,

we've got a NetServer script that works in my local demo environment, but when I add it at the customer it doesn't work. They use single-signon (Windows authentication in IIS).

The logfile contains lots of these kind of errors when the script is supposed to run:

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at SuperOffice.ApplicationDomain.SoRemoteLoader.CallStaticMethod(String typeName, String methodName, Type[] parameterTypes, Object[] methodParams)
   at SuperOffice.Scripting.ScriptEngine.SendEvent(String methodName, Boolean async, Object& state, SendEventArguments& arguments)
   at SuperOffice.Events.SoEventManager.SendEvent(String methodName, Boolean async, Object& state, SendEventArguments& arguments)

Inner Element:
Message: Invalid token for impersonation - it cannot be duplicated.
Type:    System.ArgumentException
Details:
   at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)
   at System.Security.Principal.WindowsIdentity..ctor(SerializationInfo info)

Is there any problem running NetServer scripts when IIS is set up to use Windows authentication?

/de/My-Page/6135/

RE: NetServer scripts and Single-Signon?

Hello Frode. 

This looks similar to 43908. Which event do you see in the log file? 

--

HansO

Von: Hans Oluf Waaler 29. Aug 2016
PARTNER /de/My-Page/5028/

RE: NetServer scripts and Single-Signon?

Hi, not exactly sure which event you mean?

My script is listening for BeforeSaveSaleEntity.In the logfile it says the methodname is: BeforeSaveCurrents and AfterSaveCurrents.

Tony wanted me to test enabling the <ReauthenticateOnDeserialization> setting, but that didn't make any difference.

Von: Frode Lillerud 30. Aug 2016
/de/My-Page/6135/

RE: NetServer scripts and Single-Signon?

SaveCurrents was the event I was kinda "hoping" for. It seems you have the same issue as mentioned in my previous post. I have been able to reproduce it when Windows Authentication and Netserver scripting are enabled. 

The main reason why you see this error is that when the currents have changed, we will try to store them (so the history lists are updated for other clients). We try to do this in a separate thread so the performance for the user is not affected. Unfortunately, due to the combination of ASP.NET, appdomain boundaries and serialization, the original identity is destroyed before it is used. That is why you see the invalid token for impersonation - it cannot be duplicated. I don't think there is any setting you can set to prevent this error. A workaround has to be implemented in code. 

If you are not using the event {Before|Save}SaveCurrents, it is possible, though far from optimal, to set LogErrors to false in the config file. This will of course mask any other errors. 

 

--

HansO

Von: Hans Oluf Waaler 30. Aug 2016
PARTNER /de/My-Page/5028/

RE: NetServer scripts and Single-Signon?

Thanks, but...my script isn't executed. Are you saying that the script is still supposed to work as intended even with this error? And that the only consequence is that the logfile is filled up?

If so I need to continue my debugging to figure out why the script doesn't do what it should. There are no other errors in the logfile, so I think the compilation of the .cs file works, and no runtime exceptions are logged from the script either, so I just assumed that this bug caused the script not to execute.

Von: Frode Lillerud 30. Aug 2016
/de/My-Page/6135/

RE: NetServer scripts and Single-Signon?

Hm, in the other case there were no reports of other scripts not executing. The error condition only occurs when the currents have changed. Can you check if you have <identity impersonate="true"> in the web.config file at the customer? (it should NOT be there if this is SuperOffice 8.x). Does it work if you turn off Windows Authentication at the customer site? 

Von: Hans Oluf Waaler 30. Aug 2016
PARTNER /de/My-Page/10221/

RE: NetServer scripts and Single-Signon?

Hi,

We are seeing the same error in the log in 8.4 dated 11.02.2019.  Also, when the user saves the sale and the trigger is run, they get an error in the GUI saying "The remote server returned an error: (401) Unauthorized".

Are there any news on this issue, or did you find a fix for it?

 

Espen

Von: Espen Steen 31. Jan 2020
PARTNER /de/My-Page/11000/

RE: NetServer scripts and Single-Signon?

Hello,

If you get this error when an CS Trigger is executed, then take a look at this thread: https://community.superoffice.com/en/technical/Forum/rooms/topic/superoffice-product-group/customer-service/new-requirements-for-service-and-sso-installations/

Von: David Hollegien 31. Jan 2020