
Hi,

Our workflow requirements call for a need to call the Nintex workflow web service using either the "call web service" action or the "web request" action.

The WSDL for the web service can be accessed using: {siteURL}/_vti_bin/NintexWorkflow/Workflow.asmx

I can access the WSDL using a browser successfully. However, when we access this web service using one of the actions like the "Call web service" or "web request" action, we get a "401 - unauthorized error" on a server farm that has a load balancer set up. However, it works fine on our Development environment where we don't have a load balancer.

Our Farm Topology:

We have a load-balanced server with two web front ends, and Nintex is installed on both WFEs. We use NTLM authentication and not Kerberos.

ULS logs:

We have replicated the problem and collected ULS logs. Below is an excerpt of the log that indicates a "double hop" issue when the request is being executed in series on the two WFEs.

SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\jdoe' with UPN 'jdoe@contoso.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied
Server stack trace:
 at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()
 at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()
 at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()
 at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)
 at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)
 at System.ServiceModel.Channels.NamedPipeConnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)
 at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)
 at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
 at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
 at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
 at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
 at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
 at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
 at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)

Blog posts which indicate similar issues:

http://technotes.robocop.se/2013/04/nintex-workflows-2010-web-service-calls.html

https://askmanisha.wordpress.com/2013/08/05/unauthorized-error-401-in-info-path-form-while-accessing-web-service/

 

The solutions recommended in these blog posts aren't really an optimal way of fixing this issue because they force the request to use only one WFE, which defeats the purpose of having a load balancer.

Question:

What does Nintex recommend when such issues arise?

Please advise,

Regards,

 

 

 

We resolved this by relaxing loopback security on the WFE, which solved our problem.


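Added example, not part of the original thread and not Nintex guidance: a PowerShell audit of the Windows NTLM loopback check on a WFE, assuming that is what "loopback security" in the reply above refers to. The host name is a constructed placeholder, and the script favours listing the site's host names in BackConnectionHostNames over DisableLoopbackCheck, which switches the check off for the whole server and with it a protection against NTLM reflection.

```powershell
# Added example (not from the thread). Run elevated on each WFE.
# $SiteHostNames is a constructed placeholder: use the load-balanced host
# name(s) that the workflow action calls.
param(
    [string[]]$SiteHostNames = @('sharepoint.contoso.example'),
    [switch]$Apply   # without -Apply the script only reports
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Both values are optional; a missing value means the default (check enabled, no exceptions).
    $disable = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
                    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $msv10Key -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        LoopbackCheckDisabled   = ($disable -eq 1)
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

$state   = Get-LoopbackCheckState
$missing = @($SiteHostNames | Where-Object { $state.BackConnectionHostNames -notcontains $_ })

if ($state.LoopbackCheckDisabled) {
    Write-Warning "$($state.Computer): DisableLoopbackCheck=1 disables the check for every host name on this server."
}

if ($missing.Count -eq 0) {
    Write-Output "All site host names are already listed in BackConnectionHostNames."
}
elseif ($Apply) {
    # Scoped exception: merge the missing names into the existing list, keeping current entries.
    [string[]]$merged = @($state.BackConnectionHostNames) + $missing | Select-Object -Unique
    New-ItemProperty -Path $msv10Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    Write-Output "Added: $($missing -join ', '). Restart IIS (or the server) for the change to take effect."
}
else {
    Write-Output "Not in BackConnectionHostNames: $($missing -join ', '). Re-run with -Apply to add them."
}

$state   # emit the state object so results from both WFEs can be compared
```

Run it on both web front ends; a farm where one WFE has DisableLoopbackCheck set and the other does not will fail intermittently depending on which node the load balancer selects.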