cancel
Showing results for 
Search instead for 
Did you mean: 
cvuppala
Nintex Newbie

Issue with Nintex workflow web service

Hi,

Our workflow requirements call for a need to call the Nintex workflow webservice using either "call web service" action or "web request" action. 

This wsdl for the web service can be accessed using: {siteURL}/_vti_bin/NintexWorkflow/Workflow.asmx

I can access the WSDL using browser successfully. However, when we access this web service using one of the actions like "Call web service" or "web request" action, we get  "401 - unauthorized error" on a server farm that has Load balancer set up. However, it works fine on our Development environment where we don't have a "Load balancer".

Our Farm Topology:

We have a load balanced server with two web front ends and Nintex is installed on both WFE. We use NTLM authentication and not Kerberos. 

ULS logs:

We have replicated the problem and collected ULS logs. Below is the excerpt of the Log that indicates a "double hop" issue when the request is being executed in series on the two WFE.

SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\jdoe' with UPN 'jdoe@contoso.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ComponentModel.Win32Exception (0x80004005): Access is denied    Server stack trace:    

 at System.ServiceModel.Channels.AppContainerInfo.RunningInAppContainer()   

 at System.ServiceModel.Channels.AppContainerInfo.get_IsRunningInAppContainer()   

 at System.ServiceModel.Channels.PipeSharedMemory.get_PipeName()   

 at System.ServiceModel.Channels.PipeSharedMemory.GetPipeName(AppContainerInfo appInfo)   

 at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)   

 at System.ServiceModel.Channels.NamedPipeConnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)   

 at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout)   

 at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)   

 at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)   

 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)   

 at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)   

 at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)   

 at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)   

 at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)   

 at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)   

 at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)   

 at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown

at [0]:    

 at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)   

 at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)   

 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)   

 at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)   

Blog posts which indicate similar Issues

http://technotes.robocop.se/2013/04/nintex-workflows-2010-web-service-calls.html

https://askmanisha.wordpress.com/2013/08/05/unauthorized-error-401-in-info-path-form-while-accessing...

 

The solutions recommended in this blog post aren't really an optimal way of fixing this issue because it forces the request to use only one WFE where it defeats the purpose of having a load balancer.

Question:

What does Nintex recommend when such issues arise?

Please advise,

Regards,

 

 

 

0 Kudos
Reply
2 Replies
Not applicable

Re: Issue with Nintex workflow web service

You can either enable Kerberos, or setup session affinity on the load balancer. Indeed, while sharepoint 2013+ does not need this anymore, any form technology with a state will need you to stay on the same server, unless the state is stored in a distributed repository. Guess it isn't the case with nintex or infopath

Reply
cvuppala
Nintex Newbie

Re: Issue with Nintex workflow web service

We resolved this by relaxing loop backsecurity on the WFE which solved our problem.

0 Kudos
Reply