Enterprise Vault Mobile Search 10 - Impersonation Issue

Created: 08 Mar 2012 • Updated: 08 Mar 2012 | 32 comments

Ok, I am once again working on trying to get Mobile Search 10 to work (gave up last time). I have done a fresh install on Windows 2008 R2 SP1, Windows 2003 SP2...same result with both..."Access Denied". It appears that the application is not properly passing the impersonation settings to the backend Enterprise Vault server. My question is this...does ANYBODY have EV10 and EV Mobile Search 10 working? I have a case open, but I have a strong feeling there is a bug in it. If you have EV 10, but no mobile search, can you try installing it and see if you can get it working?...takes about 10 minutes in all if you have to install IIS too. I have been installing it with "Basic Authentication" (Blackberry mode during setup...you'll see what I mean).

Symantec Case # 416-559-498

JesusWept3's picture

You did enable impersonation on your IIS, right?

BigPhil's picture

Yes. The install is by the book and I have verified all settings tons of times. I simply want to know if anybody else has this working on EV 10. 

Philip Nunn EV 10.0.3 on Windows 2008 R2 SP1, Exchange 2007 SP3 RU 10 CCR on Win2008 x64, ESXi 5.1, Microsoft TMG, NetApp/EqualLogic storage

If this response answers your question, please mark it as solution

JesusWept3's picture

I haven't used it and don't know of anyone else that's used it either to be honest
I was just asking just due to the fact with IIS 7.5 a lot of people don't know that things like impersonation can be toggled on and off or such

Personally if it were me I'd bust out AuthDiag and get traces of AuthServer and possibly some procmons too

BigPhil's picture

No worries at all. When installing Mobile Search, it installs as a web application and sets everything properly anyways (<identity impersonate="true"/>). I have verified all settings through GUI as well as web.config...it's all perfect. I can already see exactly what it is doing as it does log an error on the backend EV server, so I KNOW it is not properly passing the authenticated user's credentials. Mobile Search always worked perfectly for me when on EV 9.0.x.

JesusWept3's picture

Just as a matter of interest, what user is it trying to use when it authenticates?

BigPhil's picture

The machine account. By default, when you install mobile search, it sets the application pool identity to "Local System", and that account cannot request network resources. It's like it doesn't care what is set and is trying to use the "Network Service" account.

JesusWept3's picture

Network service makes sense as that is what asp.net runs under
I'll see if I can get a lab together quickly and try and repro it

Just for repro purposes, it fails internally as well right? Or is it external only etc?

BigPhil's picture

The web app will run under whatever the application pool identity is set to, not just network service. But...problem is both internal and external. Thanks for the help JW!

JesusWept3's picture

But that's what I'm trying to say, the application pool doesn't matter in terms of what .NET Framework runs under, it will always run under the network service account, so for instance if you run the app pool under the domain admin account, and then remove the NETWORK SYSTEM from having rights to the Temporary ASP Net folders on NTFS, you would find the aspx pages would fail to compile etc

But anywho, will let you know at least if I can reproduce...last question :)
I should be able to repro just using IE right? Or do I need to use a BB simulator?

BigPhil's picture

Nope, IE was all I was testing with.

JesusWept3's picture

OK so I got it all set up and it's working fine on my machine.

So what I have is

AdExch.Enterprise.Vault (192.168.100.1)
 - Running on Windows Server 2003 w/ IIS6
 - Exchange Server 2003
 - Has the OWA and MobileSearch app
 - Has the EV10 API installed
 - Uses HTTPS with a self signed cert through SelfSSL

ev10server (sqlev.enterprise.vault / 192.168.100.5)
 - Running on Windows Server 2008 R2 x64
 - Installed EV10 and all the hotfixes related to indexing
 - Uses HTTPS with a self signed cert through SelfSSL

I created an SSL Certificate through SelfSSL and placed them in the trusted root authorities on both the EV Server and the Exchange Server and my client machine.

The issues I faced were
1. Gave me a 404 2 1206 error in the IIS logs when trying to hit Search.aspx, this was due to an ISAPI filter not being recognised, so I just allowed it for the moment
2. After that it told me the NT AUTHORITY\NETWORK SERVICE didn't have access to the Temporary ASPNET folder, so I gave it the permissions

After that everything ran fine.
So just to come back to this, are you absolutely 100% sure that you have impersonation enabled in IIS?

If you open up your IIS Manager for 7, then expand out MachineName -> Sites -> Default Web Site
Then click "EnterpriseVault" and in the middle, under IIS, click Authentication
Is "ASP.NET Impersonation" set to Enabled or Disabled?
And is it also set that way on your /mobilesearch/ page?

BigPhil's picture

Yes, positive...impersonation is set up correctly. I'll double check the temp asp.net folder permissions, but it's a default install...nothing special here

JesusWept3's picture

I tried turning off impersonation and all it did was tell me there were no vaults in red
No errors were logged in the event viewer though

CareFreeX's picture

It works for me as well. You are actually getting "Access Denied". Test user can access the archive from search.asp right? Any error in the event log?

BigPhil's picture

"Temporary ASP.NET Files" (under .NET 2.0.50727) has the correct permissions...EVMobileSearchAppPool application pool is configured for .Net 2.0, Classic pipeline, LocalSystem Identity. The only difference I can see between my setup vs yours JW, is that my EV server is not configured for HTTPS, only HTTP.

CareFreeX...yes, there is one event logged on the EV server...same as it has always been since EV 10/Mobile Search 10. Also yes, the users have no problem using any other method to search their archives...only Mobile Search is an issue.

Log Name:      Symantec Enterprise Vault
Source:        Enterprise Vault
Date:          3/8/2012 4:49:30 PM
Event ID:      7263
Task Category: Index Server
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      EVSERVER.Company.com
Description:
Search request refused because the user does not have sufficient permissions to search any folder in the archive.

User: Domain\WEBSERVER$
Required Permissions: Read
Archive: Some Guy
Archive Id: 183CCEDECB2F48A468AF205D8DD4F682F1110000CompanyEV

JW...can you set up your lab environment so that the EV server uses HTTP instead of HTTPS and see if it still works?

TypoProne's picture

I am trying to test this for you. When running through the install it states "unable to detect an SSL Certificate on the HTTPS binding of the default web site. Error 1."

I have not read the install instructions but it seems to me that SSL may be a pre-req for this. Because of that I would ask if you have tried with SSL?

BigPhil's picture

You can only install with SSL, so yes...I have a third party cert installed. I have a feeling it is a problem with the EV server as I have built three Mobile Search servers with different OS' and they all do the same thing.

FreKac2's picture

It's probably not the problem here but you may want to double check in IIS and the virtual directories->advanced settings->Physical Path Credentials that it's not some weird account set in that property.

Had one customer with that setting set on one of the EV servers (don't know why) which created some "funny" issues when everything was done using that account.

Rather than the account that tried to access the server.

BigPhil's picture

Just double checked, all web applications are configured for pass-through authentication already.

AWMorris's picture

I have installed MobileSearch 10.0.1, with all default IIS settings, and got the same error as indicated in this post.  I then changed the EVMobileSearchAppPool to run under the NetworkService identity rather than the LocalSystem.  I then recycled my app pool and am able to access archived contents.  So the only variable with my setup is the Identity that the app pool runs under.

AWMorris's picture

However, I have just run IISRESET and it is broken again.......

BigPhil's picture

@AWMorris, I have been unable to find a solution to this still...I have tried it all. The AppPool should be set to LocalSystem because if you have Impersonation configured correctly, it will use the impersonated account and not the computer account (network service). I have a feeling it's something to do with the Enterprise Vault server itself and not the web server. This was a fresh install of Windows 2008 R2 and EV 10 when it first came out. If you ever find a fix, please post back here with your findings!

JesusWept3's picture

The more I read about this, the more I'm convinced this is a Kerberos issue on the server running the mobile search webapp

BigPhil's picture

I have installed MobileSearch fresh on at least three freshly built servers (two Win2008R2 and one Windows 2003, all up-to-date and freshly built). From our last correspondence via pm, it appeared to me that Kerberos was working correctly as I can see it properly passing my credentials to EV via Kerberos. Two sessions are created, one for the impersonated account and one for the web server's machine account. EV is for some reason picking the web server machine account session when checking permissions on the archive.

AWMorris's picture

A Dtrace on the Mobile Search server reveals the following

112 19:00:08.941  [3336] (w3wp) <1444> EV:L WinHttpRequest::OnCallback. WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE.
113 19:00:08.941  [3336] (w3wp) <1444> EV:L WinHttpRequest::OnCallback. WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE. Status code=500
114 19:00:08.941  [3336] (w3wp) <1444> EV:H WinHttpRequest::OnCallback. WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE. X-EV-HRESULT = 0x80070005
115 19:00:08.941  [3336] (w3wp) <1444> EV:H WinHttpRequest::OnCallback exit. ERROR HR=0x80070005.
116 19:00:08.941  [3336] (w3wp) <1444> EV:M WinHttpRequest::Callback from WinHttp. pRequest->OnCallback failed with HR=0x80070005. Calling pRequest->OnResponseComplete.
117 19:00:08.941  [3336] (w3wp) <1444> EV:M IndexQueryServerRequest: OnResponseComplete - HR=Access is denied.  (0x80070005)
118 19:00:08.941  [3336] (w3wp) <1256> EV:L IndexQueryServerRequest: WaitForSingleObject returned 0.
119 19:00:08.941  [3336] (w3wp) <1256> EV:M IndexQueryServerRequest: Waiting for 120000ms for request to complete.
120 19:00:08.941  [3336] (w3wp) <1256> EV:L IndexQueryServerRequest: WaitForSingleObject returned 0.
121 19:00:08.941  [3336] (w3wp) <1256> EV:H IQSFederatedSearchItem::GetResults2. Request FAILED HR=0x80070005.

I am going to test this on a Server 2003 box to see if the results differ.  Maybe something with the version of IIS is causing all of this.
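
A triage sketch for the two log excerpts quoted in this thread (the event 7263 text and the Dtrace lines), added here as an example and not code from any poster or from Symantec. It extracts the principal the Enterprise Vault server refused and flags when it is a computer account (name ending in "$"), and lists the trace lines carrying the access-denied HRESULT; the function names and the embedded sample strings are assumptions constructed from the fields shown above.

```python
import re

# Constructed samples: fields copied from the event 7263 and Dtrace excerpts in this thread.
EVENT_7263 = """Event ID:      7263
Description:
Search request refused because the user does not have sufficient permissions to search any folder in the archive.

User: Domain\\WEBSERVER$
Required Permissions: Read
Archive: Some Guy
"""
DTRACE = """113 19:00:08.941  [3336] (w3wp) <1444> EV:L WinHttpRequest::OnCallback. WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE. Status code=500
114 19:00:08.941  [3336] (w3wp) <1444> EV:H WinHttpRequest::OnCallback. WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE. X-EV-HRESULT = 0x80070005
"""
E_ACCESSDENIED = 0x80070005  # HRESULT shown in the trace as "Access is denied"

# seq, timestamp, [pid], (process), <thread>, then the X-EV-HRESULT response header
TRACE_RE = re.compile(
    r"^(\d+)\s+\S+\s+\[(\d+)\]\s+\((\w+)\)\s+<(\d+)>.*X-EV-HRESULT\s*=\s*(0x[0-9A-Fa-f]+)"
)

def parse_event(text):
    """Return the 'Key: value' lines of an event description as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def is_machine_account(principal):
    """A computer account's name ends in '$' (DOMAIN\\HOST$)."""
    name = principal.rsplit("\\", 1)[-1]
    return len(name) > 1 and name.endswith("$")

def denied_requests(trace):
    """Return (seq, process, thread) for trace lines with X-EV-HRESULT = access denied."""
    hits = []
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if m and int(m.group(5), 16) == E_ACCESSDENIED:
            hits.append((int(m.group(1)), m.group(3), int(m.group(4))))
    return hits

def triage(event_text, trace):
    """Combine both views: who the backend refused, and where the front end saw the denial."""
    ev = parse_event(event_text)
    user = ev.get("User", "")
    return {"event_id": ev.get("Event ID"), "principal": user,
            "machine_account": is_machine_account(user),
            "denied": denied_requests(trace)}
```

A result with machine_account set to True means the refused principal was the web server's own account, not the user who signed in to the web application.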

AWMorris's picture

Additionally, the following errors are logged on the Mobile Search server.

7002
Web Application (WP)
Application: EVSMD
EvWrapper::Search() : Details: Access is denied.  (0x80070005)

7002
Web Application (WP)
Application: EVSMD
EvWrapper::GetSearchResults() : Details: Access is denied. (0x80070005)

7002
Web Application (WP)
Application: EVSMD
SearchResult::Page_Load() : Details: Access is denied. (0x80070005)

AWMorris's picture

OK.  So the problem is the same when Mobile Search is installed on a Server 2003 SP2 box.

MichelZ's picture

Hi

Any luck with that?
I got a kinda similar problem...  ASP.NET app not properly impersonating to the EV API.

Cheers
Michel

MichelZ's picture

Oh, and yes... I also think it's some sort of Kerberos issue... :(

AWMorris's picture

Unfortunately, no.  I had a case open with Symantec and they had begun troubleshooting the issue.  The customer that I was working with decided to scrap Mobile Search so we haven't investigated it further.

AndrewB's picture

just out of curiosity, any updates on this issue?

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

AWMorris's picture

This article was discovered by UMSystems (Symantec Connect profile) today which might help out.

http://www.symantec.com/docs/TECH188383

Apparently, the EV API isn't sufficient enough to host Mobile Search in EV 10 SP 1.