reisseng  
#1 Posted : Monday, February 13, 2017 3:59:32 PM(UTC)

I have a self-hosted ScreenConnect instance that is up to date.
I recently ran into an issue when activating SSL that I cannot solve. I tried a chat session and they were unable to resolve as well.

My ScreenConnect is hosted on a Windows Server in a domain environment. We'll call my Windows Domain internal.com. ScreenConnect is published and accessed at screenconnect.external.com.
Therefore, the FQDN of my server is screenconnect.internal.com; however, it is accessed (both internally and externally) at screenconnect.external.com.

Once I enabled SSL, my support clients could no longer download the ClickOnce deployment file. Upon investigating, I found it was because they were trying to download the client from screenconnect.internal.com

My web.config looks like this

Code:
  <add key="RelayListenUri" value="relay://0.0.0.0:8041/" /> <!-- I've also tried relay://+:8041/ & relay://screenconnect.external.com:8041/ -->
  <add key="RelayAddressableUri" value="relay://screenconnect.external.com:8041/" />
  <add key="WebServerListenUri" value="https://+:443/" />
  <add key="WebServerAddressibleUri" value="https://screenconnect.external.com:443/" />


and this is the log file from the failed ClickOnce deployment:


Code:
PLATFORM VERSION INFO
	Windows 			: 10.0.10586.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.6.1078.0 built by: NETFXREL3STAGE
	clr.dll 			: 4.6.1086.0 built by: NETFXREL4STAGE
	dfdll.dll 			: 4.6.1038.0 built by: NETFXREL2
	dfshim.dll 			: 10.0.10586.0 (th2_release.151029-1700)

SOURCES
	Deployment url			: https://screenconnect.internal.com/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect%20Test&e=Support&y=Guest&r=

ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of https://screenconnect.internal.com:443/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect%20Test&e=Support&y=Guest&r= resulted in exception. Following failure messages were detected:
		+ Downloading https://screenconnect.internal.com/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect Test&e=Support&y=Guest&r= did not succeed.
		+ The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
		+ The remote certificate is invalid according to the validation procedure.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	* [2/13/2017 10:30:27 AM] : Activation of https://screenconnect.internal.com:443/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect%20Test&e=Support&y=Guest&r= has started.

ERROR DETAILS
	Following errors were detected during this operation.
	* [2/13/2017 10:30:27 AM] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
		- Downloading https://screenconnect.internal.com/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect Test&e=Support&y=Guest&r= did not succeed.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
			at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
			at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
			at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
			at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
			at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
			at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
		--- Inner Exception ---
		System.Net.WebException
		- The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
		- Source: System
		- Stack trace:
			at System.Net.HttpWebRequest.GetResponse()
			at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
		--- Inner Exception ---
		System.Security.Authentication.AuthenticationException
		- The remote certificate is invalid according to the validation procedure.
		- Source: System
		- Stack trace:
			at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
			at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
			at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
			at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
			at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
			at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
			at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
			at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
			at System.Net.ConnectStream.WriteHeaders(Boolean async)

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.



Eventually, if I can't get it to work, I will disable HTTPS for the guest page, but I don't want to do that if I don't have to.

Any ideas?

Edited by user Monday, February 13, 2017 4:08:07 PM(UTC)  | Reason: Not specified

Scott  
#2 Posted : Tuesday, February 14, 2017 1:58:03 PM(UTC)

On one of these problematic machines, try deleting the ClickOnce cache by running the following command:

Code:

rundll32 dfshim CleanOnlineAppCache


And then retry joining a session, does it behave any differently?
ScreenConnect Team
reisseng  
#3 Posted : Tuesday, February 14, 2017 2:03:23 PM(UTC)

Scott,

This produces the same behavior. Additionally, I've tried it on a computer that has never connected to my SC installation and same results there as well.

EDIT: Also, note- this is on 'support' clients only - my Access clients all work fine and when I connect, they report the relay is 'relay://external.screenconnect.com'

Edited by user Tuesday, February 14, 2017 2:08:04 PM(UTC)  | Reason: Not specified

Scott  
#4 Posted : Tuesday, February 14, 2017 2:16:18 PM(UTC)

Quote:
https://screenconnect.internal.com/Bin/ScreenConnect.Client.application?h=screenconnect.external.com&p=8041&k=truncated&i=Screenconnect%20Test&e=Support&y=Guest&r=


So this URL they are using tells us that the RelayAddressableUri web.config setting is working fine (h=screenconnect.external.com), meaning the issue is occurring when the request is made by ClickOnce to download/initialize the remainder of the client (not just the bootstrapper).

Are there any possible DNS configurations that may be interfering? Is there perhaps a CNAME for screenconnect.external.com to screenconnect.internal.com?

I see that Access clients do not have this problem, what about if you join a Support session via the WindowsSelector? You have to be quick when clicking through the Join Session modal that appears after initiating the Join, but try to 'Download App' for the option titled 'WindowsInstallerDownload'. Any different behavior?
ScreenConnect Team
Michael L  
#5 Posted : Tuesday, February 14, 2017 2:22:32 PM(UTC)

You're throwing a trust error when the client downloads the ClickOnce application file:

+ The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
+ The remote certificate is invalid according to the validation procedure.

This sounds like there might be an issue with the certificate (root or intermediate certs), though we'll sometimes see trust errors in ClickOnce if you have TLS 1.0 disabled. In order to get ClickOnce to work with TLS 1.1 or 1.2, you need to be running .NET 4.6.2 on your server and all clients/endpoints that are going to be using ClickOnce.

I tried going to your site from here, and it looks like either that URL is an incorrect/internal URL (probably this?), or you are filtering out access to the server by IP address. If that's not the actual URL, would you be able to send it to me in a PM so I can check your cert?
ConnectWise Control (ScreenConnect) Support Team
reisseng  
#6 Posted : Tuesday, February 14, 2017 2:29:40 PM(UTC)

Scott,

I've double checked DNS - no funky stuff going on there. Additionally, using the "WindowsInstallerDownload" works fine for support sessions
reisseng  
#7 Posted : Tuesday, February 14, 2017 2:35:26 PM(UTC)

Originally Posted by: Michael L
You're throwing a trust error when the client downloads the ClickOnce application file:

+ The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
+ The remote certificate is invalid according to the validation procedure.

This sounds like there might be an issue with the certificate (root or intermediate certs), though we'll sometimes see trust errors in ClickOnce if you have TLS 1.0 disabled. In order to get ClickOnce to work with TLS 1.1 or 1.2, you need to be running .NET 4.6.2 on your server and all clients/endpoints that are going to be using ClickOnce.

I tried going to your site from here, and it looks like either that URL is an incorrect/internal URL (probably this?), or you are filtering out access to the server by IP address. If that's not the actual URL, would you be able to send it to me in a PM so I can check your cert?


Michael,

The Cert error is because ClickOnce is trying to download from screenconnect.internal.com and not screenconnect.external.com
I do not have a cert for internal - but external I do. The actual domain is screenconnect.<myusername>.com
Michael L  
#8 Posted : Tuesday, February 14, 2017 2:47:48 PM(UTC)

Aha, thanks, reading comprehension on my part is key - I skimmed over that in your first post :)

I see what you mean now, and I got the same error downloading from your other URL to my test box.

Who is your internet provider? If I navigate directly to this URL, I get redirected to the internal address. It seems like possibly your internet provider and/or router are doing some kind of funky URL caching of the application file:

https://screenconnect.<username>.com/Bin/ScreenConnect.Client.application
ConnectWise Control (ScreenConnect) Support Team
reisseng  
#9 Posted : Tuesday, February 14, 2017 2:53:41 PM(UTC)

Originally Posted by: Michael L
Aha, thanks, reading comprehension on my part is key - I skimmed over that in your first post :)

I see what you mean now, and I got the same error downloading from your other URL to my test box.

Who is your internet provider? If I navigate directly to this URL, I get redirected to the internal address. It seems like possibly your internet provider and/or router are doing some kind of funky URL caching of the application file:

https://screenconnect.<username>.com/Bin/ScreenConnect.Client.application


Michael -

I think that may be on your cache. I tried downloading that direct link from a couple computers outside the org and each time it seems to download correctly.

I'm using Brighthouse/Spectrum though.
reisseng  
#10 Posted : Tuesday, February 14, 2017 2:56:12 PM(UTC)

Also, I've tried bypassing my firewall completely a few days back, and the problem still seemed to occur.
Michael L  
#11 Posted : Tuesday, February 14, 2017 3:06:36 PM(UTC)

Quote:
Well - I've got 4 separate ISPs on different machines available to me, and I was only able to successfully download the file with that URL on one of them - two that are getting redirected have no cache and have never even interacted with your site before:

1) My test box is running on an AWS instance, and got redirected to the internal network. This is the only one that actually had any cached files from your site.
2) Our office network is on CenturyLink, I was redirected to your internal network.
3) On my cellphone (AT&T), I was able to successfully download the file.
4) In my home network (FIOS), I was redirected to your internal network.


Forget everything I posted here, I need to go get some caffeine! I was using the wrong URL. Cursing

Edited by user Tuesday, February 14, 2017 3:14:18 PM(UTC)  | Reason: Not specified

ConnectWise Control (ScreenConnect) Support Team
reisseng  
#12 Posted : Tuesday, February 14, 2017 3:19:34 PM(UTC)

Originally Posted by: Michael L
Quote:
Well - I've got 4 separate ISPs on different machines available to me, and I was only able to successfully download the file with that URL on one of them - two that are getting redirected have no cache and have never even interacted with your site before:

1) My test box is running on an AWS instance, and got redirected to the internal network. This is the only one that actually had any cached files from your site.
2) Our office network is on CenturyLink, I was redirected to your internal network.
3) On my cellphone (AT&T), I was able to successfully download the file.
4) In my home network (FIOS), I was redirected to your internal network.


Forget everything I posted here, I need to go get some caffeine! I was using the wrong URL. Cursing




Haha I was going crazy trying different machines, different VMs, VPNs and it kept working, I thought I was crazy.
Michael L  
#13 Posted : Tuesday, February 14, 2017 6:33:03 PM(UTC)

Originally Posted by: reisseng
Originally Posted by: Michael L
Quote:
Well - I've got 4 separate ISPs on different machines available to me, and I was only able to successfully download the file with that URL on one of them - two that are getting redirected have no cache and have never even interacted with your site before:

1) My test box is running on an AWS instance, and got redirected to the internal network. This is the only one that actually had any cached files from your site.
2) Our office network is on CenturyLink, I was redirected to your internal network.
3) On my cellphone (AT&T), I was able to successfully download the file.
4) In my home network (FIOS), I was redirected to your internal network.


Forget everything I posted here, I need to go get some caffeine! I was using the wrong URL. Cursing




Haha I was going crazy trying different machines, different VMs, VPNs and it kept working, I thought I was crazy.



I figured it out. You spelled Addressable wrong in the web.config file :)

Quote:
Code:

  <add key="RelayListenUri" value="relay://0.0.0.0:8041/" /> <!-- I've also tried relay://+:8041/ & relay://screenconnect.external.com:8041/ -->
  <add key="RelayAddressableUri" value="relay://screenconnect.external.com:8041/" />
  <add key="WebServerListenUri" value="https://+:443/" />
  <add key="WebServerAddressibleUri" value="https://screenconnect.external.com:443/" />
ConnectWise Control (ScreenConnect) Support Team
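
The cause found in post #13 was a one-letter misspelling of a web.config key, and the symptom in post #1 was a ClickOnce deployment URL whose host was not the published name. The following is an added example, not part of the thread and not ScreenConnect code: a Python check that flags near-miss key names and compares a deployment URL's host with the intended addressable host. It assumes a known-key list limited to the four setting names that appear in this thread; the sample inputs are constructed from post #1.

```python
import difflib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: only the four setting names that appear in this thread.
KNOWN_KEYS = ("RelayListenUri", "RelayAddressableUri",
              "WebServerListenUri", "WebServerAddressableUri")

# Constructed sample: the appSettings lines from post #1, wrapped so they parse.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="RelayListenUri" value="relay://0.0.0.0:8041/" />
  <add key="RelayAddressableUri" value="relay://screenconnect.external.com:8041/" />
  <add key="WebServerListenUri" value="https://+:443/" />
  <add key="WebServerAddressibleUri" value="https://screenconnect.external.com:443/" />
</appSettings></configuration>"""

# Deployment URL from the ClickOnce log in post #1, query string shortened.
SAMPLE_DEPLOYMENT_URL = ("https://screenconnect.internal.com/Bin/"
                         "ScreenConnect.Client.application?h=screenconnect.external.com&p=8041")


def read_settings(config_xml):
    """Return {key: value} for every <add key=... value=...> element."""
    root = ET.fromstring(config_xml)
    return {e.get("key"): e.get("value") for e in root.iter("add") if e.get("key")}


def lint_keys(settings, known=KNOWN_KEYS, cutoff=0.85):
    """Return (found, intended) pairs for keys that almost match a known name."""
    findings = []
    for key in settings:
        if key in known:
            continue
        close = difflib.get_close_matches(key, known, n=1, cutoff=cutoff)
        if close:
            findings.append((key, close[0]))
    return findings


def intended_web_host(settings):
    """Host the admin meant to publish, read from the correct or a misspelled key."""
    aliases = dict(lint_keys(settings))
    for key, value in settings.items():
        if aliases.get(key, key) == "WebServerAddressableUri":
            return urlsplit(value).hostname
    return None


def deployment_host_ok(deployment_url, settings):
    """True when the ClickOnce deployment URL uses the intended public host."""
    want = intended_web_host(settings)
    return want is not None and urlsplit(deployment_url).hostname == want


if __name__ == "__main__":
    cfg = read_settings(SAMPLE_CONFIG)
    for found, intended in lint_keys(cfg):
        print(f"web.config: unknown key {found!r}, did you mean {intended!r}?")
    if not deployment_host_ok(SAMPLE_DEPLOYMENT_URL, cfg):
        print("deployment URL host differs from", intended_web_host(cfg))
```

Keys that resemble nothing in the known list are ignored, so unrelated settings in a full web.config do not produce findings.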
reisseng  
#14 Posted : Tuesday, February 14, 2017 6:57:05 PM(UTC)

Cursing ╯︵ ┻━┻

That'll do it.

Thanks for the help! LOL
Michael L  
#15 Posted : Tuesday, February 14, 2017 6:59:17 PM(UTC)

Originally Posted by: reisseng
Cursing ╯︵ ┻━┻

That'll do it.

Thanks for the help! LOL


Haha you're welcome. A lesson for me, get caffeine early next time (preferably before lunch BigGrin)
ConnectWise Control (ScreenConnect) Support Team