Common worker installation issues

No response from dropdown/webservice

There can be a number of possible reasons as for why dropdown/webservice are not responding.

  • No DNS record exists for Client web service (e.g cws.example.com)
  • Incorrect token/data signing configuraiton
  • Private Key missing for Data signing certificate
  • Token/Data signing certificates not imported to Zervicepoint worker
  • Service account does not have permissions to read private key from data signing certificate.

No DNS records exists for Client web service

Console log in web browser shows messages such as 'ERR_NAME_NOT_RESOLVED' hints towards that a DNS record is missing for client web service.

Ensure that the URL in Edit Store > Worker Authentication > Client Web Service URL can be resolved via a DNS record and is available.

Name not resolved

If the DNS records exist and is correct, ensure that the Client Web Service URL is correct.

name-not-resolved

https://cws.example.com:443/ProviderService.svc/CallProvider

Incorrect token/data signing configuraiton

Console log in web browser shows messages such as "Unexpected end of JSON input" or "Uncaught (in promise) Error: SyntaxError: Unexpected end of JSON input"

Zervicepoint Application log shows errors with Event Id 2 or 107 with messages such as:

Message: Could not find a certificate with matching thumbprint
Source: Client web service
Category: Common
EventId: 2
Message: There was an error trying to execute: System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
  at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.Sign(Byte[] data)
  at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.Sign(String salt, Object data)
  at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.GetSignedResult(IList results, String key, String salt)
  at Zipper.ZervicePoint.ProvisioningSystem.ClientWebService.Services.ProviderService.CallProvider(String serviceName, String arguments, String data, String rawToken, String callback)
Source: Cient web service
Category: Provisioning.Provider
EventId: 107

This error is most likely due to incorrect thumbprint/missing certificate in LocalMachine\My on the Zervicepoint Worker.

Ensure that the thumbprint values for Token Signing and Data Signing in your Worker Authentication settings matches with the configuration in C:\Program Files\Zipper\Zervicepoint\Web\ClientWebService\web.config

<appSettings>
    <add key="TokenCertThumbPrint" value="268E5C976EECFE260324EE9CCDD0DE7E4CB7C68D"/>
    <add key="DataSignCertThumbPrint" value="A23AB134CE472095D39A13975F362D0ADA94D700"/>
</appSettings>

thumbprints

Private Key missing for Data signing certificate / InvalidKey_OrCertificateForSigning

This error shows up when thumbprints are correct and a certificate is imported to LocalMachine\My, but the certificate itself does not contain the Private Key of the certicate.

This can occur if the certificate was not generated from the worker itself and instead generated in the admin web or if the imported certificate is missing the private key of the certificate. You should generate the data signing certificate as described in install worker.

Info

The functionality for generating the token/data signing certificates in the Admin Web are more for on-premise installation of Zervicepoint, where the client web service endpoint may be located on the same server as the other Zervicepoint components.

Message: There was an error trying to execute: System.ArgumentException: InvalidKey_OrCertificateForSigning
Parameter name: certificate
   at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.Sign(Byte[] data)
   at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.Sign(String salt, Object data)
   at Zipper.ZervicePoint.Common.Security.ProviderDataSignature.GetSignedResult(IList results, String key, String salt)
   at Zipper.ZervicePoint.ProvisioningSystem.ClientWebService.Services.ProviderService.CallProvider(String serviceName, String arguments, String data, String rawToken, String callback)
Category: Provisioning.Provider
EventId: 107

Private Key missing for Data signing certificate

The thumbprints are correct, I have the private key of the certificate but I'm still receiving event id 107.

Message: There was an error trying to execute: System.Security.Cryptography.CryptographicException: Keyset does not exist
EventId: 107

This error is due to service account running the application pool, does not have access to the "private key" on the certificate. This can be solved by either explicity granting access to the certificate as shown in the screenshots below, or granting local administrator rights to the service account.

privatekey01 privatekey02

ProvisioningSystem

  • Incorrect/Missing worker key for ProvisioningSystem
  • Incorrect credential identifier
  • Credential is not created in the context of the service account running the ProvisioningSystem service.

Incorrect/Missing worker key for ProvisioningSystem

EventId 85, 92, 224 can hint towards that the worker key is incorrect.

Message: Error creating token with provisioningKey for url https://portal.zervicepoint.com/. System.Configuration.ConfigurationErrorsException: Couldn't locate credentials ('WorkerKey') for getting security token.
   at Zipper.ZervicePoint.ProvisioningSystem.Service.ProvisioningServiceBase.GetProvisioningKey(String credentialName)
   at Zipper.ZervicePoint.ProvisioningSystem.Service.ProvisioningServiceBase.GetSecurityTokenProvisioningKey(String appliesTo, String credentialName)
Category: All Events
Priority: -1
EventId: 244
Severity: Error
Message: Could not report provider inventory status: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.

When installing the worker, you specify an identifier for worker key(Default: WorkerKey). This is the identifer of the stored in a Windows Vault, accessible via Credential Manager or our Zervicepoint PowerShell Mgmt module.

Verify the identifier name by looking up the value in CredentialIdentifier in C:\Program Files\Zipper\ZervicePoint\ClientWebService\Zipper.ZervicePoint.ProvisioningSystem.Inventory.exe.config or C:\Program Files\Zipper\ZervicePoint\ProvisioningSystem\Zipper.ZervicePoint.ProvisioningSystem.Service.exe.config

Add worker key to service account