Problem while accessing a DSS service running in another node

  • Question

  • Hi All,

     

    I have four services. They are TestService, CalculatorService, TranscedentalService and BinaryArithmeticService. TestService, CalculatorService and TranscedentalService run on one machine (say Machine A). BinaryArithmeticService runs on another machine with the name "keckcontroller". Machine A has robotics studio installed. BinaryArithmeticService was originally in Machine A and was deployed in "keckcontroller" using "dssdeploy". TestService partners with CalculatorService using the partner attribute. CalculatorService in turn partners with TranscedentalService (using the partner attribute) and BinaryArithmeticService (programmatically by finding the directory service of the other machine and finding this service from the directory service). I started the BinaryArithmeticService on "keckcontroller" using DssHost that came with dssdeploy. After that, when I run the TestService on machine A, I am getting the error message. The error occurs when my CalculatorService tries to find the directory service of "keckcontroller:50000" so that it can partner with the BinaryArithmeticService.

     DsspForwarder:OutboundFailureHandler. Exception:HttpTransport.ProcessOutboundPacket: Failure writing to stream after N retries. Action:http://schemas.microsoft.com/xw/2004/10/dssp.html:QueryRequest Body Type:Microsoft.Dss.Services.Directory.Proxy.QueryRequest Target Service:http://keckcontroller:50000/directory Source Service:http://bio4072953.asurite.ad.asu.edu:50000/calculatorservice/e813101d-7afd-454e-bce8-4f735fabbddd

    As you said before, it appears the packets are not accepted at "keckcontroller" because of some firewall settings.

    Based on some tips from online sources, I turned "off" the firewall in the "keckcontroller" machine. However, now I seem to get a different error when my CalculatorService tries to find the directory service of "keckcontroller:50000"

    ### DsspForwarder:OutboundFailureHandler. Exception:System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Dss.Services.Transports.Http.HttpTransportService.HandleHttpPostResponse(IAsyncResult Res) Action:http://schemas.microsoft.com/xw/2004/10/dssp.html:QueryRequest Body Type:Microsoft.Dss.Services.Directory.Proxy.QueryRequest Target Service:http://keckcontroller:50000/directory Source Service:http://bio4072953.asurite.ad.asu.edu:50000/calculatorservice/1c0fdb7f-be11-4ae1-86e3-4b34c25a5db2

     

    It appears that I need to give some user credentials. I tried to access the service on the other machine directly from the browser by typing "http://keckcontroller:50000/directory". It prompted for a user ID and password. I entered "keckcontroller\admin" (one of the admin users for the keckcontroller machine that I am trying to connect to) and the password. It does not seem to accept them.

    Firstly,  I am not very comfortable with turning the firewall off as it makes the system vulnerable. Hence, can you please tell me the "best" and "secure" way of doing what I am trying to do.

     

    Thanks,

    Venkat

    Monday, November 14, 2011 5:45 PM
    Moderator

Answers

  • Hi Venkat,

    Try to use the credentials of the account running the service (i.e. the account under which the DSS node was created). By default, permissions are only granted to NT AUTHORITY\SELF.

    Look here for more guidance on the security model: http://msdn.microsoft.com/library/bb483066.aspx

    If the remote service cannot be run under the same account, then you would have to add permissions to the node to allow for the different account or security group.

     

    As far as the firewall is concerned, if you add Inbound TCP entries for the port under which you are running the node (e.g. 50000), then you should be able to access it remotely w/o disabling the firewall.

    Example:
    Windows Key + R

    => firewall.cpl

    => Advanced settings

    => Select Inbound Rules

    => Click New Rule...

    => Select Port and click Next

    => Select TCP, leave Specific local ports selected and specify the ports (or port range) and click Next

    => Select Allow the connection and click Next

    => Check profiles you would like the entry to be allowed on (if any, then check all boxes) and click Next

    => Give it a name for your own reference and click Finish

     

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

    Hope this helps

    Thursday, November 17, 2011 5:42 PM
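
The inbound-rule steps from the answer above, written as a script (an added example, not part of the original thread). It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets; the peer address and rule name are placeholders, and unlike the GUI walkthrough it limits the rule to one remote address and to the Domain and Private profiles.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the machine hosting the DSS node (keckcontroller in the thread).
param(
    [int[]]    $Port            = @(50000),             # node port named in the thread
    [string[]] $AllowedPeer     = @('192.0.2.10'),      # placeholder: address of the calling node (Machine A)
    [string[]] $FirewallProfile = @('Domain','Private'),# narrower than "check all boxes"
    [string]   $RuleName        = 'DSS node inbound (example)'  # hypothetical name
)

# Remove an earlier copy of the rule so reruns do not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Same choices as the wizard: Inbound, Port, TCP, specific local ports, Allow,
# plus a remote-address scope so only the partner node can reach the port.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $Port -RemoteAddress $AllowedPeer `
    -Profile $FirewallProfile | Out-Null

# Read the rule back so the effective scope is visible, not assumed.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
}

# The firewall itself should still be on for every profile after this change.
Get-NetFirewallProfile | Select-Object Name, Enabled

# From the calling machine, check reachability of the port:
#   Test-NetConnection -ComputerName keckcontroller -Port 50000
# TcpTestSucceeded = True means the rule admits the connection; a 401 after
# that point is the node's own authorization, not the firewall.
```
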

All replies

  • Hi All,

    I was wondering if anyone had an opportunity to look at this.

    Thanks,

    Venkat

    Thursday, November 17, 2011 10:52 AM
    Moderator
  • If it says that you are not authorized, are you running as an Administrator or a User? You might need to log in as an Administrator and use the httpreserve utility to reserve the port(s) for the normal User account that you use. Look in the Help file for more info.

    Trevor

     

    Saturday, November 19, 2011 6:07 AM