Impersonation - Worker process doesn't use impersonated account only for purging scan batches

Kirk_Sumpter
Star Collaborator

We recently stood up an OnBase version 18 test environment, and I happened upon this issue by accident: when we purge a scan batch from the batch processing window, for each document in the batch Diagnostics console shows "FindInIdFile error: \\UNCSHARE\OBDG\XXXXXX\OnBase.id  [Error accessing file - ERRNO13] Permission Denied".

We have impersonation running, the app pool is running under the Network Service account as suggested in the MRG.

Every other operation we have tried works flawlessly in the environment, no issues with impersonation accessing or doing anything else on the disk groups.

The impersonated account has full control of the disk group/subfolders and OnBase ID files.

When viewing the worker process via Process Monitor, the specific line where the worker process tries to access the OnBase ID file for the purge does not show an impersonated account, which is why the error occurs. But every other operation that impacts that disk group shows the impersonated account in Procmon as the one taking the action.

FLOS is saying this is something in the configuration of the server or the network (i.e. "not an OnBase issue"), but I don't understand how that can be since the worker process typically uses the correct impersonation account, just not for this exact action (purging scan batch).

In Unity, the user receives no errors, no messages that anything has gone wrong. The batch itself is removed from OnBase as expected, but behind the scenes the files are left on the disk group as orphans, and if you are unaware this is happening, it could be a potential issue.

Two questions:

1) Does anyone have any suggestions as to what we might check on the network or server side that would impact this from an impersonation perspective? We run impersonation on all of our environments running V16 without issue, and FLOS has checked everything they know to check from an OnBase impersonation perspective. I've run out of search terms googling impersonation and haven't come up with anything.

2) Has anyone, or would anyone, running impersonation on a version 18 (we're running build 149) test or Dev environment be willing to test this to see if it behaves the same way in your environment? All you need is to run Diagnostics Console on your app server, load a scan batch in the batch processing window, right-click to purge it and see if the errors appear in Diagnostics.

Any ideas are welcome!

1 ACCEPTED ANSWER

Kirk_Sumpter
Star Collaborator

Per FLOS, they have agreed this is an issue they need to address; my rep on the ticket has written up SCR# 320446 to address this issue. The SCR is currently in internal review status as of 6/11/2019.

The SCR does not yet show against my support issue, but I'm assuming in the near future you can add your organization to this once it gets published if need be.


6 REPLIES

Kirk_Sumpter
Star Collaborator

Followup 1: I just tested this in version 16 and it looks like it exhibits the same behavior (which we've never seen, and you won't either unless you're specifically looking for it). I receive a "permission denied by OS" error when purging a scan batch in Unity.

Kirk_Sumpter
Star Collaborator

Followup 2: FLOS was able to replicate this issue in their environment. Per support, the only options we have are to:

1) disable impersonation (not an option, as certain functions we need only work with impersonation on; I believe it's export to network location in Workflow), or

2) give the account running the application pool full control of the disk groups. Since we're using the recommended Network Service account, which isn't truly a domain account as far as I understand it, I'm hard pressed to think I can get our info security folks to sign off on that idea.

I did ask the tech rep to submit a change to the documentation for the app server, as I believe this should certainly be documented.

For those of you who do purge batches routinely, I would recommend avoiding doing it in Unity Client if possible, since it's the app server's access that gets denied. At least in our environment, doing a purge in the thick client works fine and does delete the files from the disk group.

The last note I'll make, for anyone else who may stumble upon this topic: in my reading regarding impersonation there were a number of notes about needing to enable Active Directory delegation for the computer (server) running the impersonation, so I may attempt that and see if it fixes the issue. If I end up doing that testing, I'll update the thread.

Alan_Vidmar
Star Contributor

Thanks for the write-up Kirk.

I have seen some of that behavior as well, but didn't know the root cause. In our case, since we run DDS, this causes the App Server to switch over to using DDS to complete the purge. At that point the App Server stays on DDS until the next reset. Rinse/repeat.

Let us know when/what the SCR is so that we can get added.

Alan

Daniel_Johnson1
Confirmed Champ

We've experienced similar issues after upgrading to v18. While not your issue specifically, what we did may help.

1. Change the user account in the IIS App Pool advanced settings to a domain account with proper access, or
2. Add the account and password to the registry, then change the App Server's Web.config impersonation line to include the userName and password pointing to the registry entries.

This can be done through WAMCOM, though, if you add ASPNET to the registry:
- Run regedit as Admin
- HKLM | Software | Hyland | WOW6432Node | Hyland | AppNet | Identity | ASPNET_SETREG
- R-Click “ASPNET_SETREG” | Permissions
- Add | {Authenticated Users}
- Advanced (for special permissions) | Type = Allow, Applies To = This key only, Basic permissions: Read and Special Permissions | OK
- Apply | OK | OK

Because of our specific issues, we've utilized both methods. I'm not aware of an SCR but that doesn't mean, of course, there isn't one. Hope this helps!
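The registry permission steps in the reply above (read access for Authenticated Users, "this key only") can be scripted so the change is repeatable and reviewable. The script below is an added example, not code from the thread or from Hyland. It assumes the key path exactly as Daniel wrote it, which you should check against where aspnet_setreg.exe actually created the key on your server; the `$Principal` default and the `-WhatIf` switch are my additions. It grants only `ReadKey` rights with no inheritance, skips the change if an equivalent allow entry already exists, and prints the resulting ACL so it can be verified before the app pool is recycled.

```powershell
# Added example (not from the thread or from Hyland): grant Authenticated Users
# read access on the ASPNET_SETREG key, scoped to this key only, then show the ACL.
# Run from an elevated PowerShell session on the app server.
param(
    # Path as written in the post above; assumption - verify it against the key
    # aspnet_setreg.exe actually wrote on your server.
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Hyland\WOW6432Node\Hyland\AppNet\Identity\ASPNET_SETREG',
    [string]$Principal = 'NT AUTHORITY\Authenticated Users',
    [switch]$WhatIf
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath (run aspnet_setreg.exe first)"
}

$acl = Get-Acl -Path $KeyPath

# ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions, i.e. the
# "Read" basic permission in regedit. No inheritance flags = "This key only".
$rights      = [System.Security.AccessControl.RegistryRights]::ReadKey
$inheritance = [System.Security.AccessControl.InheritanceFlags]::None
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList @($Principal, $rights, $inheritance, $propagation, $type)

# Idempotency: do nothing if an allow entry already covers at least ReadKey.
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq $type -and
    (($_.RegistryRights -band $rights) -eq $rights)
}

if ($existing) {
    Write-Host "Read access for '$Principal' already present on $KeyPath"
} elseif ($WhatIf) {
    Write-Host "Would add Read (this key only) for '$Principal' on $KeyPath"
} else {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Host "Added Read (this key only) for '$Principal' on $KeyPath"
}

# Show the final ACL so the change can be reviewed before recycling the app pool.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

Run it once with `-WhatIf` to confirm the key path resolves before applying the change. Keeping the grant to `ReadKey` on the single key, rather than Full Control or an inherited rule, is what makes this acceptable to hand to a security reviewer: the worker process only needs to read the two encrypted values the `registry:` references in Web.config point at, nothing more.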