Vault Error - You have insufficient permissions to open the File.

Hello all,

I'm getting a weird error with the vault using a completely out of the box install of Innovator 2023. No new users, changes to itemtypes, etc. We literally just installed Innovator 2023 and logged in.

"Failed to get the File"

"You have insufficient permissions to open the File."

The problem is that it doesn't happen to everyone, and who it happens to changes after an IIS reset or application pool recycle. I can log in to Innovator, using localhost from a browser on the same server the application is installed on, using the admin user, and I can open and add files to a Document no problem. Then my colleague, also on the same server, logs in using localhost, with the admin user, and she can't open the file thanks to this error. She CAN add a file to the Document, and it is properly vaulted, though she is unable to view that file after it's been added. It's like create access still works, but not read access. If we recycle the app pools and she logs in first, then I log in, I will get the error. It's usually the second person to log in that gets the error, though not always. Usually it's just the one person with the error, but that's not always the case either.

Normally when I'd see an error like this I would check the windows folder permissions on the Vault to make sure the user the application pool runs as has access. Everything seemed normal there but to rule it out I added Everyone to the permission with full control. We're both using the admin user to rule out permissions inside the Innovator application as well. Accessing it from a different server, or using a different browser like Chrome makes no difference, clearing the browser cache also doesn't help, and neither does the Admin > Clear Client Metadata Cache option in Innovator..

We turned on all the logging we could and seemed to find the culprit but are at a loss for what is going on and why it's so intermittent. It seems that for whoever Innovator decides shouldn't be able to get files, it's because of an error in the AuthenticationBrokerWebService. It's trying to do Aras.Server.Models.AuthenticationBroker.GetFileDownloadTokenModel but getting an error, "Database configuration was not found for 'dbname'".

Has anyone seen something similar before? I've worked with Innovator for many years now, including installs of this version, Innovator 2023, and never seen something quite like this before.

I also noticed weirdness in the license manager. I log in first, and I see just the one session for admin. Then my colleague logs in and tried to get the file, and when I look at the license manager again I see over a 100 sessions for admin. Maybe it's nothing because I always see multiple sessions per user in other Innovator instances, though 100s of them for a single login and file download attempt seems excessive. I don't know if it's related but since the authenticationBroker seems to be the problem with the file download, I figured I'd mention it since it would also have to do with authentication.

Thanks

-Scott

  • Hi Scott,

    I don´t have seen your error message, but your description sounds familiar. Especially when considering that you know Innovator I expect that the basic configuration was done correct.

    I remember following error message when updating from I11 to I12 -> Multiple Errors: DoPhysicalFiles - Access to the path is denied. -
    It´s not the same text, but somehow similar.

    Do you use Active Directory? Is your Innovator installed at a server that contains another Innovator? Does this other Innovator use Active Directory?

    If yes, go to IIS and check if "Vault" has Windows Authentication enabled. If yes, deactivate it. It can happen that previous installations mess up your latest installation regarding IIS settings. Especially when your new Innovator uses the same IIS paths then the old one. 


    In my case I had to restart the Vault App Pool each single hour otherwise people weren´t able to open files. So file download worked for a certain amount of time. It was fun to restart the app pool 8 times a day for several days. Aras support team really fought hard to find the root cause.

    Angela

  • Hi Angela, Thanks for taking the time to look at this.

    This is a new server with just the one Innovator installed on it, no Active Directory either. I checked the website, the InnovatorServer, and the 5 subfolders including the Vault in IIS and they are all just Anonymous Authentication.

    I have uninstalled and re-installed a couple time to try and figure this out, but the issue has been there since the initial one. We've also reproduced the error on a few different servers now.

    Even more confusing, we installed a new instance of Innovator 2023 on a server that had an existing, and properly working, Innovator 2023 install. The old one was the typical InnovatorServer, and the new one we just called InnovatorServer2. It's under the same Default Web site in IIS and yet the old install works and the new install has the vault issue.

    Thanks,

    -Scott

  • Have you updated all the config files in the code tree? Especially vault.config and the ones in the OAuthServer folder?

  • We've done it a few different ways trying to narrow down the cause of our issue.

    The current server I'm looking at we have all the config files in their out of the box state. We figured it would be easier to find the issue without any changes or customizations involved. So all URLs are left as localhost, the vault path is just E:\Aras\Vault\, etc.

    Our dev server, which we didn't notice the instance in until recently though it may have been there the whole time and we just missed it, is set up differently. In that case, IIS is setup with an SSL certificate and the website is running HTTPS, so the the Vault.config's InnovatorServerUrl key was changed to use that https URL rather than localhost. The OAuth.config also has the https URL in the various places it should be, <redirectUris>, <postLogoutRedirectUris>, <allowedCorsOrigins>. The main InnovatorServerConfig.xml uses the https URL for the OAuthServerDiscovery url as well.

  • To Scott or anyone else facing this issue, this is how I have solved the same error:

    Adding the yellow highlighted section below to your "Innovator/Server/appsettings.json" file, save and restart IIS

    "SessionOptions": {

                "IdleTimeout": "08:00:00",

                "Cookie": {

                            "Path": "/"   

                }

    },