Follow

Issue: Removing port 80 binding in IIS breaks some elements of Venafi TPP

Applies To

All versions of TPP, at least up to 19.2 

Symptom

When the binding for port 80 is removed in IIS some components of Venafi stop functioning.

Affected components include:

  • Agent check-in (fails to start at all.  When running in interactive mode, you literally see no activity)
  • WebSDK (Receive 500 error during authentication and you don't get an API key)
  • SCEP/NDES

Cause

Despite the fact the the clients in these components are not sending any traffic over port 80 to the Venafi TPP server the web.config for the API of these components requires port 80 to be open. There is, however, a modification that can be made to the web.config files for the affected components which will allow the binding to be removed.

NOTE: Removal of this binding MAY stop other unrelated processes.  For instance, SCEP clients often only support HTTP.  Additionally, if a CRL is actually STORED on the TPP server, then a CRL check may fail, since CRL's are only published for LDAP and HTTP.

Resolution

There are two resolutions to this. The recommended resolution is to leave port 80 bound or add it back in.  The other is to follow these steps to allow us to ignore that it's missing as follows:

Edit the following Web.config files:

  • <TPPInstallPath>\Venafi\Web\Client\Web.config
  • <TPPInstallPath>\Venafi\Web\WebSDK\Web.config
  • <TPPInstallPath>\Venafi\Web\VScep\Web.config

By adding the following clause right after “ <system.serviceModel>” in each file.

<bindings>
    <webHttpBinding>
        <binding>
            <security mode="Transport" />
        </binding>
    </webHttpBinding>
</bindings>

Restart IIS (e.g. IISReset)

Was this article helpful?
2 out of 2 found this helpful
Have more questions? Submit a request

Comments