Solutions for InfoPath web service connection problems behind SSL enabled TMG or hardware Load Balancer in Sharepoint 2010

Hi Everyone,

In this article i will explain a well known problem about web service connection problem on your sharepoint servers behind SSL offload Load Balancer or TMG reverse proxy enabled topologies.

What is SSL Offload and Acceleration:
Depending on the workload, processing the encryption and authentication requirements of an SSL request can become a major part of the demand on the Web Server’s CPU and as the demand increases the users will see slower response times. To remove this demand from the Web Server a Load Balancer may be used to terminate the SSL at the Load Balancer. Some Load Balancer appliances include specialized hardware to process SSL. When a Load Balancer terminates the SSL connections the requests are converted from HTTPS to HTTP in the Load Balancer before being passed to the Web Server. So long as the Load Balancer itself is not overloaded this feature will not noticeably degrade the performance perceived by the end users.

For More information about Reverse proxy publishing:
So lets explain our topology. We have 2 WFE server and a Hardware Load Balancer.

WFE01 : Sharepoint Web Front End Server  which serving and our custom web service

WFE02: Sharepoint Web Front End Server  which serving and our custom web service

HLB : Hardware load balacer device which is configured SSL Offload.

for this topology needed configuration fallowing Alternate Access Mappings …

Internal URL:
Zone: Default
Public URL for zone:  

Internal UR:  
Zone: Default
Public URL for zone:  

For more information about How do I configure a load balancer to accept only SSL requests please read fallowing article:
Ok. If you establish your AAM correctly, you can able to browse our sharepoint site well. First of all all client computer in your domain must use HTTPS protocol for browsing
our portal even if they write it will redirected to SSL httpS:// according AAM configuration. But on the server’s browsers i mean if you connect to WFE1 or WFE2 you can not browse the site with using SSL because there is not any SSL implementation configured on your sharepoint servers.(also this is which we want for performace) unless redirect to outside port of HLB which is mostly prohibited for security. So you can browse your portal using HTTP protocol only on WFE server’s browsers reversly client action.

Ok so far so good What is the problem ?
You have a developer machine outside of the server farm and can able to create Infopath Web Forms using Sharepoint Designer or Infopath 2010  .And they can publish their form to sharepoint and see all forms are working correctly by instead of SSL communication. But what if one of the InfoPath form needs to connect a web service which is already publishing on our sharepoint portal “/_layouts/CustomWebService/myservice.asmx” it can be built in sharepoint web service too but in this scenario is customized asmx file.

You will get the 5566 connection problem when you try to open this infopath form after publish to server.

Why ?
Because when you working with your infopath form in InfoPath2010 (in client machine) you can able to configure your web service connection with HTTPS.
For example
if you test form your client computer’s browser you can see WSDL without any problem.
yes on client machine you can able to reach this service without any error and develop your form as you want.But After you deploy/publish it to sharepoint server the form
(also publish ends successfully)  and assume that the user request this form ,wfe server process the pipeline and requests to connect webservice for getting data not the client !!! So as i told you before there is not any SSL connection can be done in server network but your published web service url is starting with https , and all requestes are redirected HTTPS according Alternate Access Mappings. You got the problem 🙂

So what we could do for resolving this issue

The first solution 

you can configure a rule for HLB (if it is configurable) that server request can over through directly load balancer by using https .mean you should allow the server requests pass through HLB even if requester machine itself. (But this time you may encounter with double-hop scenario).But somehow if you can not configure your LB or prohibited by security reson or faced with double hop  you need second solution which is a little complicated.

The Second Solution

1)  You can add another Host header to your site from IIS console which is using protocol of HTTP
http://myblogserviceDo not add any AAM record for it. If you create an AAM record it will rewrite your service url as https again.

2) Adding host file record of all request can be redirected to same machine (for preventing double hop)
For WFE1  ->    wfe1
For WFE2  ->    wfe2

3) Give only the developer machines to direct access http://myblogservice for able to create their infopath form correctly.

4) Enable Cross Domain options for InfoPath Services.
Central Administration –> General Application Settings –> InfoPath Forms Services –> Configure InfoPath Forms Services:
Note :If this is an administrator-approved form template, the security level of the form must be set to full trustAbout  InfoPath Security Model:

5) Create and use Data Connection Library for storing infopath connection information
How to: Create and Use a Data Connection Library

6) Configure your InfoPath forms as use connections udcx files. And use your new host header for connecting web service like

7) And publish your forms.

If you completed all steps correctly, when a user browse an infopath form from your site one of wfe server handle the request by using https when the server need to connect
web service it will use http protocol which can be used by servers and you can able to browse your infopath for correctly without any connection error.

A simple code impersonation in Sharepoint

Hello Everyone,

In this article i share with you a sample function that provide us code impersonation.For example you have login to sharepoint as system account and what to add an item to a custom list but you impersonate it by another user. As you know SPSecurity.RunWithElevatedPrivileges can provide us to run code as Sharepoint\system account.
So what if you impersonate with another user. The main key point is SPSite object constructor has parameter as SPUserToken, if you pass this token to the constructor,
it provide execute code with related user rights as defined with SPUserToken. For a real code impersonation you should better to use some native dll references (AdvApi32 DLL) . but this is also work for simple operations well.

Here the RunAsAdmin static class that contains ImpersonateRun fuction getting 2 parameters .
1) Account : the account to use rights
2) RunWithAdminDelegate : which is a delegate that provide us writing less codding for our implementations using lambda functions

Code Impersonation Sample
  1. public static class RunAsAdmin
  2. {
  3.     public delegate void RunWithAdminDelegate(SPSite site, SPWeb web);
  4.     public static void ImpersonateRun(string account,RunWithAdminDelegate myDelegate)
  5.     {
  6.         Guid webID = SPContext.Current.Web.ID;
  7.         Guid siteID = SPContext.Current.Site.ID;
  8.         SPUser privilegedAccount =null ;
  9.         if(string.IsNullOrEmpty(account))
  10.         {
  11.             privilegedAccount = SPContext.Current.Web.CurrentUser;
  12.         }
  13.         else
  14.         {
  15.             privilegedAccount = SPContext.Current.Web.EnsureUser(account);
  16.         }
  17.         SPUserToken privilegedToken = privilegedAccount.UserToken;
  18.         using (SPSite site = new SPSite(siteID, privilegedToken))
  19.         {
  20.             site.AllowUnsafeUpdates = true;
  21.             using (SPWeb web = site.OpenWeb(webID))
  22.             {
  23.                 //SPWebApplication webApp = web.Site.WebApplication;
  24.                 //  webApp.FormDigestSettings.Enabled = false;
  25.                 web.AllowUnsafeUpdates = true;
  26.                 myDelegate.Invoke(site, web);
  27.                 web.AllowUnsafeUpdates = false; ;
  28.                 //   webApp.FormDigestSettings.Enabled = true;
  29.             }
  30.         }
  31.     }
  32. }

the usage is very simple , Less coded less simple .

The usage
  1. protected void Page_Load(object sender, EventArgs e)
  2. {
  3.     RunAsAdmin.ImpersonateRun(“BLOG\\bpostaci”, (site, web) =>
  4.     {
  5.         SPList list = web.Lists[“MyList”];
  6.         foreach (SPListItem item in list.Items)
  7.         {
  8.             //Add Some items.
  9.         }
  10.     });
  11. }

see you next time.

Istanbul Sharepoint Summit 2011

Hello Everyone,

Istanbul Sharepoint Summit 2011 is starting at 6th of December .I will introduce 300 level “Developing and Managing SharePoint Solutions with Visual Studio ” session:

Want to know how to best take advantage of Visual Studio 2010’s built in support for SharePoint?  In this demo heavy session we will explore Visual Studio 2010’s tightly integrated SharePoint development tools.  You will see Visual Studio’s built in support for creating the most common customizations including custom web parts, event receivers, Workflows and more.  We will also see how Visual Studio’s ALM capabilities available in Visual Studio Ultimate and Team Foundation Server can be applied when working with SharePoint.

For more information about event please visit :

See you in the event 🙂