Troubleshooting TLS and SSL
In the default T4S Server configuration, the T4S web app has only Windows Authentication enabled under Authentication, and its SSL Settings have Require SSL and Require Client Certificate enabled.
The T4S service, T4SExecuteService.asmx, has Anonymous Authentication enabled.
Its default SSL Settings likewise have Require SSL and Require Client Certificate enabled.
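The following PowerShell reads those IIS settings back and flags any that differ from the defaults described above. It is an added example, not part of the T4S documentation; the site name 'Default Web Site', the application path 'T4S' and the service path 'T4S/T4SExecuteService.asmx' are placeholders to adjust for your server.

```powershell
# Added example (not T4S's own code): compare the IIS authentication and SSL settings of the
# T4S web app and the T4SExecuteService.asmx service against the documented defaults.
# Assumptions: site 'Default Web Site', app path 'T4S', service path 'T4S/T4SExecuteService.asmx'.
Import-Module WebAdministration

$site = 'Default Web Site'                               # placeholder
$app  = "IIS:\Sites\$site\T4S"                           # placeholder: the T4S web app
$svc  = "IIS:\Sites\$site\T4S\T4SExecuteService.asmx"    # placeholder: the service location

function Get-T4SAuthAndSsl {
    param([Parameter(Mandatory)][string]$PSPath)
    $auth = 'system.webServer/security/authentication'
    [pscustomobject]@{
        Path      = $PSPath
        Windows   = [bool](Get-WebConfiguration -PSPath $PSPath -Filter "$auth/windowsAuthentication").enabled
        Anonymous = [bool](Get-WebConfiguration -PSPath $PSPath -Filter "$auth/anonymousAuthentication").enabled
        # sslFlags is a comma-separated flag list, e.g. 'Ssl,SslNegotiateCert,SslRequireCert'
        SslFlags  = [string](Get-WebConfiguration -PSPath $PSPath -Filter 'system.webServer/security/access').sslFlags
    }
}

function Test-T4SDefaults {
    # Documented defaults: app = Windows auth only; service = Anonymous;
    # both = Require SSL ('Ssl') and Require Client Certificate ('SslRequireCert').
    $expected = @(
        @{ Path = $app; Windows = $true;  Anonymous = $false },
        @{ Path = $svc; Windows = $false; Anonymous = $true  }
    )
    foreach ($e in $expected) {
        $actual = Get-T4SAuthAndSsl -PSPath $e.Path
        $flags  = $actual.SslFlags -split ',' | ForEach-Object { $_.Trim() }
        $issues = @()
        if ($actual.Windows   -ne $e.Windows)   { $issues += "Windows auth enabled=$($actual.Windows), expected $($e.Windows)" }
        if ($actual.Anonymous -ne $e.Anonymous) { $issues += "Anonymous auth enabled=$($actual.Anonymous), expected $($e.Anonymous)" }
        if ($flags -notcontains 'Ssl')            { $issues += 'Require SSL is off' }
        if ($flags -notcontains 'SslRequireCert') { $issues += 'Require Client Certificate is off' }
        [pscustomobject]@{ Path = $e.Path; SslFlags = $actual.SslFlags; Issues = ($issues -join '; ') }
    }
}

Test-T4SDefaults | Format-List
```

Run it in an elevated PowerShell on the T4S server; an empty Issues column for both paths means the configuration matches the defaults, and anything listed there is the first thing to correct before testing the connection from Salesforce.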
To help troubleshoot T4S connections from Salesforce, you can run this script from an Execute Anonymous window in Salesforce:
// Read the endpoint and client certificate name from the T4S configuration record
fuseit_t4s__Trim__c trim = [Select Id, fuseit_t4s__Trim_Light_IP_Address__c, fuseit_t4s__ClientCertificateName__c from fuseit_t4s__Trim__c limit 1];
try {
    Http h = new Http();
    HttpRequest req = new HttpRequest();
    req.setHeader('Content-Type','application/json');
    req.setEndpoint(trim.fuseit_t4s__Trim_Light_IP_Address__c);
    req.setMethod('GET');
    // Name of the certificate in Salesforce Certificate and Key Management that is presented as the client certificate
    req.setClientCertificateName(trim.fuseit_t4s__ClientCertificateName__c);
    req.setTimeout(60000);
    HttpResponse res = h.send(req);
    Integer code = res.getStatusCode();
    System.debug('Status code = ' + code);
    if (code != 200) {
        throw new fuseit_t4s.TrimException('HTTP Error code ' + code + ' connecting to ' + trim.fuseit_t4s__Trim_Light_IP_Address__c);
    }
} catch (Exception e) {
    System.debug('Error Line ' + e.getLineNumber() + ' Msg ' + e.getMessage());
}
On the T4SExecuteService.asmx SSL Settings, you can change Client Certificates to "Ignore" and test whether you then receive a 200 OK response.
If you receive a 200 OK response with Client Certificates set to "Ignore" and a 403 error when set to "Require", make sure your Salesforce self-signed certificate is located in the "Trusted Root Certification Authorities" store.
Check that your CA-signed certificate is listed in IIS Server Certificates.
To help diagnose whether the problem is a TLS issue or a client certificate issue, you can add custom fields to the IIS logging.
These record the TLS negotiation and the client certificate passed in with each request.
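The PowerShell below registers such custom W3C log fields for a site. It is an added example and not part of the T4S documentation; the site name is a placeholder, and it assumes the source names are the standard IIS server variables (the CERT_* variables are long-standing, while CRYPT_PROTOCOL and CRYPT_CIPHER_ALG_ID are only exposed by newer IIS 10 builds, so if those columns log "-" on an older server the variable is simply not available rather than the handshake having failed).

```powershell
# Added example (not T4S's own code): add custom W3C log fields that capture the TLS
# negotiation and the client certificate for every request to the site.
# Assumptions: site 'Default Web Site'; sources are IIS server variables as named below.
Import-Module WebAdministration

$site   = 'Default Web Site'   # placeholder
$filter = "system.applicationHost/sites/site[@name='$site']/logFile/customFields"

# logFieldName = column header written to the log; sourceName = IIS server variable read per request
$fields = @(
    @{ logFieldName = 'crypt-protocol'; sourceName = 'CRYPT_PROTOCOL';      sourceType = 'ServerVariable' },
    @{ logFieldName = 'crypt-cipher';   sourceName = 'CRYPT_CIPHER_ALG_ID'; sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-subject';   sourceName = 'CERT_SUBJECT';        sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-issuer';    sourceName = 'CERT_ISSUER';         sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-flags';     sourceName = 'CERT_FLAGS';          sourceType = 'ServerVariable' }
)

# Custom fields are only written in the W3C log format
Set-ItemProperty "IIS:\Sites\$site" -Name logFile.logFormat -Value 'W3C'

foreach ($f in $fields) {
    # Skip fields that are already registered so the script can be re-run safely
    $existing = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name Collection |
                Where-Object { $_.logFieldName -eq $f.logFieldName }
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' -Value $f
    }
}

# Show what is now configured; the new columns appear in the next log file IIS starts
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name Collection |
    Select-Object logFieldName, sourceName, sourceType
```

With the three CERT_* columns configured, a request that arrives without any client certificate logs "- - -" in those columns, which is the pattern the note below refers to.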
If you receive a 403 response, check your IIS logs for the sub-status value, e.g.
sc-status sc-substatus
403       7
or
sc-status sc-substatus
403       16
NOTE: if IIS logs "- - -" for the client certificate variables, then no certificate is being passed to IIS with the request.
Check your load balancer, proxy server, etc. to make sure the client certificate is being passed through to the server.
Check the sc-win32-status: a value of 2148204809 indicates that the certificate chain was processed but terminated in a root certificate that is not trusted by the trust provider.
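The following script runs that triage over a W3C log automatically, combining the sub-status, the sc-win32-status and the custom certificate columns into one diagnosis per request. It is an added example, not part of the T4S documentation; the log lines are constructed, and the custom column names (crypt-protocol, cert-subject, cert-issuer, cert-flags) are an assumption that must match the fields you configured in IIS. The sub-status meanings (403.7 = client certificate required, 403.16 = client certificate untrusted or invalid), the Schannel protocol constants and the CERT_FLAGS bits are standard IIS/Windows values; 2148204809 is 0x800B0109, CERT_E_UNTRUSTEDROOT.

```powershell
# Added example (not T4S's own code): classify client-certificate failures in an IIS W3C log.
# Assumptions: custom columns named crypt-protocol, cert-subject, cert-issuer, cert-flags.

# Constructed sample log (not captured from a real server)
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus sc-win32-status crypt-protocol cert-subject cert-issuer cert-flags
2024-01-15 10:00:01 GET /T4S/T4SExecuteService.asmx 200 0 0 1024 CN=sf-client CN=sf-client 1
2024-01-15 10:00:02 GET /T4S/T4SExecuteService.asmx 403 7 0 1024 - - -
2024-01-15 10:00:03 GET /T4S/T4SExecuteService.asmx 403 16 2148204809 1024 CN=sf-client CN=sf-client 3
'@

# Turn W3C lines into objects using the column names from the '#Fields:' header
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# CRYPT_PROTOCOL reports the Schannel SP_PROT_*_SERVER constant of the negotiated protocol
$tlsName = @{ '64' = 'TLS 1.0'; '512' = 'TLS 1.1'; '1024' = 'TLS 1.2'; '16384' = 'TLS 1.3' }

function Get-CertDiagnosis {
    param($Row)
    $status = "$($Row.'sc-status').$($Row.'sc-substatus')"
    # "- - -" in the certificate columns: nothing reached IIS (check LB/proxy pass-through)
    $noCert = ($Row.'cert-subject' -eq '-') -and ($Row.'cert-issuer' -eq '-') -and ($Row.'cert-flags' -eq '-')
    # CERT_FLAGS bit 0 = certificate present, bit 1 = issuing CA not recognised by the server
    $untrustedIssuer = ($Row.'cert-flags' -ne '-') -and (([int]$Row.'cert-flags' -band 2) -ne 0)

    if ($status -eq '403.7' -or ($Row.'sc-status' -eq '403' -and $noCert)) {
        'Client certificate required but none presented: check load balancer/proxy pass-through'
    } elseif ($Row.'sc-win32-status' -eq '2148204809') {
        'Chain ends in an untrusted root (CERT_E_UNTRUSTEDROOT): check the Trusted Root store'
    } elseif ($status -eq '403.16' -or $untrustedIssuer) {
        'Client certificate untrusted or invalid: check its issuer is in the Trusted Root store'
    } elseif ($Row.'sc-status' -eq '403') {
        "Forbidden ($status)"
    } else {
        'OK'
    }
}

ConvertFrom-W3CLog ($sampleLog -split "`r?`n") | ForEach-Object {
    $proto = $_.'crypt-protocol'
    [pscustomobject]@{
        Time      = $_.time
        Status    = "$($_.'sc-status').$($_.'sc-substatus')"
        Win32     = $_.'sc-win32-status'
        Tls       = if ($tlsName.ContainsKey($proto)) { $tlsName[$proto] } else { $proto }
        Diagnosis = Get-CertDiagnosis $_
    }
} | Format-Table -AutoSize
```

To run it against a real log, replace the `$sampleLog -split` input with `Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'` (the default IIS log location; the site id in the folder name varies). The 403.7 row with "- - -" points at the proxy or load balancer, while the 403.16 row with sc-win32-status 2148204809 points at the server's certificate stores, which is the check that follows.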
Check that no intermediate CA certificates are in the Trusted Root CA store by running this command in PowerShell:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
If any certificates are listed, move the problem certificates out of the Trusted Root CA store and into the Intermediate CA store:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA