Kofax

The KTM Thin Client Validation is generating the following error message when attempting to validate a field: "Your connection to the server has timed out". How can I resolve this issue?

QAID # 13520 Published

Question / Problem:

The KTM Thin Client Validation is generating the following error message when attempting to validate a field:

"Your connection to the server has timed out".

How can I resolve this issue?

Answer / Solution:

Like any other Capture module, the server component of the KTM Thin Client requires access to the CaptureSV share. Permissions to this share are determined by the user running the module. In the case of the KTM Thin Client server module, the user that runs it is the user defined on the Identity tab of the IIS App Pool.

This user defaults to NETWORK SERVICE. In a scenario where IIS and the CaptureSV share are on the same machine, it is sufficient to add permissions for NETWORK SERVICE to the CaptureSV share (SCENARIO 1, below). Where these are not on the same machine, the IIS App Pool identity should be changed to a domain user which is granted permissions to the CaptureSV share (SCENARIO 2, below).

SCENARIO 1

This issue has been resolved by configuring the file and share permissions for the \\<Server_Name>\CaptureSV share for the Network Service account.

The NETWORK SERVICE account should have Full Control permissions to the CaptureSV share, and it is recommended, when specifying this permission, to perform a “Replace permissions entries on all child objects with entries shown here that apply to child object” action.

It is also recommended to have “Inherit from parent the permission entries that apply to child objects. Includes these with entries explicitly defined here” selected. These options may be selected by right-clicking on the CaptureSV share, going to the Security Tab, clicking on the Advanced Tab, selecting the domain/network account that is being used by IIS in the Permission entries portion, and checking the checkboxes in the bottom portion of the window.

This account is the default account that is used by IIS/ASP.NET to connect for accessing and modifying Batch information and files.

To verify if the issue is related to this particular security configuration, a Process Monitor Trace can be run per QAID 9385.

SCENARIO 2

  1. The default account specified on the Identity tab for the Default Application Pool of IIS should be a domain account (if a domain exists) or at least a network account that has sufficient permissions to access the CaptureSV share (in the situation where a domain does not exist).
  2. The account specified should have Full Control permissions to the CaptureSV share, and it is recommended, when specifying this permission, to perform a “Replace permissions entries on all child objects with entries shown here that apply to child object” action. It is also recommended to enable the “Inherit from parent the permission entries that apply to child objects. Includes these with entries explicitly defined here” option.
    These options may be selected by right-clicking on the CaptureSV share, going to the Security tab, clicking on the Advanced tab, selecting the domain/network account that is being used by IIS in the Permission entries portion, and checking the checkboxes in the bottom portion of the window.
  3. It is also recommended to add the default IIS identity account to the IIS_WPG group, which is a local group on the IIS system.
  4. Next, bring up the Local Security Policies (Start | Run | “secpol.msc”, without the quotes | [Enter]).
    Check the Local Security Policies to ensure that the account being specified has sufficient permission to:
    • Logon as a Service
    Make sure the account is not added to:
    • Deny Logon as a Service
  5. Finally, if this error persists, there are two log files that may assist in further troubleshooting.
    • Take a Process Monitor trace and review for ACCESS DENIED results.
      Please review QAID 9385 for further information on using Process Monitor.
    • Check the log in c:\Windows\system32\logfiles\W3SVC1\.
      Review the log for the date(s) that the error occurred. To enable IIS logging, please see:
      Microsoft Support | How to configure Web site logging in Windows Server 2003.
      In the IIS log, the last number in each entry is the IIS error or status code. Typically with this error, Error 550 is seen.
      For example:
      2010-06-23 23:10:16 10.14.87.148 POST /KTMThinClientServer/BatchService.svc/GetBatchList - 80 - 10.14.87.148 Mozilla/4.0+
      (compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+
      3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 550

      The 550 code indicates that the requested action was not taken or that a file was unavailable (for example, file not found, no access). At this point, it is recommended to review the Process Monitor traces to identify the specific files to which the specified account does not have access.
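
The IIS log review described in step 5 can be scripted. The following is an added example, not Kofax code: it scans W3C-format log text for KTMThinClientServer requests whose final field is 550 and reports the affected endpoints and time window. The sample log lines are constructed in the layout of the entry quoted above, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the layout of the entry quoted above (user agent shortened).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-06-23 23:10:02 10.14.87.148 POST /KTMThinClientServer/BatchService.svc/GetBatchList - 80 - 10.14.87.148 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2010-06-23 23:10:16 10.14.87.148 POST /KTMThinClientServer/BatchService.svc/GetBatchList - 80 - 10.14.87.148 Mozilla/4.0+(compatible;+MSIE+7.0) 550
2010-06-23 23:11:40 10.14.87.148 POST /KTMThinClientServer/BatchService.svc/GetBatchList - 80 - 10.14.87.148 Mozilla/4.0+(compatible;+MSIE+7.0) 550
2010-06-23 23:12:05 10.14.87.148 GET /OtherApp/index.htm - 80 - 10.14.87.148 Mozilla/4.0+(compatible;+MSIE+7.0) 404
truncated line
"""


def failed_requests(log_text, app_prefix="/KTMThinClientServer/", status=550):
    """Return (timestamp, method, uri) for entries under app_prefix ending in status."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # W3C directive lines (#Fields, #Software, ...) are not requests
        parts = line.split()
        # Assumed layout (as in the quoted entry): date, time, server IP, method,
        # URI stem come first; the status code is the last field of the entry.
        if len(parts) < 6 or not parts[-1].isdigit():
            continue  # truncated or malformed entry
        date, time, _server_ip, method, uri = parts[:5]
        if int(parts[-1]) == status and uri.lower().startswith(app_prefix.lower()):
            hits.append((f"{date} {time}", method, uri))
    return hits


def summarize(hits):
    """Count failures per endpoint and give the first and last time they were seen."""
    counts = Counter(uri for _, _, uri in hits)
    times = sorted(ts for ts, _, _ in hits)
    window = (times[0], times[-1]) if times else None
    return counts, window


if __name__ == "__main__":
    counts, window = summarize(failed_requests(SAMPLE_LOG))
    for uri, n in counts.most_common():
        print(f"{n:4d}  {uri}")
    print("window:", window)
```

The reported time window gives the span of the Process Monitor trace to filter for ACCESS DENIED results.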

Applies To: 

Product  Version  Category
AXPRO    4.5      Thin Client Validation
AXPRO    4.5      Validation
AXPRO    5.0      Thin Client Validation
AXPRO    5.0      Validation
AXPRO    5.5      Thin Client Validation
AXPRO    5.5      Validation