Connect ServiceInsight to a remote Service Control instance

We have ServiceControl running on a virtual machine and Service Pulse installed in IIS. ServicePulse reaches ServiceControl through a redirect in IIS. Also, we have a valid certificate set up in the IIS site.

This configuration works fine for ServicePulse. The problem is that when I try to access ServiceControl from ServiceInsight in url https://sp.mydomain.com/api, I get the error in the screenshot:

image

Any idea on how to resolve it? Note that the SSL certificate is valid.

You can tell ServiceInsight to skip the certificate validation check like this: https://docs.particular.net/serviceinsight/self-signed-certificate-connection

Is this a self-signed certificate or is its certificiate authority trusted on the machine/user level?

– Ramon

I tried it and the same message appeared.

No, it’s issued by Godaddy.

I have the feeling that the problem is not the certificate itself. Note that I’m trying to access a remote url (hosted in IIS), not localhost, configured following https://docs.particular.net/servicepulse/install-servicepulse-in-iis and using Windows Authentication.

If I paste the url https://sp.mydomain.com/api in Chrome, the response shows something like:

{"description":"The management backend for the Particular Service Platform",
"endpoints_error_url":"http://localhost:33320/api/endpoints/{name}/errors/{?page, ...

Note that the url is the internal localhost url, not the one with the domain name. I’m wondering if ServiceInsight is trying to access these localhost urls…

Can you share a redacted version of your redirect rules web.config?

@WilliamBZA

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ProxyAPICallsToServiceControl" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://localhost:33300/api/{R:1}" />
                </rule>
            </rules>		
            <outboundRules>
                <rule name="Allow SIGNALR traffic" preCondition="JSON" enabled="true" stopProcessing="true">
                    <match filterByTags="None" pattern="\&quot;Url\&quot;:\&quot;(.+?)\&quot;" />
                    <conditions>
                        <add input="{URL}" pattern="(.*)/api/" />
                    </conditions>
                    <action type="Rewrite" value="&quot;Url&quot;:&quot;{C:1}{R:1}&quot;" />
                </rule>
                <preConditions>
                    <preCondition name="JSON">
                        <add input="{URL}" pattern="/api/messagestream/negotiate" />
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/json" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
    </configuration>

Any ideas on this one? Anything that I could try or more information I could provide?

Did you try to turn off windows authentication just to see if that works?
This will narrow down the issue…

I have tested this on my environment and indeed the issue is authentication, if I allow anonymous access it works fine in ServiceInsight…

Right. I just tested the same thing… I got stuck on the message, which confused me. Is there anyway this can work with a (relatively) secured service control API?

@fcastells Is it correct that you have this working with only encryption but without any form of authentication?

What type of authentication did you test? You said you have Windows Authentication enabled in IIS but is the Windows client part of that same domain?

Workaround:

A workaround although not really friednly is to install ServiceInsight on the same box as ServiceControl and RDP into that machine. Alternatively, you could install it on its own VM and make that machine trusted to access the ServiceControl API directly via for example the IP address from that machine. Control access via your active directory users/groups to that RDP/VM.