<Item type='FileType' action='get' orderBy='priority'>
  <OR>
    <extension condition='eq'><![CDATA[svg]]></extension>
    <extension condition='like'><![CDATA[svg,%]]></extension>
    <extension condition='like'><![CDATA[%,svg]]></extension>
    <extension condition='like'><![CDATA[%,svg,%]]></extension>
  </OR>
</Item>

But that AML was never sent when a normal user searched after 10 minutes. Trying to replicate this issue in a clean, newly installed Aras environment was unsuccessful, meaning everything works fine. This led us to believe that something was amiss with the Vault Server, but what was it sending? We installed Burp Proxy, set up a proxy forward for localhost and configured the Vault Server to send its Aras requests to the proxy address instead. These are the request headers for a normal user in our environment that had the issue at hand:
POST /InnovatorServer/Server/InnovatorServer.aspx HTTP/1.1
Content-Type: text/xml
SOAPACTION: GetItem
AUTHUSER: vadmin
AUTHPASSWORD: C264E88F8ED2BAFBBC5EC79197FF2CCB
DATABASE: 12.3
LIKEVALIDATEUSER: 1
VAULTTOKEN: B8j09Gbpng0SyruLPbppSq3K5azYsEtFuMiq04PjvAKqAhFYvlnVSA2
Host: localhost:8080
Cookie: ASP.NET_SessionId=tosjxk13jwrwfcrf4h23ytbm
Content-Length: 347
Expect: 100-continue
Connection: close

This is the request's payload:
<?xml version='1.0' encoding='utf-8' ?>
<Item type='FileType' action='get' orderBy='priority'>
  <OR>
    <extension condition='eq'><![CDATA[svg]]></extension>
    <extension condition='like'><![CDATA[svg,%]]></extension>
    <extension condition='like'><![CDATA[%,svg]]></extension>
    <extension condition='like'><![CDATA[%,svg,%]]></extension>
  </OR>
</Item>

The response we got was:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="">schemas.xmlsoap.org/.../"><SOAP-ENV:Body><SOAP-ENV:Fault xmlns:af="">www.aras.com/.../faultcode><faultstring><![CDATA[Password is expired]]></faultstring><detail><af:legacy_detail><![CDATA[Password is expired]]></af:legacy_detail><af:exception message="Password is expired" type="Aras.Server.Core.PasswordExpiredException" /><message key="password_validation_info" value="<Item type="Variable" id="A4EFCB3197604DDAAF0E7CAA2BED9738"><name>User_pwd_symbols_min_number</name><value>-1</value></Item><Item type="Variable" id="188B86F49F8B4D6FB31FBEF8F606BD8E"><name>User_pwd_digits_min_number</name><value>-1</value></Item><Item type="Method" id="71C5E99F04F9413FBB3F89F9C910B640"><name>User_pwd_checkPolicy</name><method_code>//function User_pwd_checkPolicy(plainPwd, variablesXML[optional])

return standardCheckPlainPwdPolicy(plainPwd, variablesXML);

function standardCheckPlainPwdPolicy(plainPwd, variablesXML) {
	var varMinNumberNm = 'User_pwd_symbols_min_number';
	var varMinDigitsNm = 'User_pwd_digits_min_number';
	var failedSymbolTests = {};
	var failedDigitsTests = {};
	var valuesHash = {};
	var resXml;
	var wrongSymbolsVar = false;
	var wrongDigitsVar = false;

	if (variablesXML === undefined) {
		var conditionStr = '\'' + varMinNumberNm + '\',\'' + varMinDigitsNm + '\'';
		var aml = '&lt;Item type=\'Variable\' action=\'get\' select=\'name,value\'&gt;&lt;name condition=\'in\'&gt;' + conditionStr + '&lt;/name&gt;&lt;/Item&gt;';
		var res = aras.soapSend('ApplyItem', aml);
		if (res.getFaultCode() !== 0) {
			return res.getFaultString();
		}
		resXml = res.getResultsBody();
	} else {
		resXml = variablesXML;
	}

	if (resXml.indexOf('&lt;Result') &lt; 0) {
		resXml = '&lt;Result&gt;' + resXml + '&lt;/Result&gt;';
	}

	var d = aras.createXMLDocument();
	d.loadXML(resXml);

	var nd = d.selectSingleNode('//Item[name=\'' + varMinNumberNm + '\']/value');
	var val = (nd) ? parseInt(nd.text) : '';
	valuesHash[varMinNumberNm] = val;
	if (val &amp;&amp; (!plainPwd || plainPwd.length &lt; val)) {
		failedSymbolTests[varMinNumberNm] = true;
	} else {
		wrongSymbolsVar = true;
	}

	nd = d.selectSingleNode('//Item[name=\'' + varMinDigitsNm + '\']/value');
	val = (nd) ? parseInt(nd.text) : '';
	valuesHash[varMinDigitsNm] = val;
	if (val &amp;&amp; val &gt; 0) {
		failedDigitsTests[varMinDigitsNm] = testStr(plainPwd, /[0-9]{1}/g, val);
	} else {
		wrongDigitsVar = true;
	}

	var retVal = '';
	var k;
	for (k in failedDigitsTests) {
		if (failedDigitsTests[k]) {
			if (!wrongSymbolsVar) {
				retVal = aras.getResource('', 'imports_core.password_policy_requirements_missed', valuesHash[varMinNumberNm], valuesHash[varMinDigitsNm]);
				return retVal;
			} else {
				retVal = aras.getResource('', 'imports_core.password_policy_requirements_missed2', valuesHash[varMinDigitsNm]);
				return retVal;
			}
		}
	}

	for (k in failedSymbolTests) {
		if (failedSymbolTests[k]) {
			if (!wrongDigitsVar) {
				retVal = aras.getResource('', 'imports_core.password_policy_requirements_missed', valuesHash[varMinNumberNm], valuesHash[varMinDigitsNm]);
				return retVal;
			} else {
				retVal = aras.getResource('', 'imports_core.password_policy_requirements_missed2', valuesHash[varMinNumberNm]);
				return retVal;
			}
		}
	}
	return retVal;

	function testStr(s, re4s, cnts) {
		var retVal = false;
		var arr = s.match(re4s);
		var i = 0;

		while (arr &amp;&amp; arr[i] &amp;&amp; cnts &gt; 0) {
			i++;
			cnts--;
		}

		if (cnts &gt; 0) {
			retVal = true;
		}

		return retVal;
	}
}
</method_code></Item>" /></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>This request never got logged when debugging was on, presumably because it never got past checking the password. So our first question: why was the password expired? We confirmed that everything started working as normal again in our environment after we changed the password for vadmin, but why did we need to change its password? It has no maximum password age, it has no password history length configured, and bot User_pwd_symbols_min_number and User_pwd_digits_min_number are set to -1. The second question we have: We noticed that when admin performs a search on tp_Image, the Vault Server sets/sends a different header:
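As an added illustration (not Aras code and not from the post above): a stand-alone JavaScript port of the User_pwd_checkPolicy decision logic in the fault, run against the two Variable values the server returned, so the policy outcome for -1 can be checked offline. It assumes a minimal regex extractor and plain reason strings in place of aras.createXMLDocument and aras.getResource; the sample XML is constructed from the fault's Variable items.

```javascript
// Constructed sample: the two policy Variable items returned in the fault above.
const SAMPLE_POLICY_XML =
  '<Item type="Variable" id="A4EFCB3197604DDAAF0E7CAA2BED9738">' +
  '<name>User_pwd_symbols_min_number</name><value>-1</value></Item>\n' +
  '<Item type="Variable" id="188B86F49F8B4D6FB31FBEF8F606BD8E">' +
  '<name>User_pwd_digits_min_number</name><value>-1</value></Item>';

const VAR_MIN_SYMBOLS = 'User_pwd_symbols_min_number';
const VAR_MIN_DIGITS = 'User_pwd_digits_min_number';

// Minimal stand-in for aras.createXMLDocument/selectSingleNode (assumption):
// pull <name>/<value> pairs out of each Variable item.
function parseVariables(xml) {
  const vars = {};
  const re = /<Item[^>]*type="Variable"[^>]*>[\s\S]*?<name>([^<]+)<\/name>[\s\S]*?<value>([^<]*)<\/value>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    vars[m[1]] = parseInt(m[2], 10);
  }
  return vars;
}

// Same decision rules as standardCheckPlainPwdPolicy, digits checked first.
// Returns '' when the password passes, otherwise a plain reason string
// (the original returns a localized aras.getResource message instead).
function checkPlainPwdPolicy(plainPwd, vars) {
  const minLen = vars[VAR_MIN_SYMBOLS];
  const minDigits = vars[VAR_MIN_DIGITS];
  // Length rule: any non-zero value is "enforced", but with -1 no non-empty
  // password can be shorter than it, so only a blank password is rejected.
  const lengthFailed = Boolean(minLen) && (!plainPwd || plainPwd.length < minLen);
  // Digit rule: enforced only for a positive value, so -1 disables it.
  const digitCount = (plainPwd.match(/[0-9]/g) || []).length;
  const digitsFailed = minDigits > 0 && digitCount < minDigits;

  if (digitsFailed) {
    return 'too few digits (need ' + minDigits + ')';
  }
  if (lengthFailed) {
    return 'too short (need ' + minLen + ' characters)';
  }
  return '';
}

// With both variables at -1 the policy imposes nothing, so a password that the
// server reports as "expired" is not being rejected by this method.
console.log(checkPlainPwdPolicy('vadmin-secret', parseVariables(SAMPLE_POLICY_XML))); // prints ''
```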
AUTHUSERTOKEN: XeiVKxP9ywNWqL1SKrtVjD6PgWOSeLs2_3hvl1AfmzmGZqYstlzpqaK4WRA9qHwPcVkgr3COGXpf_1-f6d0GexVDyaZrtgOmO2GdhC5vE9utA0PtBrfBbvWYufTRD9euDt9nUqKbMeC77VIraYCWa0iv_wYPwF7DbErEtlTUAmGf8nm9aEdEx5jD8cJh9D5CN9mCh373BAYGZVP2WcyQ_Tg3w70FFiuiKFwthjDpVIlOGxRm4QJqto2r0GkqdTja0

instead of the AUTHUSER / AUTHPASSWORD combination, which makes us wonder: have we configured the Vault Server correctly?