DocuSign Signature Appliance - Web App and external site unable to communicate

Product
 

DocuSign Signature Appliance Web App


Summary

Recently Microsoft has released a Windows update (KB4530689 & KB4532931) which includes some reliability improvements related to ASP.NET cookies.
Cookies coming from a different site than the site browsed are rejected, unless they are marked explicitly as "SameSite=None" and "Secure=true"
As a result, when addressing a DSA Web App from a different site (like DocuSign), the cookies are rejected and a user session cannot be established, resulting in the login operation failing.


Solution

The latest version (9.301) of the DocuSign Signature Appliance Web App includes the modification by default and does not require any changes.


Other Known Workarounds:
 

Uninstalling those KBs will fix the problem but only temporarily as the recent (February 2020) Chrome version treats the cookies the same manner by default (with other browsers to follow or having already done so).

Another solution is to use a IIS rewrite module to modify the cookies' code coming from the WebApp. To do so:

  1. If not installed, install Microsoft URL Rewrite Module for IIS from https://www.microsoft.com/en-us/download/details.aspx?id=47337

  2. Close and re-open IIS manager

  3. In Web.config, under <system.webServer></system.webServer> section, add the <rewrite></rewrite> section below

  4. Perform a restart of the website


<rewrite>
      <outboundRules>
            <rule name="Remove SameSite">
                  <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)(SameSite=Lax|SameSite=Strict|SameSite=None)(.*)" />
                  <action type="Rewrite" value="{R:1}{R:3}" />
            </rule>
            <rule name="Add SameSite=None">
                  <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                  <action type="Rewrite" value="{R:0}; SameSite=None;" />
            </rule>
            <rule name="Add Secure">
                  <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                  <action type="Rewrite" value="{R:0}; Secure;" />
                  <conditions>
                        <add input="{R:0}" pattern="Secure" negate="true" />
                  </conditions>
            </rule>
      </outboundRules>
</rewrite>
 

This will add 3 rewrite rules to the URL Rewrite configuration, accessible in the IIS control window.





Have an issue? To send us an email, please submit this form.