SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier J System Solutions http://www.javasystemsolutions.com JSS SSO Plugin – Troubleshooting
Introduction...... 3 Common investigation methods...... 4 Log files...... 4 Fiddler...... 6 Download Fiddler...... 6 Installing Fiddler...... 6 Configure the browser to use Fiddler...... 7 Starting Fiddler...... 7 HTTPS Traffic...... 7 Verifying Service Principle Names (SPNs)...... 8 The setspn utility...... 8 See accounts that are set to which SPN...... 8 Duplicate SPNs...... 8 Removing an SPN...... 9 Understanding logging in BMC AR System...... 10 Troubleshooting in BMC AR System...... 11 Troubleshooting in HP Service Manager...... 12 Troubleshooting ADFS 2.0 Messages...... 13 Frequently asked questions/issues...... 14 Appendix A: Acronyms, Abbreviations & Definitions...... 25 Page 3 of 27
Introduction
This document provides a list of troubleshooting methods used with the JSS products along with the steps to resolve the most common issues customers face If there are any questions, do not hesitate to contact JSS support.
http://www.javasystemsolutions.com Page 4 of 27
Common investigation methods
The following section describes the common tasks used to diagnose any issues with SSO Plugin.
Log files
This section describes the common log files used within SSO Plugin and how to enable them.
Product BMC AR System AREA plugin Description The SSO Plugin AREA module writes to this file. Purpose Verification that the SSO Plugin AREA module has loaded and configured correctly. This file is created on AR Server start-up, AR System configuration changes and on every authentication attempt. Default Windows - C:\Program Files\BMC Software\ServerName\Arserver\db location UNIX/Linux - /opt/bmc/ARSystem/db How to Login to the application as an administrative user enable Open the AR System Administration Console Click System from the navigation pane Click General Click Server Information Click Log Files tab Click the Plug-in Server checkbox Make a note of the Plug-in log file name Select ALL from the Plug-in Log Level drop down Click Apply
Screenshot example:
Product Apache Tomcat Description The SSO Plugin Mid Tier module writes to this file. Purpose Verification that the SSO Plugin Mid Tier module has loaded and configured correctly. This file is written to on Mid Tier start-up, SSO Plugin configuration changes and all Mid Tier authentication requests. Default Windows - C:\Program Files\Apache Software Foundation\Tomcat location 6.0\logs
UNIX/Linux: This will depend on the OS and installation method. Here is the example of a default location /opt/apache/tomcat6.0/logs
http://www.javasystemsolutions.com Page 5 of 27
Tip: To help find the process Id of Tomcat type: ps -ef | grep tomcat
Which will return something like this; note the PID is 404: root 404 1 4 19:41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java -Djava.util.logging.config.file=/opt/apache/tomcat
To help find the log file type lsof -p PID where PID is the process id of your Tomcat server. In the above example, it was 404 lsof -p 404 | grep "tomcat6.0/logs"
Which will return something like this: java 404 root 1676 27754677 /opt/apache/tomcat6.0/logs/stdout.2013-04-15.log
How to Via a browser, enter the following URL: enable http://yourMidTierHost/arsys/jss-sso/index.jsp On the left pane above the Login button: o on BMC Mid Tier, enter the same password used for the configuration E.g. /arsys/shared/config/config.jsp, (the installation default is arsystem). o on other deployments (Analytics, Dashboards etc), enter the SSO Plugin administration password (the installation default is jss). Click Configuration. Select the desired log level from the Log Level menu. It is recommended that Trace be selected for investigating any issues and Severe for normal operating times. Click Set Configuration. When using SSO Plugin 4+, the BMC AR System AREA plugin log file is automatically configured and the location reported through the user interface.
Screenshot example:
http://www.javasystemsolutions.com Page 6 of 27
Fiddler
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more.
Download Fiddler
To download Fiddler, go here: http://fiddler2.com/get-fiddler
Installing Fiddler
Select 'Run' from any Security Warning dialog.
Agree to the License Agreement.
Select the install directory for Fiddler.
http://www.javasystemsolutions.com Page 7 of 27
Click 'Close' when installation completes.
Configure the browser to use Fiddler
Follow these steps for the following browsers: IE, Chrome and Safari. To capture traffic from most browsers, enable File > Capture Traffic. When using FireFox: Click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings
Starting Fiddler
Find Fiddler2 from the Windows start menu or type fiddler2 in the Start button >> Run
HTTPS Traffic
If you are using secure socket layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts traffic and therefore you need to tell Fiddler to decrypt it. To do so click Tools > Fiddler Options When the dialog appears, select "Decrypt HTTPS traffic" and click OK
http://www.javasystemsolutions.com Page 8 of 27
Verifying Service Principle Names (SPNs)
The following section will help diagnose SPN specific issues.
A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, ie. http://yourMidTier/arsys/jss-sso/index.jsp on BMC Mid Tier, http://yourWebTier/webtier/jss-sso/index.jsp on HP Service Manager.
Example screenshot here:
The setspn utility
SetSPN is a built in utility with Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don’t have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and search for duplicate SPNs that cause Kerberos to stop working.
See accounts that are set to which SPN
To list the SPNs assigned to an account do the following C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=j avasystemsolutions,DC=local: HTTP/w7604.dev.javasystemsolutions.local The example above shows the SPN of HTTP/w7604.dev.javasystemsolutions.local is set to the domain account of JSS-SSO-SERVICE.
Duplicate SPNs
Kerberos will not work if there are duplicate SPNs, ie the same hostname (HTTP/myJava web server.domain.com) is registered to two different computer or user accounts. Microsoft's update to setspn (KB970536) has a new feature which can search for duplicate accounts. Simply run: setspn -X. If any duplicates are listed the remove the incorrect entries using: setspn -D.
Example use of using setspn to find duplicates SPNs for the same Mid Tier and finding none C:\Users\administrator.DEV>setspn -x Checking domain DC=dev,DC=javasystemsolutions,DC=local Processing entry 0 found 0 group of duplicate SPNs.
Example use of using setspn to find duplicates SPNs for the same Mid Tier and finding two accounts are assigned to the same Mid Tier. JSS-SSO-S1 and JSS-SSO-SERVICE. This would stop SSO working.
http://www.javasystemsolutions.com Page 9 of 27
C:\Users\administrator.DEV>setspn -x Checking domain DC=dev,DC=javasystemsolutions,DC=local Processing entry 0 HTTP/w7604.dev.javasystemsolutions.local is registered on these accounts: CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local found 1 group of duplicate SPNs.
Removing an SPN
The above example shows that the computer w7604.dev.javasystemsolutions.local has two SPNs against it. One SPN can be registered against multiple hosts but multiple SPNs cannot be assigned to a single host. Here is an example of how to remove an SPN.
C:\Users\administrator.DEV>setspn -D HTTP/w7604.dev.javasystemsolutions.local JSS-SSO-SERVICE Unregistering ServicePrincipalNames for CN=JSS-SSO- SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local HTTP/w7604.dev.javasystemsolutions.local Updated object
http://www.javasystemsolutions.com Page 10 of 27
Understanding logging in BMC AR System
There are two modules used in SSO Plugin. The first is an AR External Authentication (AREA) plugin which is installed on all AR Servers. This module writes to the standard BMC arplugin log file, enabled through the AR System Administration Console. The module uses three log levels described below.
AR Plug-in Description Log level Config This level is used with these events: AR System startup AR System restart Configuration change via the AR System Configuration Console Configuration change via the SSO Administration Console
This level describes the SSO Plugin AREA plugin configuration including the license information.
Lines within the log file can be identified by the following:
Finest The Finest log level is the most verbose and contains a lot of information. Some information will only be useful to JSS support to understand the flow of the data for example keys and encryption information.
This level is used with these events: AR System startup AR System restart Configuration change via the AR System Configuration Console Configuration change via the SSO Administration Console Authentication attempts
When this level is enabled, failure of SSO attempts will be evident with lines identified by the following:
Severe The Severe log level is typically enabled on production systems and is the least verbose of all the logs. The events which trigger the output of this information to the log file is considered serious and would stop SSO working for all users.
An example of this information is visible in the log file when the SSO Plugin AREA module is unable to communicate with the AR Server it is installed to:
http://www.javasystemsolutions.com Page 11 of 27
Troubleshooting in BMC AR System
The following flow chart details the troubleshooting steps. If the issue is not resolved, collate screenshots and logs and email them to [email protected]
http://www.javasystemsolutions.com Page 12 of 27
Troubleshooting in HP Service Manager
Problems are categories into two areas when integrating SSO Plugin with Service Manager: 1. Performing the SSO integration, ie integrating with Active Directory/SAML Identity Provider/etc. 2. Enabling trusted sign on in the Service Manager service, ie configuring the sm.ini file. When you can view the Test SSO page in the Web Tier interface, and a username has been retrieved from the SSO system, part 1 is complete. If you click on the Service Manager link and see a login page or an access denied message, the issue is more than likely associated with part 2. In this case, send your Service Manager sm.ini file and Web Tier web.xml file to [email protected].
http://www.javasystemsolutions.com Page 13 of 27
Troubleshooting ADFS 2.0 Messages
Active Directory Federation Services failures, that are presented to the user, do not easily explain what the root cause of the issue actually is. Here is an example screenshot of what the user is presented with:
Microsoft has produced a step by step guide to find the information with that reference here: http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx
http://www.javasystemsolutions.com Page 14 of 27
Frequently asked questions/issues
Title java.lang.ClassNotFoundException or NoSuchMethodException appears in the Java web server logs or in the browser Issue Stack traces appear in the logs or web browser that look similar to: java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.JSSAuthenticator org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1 387)
11-Apr-2009 15:33:59 org.apache.catalina.core.StandardContext filterStart SEVERE: Exception starting filter spnego java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.SPNEGOHttpFilter org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1 387) Possible The jss-sso.jar file was not found in the WEB-INF/lib directory of the Java causes web server (Tomcat), or is the wrong version after an upgrade. Solutions This error typically indicates that not all files have been copied into the correct directory in the Java web applicaiton server. All files within the SSO Plugin download midtier or webtier directory must be copied to the Java web application installation directory.
If still Email a screenshot of the WEB-INF/lib directory to unresolve [email protected] d
Title Windows credentials dialog pop-up when attempting to authenticate Issue When attempting to authenticate via a browser, the user is prompted for Windows credentials. Screenshot example from IE:
http://www.javasystemsolutions.com Page 15 of 27
Possible In order to use Single Sign On (SSO), the client machine needs to be causes logged into the domain. The dialog is appearing because the browser believes that the user is not logged into the same domain that is configured or trusted with in the SSO Plugin configuration page. Solutions Confirm the following: The user is logged into the same domain or trusted with, that is configured in the Mid Tier SSO configuration page. Typically http://yourMidTierHost/arsys/jss-sso/index.jsp Check the users domain by pressing ctrl+alt+del and review the "You are logged in as" dialog. The Windows domain shown must be the target domain and not the local machine name If the above is not present. Run cmd.exe and type the following: net config workstation Make sure the Logon domain is the short domain name and not the local machine name The domain controller should be running Active Directory If using IE o Within IE, click Tools -> Internet Options -> Security -> Local Intranet Zone o Add the Mid Tier host name to the list o Click Tools -> Internet Options -> Security -> Custom Level o Scroll to the bottom and select "Automatic logon only in Intranet zone" If using FireFox o In the URL bar, type about:config o Then type trusted-uri o You will be presented with network.automatic-ntlm- auth.trusted-uris and network.negotiate-auth.trusted-uris. Type the Mid Tier hostname from the URL into these fields If your browser is configured to use a proxy server, the target website may need to be added to the proxy exceptions list as SSO is known to be problematic through some proxies Ensure the clocks on the workstation and the AD are set correctly. Kerberos authentication can fail if the clocks are skewed If still Click here for instructions on how to capture a Fiddler trace and email unresolve the .saz file to [email protected] d
Title Browser presents HTTP status code of 400 Issue Some users are seeing HTTP status code of 400. Especially when using BMC ITSM. A Fiddler trace is showing HTTP/1.1 400 Bad Request
Possible By default, Tomcat has a hard coded HTTP header limit of 4Kb. If the causes Kerberos token exceeds 4Kb then Tomcat returns the status code 400 without passing the request to the Java web server. The Kerberos token contains group information. IF the user is a member of many groups then this token can become large. Solutions Increase the header size in Tomcat. Open the Tomcat server.xml in a text editor Search for the HTTP connector http://www.javasystemsolutions.com Page 16 of 27 bytes (65536 is 64Kb) If still Email the server.xml to [email protected] unresolve d Title My Windows account keeps getting locked out Issue Error messages appear that the users account is locked out in Active Directory. Possible This possibly indicates that one or more of the AR Servers are not causes correctly configured to use SSO Plugin. If the BMC AREA LDAP plugin is being used, the correct configuration employs the BMC AREA Hub, of which the SSO Plugin is used first and the BMC AREA LDAP is second. If SSO is incorrectly configured, the SSO tokens are passed to the domain controller as passwords, which will always be incorrect for any user. Therefore some domain policies, such that a number of incorrect passwords, will lock the account. Solutions All AR Servers that are processing user authentication requests must be SSO enabled and correctly configured. This can be investigated by enabling the AR System Plug-in logging and setting the Plug-in Log Level to ALL. It is typical to see the following in this instance: Typically, this indicates that the Windows User Tool SSO module is either out of date, or is using an out of date ARSSSOInfo.ini file. To resolve, ensure the latest DLL is installed with the Windows User Tool user.exe file and re-generate the ARSSSOInfo.ini file using the setup.exe tool. If still Email the full AR plug-in log file to [email protected] unresolve d Title Pre-authentication information was invalid (24) / KDC has no support for encryption type (14) Issue When clicking Set Configuration on the SSO Plugin configuration page, you are presented with the following text: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14) Possible This error is possibly caused by a number of issues. Either the causes Solutions Check the service account details are correct in the SSO Plugin configuration page The “service user” and password should be verified with the AD administrators. http://www.javasystemsolutions.com Page 17 of 27 If a krb5.conf file is being used, then please compare it with the example provided in the SSO Plugin evaluation download. This can be found in the WEB-INF/classes directory. If the above account details are correct. Then create a new service user account and assign the SPNs to the new account. To do so, you have to remove the existing SPNs from the old service user before assigning the new values. Example: Using the above Service User example SSOKERBMT01 and the Mid Tier host name is mthost01 and there is a load balancer in front called lb01 Remove the existing SPNs Syntax Example : setspn -d HTTP/midTierHostName yourDomain\serviceUserName setspn -d HTTP/mthost01 mydomain\SSOKERBMT01 setspn -d HTTP/lb01 mydomain\SSOKERBMT01 Create a new service user account in the domain and assign a password o For instruction purposes, let’s assume the new account is called SSOKERBMTNEW o Ask the AD administrators to tick “Do not require Kerberos preauthentication” in the user account options. Add the SPNs to the new service account o Set the SPNs for the Mid Tier host NetBOIS name and fully qualified domain name . setspn -A HTTP/mthost01.mydomain.com mydomain\SSOKERBMTNEW . setspn -A HTTP/mthost01 mydomain\SSOKERBMTNEW o Set the SPNs for the load balancer NetBOIS name and fully qualified domain name . setspn -A HTTP/lb01.mydomain.com mydomain\SSOKERBMTNEW . setspn -A HTTP/lb01 mydomain\SSOKERBMTNEW Update the SSO Plugin configuration page with the new service user name and password. Click Set Configuration In the event the above doesn’t work ask the AD administrator to send a screenshot of the group policy for Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options -> Network security: Configuration encryption types allowed for Kerberos, as seen in this screenshot: http://www.javasystemsolutions.com Page 18 of 27 If still Email the full Java web engine (e.g Tomcat) stdout log file and a unresolve screenshots of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp d http://yourMidTierHostname/arsys/jss-sso/setup.jsp to [email protected] Title This computer account is in use by another SSO Plugin configuration Issue When submitting the SSO Plugin configuration page in Mid Tier, the following message can appear: This computer account is in use by another SSO Plugin configuration. Possible Service (Computer) accounts cannot be used by more than one Mid Tier causes instance. This means the NTLMv2 computer account is in use by another Mid Tier registered with AR System. However, due to the way SSO Plugin matches the configuration (in the JSS:SSO:MidTierConfig form within the AR System) with a Mid Tier instance, it is possible for a duplicate row to be generated (if a Mid Tier is re-installed, for example) and hence SSO Plugin believes two Mid Tiers share the same computer account. Solutions If there are more than one Mid Tier instance connecting to the same AR System. Then follow these steps Create a unique service (computer) account for all Mid Tier instances. This can be done using the set-service-account.cmd script found in the evaluation download or it can be created manually. Instructions and more information can be found in the following online document: http://www.javasystemsolutions.com/documentation/ssoplugin/jss- sso-active-directory-integration.pdf Once the account has been created, apply the service account name and password to the SSO Plugin configuration page typically found at http://yourMidTierHost/arsys/jss-sso/index.jsp under the configuration link If there is only one instance of Mid Tier connecting to the same AR System or all Mid Tier SSO configurations have been verified to have unique service (Computer) accounts, then follow these steps To resolve this warning if it is due to duplicate entries, locate and http://www.javasystemsolutions.com Page 19 of 27 delete the duplicate entry in the form. Field 8 contains the unique key (in the format hostname-ID), and the ID of a Mid Tier can be found in the Mid Tier config.properties file. Or you can delete all the rows that refer to the host and resubmit the configuration. This warning can be safely ignored if it due to duplicate configurations. If still Login to the application as an administrative user. unresolve Open the JSS:SSO:MidTierConfig form d Search for all entries Take a screenshot of the unique values. Example screenshot below: Email the screenshot and the Java web server (Tomcat) stdout file to [email protected] # Kerberos error: Channel binding mismatch Issue The following error is displayed in the SSO Plugin configuration form when clicking Set Configuration. The following error was in the Java web server log. Possible Various Kerberos errors relating to channels can appear on older 1.6 JVMs. causes Solutions Please upgrade to the latest 1.6 or 1.7 JVM from the Oracle website. If still Browse to http://yourMidTierHost/arsys/jss-sso/debug.jsp replacing unresolve yourMidTierHost with your own Mid Tier hostname and email the results d to [email protected] Title SSO Fails for users with administrator permissions Issue Browsing to the testsso.jsp link works and shows the green status bar but browsing to Mid Tier home redirects to the login page. Possible If the users BMC AR System user account has a password then SSO causes cannot work. This is the applications way of having an SSO on/off switch per user. The setting Cross-Ref-Blank-Password found in the ar.cfg/ar.conf files on the BMC AR System server mean that if a user with a blank password in the user form attempts to login, the standard authentication method is not used and to pass on the information to an external source. In this example it will be single sign on. This does not mean someone typing a user name and a blank password can login. SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the user form. However this does not work if the user has administrator permissions. http://www.javasystemsolutions.com Page 20 of 27 Solutions Remove the password of the users account in the BMC AR System user form. If still Enable the arplugin logging within the AR System Administration Console. unresolve Set the plug-in log level to ALL. If using a server group then do this on all d AR Servers. Attempt the authentication then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss- sso/testsso.jsp to [email protected] Title SSO Plugin feature "Automatically SSO enable accounts" not working Issue Browsing to the testsso.jsp link works and shows the green status bar but browsing to Mid Tier home redirects to the login page. Possible SSO Plugin has a feature called "Automatically SSO enable accounts" causes which will automatically remove the password in the user form which will enable the user to use SSO. However this does not work if the user has administrator permissions. Solutions Remove the password of the users account in the BMC AR System user form. If still Enable the arplugin logging within the AR System Administration Console. unresolve Set the plug-in log level to ALL. If using a server group then do this on all d AR Servers. Attempt the authentication then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss- sso/testsso.jsp to [email protected] Title "Force password change on login" not being updated by SSO Plugin Issue When the SSO Plugin feature "Automatically SSO enable accounts" is enabled in the SSO Plugin configuration screen, some accounts still have the "Force Password Change On Login" checkbox checked. Possible User accounts are only updated, to clear the checkbox, if the group field causes does not contain the Administrator permission. Solutions Manually update the user account to de-select the "Force Password Change On Login" feature. If still Take screenshots of the users account in the user form and email it to unresolve [email protected] d Title Using an F5 load balancer, the users is directed to the login screen even when testsso.jsp works Issue We have noticed some odd behaviour in the way IP addresses are reported to AR System server when using an F5 load balancer. When the Test SSO functionality attempted to make a connection to AR System server, the IP address of the host running Mid Tier was passed and when accessing Mid Tier home, the IP address of the F5 was passed. Possible The F5 is somehow modifying the Mid Tier IP address. causes Solutions Login to the application as an administrative user. Open the SSO http://www.javasystemsolutions.com Page 21 of 27 Administration Console. Add the F5 IP address to the list of IP Addresses, separated by a semi-colon. Click Save If still Enable the arplugin logging within the AR System Administration Console. unresolve Set the plug-in log level to ALL. If using a server group then do this on all d AR Servers. Attempt the authentication then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss- sso/testsso.jsp to [email protected] Title I can view the default IIS home page but I can't access the Java web server at all. Issue Whilst the Java web server on Tomcat appears to be running, and IIS serves static files like /iisstart.htm correctly, attempting to connect to Java web server via IIS gives an IE "Cannot find server or DNS Error" error page. Checking the Windows Event Viewer shows that IIS is crashing when an attempt is made to access Tomcat via the Jakarta ISAPI Redirector. The server in question was a 64-bit Windows 2003 Server Hyper-V VM, with IIS configured to run 32-bit ISAPI extensions. However other VMs with the same setup have not demonstrated this behaviour. Possible It is not a well-known bug or one that has affected us before. It occurs causes whether or not SSO Plugin is installed. Solutions The version of Java web server installed was 7.1. The solution is to replace the isapi_redirect.dll file with an up-to-date version from Apache, such as: http://www.apache.org/dist/tomcat/tomcat- connectors/jk/binaries/win32/jk-1.2.30/isapi_redirect-1.2.30.dll (For a 64-bit machine running native 64-bit ISAPI extensions, the file under 'win64' should be used instead.) To replace the ISAPI extension, go to Administrative Tools -> Services and shut down the World Wide Web Publishing service and HTTPS SSL. Find the DLL in 'Program Files' - (x86) if running 32-on-64 - 'Apache Software Foundation\Jakarta ISAPI Redirector\bin' and rename it to isapi_redirect- old.dll. Save the new DLL here and rename it simply isapi_redirect.dll. Restart the stopped services. If still Email screenshots to [email protected] unresolve d Title We are using IIS and I am prompted for my Windows login and they are not accepted Issue The customer is running IIS and browsing to the Mid Tier home page. A standard Windows authentication dialog appears. Upon entering the users credentials the same box appears as if the details were wrong even though the customer confirms the details are correct. Possible If you have run the set-service-account.cmd script on the Active Directory causes and entered the hostname of the machine running IIS, the IIS server will not be able to authenticate the tokens sent to it by your browser. Running this script is not required when using an IIS front end – it's only used when configuring SSO Plugin's built-in authentication (i.e. that provides Windows authentication without the need for IIS). Solutions To resolve the problem, remove the JSS-SSO-SERVICE Computer account created in the Active Directory by the set-service-account.cmd script, and then clear the Kerberos tokens cached on the client desktop using the kerbtray.exe tool provided in the Windows 2000 Resource Kit, or wait ten minutes for the local machine to remove the tokens from its cache. If still Email screenshots to [email protected] unresolve http://www.javasystemsolutions.com Page 22 of 27 d Title NTLM authentication sometimes fails through an F5 load balancer Issue According to a Fiddler trace, NTLM authentication is failing for some users. Possible The F5 product has a feature called OneConnect. Due to a bug in some causes versions of F5, it must be switched off if NTLM is in use, as it will be with an IIS front end to Tomcat. Solutions The issue is discussed in this support entry: http://support.f5.com/kb/en- us/solutions/public/5000/000/sol5050.html If still Email screenshots to [email protected] unresolve d Title The following message is seen in the arplugin log "[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds...." Issue If you see the following in the arplugin log file, then this indicates that there is a connection problem for the plugin to communicate back the the AR Server. Possible Look at the log for If this error persists then this could mean the AR Server is not working, crashed or too busy. If still Enable the arplugin logging within the AR System Administration Console. unresolve Set the plug-in log level to ALL. If using a server group then do this on all d AR Servers. Attempt the authentication then email the full plug-in log file(s) to [email protected] Title HTTP Error Code: 500 JSPG0049E: /jss-sso/index.jsp failed to compile : Issue Using IBM Websphere and browsing to pages within the jss-sso application, the user is presented with the above error. Possible causes Solutions If you are using IBM Websphere 7, use WAS to ensure the com.ibm.ws.jsp.jdkSourceLevel custom property is set to 16 on the web extension file If still Email all Websphere logs to [email protected] unresolve d http://www.javasystemsolutions.com Page 23 of 27 Title BMC Midtier fails to start after applying BMC patch / hotfix "8.1.00 201312191114 Hotfix " Issue After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs: java.lang.ExceptionInInitializerError at com.remedy.arsys.stubs.ServerLoginHost.customEquals(Unknown Source) The BMC hotfix can be identified by browsing to the /arsys/shared/config/config.jsp and displaying the above version. Possible BMC broke some functionality within Midtier in the latest release. This causes functionality allowed us to get a connection to AR System server during Midtier startup. Solutions Please update SSO Plugin to a minimum version of 3.6.18 http://www.javasystemsolutions.com/jss/downloads If still If you are on a SSO Plugin version equal or higher than 3.6.18 and are still unresolve seeing the above issue then please zip all the Java servlet engine e.g. d Tomcat logs and email them to [email protected] Title BMC Midtier fails to start after applying BMC patch / hotfix "8.1.01 " Issue After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs: Context initialization failed java.lang.NoClassDefFoundError: com.remedy.arsys.stubs.GoatHttpServlet And the browser reports HTTP Status 404 The BMC hotfix can be identified by browsing to the /arsys/shared/config/config.jsp and displaying the above version. Possible BMC broke some functionality within Midtier in the latest release. This causes functionality allowed us to get a connection to AR System server during Midtier startup. Solutions Please update SSO Plugin Mid Tier files to a minimum version of 3.6.20 http://www.javasystemsolutions.com/jss/downloads Once downloaded follow these instructions: Shutdown the Java servlet engine e.g. Tomcat Delete the Catalina directory found under the Tomcat\Work directory As per screenshot example below, copy the <3.6.20 download>\midtier folders to the AR system midtier folder. Making sure you overwrite all files. Do not make any backups of .jar files Start Tomcat Verify new version by browsing to \arsys\jss-sso\index.jsp http://www.javasystemsolutions.com Page 24 of 27 If still If you are on a SSO Plugin version equal or higher than 3.6.20 and are still unresolve seeing the above issue then please zip all the Java servlet engine e.g. d Tomcat logs and email them to [email protected] Title Browsing to /arsys/jss-sso/index.jsp displays the following error ARERR [9217]File not found. Either the file requested is not present or the URL supplied is bad. Issue Browsing to the JSS SSO Mid Tier status or testsso page displays the above error Possible The web.xml was not patched causes Solutions Please update SSO Plugin Mid Tier files to a current release http://www.javasystemsolutions.com/jss/downloads If still Please zip all the Java servlet engine e.g. Tomcat logs and email them to unresolve [email protected] d Title Error 500--Internal Server Error java.lang.NoClassDefFoundError: com/javasystemsolutions/sso/ImplementationFactory Issue Browsing to the JSS SSO Mid Tier status or testsso page displays the above error Possible The Java servlet engine e.g. Tomcat cache directory needs refreshing causes Solutions Delete the of the Tomcat\Work directory and restart If still Please zip all the Java servlet engine e.g. Tomcat logs and email them to unresolve [email protected] d Title “The SAML Service Provider could not retrieve a username from the Identity Provider: Error during processing the SAML Handler Chain.” Issue The following error is displayed and in the logs after upgrading BMC Mid Tier 8.1.01 SP1 201404010757 Hotfix Possible The xerces jar that the BMC hotfix deploys is very old and no longer causes needed. This is included within the Java standard library. Solutions Remove the xerces jar from the midtier/web-inf/lib directory and restart Tomcat If still Please zip all the Java servlet engine e.g. Tomcat logs and email them to unresolve [email protected] d Title WebSphere shows testsso working but browsing to the application redirects to the login page Issue A fiddler trace shows something like Error 500: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as {0} has attempted to access a session owned by {1}.(foo,bar) Possible http://www-01.ibm.com/support/docview.wss?uid=swg21515473 causes Note the error comes from a websphere class and not JSS. The above page describes the resolution in detail Solutions InfoSphere Information Server requires that WebSphere Application http://www.javasystemsolutions.com Page 25 of 27 Server persists the subject information for unprotected URIs when the session security integration is enabled. To enable "persist the subject information for unprotected URIs", from the WebSphere administrative console: Click Security > Global security > Web and SIP security to open the General settings panel. Select the Use available authentication data when an unprotected URI is accessed option. Click OK and save the change. Restart WebSphere Application Server. If still Please zip all the WebSphere logs and take a fiddler trace replicating the unresolve issue and email them to [email protected] d Title HTTP Status 500 - java.lang.NoClassDefFoundError Issue Browsing to the SSO setup page displays the above Possible Not all the midtier/webtier files were copied to the correct location or the causes Java web engine, e.g. Tomcat, is using a cached version of the files. Solutions Make sure all the files are copied from the download to the Java engine. E.g. for BMC Mid Tier using Tomcat: Stop Tomcat Delete the contents of the Work directory Copy the folders jss-sso and WEB-INF to the midtier directory. Start Tomcat If still Please zip all the Tomcat logs and email them to unresolve [email protected] d Title org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [javasystemsolutions-testsso] in context with path [/arsys] Issue Browsing to the test SSO page displays the above plus: java.lang.NoSuchMethodError: org.apache.xml.security.utils.resolver.ResourceResolver.getInstance(Lorg/w3c/dom/Attr;Lj ava/lang/String;Z)Lorg/apache/xml/security/utils/resolver/ResourceResolver; Possible BMC having included an older "xml security" API in the causes websvcjava81_build001.jar Solutions Open the above jar and remove the org/apache/xml/security directory If still Please zip all the Tomcat logs and email them to unresolve [email protected] d Title org.apache.catalina.core.ContainerBase.[Catalina].[localhost]. [/ux]: Exception starting filter ssoplugin-identity-federation- acceptor java.lang.NoClassDefFoundError: org/apache/commons/logging/impl/Log4JLogger at com.javasystemsolutions.LoggingUtils.a Issue BMC is using more than one incompatible logging jars Possible BMC having included an older "xml security" API in the causes websvcjava81_build001.jar Solutions Find the following jar in the web-inf\lib directory and remove it log4j-over- slf4j-1.7.12.jar If still Please zip all the Tomcat logs, list the .jar files in the web-inf\lib directory unresolve and email them to [email protected] http://www.javasystemsolutions.com Page 26 of 27 d http://www.javasystemsolutions.com Page 27 of 27 Appendix A: Acronyms, Abbreviations & Definitions Description JSS Company name Java System Solutions SSO Product name for Single Sign On (SSO) Plugin Tomcat Java web server produced by the Apache Foundation IIS Internet Information Service produced by Microsoft Webspher IBM WebSphere is a brand of software products e Fiddler Free web debugging tool which logs all HTTP(S) traffic between your computer and the Mid Tier. Service Before the Kerberos authentication service can use an SPN to Principle authenticate a service, the SPN must be registered on the account object Name that the service instance uses to log on. (SPN) BMC ARS BMC Remedy Action Request System is the workflow engine produced by BMC Mid Tier HTTP middleware from BMC. http://www.javasystemsolutions.com