
SSO Plugin Troubleshooting
SSO Plugin - BMC AR System & Mid Tier
J System Solutions
http://www.javasystemsolutions.com

JSS SSO Plugin – Troubleshooting

Introduction
Common investigation methods
Log files
Fiddler
Download Fiddler
Installing Fiddler
Configure the browser to use Fiddler
Starting Fiddler
HTTPS Traffic
Verifying Service Principal Names (SPNs)
The setspn utility
See accounts that are set to which SPN
Duplicate SPNs
Removing an SPN
Understanding logging in BMC AR System
Troubleshooting in BMC AR System
Troubleshooting in HP Service Manager
Troubleshooting ADFS 2.0 Messages
Frequently asked questions/issues
Appendix A: Acronyms, Abbreviations & Definitions

Introduction

This document provides a list of troubleshooting methods used with the JSS products, along with the steps to resolve the most common issues customers face. If there are any questions, do not hesitate to contact JSS support.

Common investigation methods

The following section describes the common tasks used to diagnose any issues with SSO Plugin.

Log files

This section describes the common log files used within SSO Plugin and how to enable them.

Product: BMC AR System AREA plugin
Description: The SSO Plugin AREA module writes to this file.
Purpose: Verification that the SSO Plugin AREA module has loaded and configured correctly. This file is created on AR Server start-up, AR System configuration changes and on every authentication attempt.
Default location:
    Windows - C:\Program Files\BMC Software\ServerName\Arserver\db
    UNIX/Linux - /opt/bmc/ARSystem/db
How to enable:
    · Log in to the application as an administrative user
    · Open the AR System Administration Console
    · Click System from the navigation pane
    · Click General
    · Click Server Information
    · Click Log Files tab
    · Click the Plug-in Server checkbox
    · Make a note of the Plug-in log file name
    · Select ALL from the Plug-in Log Level drop down
    · Click Apply

Product: Apache Tomcat
Description: The SSO Plugin Mid Tier module writes to this file.
Purpose: Verification that the SSO Plugin Mid Tier module has loaded and configured correctly. This file is written to on Mid Tier start-up, SSO Plugin configuration changes and all Mid Tier authentication requests.
Default location:
    Windows - C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs
    UNIX/Linux - This will depend on the OS and installation method. An example of a default location is /opt/apache/tomcat6.0/logs

    Tip: To help find the process ID of Tomcat, type:

        ps -ef | grep tomcat

    This will return something like the following; note the PID is 404:

        root 404 1 4 19:41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java -Djava.util.logging.config.file=/opt/apache/tomcat

    To help find the log file, type lsof -p PID, where PID is the process ID of your Tomcat server. In the above example it was 404:

        lsof -p 404 | grep "tomcat6.0/logs"

    This will return something like:

        java 404 root 1676 27754677 /opt/apache/tomcat6.0/logs/stdout.2013-04-15.log

How to enable:
    · Via a browser, enter the following URL: http://yourMidTierHost/arsys/jss-sso/index.jsp
    · On the left pane above the Login button:
        o on BMC Mid Tier, enter the same password used for the configuration, e.g. /arsys/shared/config/config.jsp (the installation default is arsystem).
        o on other deployments (Analytics, Dashboards etc), enter the SSO Plugin administration password (the installation default is jss).
    · Click Configuration.
    · Select the desired log level from the Log Level menu. It is recommended that Trace be selected for investigating any issues and Severe for normal operating times.
    · Click Set Configuration.

When using SSO Plugin 4+, the BMC AR System AREA plugin log file is automatically configured and the location reported through the user interface.

Fiddler

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine, e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more.

Download Fiddler

To download Fiddler, go here: http://fiddler2.com/get-fiddler

Installing Fiddler

    · Select 'Run' from any Security Warning dialog.
    · Agree to the License Agreement.
    · Select the install directory for Fiddler.
    · Click 'Close' when installation completes.

Configure the browser to use Fiddler

Follow these steps for the following browsers: IE, Chrome and Safari. To capture traffic from most browsers, enable File > Capture Traffic.

When using Firefox: Click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings

Starting Fiddler

Find Fiddler2 from the Windows start menu or type fiddler2 in the Start button >> Run

HTTPS Traffic

If you are using Secure Sockets Layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts traffic and therefore you need to tell Fiddler to decrypt it. To do so, click Tools > Fiddler Options. When the dialog appears, select "Decrypt HTTPS traffic" and click OK.

Verifying Service Principal Names (SPNs)

The following section will help diagnose SPN specific issues.
A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, i.e.
    · http://yourMidTier/arsys/jss-sso/index.jsp on BMC Mid Tier,
    · http://yourWebTier/webtier/jss-sso/index.jsp on HP Service Manager.

The setspn utility

SetSPN is a built-in utility with Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don't have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and search for duplicate SPNs that cause Kerberos to stop working.

See accounts that are set to which SPN

To list the SPNs assigned to an account, do the following:

    C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE
    Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local:
            HTTP/w7604.dev.javasystemsolutions.local

The example above shows that the SPN HTTP/w7604.dev.javasystemsolutions.local is set to the domain account JSS-SSO-SERVICE.

Duplicate SPNs

Kerberos will not work if there are duplicate SPNs, i.e. the same hostname (HTTP/myJava web server.domain.com) is registered to two different computer or user accounts. Microsoft's update to setspn (KB970536) has a new feature which can search for duplicate accounts. Simply run: setspn -X. If any duplicates are listed, then remove the incorrect entries using: setspn -D.

Example of using setspn to find duplicate SPNs for the same Mid Tier and finding none:

    C:\Users\administrator.DEV>setspn -x
    Checking domain DC=dev,DC=javasystemsolutions,DC=local
    Processing entry 0
    found 0 group of duplicate SPNs.
Example of using setspn to find duplicate SPNs for the same Mid Tier and finding that two accounts, JSS-SSO-S1 and JSS-SSO-SERVICE, are assigned to the same Mid Tier. This would stop SSO working.

    C:\Users\administrator.DEV>setspn -x
    Checking domain DC=dev,DC=javasystemsolutions,DC=local
    Processing entry 0
    HTTP/w7604.dev.javasystemsolutions.local
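
The duplicate check described under "Duplicate SPNs" can also be run over saved `setspn -L` listings when reviewing several service accounts at once. The following is an added example, not part of the JSS document or product: the function names are hypothetical, the JSS-SSO-S1 listing is constructed, and it assumes the output was redirected to a file so the header lines are not wrapped.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L <account>` output for two accounts, in the
# format shown above. The JSS-SSO-S1 listing is made up for this example.
SAMPLE = """\
Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local:
        HTTP/w7604.dev.javasystemsolutions.local
Registered ServicePrincipalNames for CN=JSS-SSO-S1,CN=Users,DC=dev,DC=javasystemsolutions,DC=local:
        http/W7604.dev.javasystemsolutions.local
        HTTP/w7604
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")


def parse_setspn_listing(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line.strip())
        if match:
            current = match.group(1)
            accounts.setdefault(current, [])
        elif line.strip() and current is not None and line[:1].isspace():
            # Indented lines under a header are that account's SPNs.
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts):
    """Return {spn: sorted account DNs} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            # Compare in lower case so HTTP/Host and http/host count as one SPN.
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_setspn_listing(SAMPLE)).items():
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
```

Any SPN it reports is held by more than one account; the incorrect registration is then removed with setspn -D as described above.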