Single Sign On Plugin: Remote installation pre-requisites · 2018-03-07 · Fiddler Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web

SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier

J System Solutions http://www.javasystemsolutions.com


JSS SSO Plugin – Troubleshooting

Introduction (page 3)
Common investigation methods (page 4)
  Log files (page 4)
Fiddler (page 6)
  Download Fiddler (page 6)
  Installing Fiddler (page 6)
  Configure the browser to use Fiddler (page 7)
  Starting Fiddler (page 7)
  HTTPS Traffic (page 7)
Verifying Service Principal Names (SPNs) (page 8)
  The setspn utility (page 8)
  See which accounts are set to which SPN (page 8)
  Duplicate SPNs (page 8)
  Removing an SPN (page 9)
Understanding logging in BMC AR System (page 10)
Troubleshooting in BMC AR System (page 11)
Troubleshooting in HP Service Manager (page 12)
Troubleshooting ADFS 2.0 Messages (page 13)
Frequently asked questions (page 14)
Appendix A: Acronyms, Abbreviations & Definitions (page 25)


Introduction

This document provides a list of troubleshooting methods used with the JSS products, along with the steps to resolve the most common issues customers face.

If there are any questions, do not hesitate to contact JSS support.


Common investigation methods

The following section describes the common tasks used to diagnose any issues with SSO Plugin.

Log files

This section describes the common log files used within SSO Plugin and how to enable them.

Product: BMC AR System AREA plugin

Description: The SSO Plugin AREA module writes to this file.

Purpose: Verification that the SSO Plugin AREA module has loaded and configured correctly. This file is created on AR Server start-up, on AR System configuration changes and on every authentication attempt.

Default location:
  Windows - C:\Program Files\BMC Software\ServerName\Arserver\db
  UNIX/Linux - /opt/bmc/ARSystem/db

How to enable:
  1. Log in to the application as an administrative user.
  2. Open the AR System Administration Console.
  3. Click System from the navigation pane.
  4. Click General.
  5. Click Server Information.
  6. Click the Log Files tab.
  7. Click the Plug-in Server checkbox.
  8. Make a note of the Plug-in log file name.
  9. Select ALL from the Plug-in Log Level drop down.
  10. Click Apply.

Screenshot example:

Product: Apache Tomcat

Description: The SSO Plugin Mid Tier module writes to this file.

Purpose: Verification that the SSO Plugin Mid Tier module has loaded and configured correctly. This file is written to on Mid Tier start-up, on SSO Plugin configuration changes and on all Mid Tier authentication requests.

Default location:
  Windows - C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs
  UNIX/Linux - This will depend on the OS and installation method. An example of a default location is /opt/apache/tomcat6.0/logs

  Tip: To help find the process ID of Tomcat, type:

    ps -ef | grep tomcat

  which will return something like this; note the PID is 404:

    root 404 1 4 19:41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java -Djava.util.logging.config.file=/opt/apache/tomcat

  To help find the log file, type lsof -p PID where PID is the process ID of your Tomcat server. In the above example it was 404:

    lsof -p 404 | grep "tomcat6.0/logs"

  which will return something like this:

    java 404 root 1676 27754677 /opt/apache/tomcat6.0/logs/stdout.2013-04-15.log

How to enable:
  1. Via a browser, enter the following URL: http://yourMidTierHost/arsys/jss-sso/index.jsp
  2. On the left pane above the Login button:
     o on BMC Mid Tier, enter the same password used for the configuration, e.g. /arsys/shared/config/config.jsp (the installation default is arsystem).
     o on other deployments (Analytics, Dashboards etc.), enter the SSO Plugin administration password (the installation default is jss).
  3. Click Configuration.
  4. Select the desired log level from the Log Level menu. It is recommended that Trace be selected for investigating any issues and Severe for normal operating times.
  5. Click Set Configuration. When using SSO Plugin 4+, the BMC AR System AREA plugin log file is automatically configured and the location reported through the user interface.

Screenshot example:


Fiddler

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine, e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more.

Download Fiddler

To download Fiddler, go here:

http://fiddler2.com/get-fiddler

Installing Fiddler

Select 'Run' from any Security Warning dialog.

Agree to the License Agreement.

Select the install directory for Fiddler.


Click 'Close' when installation completes.

Configure the browser to use Fiddler

Follow these steps for the following browsers: IE, Chrome and Safari. To capture traffic from most browsers, enable File > Capture Traffic.

When using Firefox: Click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings

Starting Fiddler

Find Fiddler2 from the Windows start menu or type fiddler2 in the Start button >> Run

HTTPS Traffic

If you are using Secure Sockets Layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts the traffic, and therefore you need to tell Fiddler to decrypt it.

To do so click Tools > Fiddler Options

When the dialog appears, select "Decrypt HTTPS traffic" and click OK


Verifying Service Principal Names (SPNs)

The following section will help diagnose SPN specific issues.

A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, i.e. http://yourMidTier/arsys/jss-sso/index.jsp on BMC Mid Tier, or http://yourWebTier/webtier/jss-sso/index.jsp on HP Service Manager.

Example screenshot here:

The setspn utility

SetSPN is a built-in utility with Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don't have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and to search for duplicate SPNs that cause Kerberos to stop working.

See which accounts are set to which SPN

To list the SPNs assigned to an account, do the following:

C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE
Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local:
        HTTP/w7604.dev.javasystemsolutions.local

The example above shows that the SPN HTTP/w7604.dev.javasystemsolutions.local is set to the domain account JSS-SSO-SERVICE.

Duplicate SPNs

Kerberos will not work if there are duplicate SPNs, i.e. the same hostname (HTTP/myJavawebserver.domain.com) is registered to two different computer or user accounts.

Microsoft's update to setspn (KB970536) has a new feature which can search for duplicate accounts. Simply run: setspn -X. If any duplicates are listed, then remove the incorrect entries using: setspn -D.

Example use of setspn to find duplicate SPNs for the same Mid Tier, finding none:

C:\Users\administrator.DEV>setspn -x
Checking domain DC=dev,DC=javasystemsolutions,DC=local
Processing entry 0
found 0 group of duplicate SPNs.

Example use of setspn to find duplicate SPNs for the same Mid Tier, finding that two accounts, JSS-SSO-S1 and JSS-SSO-SERVICE, are assigned to the same Mid Tier. This would stop SSO working.

C:\Users\administrator.DEV>setspn -x
Checking domain DC=dev,DC=javasystemsolutions,DC=local
Processing entry 0
HTTP/w7604.dev.javasystemsolutions.local is registered on these accounts:
        CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
        CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
found 1 group of duplicate SPNs.
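The duplicate check above, re-done offline as an added example (this is not code from the SSO Plugin product or its documentation): it parses saved `setspn -L` output for several accounts, reports any SPN held by more than one account, and checks that a Mid Tier host's HTTP SPNs (FQDN and NetBIOS name) belong to the expected service account. The account and host names in the sample are constructed.

```python
"""Find SPNs registered on more than one account from saved `setspn -L` output
(the check `setspn -X` performs), and verify one host's HTTP SPNs.
Added example; not part of the SSO Plugin product or its documentation."""
import re
from collections import defaultdict

# Constructed sample: `setspn -L <account>` run for three accounts, output
# concatenated. The layout follows the examples in this document; names are made up.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=example,DC=local:
        HTTP/w7604.dev.example.local
        HTTP/w7604
Registered ServicePrincipalNames for CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=example,DC=local:
        http/W7604.dev.example.local
Registered ServicePrincipalNames for CN=MIDTIER02,CN=Computers,DC=dev,DC=example,DC=local:
        HTTP/midtier02.dev.example.local
        HTTP/midtier02
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn_output(text: str) -> dict:
    """Map each SPN to the set of account DNs it is registered on.
    SPNs are lower-cased because Active Directory compares them case-insensitively,
    so `http/W7604...` and `HTTP/w7604...` on two accounts are a duplicate."""
    spns = defaultdict(set)
    account = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            account = header.group("dn")
            continue
        if account is None:
            raise ValueError(f"SPN line before any account header: {line!r}")
        spns[line.lower()].add(account)
    return dict(spns)


def find_duplicate_spns(text: str) -> dict:
    """SPNs held by more than one account, each with its sorted list of holders.
    Any entry here breaks Kerberos for that service, as described above."""
    return {spn: sorted(holders)
            for spn, holders in parse_setspn_output(text).items()
            if len(holders) > 1}


def check_host_spns(text: str, host_fqdn: str, expected_account_cn: str) -> list:
    """Problems with the HTTP SPNs of one Mid Tier host: the FQDN or NetBIOS-name
    SPN missing, held by an unexpected account, or duplicated across accounts.
    Returns an empty list when the host's SPNs look healthy."""
    spns = parse_setspn_output(text)
    expected = f"CN={expected_account_cn.upper()}"
    problems = []
    for spn in (f"HTTP/{host_fqdn}", f"HTTP/{host_fqdn.split('.')[0]}"):
        # Reduce each holder DN to its CN for readable output.
        holders = sorted(dn.split(",")[0].upper() for dn in spns.get(spn.lower(), ()))
        if not holders:
            problems.append(f"{spn}: not registered on any account")
        elif len(holders) > 1:
            problems.append(f"{spn}: duplicate, registered on {', '.join(holders)}")
        elif holders[0] != expected:
            problems.append(f"{spn}: registered on {holders[0]}, expected {expected}")
    return problems


if __name__ == "__main__":
    for spn, holders in find_duplicate_spns(SAMPLE_SETSPN_OUTPUT).items():
        print(f"duplicate {spn}: {holders}")
    for problem in check_host_spns(SAMPLE_SETSPN_OUTPUT, "w7604.dev.example.local",
                                   "JSS-SSO-SERVICE"):
        print(problem)
```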

Removing an SPN

The above example shows that the SPN for the host w7604.dev.javasystemsolutions.local is registered against two accounts. An account can hold multiple SPNs, but an SPN cannot be registered against more than one account. Here is an example of how to remove an SPN:

C:\Users\administrator.DEV>setspn -D HTTP/w7604.dev.javasystemsolutions.local JSS-SSO-SERVICE
Unregistering ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
        HTTP/w7604.dev.javasystemsolutions.local
Updated object


Understanding logging in BMC AR System

There are two modules used in SSO Plugin. The first is an AR External Authentication (AREA) plugin which is installed on all AR Servers. This module writes to the standard BMC arplugin log file, enabled through the AR System Administration Console. The module uses three log levels, described below.

AR Plug-in Log level: Config

Description: This level is used with these events:
  - AR System startup
  - AR System restart
  - Configuration change via the AR System Configuration Console
  - Configuration change via the SSO Administration Console

This level describes the SSO Plugin AREA plugin configuration, including the license information. Lines within the log file can be identified by the following:

  <JSS.AREA.SSO> <CONFIG>

AR Plug-in Log level: Finest

Description: The Finest log level is the most verbose and contains a lot of information. Some information will only be useful to JSS support to understand the flow of the data, for example keys and encryption information. This level is used with these events:
  - AR System startup
  - AR System restart
  - Configuration change via the AR System Configuration Console
  - Configuration change via the SSO Administration Console
  - Authentication attempts

When this level is enabled, failure of SSO attempts will be evident with lines identified by the following:

  <JSS.AREA.SSO> <FINEST>

AR Plug-in Log level: Severe

Description: The Severe log level is typically enabled on production systems and is the least verbose of all the logs. The events which trigger the output of this information to the log file are considered serious and would stop SSO working for all users. An example of this information is visible in the log file when the SSO Plugin AREA module is unable to communicate with the AR Server it is installed to:

  <JSS.AREA.SSO> <SEVERE> Error: messageNum:90 messageText:Cannot establish a network connection to the AR System server appendedText:<YourServerName>


Troubleshooting in BMC AR System

The following flow chart details the troubleshooting steps. If the issue is not resolved, collate screenshots and logs and email them to [email protected]


Troubleshooting in HP Service Manager

Problems are categorised into two areas when integrating SSO Plugin with Service Manager:

1. Performing the SSO integration, i.e. integrating with Active Directory/SAML Identity Provider/etc.

2. Enabling trusted sign on in the Service Manager service, i.e. configuring the sm.ini file.

When you can view the Test SSO page in the Web Tier interface, and a username has been retrieved from the SSO system, part 1 is complete.

If you click on the Service Manager link and see a login page or an access denied message, the issue is more than likely associated with part 2. In this case, send your Service Manager sm.ini file and Web Tier web.xml file to [email protected].


Troubleshooting ADFS 2.0 Messages

Active Directory Federation Services failures that are presented to the user do not easily explain what the root cause of the issue actually is. Here is an example screenshot of what the user is presented with:

Microsoft has produced a step by step guide to find the information with that reference here:

http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx


Frequently asked questions

Title: java.lang.ClassNotFoundException or NoSuchMethodException appears in the Java web server logs or in the browser

Issue: Stack traces appear in the logs or web browser that look similar to:

  java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.JSSAuthenticator
  org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
  11-Apr-2009 15:33:59 org.apache.catalina.core.StandardContext filterStart
  SEVERE: Exception starting filter spnego
  java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.SPNEGOHttpFilter
  org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)

Possible causes: The jss-sso.jar file was not found in the WEB-INF/lib directory of the Java web server (Tomcat), or is the wrong version after an upgrade.

Solutions: This error typically indicates that not all files have been copied into the correct directory in the Java web application server. All files within the SSO Plugin download midtier or webtier directory must be copied to the Java web application installation directory.

If still unresolved: Email a screenshot of the WEB-INF/lib directory to [email protected]

Title: Windows credentials dialog pop-up when attempting to authenticate

Issue: When attempting to authenticate via a browser, the user is prompted for Windows credentials. Screenshot example from IE:

Possible causes: In order to use Single Sign On (SSO), the client machine needs to be logged into the domain. The dialog is appearing because the browser believes that the user is not logged into the same domain that is configured, or trusted with, in the SSO Plugin configuration page.

Solutions: Confirm the following:
  - The user is logged into the same domain (or a domain trusted with it) that is configured in the Mid Tier SSO configuration page, typically http://yourMidTierHost/arsys/jss-sso/index.jsp
  - Check the user's domain by pressing Ctrl+Alt+Del and reviewing the "You are logged in as" dialog. The Windows domain shown must be the target domain and not the local machine name.
  - If the above is not present, run cmd.exe and type the following:

      net config workstation

    Make sure the Logon domain is the short domain name and not the local machine name.
  - The domain controller should be running Active Directory.
  - If using IE:
      o Within IE, click Tools -> Internet Options -> Security -> Local Intranet Zone
      o Add the Mid Tier host name to the list
      o Click Tools -> Internet Options -> Security -> Custom Level
      o Scroll to the bottom and select "Automatic logon only in Intranet zone"
  - If using Firefox:
      o In the URL bar, type about:config
      o Then type trusted-uri
      o You will be presented with network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris. Type the Mid Tier hostname from the URL into these fields.
  - If your browser is configured to use a proxy server, the target website may need to be added to the proxy exceptions list, as SSO is known to be problematic through some proxies.
  - Ensure the clocks on the workstation and the AD are set correctly. Kerberos authentication can fail if the clocks are skewed.

If still unresolved: Follow the Fiddler section of this document to capture a Fiddler trace and email the .saz file to [email protected]

Title: Browser presents HTTP status code of 400

Issue: Some users are seeing HTTP status code of 400, especially when using BMC ITSM. A Fiddler trace is showing HTTP/1.1 400 Bad Request

Possible causes: By default, Tomcat has a hard coded HTTP header limit of 4Kb. If the Kerberos token exceeds 4Kb then Tomcat returns the status code 400 without passing the request to the Java web server. The Kerberos token contains group information. If the user is a member of many groups then this token can become large.

Solutions: Increase the header size in Tomcat.
  1. Open the Tomcat server.xml in a text editor.
  2. Search for the HTTP connector:

       <Connector port="8080" protocol="HTTP/1.1"

  3. Add a maxHttpHeaderSize attribute, which is given a value in bytes (65536 is 64Kb):

       <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="65536"

  4. Save and restart Tomcat.

If you are using WebLogic then, depending on the version, you can modify this in the configuration screens (look for the setting HTTP Max Message Size) or open weblogic.properties (detailed here: http://docs.oracle.com/cd/E13222_01/wls/docs45/admindocs/properties.html) and set the value to 65536.

If still unresolved: Email the server.xml to [email protected]
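An added example, not from the SSO Plugin documentation, that puts numbers on the 400 Bad Request cause above: it estimates the Kerberos token size from a user's group memberships using Microsoft's published formula (KB327825), works out the size of the resulting Authorization: Negotiate header, and sets maxHttpHeaderSize on the HTTP connector of a constructed server.xml. The 1 KiB allowance for the remaining request headers is an assumption.

```python
"""Estimate whether a user's Kerberos/SPNEGO token fits Tomcat's HTTP header limit,
and patch maxHttpHeaderSize on the HTTP/1.1 connector(s) in server.xml.
Added example; not part of the SSO Plugin product or its documentation."""
import math
import xml.etree.ElementTree as ET


def estimate_token_bytes(domain_local_and_external_universal: int,
                         global_and_home_universal: int) -> int:
    """Microsoft's Kerberos token size estimate (KB327825):
    TokenSize = 1200 + 40*d + 8*s, where d counts domain-local groups plus universal
    groups outside the user's domain and s counts global groups plus universal groups
    in the user's domain. A lower bound: real tokens carry extra PAC/ticket overhead."""
    return 1200 + 40 * domain_local_and_external_universal + 8 * global_and_home_universal


NEGOTIATE_PREFIX = "Authorization: Negotiate "


def negotiate_header_bytes(token_bytes: int) -> int:
    """Wire size of the Authorization header carrying the token: the SPNEGO token is
    base64 encoded (3 bytes -> 4 characters, padded to a multiple of 4), plus the
    header name and the trailing CRLF."""
    b64_chars = 4 * math.ceil(token_bytes / 3)
    return len(NEGOTIATE_PREFIX) + b64_chars + 2


def fits_tomcat_header_limit(token_bytes: int, max_http_header_size: int,
                             other_headers_bytes: int = 1024) -> bool:
    """True if the Negotiate header plus the rest of the request headers stay within
    maxHttpHeaderSize; Tomcat answers 400 Bad Request once the limit is exceeded.
    other_headers_bytes is an assumed allowance for Host, Cookie, User-Agent etc."""
    return negotiate_header_bytes(token_bytes) + other_headers_bytes <= max_http_header_size


# Constructed sample server.xml in the layout this document describes (no comments).
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def _is_http_connector(connector: ET.Element) -> bool:
    # A Connector with no protocol attribute defaults to HTTP/1.1 in Tomcat; the
    # protocol may also be given as an Http11* implementation class name.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("HTTP/") or "http11" in proto.lower()


def set_max_http_header_size(server_xml: str, size: int = 65536) -> str:
    """Return server.xml with maxHttpHeaderSize="<size>" on every HTTP connector.
    The AJP connector is left alone (its limit is packetSize, a different attribute).
    Note: ElementTree drops XML comments, so review the result before writing it back."""
    root = ET.fromstring(server_xml)
    changed = 0
    for connector in root.iter("Connector"):
        if _is_http_connector(connector):
            connector.set("maxHttpHeaderSize", str(size))
            changed += 1
    if changed == 0:
        raise ValueError("no HTTP connector found in server.xml")
    return ET.tostring(root, encoding="unicode")


def get_max_http_header_sizes(server_xml: str) -> dict:
    """Map connector port -> maxHttpHeaderSize (None when the attribute is absent),
    useful for confirming the change after editing."""
    root = ET.fromstring(server_xml)
    sizes = {}
    for connector in root.iter("Connector"):
        value = connector.get("maxHttpHeaderSize")
        sizes[connector.get("port")] = int(value) if value is not None else None
    return sizes


if __name__ == "__main__":
    token = estimate_token_bytes(100, 50)   # a user in 150 groups
    print(f"estimated token {token} B, header {negotiate_header_bytes(token)} B")
    print("fits 4096:", fits_tomcat_header_limit(token, 4096))
    print(get_max_http_header_sizes(set_max_http_header_size(SERVER_XML_BEFORE)))
```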

Title: My Windows account keeps getting locked out

Issue: Error messages appear that the user's account is locked out in Active Directory.

Possible causes: This possibly indicates that one or more of the AR Servers are not correctly configured to use SSO Plugin. If the BMC AREA LDAP plugin is being used, the correct configuration employs the BMC AREA Hub, in which the SSO Plugin is used first and the BMC AREA LDAP plugin second. If SSO is incorrectly configured, the SSO tokens are passed to the domain controller as passwords, which will always be incorrect for any user. Therefore some domain policies, such as a limit on the number of incorrect passwords, will lock the account.

Solutions: All AR Servers that are processing user authentication requests must be SSO enabled and correctly configured.

This can be investigated by enabling the AR System Plug-in logging and setting the Plug-in Log Level to ALL. It is typical to see the following in this instance:

  <JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator

Typically, this indicates that the Windows User Tool SSO module is either out of date, or is using an out of date ARSSSOInfo.ini file. To resolve, ensure the latest DLL is installed with the Windows User Tool user.exe file and re-generate the ARSSSOInfo.ini file using the setup.exe tool.

If still unresolved: Email the full AR plug-in log file to [email protected]
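An added example (not from the SSO Plugin documentation) that reads the arplugin log described in the log level table above: it counts lines per <JSS.AREA.SSO> level, and flags the SEVERE "cannot establish a network connection" message and repeated "token is not valid" lines per user, the pattern this entry associates with account lockouts. The sample log lines are constructed from the messages this document quotes.

```python
"""Classify SSO Plugin AREA log lines by level and surface the two failure patterns
this document describes. Added example; not part of the SSO Plugin product."""
import re
from collections import Counter

TAG_RE = re.compile(r"<JSS\.AREA\.SSO>\s*<(?P<level>CONFIG|FINEST|SEVERE)>\s*(?P<msg>.*)")
INVALID_TOKEN_RE = re.compile(r"The token is not valid for this user:\s*(?P<user>\S+)")
NO_CONNECTION_RE = re.compile(
    r"messageNum:90\s+messageText:Cannot establish a network connection to the AR System server"
    r".*?appendedText:(?P<server>\S+)")

# Constructed sample: the messages follow the examples quoted in this document; the
# server name and the non-SSO line are made up.
SAMPLE_ARPLUGIN_LOG = """\
<JSS.AREA.SSO> <CONFIG> SSO Plugin AREA plugin configuration loaded
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: jsmith
some other plug-in writing to the shared arplugin log
<JSS.AREA.SSO> <SEVERE> Error: messageNum:90 messageText:Cannot establish a network connection to the AR System server appendedText:arserver01
"""


def analyse_area_log(text: str, lockout_threshold: int = 3) -> dict:
    """Summarise an arplugin log: line counts per SSO Plugin level, invalid-token
    counts per user, AR Servers reported unreachable, and readable findings.
    lockout_threshold is the number of invalid tokens for one user worth reporting
    (an assumption; tune it to the domain's lockout policy)."""
    levels = Counter()
    invalid_tokens = Counter()
    unreachable = []
    for line in text.splitlines():
        tag = TAG_RE.search(line)
        if not tag:
            continue  # not an SSO Plugin line (other plug-ins share the log file)
        level, msg = tag.group("level"), tag.group("msg")
        levels[level] += 1
        bad = INVALID_TOKEN_RE.search(msg)
        if bad:
            invalid_tokens[bad.group("user")] += 1
        down = NO_CONNECTION_RE.search(msg)
        if down and down.group("server") not in unreachable:
            unreachable.append(down.group("server"))
    findings = [f"AREA module cannot reach AR Server {srv}: SSO is down for all users"
                for srv in unreachable]
    findings += [f"{n} invalid SSO tokens for {user}: verify every AR Server is SSO "
                 f"enabled with SSO Plugin first in the AREA hub, or the account may "
                 f"be locked out"
                 for user, n in sorted(invalid_tokens.items()) if n >= lockout_threshold]
    return {"levels": dict(levels), "invalid_tokens": dict(invalid_tokens),
            "unreachable": unreachable, "findings": findings}


if __name__ == "__main__":
    for finding in analyse_area_log(SAMPLE_ARPLUGIN_LOG)["findings"]:
        print(finding)
```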

Title: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14)

Issue: When clicking Set Configuration on the SSO Plugin configuration page, you are presented with the following text: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14)

Possible causes: This error is possibly caused by a number of issues. Either the

Solutions:
  - Check the service account details are correct in the SSO Plugin configuration page. The "service user" and password should be verified with the AD administrators.
  - If a krb5.conf file is being used, then please compare it with the example provided in the SSO Plugin evaluation download. This can be found in the WEB-INF/classes directory.
  - If the above account details are correct, then create a new service user account and assign the SPNs to the new account. To do so, you have to remove the existing SPNs from the old service user before assigning the new values.

  Example: Using the above Service User example SSOKERBMT01, where the Mid Tier host name is mthost01 and there is a load balancer in front called lb01:

    1. Remove the existing SPNs.
       Syntax example: setspn -d HTTP/midTierHostName yourDomain\serviceUserName

         setspn -d HTTP/mthost01 mydomain\SSOKERBMT01
         setspn -d HTTP/lb01 mydomain\SSOKERBMT01

    2. Create a new service user account in the domain and assign a password.
       o For instruction purposes, let's assume the new account is called SSOKERBMTNEW
       o Ask the AD administrators to tick "Do not require Kerberos preauthentication" in the user account options.

    3. Add the SPNs to the new service account.
       o Set the SPNs for the Mid Tier host NetBIOS name and fully qualified domain name:

         setspn -A HTTP/mthost01.mydomain.com mydomain\SSOKERBMTNEW
         setspn -A HTTP/mthost01 mydomain\SSOKERBMTNEW

       o Set the SPNs for the load balancer NetBIOS name and fully qualified domain name:

         setspn -A HTTP/lb01.mydomain.com mydomain\SSOKERBMTNEW
         setspn -A HTTP/lb01 mydomain\SSOKERBMTNEW

    4. Update the SSO Plugin configuration page with the new service user name and password.

    5. Click Set Configuration.

  In the event the above doesn't work, ask the AD administrator to send a screenshot of the group policy for Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options -> Network security: Configure encryption types allowed for Kerberos, as seen in this screenshot:

If still unresolved: Email the full Java web engine (e.g. Tomcat) stdout log file and screenshots of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp and http://yourMidTierHostname/arsys/jss-sso/setup.jsp to [email protected]

Title: This computer account is in use by another SSO Plugin configuration

Issue: When submitting the SSO Plugin configuration page in Mid Tier, the following message can appear: This computer account is in use by another SSO Plugin configuration.

Possible causes: Service (computer) accounts cannot be used by more than one Mid Tier instance. This means the NTLMv2 computer account is in use by another Mid Tier registered with AR System.

However, due to the way SSO Plugin matches the configuration (in the JSS:SSO:MidTierConfig form within the AR System) with a Mid Tier instance, it is possible for a duplicate row to be generated (if a Mid Tier is re-installed, for example) and hence SSO Plugin believes two Mid Tiers share the same computer account.

Solutions: If more than one Mid Tier instance connects to the same AR System, follow these steps:
  - Create a unique service (computer) account for each Mid Tier instance. This can be done using the set-service-account.cmd script found in the evaluation download, or it can be created manually. Instructions and more information can be found in the following online document: http://www.javasystemsolutions.com/documentation/ssoplugin/jss-sso-active-directory-integration.pdf
  - Once the account has been created, apply the service account name and password to the SSO Plugin configuration page, typically found at http://yourMidTierHost/arsys/jss-sso/index.jsp under the configuration link.

If there is only one instance of Mid Tier connecting to the AR System, or all Mid Tier SSO configurations have been verified to have unique service (computer) accounts, then follow these steps:
  - To resolve this warning if it is due to duplicate entries, locate and delete the duplicate entry in the form. Field 8 contains the unique key (in the format hostname-ID), and the ID of a Mid Tier can be found in the Mid Tier config.properties file.
  - Or you can delete all the rows that refer to the host and resubmit the configuration.

This warning can be safely ignored if it is due to duplicate configurations.

If still unresolved:
  1. Log in to the application as an administrative user.
  2. Open the JSS:SSO:MidTierConfig form.
  3. Search for all entries.
  4. Take a screenshot of the unique values. Example screenshot below:
  5. Email the screenshot and the Java web server (Tomcat) stdout file to [email protected]

Title: Kerberos error: Channel binding mismatch

Issue: The following error is displayed in the SSO Plugin configuration form when clicking Set Configuration. The following error was in the Java web server log.

Possible causes: Various Kerberos errors relating to channels can appear on older 1.6 JVMs.

Solutions: Please upgrade to the latest 1.6 or 1.7 JVM from the Oracle website.

If still unresolved: Browse to http://yourMidTierHost/arsys/jss-sso/debug.jsp, replacing yourMidTierHost with your own Mid Tier hostname, and email the results to [email protected]

Title: SSO fails for users with administrator permissions

Issue: Browsing to the testsso.jsp link works and shows the green status bar, but browsing to Mid Tier home redirects to the login page.

Possible causes: If the user's BMC AR System user account has a password then SSO cannot work. This is the application's way of having an SSO on/off switch per user.

The setting Cross-Ref-Blank-Password, found in the ar.cfg/ar.conf files on the BMC AR System server, means that if a user with a blank password in the User form attempts to log in, the standard authentication method is not used and the information is passed on to an external source; in this example, single sign on. This does not mean someone typing a user name and a blank password can log in.

SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the User form. However, this does not work if the user has administrator permissions.

Solutions: Remove the password of the user's account in the BMC AR System User form.

If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to [email protected]

Title: SSO Plugin feature "Automatically SSO enable accounts" not working

Issue: Browsing to the testsso.jsp link works and shows the green status bar, but browsing to Mid Tier home redirects to the login page.

Possible causes: SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the User form, which will enable the user to use SSO. However, this does not work if the user has administrator permissions.

Solutions: Remove the password of the user's account in the BMC AR System User form.

If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to [email protected]

Title: "Force password change on login" not being updated by SSO Plugin

Issue: When the SSO Plugin feature "Automatically SSO enable accounts" is enabled in the SSO Plugin configuration screen, some accounts still have the "Force Password Change On Login" checkbox checked.

Possible causes: User accounts are only updated, to clear the checkbox, if the group field does not contain the Administrator permission.

Solutions: Manually update the user account to de-select the "Force Password Change On Login" feature.

If still unresolved: Take screenshots of the user's account in the user form and email them to [email protected]

Title: Using an F5 load balancer, the user is directed to the login screen even when testsso.jsp works

Issue: We have noticed some odd behaviour in the way IP addresses are reported to the AR System server when using an F5 load balancer. When the Test SSO functionality attempted to make a connection to the AR System server, the IP address of the host running Mid Tier was passed, but when accessing the Mid Tier home page, the IP address of the F5 was passed.

Possible causes: The F5 is somehow modifying the Mid Tier IP address.

Solutions: Log in to the application as an administrative user. Open the SSO Administration Console. Add the F5 IP address to the list of IP addresses, separated by a semicolon. Click Save.

If still unresolved: Enable arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group, do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to [email protected]

Title: I can view the default IIS home page but I can't access the Java web server at all

Issue: Whilst the Java web server on Tomcat appears to be running, and IIS serves static files like /iisstart.htm correctly, attempting to connect to the Java web server via IIS gives an IE "Cannot find server or DNS Error" error page. Checking the Windows Event Viewer shows that IIS is crashing when an attempt is made to access Tomcat via the Jakarta ISAPI Redirector. The server in question was a 64-bit Windows 2003 Server Hyper-V VM, with IIS configured to run 32-bit ISAPI extensions. However, other VMs with the same setup have not demonstrated this behaviour.

Possible causes: It is not a well-known bug or one that has affected us before. It occurs whether or not SSO Plugin is installed.

Solutions: The version of Java web server installed was 7.1. The solution is to replace the isapi_redirect.dll file with an up-to-date version from Apache, such as: http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.30/isapi_redirect-1.2.30.dll (For a 64-bit machine running native 64-bit ISAPI extensions, the file under 'win64' should be used instead.)

To replace the ISAPI extension, go to Administrative Tools -> Services and shut down the World Wide Web Publishing service and HTTPS SSL. Find the DLL in 'Program Files' ('Program Files (x86)' if running 32-on-64) under 'Apache Software Foundation\Jakarta ISAPI Redirector\bin' and rename it to isapi_redirect-old.dll. Save the new DLL here and rename it simply isapi_redirect.dll. Restart the stopped services.

If still unresolved: Email screenshots to [email protected]

Title: We are using IIS and I am prompted for my Windows login details, but they are not accepted

Issue: The customer is running IIS and browsing to the Mid Tier home page. A standard Windows authentication dialog appears. Upon entering the user's credentials the same box appears as if the details were wrong, even though the customer confirms the details are correct.

Possible causes: If you have run the set-service-account.cmd script on the Active Directory and entered the hostname of the machine running IIS, the IIS server will not be able to authenticate the tokens sent to it by your browser. Running this script is not required when using an IIS front end; it is only used when configuring SSO Plugin's built-in authentication (i.e. the feature that provides Windows authentication without the need for IIS).

Solutions: To resolve the problem, remove the JSS-SSO-SERVICE computer account created in the Active Directory by the set-service-account.cmd script, and then clear the Kerberos tokens cached on the client desktop using the kerbtray.exe tool provided in the Windows 2000 Resource Kit, or wait ten minutes for the local machine to remove the tokens from its cache.

If still unresolved: Email screenshots to [email protected]

Title: NTLM authentication sometimes fails through an F5 load balancer

Issue: According to a Fiddler trace, NTLM authentication is failing for some users.

Possible causes: The F5 product has a feature called OneConnect. Due to a bug in some versions of F5, it must be switched off if NTLM is in use, as it will be with an IIS front end to Tomcat.

Solutions: The issue is discussed in this support entry: http://support.f5.com/kb/en-us/solutions/public/5000/000/sol5050.html

If still unresolved: Email screenshots to [email protected]

Title: The following message is seen in the arplugin log: "[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds...."

Issue: If you see the above message in the arplugin log file, this indicates a connection problem: the plugin cannot communicate back to the AR Server.

Possible causes: Look in the log for <JSS.AREA.SSO> <SEVERE> AR Server Connection ... and verify the connection details, including the TCP and RPC port.

Solutions: You may see this at the start of your arplugin log, but after a few 30-second intervals the plugin continues. This is due to some AR Servers being slow to start up, which is fine, and the error can be ignored. If this error persists, it could mean the AR Server is not working, has crashed, or is too busy.

If still unresolved: Enable arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group, do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) to [email protected]
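As an added example (not part of this guide and not JSS code), a small Python triage routine that separates the transient start-up case above from a persistent failure by scanning arplugin log text. The sample log lines are constructed; only the ARERR90 message and the <JSS.AREA.SSO> <SEVERE> AR Server Connection marker come from the guide, and the timestamps and the host=/tcp=/rpc= detail format are assumptions.

```python
import re

# Message and marker strings quoted by the guide.
ARERR90 = "[81211] ARERR90 Unable to connect to AR System"
CONN_MARK = "<JSS.AREA.SSO> <SEVERE> AR Server Connection"

# Constructed sample logs (not real arplugin output); timestamps and the
# host=/tcp=/rpc= detail format are assumptions made for illustration.
SAMPLE_STARTUP_LOG = """\
2018-03-07 08:00:01 <JSS.AREA.SSO> <SEVERE> AR Server Connection failed host=arserver01 tcp=0 rpc=390600
2018-03-07 08:00:01 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 08:00:31 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 08:01:01 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 08:01:31 <JSS.AREA.SSO> <INFO> Plugin initialised, AR Server session open
"""
SAMPLE_PERSISTENT_LOG = """\
2018-03-07 09:00:00 <JSS.AREA.SSO> <SEVERE> AR Server Connection failed host=arserver01 tcp=0 rpc=390699
2018-03-07 09:00:00 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 09:00:30 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 09:01:00 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
2018-03-07 09:01:30 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
"""

def connection_details(line):
    """Pull host/tcp/rpc values out of a SEVERE connection line (assumed
    format) so they can be checked against the AR Server configuration."""
    return dict(re.findall(r"\b(host|tcp|rpc)=(\S+)", line))

def triage_arplugin_log(text, max_startup_retries=5):
    """Classify ARERR90 entries: a few retries followed by normal activity is
    a slow AR Server start-up; a log that ends on a retry is a real outage."""
    lines = [l for l in text.splitlines() if l.strip()]
    retries, last_err, details = 0, None, []
    for i, line in enumerate(lines):
        if ARERR90 in line:
            retries += 1
            last_err = i
        elif CONN_MARK in line:
            details.append(connection_details(line))
    if retries == 0:
        verdict = "no-connection-errors"
    elif any(ARERR90 not in l and CONN_MARK not in l for l in lines[last_err + 1:]):
        # Ordinary log activity after the last retry: the plugin carried on.
        verdict = "transient-startup" if retries <= max_startup_retries else "slow-recovery"
    else:
        # Still retrying when the log ends: AR Server down, crashed or too busy.
        verdict = "persistent-failure"
    return {"retries": retries, "verdict": verdict, "connection_details": details}
```

A "persistent-failure" verdict together with the extracted tcp/rpc values is the point at which the TCP and RPC port check above should be done before escalating.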

Title: HTTP Error Code: 500 JSPG0049E: /jss-sso/index.jsp failed to compile

Issue: Using IBM WebSphere and browsing to pages within the jss-sso application, the user is presented with the above error.

Possible causes:

Solutions: If you are using IBM WebSphere 7, use WAS to ensure the com.ibm.ws.jsp.jdkSourceLevel custom property is set to 16 in the web extension file.

If still unresolved: Email all WebSphere logs to [email protected]

Title: BMC Mid Tier fails to start after applying BMC patch / hotfix "8.1.00 201312191114 Hotfix"

Issue: After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs:

java.lang.ExceptionInInitializerError
at com.remedy.arsys.stubs.ServerLoginHost.customEquals(Unknown Source)

The BMC hotfix can be identified by browsing to /arsys/shared/config/config.jsp, which displays the above version.

Possible causes: BMC broke some functionality within Mid Tier in the latest release. This functionality allowed us to get a connection to the AR System server during Mid Tier startup.

Solutions: Please update SSO Plugin to a minimum version of 3.6.18: http://www.javasystemsolutions.com/jss/downloads

If still unresolved: If you are on an SSO Plugin version equal to or higher than 3.6.18 and are still seeing the above issue, please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]

Title: BMC Mid Tier fails to start after applying BMC patch / hotfix "8.1.01"

Issue: After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs:

Context initialization failed
java.lang.NoClassDefFoundError: com.remedy.arsys.stubs.GoatHttpServlet

and the browser reports HTTP Status 404. The BMC hotfix can be identified by browsing to /arsys/shared/config/config.jsp, which displays the above version.

Possible causes: BMC broke some functionality within Mid Tier in the latest release. This functionality allowed us to get a connection to the AR System server during Mid Tier startup.

Solutions: Please update the SSO Plugin Mid Tier files to a minimum version of 3.6.20: http://www.javasystemsolutions.com/jss/downloads

Once downloaded, follow these instructions:

1. Shut down the Java servlet engine, e.g. Tomcat.
2. Delete the Catalina directory found under the Tomcat\Work directory.
3. As per the screenshot example below, copy the <3.6.20 download>\midtier folders to the AR System midtier folder, making sure you overwrite all files. Do not make any backups of .jar files.
4. Start Tomcat.
5. Verify the new version by browsing to \arsys\jss-sso\index.jsp.

If still unresolved: If you are on an SSO Plugin version equal to or higher than 3.6.20 and are still seeing the above issue, please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]

Title: Browsing to /arsys/jss-sso/index.jsp displays the following error: ARERR [9217] File not found. Either the file requested is not present or the URL supplied is bad.

Issue: Browsing to the JSS SSO Mid Tier status or testsso page displays the above error.

Possible causes: The web.xml was not patched.

Solutions: Please update the SSO Plugin Mid Tier files to a current release: http://www.javasystemsolutions.com/jss/downloads

If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]

Title: Error 500--Internal Server Error java.lang.NoClassDefFoundError: com/javasystemsolutions/sso/ImplementationFactory

Issue: Browsing to the JSS SSO Mid Tier status or testsso page displays the above error.

Possible causes: The Java servlet engine (e.g. Tomcat) cache directory needs refreshing.

Solutions: Delete the contents of the Tomcat\Work directory and restart.

If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]

Title: “The SAML Service Provider could not retrieve a username from the Identity Provider: Error during processing the SAML Handler Chain.”

Issue: The above error is displayed on screen and in the logs after upgrading to BMC Mid Tier 8.1.01 SP1 201404010757 Hotfix.

Possible causes: The xerces jar that the BMC hotfix deploys is very old and no longer needed, as an XML parser is included within the Java standard library.

Solutions: Remove the xerces jar from the midtier/web-inf/lib directory and restart Tomcat.

If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]

Title: WebSphere shows testsso working but browsing to the application redirects to the login page

Issue: A Fiddler trace shows something like: Error 500: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as {0} has attempted to access a session owned by {1}.(foo,bar)

Possible causes: See http://www-01.ibm.com/support/docview.wss?uid=swg21515473. Note that the error comes from a WebSphere class and not from JSS. The above page describes the resolution in detail.

Solutions: InfoSphere Information Server requires that WebSphere Application Server persists the subject information for unprotected URIs when the session security integration is enabled. To enable "persist the subject information for unprotected URIs", from the WebSphere administrative console:

1. Click Security > Global security > Web and SIP security to open the General settings panel.
2. Select the "Use available authentication data when an unprotected URI is accessed" option.
3. Click OK and save the change.
4. Restart WebSphere Application Server.

If still unresolved: Please zip all the WebSphere logs, take a Fiddler trace replicating the issue, and email them to [email protected]

Title: HTTP Status 500 - java.lang.NoClassDefFoundError

Issue: Browsing to the SSO setup page displays the above error.

Possible causes: Not all the midtier/webtier files were copied to the correct location, or the Java web engine (e.g. Tomcat) is using a cached version of the files.

Solutions: Make sure all the files are copied from the download to the Java engine. For example, for BMC Mid Tier using Tomcat:

1. Stop Tomcat.
2. Delete the contents of the Work directory.
3. Copy the folders jss-sso and WEB-INF to the midtier directory.
4. Start Tomcat.

If still unresolved: Please zip all the Tomcat logs and email them to [email protected]


Appendix A: Acronyms, Abbreviations & Definitions

JSS: Company name, Java System Solutions.

SSO Plugin: Product name for Single Sign On (SSO).

Tomcat: Java web server produced by the Apache Foundation.

IIS: Internet Information Services, produced by Microsoft.

WebSphere: IBM WebSphere is a brand of software products.

Fiddler: Free web debugging tool which logs all HTTP(S) traffic between your computer and the Mid Tier.

Service Principal Name (SPN): Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on.

BMC ARS: BMC Remedy Action Request System is the workflow engine produced by BMC.

Mid Tier: HTTP middleware from BMC.