SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier
J System Solutions http://www.javasystemsolutions.com
JSS SSO Plugin – Troubleshooting
Introduction ... 3
Common investigation methods ... 4
Log files ... 4
Fiddler ... 6
Download Fiddler ... 6
Installing Fiddler ... 6
Configure the browser to use Fiddler ... 7
Starting Fiddler ... 7
HTTPS Traffic ... 7
Verifying Service Principal Names (SPNs) ... 8
The setspn utility ... 8
See which SPNs are set on an account ... 8
Duplicate SPNs ... 8
Removing an SPN ... 9
Understanding logging in BMC AR System ... 10
Troubleshooting in BMC AR System ... 11
Troubleshooting in HP Service Manager ... 12
Troubleshooting ADFS 2.0 Messages ... 13
Frequently asked questions ... 14
Appendix A: Acronyms, Abbreviations & Definitions ... 25
Page 3 of 25
http://www.javasystemsolutions.com
Introduction
This document provides a list of troubleshooting methods used with the JSS products, along with the steps to resolve the most common issues customers face.
If there are any questions, do not hesitate to contact JSS support.
Common investigation methods
The following section describes the common tasks used to diagnose any issues with SSO Plugin.
Log files
This section describes the common log files used within SSO Plugin and how to enable them.
Product: BMC AR System AREA plugin
Description: The SSO Plugin AREA module writes to this file.
Purpose: Verification that the SSO Plugin AREA module has loaded and configured correctly. This file is created on AR Server start-up, on AR System configuration changes and on every authentication attempt.
Default location:
Windows - C:\Program Files\BMC Software\ServerName\Arserver\db
UNIX/Linux - /opt/bmc/ARSystem/db
How to enable:
1. Log in to the application as an administrative user.
2. Open the AR System Administration Console.
3. Click System from the navigation pane.
4. Click General.
5. Click Server Information.
6. Click the Log Files tab.
7. Tick the Plug-in Server checkbox.
8. Make a note of the Plug-in log file name.
9. Select ALL from the Plug-in Log Level drop-down.
10. Click Apply.
Screenshot example:
Product: Apache Tomcat
Description: The SSO Plugin Mid Tier module writes to this file.
Purpose: Verification that the SSO Plugin Mid Tier module has loaded and configured correctly. This file is written to on Mid Tier start-up, on SSO Plugin configuration changes and on all Mid Tier authentication requests.
Default location:
Windows - C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs
UNIX/Linux - This depends on the OS and installation method. An example of a default location is /opt/apache/tomcat6.0/logs
Tip: to find the process ID of Tomcat, type:
ps -ef | grep tomcat
This returns something like the following; note the PID is 404:
root 404 1 4 19:41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java -Djava.util.logging.config.file=/opt/apache/tomcat
To find the log file, type lsof -p PID, where PID is the process ID of your Tomcat server (404 in the example above):
lsof -p 404 | grep "tomcat6.0/logs"
This returns something like:
java 404 root 1676 27754677 /opt/apache/tomcat6.0/logs/stdout.2013-04-15.log
How to enable:
1. Via a browser, enter the following URL: http://yourMidTierHost/arsys/jss-sso/index.jsp
2. In the left pane, above the Login button:
o on BMC Mid Tier, enter the same password used for the configuration page, e.g. /arsys/shared/config/config.jsp (the installation default is arsystem).
o on other deployments (Analytics, Dashboards etc.), enter the SSO Plugin administration password (the installation default is jss).
3. Click Configuration.
4. Select the desired log level from the Log Level menu. Trace is recommended when investigating any issues and Severe for normal operation.
5. Click Set Configuration. When using SSO Plugin 4+, the BMC AR System AREA plugin log file is automatically configured and its location is reported through the user interface.
Screenshot example:
Fiddler
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine, e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more.
Download Fiddler
To download Fiddler, go here:
http://fiddler2.com/get-fiddler
Installing Fiddler
Select 'Run' from any Security Warning dialog.
Agree to the License Agreement.
Select the install directory for Fiddler.
Click 'Close' when installation completes.
Configure the browser to use Fiddler
For IE, Chrome and Safari (and most other browsers), traffic is captured once File > Capture Traffic is enabled in Fiddler.
When using Firefox: click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings.
Starting Fiddler
Find Fiddler2 from the Windows start menu or type fiddler2 in the Start button >> Run
HTTPS Traffic
If you are using Secure Sockets Layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts the traffic, so you need to tell Fiddler to decrypt it.
To do so, click Tools > Fiddler Options.
When the dialog appears, select "Decrypt HTTPS traffic" and click OK.
Verifying Service Principal Names (SPNs)
The following section will help diagnose SPN-specific issues.
A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, i.e.
http://yourMidTier/arsys/jss-sso/index.jsp on BMC Mid Tier,
http://yourWebTier/webtier/jss-sso/index.jsp on HP Service Manager.
Example screenshot here:
The setspn utility
SetSPN is a built-in utility on Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don't have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and to search for duplicate SPNs that cause Kerberos to stop working.
See which SPNs are set on an account
To list the SPNs assigned to an account, run the following:
C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE
Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local:
        HTTP/w7604.dev.javasystemsolutions.local
The example above shows that the SPN HTTP/w7604.dev.javasystemsolutions.local is set on the domain account JSS-SSO-SERVICE.
Duplicate SPNs
Kerberos will not work if there are duplicate SPNs, i.e. the same service name (e.g. HTTP/myJavaWebServer.domain.com) is registered to two different computer or user accounts.
Microsoft's update to setspn (KB970536) adds a feature which can search for duplicate SPNs. Simply run: setspn -X. If any duplicates are listed, remove the incorrect entries using: setspn -D.
Example of using setspn to find duplicate SPNs for the same Mid Tier and finding none:
C:\Users\administrator.DEV>setspn -x
Checking domain DC=dev,DC=javasystemsolutions,DC=local
Processing entry 0
found 0 group of duplicate SPNs.
Example of using setspn to find duplicate SPNs for the same Mid Tier and finding that two accounts, JSS-SSO-S1 and JSS-SSO-SERVICE, are assigned to the same Mid Tier. This would stop SSO working.
C:\Users\administrator.DEV>setspn -x
Checking domain DC=dev,DC=javasystemsolutions,DC=local
Processing entry 0
HTTP/w7604.dev.javasystemsolutions.local is registered on these accounts:
        CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
        CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
found 1 group of duplicate SPNs.
Removing an SPN
The above example shows that the SPN for the host w7604.dev.javasystemsolutions.local is registered on two accounts. An account can hold SPNs for several hosts, but a given SPN must be registered on only one account. Here is an example of how to remove an SPN from an account:
C:\Users\administrator.DEV>setspn -D HTTP/w7604.dev.javasystemsolutions.local JSS-SSO-SERVICE
Unregistering ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
        HTTP/w7604.dev.javasystemsolutions.local
Updated object
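The duplicate check above is worth repeating on a saved copy of the setspn -X output (for example, the text an AD administrator pastes into a support ticket), so that the SPN, the accounts holding it and the exact setspn -D line to run are all recorded before anything is changed. The following Python script is an added example and is not part of this guide or of the SSO Plugin; its sample output is constructed in the shape of the listing above, and which account keeps the SPN is a decision supplied by the caller (JSS-SSO-SERVICE in the script's own usage is an assumption).

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the `setspn -X` output shown above
# (one duplicate group); not captured from a real domain.
SAMPLE_SETSPN_X = """\
Checking domain DC=dev,DC=javasystemsolutions,DC=local
Processing entry 0
HTTP/w7604.dev.javasystemsolutions.local is registered on these accounts:
        CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local
        CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local

found 1 group of duplicate SPNs.
"""

GROUP_HEADER_RE = re.compile(r"^(?P<spn>\S+) is registered on these accounts:$")


def parse_duplicates(output: str) -> Dict[str, List[str]]:
    """Return {spn: [account DN, ...]} for every duplicate group in setspn -X output.

    "Checking domain", "Processing entry" and the trailing summary line carry
    no group data and are skipped; any non-DN line closes the current group.
    """
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        match = GROUP_HEADER_RE.match(line)
        if match:
            current = match.group("spn")
            groups[current] = []
        elif current is not None and line.startswith("CN="):
            groups[current].append(line)
        else:
            current = None
    return groups


def account_name(dn: str) -> str:
    """Leaf name of a DN: 'CN=JSS-SSO-S1,CN=Computers,...' -> 'JSS-SSO-S1'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def removal_commands(groups: Dict[str, List[str]], keep: str) -> List[str]:
    """The setspn -D lines that leave only the account `keep` holding each SPN.

    Which account is the legitimate service account is a decision for the
    administrator; this function only builds the commands for that decision.
    """
    commands = []
    for spn, dns in groups.items():
        for dn in dns:
            name = account_name(dn)
            if name.lower() != keep.lower():
                commands.append(f"setspn -D {spn} {name}")
    return commands


if __name__ == "__main__":
    # Usage: the account to keep is an assumption for this example.
    found = parse_duplicates(SAMPLE_SETSPN_X)
    print(f"found {len(found)} group(s) of duplicate SPNs")
    for cmd in removal_commands(found, keep="JSS-SSO-SERVICE"):
        print(cmd)
```

The parser treats any line that is neither a group header nor a DN as the end of a group, so the "found N group" summary and blank lines never leak into the result, and an empty dictionary means the same as "found 0 group of duplicate SPNs".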
Understanding logging in BMC AR System
There are two modules used in SSO Plugin. The first is an AR External Authentication (AREA) plugin
which is installed on all AR Servers. This module writes to the standard BMC arplugin log file, enabled
through the AR System Administration Console. The module uses three log levels described below.
AR Plug-in Log level: Config
Description: This level is used with these events:
- AR System startup
- AR System restart
- Configuration change via the AR System Configuration Console
- Configuration change via the SSO Administration Console
This level describes the SSO Plugin AREA plugin configuration, including the license information. Lines within the log file can be identified by the following:
<JSS.AREA.SSO> <CONFIG>

AR Plug-in Log level: Finest
Description: The Finest log level is the most verbose and contains a lot of information. Some of it will only be useful to JSS support to understand the flow of the data, for example keys and encryption information.
This level is used with these events:
- AR System startup
- AR System restart
- Configuration change via the AR System Configuration Console
- Configuration change via the SSO Administration Console
- Authentication attempts
When this level is enabled, failed SSO attempts will be evident from lines identified by the following:
<JSS.AREA.SSO> <FINEST>

AR Plug-in Log level: Severe
Description: The Severe log level is typically enabled on production systems and is the least verbose of all the levels. The events which trigger output at this level are considered serious and would stop SSO working for all users.
An example of this information is visible in the log file when the SSO Plugin AREA module is unable to communicate with the AR Server it is installed on:
<JSS.AREA.SSO> <SEVERE> Error: messageNum:90 messageText:Cannot establish a network connection to the AR System server appendedText:<YourServerName>
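The three markers above make the AREA log easy to scan mechanically. The following Python script is an added example, not part of this guide or of the SSO Plugin: it classifies each line by its <JSS.AREA.SSO> <LEVEL> marker, attaches the explanation this guide gives for the messages it quotes (the SEVERE messageNum:90 line above, and the "The token is not valid for this user" and ARERR90 lines from the FAQ section further down), and counts ARERR90 retries so that a persistent AR Server connection failure can be told apart from the normal start-up retries. The sample log lines are constructed, and the retry threshold of 3 is an assumption for the example, not a product setting.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# <JSS.AREA.SSO> <LEVEL> marker format described in the table above.
MARKER_RE = re.compile(r"<JSS\.AREA\.SSO>\s*<(?P<level>CONFIG|FINEST|SEVERE)>\s*(?P<msg>.*)$")
# Plain AR System errors that arplugin writes without the JSS marker.
ARERR_RE = re.compile(r"ARERR(?P<code>\d+)\s*(?P<msg>.*)$")

# Messages quoted in this guide and the condition each one points to.
KNOWN_MESSAGES = [
    ("Cannot establish a network connection to the AR System server",
     "AREA module cannot reach the AR Server: check server name, TCP and RPC ports"),
    ("The token is not valid for this user",
     "SSO token rejected: an AR Server may be passing tokens to LDAP as passwords (account lockouts)"),
    ("Unable to connect to AR System",
     "transient at plugin start-up; if it persists, the AR Server is down, crashed or too busy"),
]

# Constructed sample log; the marker lines mirror the examples in this guide.
SAMPLE_LOG = """\
<JSS.AREA.SSO> <CONFIG> SSO Plugin AREA plugin configured, licence loaded
[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....
<JSS.AREA.SSO> <FINEST> Authentication attempt for user: jsmith
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator
<JSS.AREA.SSO> <SEVERE> Error: messageNum:90 messageText:Cannot establish a network connection to the AR System server appendedText:<YourServerName>
some other arplugin line with no marker
"""


@dataclass
class LogEvent:
    level: str            # CONFIG, FINEST, SEVERE or ARERR
    message: str
    hint: Optional[str]   # matched KNOWN_MESSAGES explanation, if any


def _hint_for(message: str) -> Optional[str]:
    return next((hint for needle, hint in KNOWN_MESSAGES if needle in message), None)


def parse_line(line: str) -> Optional[LogEvent]:
    """Classify one line; returns None for lines that carry neither marker."""
    m = MARKER_RE.search(line)
    if m:
        msg = m.group("msg").strip()
        return LogEvent(m.group("level"), msg, _hint_for(msg))
    m = ARERR_RE.search(line)
    if m:
        msg = f"ARERR{m.group('code')} {m.group('msg').strip()}"
        return LogEvent("ARERR", msg, _hint_for(msg))
    return None


def parse_log(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev is not None]


def level_counts(events: List[LogEvent]) -> Dict[str, int]:
    return dict(Counter(ev.level for ev in events))


def blocking_events(events: List[LogEvent]) -> List[LogEvent]:
    """SEVERE lines: the guide says these stop SSO working for all users."""
    return [ev for ev in events if ev.level == "SEVERE"]


def persistent_connect_failures(events: List[LogEvent], max_retries: int = 3) -> bool:
    """True when ARERR90 repeats more than max_retries times.

    The guide says a few 30-second retries at start-up are normal; the
    threshold of 3 is an assumption for this example, not a product setting.
    """
    retries = sum(1 for ev in events if ev.level == "ARERR" and ev.message.startswith("ARERR90"))
    return retries > max_retries
```

Run it over the real arplugin log after setting the Plug-in Log Level to ALL; a non-empty result from blocking_events is the first thing to look at, and a FINEST line with a hint attached usually names the misconfigured component.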
Troubleshooting in BMC AR System
The following flow chart details the troubleshooting steps. If the issue is not resolved, collate screenshots and logs and email them to [email protected]
Troubleshooting in HP Service Manager
Problems are categorised into two areas when integrating SSO Plugin with Service Manager:
1. Performing the SSO integration, i.e. integrating with Active Directory, a SAML Identity Provider, etc.
2. Enabling trusted sign-on in the Service Manager service, i.e. configuring the sm.ini file.
When you can view the Test SSO page in the Web Tier interface, and a username has been retrieved from the SSO system, part 1 is complete.
If you click on the Service Manager link and see a login page or an access denied message, the issue is more than likely associated with part 2. In this case, send your Service Manager sm.ini file and Web Tier web.xml file to [email protected].
Troubleshooting ADFS 2.0 Messages
Active Directory Federation Services failures presented to the user do not easily explain what the root cause of the issue actually is. Here is an example screenshot of what the user is presented with:
Microsoft has produced a step by step guide to find the information with that reference here:
http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx
Frequently asked questions

Title: java.lang.ClassNotFoundException or NoSuchMethodException appears in the Java web server logs or in the browser
Issue: Stack traces appear in the logs or web browser that look similar to:
java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.JSSAuthenticator
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
11-Apr-2009 15:33:59 org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter spnego
java.lang.ClassNotFoundException: com.javasystemsolutions.mt.sso.SPNEGOHttpFilter
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
Possible causes: The jss-sso.jar file was not found in the WEB-INF/lib directory of the Java web server (Tomcat), or is the wrong version after an upgrade.
Solutions: This error typically indicates that not all files have been copied into the correct directory in the Java web application server. All files within the midtier or webtier directory of the SSO Plugin download must be copied to the Java web application installation directory.
If still unresolved: Email a screenshot of the WEB-INF/lib directory to [email protected]

Title: Windows credentials dialog pops up when attempting to authenticate
Issue: When attempting to authenticate via a browser, the user is prompted for Windows credentials. Screenshot example from IE:
Possible causes: In order to use Single Sign On (SSO), the client machine needs to be logged into the domain. The dialog appears because the browser believes that the user is not logged into the domain that is configured, or trusted, in the SSO Plugin configuration page.
Solutions: Confirm the following:
- The user is logged into the domain that is configured in the Mid Tier SSO configuration page (typically http://yourMidTierHost/arsys/jss-sso/index.jsp), or a domain trusted by it.
- Check the user's domain by pressing ctrl+alt+del and reviewing the "You are logged in as" dialog. The Windows domain shown must be the target domain and not the local machine name.
- If the above is not present, run cmd.exe and type the following:
net config workstation
Make sure the Logon domain is the short domain name and not the local machine name.
- The domain controller should be running Active Directory.
- If using IE:
o Within IE, click Tools -> Internet Options -> Security -> Local Intranet Zone
o Add the Mid Tier host name to the list
o Click Tools -> Internet Options -> Security -> Custom Level
o Scroll to the bottom and select "Automatic logon only in Intranet zone"
- If using Firefox:
o In the URL bar, type about:config
o Then type trusted-uri
o You will be presented with network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris. Type the Mid Tier hostname from the URL into these fields
- If your browser is configured to use a proxy server, the target website may need to be added to the proxy exceptions list, as SSO is known to be problematic through some proxies.
- Ensure the clocks on the workstation and the AD domain controller are set correctly. Kerberos authentication can fail if the clocks are skewed.
If still unresolved: See the Fiddler section above for instructions on how to capture a Fiddler trace, and email the .saz file

Title: Browser presents HTTP status code of 400
Issue: Some users are seeing HTTP status code 400, especially when using BMC ITSM. A Fiddler trace shows HTTP/1.1 400 Bad Request.
Possible causes: By default, Tomcat has a hard-coded HTTP header limit of 4 KB. If the Kerberos token exceeds 4 KB then Tomcat returns status code 400 without passing the request on. The Kerberos token contains group information; if the user is a member of many groups then this token can become large.
Solutions: Increase the header size in Tomcat.
1. Open the Tomcat server.xml in a text editor.
2. Search for the HTTP connector:
<Connector port="8080" protocol="HTTP/1.1"
3. Add a maxHttpHeaderSize attribute, which is given a value in bytes (65536 is 64 KB):
<Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="65536"
4. Save and restart Tomcat.
If you are using WebLogic then, depending on the version, you can modify this in the configuration screens (look for the setting HTTP Max Message Size) or open the weblogic.properties file (detailed here: http://docs.oracle.com/cd/E13222_01/wls/docs45/admindocs/properties.html) and set the value to 65536.
If still unresolved: Email the server.xml to [email protected]
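Whether a given user's Kerberos token will fit can be estimated from its size, and server.xml can be checked for connectors that still carry the default limit. The following Python script is an added example, not part of this guide or of Tomcat: it parses a constructed server.xml fragment, reports the effective maxHttpHeaderSize of each HTTP connector (taking the 4 KB default from this guide), estimates the length of the Authorization: Negotiate header for a token of a given size, and writes the 65536 value onto any HTTP connector still below it. The estimate counts the Authorization header only; the limit applies to the whole request header block, so the real headroom is smaller.

```python
import math
import xml.etree.ElementTree as ET
from typing import List, Tuple

DEFAULT_LIMIT = 4096   # limit this guide cites for Tomcat when the attribute is absent
RECOMMENDED = 65536    # value the guide recommends (64 KB)

# Constructed server.xml fragment: the first connector still needs the change,
# the second has already been fixed, the third is AJP and not affected.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="65536" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def negotiate_header_length(token_bytes: int) -> int:
    """Bytes of 'Authorization: Negotiate <base64 token>' for a token of token_bytes.

    Base64 grows the token by 4/3 (rounded up to a whole 4-byte group). This
    counts only the Authorization header; maxHttpHeaderSize covers the whole
    header block, so the real headroom is smaller still.
    """
    return len("Authorization: Negotiate ") + 4 * math.ceil(token_bytes / 3)


def _is_http(connector: ET.Element) -> bool:
    # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
    return connector.get("protocol", "HTTP/1.1").startswith("HTTP")


def connector_limits(server_xml: str) -> List[Tuple[str, int, bool]]:
    """(port, effective header limit, attribute explicitly set) per HTTP connector."""
    root = ET.fromstring(server_xml)
    result = []
    for conn in root.iter("Connector"):
        if not _is_http(conn):
            continue
        raw = conn.get("maxHttpHeaderSize")
        result.append((conn.get("port"), int(raw) if raw else DEFAULT_LIMIT, raw is not None))
    return result


def connectors_needing_change(server_xml: str, token_bytes: int) -> List[str]:
    """Ports whose limit cannot carry the Authorization header for token_bytes."""
    needed = negotiate_header_length(token_bytes)
    return [port for port, limit, _ in connector_limits(server_xml) if limit < needed]


def fixed_server_xml(server_xml: str, size: int = RECOMMENDED) -> str:
    """Copy of server.xml with maxHttpHeaderSize raised to size on HTTP connectors below it."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if _is_http(conn) and int(conn.get("maxHttpHeaderSize", DEFAULT_LIMIT)) < size:
            conn.set("maxHttpHeaderSize", str(size))
    return ET.tostring(root, encoding="unicode")
```

A token of 3000 bytes already produces a 4025-byte Authorization header, which leaves almost nothing for the request line, cookies and the other headers under a 4096-byte limit; that is why users with many group memberships are the first to see the 400.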

Title: My Windows account keeps getting locked out
Issue: Error messages appear stating that the user's account is locked out in Active Directory.
Possible causes: This possibly indicates that one or more of the AR Servers are not correctly configured to use SSO Plugin. If the BMC AREA LDAP plugin is being used, the correct configuration employs the BMC AREA Hub, in which SSO Plugin is called first and BMC AREA LDAP second. If SSO is incorrectly configured, the SSO tokens are passed to the domain controller as passwords, which will always be incorrect for any user. Some domain policies, such as a limit on the number of incorrect passwords, will therefore lock the account.
Solutions: All AR Servers that are processing user authentication requests must be SSO enabled and correctly configured.
This can be investigated by enabling the AR System Plug-in logging and setting the Plug-in Log Level to ALL. It is typical to see the following in this instance:
<JSS.AREA.SSO> <FINEST> The token is not valid for this user: administrator
Typically, this indicates that the Windows User Tool SSO module is either out of date, or is using an out of date ARSSSOInfo.ini file.
To resolve, ensure the latest DLL is installed with the Windows User Tool user.exe file and re-generate the ARSSSOInfo.ini file using the setup.exe tool.
If still unresolved: Email the full AR plug-in log file to [email protected]

Title: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14)
Issue: When clicking Set Configuration on the SSO Plugin configuration page, you are presented with the following text: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14)
Possible causes: This error is possibly caused by a number of issues. Either the
Solutions:
- Check the service account details are correct in the SSO Plugin configuration page. The "service user" and password should be verified with the AD administrators.
- If a krb5.conf file is being used, then please compare it with the example provided in the SSO Plugin evaluation download. This can be found in the WEB-INF/classes directory.
- If the above account details are correct, then create a new service user account and assign the SPNs to the new account. To do so, you have to remove the existing SPNs from the old service user before assigning the new values.
Example: using the service user SSOKERBMT01, where the Mid Tier host name is mthost01 and there is a load balancer in front of it called lb01:
1. Remove the existing SPNs.
Syntax: setspn -d HTTP/midTierHostName yourDomain\serviceUserName
setspn -d HTTP/mthost01 mydomain\SSOKERBMT01
setspn -d HTTP/lb01 mydomain\SSOKERBMT01
2. Create a new service user account in the domain and assign a password.
o For instruction purposes, let's assume the new account is called SSOKERBMTNEW.
o Ask the AD administrators to tick "Do not require Kerberos preauthentication" in the user account options.
3. Add the SPNs to the new service account.
o Set the SPNs for the Mid Tier host NetBIOS name and fully qualified domain name:
setspn -A HTTP/mthost01.mydomain.com mydomain\SSOKERBMTNEW
setspn -A HTTP/mthost01 mydomain\SSOKERBMTNEW
o Set the SPNs for the load balancer NetBIOS name and fully qualified domain name:
setspn -A HTTP/lb01.mydomain.com mydomain\SSOKERBMTNEW
setspn -A HTTP/lb01 mydomain\SSOKERBMTNEW
4. Update the SSO Plugin configuration page with the new service user name and password.
5. Click Set Configuration.
In the event the above doesn't work, ask the AD administrator to send a screenshot of the group policy for Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options -> Network security: Configure encryption types allowed for Kerberos, as seen in this screenshot:
If still unresolved: Email the full Java web engine (e.g. Tomcat) stdout log file and screenshots of
http://yourMidTierHostname/arsys/jss-sso/testsso.jsp
http://yourMidTierHostname/arsys/jss-sso/setup.jsp to
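The re-registration steps above are easy to get half-done: one of the four SPNs (NetBIOS and FQDN for both the Mid Tier host and the load balancer) is forgotten, or an add is attempted before the old account has released it. The following Python script is an added example, not part of this guide or of SSO Plugin: it builds the required SPN set for a list of hosts, emits the setspn -D lines for the old account followed by the setspn -A lines for the new one, and compares a constructed setspn -L listing of the new account against that set to show what is still missing. The host names, domain and account names are the ones used in the example above; that the SPN set consists of exactly the NetBIOS and FQDN forms for each host follows the steps above and is the script's assumption. Because the new account is created with Kerberos pre-authentication disabled, its protection rests on its password more than usual, so give it a long random password and no rights beyond what the Mid Tier needs.

```python
import re
from typing import List, Set

SPN_LINE_RE = re.compile(r"^[A-Za-z]+/\S+$")   # e.g. HTTP/mthost01.mydomain.com


def required_spns(hosts: List[str], dns_domain: str) -> Set[str]:
    """HTTP/<NetBIOS name> and HTTP/<FQDN> for each host, as the steps above require."""
    spns: Set[str] = set()
    for host in hosts:
        short = host.split(".", 1)[0]
        fqdn = host if "." in host else f"{short}.{dns_domain}"
        spns.add(f"HTTP/{short}")
        spns.add(f"HTTP/{fqdn}")
    return spns


def migration_commands(hosts: List[str], dns_domain: str, netbios_domain: str,
                       old_account: str, new_account: str) -> List[str]:
    """setspn -D on the old account first (an SPN must be freed before it can be
    registered elsewhere), then setspn -A on the new account."""
    spns = sorted(required_spns(hosts, dns_domain))
    remove = [f"setspn -D {spn} {netbios_domain}\\{old_account}" for spn in spns]
    add = [f"setspn -A {spn} {netbios_domain}\\{new_account}" for spn in spns]
    return remove + add


def parse_setspn_l(output: str) -> Set[str]:
    """SPNs from `setspn -L <account>` output: the service/host lines under the header."""
    return {line.strip() for line in output.splitlines() if SPN_LINE_RE.match(line.strip())}


def missing_spns(hosts: List[str], dns_domain: str, setspn_l_output: str) -> Set[str]:
    """Required SPNs that the listed account does not yet hold."""
    return required_spns(hosts, dns_domain) - parse_setspn_l(setspn_l_output)


# Constructed `setspn -L SSOKERBMTNEW` output: one SPN has not been added yet.
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=SSOKERBMTNEW,CN=Users,DC=mydomain,DC=com:
        HTTP/mthost01.mydomain.com
        HTTP/mthost01
        HTTP/lb01.mydomain.com
"""

if __name__ == "__main__":
    hosts = ["mthost01", "lb01"]   # names from the example above
    for cmd in migration_commands(hosts, "mydomain.com", "mydomain", "SSOKERBMT01", "SSOKERBMTNEW"):
        print(cmd)
    print("still missing:", sorted(missing_spns(hosts, "mydomain.com", SAMPLE_SETSPN_L)))
```

Running setspn -L on the new account after the adds and feeding its output to missing_spns is a quick way to confirm all four registrations took before clicking Set Configuration.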

Title: This computer account is in use by another SSO Plugin configuration
Issue: When submitting the SSO Plugin configuration page in Mid Tier, the following message can appear:
This computer account is in use by another SSO Plugin configuration.
Possible causes: Service (Computer) accounts cannot be used by more than one Mid Tier instance. This means the NTLMv2 computer account is in use by another Mid Tier registered with AR System.
However, due to the way SSO Plugin matches the configuration (in the JSS:SSO:MidTierConfig form within the AR System) with a Mid Tier instance, it is possible for a duplicate row to be generated (if a Mid Tier is re-installed, for example), and hence SSO Plugin believes two Mid Tiers share the same computer account.
Solutions: If more than one Mid Tier instance is connecting to the same AR System, then follow these steps:
- Create a unique service (computer) account for each Mid Tier instance. This can be done using the set-service-account.cmd script found in the evaluation download, or it can be created manually. Instructions and more information can be found in the following online document: http://www.javasystemsolutions.com/documentation/ssoplugin/jss-sso-active-directory-integration.pdf
- Once the account has been created, apply the service account name and password to the SSO Plugin configuration page, typically found at http://yourMidTierHost/arsys/jss-sso/index.jsp under the configuration link.
If there is only one instance of Mid Tier connecting to the AR System, or all Mid Tier SSO configurations have been verified to have unique service (Computer) accounts, then follow these steps:
- To resolve this warning if it is due to duplicate entries, locate and delete the duplicate entry in the form. Field 8 contains the unique key (in the format hostname-ID), and the ID of a Mid Tier can be found in the Mid Tier config.properties file.
- Or you can delete all the rows that refer to the host and resubmit the configuration.
This warning can be safely ignored if it is due to duplicate configurations.
If still unresolved:
1. Log in to the application as an administrative user.
2. Open the JSS:SSO:MidTierConfig form.
3. Search for all entries.
4. Take a screenshot of the unique values. Example screenshot below:
Email the screenshot and the Java web server (Tomcat) stdout file to

Title: Kerberos error: Channel binding mismatch
Issue: The following error is displayed in the SSO Plugin configuration form when clicking Set Configuration.
The following error was in the Java web server log.
Possible causes: Various Kerberos errors relating to channels can appear on older 1.6 JVMs.
Solutions: Please upgrade to the latest 1.6 or 1.7 JVM from the Oracle website.
If still unresolved: Browse to http://yourMidTierHost/arsys/jss-sso/debug.jsp, replacing yourMidTierHost with your own Mid Tier hostname, and email the results to

Title: SSO fails for users with administrator permissions
Issue: Browsing to the testsso.jsp link works and shows the green status bar, but browsing to Mid Tier home redirects to the login page.
Possible causes: If the user's BMC AR System user account has a password then SSO cannot work. This is the application's way of having an SSO on/off switch per user.
The Cross-Ref-Blank-Password setting in the ar.cfg/ar.conf file on the BMC AR System server means that if a user with a blank password in the User form attempts to log in, the standard authentication method is not used and the information is passed on to an external source; in this example, single sign on. This does not mean that someone typing a user name and a blank password can log in.
SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the User form. However, this does not work if the user has administrator permissions.
Solutions: Remove the password from the user's account in the BMC AR System User form.
If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to

Title: SSO Plugin feature "Automatically SSO enable accounts" not working
Issue: Browsing to the testsso.jsp link works and shows the green status bar, but browsing to Mid Tier home redirects to the login page.
Possible causes: SSO Plugin has a feature called "Automatically SSO enable accounts" which automatically removes the password in the User form, enabling the user to use SSO. However, this does not work if the user has administrator permissions.
Solutions: Remove the password from the user's account in the BMC AR System User form.
If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to

Title: "Force password change on login" not being updated by SSO Plugin
Issue: When the SSO Plugin feature "Automatically SSO enable accounts" is enabled in the SSO Plugin configuration screen, some accounts still have the "Force Password Change On Login" checkbox checked.
Possible causes: User accounts are only updated, to clear the checkbox, if the group field does not contain the Administrator permission.
Solutions: Manually update the user account to de-select the "Force Password Change On Login" feature.
If still unresolved: Take screenshots of the user's account in the User form and email them to

Title: Using an F5 load balancer, the user is directed to the login screen even when testsso.jsp works
Issue: We have noticed some odd behaviour in the way IP addresses are reported to the AR System server when using an F5 load balancer. When the Test SSO functionality attempted to make a connection to the AR System server, the IP address of the host running Mid Tier was passed, but when accessing Mid Tier home, the IP address of the F5 was passed.
Possible causes: The F5 is somehow modifying the Mid Tier IP address.
Solutions: Log in to the application as an administrative user. Open the SSO Administration Console. Add the F5 IP address to the list of IP Addresses, separated by a semi-colon. Click Save.
If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication, then email the full plug-in log file(s) and a screenshot of http://yourMidTierHostname/arsys/jss-sso/testsso.jsp to

Title: I can view the default IIS home page but I can't access the Java web server at all
Issue: Whilst the Java web server on Tomcat appears to be running, and IIS serves static files like /iisstart.htm correctly, attempting to connect to the Java web server via IIS gives an IE "Cannot find server or DNS Error" error page.
Checking the Windows Event Viewer shows that IIS is crashing when an attempt is made to access Tomcat via the Jakarta ISAPI Redirector.
The server in question was a 64-bit Windows 2003 Server Hyper-V VM, with IIS configured to run 32-bit ISAPI extensions. However, other VMs with the same setup have not demonstrated this behaviour.
Possible causes: It is not a well-known bug or one that has affected us before. It occurs whether or not SSO Plugin is installed.
Solutions: The version of Java web server installed was 7.1.
The solution is to replace the isapi_redirect.dll file with an up-to-date version from Apache, such as:
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.30/isapi_redirect-1.2.30.dll
(For a 64-bit machine running native 64-bit ISAPI extensions, the file under 'win64' should be used instead.)
To replace the ISAPI extension, go to Administrative Tools -> Services and shut down the World Wide Web Publishing service and HTTP SSL. Find the DLL in 'Program Files' ('Program Files (x86)' if running 32-bit on 64-bit) under 'Apache Software Foundation\Jakarta ISAPI Redirector\bin' and rename it to isapi_redirect-old.dll. Save the new DLL there and rename it simply isapi_redirect.dll.
Restart the stopped services.
If still unresolved: Email screenshots to [email protected]
Title: We are using IIS and I am prompted for my Windows login and they are not accepted
Issue: The customer is running IIS and browsing to the Mid Tier home page. A standard Windows authentication dialog appears. Upon entering the user's credentials the same box appears as if the details were wrong, even though the customer confirms the details are correct.
Possible causes: If you have run the set-service-account.cmd script on the Active Directory and entered the hostname of the machine running IIS, the IIS server will not be able to authenticate the tokens sent to it by your browser. Running this script is not required when using an IIS front end; it is only used when configuring SSO Plugin's built-in authentication (i.e. that provides Windows authentication without the need for IIS).
Solutions: To resolve the problem, remove the JSS-SSO-SERVICE Computer account created in the Active Directory by the set-service-account.cmd script, and then clear the Kerberos tokens cached on the client desktop using the kerbtray.exe tool provided in the Windows 2000 Resource Kit, or wait ten minutes for the local machine to remove the tokens from its cache.
If still unresolved: Email screenshots to [email protected]
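A quick way to confirm the cause above before deleting anything is to ask Active Directory which account the HTTP service principal name for the IIS host is registered on. The following is an added example, not part of the JSS document; the IIS host name is an assumption, and it uses the built-in setspn.exe and klist.exe tools (Windows Server 2008 / Windows 7 and later) in place of the Windows 2000 Resource Kit kerbtray.exe mentioned in the text.

```powershell
# Added example (not from the JSS document): show which account holds the HTTP SPN for
# the IIS front end, flag duplicate SPNs, then purge the client's cached Kerberos tickets.
# $IisHost is an assumption; replace it with the host name users browse to.
param([string]$IisHost = 'iis.example.com')

# setspn -Q prints the directory object an SPN is registered on. For an IIS front end the
# HTTP/<host> SPN must resolve to the IIS machine account (or its app-pool identity),
# not to the JSS-SSO-SERVICE computer account that set-service-account.cmd creates.
$spn   = "HTTP/$IisHost"
$query = & setspn.exe -Q $spn 2>&1
Write-Host "--- setspn -Q $spn ---"
$query | ForEach-Object { Write-Host $_ }

if ($query -match 'JSS-SSO-SERVICE') {
    Write-Warning "$spn is registered on JSS-SSO-SERVICE, so IIS cannot decrypt the tickets browsers send it."
    Write-Warning "Remove that computer account (created by set-service-account.cmd), then purge client tickets."
}
elseif ($query -match 'No such SPN found') {
    Write-Warning "$spn is not registered at all; browsers will fall back to NTLM or fail."
}

# setspn -X reports SPNs registered on more than one account; a duplicate HTTP/ entry
# also breaks Kerberos for the IIS host and is a separate thing to fix.
Write-Host '--- duplicate SPN check (setspn -X) ---'
& setspn.exe -X 2>&1 | Select-String -Pattern 'HTTP/' -Context 0,2

# Drop the tickets cached on this client so the next request obtains a fresh service
# ticket instead of waiting ten minutes for the cache to expire.
& klist.exe purge
```

Run the first two commands on any domain-joined machine with the AD DS tools installed; run klist purge on the affected client desktop, in the user's own session, since the ticket cache is per logon session.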
Title: NTLM authentication sometimes fails through an F5 load balancer
Issue: According to a Fiddler trace, NTLM authentication is failing for some users.
Possible causes: The F5 product has a feature called OneConnect. Due to a bug in some versions of F5, it must be switched off if NTLM is in use, as it will be with an IIS front end to Tomcat.
Solutions: The issue is discussed in this support entry: http://support.f5.com/kb/en-us/solutions/public/5000/000/sol5050.html
If still unresolved: Email screenshots to [email protected]
Title: The following message is seen in the arplugin log "[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds...."
Issue: If you see the above in the arplugin log file, it indicates that the plugin has a connection problem communicating back to the AR Server.
Possible causes: Look at the log for <JSS.AREA.SSO> <SEVERE> AR Server Connection ... and verify the connection details, including the TCP and RPC port.
Solutions: You may see this at the start of your arplugin log, but after a few 30 second intervals the plugin continues. This is due to some AR Servers being slow to start up, which is fine, and the error can be ignored in that case.
If this error persists then this could mean the AR Server is not working, has crashed or is too busy.
If still unresolved: Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then email the full plug-in log file(s) to
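To tell the harmless start-up case from a persistent failure without reading the whole log by eye, the following added example (not part of the JSS document) counts the ARERR90 retries and checks whether the plugin logged anything else afterwards. The sample log lines are constructed for illustration; the timestamp layout and the "Connected" message are assumptions, since only the ARERR90 and AR Server Connection lines are quoted in the text.

```powershell
# Added example (not from the JSS document): classify "[81211] ARERR90" entries in an
# arplugin log as a transient start-up delay or a persistent AR Server connection failure.
function Get-Arerr90Triage {
    param([string[]]$Lines)

    $pattern = '\[81211\] ARERR90 Unable to connect to AR System'
    $errIdx  = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $pattern) { $errIdx += $i }
    }
    # The connection-detail lines the document says to verify (TCP and RPC port)
    $connInfo = @($Lines | Where-Object { $_ -match '<JSS\.AREA\.SSO> <SEVERE> AR Server Connection' })

    if ($errIdx.Count -eq 0) {
        return [pscustomobject]@{ Verdict = 'none'; Retries = 0; WaitedSeconds = 0; ConnectionLines = $connInfo }
    }

    # If the plugin logged anything after its last retry it carried on, i.e. the AR Server
    # was only slow to start. If the log ends on retry lines the failure is persistent.
    $lastErr = $errIdx[-1]
    $after   = @()
    if ($lastErr -lt $Lines.Count - 1) {
        $after = @($Lines[($lastErr + 1)..($Lines.Count - 1)] | Where-Object { $_.Trim() -ne '' })
    }
    $verdict = if ($after.Count -gt 0) { 'transient' } else { 'persistent' }

    [pscustomobject]@{
        Verdict         = $verdict
        Retries         = $errIdx.Count
        WaitedSeconds   = 30 * $errIdx.Count   # each retry sleeps 30 seconds per the log message
        ConnectionLines = $connInfo
    }
}

# Constructed sample: two retries, then the plugin continues (AR Server slow to start).
$sampleTransient = @(
    '2014-04-01 08:00:01 <JSS.AREA.SSO> <INFO> SSO Plugin starting',
    '2014-04-01 08:00:01 <JSS.AREA.SSO> <SEVERE> AR Server Connection: server=arserver01 tcp=0 rpc=390620',
    '2014-04-01 08:00:02 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....',
    '2014-04-01 08:00:32 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....',
    '2014-04-01 08:01:02 <JSS.AREA.SSO> <INFO> Connected to AR System'   # assumed success message
)
# Constructed sample: the log ends on retries, so the AR Server is down or too busy.
$samplePersistent = @(
    '2014-04-01 08:00:01 <JSS.AREA.SSO> <SEVERE> AR Server Connection: server=arserver01 tcp=0 rpc=390620',
    '2014-04-01 08:00:02 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....',
    '2014-04-01 08:00:32 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....',
    '2014-04-01 08:01:02 [81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds....'
)

Get-Arerr90Triage -Lines $sampleTransient  | Format-List   # Verdict: transient, Retries: 2
Get-Arerr90Triage -Lines $samplePersistent | Format-List   # Verdict: persistent, Retries: 3

# On a real server: Get-Arerr90Triage -Lines (Get-Content 'C:\path\to\arplugin.log')
```

The ConnectionLines property surfaces the AR Server Connection entries so the host, TCP port and RPC port can be checked against the plugin configuration, which is the first thing the Possible causes entry asks for.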
Title: HTTP Error Code: 500, JSPG0049E: /jss-sso/index.jsp failed to compile
Issue: Using IBM WebSphere and browsing to pages within the jss-sso application, the user is presented with the above error.
Solutions: If you are using IBM WebSphere 7, use WAS to ensure the com.ibm.ws.jsp.jdkSourceLevel custom property is set to 16 on the web extension file.
If still unresolved: Email all WebSphere logs to [email protected]
Title: BMC Mid Tier fails to start after applying BMC patch / hotfix "8.1.00 201312191114 Hotfix"
Issue: After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs:
java.lang.ExceptionInInitializerError
at com.remedy.arsys.stubs.ServerLoginHost.customEquals(Unknown Source)
The BMC hotfix can be identified by browsing to /arsys/shared/config/config.jsp, which displays the above version.
Possible causes: BMC broke some functionality within Mid Tier in the latest release. This functionality allowed us to get a connection to the AR System server during Mid Tier startup.
Solutions: Please update SSO Plugin to a minimum version of 3.6.18: http://www.javasystemsolutions.com/jss/downloads
If still unresolved: If you are on an SSO Plugin version equal to or higher than 3.6.18 and are still seeing the above issue, then please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]
Title: BMC Mid Tier fails to start after applying BMC patch / hotfix "8.1.01"
Issue: After applying the above BMC hotfix, SSO fails with the following data in the Java servlet engine logs:
Context initialization failed
java.lang.NoClassDefFoundError: com.remedy.arsys.stubs.GoatHttpServlet
and the browser reports HTTP Status 404.
The BMC hotfix can be identified by browsing to /arsys/shared/config/config.jsp, which displays the above version.
Possible causes: BMC broke some functionality within Mid Tier in the latest release. This functionality allowed us to get a connection to the AR System server during Mid Tier startup.
Solutions: Please update SSO Plugin Mid Tier files to a minimum version of 3.6.20: http://www.javasystemsolutions.com/jss/downloads
Once downloaded, follow these instructions:
1. Shut down the Java servlet engine, e.g. Tomcat.
2. Delete the Catalina directory found under the Tomcat\Work directory.
3. As per the screenshot example below, copy the <3.6.20 download>\midtier folders to the AR System midtier folder, making sure you overwrite all files. Do not make any backups of .jar files.
4. Start Tomcat.
5. Verify the new version by browsing to \arsys\jss-sso\index.jsp.
If still unresolved: If you are on an SSO Plugin version equal to or higher than 3.6.20 and are still seeing the above issue, then please zip all the Java servlet engine (e.g. Tomcat) logs and email them to [email protected]
Title: Browsing to /arsys/jss-sso/index.jsp displays the following error: ARERR [9217] File not found. Either the file requested is not present or the URL supplied is bad.
Issue: Browsing to the JSS SSO Mid Tier status or testsso page displays the above error.
Possible causes: The web.xml was not patched.
Solutions: Please update SSO Plugin Mid Tier files to a current release: http://www.javasystemsolutions.com/jss/downloads
If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to
Title: Error 500--Internal Server Error, java.lang.NoClassDefFoundError: com/javasystemsolutions/sso/ImplementationFactory
Issue: Browsing to the JSS SSO Mid Tier status or testsso page displays the above error.
Possible causes: The Java servlet engine (e.g. Tomcat) cache directory needs refreshing.
Solutions: Delete the contents of the Tomcat\Work directory and restart Tomcat.
If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to
Title: "The SAML Service Provider could not retrieve a username from the Identity Provider: Error during processing the SAML Handler Chain."
Issue: The above error is displayed, and appears in the logs, after upgrading to BMC Mid Tier 8.1.01 SP1 201404010757 Hotfix.
Possible causes: The xerces jar that the BMC hotfix deploys is very old and no longer needed, as this functionality is included within the Java standard library.
Solutions: Remove the xerces jar from the midtier/WEB-INF/lib directory and restart Tomcat.
If still unresolved: Please zip all the Java servlet engine (e.g. Tomcat) logs and email them to
Title: WebSphere shows testsso working but browsing to the application redirects to the login page
Issue: A Fiddler trace shows something like: Error 500: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as {0} has attempted to access a session owned by {1}.(foo,bar)
Possible causes: http://www-01.ibm.com/support/docview.wss?uid=swg21515473
Note the error comes from a WebSphere class and not JSS. The above page describes the resolution in detail.
Solutions: InfoSphere Information Server requires that WebSphere Application Server persists the subject information for unprotected URIs when the session security integration is enabled.
To enable "persist the subject information for unprotected URIs", from the WebSphere administrative console:
1. Click Security > Global security > Web and SIP security to open the General settings panel.
2. Select the "Use available authentication data when an unprotected URI is accessed" option.
3. Click OK and save the change.
4. Restart WebSphere Application Server.
If still unresolved: Please zip all the WebSphere logs, take a Fiddler trace replicating the issue, and email them to [email protected]
Title: HTTP Status 500 - java.lang.NoClassDefFoundError
Issue: Browsing to the SSO setup page displays the above.
Possible causes: Not all the midtier/webtier files were copied to the correct location, or the Java web engine, e.g. Tomcat, is using a cached version of the files.
Solutions: Make sure all the files are copied from the download to the Java engine. E.g. for BMC Mid Tier using Tomcat:
1. Stop Tomcat.
2. Delete the contents of the Work directory.
3. Copy the folders jss-sso and WEB-INF to the midtier directory.
4. Start Tomcat.
If still unresolved: Please zip all the Tomcat logs and email them to [email protected]
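The Tomcat file-refresh procedure appears twice in this document (the 8.1.01 hotfix entry and the NoClassDefFoundError entry above), and both come down to the same four steps. The script below is an added example, not JSS's own installer, that performs them in order and then polls the status page the text says to check. The download folder, Mid Tier path, Tomcat home, service name and status URL are all assumptions.

```powershell
# Added example (not from the JSS document): apply a downloaded SSO Plugin Mid Tier file
# set to a Tomcat-hosted BMC Mid Tier, clearing the work directory so no stale classes
# or compiled JSPs survive. All paths, the service name and the URL are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$Download      = 'C:\temp\ssoplugin\midtier',                          # extracted <download>\midtier
    [string]$MidTier       = 'C:\Program Files\BMC Software\ARSystem\midtier',     # Mid Tier webapp root
    [string]$TomcatHome    = 'C:\Program Files\Apache Software Foundation\Tomcat 7.0',
    [string]$TomcatService = 'Tomcat7',
    [string]$StatusUrl     = 'http://localhost:8080/arsys/jss-sso/index.jsp'
)

$ErrorActionPreference = 'Stop'
foreach ($p in $Download, $MidTier, $TomcatHome) {
    if (-not (Test-Path $p)) { throw "Missing path: $p" }
}
# Sanity check: the download should carry the two folders the document names
foreach ($f in 'jss-sso', 'WEB-INF') {
    if (-not (Test-Path (Join-Path $Download $f))) { throw "Download is missing the $f folder" }
}

# 1. Stop Tomcat
Stop-Service -Name $TomcatService -Force

# 2. Delete the cached work directory (work\Catalina) so nothing old is reloaded
$work = Join-Path $TomcatHome 'work\Catalina'
if (Test-Path $work) { Remove-Item $work -Recurse -Force }

# 3. Copy every file over the Mid Tier, overwriting. No backup copies of .jar files are
#    made: a renamed copy that still ends in .jar inside WEB-INF\lib would be loaded by
#    Tomcat alongside the new one.
Copy-Item -Path (Join-Path $Download '*') -Destination $MidTier -Recurse -Force

# 4. Start Tomcat
Start-Service -Name $TomcatService

# 5. Wait for the status page to answer, then report the HTTP result so the version
#    shown there can be checked in a browser.
$resp     = $null
$deadline = (Get-Date).AddMinutes(5)
do {
    try   { $resp = Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing; break }
    catch { Start-Sleep -Seconds 10 }
} while ((Get-Date) -lt $deadline)

if (-not $resp) { throw "Status page $StatusUrl did not respond within 5 minutes; check the Tomcat logs" }
Write-Host ("Status page returned HTTP " + $resp.StatusCode + "; open " + $StatusUrl + " to confirm the version")
```

If the status page still returns a 500 after this, the Tomcat logs under $TomcatHome\logs are what the entries above ask you to collect.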
Appendix A: Acronyms, Abbreviations & Definitions
JSS: Company name, Java System Solutions.
SSO Plugin: Product name for Single Sign On (SSO).
Tomcat: Java web server produced by the Apache Foundation.
IIS: Internet Information Services, produced by Microsoft.
WebSphere: IBM WebSphere is a brand of software products.
Fiddler: Free web debugging tool which logs all HTTP(S) traffic between your computer and the Mid Tier.
Service Principal Name (SPN): Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on.
BMC ARS: BMC Remedy Action Request System is the workflow engine produced by BMC.
Mid Tier: HTTP middleware from BMC.