jameswatson3 Absent Member.

Rest URI for CLE not working?


I am evaluating CLE 3.8.1 integrated with SSPR 3.2.<latest> integrated
with AD. I am testing with Win8.1 Enterprise.

After install of CLE I can gain access to the Forgotten Password link
and access SSPR in the secure browser. I have enabled web services in
SSPR and allowed login with expired passwords as described in the
prereqs. I am not using the optional CLE tile on the login screen.

However, it appears as if my "Enable SSPR Configurations" is not working
correctly and I'm curious if there could be an issue with my REST uri.
I'm using the example listed in the documentation, but I just don't have
any way to verify if it is correct.

The primary symptom is that after install, CLE appears to "take over"
the Local or Domain Account Password Sign-In option at Ctrl-Alt-Del and
now no user can login. It is as if login has to pass through SSPR first
before being allowed to AD and my SSPR config is not yet correct? Does
that seem accurate?

My REST URI is set to:
https://xxxxxxxxxxxxxxxxxxxxx:8443/sspr/public/rest

I have 3rd party certificate configured and working successfully (ie no
cert prompting) for the forgotten password LINK URL at:
https://xxxxxxxxxxxxxxxxxxx:8443/sspr/public/ForgottenPassword

Any suggestions for further troubleshooting? How can I confirm REST
access?


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53509

jameswatson3 Absent Member.

Re: Rest URI for CLE not working?


To clarify, there does not seem to be a rest issue as I can get to the
various documentation urls like
https://xxxx:8443/sspr/public/rest/challenges.

Still the "Enable SSPR Configurations" functionality of CLE is not
working.

Any ideas for how to troubleshoot?


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53509

Micro Focus Contributor

Re: Rest URI for CLE not working?


jameswatson3;257294 Wrote:
> To clarify, there does not seem to be a rest issue as I can get to the
> various documentation urls like
> https://xxxx:8443/sspr/public/rest/challenges.
>
> Still the "Enable SSPR Configurations" functionality of CLE is not
> working.
>
> Any ideas for how to troubleshoot?


Do you see any activity in the SSPR logs during a CLE login? You may
need to set the log level to TRACE.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541
View this thread: https://forums.netiq.com/showthread.php?t=53509

jameswatson3 Absent Member.

Re: Rest URI for CLE not working?


The log shows a pretty continuous string of this:


Code:
--------------------
2015-05-21T19:46:13Z, ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user cn=SSPR TestUser,ou=resources,ou=lisd,dc=leanderisd,dc=org: com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090CB9, comment: Error in attribute conversion operation, data 0, v2580]
2015-05-21T19:46:11Z, ERROR, queue.SmsQueueManager, unexpected exception while processing EmailQueueManager queue: unexpected localDB error while modifying queue: 5052 ERROR_LOCALDB_UNAVAILABLE (No current connection.)
2015-05-21T19:46:10Z, ERROR, queue.EmailQueueManager, unexpected exception while processing EmailQueueManager queue: unexpected localDB error while modifying queue: 5052 ERROR_LOCALDB_UNAVAILABLE (No current connection.)
--------------------


But the closest thing to specific error generated by one of the failed
attempts is this:


Code:
--------------------
2015-05-21T19:47:15Z, ERROR, servlet.TopServlet, 5035 ERROR_INCORRECT_REQUEST_SEQUENCE (expectedPageID=t2msz7, submittedPageID=kkdszg, url=/sspr/public/CommandServlet) [10.191.2.75/CETECH00A9511D]
--------------------


We are using remote SQL database and not extending AD schema.


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53509

Micro Focus Contributor

Re: Rest URI for CLE not working?


jameswatson3;257307 Wrote:
> The log shows a pretty continuous string of this:
>
> Code:
> --------------------
> 2015-05-21T19:46:13Z, ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user cn=SSPR TestUser,ou=resources,ou=lisd,dc=leanderisd,dc=org: com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090CB9, comment: Error in attribute conversion operation, data 0, v2580]
> 2015-05-21T19:46:11Z, ERROR, queue.SmsQueueManager, unexpected exception while processing EmailQueueManager queue: unexpected localDB error while modifying queue: 5052 ERROR_LOCALDB_UNAVAILABLE (No current connection.)
> 2015-05-21T19:46:10Z, ERROR, queue.EmailQueueManager, unexpected exception while processing EmailQueueManager queue: unexpected localDB error while modifying queue: 5052 ERROR_LOCALDB_UNAVAILABLE (No current connection.)
> --------------------


This is superfluous for your configuration and can be ignored. If you
want cleaner log files you can clear the value in the setting 'Auto Add
Object Classes'.

jameswatson3;257307 Wrote:
> But the closest thing to specific error generated by one of the failed
> attempts is this:
>
> Code:
> --------------------
> 2015-05-21T19:47:15Z, ERROR, servlet.TopServlet, 5035 ERROR_INCORRECT_REQUEST_SEQUENCE (expectedPageID=t2msz7, submittedPageID=kkdszg, url=/sspr/public/CommandServlet) [10.191.2.75/CETECH00A9511D]
> --------------------
>
> We are using remote SQL database and not extending AD schema.


This also is probably unrelated to your issue. It's caused by the
setting 'Enable Back Button Detection' being enabled (it is by default)
and SSPR detecting a browser that is not correctly submitting forms
against the current dynamically generated page. This can happen if a
user clicks back, reload or otherwise navigates during an SSPR session.
You can try disabling this setting but it probably won't fix your
issue.

Try lowering the debug log setting to "TRACE" and see if you see any
request activity from the CLE. Search for the string "/status" as the
CLE will attempt to call the /status REST endpoint in SSPR, and this
should appear in the logs. If it doesn't, then the http request from
CLE isn't making it to SSPR.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541
View this thread: https://forums.netiq.com/showthread.php?t=53509
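
The log check suggested in the reply above, as an added example that is not part of the original thread or of SSPR/CLE: it parses lines in the log layout shown in the thread, reports whether any request containing "/status" was logged, and separates the two errors the reply ties to the 'Auto Add Object Classes' and 'Enable Back Button Detection' settings from everything else. The function name, the abridged ERROR lines and the TRACE line (including its component name) are constructed for illustration.

```python
import re
from collections import Counter

# Layout seen in the thread: "<timestamp>, <LEVEL>, <component>, <message>"
LINE_RE = re.compile(r"^([^,]+), (\w+), ([\w.]+), (.*)$")

# Errors the reply ties to settings unrelated to the CLE problem.
KNOWN_NOISE = {
    "error adding objectclass": "Auto Add Object Classes",
    "5035 ERROR_INCORRECT_REQUEST_SEQUENCE": "Enable Back Button Detection",
}

def triage(lines, needle="/status"):
    """Return (needle hits, noise count per setting, remaining ERROR lines)."""
    hits, noise, other = [], Counter(), []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines such as stack traces
        ts, level, component, msg = m.groups()
        if needle in msg:
            hits.append((ts, msg))
            continue
        setting = next((s for k, s in KNOWN_NOISE.items() if k in msg), None)
        if setting:
            noise[setting] += 1
        elif level == "ERROR":
            other.append((ts, component, msg))
    return hits, noise, other

# Constructed sample: ERROR lines abridged from the thread; the TRACE line and
# its component name are invented for illustration, not real SSPR output.
SAMPLE = [
    "2015-05-21T19:46:13Z, ERROR, ldap.LdapOperationsHelper, error adding objectclass 'pwmUser' to user cn=SSPR TestUser,ou=example",
    "2015-05-21T19:46:10Z, ERROR, queue.EmailQueueManager, unexpected localDB error while modifying queue: 5052 ERROR_LOCALDB_UNAVAILABLE (No current connection.)",
    "2015-05-21T19:47:15Z, ERROR, servlet.TopServlet, 5035 ERROR_INCORRECT_REQUEST_SEQUENCE (expectedPageID=t2msz7, submittedPageID=kkdszg, url=/sspr/public/CommandServlet)",
    "2015-05-21T19:48:02Z, TRACE, http.ExampleRequestLog, GET /sspr/public/rest/status from 192.0.2.10",
]

if __name__ == "__main__":
    hits, noise, other = triage(SAMPLE)
    print("CLE request reached SSPR" if hits else "no /status request in log")
    for setting, count in noise.items():
        print(f"{count} line(s) explained by setting '{setting}'")
    for ts, component, msg in other:
        print(f"unexplained: {ts} {component}: {msg}")
```

An empty hit list at TRACE level points at the path between the workstation and SSPR (name resolution, port 8443, certificate trust for the machine context) rather than at SSPR's own configuration.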
