Absent Member..

SSO error


Hi Experts,

I am getting the error

Authentication failed. Contact your system administrator for assistance.

Authentication failure

while trying to log in to the web using SSO. The version is SM 9.30.

Absent Member..

Hi,

 

There could be many reasons why you are receiving this message that it would be difficult to tell you what to check and what exactly is happening on your system.

 

Since SM 9.30 requires SSL to be enabled to be able to log in with SSO, I would suggest you first confirm whether SSL is working.

SSL involves many details such as certificates (keystores), configuration files and client configuration, so take a look at all of that and make sure SSL is fine; otherwise you need to fix it and get SSL to work. If you are able to log in with SSL enabled, you should see a message in the sm.log file saying "SSL Connection accepted".

 

Once SSL is working, go ahead and test SSO (also requires some configuration on the server and client).

 

Regards,

Roberto

Absent Member..

Hi Roberto,

Thanks for the mail.

SSL is working and I am receiving that in sm.log.

Please can you let me know where else I need to check further.

I can see the below error in the log.

 

RTE W Exception occurred for method recordset and XML request <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><recordset name="info" operation="open" query="format=&quot;info.company&quot;"/></SOAP-ENV:Body></SOAP-ENV:Envelope>
   436(  1420) 10/21/2014 16:10:18  RTE W Sending 401 Not Authorized challenge
   436(   648) 10/21/2014 16:10:18 JRTE W Send error response: A CXmlApiException was raised in native code : error 20 : scxmlapi(20) - Authentication failure
   436(  1420) 10/21/2014 16:10:18 JRTE I Termination signal: 0

Absent Member..

OK, I would suggest you first to test SSO then from the Windows Client (if possible) to make sure everything is going well between the server and the client and all the configuration is correct.

 

Regarding the web client, remember you would additionally need to configure the application-context.xml file. Also, the web application server (e.g. Tomcat, WebSphere, or any other) needs to receive the user credentials in the HTTP request that comes from the user's browser in order to make SSO work and log in automatically. To be able to do this, you need a web HTTP server (such as Apache HTTP Server, IIS, or other) that takes the user's request coming from his browser and sends that request, which must include the user credentials, to the web application server and finally connects.

Did you configure any web HTTP server already? Have you confirmed whether the user credentials are being sent in the HTTP request?

 

As I mentioned, I would suggest first to test SSO on windows client just to confirm it works and then test on the webtier and check all those details.

 

Regards,

Roberto.

Absent Member..

Hi Roberto,

For my client also, when I clicked on Require SSL I am able to log in successfully, but when I click on use trusted sign on I am getting the same authentication error.

Also I have installed Apache 2.2 and also edited the necessary files.

Please find the log for your reference.

 

 

Absent Member..

Hi,

 

Please attach all your configuration files (of the server and client), I would like to see if you are not missing anything.

 

Regards,

Roberto

Absent Member..

Hi Roberto,

Please find the files; kindly do let me know if you need anything else.

Also my application and web are on different servers; I also tried a host entry in drivers/etc.

 

 

Absent Member..

Hi,

 

The SM (server and client) configuration files seem to be OK. I only have a question regarding the SM ports. In your sm.cfg you have the following:

 

sm -loadBalancer -httpPort:13080 -httpsPort:13443 -sslConnector:1 -ssl:1
sm -httpPort:13083 -httpsPort:13082 -sslConnector:1 -ssl:0
sm -httpPort:13085 -httpsPort:13086 -sslConnector:1 -ssl:0
sm -httpPort:13087 -httpsPort:13088 -sslConnector:1 -ssl:0

 

And you are pointing the webtier (on the web.xml file) to the 13080 port which is your load balancer (LB). So when the LB receives the connection/request, it will be sent to any of the available ports where you have disabled SSL (-ssl:0) and the SSL connection would fail, therefore SSO would not work either.

 

Here is what I recommend: Modify the sm.cfg as follows (the ports):

sm -loadBalancer -httpPort:13080 -httpsPort:13443
sm -httpPort:13083 -httpsPort:13082
sm -httpPort:13085 -httpsPort:13086
sm -httpPort:13087 -httpsPort:13088

 

As you can see, I just removed the ssl and sslConnection parameters on each of them since you have ssl:1 in the sm.ini file so that will work. Also, in the sm.ini file please add the sslConnector:1 parameter. Once you have saved these changes, proceed to recycle SM, then stop tomcat, clear the cache, start tomcat again and test again.

 

Hope this helps. In case it still doesn't work, we would need to go deeper and check additional details, probably get a trace or something so I would suggest you to go ahead and open a support ticket for further assistance.

 

Regards,

Roberto.

Absent Member..

Hi Roberto,

Thanks a lot.

Will try this suggestion and let you know tomorrow.

Absent Member..

Hi Roberto,

Thanks a lot.

I am able to log in automatically, and also on the web server login is automatic through both web and client.

But now I am not able to log in from clients on a different machine; please can you help me with that.

The users on another machine just need to log in normally, without any SSL or SSO in the client.

Please find the trace log.

 

 

Absent Member..

Hi Mandar,


That is because your system is configured to require SSL to connect and if other client machines are not configured for that and do not have a certificate, then they won't be able to login to SM.


In this case, you need to decide which ports you want to have SSL and which ports don't, because you can't connect SSL and non-SSL clients to the same port.


I would suggest you consider how many users will connect to the web client and how many will connect through the Windows client. From what I understand, the SSL users (which are the majority, I guess) come through the web client and non-SSL users come through the Windows client, so based on that I would suggest the following:


1) Leave the web client as it is right now, pointing to the LB and having the ports configured as mentioned yesterday:
sm -loadBalancer -httpPort:13080 -httpsPort:13443
sm -httpPort:13083 -httpsPort:13082
sm -httpPort:13085 -httpsPort:13086
sm -httpPort:13087 -httpsPort:13088

 

2) For the Windows client users (which are non-SSL), get them to connect to a separate port with SSL disabled, so add a new servlet in the sm.cfg file similar to this:
sm -httpPort:13090 -httpsPort:13091 -debugnode -ssl:0
So on the Windows client, they will have to connect to the 13090 port instead of 13080 and will be able to connect without SSL.

 

Regards,
Roberto
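
The two sm.cfg situations discussed in this thread (servlets behind the load balancer that override ssl to 0, and a separate non-SSL servlet for clients without certificates) can be checked mechanically. This is an added example, not part of the original posts and not vendor code; the function names are hypothetical, the sample files are the lines quoted in the thread, and it assumes that a servlet marked -debugnode receives no traffic from the load balancer.

```python
# sm.ini values as described in the thread (ssl:1 present, sslConnector:1 added).
SM_INI = {"ssl": "1", "sslConnector": "1"}

# sm.cfg as first posted in the thread.
CFG_BEFORE = """\
sm -loadBalancer -httpPort:13080 -httpsPort:13443 -sslConnector:1 -ssl:1
sm -httpPort:13083 -httpsPort:13082 -sslConnector:1 -ssl:0
sm -httpPort:13085 -httpsPort:13086 -sslConnector:1 -ssl:0
sm -httpPort:13087 -httpsPort:13088 -sslConnector:1 -ssl:0
"""

# sm.cfg after both recommendations in the thread.
CFG_AFTER = """\
sm -loadBalancer -httpPort:13080 -httpsPort:13443
sm -httpPort:13083 -httpsPort:13082
sm -httpPort:13085 -httpsPort:13086
sm -httpPort:13087 -httpsPort:13088
sm -httpPort:13090 -httpsPort:13091 -debugnode -ssl:0
"""

def parse_sm_cfg(text, ini):
    """Return one options dict per 'sm ...' line; line options override sm.ini."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "sm":
            continue  # blank lines, comments, other commands
        opts = dict(ini)
        for tok in tokens[1:]:
            name, _, value = tok.lstrip("-").partition(":")
            opts[name] = value or "1"  # bare flags such as -loadBalancer
        entries.append(opts)
    return entries

def ssl_mismatches(text, ini):
    """HTTP ports of LB-routed servlets whose effective ssl differs from the LB's."""
    entries = parse_sm_cfg(text, ini)
    lb = next((e for e in entries if "loadBalancer" in e), None)
    if lb is None:
        return []
    return [e.get("httpPort") for e in entries
            if "loadBalancer" not in e
            and "debugnode" not in e  # assumption: debugnode servlets get no LB traffic
            and e.get("ssl", "0") != lb.get("ssl", "0")]

def direct_non_ssl_ports(text, ini):
    """HTTP ports that clients without certificates can connect to directly."""
    return [e.get("httpPort") for e in parse_sm_cfg(text, ini)
            if "loadBalancer" not in e and e.get("ssl", "0") == "0"]
```

Run against the first configuration, `ssl_mismatches` reports ports 13083, 13085 and 13087; against the final one it reports nothing, and `direct_non_ssl_ports` returns only 13090.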

Absent Member..

Hi Roberto,

Thanks a lot, it worked.

Now one query I had: if any manually created user wants to access the web, can they access it with the 8080 port, or do we need to do anything else?
