Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
placlair Absent Member.
Absent Member.
4989 views

Broken by ZCM 10.3

We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on the server or workstations. A few hours after said update, though, clients started receiving errors that they could not authenticate upon ZCM Adaptive Agent refresh ("user authentication failed during refresh...etc."), at which time ZCM completely stopped working for them.

Now, nobody can login to the ZCM Adative Agent, as they receive an error "Unable to log into the network because the login credentials or the server certificate is incorrect."

I've completely unregistered/uninstalled then reinstalled/reregistered ZCM and the Novell client on a few workstations, and tried applying the latest Novell client patch (as per TID#5071490), all to no avail. We have a mix of Win7 and WinXP workstations, so this problem cuts across multiple OSes. The workstations successfully register upon zcm reinstall, but nobody can login to the adaptive agent.

Our user source appears completely fine and browseable from within the ZCM administrative portal, into which I can login just fine via LDAP, as a designated ZCM administrator.

zmd-messages.log is offering me virtually no leads.

Can anyone out there offer up any advice to get us running again?
Labels (2)
0 Likes
14 Replies
Micro Focus Expert
Micro Focus Expert

Re: Broken by ZCM 10.3

Step#1 - Look to see if the Casa service is running.

On 4/1/2010 3:26 PM, placlair wrote:
>
> We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on the
> server or workstations. A few hours after said update, though, clients
> started receiving errors that they could not authenticate upon ZCM
> Adaptive Agent refresh ("user authentication failed during
> refresh...etc."), at which time ZCM completely stopped working for
> them.
>
> Now, nobody can login to the ZCM Adative Agent, as they receive an
> error "Unable to log into the network because the login credentials or
> the server certificate is incorrect."
>
> I've completely unregistered/uninstalled then reinstalled/reregistered
> ZCM and the Novell client on a few workstations, and tried applying the
> latest Novell client patch (as per TID#5071490), all to no avail. We
> have a mix of Win7 and WinXP workstations, so this problem cuts across
> multiple OSes. The workstations successfully register upon zcm
> reinstall, but nobody can login to the adaptive agent.
>
> Our user source appears completely fine and browseable from within the
> ZCM administrative portal, into which I can login just fine via LDAP, as
> a designated ZCM administrator.
>
> zmd-messages.log is offering me virtually no leads.
>
> Can anyone out there offer up any advice to get us running again?
>
>


--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Broken by ZCM 10.3

on the server, dont recall the URL off the top of my head, but its in a
few of the login tids.

On 4/1/2010 3:26 PM, placlair wrote:
>
> We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on the
> server or workstations. A few hours after said update, though, clients
> started receiving errors that they could not authenticate upon ZCM
> Adaptive Agent refresh ("user authentication failed during
> refresh...etc."), at which time ZCM completely stopped working for
> them.
>
> Now, nobody can login to the ZCM Adative Agent, as they receive an
> error "Unable to log into the network because the login credentials or
> the server certificate is incorrect."
>
> I've completely unregistered/uninstalled then reinstalled/reregistered
> ZCM and the Novell client on a few workstations, and tried applying the
> latest Novell client patch (as per TID#5071490), all to no avail. We
> have a mix of Win7 and WinXP workstations, so this problem cuts across
> multiple OSes. The workstations successfully register upon zcm
> reinstall, but nobody can login to the adaptive agent.
>
> Our user source appears completely fine and browseable from within the
> ZCM administrative portal, into which I can login just fine via LDAP, as
> a designated ZCM administrator.
>
> zmd-messages.log is offering me virtually no leads.
>
> Can anyone out there offer up any advice to get us running again?
>
>


--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
placlair Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

Thanks, Craig. We can browse to https://server:2645/CasaAuthTokenSvc/ without receiving any errors (just a directory listing), and I have verified that everything is kosher with the keystorefile and keystore password, as per TID #7005140.

I'm looking at TID #3418069 right now to increase logging levels and hopefully ascertain more useful information.

craig_wilson;1956601 wrote:
on the server, dont recall the URL off the top of my head, but its in a
few of the login tids.

On 4/1/2010 3:26 PM, placlair wrote:
>
> We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on the
> server or workstations. A few hours after said update, though, clients
> started receiving errors that they could not authenticate upon ZCM
> Adaptive Agent refresh ("user authentication failed during
> refresh...etc."), at which time ZCM completely stopped working for
> them.
>
> Now, nobody can login to the ZCM Adative Agent, as they receive an
> error "Unable to log into the network because the login credentials or
> the server certificate is incorrect."
>
> I've completely unregistered/uninstalled then reinstalled/reregistered
> ZCM and the Novell client on a few workstations, and tried applying the
> latest Novell client patch (as per TID#5071490), all to no avail. We
> have a mix of Win7 and WinXP workstations, so this problem cuts across
> multiple OSes. The workstations successfully register upon zcm
> reinstall, but nobody can login to the adaptive agent.
>
> Our user source appears completely fine and browseable from within the
> ZCM administrative portal, into which I can login just fine via LDAP, as
> a designated ZCM administrator.
>
> zmd-messages.log is offering me virtually no leads.
>
> Can anyone out there offer up any advice to get us running again?
>
>
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Broken by ZCM 10.3

If you can, I find taking a LAN Trace on the Primary Server to Capture
LDAP Traffic between the Server and the UserSource is often useful.

This will let you see if

#1 - The LDAP Server is make the request to the User Source for the User.

#2 - If the LDAP Server responds properly with the user found.



On 4/1/2010 3:56 PM, placlair wrote:
>
> Thanks, Craig. We can browse to https://server:2645/CasaAuthTokenSvc/
> without receiving any errors (just a directory listing), and I have
> verified that everything is kosher with the keystorefile and keystore
> password, as per TID #7005140.
>
> I'm looking at TID #3418069 right now to increase logging levels and
> hopefully ascertain more useful information.
>
> craig_wilson;1956601 Wrote:
>> on the server, dont recall the URL off the top of my head, but its in a
>> few of the login tids.
>>
>> On 4/1/2010 3:26 PM, placlair wrote:
>>>
>>> We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on

>> the
>>> server or workstations. A few hours after said update, though,

>> clients
>>> started receiving errors that they could not authenticate upon ZCM
>>> Adaptive Agent refresh ("user authentication failed during
>>> refresh...etc."), at which time ZCM completely stopped working for
>>> them.
>>>
>>> Now, nobody can login to the ZCM Adative Agent, as they receive an
>>> error "Unable to log into the network because the login credentials

>> or
>>> the server certificate is incorrect."
>>>
>>> I've completely unregistered/uninstalled then

>> reinstalled/reregistered
>>> ZCM and the Novell client on a few workstations, and tried applying

>> the
>>> latest Novell client patch (as per TID#5071490), all to no avail. We
>>> have a mix of Win7 and WinXP workstations, so this problem cuts

>> across
>>> multiple OSes. The workstations successfully register upon zcm
>>> reinstall, but nobody can login to the adaptive agent.
>>>
>>> Our user source appears completely fine and browseable from within

>> the
>>> ZCM administrative portal, into which I can login just fine via LDAP,

>> as
>>> a designated ZCM administrator.
>>>
>>> zmd-messages.log is offering me virtually no leads.
>>>
>>> Can anyone out there offer up any advice to get us running again?
>>>
>>>

>
>


--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
placlair Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

Thanks for the suggestion, Craig. I'll work on the LAN trace as soon as I can. FWIW, enabling more advanced logging on the client yielded this bit of information:

[DEBUG] [04/02/2010 08:47:57.936] [1664] [ZenworksWindowsService] [25] [] [RemotingService] [] [ZENLogin took exception: Novell.Zenworks.Zmd.ZenAuthenticationException: Invalid user name and/or password.
at Novell.Zenworks.Registration.RegistrationManager.RegisterUser(IService() services, Boolean ignoreRandomRefresh, Boolean retry, String authTokenHost)
at Novell.Zenworks.Registration.RegistrationManager.RegisterUser(String host)
at Novell.Zenworks.Registration.RegistrationModule.RegisterUser(Session session, String host)
at Novell.Zenworks.Native.RemotingService.RemotingServiceImp.ZENLoginUser(String SessionID, String Realm, String Username, String Password, String Host, String AuthToken, Boolean bZIconLogin)] [] []

One strange thing that I've noticed is that that our XP clients can login to ZCM after a full reboot. Upon ZCM refresh, though, they receive the errors about not being able to authenticate, and then they're toast until they reboot. The whole cycle starts again once zcm refreshes. Win7 and Server2K8 cannot login at all.

Very strange.

craig_wilson;1956620 wrote:
If you can, I find taking a LAN Trace on the Primary Server to Capture
LDAP Traffic between the Server and the UserSource is often useful.

This will let you see if

#1 - The LDAP Server is make the request to the User Source for the User.

#2 - If the LDAP Server responds properly with the user found.



On 4/1/2010 3:56 PM, placlair wrote:
>
> Thanks, Craig. We can browse to https://server:2645/CasaAuthTokenSvc/
> without receiving any errors (just a directory listing), and I have
> verified that everything is kosher with the keystorefile and keystore
> password, as per TID #7005140.
>
> I'm looking at TID #3418069 right now to increase logging levels and
> hopefully ascertain more useful information.
>
> craig_wilson;1956601 Wrote:
>> on the server, dont recall the URL off the top of my head, but its in a
>> few of the login tids.
>>
>> On 4/1/2010 3:26 PM, placlair wrote:
>>>
>>> We just deployed ZCM 10.3 (from 10.2.2) with no errors indicated on

>> the
>>> server or workstations. A few hours after said update, though,

>> clients
>>> started receiving errors that they could not authenticate upon ZCM
>>> Adaptive Agent refresh ("user authentication failed during
>>> refresh...etc."), at which time ZCM completely stopped working for
>>> them.
>>>
>>> Now, nobody can login to the ZCM Adative Agent, as they receive an
>>> error "Unable to log into the network because the login credentials

>> or
>>> the server certificate is incorrect."
>>>
>>> I've completely unregistered/uninstalled then

>> reinstalled/reregistered
>>> ZCM and the Novell client on a few workstations, and tried applying

>> the
>>> latest Novell client patch (as per TID#5071490), all to no avail. We
>>> have a mix of Win7 and WinXP workstations, so this problem cuts

>> across
>>> multiple OSes. The workstations successfully register upon zcm
>>> reinstall, but nobody can login to the adaptive agent.
>>>
>>> Our user source appears completely fine and browseable from within

>> the
>>> ZCM administrative portal, into which I can login just fine via LDAP,

>> as
>>> a designated ZCM administrator.
>>>
>>> zmd-messages.log is offering me virtually no leads.
>>>
>>> Can anyone out there offer up any advice to get us running again?
>>>
>>>

>
>
0 Likes
jbericks Contributor.
Contributor.

Re: Broken by ZCM 10.3

10.3 added an "Authentication Servers" section to the closest server rules. I had to configure that in order for 10.3 devices to be able to log in.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Broken by ZCM 10.3

Thanks.

On 4/1/2010 4:06 PM, jbericks wrote:
>
> 10.3 added an "Authentication Servers" section to the closest server
> rules. I had to configure that in order for 10.3 devices to be able to
> log in.
>
>


--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
chasb73 Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

did you resolve this issue? We are having the same problem. Either a user gets a secondary Zenworks login box, or user authentication failed during a refresh... Any ideas?
0 Likes
placlair Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

chasb73;2020703 wrote:
did you resolve this issue? We are having the same problem. Either a user gets a secondary Zenworks login box, or user authentication failed during a refresh... Any ideas?


Take a look here: http://forums.novell.com/novell-product-support-forums/zenworks/configuration-management/zcm-server-install/408106-broken-10-3-more-information.html
0 Likes
chasb73 Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

You, my friend, might be a lifesaver... will take a look at it, and try and translate linux commands/folder structure into Windows!!
0 Likes
placlair Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

Thanks for the suggestion, but we've got an extremely small/simple setup, and utilize the default closest server rule, which appears to include a proper "Authentication Servers" configuration.

jbericks;1956618 wrote:
10.3 added an "Authentication Servers" section to the closest server rules. I had to configure that in order for 10.3 devices to be able to log in.
0 Likes
jbericks Contributor.
Contributor.

Re: Broken by ZCM 10.3

placlair;1956627 wrote:
Thanks for the suggestion, but we've got an extremely small/simple setup, and utilize the default closest server rule, which appears to include a proper "Authentication Servers" configuration.


My CSR's are set to exclude the default rule...that's probably why I had the issue.
0 Likes
skaceli Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

Where is this setting in ZCM 103 server? I am having the same problem described here. The problem appears to be starting after the server has been rebooted the first time (i.e. the clients connect when you first create the user source. However, you reboot the server, they can no longer authenticate).

jbericks;1956618 wrote:
10.3 added an "Authentication Servers" section to the closest server rules. I had to configure that in order for 10.3 devices to be able to log in.
0 Likes
placlair Absent Member.
Absent Member.

Re: Broken by ZCM 10.3

So, we're still having authentication problems after updating to 10.3.0 (not 10.3.0a, although we have applied the schema update patch). After enabling CASA logging client-side, we have discovered the following errors:

[6B0-16C8] [09:45:57] CASA_AuthToken -Rpc- Start
[6B0-16C8] [09:45:57] CASA_AuthToken -InternalRpc- Start
[6B0-16C8] [09:45:57] CASA_AuthToken -CopyMultiToWideAlloc- Start
[6B0-16C8] [09:45:57] CASA_AuthToken -CopyMultiToWideAlloc- End, retStatus = 00000000
[6B0-16C8] [09:45:57] CASA_AuthToken -InvalidCertsFromHostAllowed- Start
[6B0-16C8] [09:45:57] CASA_AuthToken -InvalidCertsFromHostAllowed- End, retStatus = 0
[6B0-16C8] [09:45:57] CASA_AuthToken -InternalRpc- HTTP request did not complete successfully, status = 404
[6B0-16C8] [09:45:57] CASA_AuthToken -InternalRpc- End, retStatus = C7FF0001
[6B0-16C8] [09:45:57] CASA_AuthToken -Rpc- End, retStatus = C7FF0001
[6B0-16C8] [09:45:57] CASA_AuthToken -ObtainAuthTokenFromServer- GetAuthPolicy Rpc failure, error = C7FF0001
[6B0-16C8] [09:45:57] CASA_AuthToken -CloseRpcSession- Start
[6B0-16C8] [09:45:57] CASA_AuthToken -CloseRpcSession- End

and

[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteAuthTokenEntriesInCache- Start
[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteAuthTokenEntriesInCache- miCASADeleteCredential error = FFFFFCDE
[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteAuthTokenEntriesInCache- End
[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteSessionTokenEntriesInCache- Start
[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteSessionTokenEntriesInCache- miCASADeleteCredential error = FFFFFCDE
[6B0-16C8] [09:45:59] CASA_AuthToken -DeleteSessionTokenEntriesInCache- End

We have verified that the 7 zcm services that need to be are running as the designated ./z* local user (which was not the case pre-update - they were set to run as System) and that our local ./z* user has been granted the rights to logon as a service on the zcm server.

After completing the above steps, we blew away the user source and re-created it, then verified that we can browse to https://servername:2645/CasaAuthTokenSvc/ without incident.

We've tried every combination of unregistering/uninstalling the zcm client that you can imagine.

Given the 404 error in the CASA log, the problem does not seem to be with LDAP, correct?

Thanks in advance for any suggestions.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.