Failed to Authenticate the Sso Server. Please Try Again Later

Troubleshooting authentication issues

This topic provides information for troubleshooting authentication issues of Remedy Single Sign-On.

Generic authentication issues

Issue: A non-existing domain is mapped to a realm

Description: When a user request is redirected to the Remedy SSO login URL, the following message is displayed:

Unexpected error happened. Not possible to define a realm.

This error happens when the administrator deletes the default realm "*" and then adds another realm, but does not configure a domain for the new realm.

Workaround: Add the application host name or FQDN in the realm domain if the realm ID is not "*".

Authentication issues for applications hosted on different domains

Issue: Unable to issue id_token

Description: After configuring the Remedy SSO agent for using the OpenID scope, the Remedy SSO server fails to generate the id_token in the following scenarios, and an exception is logged in the Remedy SSO agent logs:

  • If you do not generate the JSON web key (JWK), the Remedy SSO server does not find the private key to sign with and cannot generate the id_token.
  • You do not provide the URL of the server issuing the id_token.

For more information about the exception, see the Remedy SSO agent logs.

Workaround: After configuring the Remedy SSO agent for using the OpenID scope, make sure that you:

  • Provide the URL of the server issuing the id_token in the OpenID Issuer URL field on the OAuth2 > Settings tab.
  • Generate the JWK from the OAuth2 > OpenID tab.

Issue: An OAuth2 client cannot use the OpenID scope

Description: At the time of registering a client as an OAuth2 client, if you do not select the openid (Scope used for OpenID connect) check box, the client cannot use the OpenID scope. The Remedy SSO server logs a message mentioning that the specified OAuth2 client is not allowed to use the OpenID scope.

Workaround: On the Admin Console, edit the OAuth2 client details and select the openid (Scope used for OpenID connect) check box for that client.

Issue: id_token is invalid

Description: The user cannot log in and gets the following error message:

An error occurred. Please contact your administrator or retry later.

The following exception is logged in the log files:

id_token is invalid. Message: id_token is issued at 'Wed Jan 30 22:46:39 GMT-12:00 2019', now is 'Wed Jan 30 22:46:29 GMT-12:00 2019'

Workaround: Synchronize the time on the Remedy SSO server and Remedy SSO agent machines.
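The log line above shows why the clocks matter: the id_token was issued at 22:46:39 while the agent's clock read 22:46:29, so the token appeared to come from the future and failed the iat check. The following is an added example, not code from the BMC page or from Remedy SSO, showing how a verifier checks the time claims of an already-decoded id_token with and without a clock-skew tolerance ("leeway"). The claims dictionary, issuer and client id are constructed from the two timestamps in the log; only the Python standard library is used.

```python
"""Added example (not from the BMC page): validating the time claims of an
id_token with and without clock-skew tolerance.  The two timestamps come
from the log line quoted on the page (GMT-12:00); the claims, issuer and
client id are constructed placeholders.  Standard library only.
"""
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=-12))
ISSUED_AT = datetime(2019, 1, 30, 22, 46, 39, tzinfo=TZ)   # from the log line
AGENT_NOW = datetime(2019, 1, 30, 22, 46, 29, tzinfo=TZ)   # from the log line
AGENT_NOW_TS = AGENT_NOW.timestamp()

# Constructed id_token payload (the page does not show the real one).
CLAIMS = {
    "iss": "https://rsso.example.com/rsso",        # placeholder issuer URL
    "aud": "example-oauth2-client",                # placeholder client id
    "iat": int(ISSUED_AT.timestamp()),
    "exp": int((ISSUED_AT + timedelta(hours=1)).timestamp()),
}


def check_time_claims(claims, now_ts, leeway_seconds=0):
    """Return (ok, reason) for the iat/nbf/exp claims of a decoded JWT.

    `now_ts` is the verifier's clock as a POSIX timestamp; `leeway_seconds`
    is the tolerated skew in either direction.  Signature, issuer and
    audience checks are separate and must still be done by the caller.
    """
    iat = claims.get("iat")
    if iat is not None and iat > now_ts + leeway_seconds:
        return False, f"issued in the future by {iat - now_ts:.0f}s"
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now_ts + leeway_seconds:
        return False, f"not valid before {nbf - now_ts:.0f}s from now"
    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp"
    if exp <= now_ts - leeway_seconds:
        return False, f"expired {now_ts - exp:.0f}s ago"
    return True, "time claims ok"


def format_like_log(claims, now):
    """Reproduce the agent's log wording for an iat-in-the-future failure."""
    iat = datetime.fromtimestamp(claims["iat"], tz=now.tzinfo)
    fmt = "%a %b %d %H:%M:%S GMT-12:00 %Y"
    return (f"id_token is invalid. Message: id_token is issued at "
            f"'{iat.strftime(fmt)}', now is '{now.strftime(fmt)}'")


if __name__ == "__main__":
    print(check_time_claims(CLAIMS, AGENT_NOW_TS))          # rejected: 10 s in the future
    print(check_time_claims(CLAIMS, AGENT_NOW_TS, 30))      # accepted with 30 s leeway
    print(format_like_log(CLAIMS, AGENT_NOW))
```

Synchronizing the clocks (the workaround above) removes the skew at its source; a small leeway in the verifier only masks skews smaller than the tolerance and should not be used as a substitute for time synchronization.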

Issue Clarification Workaround

The cantankerous launch link is not displayed.

  • In Chrome, no text is displayed in the iframe. The following message is displayed in the programmer console (F12):

    Refused to display  '<originating_app_host>:<port>/rsso/cantankerous-sso? goto=<target_app_host>#jwt=<jwt_value>'  in a frame considering an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
  • The post-obit message is displayed in Firefox:

    Blocked by Content Security Policy.
  • The following bulletin is displayed in Microsoft Internet Explorer:

    This content cannot be displayed in an frame.
  • The following message is displayed in Microsoft Border:

    This content can't be shown in an frame.

The target Remedy SSO server is not configured correctly.
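The Chrome message above is the browser applying the target server's Content-Security-Policy: with frame-ancestors 'self', only pages from the Remedy SSO server's own origin may embed the cross-launch frame, and the originating application is a different origin. The following is an added example, not code from the BMC page or from Remedy SSO, that re-implements the frame-ancestors matching decision in simplified form so you can test a policy against a pair of origins before changing server configuration. The origins and policies are constructed; the matching rules are a simplification of the browser's (scheme-source, host-source with a leading "*." wildcard and optional port, 'self', 'none' and '*').

```python
"""Added example (not part of the BMC page): does a CSP frame-ancestors
directive allow a given ancestor origin to frame the page?  Simplified
re-implementation of the browser's matching; origins are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_parts(origin):
    """Split 'scheme://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin)
    return u.scheme.lower(), u.hostname.lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())


def frame_ancestors_sources(csp_header):
    """Return the frame-ancestors source list, or None if the header has no
    such directive (CSP then places no framing restriction)."""
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(source, page, ancestor):
    """Match one source expression against the ancestor origin."""
    p_scheme, _p_host, _p_port = page
    a_scheme, a_host, a_port = ancestor
    if source == "'none'":
        return False
    if source == "'self'":
        return page == ancestor
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:        # scheme-source, e.g. https:
        return a_scheme == source[:-1]
    # host-source: [scheme://]host[:port|:*]
    scheme, rest = (source.split("://", 1) if "://" in source else (None, source))
    host, _, port = rest.partition(":")
    if scheme is not None and scheme != a_scheme:
        return False
    if scheme is None and a_scheme not in (p_scheme, "https"):  # simplified scheme rule
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    if port == "*":
        return True
    if port:
        return int(port) == a_port
    return a_port == DEFAULT_PORTS.get(a_scheme)          # no port given: default port only


def frame_allowed(csp_header, page_origin, ancestor_origin):
    """True if `ancestor_origin` may frame a page served with `csp_header`."""
    sources = frame_ancestors_sources(csp_header)
    if sources is None:
        return True
    page, ancestor = origin_parts(page_origin), origin_parts(ancestor_origin)
    return any(source_matches(s, page, ancestor) for s in sources)


# Constructed origins standing in for <target_app_host> and <originating_app_host>.
RSSO_ORIGIN = "https://rsso.example.com"
APP_ORIGIN = "https://itsm.example.com:8443"

if __name__ == "__main__":
    print(frame_allowed("frame-ancestors 'self'", RSSO_ORIGIN, APP_ORIGIN))   # False: blocked
    print(frame_allowed("frame-ancestors 'self' https://*.example.com:*",
                        RSSO_ORIGIN, APP_ORIGIN))                            # True
```

The first call reproduces the blocked cross-launch: the policy is 'self' only and the application origin differs from the Remedy SSO origin. The second shows a policy that admits the application's origin while still naming it explicitly rather than allowing any ancestor.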

Issue: The following error message is displayed in an iframe:

Unexpected error happened. Failed to login. Please contact the Administrator.

Description: A wrong certificate is configured for a realm with the Preauth authentication method on the target Remedy SSO server.

Workaround:

  1. Enable the DEBUG log level on the target Remedy SSO server and reproduce the issue.
  2. Check the logs. The following statements might be displayed:

    Authentication failed. Reason: 'Could not parse certificate: java.io.IOException: java.lang.IllegalArgumentException: Input byte array has wrong 4-byte ending unit'
    Authentication failed. Reason: 'JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.'
  3. Configure the correct certificate for the Preauth authentication method on the target Remedy SSO server.

Remedy AR authentication issues

Issue: AREA plugin error after AR user credentials were submitted

Description: The user completes a Remedy SSO login (on the Remedy SSO login page for AR authentication or on the IdP login page) and is redirected back to the BMC application URL.

Then, the application might display an authentication error.

The AR AREA plugin log file (ARSystemInstallFolder/Arserver/Db/arjavaplugin.log) might contain the following or similar error logs:

2015-09-13 17:04:21,324 ERROR [pool-4-thread-10] com.bmc.arsys.pluginsvr.plugins.ARPluginContext (?:?) - <ARSYS.AREA.RSSO> Could not validate userId with Service Provider. Could not retrieve user from authentication string.
2015-09-13 17:04:21,324 ERROR [pool-4-thread-10] com.bmc.arsys.pluginsvr.plugins.ARPluginContext (?:?) - <ARSYS.AREA.RSSO> Return Code:2

Workaround:

  1. Check the contents of the ARSystemInstallFolder/Conf/rsso.cfg file, and verify that the value of the sso-service-url property corresponds to the Remedy SSO server URL.
  2. Check that the sso-service-url is accessible from the AR server node.
    You can use curl to test network connectivity from the AR server node to the Remedy SSO server URL.
  3. If the connection test works, go to the next step.
  4. Check whether any proxy is used on the AR System plugin server for the outgoing network connection.
    • The proxy option must be defined in the Java options in armonitor.cfg. The startup string for the Java plugin server would have Java parameters for enabling the proxy.
    • If the proxy server is defined for the Java plugin server, force a bypass of the proxy for the Remedy SSO server host name.
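The four steps above can be scripted on the AR System server node. The following is an added example, not code from the BMC page or from Remedy SSO: it reads sso-service-url from rsso.cfg, optionally probes that URL (the curl step), and checks whether the plugin server's Java startup options route the Remedy SSO host through a proxy without bypassing it. The rsso.cfg text and the armonitor.cfg startup line are constructed samples; -Dhttp.nonProxyHosts is the standard JVM property for proxy bypass and is the one an operator would add for the bypass in step 4. Standard library only.

```python
"""Added example (not part of the BMC page): the rsso.cfg / curl / proxy
checks from the AREA plugin troubleshooting steps.  The configuration text
and startup line are constructed samples.  Standard library only.
"""
import re
import shlex
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of the relevant rsso.cfg lines ("key: value" format).
SAMPLE_RSSO_CFG = """\
# Remedy SSO agent settings for the AREA plugin (constructed sample)
sso-service-url: https://rsso.example.com/rsso
AR-USER-GROUPS-FIX: true
"""

# Constructed sample of a Java plugin server startup line from armonitor.cfg.
SAMPLE_ARMONITOR_LINE = (
    "java -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=3128 "
    "-Dhttp.nonProxyHosts=localhost|127.0.0.1|*.example.com "
    "-jar pluginsvr.jar"
)


def read_cfg_value(cfg_text, key):
    """Return the value of `key` from a 'key: value' file, or None if absent."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == key.lower():
            return v.strip()
    return None


def java_options(startup_line):
    """Collect -Dname=value options from a Java command line into a dict."""
    opts = {}
    for tok in shlex.split(startup_line):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            opts[name] = value
    return opts


def host_bypasses_proxy(non_proxy_hosts, host):
    """Apply Java's http.nonProxyHosts matching: '|'-separated patterns in
    which '*' matches any run of characters (e.g. *.example.com).  The same
    property governs https connections; there is no https.nonProxyHosts."""
    if not non_proxy_hosts:
        return False
    for pattern in non_proxy_hosts.split("|"):
        regex = "^" + re.escape(pattern.strip()).replace(r"\*", ".*") + "$"
        if re.match(regex, host, re.IGNORECASE):
            return True
    return False


def check_proxy_bypass(cfg_text, startup_line):
    """Return (rsso_host, proxy_configured, bypassed) for the given files."""
    url = read_cfg_value(cfg_text, "sso-service-url")
    host = urlsplit(url).hostname
    opts = java_options(startup_line)
    proxied = any(name.endswith(".proxyHost") for name in opts)
    bypassed = host_bypasses_proxy(opts.get("http.nonProxyHosts"), host)
    return host, proxied, bypassed


def probe(url, timeout=5):
    """Live connectivity check (the curl step); returns the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:      # reachable, but a non-2xx answer
        return e.code


if __name__ == "__main__":
    host, proxied, bypassed = check_proxy_bypass(SAMPLE_RSSO_CFG, SAMPLE_ARMONITOR_LINE)
    print(f"Remedy SSO host: {host}; proxy configured: {proxied}; bypassed: {bypassed}")
    # On a real AR server node, read ARSystemInstallFolder/Conf/rsso.cfg and run:
    # print(probe(read_cfg_value(open("rsso.cfg").read(), "sso-service-url")))
```

If the script reports a proxy configured but the Remedy SSO host not bypassed, extending -Dhttp.nonProxyHosts with that host name in the plugin server's startup string is the bypass that step 4 asks for.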

Issue: No groups for authenticated users

Description: Remedy AR System is integrated with Remedy SSO, and authenticated users have no groups after login.

Workaround: Uncomment the following setting in the ARSystemInstallFolder/Conf/rsso.cfg file:

AR-USER-GROUPS-FIX: true

Issue: AR authentication on Remedy SSO does not work when Premium Encryption is enabled on AR System Server

Description: After installing Encryption Premium or Performance security on AR System Server, Remedy SSO can no longer connect to AR System Server with encryption enabled.

Workaround: Install the same Premium or Performance security application on the Remedy SSO server. For information about how to set up the Premium or Performance security application, see Installing encryption on BMC Remedy applications.

To integrate Remedy SSO with Premium Encryption, see Doc-128148.

SAML authentication issues

Issue: IdP error on SAML request if the SAML IdP login URL contains a query parameter

Description: If the IdP login URL contains a query parameter (a question mark [?] is in the URL), an error might appear when the browser is redirected to the IdP login URL. For example, if you are trying to access https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=XXX, you will not be able to log in.

Workaround: Not applicable

Issue: SAML IdP returns NameID with an encrypted string

Description: Some IdPs might return an encrypted string in the NameID of the response.

Workaround: If the NameID in a SAML response returned by the IdP exceeds 255 characters, increase the size of the NameId column in the IssuesTokens table of the Remedy SSO database. For example, if the NameID length is 300 characters, set the NameId column to at least VARCHAR(300).

LDAP authentication issues

Issue: LDAP authentication failure

Description: When using LDAP over SSL in an environment that uses Java 8+, users are not authenticated.

The following records are available in the Remedy SSO server logs:

javax.naming.CommunicationException: simple bind failed: <LDAP SERVER NAME>:PORT [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation]

Workaround: Add the following Java properties for the JVM that Tomcat uses:

-Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true

Both properties relax the JVM's TLS renegotiation safety checks, as their names indicate, and they apply to every TLS connection that Tomcat's JVM makes, not only to the LDAP connection.

Linux example:

Create or edit the TomcatInstallFolder/bin/setenv.sh file with the following content:

JAVA_OPTS="-Djdk.tls.allowUnsafeServerCertChange=true"
JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"
export JAVA_OPTS

Microsoft Windows example:

    1. Use the tomcatXw.exe GUI.
    2. Create a setenv.bat file with similar content.

Description: If the LDAP server uses a self-signed certificate, the JVM that Tomcat uses on the Remedy SSO server does not trust this certificate.

Workaround: To use a TLS/SSL connection to the LDAP server, import the LDAP server certificates into the cacerts truststore (JavaHome\jre\lib\security) of the JVM used by the Apache Tomcat that runs the Remedy SSO server. You can import the certificates by using third-party utilities such as Keystore Explorer.

Issue: The login request is redirected to an empty rsso/start URL

Description: When the Remedy SSO server and the integrated application both use self-signed TLS/SSL certificates for the HTTPS connection, the certificate confirmation dialog box breaks the flow, and you cannot log in by using the Microsoft Edge and Safari browsers.

Workaround: Use another browser to log in, or open the application URL again after confirming the exception for the certificate.

Kerberos authentication issues

You can find the events and log information related to Kerberos in the following files, which are usually located in the log directory for Tomcat:

  • rsso.log—The main log file of the Remedy SSO server.
  • tomcat8-stdout.*.log—A file that contains Kerberos-related events from the Java Authentication and Authorization Service (JAAS), which the Remedy SSO server uses internally to authenticate users.

Issue: Invalid keytab index number for Kerberos

Description: An exception is generated in the logs when the keytab file is generated with a key version number (KVNO) different from the one specified in the ticket.

The log file might look something like this:

amJAAS:10/18/2011 09:35:00:435 AM PDT: Thread[http 8443-1,5,main] Exception: com.sun.identity.authentication.spi.AuthLoginException: Failed to authenticate. Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

Workaround: Regenerate the keytab file. You must specify the /kvno 0 option to ensure that the KVNO value is compatible.

Issue: Browser sends NTLM instead of SPNEGO

Description: The token that the Remedy SSO server receives from the client is a Microsoft Windows NT LAN Manager (NTLM) token and not the Kerberos token.

If this issue happens, the following entry is recorded in the log file:

Authentication token is NTLM but not SPNEGO.

Workaround: Ensure that the Remedy SSO server host name or domain is added to the list of websites for Kerberos authentication.

The failure could happen due to the following reasons:

  • The browser is not correctly configured to use Kerberos authentication.
    For information about how to configure the browser correctly, see Configuring Kerberos authentication.
  • A service ticket for the Remedy SSO server was not obtained. Make sure that a Kerberos service ticket is obtained when the client's machine tries to access the Remedy SSO server.

    Check that the client's computer requested a ticket for the Remedy SSO server from the key distribution center (KDC), and was then issued a service ticket:

    c:\Windows\system32\klist.exe
    ...
    #1> Client: dev_adei @ QA2R.LOCAL
        Server: HTTP/access.bmc.com @ QA2R.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 11/3/2016 9:00:43 (local)
        End Time:   11/3/2016 19:00:43 (local)
        Renew Time: 11/10/2016 9:00:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
    ...
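The distinction behind the log entry "Authentication token is NTLM but not SPNEGO" is visible in the Authorization header itself: browsers send both kinds of token under the same Negotiate scheme, but a decoded NTLM message begins with the ASCII signature "NTLMSSP\0", while a SPNEGO (or raw Kerberos) token is a DER-encoded GSS-API InitialContextToken beginning with tag 0x60 and naming its mechanism OID. The following is an added example, not code from the BMC page or from Remedy SSO, that classifies a captured header value so the symptom can be confirmed from a request trace. The sample tokens are constructed (a minimal NTLM NEGOTIATE message and GSS-API tokens with dummy inner bytes); the mechanism OIDs are the standard SPNEGO and Kerberos V5 OIDs. Standard library only.

```python
"""Added example (not part of the BMC page): telling an NTLM token from a
SPNEGO or Kerberos token in an 'Authorization: Negotiate ...' header.
The sample tokens are constructed for illustration.  Standard library only.
"""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # DER OID 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2


def der_length(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def gss_token(mech_oid, inner):
    """Build an RFC 2743 InitialContextToken: 0x60, length, mechanism OID, inner."""
    payload = mech_oid + inner
    return b"\x60" + der_length(len(payload)) + payload


def ntlm_negotiate():
    """Minimal constructed NTLM NEGOTIATE_MESSAGE: signature, type 1, flags, empty fields."""
    return NTLM_SIGNATURE + struct.pack("<II", 1, 0x00008207) + b"\x00" * 16


def classify_negotiate_header(header_value):
    """Classify an Authorization header value as NTLM, SPNEGO, Kerberos or unknown.
    Returns (kind, detail)."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown", f"scheme {scheme!r}"
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return "unknown", "token is not valid base64"
    if raw.startswith(NTLM_SIGNATURE):
        msg_type = struct.unpack_from("<I", raw, 8)[0] if len(raw) >= 12 else None
        return "NTLM", f"message type {msg_type}"
    if raw[:1] == b"\x60":
        _, pos = read_der_length(raw, 1)
        if raw.startswith(SPNEGO_OID, pos):
            return "SPNEGO", "GSS-API token with SPNEGO mechanism OID"
        if raw.startswith(KERBEROS_OID, pos):
            return "Kerberos", "GSS-API token with Kerberos V5 mechanism OID"
        return "unknown", "GSS-API token with unrecognised mechanism OID"
    return "unknown", "neither NTLMSSP signature nor GSS-API tag"


# Constructed header values in the form a browser sends them.
NTLM_HEADER = "Negotiate " + base64.b64encode(ntlm_negotiate()).decode()
SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    gss_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")).decode()   # dummy NegTokenInit bytes
KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    gss_token(KERBEROS_OID, b"\x01\x00")).decode()              # dummy AP-REQ token id

if __name__ == "__main__":
    for header in (NTLM_HEADER, SPNEGO_HEADER, KERBEROS_HEADER):
        print(classify_negotiate_header(header))
```

A token classified as NTLM confirms the row above: the browser did not obtain or did not send a Kerberos service ticket for the Remedy SSO host, so the browser's site list and the klist output are the next things to check.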

Issue: Keytab file does not contain an entry to decrypt a service ticket

Description: The keytab file does not contain an entry to decrypt a service ticket. The logs might look something like this:

java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Caused by: KrbException: Checksum failed
Caused by: java.security.GeneralSecurityException: Checksum failed

Workaround: Examine the items and make sure that the service principal names (SPNs) are valid. If an SPN password is used in the Remedy SSO Admin Console, ensure that the Service Principal Name is specified as HTTP/access.bmc.com@RSSO.COM.

To see the content of the existing keytab file, run the ktab command:

c:\>java sun.security.krb5.internal.tools.Ktab -l -e -t -k all.keytab
Keytab name: all.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------------------
   0 12/31/69 12:00 PM HTTP/access.bmc.com@RSSO.COM (1:DES CBC mode with CRC-32)
   0 12/31/69 12:00 PM HTTP/access.bmc.com@RSSO.COM (3:DES CBC mode with MD5)
   0 12/31/69 12:00 PM HTTP/access.bmc.com@RSSO.COM (23:RC4 with HMAC)
   0 12/31/69 12:00 PM HTTP/access.bmc.com@RSSO.COM (18:AES256 CTS mode with HMAC SHA1-96)
   0 12/31/69 12:00 PM HTTP/access.bmc.com@RSSO.COM (17:AES128 CTS mode with HMAC SHA1-96)

This keytab file contains five entries for the same principal, but each entry has a different encryption type. You must use the /crypto all option with the ktpass utility to generate the keytab file.

Description: The following error appears in the rsso.log file:

Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96 (or AP REP - AES128 CTS)

Workaround: Install the JCE Unlimited Strength Jurisdiction Policy Files for the JDK/JRE to support the AES128 and AES256 encryption types. You can find the policy files at the following links:

  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JRE 8
  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JRE 7

Also, install these policy files in the JRE that is used by the Tomcat server on which Remedy SSO runs.
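Both keytab rows above come down to one question: does the keytab hold a key for the service principal in the encryption type of the incoming ticket (AES256 is etype 18, AES128 is 17, RC4 is 23 in the ktab listing)? The following is an added example, not code from the BMC page or from Remedy SSO, that reads the keytab file format that ktab lists (version 2: the bytes 0x05 0x02 followed by length-prefixed entries) and answers that question without a KDC. A keytab is built and parsed in memory; the principal is the page's example, the key bytes are constructed dummies and not real keys. Standard library only.

```python
"""Added example (not part of the BMC page): list the entries of a keytab
(KVNO, timestamp, principal, enctype, as ktab does) and check whether it can
decrypt a ticket of a given encryption type.  Keytab v2 layout; the keytabs
below are constructed in memory with dummy key bytes.  Standard library only.
"""
import struct
from datetime import datetime, timezone

ETYPE_NAMES = {1: "DES CBC mode with CRC-32", 3: "DES CBC mode with MD5",
               17: "AES128 CTS mode with HMAC SHA1-96",
               18: "AES256 CTS mode with HMAC SHA1-96", 23: "RC4 with HMAC"}
KRB5_NT_PRINCIPAL = 1
SPN = "HTTP/access.bmc.com@RSSO.COM"      # the service principal from the page


def _counted(b):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise [(principal, kvno, etype, key_bytes, timestamp)] as keytab v2."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)              # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, etype, key, timestamp (UTC)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                      # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        if end - pos >= 4:                # 32-bit kvno, if present and non-zero, wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "etype": etype, "key": key,
                        "timestamp": datetime.fromtimestamp(ts, timezone.utc)})
    return entries


def can_decrypt(entries, principal, etype, kvno=None):
    """True if the keytab holds a key for `principal` in `etype` (and `kvno`)."""
    return any(e["principal"] == principal and e["etype"] == etype
               and (kvno is None or e["kvno"] == kvno) for e in entries)


def missing_etypes(entries, principal, wanted=(17, 18, 23)):
    """Encryption types a ticket might use for which the keytab has no key."""
    have = {e["etype"] for e in entries if e["principal"] == principal}
    return sorted(set(wanted) - have)


# Constructed keytabs; the key bytes are dummies, not real Kerberos keys.
# RC4_ONLY reproduces the "Cannot find key of appropriate type ... AES256" case.
RC4_ONLY_KEYTAB = build_keytab([(SPN, 3, 23, b"\x11" * 16, 0)])
ALL_CRYPTO_KEYTAB = build_keytab([(SPN, 3, et, b"\x22" * (32 if et == 18 else 16), 0)
                                  for et in (23, 18, 17)])

if __name__ == "__main__":
    for e in parse_keytab(ALL_CRYPTO_KEYTAB):
        print(e["kvno"], e["timestamp"], e["principal"], ETYPE_NAMES.get(e["etype"], e["etype"]))
    print("AES256 ticket decryptable with RC4-only keytab:",
          can_decrypt(parse_keytab(RC4_ONLY_KEYTAB), SPN, 18))
    print("missing etypes:", missing_etypes(parse_keytab(RC4_ONLY_KEYTAB), SPN))
```

Run against a real keytab (open the file in binary mode and pass its bytes to parse_keytab), an empty missing_etypes result for the SPN means the keytab was generated with all encryption types, which is what the /crypto all option above produces; an etype that is present in the keytab but still fails points at the JRE policy files rather than the keytab.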

Issue: The login fails because of the large header size, and the browser displays an error

Description: The Kerberos service ticket is passed as a header value in the HTTP request. Though the default maximum header size in Tomcat is 4096 bytes (4 KB), the header size may go up to 28 KB under some circumstances.

The login fails because of the large size, and the browser displays an error message because Tomcat does not respond to such requests.

Workaround: Specify the maxHttpHeaderSize attribute on the HTTPS connector, and set a large enough value in bytes.

To debug Kerberos authentication issues

  1. To ensure that the client's machine has joined the domain and the domain user is used, run the following command:

    C:\>whoami
    DOMAIN\userID
  2. Ensure that you have other internal resources with Kerberos authentication, and that you can successfully log in to them and use them.
    For this, you must have service tickets in the output of the klist utility.
  3. Ensure that the Remedy SSO server is configured to use the same domain that your machine has joined.
  4. Ensure that you are trying to access the Remedy SSO server by using its FQDN (for example, http://access.example.com/rsso/). Also, make sure that the host name used in the FQDN is identical to the host name used in the service principal name (SPN) for a service account created in the key distribution center (KDC). In this case, the SPN will be HTTP/access.example.com.
  5. Ensure that you have obtained the Kerberos ticket-granting ticket (TGT).
  6. Ensure that the browser is configured properly; see Configuring browser settings for Kerberos authentication.
  7. Ensure that the KDC domain is defined in uppercase in the Remedy SSO Admin Console.
  8. Ensure that the time difference between the KDC and your machine is no more than 5 minutes.
  9. Ensure that the Kerberos service ticket obtained on the machine accessing the Remedy SSO server looks like HTTP/access.bmc.com@RSSO.COM, where access.bmc.com is the host name of the machine that hosts the Remedy SSO server.


Source: https://docs.bmc.com/docs/rsso1911/troubleshooting-authentication-issues-897552931.html
