This section contains the following topics:
Response Test or Session Startup Errors
Unable to Reach Siebel Startup or Siebel Login Page
Monitoring the Processing of a Request
Symptom:
An error occurred during the response test or on session startup.
Solution:
Verify the CA SSO Policies by using CA SSO Test Tool.
To verify CA SSO Policies
Symptom:
The web browser shows a 500 Server Error page or the web browser continuously returns to the CA SSO login page.
Solution:
Examine the Web Agent log.
Note: This problem does not relate to the Siebel SSO agent– it is a problem in the site’s Web Agent configuration.
Symptom:
ProviderTest (or ProviderTest75) reported no problems but a message indicates that the server is busy or experiencing difficulties.
Solution:
Examine the Security Adapter logs.
Consider using the AnonUsername and AnonPassword settings.
Symptom:
The symptoms of this problem include an infinite loop in the browser window and the following message that appears in the Policy Server Authentication Log:
Ticket outside acceptance window - replay attack?
The most common problem encountered is an error in response creation, specifically in configuring attribute caching. Another probelm is or the time difference between the SIEBELTICKET generation and its validation by SiebelSSOAuth authentication scheme being higher than the configured PERIOD value in authentication scheme.
Solution:
To correct a ticket outside acceptance window issue, open the response in the CA SSO Administrative UI and adjust the Attribute Caching setting or increase the PERIOD parameter value in the authentication scheme.
Symptom:
Security Adapter attempts to dynamically load the CA SSO Agent API when needed. If the Agent API library cannot be found, the following message appears in the Security Adapter log file:
Agent API Not loaded
This message indicates that the system is unable to locate the relevant CA SSO Agent API file (SmAgentAPI.dll, libsmagentapi.so, libsmagentapi.sl).
Solution:
Check that the Agent API file is present.
If the file is present, but this error persists, do the following, according to your platform:
Note: Within the Security Adapter file (SmSiebelSSO.conf), the settings for LogFile and LogLevel determine what information is logged. Make sure you have defined a log file and a level of logging.
Valid for CA SSO Agent for Siebel for HI client application
Symptom:
An error connecting to server message appears at the top of the Siebel application page when the CA SSO session times out before the Siebel session times out.
Solution:
Set the CA SSO session to a large value, and set the Siebel session timeout to a lower value so that Siebel governs the idle session timeouts.
Set the TurnLoopingOff variable as follows:
Valid when Siebel WSE resides on IIS6
Symptom:
The web agent trace file on the web server does not log additional information.
Solution:
When Siebel WSE resides on IIS6, it creates a virtual folder for the Siebel application within the default website that has a different application associated to it.
Do the following:
Add the ISAPI6WebAgent.dll wildcard application mapping for the Siebel application/folder within the default website. This will cause the additional logging to appear in the webagent trace file.
The following stages in the processing of a request are documented in various log files:
Generation of a Siebel authentication ticket is recorded in the Policy Server trace, as shown in the following example:
. **************************************************** …….Siebel SSO Ticket Generation Parameters ***************************************************** . . Generating SSO ticket WITHOUT DN . [SIEBELTICKET=[NDSEnc-D]IhOoXn6KH6D9GMSQ2yQOywuZa4Hw+Qcr6zYdZ/oqzxM=]
Firing a Siebel user response, which sends a user attribute whose value maps to a valid Siebel user, is recorded in the Policy Server trace, as shown in the following example:
[SIEBELUSER=test]
Anonymous user authentication is recorded in the Siebel Agent Security Provider logs, as shown in the following example:
. Checking for Anonymous user Anonymous user password correct .
The process in which Security Provider contacts Policy Server and accesses the protected resource /SiebelConnector/ can be seen in the Siebel Agent Security Adapter log, as shown in the following example:
. . SecurityLogin8() called Username: 'test' Password: *Not shown* (54 chars) Config file already loaded SmAgentConnection::Connect() Checking for Anonymous user Anonymous user, checking password Invalid Anonymous password - user will be authenticated via SiteMinder SecurityLogin8() calling AuthAzAndCollectResponse() . .
The process in which Policy Server uses the Siebel SSO authentication scheme to verify the user credentials can be seen in the Policy Server traces as shown in the following example:
. . [SiebelConnector: Authentication phase] . [SiebelConnector: Authenticating user with SSO ticket] . [SiebelConnector: Username to be validated is 'test'] . [SiebelConnector: Validating token [NDSEnc-D]LYwrQqKp9mugsmf6mdHid3MRaQch4iilKUzi+PD0oIw= for user test] . [SiebelConnector: Ticket decrypted to 19 bytes] . [SiebelConnector: Decrypted ticket - checking contents] . [SiebelConnector: Ticket parser results:] . [SiebelConnector: Time: 1132825779] . [SiebelConnector: LoginName: test] . [SiebelConnector: Ticket in acceptance window] . [SiebelConnector: Auth succeeded] .
Security provider checks the SIEBELUSER response against the response that was extracted from the HTTP headers. This can be seen in Siebel Agent Security Adapter log, as shown in the following example:
. AuthAzAndCollectResponse - Authentication ACCEPTED AuthAzAndCollectResponse - Authorization ACCEPTED Found SIEBELUSER Response Usernames match There are 0 responses saved Credentials for user 'sadmin' accepted User authenticated - returning SecurityErrOK SecurityGetCredentials8() called Requested credential type is ServerDataSrc Returning SecurityErrOK
Symptom:
The ATTR attribute value that is set in the Active Response is ignored resulting in authentication failure while using the NTLM authentication scheme.
Solution:
Add the following parameter to the Active Response and set the value to Yes.
Specifies that CA SSO Agent for Siebel does not ignore the value set in the ATTR attribute.
Values: Yes, No
Copyright © 2015 CA Technologies.
All rights reserved.
|
|