Previous Topic: How Do I?


Troubleshooting

Many things can happen when APS is not properly configured. A few of the more common issues are described below.

In all cases, the first thing that should be examined is SiteMinder’s Authentication Service Console Log on the Policy Server. APS records all significant activity into this log. If something is happening that you suspect should not be happening, always check this log first.

Always make sure that you have applied all of the latest patches/service packs to your APS installation. Often, a given problem has already been found at another site and fixed in a patch. Patches are available for download from the Netegrity support site.

If you still cannot resolve the issue, open a case using Netegrity’s support Web Site. In order to optimize response time from Netegrity, be sure to do the following:

  1. Make sure that the case clearly identifies the issue as an APS issue (both in the text and as the product/component).
  2. Make sure to identify the correct versions of APS, SiteMinder and your Operating System platform(s).
  3. Attach your entire APS.cfg and SmPortal.cfg files to the case.
  4. Attach a complete copy of the SiteMinder Authentication Service Console Log to the case. Please do not just cut/paste important lines, sometimes the issue requires that we see the entire authentication process.

    A site can request that additional information (traces) be written to this log. To do so, set the "Trace" keyword in the APS Configuration File. To turn off this tracing, delete the "Trace" keyword.

    In APS Version 4.0, all of the entries placed into the Authentication Log were reviewed and their format standardized. Each specifically identifies its source as APS. Please note that it would be impossible to document the information logged, since it changes from release to release.

  5. Be sure to properly prioritize your case. The rules of thumb are:
    1. Priority ONE is reserved for PRODUCTION SERVER OUTAGES ONLY and require immediate attention.
    2. Priority TWO is for serious outages that will impact rollouts, are holding up development or testing efforts, or are considerable inconveniences in production (such as requiring frequent server restarts, etc).
    3. Priority THREE is for all other issues.
    4. Capabilities questions (such as "Can APS do this…?") should be directed to your sales engineer or sales representative, rather than logged to our support site.

    Unfortunately, a few customers have been known to overstate the priority of their cases intentionally, in an effort to get more immediate response.

    Rather than being productive, this has two adverse effects:

This section contains the following topics:

Connectivity Problems

Connectivity Problems

Various APS components communicate with the Policy Server via SmPortal/SmTransact. This is the troubleshooting section for those connectivity issues.

This kit provides a comprehensive set of error codes that can be used to determine and resolve problems with services.

These errors are distinct from application errors and should not be confused with them. The errors displayed by SmPortalTest are all tunnel errors and that makes SmPortalTest a good tool for validating configuration.

A zero error return indicates success (though the service itself may have failed and thus returned a non-zero application error).

Negative numbers indicate client side (SmPortal) errors. These errors typically indicate an invalid configuration.

Positive errors indicate an error that occurred on the Policy Server when SmTransact attempted to execute the Service Provider (back-end) code. These are typically errors in service code.

A typical problem is that either multiple copies of SmPortal.cfg exist or that it does not exist on the same directory with SmPortal.dll. Only a copy on the same directory with SmPortal.dll will ever be used. Be careful of multiple copies of SmPortal.dll, because then it is difficult to determine which copy Windows elected to use.

Client Side (SmPortal) Errors

AGENT_FAILURE(-1)

This is, by far, the most frequent error encountered. It indicates that the SiteMinder Policy Server could either not be contacted (rare) or that the Policy Server refused the connection (very common). This is caused by either the agent not being defined on the Policy Server or a mismatch on the shared secret.

The best way to troubleshoot this error is to examine the SiteMinder console log (usually of the Authentication service), looking for entries denying a connection by an agent. The messages there are often cryptic, so check carefully the definition of the agent, especially the name of the agent (it is case-sensitive) and its shared secret.

This error should be considered equivalent to error -17, described below. Different versions of the SiteMinder Agent API return different errors, so you might see either error.

NOT_IMPLEMENTED (-11)

The application requested a function that is not currently implemented in SmPortal. This generally means that the service either requires a later version of SmPortal or that there is a significant problem with the application. Contact your application (or API) developer for resolution.

ERROR (-12)

This error indicates that a fault was detected during processing. This generally indicates a programming error.

ACCESS_DENIED (-13)

Indicates that the application program is not authorized to call into the Portal. This indicates a programming error in the application or API. Contact your application (or API) developer for resolution.

NO_AGENT (-14)

This error indicates that the Agent entry specified for the service could not be located in SmPortal.cfg. Check to make sure that the agent configured for this service is defined in the file.

NO_SECRET (-15)

SmPortal was unable to determine the shared secret for the specified agent. Check to ensure that a secret is defined for this service's agent.

NO_SERVERS (-16)

This error indicates that there are no servers defined for this agent in the SmPortal.cfg file.

AGENT_INIT (-17)

This error indicates that the SiteMinder Agent API could not be initialized. Typically, this error is returned if:

  1. The server could not be found at the specified IP address;
  2. The wrong port is configured for the server;
  3. The agent name is undefined on that SiteMinder Policy Server;
  4. The agent defined on the SiteMinder Policy Server should not be coming from that IP address;
  5. The shared secret is wrong.

The Agent API intentionally does not distinguish between these errors. To do so would make cracking security significantly easier. To determine which of these cases is the actual cause, examine the Authentication Server's console log (on the Policy Server).

NO_SERVER_IP (-18)

This error indicates that one of the servers defined for the agent was not defined elsewhere in the SmPortal.cfg file. Make sure that all of the servers defined for the Agent are defined with, minimally, an IP address (and that the IP address is not blank).

INVALID_CALL_HANDLE (-19)

This is an internal application error indicating that the application passed an invalid handle to the SmPortal API. This indicates a programming error in the application or API. Contact your application (or API) developer for resolution.

NO_DYNAMIC_LIBRARY (-20)

The dynamic library (SmPortal.dll on Windows NT, libSmPortal.so on Solaris) could not be located. Update your PATH (Windows) or LD_LIBRARY_PATH (Solaris) environment variable in the context of the running user so that the dynamic library can be found. This error may also occur if the library can be located, but cannot be loaded because of another dependency.

NO_CONFIGURATION (-21)

The SmPortal configuration file (usually SmPortal.cfg) could not be located or opened. This usually means that the file either doesn't exist, is in the wrong place, or there is a missing or improperly set environment variable.

Server Side (SmTransact) Errors

All of these errors indicate a problem on the Policy Server.

INPUT_TOO_SMALL (1)

This error occurs when attempting to communicate with SmTransact without using SmPortal. It should never occur under normal circumstances.

NO_SERVICE (2)

This error occurs when attempting to communicate with SmTransact without using SmPortal. It should never occur under normal circumstances.

NOT_INSTALLED (3)

The service is not installed on the Policy Server.

BUFFER_VIOLATION (4)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

APPLICATION (5)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

BAD_SERVICE (6)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

LIB_PROBLEM (7)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

OUTPUT (8)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

NOBUFFER (9)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

CHUNKING (10)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

LIB_INIT (11)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

LENGTH_MISMATCH (12)

This indicates a programming error in the service provider. Contact your service provider developer for resolution.

VERSION (13)

Indicates that the version of SmPortal.dll and the version of SmTransact.dll do not match. You will need to upgrade one or the other.

SiteMinder Authentication Log

SmTransact keeps logs of virtually all of its activities. Most operational activity and errors are logged in the SiteMinder Policy Server console log (by default, in the Authentication Service log).

If trace and debug logging are enabled for a service, the messages are also placed into the SiteMinder console log.

New passwords chosen by users are always rejected

The password policy may be too strict or improperly configured. Review your password policy defined in APS.CFG. Check the Content Minimums options for consistency: if the sum of Letters plus Digits, for example, is greater than Maximum Password Length, no password could meet the criteria and all passwords will be rejected. Use the APSTestSettings utility to determine the settings in effect for the user having the problem.

Also check the SiteMinder Authentication Service Console Log. APS almost always logs even more information about a password content rejection to the log that it displays to the user. For example, if the password is rejected because it matches all or part of the user's profile, the actual attribute that matched is logged to the console log.

User Accounts are mistakenly disabled

No users in any user directory may have exactly the same username. If accounts with identical usernames exist in these separate directories, some or all of these accounts may be disabled at random. See the description associated with the "Failure Count Timeout" setting in the APS Configuration File for more information, restrictions and related issues.

All (or many) accounts are disabled when a single user fails authentication

This occurred at one site when the User prefix/suffix combination was incorrectly defined in the User Directory entry in SiteMinder's Policy database. The prefix had a wildcard that caused all (or many) user accounts to be checked during authentication.

APS does not disable LDAP user accounts

LDAP directories must not be read-only. Advanced Password Services saves information to each user's record in the LDAP directory, so the directory must not prevent active writing.

If you are using multiple LDAP Directory servers in a Master/Slave replication arrangement, you will have to use the write back settings. See the associated settings in the chapter entitled The APS Configuration File.

Automated Email Notification does not send email

Verify that your SMTP settings are configured correctly. Check the SiteMinder Authentication Server Console log (with maximum tracing enabled) to see if any messages are logged from Advanced Password Services or from APSMail. Use APSMailTest to determine if your settings are correct. Try logging mail to a log file.

Verify that the automated email settings in the APS Configuration File are set properly.

Ensure that an email file exists for the proper event for the particular language and that its format is correct and complete. You can use APSMailTest to check this.

Check the error logs on your SMTP server.

Windows NT Users cannot change passwords

When using Windows NT domains, ensure that the global password policy does not require users to log in to the domain in order to change their passwords. CA is working with Microsoft to determine why 0x8007054B (and other) errors occur when this flag is set and the user attempts to change their own password. This problem only occurs for Windows NT domains; it does not occur for other directory types.

"Change Password Service is not configured correctly"

This error message is displayed by SmCPW if the SMCPW response is not connected (or returning data) to the SmCPW page. SmCPW requires that a specific SiteMinder response be sent to it by SiteMinder. This response is an Active Attribute obtained via a call into the "smaps" library to a function called "SMCPW". If this response does not exist, is improperly formed, or is not connected to the SmCPW rule within the SiteMinder Policy, this error will occur. Note that the text of the error may vary if the Language file translates the text.

Error reading user entry ("Not Found") during password change

This is usually caused by bad Access Control Information (ACI) that prevents a user from reading their own record. During password change operations, APS uses the user's own credentials to bind to the LDAP directory. If these credentials have insufficient access, the Directory Provider will report that the record could not be found. There is no way for APS to identify the difference.

User is asked to authenticate during the FPS process

This means that the presentation pages or one of their components are protected. Check the SiteMinder authorization (AZ) log to see what page is being accessed.

Usually, the culprit is a cascading style sheet, a frame, or a graphic.