SSO Plugin. J System Solutions. Troubleshooting SSO Plugin - BMC AR System & Mid Tier.

Transcription

1 SSO Plugin Troubleshooting SSO Plugin - BMC AR System & Mid Tier J System

2 JSS SSO Plugin Troubleshooting Introduction... 3 Common investigation methods... 4 Log files... 4 Fiddler... 6 Download Fiddler... 6 Installing Fiddler... 6 Configure the browser to use Fiddler... 7 Starting Fiddler... 7 HTTPS Traffic... 7 Verifying Service Principle Names (SPNs)... 9 The setspn utility... 9 See accounts that are set to which SPN... 9 Duplicate SPNs... 9 Removing an SPN Understanding logging in BMC AR System Troubleshooting steps Troubleshooting Appendix A: Acronyms, Abbreviations & Definitions... 22

3 Page 3 of 22 Introduction This document provides a list of troubleshooting methods used with the JSS products along with the steps to resolve the most common issues customers face If there are any questions, do not hesitate to contact JSS support.

4 Page 4 of 22 Common investigation methods The following section describes the common tasks used to diagnose any issues with SSO Plugin. Log files This section describes the common log files used within SSO Plugin and how to enable them. Product Description Purpose Default location How to enable Product Description Purpose Default location BMC AR System AREA plugin The SSO Plugin AREA module writes to this file. Verification that the SSO Plugin AREA module has loaded and configured correctly. This file is written to on AR Server start-up, AR System configuration changes and on every authentication attempt. Windows - C:\Program Files\BMC Software\ServerName\Arserver\db UNIX/Linux - /opt/bmc/arsystem/db Login to the application as an administrative user Open the AR System Administration Console Click System from the navigation pane Click General Click Server Information Click Log Files tab Click the Plug-in Server checkbox Make a note of the Plug-in log file name Select ALL from the Plug-in Log Level drop down Click Apply Apache Tomcat The SSO Plugin Mid Tier module writes to this file. Verification that the SSO Plugin Mid Tier module has loaded and configured correctly. This file is written to on Mid Tier start-up, SSO Plugin configuration changes and all Mid Tier authentication requests. Windows - C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs UNIX/Linux: This will depend on the OS and installation method. Here is the example of a default location /opt/apache/tomcat6.0/logs Tip: To help find the process Id of Tomcat type: ps -ef grep tomcat Which will return something like this; note the PID is 404: root :41 00:00:39 /usr/jdk1.7.0_02/jre/bin/java - Djava.util.logging.config.file=/opt/apache/tomcat To help find the log file type lsof -p PID where PID is the process id of your Tomcat server. In the above example, it was 404 lsof -p 404 grep "tomcat6.0/logs" Which will return something like this: java 404 root /opt/apache/tomcat6.0/logs/stdout log How to enable Via a browser, enter the following URL:

5 Page 5 of 22 On the left pane above the Login button: o on BMC Mid Tier, enter the same password used for the configuration eg /arsys/shared/config/config.jsp, (the installation default is arsystem). o on other deployments, enter the SSO Plugin administration password (the installation default is jss). Click Configuration. Select the desired log level from the Log Level menu. It is recommended that Trace be selected for investigating any issues and Severe for normal operating times. Click Set Configuration.

6 Page 6 of 22 Fiddler Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and a web engine e.g. Tomcat running Mid Tier. Fiddler is freeware and can debug traffic from virtually any application that supports a proxy, including Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, Opera, and more. Download Fiddler To download Fiddler, go here: Installing Fiddler Select 'Run' from any Security Warning dialog. Agree to the License Agreement. Select the install directory for Fiddler.

7 Page 7 of 22 Click 'Close' when installation completes. Configure the browser to use Fiddler Follow these steps for the following browsers: IE, Chrome and Safari. To capture traffic from most browsers, enable File > Capture Traffic. When using FireFox: Click Tools > Options > Advanced > Network > Settings > Use System Proxy Settings Starting Fiddler Find Fiddler2 from the Windows start menu or type fiddler2 in the Start button >> Run HTTPS Traffic If you are using secure socket layer (SSL), you will be accessing the BMC Mid Tier with https in the URL bar. This encrypts traffic and therefore you need to tell Fiddler to decrypt it. To do so click Tools > Fiddler Options When the dialog appears, select "Decrypt HTTPS traffic" and click OK.

8 Page 8 of 22

9 Page 9 of 22 Verifying Service Principle Names (SPNs) The following section will help diagnose SPN specific issues. A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. The service account configuration is stored in the SSO Plugin configuration linked from the SSO Plugin status page, ie. on BMC Mid Tier, on HP Service Manager. Example screenshot here: The setspn utility SetSPN is a built in utility with Windows Server 2008 and Server 2008 R2 for most releases, and is also available in the Windows Support Tools. You don t have to download SetSPN to use it. You can run SetSPN from member servers or workstations. It can be used to add and delete Service Principal Names to/from an Active Directory account, and search for duplicate SPNs that cause Kerberos to stop working. See accounts that are set to which SPN To list the SPNs assigned to an account do the following C:\Users\administrator.DEV>setspn -L JSS-SSO-SERVICE Registered ServicePrincipalNames for CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=j avasystemsolutions,dc=local: HTTP/w7604.dev.javasystemsolutions.local The example above shows the SPN of HTTP/w7604.dev.javasystemsolutions.local is set to the domain account of JSS-SSO-SERVICE. Duplicate SPNs Kerberos will not work if there are duplicate SPNs, ie the same hostname (HTTP/myJava web server.domain.com) is registered to two different computer or user accounts. Microsoft's update to setspn (KB970536) has a new feature which can search for duplicate accounts. Simply run: setspn -X. If any duplicates are listed the remove the incorrect entries using: setspn -D. Example use of using setspn to find duplicates SPNs for the same Mid Tier and finding none C:\Users\administrator.DEV>setspn -x Checking domain DC=dev,DC=javasystemsolutions,DC=local Processing entry 0 found 0 group of duplicate SPNs. Example use of using setspn to find duplicates SPNs for the same Mid Tier and finding two accounts are assigned to the same Mid Tier. JSS-SSO-S1 and JSS-SSO-SERVICE. This would stop SSO working. C:\Users\administrator.DEV>setspn -x Checking domain DC=dev,DC=javasystemsolutions,DC=local Processing entry 0

10 Page 10 of 22 HTTP/w7604.dev.javasystemsolutions.local is registered on these accounts: CN=JSS-SSO-SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local CN=JSS-SSO-S1,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local found 1 group of duplicate SPNs. Removing an SPN The above example shows that the computer w7604.dev.javasystemsolutions.local has two SPNs against it. One SPN can be registered against multiple hosts but multiple SPNs cannot be assigned to a single host. Here is an example of how to remove an SPN. C:\Users\administrator.DEV>setspn -D HTTP/w7604.dev.javasystemsolutions.local JSS-SSO-SERVICE Unregistering ServicePrincipalNames for CN=JSS-SSO- SERVICE,CN=Computers,DC=dev,DC=javasystemsolutions,DC=local HTTP/w7604.dev.javasystemsolutions.local Updated object

11 Page 11 of 22 Understanding logging in BMC AR System There are two modules used in SSO Plugin. The first is an AR External Authentication (AREA) plugin which is installed on all AR Servers. This module writes to the standard BMC arplugin log file, enabled through the AR System Administration Console. The module uses three log levels described below. AR Plug-in Log level Config Description This level is used with these events: AR System startup AR System restart Configuration change via the AR System Configuration Console Configuration change via the SSO Administration Console This level describes the SSO Plugins AREA Plugin modules configuration including the license and the SSO enabled Mid Tier IP addresses. Lines within the log file can be identified by the following: <JSS.AREA.SSO> <CONFIG> Finest The Finest log level is the most verbose and contains a lot of information. Some information will only be useful to JSS support to understand the flow of the data for example keys and encryption information. This level is used with these events: AR System startup AR System restart Configuration change via the AR System Configuration Console Configuration change via the SSO Administration Console Authentication attempts When this level is enabled, failure of SSO attempts will be evident with lines identified by the following: <JSS.AREA.SSO> <FINEST> Severe The Severe log level is typically enabled on production systems and is the least verbose of all the logs. The events which trigger the output of this information to the log file is considered serious and would stop SSO working for all users. An example of this information is visible in the log file when the SSO Plugin AREA module is unable to communicate with the AR Server it is installed to: <JSS.AREA.SSO> <SEVERE> Error: messagenum:90 messagetext:cannot establish a network connection to the AR System server appendedtext:<yourservername>

12 Page 12 of 22 Troubleshooting steps The following flow chart details the troubleshooting steps. If the issue is not resolved, collate screenshots and logs and them to

13 Page 13 of 22 Troubleshooting java.lang.classnotfoundexception or NoSuchMethodException appears in the Java web server logs or in the browser Stack traces appear in the logs or web browser that look similar to: java.lang.classnotfoundexception: com.javasystemsolutions.mt.sso.jssauthenticator org.apache.catalina.loader.webappclassloader.loadclass(webappclassloader.java:1 387) 11-Apr :33:59 org.apache.catalina.core.standardcontext filterstart SEVERE: Exception starting filter spnego java.lang.classnotfoundexception: com.javasystemsolutions.mt.sso.spnegohttpfilter org.apache.catalina.loader.webappclassloader.loadclass(webappclassloader.java:1 387) The jss-sso.jar file was not found in the WEB-INF/lib directory of the Java web server (Tomcat), or is the wrong version after an upgrade. This error typically indicates that not all files have been copied into the correct directory in the Java web applicaiton server. All files within the SSO Plugin download midtier or webtier directory must be copied to the Java web application installation directory. a screenshot of the WEB-INF/lib directory to support@javasystemsolutions.com Windows credentials dialog pop-up when attempting to authenticate When attempting to authenticate via a browser, the user is prompted for Windows credentials. Screenshot example from IE:

14 Page 14 of 22 In order to use Single Sign On (SSO), the client machine needs to be logged into the domain. The dialog is appearing because the browser believes that the user is not logged into the same domain that is configured or trusted with in the SSO Plugin configuration page. Confirm the following: The user is logged into the same domain or trusted with, that is configured in the Mid Tier SSO configuration page. Typically Check the users domain by pressing ctrl+alt+del and review the "You are logged in as" dialog. The Windows domain shown must be the target domain and not the local machine name If the above is not present. Run cmd.exe and type the following: net config workstation Make sure the Logon domain is the short domain name and not the local machine name The domain controller should be running Active Directory If using IE o Within IE, click Tools -> Internet Options -> Security -> Local Intranet Zone o Add the Mid Tier host name to the list o o Click Tools -> Internet Options -> Security -> Custom Level Scroll to the bottom and select "Automatic logon only in Intranet zone" If using FireFox o In the URL bar, type about:config o Then type trusted-uri o You will be presented with network.automatic-ntlm-auth.trusteduris and network.negotiate-auth.trusted-uris. Type the Mid Tier hostname from the URL into these fields If your browser is configured to use a proxy server, the target website may need to be added to the proxy exceptions list as SSO is known to be problematic through some proxies Ensure the clocks on the workstation and the AD are set correctly. Kerberos authentication can fail if the clocks are skewed Click here for instructions on how to capture a Fiddler trace and the.saz file to support@javasystemsolutions.com Browser presents HTTP status code of 400 Some users are seeing HTTP status code of 400. Especially when using BMC ITSM. A Fiddler trace is showing HTTP/ Bad Request By default, Tomcat has a hard coded HTTP header limit of 4Kb. If the Kerberos token exceeds 4Kb then Tomcat returns the status code 400 without passing the request to the Java web server. The Kerberos token contains group information. IF the user is a member of many groups then this token can become large. Increase the header size in Tomcat. Open the Tomcat server.xml in a text editor Search for the HTTP connector <Connector port="8080" protocol="http/1.1" Add a maxhttpheadersize attribute, which is given a value in bytes (65536 is 64Kb) <Connector port="8080" protocol="http/1.1"

15 Page 15 of 22 maxhttpheadersize="65536" Save and restart Tomcat the server.xml to My Windows account keeps getting locked out Error messages appear that the users account is locked out The plug-in log file has the following: The clients IP x.x.x.x was not in the list of Mid Tier addresses configured in the SSO Administration Console. The plug-in log file has the following: The clients network address is x.x.x.x which is not in the list of SSO enabled Midtier IP addresses This possibly indicates that one or more of the AR Servers are not correctly configured to use SSO Plugin. If the BMC AREA LDAP plugin is being used, the correct configuration employs the BMC AREA Hub, of which the SSO Plugin is used first, then the BMC AREA LDAP is second. If SSO is incorrectly configured, the SSO tokens are passed to the domain controller as passwords, which will always be incorrect for any user. Therefore some domain policies, such that a number of incorrect passwords, will lock the account. All AR Servers that are processing user authentication requests must be SSO enabled and correctly configured. This can be investigated by enabling the AR System Plug-in logging and setting the Plug-in Log Level to ALL. It is typical to see the following in this instance: <JSS.AREA.SSO> <FINEST> The clients IP x.x.x.x was not in the list of Mid Tier addresses configured in the SSO Administration Console. Then you may see: The plug-in log file has the following: The clients network address is x.x.x.x which is not in the list of SSO enabled Midtier IP addresses To resolve this, follow these steps: Login to the application as an administrative user Open the SSO Administration Console Add the above IP address to the list of IP addresses, separated by semi - colon. E.g ; the full AR plug-in log file to support@javasystemsolutions.com Test SSO works but the Mid Tier home takes me to a login screen Test SSO works but the Mid Tier home takes me to a login screen The test SSO link, displays a successful authentication to the authentication service configured. It does not attempt to connect to the AR Server. Browsing to the application, for example the home page, will cause SSO Plugin to contact the AR Server and in doing so, will cause the SSO Plugin AREA module to verify the connection is coming from a verified SSO enabled Mid Tier. One of those checks includes verifying the IP address is in a list in the SSO Administration Console. If it isn t then the connection is refused. All AR Servers that are processing user authentication requests must be SSO enabled and correctly configured. This can be investigated by enabling the AR System Plug-in logging and setting the Plug-in Log Level to ALL.

16 Page 16 of 22 It is typical to see the following in this instance: <JSS.AREA.SSO> <FINEST> The clients IP x.x.x.x was not in the list of Mid Tier addresses configured in the SSO Administration Console. Then you may see: The plug-in log file has the following: The clients network address is x.x.x.x which is not in the list of SSO enabled Midtier IP addresses To resolve this, follow these steps: Login to the application as an administrative user Open the SSO Administration Console Add the above IP address to the list of IP addresses, separated by semi - colon. E.g ; Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then the full plug-in log file(s) and a screenshot of to support@javasystemsolutions.com Pre-authentication information was invalid (24) / KDC has no support for encryption type (14) When clicking Set Configuration on the SSO Plugin configuration page, you are presented with the following text: Pre-authentication information was invalid (24) / KDC has no support for encryption type (14) This error is possibly caused by a number of issues. Either the Check the service account details are correct in the SSO Plugin configuration page The service user and password should be verified with the AD administrators. If a krb5.conf file is being used, then please compare it with the example provided in the SSO Plugin evaluation download. This can be found in the WEB-INF/classes directory. If the above account details are correct. Then create a new service user account and assign the SPNs to the new account. To do so, you have to remove the existing SPNs from the old service user before assigning the new values. Example: Using the above Service User example SSOKERBMT01 and the Mid Tier host name is mthost01 and there is a load balancer in front called lb01 Remove the existing SPNs Syntax Example : setspn -d HTTP/midTierHostName yourdomain\serviceusername setspn -d HTTP/mthost01 mydomain\ssokerbmt01 setspn -d HTTP/lb01 mydomain\ssokerbmt01

17 Page 17 of 22 Create a new service user account in the domain and assign a password o For instruction purposes, let s assume the new account is called SSOKERBMTNEW o Ask the AD administrators to tick Do not require Kerberos preauthentication in the user account options. Add the SPNs to the new service account o Set the SPNs for the Mid Tier host NetBOIS name and fully qualified domain name setspn -A HTTP/mthost01.mydomain.com mydomain\ssokerbmtnew setspn -A HTTP/mthost01 mydomain\ssokerbmtnew o Set the SPNs for the load balancer NetBOIS name and fully qualified domain name setspn -A HTTP/lb01.mydomain.com mydomain\ssokerbmtnew setspn -A HTTP/lb01 mydomain\ssokerbmtnew Update the SSO Plugin configuration page with the new service user name and password. Click Set Configuration In the event the above doesn t work ask the AD administrator to send a screenshot of the group policy for Computer configuration -> Windows settings -> Security settings -> Local policies -> Security options -> Network security: Configuration encryption types allowed for Kerberos, as seen in this screenshot: the full Java web engine (e.g Tomcat) stdout log file and a screenshots of to support@javasystemsolutions.com This computer account is in use by another SSO Plugin configuration When submitting the SSO Plugin configuration page in Mid Tier, the following message can appear: This computer account is in use by another SSO Plugin configuration. Service (Computer) accounts cannot be used by more than one Mid Tier instance. This means the NTLMv2 computer account is in use by another Mid Tier registered with AR System.

18 Page 18 of 22 However, due to the way SSO Plugin matches the configuration (in the JSS:SSO:MidTierConfig form within the AR System) with a Mid Tier instance, it is possible for a duplicate row to be generated (if a Mid Tier is re-installed, for example) and hence SSO Plugin believes two Mid Tiers share the same computer account. If there are more than one Mid Tier instance connecting to the same AR System. Then follow these steps Create a unique service (computer) account for all Mid Tier instances. This can be done using the set-service-account.cmd script found in the evaluation download or it can be created manually. Instructions and more information can be found in the following online document: /documentation/ssoplugin/jss-ssoactive-directory-integration.pdf Once the account has been created, apply the service account name and password to the SSO Plugin configuration page typically found at under the configuration link If there is only one instance of Mid Tier connecting to the same AR System or all Mid Tier SSO configurations have been verified to have unique service (Computer) accounts, then follow these steps To resolve this warning if it is due to duplicate entries, locate and delete the duplicate entry in the form. Field 8 contains the unique key (in the format hostname-id), and the ID of a Mid Tier can be found in the Mid Tier config.properties file. Or you can delete all the rows that refer to the host and resubmit the configuration. This warning can be safely ignored if it due to duplicate configurations. Login to the application as an administrative user. Open the JSS:SSO:MidTierConfig form Search for all entries Take a screenshot of the unique values. Example screenshot below: the screenshot and the Java web server (Tomcat) stdout file to support@javasystemsolutions.com # Kerberos error: Channel binding mismatch The following error is displayed in the SSO Plugin configuration form when clicking Set Configuration. The following error was in the Java web server log. Various Kerberos errors relating to channels can appear on older 1.6 JVMs. Please upgrade to the latest 1.6 or 1.7 JVM from the Oracle website. Browse to replacing yourmidtierhost with your own Mid Tier hostname and the results to support@javasystemsolutions.com

19 Page 19 of 22 SSO Fails for users with administrator permissions Browsing to the testsso.jsp link works and shows the green status bar but browsing to Mid Tier home redirects to the login page. If the users BMC AR System user account has a password then SSO cannot work. This is the applications way of having an SSO on/off switch per user. The setting Cross-Ref-Blank-Password found in the ar.cfg/ar.conf files on the BMC AR System server mean that if a user with a blank password in the user form attempts to login, the standard authentication method is not used and to pass on the information to an external source. In this example it will be single sign on. This does not mean someone typing a user name and a blank password can login. SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the user form. However this does not work if the user has administrator permissions. Remove the password of the users account in the BMC AR System user form. Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then the full plug-in log file(s) and a screenshot of to support@javasystemsolutions.com SSO Plugin feature "Automatically SSO enable accounts" not working Browsing to the testsso.jsp link works and shows the green status bar but browsing to Mid Tier home redirects to the login page. SSO Plugin has a feature called "Automatically SSO enable accounts" which will automatically remove the password in the user form which will enable the user to use SSO. However this does not work if the user has administrator permissions. Remove the password of the users account in the BMC AR System user form. Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then the full plug-in log file(s) and a screenshot of to support@javasystemsolutions.com "Force password change on login" not being updated by SSO Plugin When the SSO Plugin feature "Automatically SSO enable accounts" is enabled in the SSO Plugin configuration screen, some accounts still have the "Force Password Change On Login" checkbox checked. User accounts are only updated, to clear the checkbox, if the group field does not contain the Administrator permission. Manually update the user account to de-select the "Force Password Change On Login" feature. Take screenshots of the users account in the user form and it to support@javasystemsolutions.com

20 Page 20 of 22 Using an F5 load balancer, the users is directed to the login screen even when testsso.jsp works We have noticed some odd behaviour in the way IP addresses are reported to AR System server when using an F5 load balancer. When the Test SSO functionality attempted to make a connection to AR System server, the IP address of the host running Mid Tier was passed and when accessing Mid Tier home, the IP address of the F5 was passed. The F5 is somehow modifying the Mid Tier IP address. Login to the application as an administrative user. Open the SSO Administration Console. Add the F5 IP address to the list of IP Addresses, separated by a semicolon. Click Save Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then the full plug-in log file(s) and a screenshot of to support@javasystemsolutions.com I can view the default IIS home page but I can't access the Java web server at all. Whilst the Java web server on Tomcat appears to be running, and IIS serves static files like /iisstart.htm correctly, attempting to connect to Java web server via IIS gives an IE "Cannot find server or DNS Error" error page. Checking the Windows Event Viewer shows that IIS is crashing when an attempt is made to access Tomcat via the Jakarta ISAPI Redirector. The server in question was a 64-bit Windows 2003 Server Hyper-V VM, with IIS configured to run 32-bit ISAPI extensions. However other VMs with the same setup have not demonstrated this behaviour. It is not a well-known bug or one that has affected us before. It occurs whether or not SSO Plugin is installed. The version of Java web server installed was 7.1. The solution is to replace the isapi_redirect.dll file with an up-to-date version from Apache, such as: k /isapi_redirect dll (For a 64-bit machine running native 64-bit ISAPI extensions, the file under 'win64' should be used instead.) To replace the ISAPI extension, go to Administrative Tools -> Services and shut down the World Wide Web Publishing service and HTTPS SSL. Find the DLL in 'Program Files' - (x86) if running 32-on-64 - 'Apache Software Foundation\Jakarta ISAPI Redirector\bin' and rename it to isapi_redirect-old.dll. Save the new DLL here and rename it simply isapi_redirect.dll. Restart the stopped services. screenshots to support@javasystemsolutions.com We are using IIS and I am prompted for my Windows login and they are not accepted The customer is running IIS and browsing to the Mid Tier home page. A standard Windows authentication dialog appears. Upon entering the users credentials the same box appears as if the details were wrong even though the customer confirms the details are correct. If you have run the set-service-account.cmd script on the Active Directory and entered the hostname of the machine running IIS, the IIS server will not be able to

21 Page 21 of 22 authenticate the tokens sent to it by your browser. Running this script is not required when using an IIS front end it's only used when configuring SSO Plugin's built-in authentication (i.e. that provides Windows authentication without the need for IIS). To resolve the problem, remove the JSS-SSO-SERVICE Computer account created in the Active Directory by the set-service-account.cmd script, and then clear the Kerberos tokens cached on the client desktop using the kerbtray.exe tool provided in the Windows 2000 Resource Kit, or wait ten minutes for the local machine to remove the tokens from its cache. screenshots to NTLM authentication sometimes fails through an F5 load balancer According to a Fiddler trace, NTLM authentication is failing for some users. The F5 product has a feature called OneConnect. Due to a bug in some versions of F5, it must be switched off if NTLM is in use, as it will be with an IIS front end to Tomcat. The issue is discussed in this support entry: screenshots to support@javasystemsolutions.com The following message is seen in the arplugin log "[81211] ARERR90 Unable to connect to AR System, sleeping 30 seconds..." If you see the following in the arplugin log file, then this indicates that there is a connection problem for the plugin to communicate back the the AR Server. Look at the log for <JSS.AREA.SSO> <SEVERE> AR Server Connection... And verify the connection details including the TCP and RPC port. You may see this at the start of your arplugin log but then after a few 30 second intervals the plugin continues. This is due to some AR Servers being slow to start up which is fine and thus can ignore this error. If this error persists then this could mean the AR Server is not working, crashed or too busy. Enable the arplugin logging within the AR System Administration Console. Set the plug-in log level to ALL. If using a server group then do this on all AR Servers. Attempt the authentication then the full plug-in log file(s) to support@javasystemsolutions.com HTTP Error Code: 500 JSPG0049E: /jss-sso/index.jsp failed to compile : Using IBM Websphere and browsing to pages within the jss-sso application, the user is presented with the above error. If you are using IBM Websphere 7, use WAS to ensure the com.ibm.ws.jsp.jdksourcelevel custom property is set to 16 on the web extension file all Websphere logs to support@javasystemsolutions.com

22 Page 22 of 22 Appendix A: Acronyms, Abbreviations & Definitions JSS SSO Plugin Tomcat IIS Websphere Fiddler Service Principle Name (SPN) BMC ARS Mid Tier Description Company name Java System Product name for Single Sign On (SSO) Java web server produced by the Apache Foundation Internet Information Service produced by Microsoft IBM WebSphere is a brand of software products Free web debugging tool which logs all HTTP(S) traffic between your computer and the Mid Tier. Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. BMC Remedy Action Request System is the workflow engine produced by BMC HTTP middleware from BMC.