Kbase P150513: How to Troubleshoot AdminServer Single Sign On Issues?
Author | Progress Software Corporation - Progress
Access | Public
Published | 22/03/2010
Status: Verified
GOAL:
What is SSO (Single Sign on)?
GOAL:
What is AdminServer Single Sign On process?
GOAL:
How to debug AdminServer single sign on issues?
GOAL:
How to debug AdminServer local password issues?
GOAL:
How to debug AdminServer system password issue?
GOAL:
How to debug error 9908 and 9909?
GOAL:
<user,time> System generated password has expired (9908)
GOAL:
Error, system generated Password <password> is not valid, user and host are <user> <host> (9909)
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.x
OpenEdge 10.x
FIX:
When an AdminServer client connects to an AdminServer on the same host, the default behavior is to use Single Sign-On (SSO) so that the user does not have to use their user-id and password to authenticate again. The SSO feature is not used when:
1) The -host option is used (even when the host name points to the local system)
2) The -user option is used and the account name does not match what is recorded in the user's OS process
The SSO feature uses one-time generated passwords in combination with the client's OS process user-id. The one-time password is an encoding of multiple pieces of information that include the local system's DNS host name, user-id, and others. The SSO password also has an expiration time so that it cannot be copied and used later by intruders. The expiration time is 90 seconds, and can be adjusted to compensate for JVM clock skew.
The "system generated password" in errors 9908 and 9909 is the SSO password. When any of the encoded pieces does not match, error 9908 or 9909 is raised.
The following is debugging information:
A tracing capability for SSO password generation and validation was added in 10.1a and later OE releases. It simply outputs information to the console's STDOUT. To trace SSO password generation and validation you need to perform three steps:
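To make the mechanism concrete, here is an added illustration (not Progress code, and not the real AdminServer encoding, which this article does not document) of a one-time password that binds the user-id, the resolved local host name and the generation time, and of the validation that produces the two outcomes the article maps to errors 9908 and 9909. The HMAC key, the payload layout and the short-name resolution are constructed assumptions; the 90-second window and the check direction follow the trace in this article.

```python
import base64
import hashlib
import hmac

WINDOW_MS = 90000   # the article's 90-second expiry window, in milliseconds
TAG_LEN = 12
# Constructed demo key. The real AdminServer binds the token to the local
# process and host by other means; this key only stands in for that binding.
DEMO_KEY = b"constructed-demo-key"


def resolve_host(local_host_name):
    """Mimic the 'resolved local host name' step in the trace: keep the short name."""
    return local_host_name.split(".")[0]


def generate_auto_password(user, local_host_name, now_ms, key=DEMO_KEY):
    """Client side: bind user, resolved host and generation time into one token."""
    payload = f"{user}|{resolve_host(local_host_name)}|{now_ms}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")


def validate_auto_password(token, user, local_host_name, now_ms,
                           window_ms=WINDOW_MS, key=DEMO_KEY):
    """Server side. Returns (ok, error_number, detail); error_number 0 means passed.

    9909 = token not valid for this user/host (article's 'is not valid' error),
    9908 = token outside the time window (article's 'has expired' error).
    """
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return (False, 9909, "token is not decodable")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if len(raw) <= TAG_LEN or not hmac.compare_digest(tag, expected):
        return (False, 9909, "token integrity check failed")
    try:
        token_user, token_host, decode_ms = payload.decode().split("|")
        decode_ms = int(decode_ms)
    except ValueError:
        return (False, 9909, "token payload malformed")
    if token_user != user:
        return (False, 9909, f"token user {token_user!r} does not match {user!r}")
    if token_host != resolve_host(local_host_name):
        return (False, 9909, f"token host {token_host!r} does not match resolved local host")
    # Same check the trace prints: fail when delta < -window or delta > window.
    delta = now_ms - decode_ms
    if delta < -window_ms or delta > window_ms:
        return (False, 9908, f"delta {delta} ms outside +/-{window_ms} ms window")
    return (True, 0, f"passed password check (delta {delta} ms)")


if __name__ == "__main__":
    # Times taken from the first validation in the article's trace.
    tok = generate_auto_password("johnsmith", "myhost.bedford.progress.com", 1249046207782)
    print(validate_auto_password(tok, "johnsmith", "myhost.bedford.progress.com", 1249046207878))
    print(validate_auto_password(tok, "johnsmith", "otherhost.example.com", 1249046207878))
    print(validate_auto_password(tok, "johnsmith", "myhost.bedford.progress.com", 1249046207782 + 100000))
```

The `window_ms` argument plays the role of the adjustable expiry mentioned above: a token rejected with 9908 at 90 seconds passes once the window is widened to cover the observed clock skew, while a host or user mismatch stays a 9909 no matter how wide the window is.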
1) Edit the proadsv[.bat] script and add '-Dtracesso=1' to the list of Java properties given to jvmStart. This turns on tracesso for the AdminServer.
2) Edit the ubutil[.bat] script and add the same '-Dtracesso=1' to the list of Java properties given to jvmStart. This turns on tracesso for the *man command line AdminServer clients.
3) Start the AdminServer using proadsv and invoke interactive mode (to stop the AdminServer from going into Daemon mode and closing STDOUT)
./proadsv -start -interactive true [any other options here]
What you should see on the AdminServer is the initial user login that validates that the user has permission to start the server, followed by the validation information each time a client connects to the AdminServer.
Example:
./proadsv -start -port 2293 -adminport 22932 -interactive true
***** Generating auto-password using johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** client generated password: tfcks5rf2beeeyv66wu6u7x41wln2
***** returning auto-password tfcks5rf2beeeyv66wu6u7x41wln2
***** Auto-validating johnsmith (tfcks5rf2beeeyv66wu6u7x41wln2)
***** using auto-username johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** using decode Time: 1249046207782
***** using current Time: 1249046207878
***** using delta Time (current - decode): 96
***** check of delta time < : -90000
***** check of delta time > : 90000
***** passed password check
AdminServer>***** Auto-validating johnsmith
AdminServer>(xp6wgyv4cxa869g1y9yt1m761:vhe)
***** using auto-username johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** using decode Time: 1249046268664
***** using current Time: 1249046269155
***** using delta Time (current - decode): 491
***** check of delta time < : -90000
***** check of delta time > : 90000
***** passed password check
***** Auto-validating johnsmith(0igtwfdazg4bj:bmscxy5fv413orb)
***** using auto-username johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** using decode Time: 1249046300412
***** using current Time: 1249046300875
***** using delta Time (current - decode): 463
***** check of delta time < : -90000
***** check of delta time > : 90000
***** passed password check
The AdminServer client will look like this (using nsman for this test):
>nsman -query -name NS1 -port 22931 -user johnsmith
OpenEdge Release 10.2B as of Wed Jul 29 18:22:26 EDT 2009
***** Generating auto-password using johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** client generated password: 0igtwfdazg4bj:bmscxy5fv413orb
***** returning auto-password 0igtwfdazg4bj:bmscxy5fv413orb
What to look for:
1) The client generated password value matches the 'Auto-validating' line in the AdminServer trace.
2) The resolved local host names match. If they do not, SSO will fail.
3) The decode time is within +/- 90 seconds of the AdminServer's current time. If it is not, either the password did not come from a live local client (an intruder replaying it) or the Java clock is skewed, and you have to open a wider window than 90 seconds.
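The three checks above can be applied mechanically to the trace output. The following is an added example (not a Progress tool) that parses the `*****` trace lines from both sides and reports whether the client password was seen by the AdminServer, whether the resolved host names agree, and whether each validation's delta time sits inside the window. The sample traces embedded in it are copied from the article's own output above, with the interactive `AdminServer>` prompt removed and the one password that was split across two lines rejoined.

```python
import re

WINDOW_MS = 90000

# Copied from the article's AdminServer trace (prompt removed, split line rejoined).
SERVER_TRACE = """\
***** Generating auto-password using johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** client generated password: tfcks5rf2beeeyv66wu6u7x41wln2
***** returning auto-password tfcks5rf2beeeyv66wu6u7x41wln2
***** Auto-validating johnsmith (tfcks5rf2beeeyv66wu6u7x41wln2)
***** using auto-username johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** using decode Time: 1249046207782
***** using current Time: 1249046207878
***** using delta Time (current - decode): 96
***** check of delta time < : -90000
***** check of delta time > : 90000
***** passed password check
***** Auto-validating johnsmith(0igtwfdazg4bj:bmscxy5fv413orb)
***** using auto-username johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** using decode Time: 1249046300412
***** using current Time: 1249046300875
***** using delta Time (current - decode): 463
***** check of delta time < : -90000
***** check of delta time > : 90000
***** passed password check
"""

# Copied from the article's nsman client trace.
CLIENT_TRACE = """\
***** Generating auto-password using johnsmith
***** local host name: myhost.bedford.progress.com
***** resolved local host name: myhost
***** client generated password: 0igtwfdazg4bj:bmscxy5fv413orb
***** returning auto-password 0igtwfdazg4bj:bmscxy5fv413orb
"""

# 'Auto-validating <user> (<password>)'; the trace sometimes omits the space.
VALIDATE_RE = re.compile(r"\*+ Auto-validating (\S+?)\s*\((.+)\)\s*$")
KV_RE = re.compile(
    r"\*+ (resolved local host name|using decode Time|using current Time|"
    r"client generated password): (.+?)\s*$"
)


def parse_validations(lines):
    """Group the server trace into one dict per 'Auto-validating' block."""
    blocks, current = [], None
    for line in lines:
        m = VALIDATE_RE.match(line)
        if m:
            current = {"user": m.group(1), "password": m.group(2)}
            blocks.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return blocks


def client_password(lines):
    """The 'client generated password' value printed by the *man client."""
    for m in map(KV_RE.match, lines):
        if m and m.group(1) == "client generated password":
            return m.group(2)
    return None


def resolved_hosts(lines):
    return {m.group(2) for m in map(KV_RE.match, lines)
            if m and m.group(1) == "resolved local host name"}


def check_sso_trace(server_lines, client_lines, window_ms=WINDOW_MS):
    """Apply the article's three 'what to look for' checks to a pair of traces."""
    pw = client_password(client_lines)
    validations = parse_validations(server_lines)
    findings = []
    for v in validations:
        delta = int(v["using current Time"]) - int(v["using decode Time"])
        findings.append({"user": v["user"], "password": v["password"],
                         "delta_ms": delta,
                         "in_window": -window_ms <= delta <= window_ms})
    hosts = resolved_hosts(server_lines) | resolved_hosts(client_lines)
    return {"client_password": pw,
            "password_seen_by_server": any(v["password"] == pw for v in validations),
            "hosts_match": len(hosts) == 1,
            "resolved_hosts": sorted(hosts),
            "validations": findings}


if __name__ == "__main__":
    for key, value in check_sso_trace(SERVER_TRACE.splitlines(), CLIENT_TRACE.splitlines()).items():
        print(f"{key}: {value}")
```

A validation whose `delta_ms` falls outside the window is the case the third check describes; when the same client's password is otherwise seen by the server and the hosts match, clock skew is the likely cause and the window is what to widen.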