What would cause SSO to stop working after upgrade?

[Erin Trotter]

I upgraded our dev environment from 8.2.07 to 9.0.3 today. I have 2 issues that I cannot seem to resolve. First of all, now the homepage is prompting for credentials when it was SSO during 8.2.07. Secondly, I am unable to log into my environment in the new App Studio 9.0.3, no matter what credentials I put in. Any ideas?

[Toby Mills]

Hi Erin

When you do an upgrade, you'll find a new folder just under ibiwebfocus82 that is called backup_files - not the one that might have a date on it's filename if you should have 2 backup_files. Just plain backup_files.

Use your favorite file comparison tool to see what's different in the config / securitysettings.xml files to see if you see any differences.

You'll be comparing d:ibiwebfocus82 to d:webfocus82backup_files.

Note that some things in the webfocus.cfg might be in a different order. I think it'd be a good idea to make a backup copy of your newly created entries in your config folder.

Once you've got a backup, you can experiment with filling in things that don't seem to be set right.

That's the approach I'm taking.

What do you guys use for SSO? Was it a custom servlet filter written by the branch in Houston or are you guys using LDAP or AD? I ask because that'll help us understand where to look.

If you're using a custom servlet filter provided by IBI, there are more changes to make that also will be in your backup_files. This would be files way down under d:ibiWebFOCUS82webappswebfocusWEB-INF like web.xml might need some changes. And you may need to copy in some properties that were set under the classes folder and a custom .jar file that would have been given to you by IBI (that jar would go in the lib folder).

I use Beyond Compare from scootersoftware for my comparisons and am currently going through a similar exercise upgrading from 8207 to 9.1. I'm finding some odd password issues in webfocus.cfg where the usual encrypted passwords are not working. We also see some odd path names in webfocus.cfg for 9.1. You'll be able to see these with your file comparison.

Let me know what you use for authentication. If you're not using the servlet filter from IBI, you probably dont need to worry about changes to the webapps folders.

Toby

[Toby Mills]

Hey Erin

One more thing - I wouldn't even worry about getting App Studio working till your have the web interface behaving for you through your browser. Once you get the web part working, you'll probably have luck with App Studio.

[Erin Trotter]

I am about to do the comparison right now. We are using LDAP currently

[Erin Trotter]

I did the comparison and the 2 securitysettings.cfg files are identical. The webfocus.cfg files are identical and the securitysettings-appl.cfg files are identical except for the comments at the top about the versions that have nothing to do with the settings. Any other files that I should compare? I looked for ODIN.cfg. No differences there either.

[Toby Mills]

LDAP typically is not configured in the client anymore. It's mostly reporting server side.

Can you log onto the Reporting Server console okay (typically port 8121)? Maybe you can check your LDAP settings there and do a test logon to see if that works.

I'd start there and make sure the WFRS (webfocus reporting server) is doing it's deal correctly, then move back over to the client to see about it's setup.

There are often 2 parts to SSO - the first is Authentication (userid/pw being valid) then there's Authorization (what groups do you belong to so you can see content you should be able to see.

And not for nothing (as the new yorkers say) but is your WFRS service up and running?

Are you able to logon to the client (good userid / pw) but things go wrong after that (bad authorization)? Just trying to get a feel for where you're broken.

Thanks

[Erin Trotter]

I can log into the reporting server console just fine and I am able to do the test on the LDAP in there and it works correctly

[Erin Trotter]

Also, I can log into the client when I'm prompted for a login, but I have a user that cannot (could be a user error though).

[Toby Mills]

Sounds like things are working for you, but not this other person.

It's possible this is a security zone thing. in comparing your files, did you take a look at all the files that look like securitysettings*.xml? Specifically the one that says zone.

Are you able to log in to the client from any machine, or are you only able to log in from a certain desktop?

Make sure your user clears their browser cache too.

Watch them log in via Teams or something similar. If you can take control of their keyboard via Teams, try using your ID and pw to see if you can log in from their machine. There might be a clue there.

I have a trace you can turn on but first check to see if your user really has some typo or if it's maybe their machine.

com.ibi.log can sometimes provide helpful info in LDAP logins to make the login process 'talk' more in your logs.

We can enable that if you can tell that the user is doing everything right. Maybe have your user login from your machine to see if that works too.

Sounds like you're really close to the answer so don't give up!

[Erin Trotter]

Thank you. I really appreciate you taking time out of your day to help me. SSO doesn't work for either of us and that's the real issue. I put in a ticket with support, but they have not been much help except pointing me back to the documentation for setting up security and I've already looked through all of that. Seems that they don't really help you troubleshoot anymore like they used to when it was Information Builders. If all else fails, I will just revert back to 8.2.07 at the end of today since our Snapshots will expire then.

[Toby Mills]

No problem Erin. I used to be a security guy for IBI back when I worked there. Some potential good news is that since Tibco has been purchased by Cloud Software Group, IBI gets to have it's brand name back more under it's own control.

FWIW, I'm in the middle of a really mysterious upgrade problem myself from 8207 to 9.1. I have the security working though. I'm getting some IBX errors from the client interface. Those are really hard for me to debug so far.

Meantime, back to you.

Can you sign on at all to the client? Maybe with the 'super user' if you configured that? If you didn't have a super user configured already, let me know and maybe we can manually make one for you.

Once you have that, you can start nosing around the security settings a little more. That's kind of the whole point of the super user - that ID should be able to get in even if the connection to the repository isn't quite working right (specifically so you can fix those kind of issues).

Here's where you could go look to see if you have a Super user set up:

Check your confwebfocus.cfg - do you see an entry for IBI_ADMIN_NAME and IBI_ADMIN_PASS?

[Erin Trotter]

I can log into the client just fine manually. My sso is just not working anymore and I cannot log into App Studio at all anymore

[Toby Mills]

That helps that you can get into the client manually through Form Based Authentication.

It's been a long time since I set up an LDAP authentication/authorization, so Im just going off memory here.

When you say you can't get in via SSO, are you expecting to just slide in with your windows ID and never get prompted by the Form Authorization?

Lets leave App studio out of the picture till you can get there okay with your web browser. App Studio is essentially a fancy web browser that uses HTTP traffic to talk to the client. Better to just work on the web part.

Do you have your main security zone set up like this?

 

I think you don't want the Form Auth enabled. If you need to, you can edit right inside your securitysettings.xml if for some reason you have having a hard time getting back to this screen.

Also I have it rolling around my head that you need to add tomcatauthentication="false" in your server.xml for tomcat (if thats what you are using. Does that ring a bell?

Some logging you might try since you can get in to the client manually.

Go into the admin console, choose Diagnostics and click on the Log Files. Look for this section that shows what things will show up in the event.log:

 

Go down a little ways and turn on com.ibilog. I think that's the right thing that will make your active directory/ldap hits show up in your event.log output:

 

I think I'd dump it up to Trace and then see if you get extra info. Try doing that and then ask your co worker to try to hit the client /ibi_apps/ web page. Once she gets re-routed to the Form Auth instead of signing in (which is what I presume is happening), turn your com.ibilog trace back to info an click on the Event.log to look inside there. See if you can see any clues.

I know this is a lot of stuff to think about. I wish I could see your setup to help you but I'm in the midst of my own fires.

SSO using IIS and LDAP are pretty common inside IBI. Somebody will probably be able to do a remote session with you to tell more. Assuming they get to you of course.

[Erin Trotter]

Ok, this is so strange, but I disabled forms authentication like you said (even though it is enabled on our test and prod environments and SSO works on both of those so it automatically authenticates us in without a login screen). Somehow, it fixed the issue. AND I can get into App Studio as well now. I had an additional person that is not an admin test it to see if the same happens for them to get in with SSO and it automatically took them in as well. I can't thank you enough for spending a good chunk of your afternoon helping me troubleshoot. I wish I knew more about WF configuration so that I could return the favor help you solve your issues as well. I hope you have a great weekend and a wonderful holiday season. Best Wishes!

-Erin

[Toby Mills]

That's great Erin! Glad you got it going.

I'm still stuck in my own upgrade issues, so I'm glad at least one of us working!