iChain® 2.3 troubleshooting tools and tips

Neil Cashell, iChain WWS engineer, Novell, Inc.
ncashell@novell.com

© March 9, 2004 Novell Inc.

The one Net vision

one Net: Information without boundaries…where the right people are connected with the right information at the right time to make the right decisions.

Novell exteNd™
Novell Nsure™
Novell Nterprise™
Novell NgageSM

The one Net vision: Novell Nsure™

Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.

Presentation Outline

• General iChain® 2.3 troubleshooting tools
• New iChain components (proxy authentication, Citrix SSO, OLAC, Rewriter, WebDAV, Xtier)
  - Specific troubleshooting tools
  - Common issues


Generic iChain Troubleshooting Tools

LSEARCH.NLM from NDK
• Bind done for all requests
• http://developer.novell.com/ndk/cldap.htm

LDAP browser
• http://www.iit.edu/~gawojar/ldap/
• Export configuration to file
• Confirm LDAP search strings

iChain Proxy GUI
• Home -> Health status for details of services running
• Monitor tab gives services and stats information
  - Services running (rewriter display)
  - Disk space info, CPU utilization, cache hit ratio
• Access ACLCHECK and Proxy logs via the Monitor tab
• Can ping remote applications

iChain Proxy Console and Logger Screens
• Communication error messages are printed here
• Debug options can be modified to write here (SB, Nsure Audit, NPKIT)
• Activation-related debugging info (Display ISO Object Info)
  - Very useful for knowing what activation information (including the evaluation period end) the Proxy has read from the ISO.
  - If it cannot read the ISO object it reports TreeName=Not Resolved and/or Tree GUID=Invalid (problem with filtered replica, DirXML, referrals)

TCPCON
• Connectivity-specific tool (ICMP, TCP issues)
• Active TCP listeners, LDAP profile errors
• _TCP/_IP console command tools

Logs from authentication servers
• DSTRACE.NLM for LDAP (view DS trace traffic for object/attribute resolution: +LDAP/+TIME/FILE=ON)
• ‘Radius debug ON’ trace from the Radius server

Browser tools
• ieHTTPHeaders - http://www.blunck.info/ieHTTPHeaders.html
• Mozilla “Live HTTP Headers” plug-in

Network layout information
• Firewalls/L4 may pose connectivity/state problems

LAN analyzer (Sniffer, Ethereal, tcpdump, pktscan)
• Trace traffic between proxy and auth server
• Trace traffic between browser and proxy server
• Trace traffic between proxy and origin server
• Check out TUT230 for remote debugging with PKTSCAN


iChain Components “Proxy Authentication”


Proxy Troubleshooting Tools

Internet browser
• Useful for importing and viewing certificate attributes
• Mozilla/IE ‘Live HTTP Headers’ plug-in

Proxy load line switches
• -ri (remove IP address check on cookie)
• -cc (clear cache at startup)
• -cs (enable secure cookies)
• -cv (cookie mode – 24 or 40 bit)
• -gzip (compressed data to browser – default 1)

Proxy Console -> IAgent console

Ethereal (free, decodes SSL headers, filters TCP stream)

Proxy Troubleshooting Steps
- Initialization problems
- SSL handshake problems
- Authentication server problems

Proxy Initialization Problems

Failed to get ISO information over LDAP
• Get authentication <prof_name> returns valid parameters
• Ping <ldap_srvr_addr:port> from the iChain command line interface
• Check interpacket delay times between LDAP request/responses
  - LDAP server overloaded and may require addition of threads
• Check if LDAP over SSL is set up – may be a cert issue
• Add a delay to appstart.ncf before the Proxy loads


Proxy SSL Handshake Problems

Login page not displayed
• Failure at this level most often indicates an SSL/PKI issue
  - Verify that authentication over HTTP works
  - If not, check cert timestamps and CRL information
  - Look closely at the SSL diagnostic screens on the iChain Proxy server and check for SSL handshake errors
  - Trace the client to proxy connection and verify, after the first redirect:
    - that you see cert chains being transferred
    - that the iChain Proxy doesn’t have its time set in the future (Non US!)

Proxy SSL Handshake Problems (certificate timing issue)

Proxy Authentication Problems

Login page displayed but authentication fails
• Verify that the login page hasn’t been customized
• 400 Bad Request error message
  - Verify that no intermediate device is stripping cookies
  - Verify that the browser is sending the correct credentials when POSTing information to the iChain Proxy server
    - Browser tools to view HTTP headers
    - Check authentication server logs (DSTRACE, Radius) to see if the user is being validated

Login page displayed but authentication fails (cont.)
• 403 Browser does not support cookies
  - Verify accelerator name and cookie domain (IE issue)
  - Verify whether a transparent proxy is in the path
• Session Broker enabled
  - Mixed iChain 2.2 and 2.3 environment (cookie sizes)
  - Same authentication profile names
  - Intermediate devices (firewalls) resetting connections

Login page displayed but authentication fails (cont.)
• LDAP search (multi attribute) resolves correctly
  POST context=default&username=admin&[email protected]&password=novell
• ANDing of profile information incorrect
• Ldaprad/ldapcert profiles – Authtype == FieldName
• Forced LDAP on token auth

LDAP problems
• LDAP profile has valid BIND username/password
  - Must have Read (not just Browse!) rights to DS
• LDAP server
  - Responds to requests (DSTRACE +LDAP switch)
  - Slow interpacket delay time (LAN trace, DSTRACE +TIME)
• Indexing required when setting up complex searches

Radius problems
• ‘Radius debug on’ commands show no errors
• Changes between 2.2 and 2.3
  - ldaprad profile replaces SET commands
• LAN trace shows successful RADIUS response
  - Timeout issues

Mutual Authentication problems
• Trusted root container includes client cert CA and intermediate certificates
• Certificate error checkbox enabled to return more detailed information
• LDAP server responds to requests (DSTRACE +PKIA +TIME switch)
• Debug NPKIT.NLM (shipped as NPKIT.DBG); example logger output:

  Cert 1 -- Step 3 -- Revocation checking
  Cert num 1 Starting revocation check
  ERROR: Cert num 1 No CRL DP's so invalid
  Cert 2 -- Step 2 -- General certificate checks
  Basic Constraints: Cert num 2 is a CA
  Cert num 2 This is the Root Certificate.
  Cert 2 -- Step 3 -- Revocation checking
  Cert num 2 Starting revocation check
  Cert num 2 number of CRL DP's is 1
  1 Distribution Point: ldap://151.155.164.163:389/cn%3DCA%2C o%3DNovell
  --- Entering checkForValidCRL -- ldap://151.155.164.163:389/cn%3DCA%2C o%3DNovell
  node type NPKIx509CRL_crlType
  node type NPKIx509CRL_OnlyCACertsType
  Current time:402A1175 Wed Feb 11 11:26:45 2004
  nextUpdateTime:402924FA Tue Feb 10 18:37:46 2004 ERROR: CRL has expired.
  --- Exiting checkForValidCRL with ccode = -1258
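To make that logger output actionable, here is an added Python example (not Novell's code and not part of the presentation) that parses NPKIT.DBG-style revocation-check lines and reports certificates with no CRL distribution point and CRLs whose nextUpdate lies before the proxy's current time; the sample log is constructed from the lines on the slide, and the hex timestamps are decoded as Unix epoch values, which is what the slide's own values work out to.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the shape of the NPKIT.DBG logger output quoted above.
SAMPLE_LOG = """\
Cert 1 -- Step 3 -- Revocation checking
ERROR: Cert num 1 No CRL DP's so invalid
Cert 2 -- Step 3 -- Revocation checking
Cert num 2 number of CRL DP's is 1
1 Distribution Point: ldap://151.155.164.163:389/cn%3DCA%2C o%3DNovell
Current time:402A1175 Wed Feb 11 11:26:45 2004
nextUpdateTime:402924FA Tue Feb 10 18:37:46 2004 ERROR: CRL has expired.
--- Exiting checkForValidCRL with ccode = -1258
"""

_CERT_RE = re.compile(r"^Cert (?:num )?(\d+)\b")
_DP_RE = re.compile(r"^\d+ Distribution Point: (\S.*)$")
_TIME_RE = re.compile(r"^(Current time|nextUpdateTime):([0-9A-Fa-f]{8})")
_CCODE_RE = re.compile(r"ccode = (-?\d+)")

def _epoch(hex_str):
    # NPKIT prints the time as a hex Unix epoch: 0x402A1175 decodes to the
    # 'Wed Feb 11 11:26:45 2004' shown next to it in the slide's output.
    return datetime.fromtimestamp(int(hex_str, 16), tz=timezone.utc)

def parse_npkit(text):
    """Return {cert_number: info} for every revocation check in the log."""
    certs, cur = {}, None
    for line in text.splitlines():
        core = line[len("ERROR: "):] if line.startswith("ERROR: ") else line
        m = _CERT_RE.match(core)
        if m:  # any line naming a cert switches the current-cert context
            cur = certs.setdefault(int(m.group(1)), {"dps": [], "errors": []})
            if "No CRL DP's" in line:
                cur["errors"].append("no CRL distribution point")
        elif cur is None:
            continue
        elif m := _DP_RE.match(line):
            cur["dps"].append(m.group(1))
        elif m := _TIME_RE.match(line):
            cur["now" if m.group(1) == "Current time" else "next_update"] = _epoch(m.group(2))
        elif m := _CCODE_RE.search(line):
            cur["ccode"] = int(m.group(1))
    return certs

def diagnose(text):
    """Turn the parsed checks into findings an iChain admin can act on."""
    findings = []
    for num, info in sorted(parse_npkit(text).items()):
        for err in info["errors"]:
            findings.append(f"cert {num}: {err}; check the CDP attribute on the cert")
        if "now" in info and "next_update" in info and info["next_update"] < info["now"]:
            stale = info["now"] - info["next_update"]
            where = info["dps"][0] if info["dps"] else "the CA"
            findings.append(f"cert {num}: CRL expired {stale} before the check; "
                            f"refresh the CRL at {where} or check the proxy clock")
        if info.get("ccode", 0) < 0:
            findings.append(f"cert {num}: checkForValidCRL returned ccode {info['ccode']}")
    return findings
```

Feed it the logger screen text saved from the proxy console; a CRL that expired only hours before the check usually points at a stale CRL on the CA, while a gap of days or in the wrong direction points at the proxy clock issue from the SSL handshake slide.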

Mutual Authentication problems (cont.)
• Check CDP attributes on the client and intermediate certificates (they point to an LDAP or HTTP CRL server)
• View and check CRL attributes from the browser
• Check if certs (Equifax) have the option without any LDAP or HTTP server specified – enable the mapx500crltoldap set command
• Check if client certs have an AIA attribute
• Don’t need to enable ocspconfiguredsource/URL
• Check OCSP server log files
• Check if disablerevocationchecks is disabled

Back end application problems
• Authentication header invalid
• OLAC not passing correct credentials
• Protected resource change
• iChain servlets can check OLAC/Auth headers


iChain Components “Citrix SSO”/FormFill


Citrix SSO Troubleshooting Tools

Proxy Console -> Display services screen
• Check what links are being rewritten

SSO Debug screen
• Check formfill status

Rewritten ICA file
• Save the ICA file to confirm entries were rewritten

Citrix SSO Authentication Flow (diagram: ICA Client and Web Browser outside Firewall 1; Secure Web Server and Nfuse Portal in the DMZ; XML Service and Production MetaFrame Farm behind Firewall 2; the exchange is numbered in steps 1 to 7)

LAN traces

iChain to LDAP (if SSO to Citrix server)

iChain to browser communication
• Verify rewrite of the ICA page
• Verify the CONNECT sent to the MetaFrame proxy
• Verify the 407 Proxy Authentication Required sent back; realm is “iChain-ICA”
• Verify connection established

iChain to web server
• Application info sent back correctly
• Cookies exist
• No errors from back end servers

FormFill Troubleshooting Tools

BuildFormFillScript.jsp
• http://www.novell.com/coolsolutions/icmag/features/tips/t_ichain_form_fill_script_generator_ic.html

LDAP Browser/ConsoleOne
• Confirm ISO and user “iChainFormFillCrib” attributes

Browser ‘View->Source’
• View info submitted by the browser and login page details

LAN traces
• iChain to LDAP and browser communication

Updated documentation
• Understand all options

Common Citrix SSO Problems and tips
• tunnelauthforica = Yes for Citrix/MF server
• SSO to login fails – profile URL doesn't match
• Client connecting through a forward proxy fails
• ICA client ignores browser proxy settings
• No spaces in between 'address=' in script
• ICHAIN-TOKEN=<timeout> added to formfill script (CONNECT requests failing)
• Load balanced servers -> specified twice!
• Disable 'keep-alive' for VIP ports 80/443

Common FormFill Problems and tips
• Remove POST/ from the FormFill profile to only fill (no submit)
  - Check for Javascript tags/methods in the login page
• Simplify the profile to one variable if possible
  - Use a test profile written to confirm
• Verify if multiple <form> tags exist
• Verify iChainFormFillCrib or LDAP attribute sent/received
  - Verify DSTRACE +LDAP settings show a valid response
  - Verify LAN trace for LDAP communication
• Verify schema extensions (secret store – TID 10090219)
• Load SSO.NLM /d /l and view debug/logger screen info


Miscellaneous Issues

• Rewriter
  - Rewriter.sam file
  - Proxy Console -> Display services
  - Multiple accelerators cannot have the same althostname/port!
  - [Exclude] option to turn off rewriting for links
  - <!--NOVELL_REWRITER_OFF/{ON}--> tag to turn off/on rewriting of portions of HTML data
  - [Javascript Variables] can be used to overwrite Javascript variables containing URL references
  - [Alias Host Names] extended to rewrite non-DNS hostnames, schemes, ports and links
    – Can be used to add additional paths to a pbmh setup
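As an added illustration of the rewriter rules listed above (a small Python model, not the iChain rewriter's own code), URLs are rewritten from an alias map, an exclude list is honored, and nothing between the NOVELL_REWRITER_OFF and NOVELL_REWRITER_ON tags is touched; leaked_links then reports, as the "check what links are being rewritten" step asks, every origin-server link that would still reach the browser and why. The accelerator names, paths and sample HTML are constructed assumptions.

```python
import re

# Constructed accelerator setup (an assumption, not from the slides): the origin
# server answers inside the network as http://owa.internal:8080 and is published
# by the accelerator as https://mail.example.com.
ALIASES = {"http://owa.internal:8080": "https://mail.example.com"}
EXCLUDE = ("http://owa.internal:8080/static/",)  # modelled on the [Exclude] idea
ORIGIN_HOSTS = ("owa.internal",)                 # hosts that must not leak to clients

_OFF, _ON = "<!--NOVELL_REWRITER_OFF-->", "<!--NOVELL_REWRITER_ON-->"
_TAG_RE = re.compile("(" + re.escape(_OFF) + "|" + re.escape(_ON) + ")")
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed page as the origin server might send it.
SAMPLE_HTML = """\
<a href="http://owa.internal:8080/exchange/inbox">Inbox</a>
<img src="http://owa.internal:8080/static/logo.gif">
<!--NOVELL_REWRITER_OFF-->
<script>var base = "http://owa.internal:8080/exchweb/";</script>
<!--NOVELL_REWRITER_ON-->
<a href="http://owa.internal/public">Public folders</a>
"""

def _decide(url, active, aliases, exclude):
    """Return (url_after_rewriting, reason) for one URL found in the page."""
    if not active:
        return url, "inside NOVELL_REWRITER_OFF region"
    if any(url.startswith(x) for x in exclude):
        return url, "matched [Exclude]"
    for internal in sorted(aliases, key=len, reverse=True):  # longest match wins
        if url == internal or url.startswith(internal + "/"):
            return aliases[internal] + url[len(internal):], "rewritten"
    return url, "no alias for this host/port"

def rewrite_html(html, aliases=ALIASES, exclude=EXCLUDE):
    """Rewrite URLs outside OFF..ON regions; the marker tags themselves are kept."""
    out, active = [], True
    for piece in _TAG_RE.split(html):
        if piece in (_OFF, _ON):
            active = piece == _ON
        else:
            piece = _URL_RE.sub(lambda m: _decide(m.group(0), active, aliases, exclude)[0], piece)
        out.append(piece)
    return "".join(out)

def leaked_links(html, aliases=ALIASES, exclude=EXCLUDE, origin_hosts=ORIGIN_HOSTS):
    """List origin-server URLs that survive rewriting, each with the reason why."""
    leaks, active = [], True
    for piece in _TAG_RE.split(html):
        if piece in (_OFF, _ON):
            active = piece == _ON
            continue
        for url in _URL_RE.findall(piece):
            new_url, reason = _decide(url, active, aliases, exclude)
            host = re.match(r"https?://([^/:]+)", url).group(1)
            if new_url == url and host in origin_hosts:
                leaks.append((url, reason))
    return leaks
```

The last sample link shows the [Alias Host Names] point: the same host on a different port is a different alias, so it is not rewritten until a mapping for it is added.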

• XTier integration and NW65 interoperability
  - Must have the NetIdentity client (X-NovInet header)
  - The NetIdentity client IE browser must have a Trusted Root certificate for the iChain accelerator AND the NetStorage server in its Trusted Root certificate store
  - The SSL certificate used by the NetStorage server must have a Subject Name matching the iChain DNS accelerator for NetStorage (can include wildcard certificates)
  - XTier Realm is case sensitive!
  - Problems with NNLS (Linux)

• WebDAV
  - Tunnel WebDAV methods through, but note the rewriter requirements
  - Cannot delete mails when SSLizer is enabled and the OWA server is running over HTTP
  - OWA/Outlook in a PBMH setup requires rewriter changes
    – Different paths, Javascript variables
  - OWA requires the alt hostname to be the same as the DNS name
    – Outlook 2003 does not!

Miscellaneous iChain Issues (TIDs)
• Troubleshooting iChain access control issues - 10080500
• Troubleshooting iChain activation issues - 10080226
• Troubleshooting iChain authentication issues - 10080271
• Troubleshooting iChain OLAC issues - 10080620
• Troubleshooting iChain installation issues - 10068257
• Configuring formfill to SSO to other Novell products - 10078054

Summary

iChain troubleshooting tools
• More than enough!

iChain troubleshooting steps
• Follow the flow and identify the broken interface

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.