8 Troubleshooting

8.1.5.1 Initial Authentication

User logs onto a computer with different domain/workgroup accounts but sees the same credentials.

The problem is that the local computer's Windows account provides the user's Registry Hive (HKCU), not the domain/workgroup account. There are two workarounds: use the CleanupOnShutdown feature or use a different Windows account for each domain/workgroup logon.

8.1.5.2 Reauthentication

Users are never asked to reauthenticate.

Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (default for client-side installations) is 15 minutes.

Users have to reauthenticate too frequently.

• Make sure Extensions\AccessManager:AutoLogin is set to the desired value. The value is in milliseconds; a value of 900000 (default for client-side installations) is 15 minutes.

• Make sure other force-reauth settings are set appropriately. These settings include:

  • Overriding settings: Extensions\AccessManager:ReauthOnReveal.

  • Application configuration settings: ForceReauth.

8.1.6.1 All Applications

The Agent does not recognize pre-existing logon credentials after an upgrade

After an upgrade of the Agent, users report that applications for which they have previously provided credentials no longer function. Instead, a message box appears, advising that the credentials do not correspond to configured logons. The applications appear in Logon Manager in gray, italicized text.

Create a Bulk Add list to update the user's entlist.ini. Also note that in Logon Manager, preconfigured logons for Windows and Web applications are included in the Administrative Console templates, rather than in the Agent's applist.ini. Create the required application logons, using templates, then create the Bulk Add list to update the user's entlist.ini.

An application is not available in the list of predefined applications when you add credentials

Shut down the Agent making sure that no ssoshell.exe processes are running, and restart the Agent.

The Agent can be started and Logon Manager can be opened without the user authenticating

Shut down the Agent, kill any running ssoshell.exe or SSObho.exe processes, and restart the Agent.

8.1.6.2 Predefined Windows Applications

The Agent does not recognize a password change window –OR– The Agent does not respond to an application's configured password-change dialog

This can be remedied by adding the password-change form's window title to the main logon form's window-title matching list.

In the Administrative Console, select the application in the left pane and click the General tab. Double-click the Password Change form for the application to open the form configuration dialog. Note the Window Titles of the form, then click Cancel. Double-click the Logon form for the application and, under Window Titles, click Add. Enter the window title of the Password Change form, click OK, then click OK to close the form configuration dialog.

Double-Logon or Wrong Window

The Agent responds twice to an application or responds to a previously-invisible window or to the wrong window

• Use one or more (additional) Match sections and Field keys to specify more precise matching criteria.

• Specify the window class that should be ignored in Ignore this Window Class in the Miscellaneous tab on the application configuration.

The Agent does not respond to any Windows application

Shut down the Agent, kill any running ssoshell.exe or SSObho.exe processes, and restart the Agent.

The Agent does not respond to a specific Windows application

• Use fewer matching criteria.

• Check that the application configuration values that are numbers are in decimal, not hexadecimal.

• Check that the application configuration values that are strings are the exact ones in the application dialogs.

• If using multiple sections, try a test with just one section.

The Agent provides credentials but does not submit

Verify that Auto Submit is set in the Miscellaneous tab of the application configuration and AutoOK is set in the specific set of credentials.

8.1.6.3 All Web Applications

The Agent does not detect or respond to a specific Web page

• Check that the page has a password field (Field Type of Password). Without it, the Agent will ignore the page.

• Check that SSObho.exe is running.

• Try disabling Java, JavaScript, and/or ActiveX support.

The Agent responds slowly to a specific Web page

• Check that the page has finished loading. The Agent does not respond to a page until the page finishes loading completely.

• Try turning off images.

• Try disabling Java, JavaScript, and/or ActiveX support.

The Agent doesn't respond to a loaded Web Application

1. Start the Agent, then trigger the Agent from the Title Bar Button.

2. Log On using Logon Manager.

3. Refresh the browser page.

The Agent doesn't respond to a selected logon using Logon Manager

There is a known issue in the Agent where it does not respond to Web Applications in this way. The Agent still responds via the other triggers.

SSObho.exe does not run

If the Agent does not recognize web pages properly, make sure that SSObho.exe is running. If it is not, the Agent may think the user is in a Terminal Services session. To correct this:

1. Shut down the Agent. (Verify no SSO* tasks are running in Task Manager.)

2. Uninstall the Agent.

3. Make sure the following files are not present on the user's computer:

   • SSOwts.exe

   • SSOwts.exe

   • SSOwts.exe

4. Search using RegEdit in the system hives of the registry (for example, NOT in HKEY_CURRENT_USER or HKEY_USERS) for references to SSO, vGO, and Passlogix. Delete all inappropriate references, especially:

   HKEY_LOCAL_MACHINE\SOFTWARE\Passlogix and its children

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04EB19CE-B3B3-11D2-8A09-006008C7059E} and its children

   HKEY_CLASSES_ROOT\CLSID\{04EB19CE-B3B3-11D2-8A09-006008C7059E} and its children

   HKEY_CLASSES_ROOT\AppID\SSO WTS.EXE and its children

   HKEY_CLASSES_ROOT\AppID\{6B9E3EFF-C54A-472C-821B-6FC464B58235} and its children

   HKEY_CLASSES_ROOT\SSObho.HelperObject and its children

   HKEY_CLASSES_ROOT\SSObho.HelperObject.1 and its children

5. Reinstall the Agent.

8.1.6.4 Web Applications That Are Predefined

The Agent provides credentials but does not submit

• If a Submit field is of type Image, make sure that the URL is exact, including the protocol.

• If a Submit field is not present, add one.

Instead of submitting the page, the Agent triggers a link to another page or some other action (for example, cancel/clear)

Add a Submit field to the application configuration.

The Web page uses more than three fields (for example, a Social Security # as three fields and a password)

Break the logon up into two (or more) logons. Then the user will select (via the Logon Chooser) first the credential lacking the password (with Auto Submit disabled) and then the credential with the password.

8.1.6.5 Web Applications That Are Not Predefined

The Agent provides credentials but does not submit

Keep the system focus on the window that is requesting the credentials; if you switch to another window, the Agent will supply the credentials but not tell the page to submit.

Instead of submitting the page, the Agent triggers a link to another page or some other action (for example, cancel/clear)

• Turn off Auto Submit for that credential, and manually trigger page submission.

• Predefine the page, specifying the Submit field.

When adding credentials, the window title is stored instead of the URL

Check that SSObho.exe is running. (See above.)

8.1.7.1 Responding to All Host Applications

The Agent does not respond to any Host application

• Shut down the Agent, kill any running ssoshell.exe or SSObho.exe processes, and restart the Agent.

• Check that HLLAPI is properly enabled in the host emulator.

• Check that MFEnable=1.

• Check that the coordinates are relative to the top-left corner, where the top-left corner is (1,1) (row 1, column 1).

The Agent does not respond at all to any Telnet application

Check that the Host emulator supports Telnet through HLLAPI or through a scripting language.

8.1.7.2 Responding to a Specific Host Application

One or more credential fields are not inserted, or are partially inserted

• Check that the coordinates are relative to the top-left corner, where the top-left corner is (1,1) (row 1, column 1).

• Check that application configuration coordinates are for the exact place where credentials are inserted; usually, there is a space after the field prompts (for example, "Username:Space"), and the credential field needs to be inserted after the space.

• If a special character sequence is used between fields, check that the sequence is valid, that Delay Field is set to a sufficiently high value.

The Agent does not respond at all to a specific Host application

• Check that the coordinates are relative to the top-left corner, where the top-left corner is (1,1) (row 1, column 1).

• Use fewer matching criteria.

The Agent does not respond at all to a specific Telnet application

Check that the coordinates for all fields are set to (1,1).

8.1.8.1 All Extensions

No events are recorded

• The Filter setting is not set. For testing purposes, set to 0xFFFFFFFF (to log all events) and restart the Agent.

• The Agent has not reached the Retry setting (default: 30 minutes). To change the value from the default, set Extensions\EventManager:Retry or Extensions\EventManager\%Extension%:Retry to a lower value. To verify that the Event Logging is occurring, open the user's %UserName% AML.ini file, look in the SSOSection column for entries with the name starting with CacheItem (for example, CacheItem1). These items are the events, cached until the retry time is reached. At the retry time, the cached events will be sent to the extension(s).

The wrong events are recorded

The Filter setting is set improperly. Review the Event Logging Filter, note the precise bit order and conversion from binary to hexadecimal/decimal.

8.1.8.2 Windows Event Viewer

Credentials do not arrive at the server

The server name is not properly set. Do not use leading "\\" characters. Specify the proper NetBIOS name (not the TCP/IP name).

Credentials on the server are missing data; category and event labels are only numbers and the Description is similar to "The description for Event ID ( ### ) in Source (Logon Manager) cannot be found

• The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event:"

• The server is not properly configured. See Section 2.17.11.1, "Configuring the Windows Event Logging Server" extension for instructions on configuring the server.

8.1.10.1 All Directory Extensions User Connections

Cannot connect via SSL

Make sure the directory connection works without SSL.

A user cannot create an object on the directory

• Make sure the user is connecting to the directory.

• Make sure UserPaths points to a valid location.

• An SSOlocator object for the user does not exist, either specifically for the user or as a default object. Put a default object in the location UserPaths points to; if this works, you can move the default object up the tree or put a user-specific object on the tree.

8.1.10.2 Admin Objects

Admin objects (vGOAdminOverride, vGOentlist, vGOftulist) cannot be altered

Existing objects cannot be overwritten. Instead, delete the old objects and then push new ones.

8.1.10.3 File System Server User Connections

A user cannot create an object on the directory

Make sure the user can connect to the File System share directly (for example, in Explorer).

8.1.10.4 OpenLDAP Directory Server Repository

An error message appears when extending the Schema

In the Connect to Repository dialog, if OpenLDAP Directory Server is selected as the Repository Type and an Extend Schema Status error appears, the schema will have to be manually extended.

The Error message appears as follows:

If you receive this error, follow these steps to extend the schema manually:

1. Copy the sso.schema file to the OpenLDAP server. The sso.schema file can be located in the following location: C:\Program Files\Passlogix\v-GO SSO Console\DirectorySchema\vgo\OLDAP\sso.schema

2. Place the sso.schema file in the following directory (or other schema directory for OpenLDAP configuration): /usr/local/etc/openldap/schema

3. The OpenLDAP configuration file must be modified to include the new schema file. Open the file, and add the following line: include <path>/sso.schema where <path> is the path specified in the previous step.

   Note:

   On UNIX machines, this file is called slapd.conf.

8.2.7.1 Windows Password Logon and Unlock Errors

The Universal Authentication Manager logon component conforms with Windows password authentication error scenarios and duplicates the flows of the Windows credential provider. For example, if the user types an invalid password, the error flow is identical and the user receives the same error messages as with Windows.