Secure Global Desktop Administration Guide > Users and authentication > Users experience problems with web server authentication
Common problems users experience when they log in to Secure Global Desktop using web server authentication include:
To help diagnose and resolve some of these problem, add the following log filters on the Array Properties panel in Array Manager:
server/login/*error:log_file_name%%PID%%_error.jsl server/login/*error:log_file_name%%PID%%_error.log server/login/*info:log_file_name%%PID%%_error.jsl server/login/*info:log_file_name%%PID%%_error.log
If a user fails to authenticate to the web server, they may see a message such as "401 Authorization Required". This indicates that either there is a problem with the username/password the user is typing or there is a problem with the web server configuration.
Check:
ttaserv
user? If this user can't read the password file, web authentication will fail.If web server authentication is not set up correctly or it fails for any reason, Secure Global Desktop displays the standard login page. The following table lists the things you may need to check.
What to check | More information |
---|---|
Is the right Secure Global Desktop directory/URL protected? | You must set up your web server to protect:
|
Is Tomcat configured to "trust" the web server authentication? | For the browser-based webtop, the Tomcat component has to be configured to trust the web server authentication.
On each array member, edit the |
Does the user have an ENS person object? | If your configuration of Secure Global Desktop relies on users
having ENS person objects and you have not enabled one of the fallback
profile objects, users may not be able to log in.
If this happens and you have enabled the additional logging, search the log file for messages that indicate that Secure Global Desktop
could not match the authenticated user to an ENS object.
Either create an ENS person object for the user or enable one of the fallback profile objects, see web server/third party authentication for more details. |
Is the user a Secure Global Desktop Administrator? | By default, the browser-based webtop will not allow Secure Global Desktop Administrators access if they have been authenticated by a web server. To change this behavior, run the following command:tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1 |
Have you changed the trusted user? | For the browser-based webtop only, if you have changed the username and password of the trusted user, have you verified that the new user works? See security considerations of using web server authentication for details. |
Are the tokens timing out? | For the classic webtop only, check that the tokens are not timing out.
If you have enabled the additional logging, search the log file for messages beginning Increase the web token validity period and try logging in again. |
Is the web server username correct? | For the classic webtop only, check that the web server username configured in Secure Global Desktop matches the user that owns the web server processes. For the Secure Global Desktop Web Server this is ttaserv . This user is required to validate web server authentication tokens.
|
For classic web server authentication to work, the
tarantella/cgi-bin/secure
directory must be protected on
your web server. If you protect any other Secure Global Desktop
directories (for example /tarantella
or /tarantella/cgi-bin
, browsers that use a plug-in virtual machine
for the Java™ platform ('Java virtual machine' or 'JVM')
will prompt users for their username and password.
This happens because the JVM and the browser do not share
authentication information.
Make sure you only protect the tarantella/cgi-bin/secure
directory.
For the browser-based webtop, you may need to upgrade your plug-in version or arrange a workaround, see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4943729.
Web server authentication does not support ambiguous users. This means users get the webtop of the first matching login profile.
If you have enabled the additional logging, search the log file for messages that indicate an ambiguous user.
To resolve the situation, you can either:
To disallow ambiguous logins for classic web server authentication, run the following command:
tarantella config edit --com.sco.tta.server.login.webauth.WebLoginAuthority.properties-takeFirstMatch false
You must restart the Secure Global Desktop server after making this change.
Copyright © 1997-2006 Sun Microsystems, Inc. All rights reserved.