Secure Global Desktop 4.40 Administration Guide

Users Cannot Log In With Web Server Authentication

Common problems users experience when they log in to SGD using web server authentication include:

To help diagnose and resolve some of these problems, add the following log filters on the Global Settings, Monitoring tab in the SGD Administration Console:

server/login/*:log_file_name%%PID%%_error.jsl
server/login/*:log_file_name%%PID%%_error.log

Web Server Authentication Fails

If a user fails to authenticate to the web server, they might see a message such as "401 Authorization Required". This indicates that either there is a problem with the user name and password the user is typing, or there is a problem with the web server configuration.

Check the following:

Users See the Standard SGD Login Page

If web server authentication is not set up correctly or it fails for any reason, SGD displays the standard login page. The following table lists the things you might need to check.

What To Check: Is the right SGD URL protected?
More Information: For the webtop, you must set up your web server to protect the /sgd URL.

What To Check: Is Tomcat configured to trust the web server authentication?
More Information: The Tomcat component of the SGD Web Server has to be configured to trust the Apache web server authentication.

On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the tomcatAuthentication="false" attribute to the <Connector> element for the Coyote/JK2 AJP 1.3 Connector:

What To Check: Does the user have a user profile in the local repository?
More Information: If your configuration of SGD relies on users having user profile objects in the local repository and you have not enabled one of the fallback profile objects, users might not be able to log in. If this happens and you have enabled the additional logging, search the log file for messages that indicate that SGD could not find a match for the authenticated user.

Either create a user profile for the user or enable one of the fallback profile objects. See Third-party Authentication for more details.

What To Check: Is the user a Secure Global Desktop Administrator?
More Information: By default, Secure Global Desktop Administrators cannot access SGD if they have been authenticated by a web server. To change this behavior, run the following command:

$ tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1

What To Check: Have you changed the trusted user?
More Information: If you have changed the user name and password of the trusted user, have you verified that the new user works? See Trusted Users and Third-Party Authentication for details.
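
The Tomcat check above can be scripted. The following Python script is an added example, not part of the SGD documentation: it parses a server.xml file and reports whether each active AJP connector sets tomcatAuthentication="false". The sample XML, its port numbers and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped SGD file. The commented-out connector
# carries the attribute; the active AJP connector does not.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""


def audit_ajp_connectors(xml_text):
    """Return (port, tomcatAuthentication value or None, trusts_web_server)
    for each active AJP connector. XML comments are skipped by the parser,
    so a commented-out <Connector> is correctly ignored."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # "AJP/1.3" or a class name such as org.apache.coyote.ajp.AjpProtocol
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        value = conn.get("tomcatAuthentication")
        # Tomcat treats a missing attribute as "true": it authenticates
        # itself and ignores the user name passed on by the web server.
        trusts = value is not None and value.strip().lower() == "false"
        findings.append((conn.get("port"), value, trusts))
    return findings


def main(argv):
    # Pass the path to server.xml on an array member; without an argument
    # the constructed sample above is audited instead.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:  # bytes: honour any XML encoding declaration
            xml_text = fh.read()
    else:
        xml_text = SAMPLE
    findings = audit_ajp_connectors(xml_text)
    if not findings:
        print("no active AJP connector found")
        return 1
    for port, value, trusts in findings:
        state = "OK" if trusts else "NOT TRUSTING WEB SERVER"
        print("AJP connector port=%s tomcatAuthentication=%r: %s" % (port, value, state))
    return 0 if all(t for _, _, t in findings) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means that no active AJP connector was found or that at least one does not trust the web server authentication.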

Users Get the Wrong Webtop

Web server authentication does not support ambiguous users. This means users get the webtop of the first matching user profile.

Search the SGD log files for messages that indicate an ambiguous user.

To resolve the situation, you can do either of the following:
