
Plugin Single Sign On Version 1.2
Installation Guide
This document describes the configuration and installation process of the Plugin Single Sign On version 1.2 component for BMC Remedy AR System.

TopPositions 2010-03-29

Plug-in Single Sign On Version 1.2

CONTENTS
1 INTRODUCTION
2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2
3 APPLICATION
4 EQUIPMENT COMPATIBILITY
5 HOW PLUGIN SSO WORKS
6 INSTALLATION AND CONFIGURATION
6.1 Windows Authentication
6.2 ClearTrust / SiteMinder
6.3 Installation
6.4 Installation Part 1 in the server environment (ARS Platform)
6.5 Installation part II in the environment on the side of Mid-Tier server
6.6 Installation Part III SSO Authentication Service
6.7 Installation Part IV - Plugin SSO Authentication for BMC Remedy User Tool
7 TROUBLESHOOTING
7.1 SSO AREA plugin
7.2 AREA LDAP plugin
7.3 Mid-Tier SSO Plugin
7.4 SSO Authentication Service
7.5 What's next
8 POTENTIAL ERRORS
8.1 Mid-Tier can't find the file mt-sso.jar
8.2 Mid-Tier can't find the file jespa-1.0.9.jar
8.3 Mid-Tier can't find the file with the licence
8.4 Mid-Tier can't find the configuration file mt-sso.config
8.5 Remedy SSO can't find the Domain controller
8.6 Remedy SSO can't log into Domain controller
8.7 SSO Authentication service doesn't work

Copyright @ 2009 TopPositions


1 INTRODUCTION
Every company has to deal with a very common problem: users entering an incorrect password when logging in to a system or a certain application. Frustrated and unsatisfied users are unable to remember every password they are obliged to use, which leads to many unavoidable mistakes. The only solution seems to be support from IT specialists and yet another new password. Although this helps, it is not a long-lasting fix: changing the password does not guarantee that the new one will not be forgotten. What is more, security policy forces users to change their passwords regularly. So as not to forget the new phrases and numbers, users write them on sticky notes and stick them onto their screens. Obviously, storing passwords this way is not safe.

That is why our team of IT specialists worked out an innovative system, Plugin SSO (Plugin Single Sign On). This security method is safe and gives you very easy access to BMC Remedy AR System. Plugin SSO makes the whole process of logging in very quick and requires no participation from the user. Users therefore do not have to spend hours thinking about a new password and can attend to their duties instead. Plugin SSO is the best solution. All the problems will disappear, as will users' frustration and annoyance. Everyone knows that a satisfied employee is an effective employee, and effectiveness means profits. So let us help you make a big profit.

For more information, please visit our Web site: http://www.remedy-sso.com


2 WHAT IS PLUGIN SINGLE SIGN ON VERSION 1.2
Plugin SSO is a component that enables access to the BMC Remedy AR System without the necessity of logging in. Moreover, Plugin SSO supports a joint security policy for all passwords in the company, which makes the information stored in the BMC Remedy AR System safer. The fact that Plugin SSO was created and tested by the best IT security specialists makes your information unavailable to an unwanted audience.

Our system uses the Security Support Provider Interface (SSPI). SSPI authentication systems, used all over the world, work on Windows and give you the highest level of information security. Our system is the only one in the world that guarantees handling of Microsoft NT LAN Manager version 2 (NTLMv2). NTLMv2 is recommended and used by the best IT security specialists all over the world. The NTLMv2 service is ensured by the IOPLEX component. Here you can find more information about IOPLEX: http://www.ioplex.com

Plugin SSO is a product for BMC Remedy AR System and does not require any complex process of installation or configuration.

3 APPLICATION
As a very flexible solution, Plugin SSO can be applied in various equipment and system configurations. Plugin SSO supports:
• BMC Remedy AR System, vol. 7.0, 7.1, 7.5 and 7.6.
• Internet browsers like Internet Explorer and Mozilla Firefox (Mozilla Firefox requires Windows Authentication Configuration).
• All variants of the NTLM protocol (NTLM by default).
• Java 1.5 and 1.6.
• The outside authentication systems like ClearTrust and SiteMinder (they authenticate users through the "Http header" protocol).
• Operating systems like Windows, Linux, Solaris and HP-UX.
• J2EE Containers like Apache Tomcat, Weblogic, Websphere and others.

4 EQUIPMENT COMPATIBILITY
Automatic Plugin SSO log in can be used on the following operating systems:

Matrix of the solution compatibility
Operating systems: Windows 2000, 2003, 2008; Sun Solaris 9.x; HP-UX 11.x; Linux 2.6.x+
BMC Action Request System: 7.0; 7.1 (MT patch 6+); 7.5 (MT patch 1+)

Plugin SSO supports many typical WWW security systems.

Popular products
Authentication systems: ClearTrust, SiteMinder, Quest QSJ, HTTP Basic

Plugin SSO supports Windows Authentication (NTLM v2) in the "Out of Box" version.

5 HOW PLUGIN SSO WORKS
Plugin SSO gives access to the Remedy AR System environment on the basis of the authorization that was made when logging into the corporate network (by Windows domain authorization). When correctly logged into the Windows domain, the user doesn't have to log in once again to connect with BMC Remedy AR System. This component logs users in to BMC Remedy AR System automatically, through the Web browser or the BMC Remedy User application. Plugin SSO works as a plugin installed on BMC Remedy AR System and is able to support WebSSO systems or work autonomously.

The following diagram shows how Plugin SSO authorizes the user by the use of the Windows Authentication Protocol.

[Figure: User's authorization by Plugin SSO]

In the case of a Web browser, Plugin SSO is triggered when the user is logging into one of the following Mid Tier Server addresses: /arsys/home, /arsys/forms, /arsys/apps. Plugin SSO asks the user's Web browser to send the NTLM header together with the user's data. Then it checks if this data is correct or not. If the user was identified by the Windows Controller, the user gains access to the BMC Remedy AR System.

The following diagram shows the user's authorization by the web browser.

[Figure: User's logging in by the Internet Browser]

When the BMC Remedy User application is used, Plugin SSO is triggered when the application is opened. Plugin SSO is given a special ticket to the SSO Authorization Service. This service is activated at any Windows server after SSPI Negotiate (NTLM) authorization. Each ticket is generated for a particular user and for the computer from which the user is trying to connect to BMC Remedy AR System. Then, BMC Remedy User sends the ticket to BMC Remedy AR System. Plugin AREA SSO verifies this ticket in the SSO Authorization Service.

The following diagram shows how BMC Remedy User authorizes users.

[Figure: User's logging in by the BMC Remedy User]

6 INSTALLATION AND CONFIGURATION

6.1 Windows Authentication
If you do not have an external SSO system (ClearTrust, SiteMinder, etc.) and would like Mid-Tier to authenticate users within the Windows Controller, you will need to take extra steps to install the BMC Remedy Mid-Tier component. Our solution works only if Apache Tomcat has already been started as a standalone application. We do not support the product ServletExec, as it is not presently recommended by BMC.

6.2 ClearTrust / SiteMinder
A ClearTrust or SiteMinder session expires after some time. For this reason the length of that session must be synchronized with the length of the BMC Remedy Mid-Tier module session. To prevent a situation in which a user is still logged in to the BMC Remedy AR System but is no longer logged in to the SSO module, the following steps must be taken while installing Mid-Tier:
• Configure ClearTrust or SiteMinder to protect the paths /arsys/home, /arsys/forms and /arsys/apps.
• Set the length of the Mid-Tier session one minute shorter than the session in ClearTrust or SiteMinder.

6.3 Installation
Installation consists of two parts. It involves the ARS Server (ITSM) and also the Mid-Tier module. First two parts are obligatory. The installation pack contains 3 directories: mt, ars and rut. The first directory contains files that are required for the installation on the Mid-Tier server. The third one contains files necessary in case of SSO authorization made by BMC Remedy User.

6.4 Installation Part 1 in the server environment (ARS Platform)
All the files necessary for this part of the installation can be found in the ars directory.

Copying files to AR System
1. Copy the areasso.dll/areasso.so file to the operational directory of the ARS server (it is the same directory that includes the file arserver.exe).

2. Copy the area-sso.cfg/area-sso.conf file to the directory containing ar.cfg/ar.conf. (It is the same directory that includes the file ar.cfg/ar.conf, e.g.: c:\program files\AR Server\conf)

Checking whether the AR External Authentication (AREA) is switched on
In order to do that you need to:
• Log in to the BMC Remedy User Tool
• Open AR System Administration Console
• Open System->General->Server Information
• Open the folder EA
• Make sure RPC 390695 is selected
• Make sure Cross Reference Blank Password is marked
• Save any changes.

The following picture presents how to configure AR External Authentication.

You need to make sure AREAHUB has been installed and started. In order to check it you have to examine the file ar.cfg/ar.conf or use the BMC Remedy User Tool. To do it you need to:
• Log in to Remedy with the administration account using BMC Remedy User Tool
• Find the form Configuration ARDBC
• On the list find the value areahub.
The picture illustrates the way of searching for areahub.
• When there is a proper record on the list, it means that AREA-HUB has been suitably installed.

The picture illustrates the search result on condition that the areahub has been suitably installed.
• When AREAHUB has not been installed you will have to do it by making appropriate entries in the file ar.cfg/ar.conf:

    Windows:        Plugin: areahub.dll
    Solaris/Linux:  Plugin: areahub.so

• In order to verify whether Plugin AREAHUB works properly you need to restart the BMC Remedy AR System service. After the restart, the log file of the plugin should contain the following entry (if the log file is large, search it for the value ARSYS.AREA.HUB):

In order to turn on logging of the Plugin Server, go to the chapter entitled Turning on of the Plugin Server logging.

AREAHUB configuration for Plugin AREA SSO usage
To activate the AREA SSO Plugin, add the following entries to the ar.cfg/ar.conf file (this configuration uses the additional authorization based on LDAP):

    Plugin: areahub.dll
    AREA-Hub-Plugin: areasso.dll
    AREA-Hub-Plugin: arealdap.dll

Configuration using the authorization pursuant to form User:

    Plugin: areahub.dll
    AREA-Hub-Plugin: areasso.dll

AREA SSO plugin configuration in the area-sso.cfg/area-sso.conf file
You should change the following entries in the area-sso.cfg/area-sso.conf file.

Parameter / Description

MidTier-Enabled
    If users will connect to BMC Remedy AR System by Web browser, this parameter should be "enabled".
    For example: MidTier-Enabled: Enabled

MidTier-IP
    Addresses of the Mid-Tier Servers that users will be authorized by.
    For example: MidTier-IP: 127.0.0.1,192.168.21.2

New-MidTier-Shared-Key
    Shared key password, identical to the one configured in the second part of the installation guide. The password is going to be encoded in the area-sso.cfg/area-sso.conf file after restarting BMC Remedy AR System.
    For example: New-MidTier-Shared-Key: <password>

RUT-Enabled
    If users will connect to the BMC Remedy AR System by BMC Remedy User, this parameter should be "enabled".
    For example: RUT-Enabled: Enabled

AuthService-IP
    IP address of the SSO Authentication Service. This parameter should be "enabled" if "RUT-Enabled" is set to Enabled.
    For example: AuthService-IP: 127.0.0.1

AuthService-Port
    TCP port on which the SSO Authentication Service works. The default parameter value is port 11000.
    For example: AuthService-Port: 12000

Configuration of the AREA LDAP plugin
If the BMC AREA LDAP Plugin is used to store data about users in LDAP or in Active Directory, you will need to follow the instructions in the following chapter. In the case when the data about users is stored in the form User within AR System, go straight to the chapter Turning on of the Plugin Server logging.

After having made sure that plugin AREAHUB has been properly installed, the next step is to configure the BMC AREA LDAP Plugin, or to check that it has been properly installed and configured. The installation and configuration details can be found in the documents of BMC AR System:

BMC Remedy Action Request System 7.0 Integrating with Plugins and Third-Party Products
http://www.bmc.com/supportu/documents/84/67/58467/58467.pdf
BMC Remedy Action Request System 7.1.00 Integrating with Plugins and Third-Party Products
http://www.bmc.com/supportu/documents/93/94/69394/69394.pdf
BMC Remedy Action Request System 7.5.00 Integration Guide
http://www.bmc.com/supportu/documents/53/80/95380/95380.pdf

The page references given for these documents are Page 133, Page 143 and Page 163.

To verify that the BMC AREA LDAP plugin configuration is appropriate, open the AREA LDAP Configuration form and check that the data entered into the form is correct.

The picture illustrates a model BMC AREA LDAP plugin configuration.
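The area-sso.conf entries described in Installation Part 1 can be checked before restarting AR System. The following Python check is an added example, not part of the original guide or of the product. It assumes the file uses the "Name: value" layout of the guide's examples with "#" comments, that MidTier-IP is a comma-separated list, and that New-MidTier-Shared-Key is present only while the key is still in clear text; both sample files are constructed.

```python
"""Consistency check for an area-sso.conf-style file (added example)."""
import ipaddress

DEFAULT_AUTH_PORT = 11000  # default AuthService-Port stated in the guide

# Constructed sample files (not taken from a real installation).
SAMPLE_OK = """\
MidTier-Enabled: Enabled
MidTier-IP: 127.0.0.1,192.168.21.2
RUT-Enabled: Enabled
AuthService-IP: 127.0.0.1
AuthService-Port: 12000
"""
SAMPLE_BAD = """\
# key never replaced, host name instead of an address, no service address
MidTier-Enabled: Enabled
MidTier-IP: 127.0.0.1,midtier01
New-MidTier-Shared-Key: <password>
RUT-Enabled: Enabled
AuthService-Port: 70000
"""


def parse_conf(text):
    """Parse 'Name: value' lines; blank lines and '#' comments are skipped (assumed syntax)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        entries[name.strip()] = value.strip()
    return entries


def is_enabled(entries, name):
    """True when the entry is set to Enabled (compared case-insensitively, an assumption)."""
    return entries.get(name, "").lower() == "enabled"


def invalid_ips(value):
    """Return the items of a comma-separated list that are not valid IP addresses."""
    bad = []
    for item in value.split(","):
        try:
            ipaddress.ip_address(item.strip())
        except ValueError:
            bad.append(item.strip())
    return bad


def check_area_sso(text):
    """Return a list of findings; an empty list means the entries are consistent."""
    entries = parse_conf(text)
    findings = []
    midtier = is_enabled(entries, "MidTier-Enabled")
    rut = is_enabled(entries, "RUT-Enabled")
    if not (midtier or rut):
        findings.append("neither MidTier-Enabled nor RUT-Enabled is set to Enabled")
    if midtier:
        # The AREA plugin trusts these hosts to present the shared key.
        for bad in invalid_ips(entries.get("MidTier-IP", "")):
            findings.append("MidTier-IP: %r is not an IP address" % bad)
    if "New-MidTier-Shared-Key" in entries:
        key = entries["New-MidTier-Shared-Key"]
        if key in ("", "<password>"):
            findings.append("New-MidTier-Shared-Key: empty or still the <password> placeholder")
        else:
            findings.append("New-MidTier-Shared-Key: clear-text key present, AR System not restarted yet")
    if rut:
        if invalid_ips(entries.get("AuthService-IP", "")):
            findings.append("AuthService-IP: missing or not an IP address")
        port = entries.get("AuthService-Port", str(DEFAULT_AUTH_PORT))
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append("AuthService-Port: %r is not a valid TCP port" % port)
    return findings


if __name__ == "__main__":
    for finding in check_area_sso(SAMPLE_BAD):
        print(finding)
```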

Turning on of the Plugin Server logging
In order to verify that the Remedy SSO Plugin works properly, turn on Plugin Server logging as an authorized ARS user: in the module Server Information, in the folder Log Files, select All in the Plugin Log Level.

The picture illustrates the way of configuring logging of the Plugin Server.

6.5 Installation part II in the environment on the side of Mid-Tier server
All the files to be used in this part of the installation can be found in the mt directory.

Java SDK Environment
At first you need to check if the Java SDK has been installed on the server. Installation of the Java JRE is not sufficient for the correct functioning of the system.

Copying and changes of the files
1. Patch the file web.xml that can be found on the Mid-Tier server, using the file web.xml.patch. The contents of the patch need to be copied into the file Mid-Tier\WEB-INF\web.xml between the last entry of type </filter> and the first one of type <filter-mapping>
2. Copy the mt-sso.jar file to the Mid-Tier\WEB-INF\lib directory
3. Copy the jespa-1.0.9.jar file to the Mid-Tier\WEB-INF\lib directory
4. Copy the bcprov-jdk15-144.jar file to the Mid-Tier\WEB-INF\lib directory

5. Copy the mt-sso.config file to the Mid-Tier\WEB-INF\classes directory
6. Copy the mt-sso.license file to the Mid-Tier\WEB-INF\classes directory
7. Copy the whole sso directory to the Mid-Tier\shared directory
8. After having made all the above changes you need to restart the Mid-Tier server.

Creating service account for NETLOGON communication
If the authorization is supposed to take place in the Windows Controller, you need to create a service account in Active Directory. Otherwise you can move on to the next point, Configuration of the MidTier SSO plugin via http website.

To create the service account in Active Directory you have to use a tool called Active Directory Users and Computers (ADUC). The NETLOGON service requires the account to be of the Computer type (a regular user's account will not work). We recommend entering the same value, using letters, digits and underscores (without spaces), in the fields "Computer name" (cn) and "pre-Windows 2000 name" (sAMAccountName). The created service account has its own DN, which has to be used to change the password in the next step.
E.g.: If the account has been called REMEDY and the name of the domain in which the account has been created is example.com, the DN for this account will equal: CN=REMEDY,CN=Computers,DC=example,DC=com.

Change of a password to the service account
A password to the service account must be entered in the MidTier SSO Plugin configuration. The password can be changed only by using the Microsoft tools or with the help of the script attached to the installation pack:

2 'SetComputerPass.Quit End If strDn = WScript.Echo "Usage: SetComputerPass.Quit The above scripts should be activated from the station that has rights to the Active Directory. objComputer If WScript.DC=example. The following example demonstrates how to change the password for the account CN=REMEDY. Open the website of the configuration tool in your internet browser: http://path-to-midtier/arsys/shared/sso/config.GetPassword() Set objComputer = GetObject("LDAP://" & strDn) objComputer.vbs CN=REMEDY. objPassword. 3.Echo WScript.arguments.DC=com Password: ********** Configuration of the MidTier SSO plugin via http website In order to configure MidTier SSO Plugin you need to: 1.Plug-in Single Sign On Version 1.count <> 1 Then WScript.Password") WScript.jsp 2. Log in the administration panel by using a password.StdOut. Select General Settings MidTier SSO configuration tool contains the following section: Core Configuration Parametr Turn On/Off Shared Key Opis Turning on and turning off of MidTier SSO plugin In this field you should enter the same password as the one defined on the side of ARS Server (SharedKey) Log level of MidTierSSO plugin Potential values:  Info – information about configuration  Trace – information about users logging into the system Copyright @ 2009 TopPositions 19 SSO Log Level . strPassword.item(0) Set objPassword = CreateObject("ScriptPW.Echo "Password set on " & strDn WScript.vbs <ComputerDN>" WScript.DC=com: C:\>cscript SetComputerPass.SetPassword strPassword WScript. 4.Write "Password:" strPassword = objPassword.vbs Option Explicit Dim strDn. The default password for the administration panel is “password”.CN=Computers.CN=Computers.DC=example.arguments.

    • Debug – debugging information
    • All – all the information

Username conversion
    Username conversion. Possible values:
    • To Upper case – changes all the letters in the username into upper case ones. For example: ABAKER@EXAMPLE.COM
    • To Lower case – changes all the letters in the username into lower case ones. For example: abaker@example.com

HTTP header(s) containing username
    If the external SSO system sends the username in a specific HTTP header, in this field you should enter the name of this header. Otherwise this field should remain empty.

Windows Authentication Configuration
When the users' authorization is to take place in the Windows Controller, you need to fill in the following fields. Otherwise you need to restart the Mid-Tier module. The installation of the Mid-Tier SSO Plugin is completed.

Parameter / Description

Active Directory domain
    Name of the domain into which users will be authenticated; it must be entered in full format. For example: example.com

NTLM log level
    NTLM protocol log level. Possible values:
    • None – no logging
    • Critical – critical errors
    • Basic – basic information
    • Detailed – detailed information
    • Debugging – all the information

Computer Account
    Name of the user's account created in the point: Creating service account for NETLOGON. For example: REMEDY$@EXAMPLE.COM*
    *It is necessary to type $ after the username.

Computer Password
    Password to the user's account (Computer Account) modified in the point: Change of a password to the service account

Canonical Account Name
    Format of a user logging into the Remedy system. Possible values:
    • Username – only username. For example: abaker

    • Backslash – username + domain name separated by the symbol '\'. For example: EXAMPLE\abaker
    • Principal – username + full domain name separated by the symbol '@'. For example: abaker@example.com

Save the changes and then restart the MidTier application.

Configuration of the Remedy SSO solution via edition of the file mt-sso.config
To configure the MidTier SSO plugin manually, you should change the mt-sso.config file that you can find in the Midtier\WEB-INF\classes directory.

Core Configuration
Parameter / Description

remedy.sso.status
    Turning on and turning off of the Remedy SSO plugin. Possible values: on/off

remedy.sso.new.sharedKey
    A password that has been defined on the side of the ARS server (SharedKey). After restarting the Mid-Tier service the password will be hashed and saved in the configuration file within the parameter: remedy.sso.sharedKey

remedy.sso.loglevel
    Remedy SSO log level. Possible values:
    • Info – information about configuration
    • Trace – information about users logging into system
    • Debug – debugging information
    • All – all the information

remedy.sso.username.case
    Username conversion. Possible values:
    • upper – changes all the letters in the username into upper case ones. For example: ABAKER@EXAMPLE.COM
    • lower – changes all the letters in the username into lower case ones. For example: abaker@example.com

remedy.sso.http.header
    If the external SSO system sends the username in a specific HTTP header, in this field you should enter the name of this header. Otherwise this field should remain empty.

Windows Authentication Configuration
Parameter / Description

jespa.bindstr
    Name of the domain into which users will be authenticated; it must be entered in full format. For example: example.com

jespa.log.level
    NTLM protocol log level. Possible values:
    0 – no logging
    1 – critical errors
    2 – basic information
    3 – detailed information
    4+ – all the information

jespa.service.acctname
    Name of the user's account created in the point: Creating service account for NETLOGON. For example: REMEDY$@EXAMPLE.COM*
    *It is necessary to type $ after the username.

jespa.service.new.password
    Password to the user's account (Computer Account) modified in the point: Change of a password to the service account. After restarting the Mid-Tier service the password should be hashed and saved in the configuration file within the parameter jespa.service.password

jespa.account.canonicalForm
    Format of a user logging into Remedy AR System. Possible values:
    2 – only username. For example: abaker
    3 – username + domain name separated by the symbol '\'. For example: EXAMPLE\abaker
    4 – username + full domain name separated by the symbol '@'. For example: abaker@example.com

In the file you can use additional options for Windows Authentication. More details can be found in the technical documentation for the Jespa module: Jespa Operator's Manual

Save the changes and then restart the MidTier application.

6.6 Installation Part III SSO Authentication Service
All the files to be used in this part of the installation can be found in the rut directory. If the automatic logging should not work on the BMC Remedy User Tool application, please skip the rest of this chapter.

SSO Authentication Service is the service that is run on a Windows server. It identifies users in the Windows controller by the SSPI Negotiation interface (NTLM protocol).

The following service may be run on each Windows Server that is connected to the domain.

Running the installer
1. Run setup.exe on the server where the SSO Authentication Service will be installed (be logged on to the administrator's account).
2. If there is no Microsoft .Net Framework 3.5 on the server, its installer will install automatically.
3. Choose Next on the first screen.
4. Accept the license by choosing the checkbox "YES – I accept the terms of the License Agreement", and then click Next.

Plug-in Single Sign On Version 1. Copyright @ 2009 TopPositions 24 . 6.2 5. Choose the directory where SSO Authentication Service will be installed. and then click Next. then click Next. Choose SSO Authentication Service from the list and remove SSO Authentication plugin.

7. Type the TCP port number used by the SSO Authentication Service (the port must not be used by any other services), then click Next.
8. Choose the format of a username logging into Remedy AR System, then click Next.

In Canonical Account Name you can choose between the following:
• Username – only username. For example: abaker
• Backslash – username + domain name separated by the symbol '\'. For example: EXAMPLE\abaker
• Principal – username + full domain name separated by the symbol '@'. For example: abaker@example.com

In the UserName Conversion area you can choose between the following:
• Upper – changes all the letters in the username into upper case ones. For example: ABAKER@EXAMPLE.COM
• Lower – changes all the letters in the username into lower case ones. For example: abaker@example.com

9. Enter the location of the BMC Remedy AR System to which users will be automatically logged in. When the field is left empty, the configuration will be necessary on each user's station. Then choose Next.

10. Continue the installation by choosing Next.
11. Installation completed. Choose Finish to close the installer.

6.7 Installation Part IV - Plugin SSO Authentication for BMC Remedy User Tool
All the files to be used in this part of the installation can be found in the rut directory. If you want the automatic Single Sign On logging in BMC Remedy User to work on the final user's workstation, please install the SSO Authentication plugin.

Running the installer
1. Run setup.exe on the workstation where the SSO Authentication Plugin will be installed.
2. If there is no Microsoft .Net Framework 3.5 on the workstation, its installer will install automatically.
3. Choose Next on the first screen.

4. Accept the license by choosing the checkbox "YES – I accept the terms of the License Agreement", and then click Next.
5. Choose the directory where the SSO Authentication Plugin will be installed, and then click Next.

6. Choose SSO Authentication Plugin from the list and remove SSO Authentication Service, then click Next.
7. Enter the location of the SSO Authentication Service to which users will be automatically logged in. Then choose Next.

8. Continue the installation by choosing Next.
9. Installation completed. Choose Finish to close the installer.

11. To verify whether the installation completed successfully, open the BMC Remedy User application and check if the user was automatically logged in to BMC Remedy AR System.

7 TROUBLESHOOTING
If during the installation you faced a problem that cannot be solved, you should take the following steps in order to enable us to diagnose the problem.

7.1 SSO AREA plugin
At the beginning of problem diagnosis you need to verify whether the SSO AREA plugin has been correctly installed and configured.

Mid-Tier IP address
At first you need to check whether the Mid-Tier IP address in the file area-sso.cfg/area-sso.conf has been correctly configured.

Shared-Key
Then you need to verify if the shared-key has been correctly configured. In order to do that you have to start the tool BMC Remedy User on the server on which Mid-Tier is installed. Then in the field 'username' enter your login coming from Active Directory; the field 'password' should be left empty. In the field 'authentication' you should enter the 'shared-key' that was previously configured during installation. If you manage to log into the system, that would mean the SSO AREA plugin has been properly installed and configured. Otherwise you have to set up a correct shared-key again in the file area-sso.cfg/area-sso.conf.

7.2 AREA LDAP plugin
If the AREA LDAP plugin is not used to authorize users in Active Directory, you need to move on to the next step. Otherwise you have to start the tool BMC Remedy User. After that you should enter your login coming from Active Directory in the field 'username' and enter a domain password in the field 'password'. If you manage to log into the system, that would mean the AREA LDAP plugin has been properly installed and configured. Otherwise you have to check the configuration of the AREA LDAP plugin in the form AREA LDAP Configuration.

7.3 Mid-Tier SSO Plugin
If the SSO AREA plugin works properly, in the next step you need to check if the plugin on the side of Mid-Tier has been correctly installed.

MT-SSO.jar
At first you should check if the file MT-SSO.jar has been correctly installed. In order to do that you need to check if there is the file MT-SSO.jar in the directory Mid-Tier/WEB-INF/lib.

mt-sso.license
Then you need to check if the file mt-sso.license has been correctly installed. In order to do that you need to check if there is the file mt-sso.license in the directory Mid-Tier/WEB-INF/classes.

mt-sso.config
In the next step you need to check if the file mt-sso.config has been correctly installed. In order to do that you need to check if there is the file mt-sso.config in the directory Mid-Tier/WEB-INF/classes.

MidTier SSO Plugin Configuration
In order to verify whether MidTier SSO plugin has been correctly configured you need to open the website of the Configuration tool: http://mid-tier hostname/arsys/shared/sso/config.jsp. Then after correct logging you need to verify if:
• a correct licence has been installed
• Remedy SSO plugin has been turned on
• Windows Controller data have been entered correctly (if the controller is used for users’ authentication)

7.4 SSO Authentication Service

If the SSO Auth Service doesn’t work, check the EventLog entries (on the Server on which it was installed).

7.5 What’s next

If the problem continues you should forward an email to our support department including the following information:
• file AR Server plugin log (with the Plugin-Log-Level adjusted to 100) with a user’s logging attempt registered by BMC Remedy User using shared-key,
• files ar.cfg and area-sso.cfg from AR Server,
• the file web.xml from Mid-Tier server, and the file mt-sso.config from Midtier,
• log files from servlet engine on which Mid-Tier has been installed,
• EventLog entries for SSO Auth Service,
• version numbers of the ARS server and Mid-Tier together with patch numbers,
• name and version number of servlet engine.

8 POTENTIAL ERRORS

Below find a list of errors that may occur during installation:

8.1 Mid-Tier can’t find the file mt-sso.jar

If during installation you have forgotten to copy the file mt-sso.jar, in logs of Tomcat server there should be the following error report:

java.lang.ClassNotFoundException: remedy.sso.midtier.filters.SSOHttpFilter
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1362)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1208)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:207)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)

8.2 Mid-Tier can’t find the file jespa-1.0.9.jar

If during installation you have forgotten to copy the file jespa-1.0.9.jar, in logs of Tomcat server there should be the following error report:

java.lang.NoClassDefFoundError: jespa/http/HttpSecurityService
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1852)
    at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:876)

8.3 Mid-Tier can’t find the file with the licence

If during installation you have forgotten to copy the file mt-sso.license, in logs of Tomcat server there should be the following error report:

15:14:51.942 Remedy Single Sign ON WARN (lic.LicenseManager:loadLicence:?) - Licence file: /mt-sso.license not found
15:14:51.942 Remedy Single Sign ON ERROR (lic.LicenseManager:validateLicense:?) - License not loaded
15:14:51.942 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - License not loaded

8.4 Mid-Tier can’t find the configuration file mt-sso.config

If during installation you have forgotten to copy the file mt-sso.config, in logs of Tomcat server there should be the following error report:

15:33:20.317 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - Failed to load config file!

8.5 Plugin SSO can’t find the Domain controller

If during installation you have incorrectly entered the domain name in the field Active Directory domain, in logs of Tomcat server there should be the following error report:

java.net.PortUnreachableException: ICMP Port Unreachable
    at java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at java.net.PlainDatagramSocketImpl.receive(Unknown Source)
    at java.net.DatagramSocket.receive(Unknown Source)
    at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source)
    at com.sun.jndi.dns.DnsClient.query(Unknown Source)
    at com.sun.jndi.dns.Resolver.query(Unknown Source)

8.6 Plugin SSO can’t log into Domain controller

If during configuration you have incorrectly entered the name of a service account or its password, in the field Active Directory domain, in logs of Tomcat server there should be the following error report:

jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
    at jcifs.smb.SmbTransport.checkStatus(Unknown Source)
    at jcifs.smb.SmbTransport.send(Unknown Source)
    at jcifs.smb.SmbSession.sessionSetup(Unknown Source)
    at jcifs.smb.SmbSession.send(Unknown Source)
    at jcifs.smb.SmbTree.treeConnect(Unknown Source)

8.7 SSO Authentication service doesn’t work

The TCP port is probably in use by another service. Change the port number (SSO Auth Service should be installed again).
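The error reports in sections 8.1 to 8.6 can be checked for mechanically. The following triage script is an added example, not part of the original guide or the plugin; the function names, the sample log and the `example.Heartbeat` frame are constructed for illustration, and the generic exceptions of 8.5 and 8.6 are only reported when their stack trace passes through the DNS or jcifs classes shown in the guide.

```python
import re

# (section, diagnosis, header regex, stack frame that must follow or None).
# Signatures and diagnoses come from sections 8.1-8.6 of this guide.
SIGNATURES = [
    ("8.1", "mt-sso.jar not found by Mid-Tier",
     re.compile(r"ClassNotFoundException: remedy\.sso\.midtier\.filters\.SSOHttpFilter"), None),
    ("8.2", "jespa-1.0.9.jar not found by Mid-Tier",
     re.compile(r"NoClassDefFoundError: jespa/http/HttpSecurityService"), None),
    ("8.3", "mt-sso.license not found by Mid-Tier",
     re.compile(r"Remedy Single Sign ON \w+ \(.*\) - Licen[cs]e .*not (found|loaded)"), None),
    ("8.4", "mt-sso.config not found by Mid-Tier",
     re.compile(r"Remedy Single Sign ON ERROR \(.*\) - Failed to load config file!"), None),
    ("8.5", "domain controller not found (check Active Directory domain)",
     re.compile(r"PortUnreachableException: ICMP Port Unreachable"), "com.sun.jndi.dns."),
    ("8.6", "service account name or password rejected by domain controller",
     re.compile(r"SmbAuthException: Logon failure"), "jcifs.smb."),
]

def frames_after(lines, start):
    """Yield the 'at ...' stack frames that directly follow an exception header."""
    for line in lines[start:]:
        if not line.lstrip().startswith("at "):
            break
        yield line

def triage(log_text):
    """Return sorted (section, first line number, diagnosis) for each known error."""
    lines = log_text.splitlines()
    found = {}
    for i, line in enumerate(lines):
        for section, diagnosis, header, frame in SIGNATURES:
            if section in found or not header.search(line):
                continue
            # A generic exception only counts if its trace passes through the expected package.
            if frame and not any(frame in f for f in frames_after(lines, i + 1)):
                continue
            found[section] = (i + 1, diagnosis)
    return sorted((s, n, d) for s, (n, d) in found.items())

# Constructed sample log, modelled on the reports in section 8 (not a real capture).
# The first trace is a decoy: same exception as 8.5, but no DNS frames.
SAMPLE_LOG = """\
java.net.PortUnreachableException: ICMP Port Unreachable
    at java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at example.Heartbeat.poll(Unknown Source)
15:14:51.942 Remedy Single Sign ON ERROR (filters.SSOHttpFilter:init:?) - License not loaded
jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
    at jcifs.smb.SmbTransport.checkStatus(Unknown Source)
    at jcifs.smb.SmbSession.sessionSetup(Unknown Source)
"""

if __name__ == "__main__":
    for section, lineno, diagnosis in triage(SAMPLE_LOG):
        print(f"section {section}, log line {lineno}: {diagnosis}")
```

To use it on a real installation, pass the contents of the Tomcat log file to `triage` instead of `SAMPLE_LOG`.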