Level: Intermediate
Giancarlo V. Marchesi (gmarches@us.ibm.com), Solution Architect, IBM
Rajalakshmi Iyer (iyer_rajalakshmi@in.ibm.com), Staff Software Engineer, IBM
01 Oct 2007
This article is intended to broaden the deployment skills of customers, Business Partners and IBM consultants who deploy and operate the IBM® Tivoli® Access Manager for Enterprise Single Sign-On (TAMESSO) product. It describes troubleshooting tips for commonly reported problems and helps overcome issues encountered when integrating TAMESSO with other products.
TAMESSO provides single sign-on by introducing a secure middle layer that authenticates the user once, and then automatically detects and handles subsequent requests for user credentials. It is intelligent client software that works by responding to logon requests on behalf of the user, directly from the user's desktop. The appropriate application helper object, in turn, responds to each application's logon request by automatically providing the correct credentials. It supports authentication from any authenticator (for example, passwords, biometrics, tokens and smart cards) and authentication service (for example, Microsoft® Windows®, Entrust PKI or LDAP). It is ready to use with almost any Windows, Web, proprietary and host-based application, thereby lowering IT, help-desk and integration costs. The following diagram illustrates the architecture of TAMESSO.
Figure 1. TAMESSO architecture diagram
TAMESSO logs
The components that constitute TAMESSO are distributed. Administrators need to be aware of the interaction between the various components and know which logs to refer to while debugging an issue. The table below details the logs associated with TAMESSO and when and how to enable them. Note that the registry changes described below do not take effect until TAMESSO is restarted (which happens automatically when the computer boots and the client starts).
Table 1. Important logs to refer to while troubleshooting TAMESSO
| Log Type | When to enable | How to enable |
|---|---|---|
| Event Logs | Enable event logging to monitor user events including client startup and shutdown, logon, password changes, credential updates, authenticator changes, backup and restore, and more. Events can be logged to any desired destination including a local XML store, an SNMP service, the Windows event logs, or a directory server. | Event logging is an optional feature of TAMESSO and is installed by enabling the Event Manager and the required extension during custom installation. Events are cached for a specific duration before being periodically flushed through the selected extension. To configure the events to log and the extensions, go to TAMESSO Administrative Console \| Global Agent Settings \| <selected set> \| Event Logging:<br>- Enable the check box Select Events to log and select the events from the available list.<br>- Go to the Advanced tab and provide other settings such as the cache limit and cache retry interval.<br>- Depending on whether the XML extension or the Windows event viewer extension is to be used, configure the corresponding options in the respective tabs. |
| Inactivity Log | Enable this log when TAMESSO does not respond to applications that have been configured for single sign-on. Because this trace generates a lot of data, enable it only for a short duration. | Using regedit, set:<br>- the DWORD registry value HKLM\Software\Passlogix\Shell\LogInactive to 1;<br>- the String registry value HKLM\Software\Passlogix\Shell\LogInactivePath to the full path of the directory that should contain the traces (for example, C:\ESSODUMP).<br>The directory that contains the traces must exist before logging can begin. Once set up, bring up the application (Windows or Web) and a trace file is created per window ID. |
| Java™ Helper Object Log | Enable this log when TAMESSO does not respond to a Java application after a template has been defined. | Using regedit, set the DWORD registry value HKLM\Software\Passlogix\Extensions\AccessManager\Enable JHOLog to 1. When enabled, the JHO.log file is created in the user's %appdata%\Passlogix directory. |
| Mainframe Helper Object Status window | Enable the SSO MHO status window when TAMESSO does not respond to mainframe applications after a host application template has been defined. | - Create a shortcut to ssomho.exe (the default path is <TAMESSO client installation path>\v-GO SSO\Helper\Emulator) and drag it to the desktop.<br>- Modify this shortcut's properties to add the /ssomho option in the "Target" field.<br>- Double-click the ssomho.exe shortcut to launch it while TAMESSO is running.<br>- The SSO MHO window now shows the host applications running on the client machine. If a running application is not shown as running, a message in the status window will often explain why the application is not detected.<br>The SSO MHO window closes when the TAMESSO client shuts down or when the same shortcut is double-clicked again. |
| Synchronization Log | Refer to this log when the TAMESSO client fails to synchronize with the repository and, as a result, templates are not available in the Logon Manager or user credentials are not saved in the repository. | Using regedit, set the DWORD registry value TraceSync in HKLM\Software\Passlogix\Extensions\SyncManager\Syncs to 1. With this flag set, the log file SYNCLOG.txt is created in the user's %appdata%\Passlogix directory if any synchronization errors occur. |
| Crash Log | Refer to this log when TAMESSO fails to start. Send it to IBM Support for analysis. | It is generated when TAMESSO fails to start, is located at Documents and Settings\<user profile>\Application Data\Passlogix and is named "vgo.log". |
| DPRA Log | Refer to this log while debugging issues related to the Desktop Password Reset Adapter. | To enable the DPRA log file, use regedit to set the string value logfile under HKLM\SOFTWARE\Passlogix\SSPR\SSPRService to the path of the log file (for example, C:\DPRA_LOG.txt). |
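The registry-driven logs in Table 1 are usually toggled by hand in regedit; the script below is an added example (not part of the article or of the TAMESSO product) that sets the same values from PowerShell so the change is repeatable and can be verified before the client is restarted. Registry paths and value names are those listed in the table; the trace directory C:\ESSODUMP and the DPRA log path C:\DPRA_LOG.txt are the table's own example values. It also creates the inactivity-trace directory first, because logging does not start until that directory exists.

```powershell
# Added example (not from the article): toggle the TAMESSO diagnostic logs from
# Table 1 with PowerShell instead of regedit. Registry paths and value names are
# taken from the table; C:\ESSODUMP is the table's own example trace directory.
# Run from an elevated prompt; TAMESSO must be restarted for the settings to apply.

$TraceDir = 'C:\ESSODUMP'

function Set-RegistryValue {
    # Creates the key if it is missing, then writes the value with the given type.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'String')] [string] $Type = 'DWord'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-TamessoInactivityLog {
    # Table 1, "Inactivity Log": the trace directory must exist before logging starts.
    if (-not (Test-Path -LiteralPath $TraceDir)) {
        New-Item -ItemType Directory -Path $TraceDir | Out-Null
    }
    Set-RegistryValue 'HKLM:\Software\Passlogix\Shell' 'LogInactive' 1
    Set-RegistryValue 'HKLM:\Software\Passlogix\Shell' 'LogInactivePath' $TraceDir -Type String
}

function Disable-TamessoInactivityLog {
    # The table advises keeping this trace on only briefly because of its volume.
    Set-RegistryValue 'HKLM:\Software\Passlogix\Shell' 'LogInactive' 0
}

function Enable-TamessoJhoLog {
    # Table 1, "Java Helper Object Log"; JHO.log appears under %APPDATA%\Passlogix.
    Set-RegistryValue 'HKLM:\Software\Passlogix\Extensions\AccessManager' 'Enable JHOLog' 1
}

function Enable-TamessoSyncTrace {
    # Table 1, "Synchronization Log"; SYNCLOG.txt is written only when sync errors occur.
    Set-RegistryValue 'HKLM:\Software\Passlogix\Extensions\SyncManager\Syncs' 'TraceSync' 1
}

function Enable-DpraLog {
    # Table 1, "DPRA Log"; the default path is the table's example value.
    param([string] $LogFile = 'C:\DPRA_LOG.txt')
    Set-RegistryValue 'HKLM:\SOFTWARE\Passlogix\SSPR\SSPRService' 'logfile' $LogFile -Type String
}

function Get-TamessoLogSettings {
    # Reads back every value touched above so the change can be verified.
    foreach ($entry in @(
        @{ Path = 'HKLM:\Software\Passlogix\Shell';                        Name = 'LogInactive' },
        @{ Path = 'HKLM:\Software\Passlogix\Shell';                        Name = 'LogInactivePath' },
        @{ Path = 'HKLM:\Software\Passlogix\Extensions\AccessManager';     Name = 'Enable JHOLog' },
        @{ Path = 'HKLM:\Software\Passlogix\Extensions\SyncManager\Syncs'; Name = 'TraceSync' },
        @{ Path = 'HKLM:\SOFTWARE\Passlogix\SSPR\SSPRService';             Name = 'logfile' })) {
        $value = (Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue).($entry.Name)
        [pscustomobject]@{ Key = $entry.Path; Name = $entry.Name; Value = $value }
    }
}

Enable-TamessoInactivityLog
Enable-TamessoJhoLog
Enable-TamessoSyncTrace
Enable-DpraLog
Get-TamessoLogSettings | Format-Table -AutoSize
```

Call Disable-TamessoInactivityLog once the trace has been collected; the other logs are low-volume and can stay on while the case is open.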
The rest of this article is organized into sections, each providing a brief introduction to an individual component of TAMESSO along with debugging tips for that component.
SSO adapter
The single sign-on adapter (identified as TAMESSO core in the diagram above) detects an application's request for credentials, determines the appropriate action, and responds with the correct credentials. It enables configuration of many popular applications by providing options for:
- Logon methods, which are plug-ins that provide different ways of logging on to TAMESSO.
- Extensions, which enhance and extend the functionality of TAMESSO.
- The Logon Manager, which comprises several helper plug-ins that assist with SSO.
- The Synchronization Manager, which synchronizes credentials and settings from the supported data stores.
- The Event Manager, which controls which events to log, where and when to log them, and whether to maintain a local copy of the log.
Listed below are debugging tips for typical issues encountered with the SSO adapter, along with troubleshooting procedures for each.
TAMESSO does not respond to any application
This symptom occurs when one or more of the following is true:
- The TAMESSO client is not running.
  When TAMESSO is running, the TAMESSO target icon is visible in the system tray and at least one instance of SSOShell.exe appears in the Task Manager | Processes tab. If TAMESSO is not running, try to start it from the Start menu. If it still fails to start, send the Crash Log (refer to the section "TAMESSO logs") to IBM Support. It is also possible that TAMESSO is configured to shut down if the repository is not available.
- More than the expected number of SSOShell.exe processes are running.
  If TAMESSO is running, confirm that the number of SSOShell.exe processes launched (as displayed under Task Manager | Processes) is as expected. The expected number of SSOShell.exe processes is:
  - one for the base copy that corresponds to the icon in the system tray;
  - one copy for each open Logon Manager session;
  - one copy that opens temporarily (1-2 seconds) during a synchronization, logon, or password change event.
  If more instances than expected are running, try restarting the TAMESSO client.
  Inappropriate file system and registry lockdowns can prevent Microsoft and RSA encryption from functioning properly. Hence, try to log on as a user with local administrator rights or as a user with few or no policy restrictions.
  If you do not have appropriate rights in the TAMESSO repository, try logging on as a user who has successfully used TAMESSO on another computer.
- TAMESSO fails to synchronize with the repository (Active Directory) and does not pull down application templates.
  TAMESSO configuration files include:
  - entlist.ini, which is created to provide the organization with customized logons for Windows, Web and mainframe applications. It is located in the Documents and Settings\<user data>\Application Data\Passlogix directory.
  - applist.ini, which contains pre-defined logons for network and Web pop-up logon dialogs for many online service providers. It is located in the TAMESSO installation directory (for example, C:\Program Files\Passlogix\v-GO SSO\plugin\LogonMgr).
  - aetlist.ini, which is the TAMESSO application logon instructions file obtained by merging entlist.ini and applist.ini. It resides in the Documents and Settings\<user data>\Application Data\Passlogix directory.
Check to see if entlist.ini exists. If not, TAMESSO cannot connect to Active Directory. Even if entlist.ini exists, in order to ensure connectivity to Active Directory, delete it, open TAMESSO Logon Manager and select Refresh. This file is re-created if TAMESSO is able to connect to Active Directory.
Check to see if applist.ini exists. If not, the TAMESSO installation is corrupt and needs repair. Re-installing TAMESSO through Control Panel | Add/Remove Programs should solve it.
Check if aetlist.ini exists. If not, then the merge process between entlist.ini and applist.ini is not successful. If applist.ini and entlist.ini both exist, contact IBM Support for assistance.
- Templates are missing for the application being tested.
If the credentials appear in the Logon Manager for the affected application, but the credentials listed are grayed out, the templates are not currently available. Ensure that the templates in Active Directory were not renamed, and that the affected user has the rights to the templates.
From the TAMESSO system tray icon, go to Configuration | Settings. On the Password tab confirm that Auto-Prompt is checked. On the Logons tab, confirm that Auto-Recognize is checked. On the Excluded Web-sites tab, confirm that the base domain (for example, company.com) for the Web application is not listed.
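The first three checks in the list above (client running, SSOShell.exe count, presence of the three .ini files) are read-only and lend themselves to a script. The following is an added example (not from the article or from IBM) that performs them from PowerShell on the client and prints the diagnosis the text gives for each failure. The install directory C:\Program Files\Passlogix\v-GO SSO is the article's example path and is an assumption here, as is the number of open Logon Manager windows, which the operator passes in; SSOBHO.exe is counted as well because the Web-application section below relies on exactly one instance.

```powershell
# Added example (not from the article): read-only health check for the
# "TAMESSO does not respond to any application" symptom. Process names and file
# locations are the ones named in the text; the install path is an assumed default.

function Test-TamessoShellProcesses {
    param([int] $OpenLogonManagerWindows = 0)
    # Expected: one base copy (tray icon) plus one per open Logon Manager session.
    # A transient extra copy may exist for 1-2 seconds during sync/logon/password change,
    # so one more than expected is tolerated.
    $expected = 1 + $OpenLogonManagerWindows
    $running  = @(Get-Process -Name 'SSOShell' -ErrorAction SilentlyContinue).Count
    $bho      = @(Get-Process -Name 'SSOBHO'   -ErrorAction SilentlyContinue).Count

    $status = 'SSOShell.exe count is within the expected range.'
    if ($running -eq 0) {
        $status = 'TAMESSO client is not running; start it from the Start menu and collect vgo.log if it fails.'
    } elseif ($running -gt $expected + 1) {
        $status = "More SSOShell.exe instances than expected ($running running, $expected expected); restart the client."
    }
    [pscustomobject]@{
        SSOShellRunning  = $running
        SSOShellExpected = $expected
        SSOBHORunning    = $bho
        Status           = $status
    }
}

function Test-TamessoConfigFiles {
    # Assumed default install path; override if TAMESSO was installed elsewhere.
    param([string] $InstallDir = 'C:\Program Files\Passlogix\v-GO SSO')
    $userDir = Join-Path $env:APPDATA 'Passlogix'
    $checks = @(
        @{ File = (Join-Path $userDir 'entlist.ini')
           Missing = 'entlist.ini missing: the client cannot connect to Active Directory.' },
        @{ File = (Join-Path $InstallDir 'plugin\LogonMgr\applist.ini')
           Missing = 'applist.ini missing: the installation is corrupt; repair it via Add/Remove Programs.' },
        @{ File = (Join-Path $userDir 'aetlist.ini')
           Missing = 'aetlist.ini missing: the merge of entlist.ini and applist.ini failed.' }
    )
    foreach ($c in $checks) {
        $exists = Test-Path -LiteralPath $c.File
        $diagnosis = if ($exists) { 'OK' } else { $c.Missing }
        [pscustomobject]@{ File = $c.File; Exists = $exists; Diagnosis = $diagnosis }
    }
}

Test-TamessoShellProcesses -OpenLogonManagerWindows 0 | Format-List
Test-TamessoConfigFiles | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session, since entlist.ini and aetlist.ini live under that user's %APPDATA%; a missing entlist.ini on an otherwise healthy machine is the cue to delete and refresh as described above.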
Common issues with web applications
- The TAMESSO client does not respond to Web applications with in-frame credential requests.
The component represented by the SSOBHO.exe process is responsible for the in-frame Web application's logon and password change detection and response. Check that there is one instance of this process running under Task Manager | Processes. If SSOBHO.exe is not running, restart TAMESSO while watching Task Manager | Processes for it. If it is found that this process starts and stops immediately, then it means that this component is failing; send the crash log (Refer to TAMESSO logs) to IBM Support for analysis.
Another possibility is that unnecessary plug-ins are enabled in Internet Explorer (adware, spyware, and so on). Poorly written plug-ins can significantly slow down Web browsing and have negative and unanticipated effects on TAMESSO. Note that TAMESSO has no known conflicts with major commercial plug-ins.
- Auto-recognize does not work on some Web sites.
The Auto-recognize option is used to make the adapter recognize applications and Web sites, and log on the users automatically. It is possible that after TAMESSO configuration for providing SSO to the Web site, the site’s URL has changed. If it has changed, then the site’s logon information must be updated with the new URL. To do this, open the Logon Manager window by double-clicking the TAMESSO system tray icon and edit the Properties to provide the new URL for the application in question by selecting and right-clicking on it.
Common issues with Windows (form-based) applications
- Application is not listed under the New Logon wizard
TAMESSO can provide single sign-on for a configured application even if it is not listed under the New Logon wizard. To do so, it needs the information about where the logon boxes for username, ID, and password are on the application’s logon screen. To accomplish this:
- Bring up the Logon Manager window by double-clicking on the TAMESSO system tray icon (the red target). In Logon Manager, click the Add button, select Add a Logon. In the New Logon wizard that comes up, ensure that Application not in List is selected in the drop-down menu. Provide the application name and an optional description in the Application Name and Description fields and click Next.
- Click on the TAMESSO logo next to Username/ID field and using the mouse, drag it to the username text box of your application. A green check mark then appears next to the TAMESSO logo.
- Click on the TAMESSO logo next to the Password field and using the mouse, drag it to the password text box of your application. A green check mark then appears next to the TAMESSO logo.
- Click Next, enter the credentials required to log on to the application and proceed to the final steps of the New Logon wizard.
Common issues with Java applications
- The TAMESSO client does not respond to Java applications or applets
TAMESSO requires Sun™ Java 1.3.1 or higher for native support of Java applications and applets. Using the java -version command, determine the version of java.exe being used by TAMESSO. Note that when multiple JREs (Java runtime environments) are installed, java.exe is picked from the JRE path that is listed first in the system PATH environment variable.
The JRE installation directory should have \bin, \lib and \lib\ext sub-folders. TAMESSO requires the following support files to be located in this structure for the active JRE path for all applications requiring native Java logon and password change support:
- \bin\ssojho.dll
- \bin\accessibility.properties
- \lib\logging.properties
- \lib\ext\jaccess.jar
- \lib\ext\jho.jar
- \lib\ext\log4j_1.2.8.jar
An applet is a Java application running from within a Web browser. If you are using Internet Explorer, to confirm that Sun Java 1.3.1 or higher is configured as the default Java engine, go to Tools | Internet Options | Advanced, scroll down to Java (with the coffee cup icon) and confirm that the option exists and is checked. If the option is not available, refer to the Sun instructions to install and configure the Java plug-in for Internet Explorer, which allows applets to use the Sun JRE in place of the browser's default Java runtime.
- The TAMESSO client does not recognize the Logon Window presented by a Java application
This requires enabling Service Logon for Java applications. To do this:
- Select the Applications node in the TAMESSO administrative console. Click on the application in question and on the right side of the console, go to the Miscellaneous tab. Check the Service Logon option.
- On the left side of the console, go to Global Agent Settings | Live | End-User Experience | Response | Windows Apps. Check the box Supported Windows classes for Services and add the window class for the application in question at the end of the semi-colon separated list of class names. The window class name can be obtained by running the new application wizard.
Repository and authentication
The repository can be used as a centralized encrypted storage for user credentials and adapter configuration. The client can back up and restore credentials to and from the central repository using synchronization plug-ins. Supported repositories include any LDAP v2- or v3-compliant directory, databases including Microsoft SQL server, Oracle, IBM DB2 and network drive shares. In the architecture diagram above, this component is identified as “Directory/DB”.
Listed below are commonly reported issues and troubleshooting tips for the same with respect to the repository.
Manual schema extension
Manual schema extension is required for repositories that TAMESSO does not support out of the box, for example, OpenLDAP. On attempting automated schema extension, TAMESSO reports the error "Automated schema extension is not supported by this server. Use the file located at 'C:\Program Files\Passlogix\v-GO SSO Administrative Console\DirectorySchema\vGO\OLDAP\sso.schema' to extend the schema manually. Extend schema ABORTED!" The steps for manual schema extension for OpenLDAP are as follows:
- Copy the sso.schema file from C:\Program Files\Passlogix\v-GO SSO Administrative Console\DirectorySchema\vGO\OLDAP to the OpenLDAP server machine.
- Place the sso.schema file in the schema folder of OpenLDAP (/usr/local/etc/openldap/schema).
- Modify the OpenLDAP configuration file (slapd.conf) to include the TAMESSO-specific schema entities by adding the following line:
include /usr/local/etc/openldap/schema/sso.schema
Note that TAMESSO supports SunONE directory server, Novell eDirectory, Microsoft Active Directory and Microsoft ADAM straight from the box.
Common issues with Active Directory repository
Since TAMESSO is essentially a Windows application, Active Directory is the most commonly used repository. Listed below are some of the recurring issues with Active Directory and ways to troubleshoot them.
- Schema extension not allowed error reported by Active Directory on attempting to extend the schema.
  Schema updates require write access to the schema in Active Directory. This is enabled by means of a Schema Update Allowed registry key, which can be set through the schema management console. Schema updates can only be enabled on the domain controller that holds the schema master role. To enable schema updates:
  - At the command prompt, type regsvr32 schmmgmt.dll. The registration is successful only if a dialog box with the message DllRegisterServer in schmmgmt.dll succeeded is displayed.
  - Open a new management console by clicking Start | Run and typing mmc.
  - On the Console menu, click Add/Remove Snap-in.
  - Click Add to open the Add Standalone Snap-in dialog box.
  - Right-click Active Directory Schema, and then click Operations Master.
  - Select the Schema may be modified on this Domain Controller check box, click OK and exit the console.
- TAMESSO gives the error "The keys in the synchronizer extension do not match the keys on this computer. Synchronization will not occur. Please contact your system administrator."
This error is seen when a user sets up TAMESSO on one workstation, synchronizes to Active Directory, then goes to another workstation and is taken through the TAMESSO First Time Use (FTU) setup process. This first-time setup only occurs if the second system cannot contact Active Directory, or if the user has cancelled an authentication dialog box from Active Directory. It can also occur if the user has not previously logged on to the second system and used TAMESSO. Specifically, TAMESSO created a unique key pair on the first workstation and errantly created a second key pair on the second workstation. To handle this situation, remove all local data (including credentials) from the second workstation using the following steps:
- Shut down the TAMESSO client.
- Using regedit, delete HKCU\Software\Passlogix. Note that it is HKCU (current user) and not HKLM (local machine).
- Delete C:\Documents and Settings\<user profile>\Application Data\Passlogix.
- Start TAMESSO.
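The four cleanup steps above can be scripted so that a support engineer applies them consistently and keeps a copy of what was removed. The following is an added example (not from the article or from IBM) that stops the client, exports and deletes HKCU\Software\Passlogix, moves the user's %APPDATA%\Passlogix directory aside and reports the result. The registry key and directory are the ones named in the steps; the process name SSOShell comes from the earlier section; the backup folder under the user profile is an assumption. It must run in the affected user's session, because both locations are per-user, and it removes that user's locally cached credentials, which is exactly what the procedure intends.

```powershell
# Added example (not from the article): performs the four cleanup steps for the
# "keys in the synchronizer extension do not match" error, taking a backup first.
# HKCU\Software\Passlogix and %APPDATA%\Passlogix are the locations given in the
# steps; the backup root below is an assumption.

$BackupRoot = Join-Path $env:USERPROFILE 'TAMESSO-backup'

function Stop-TamessoClient {
    # Step 1: shut down the client so that its files and keys are not held open.
    Get-Process -Name 'SSOShell' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
}

function Reset-TamessoLocalState {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $backup -Force | Out-Null

    # Step 2: export, then delete, HKCU\Software\Passlogix (per-user hive, not HKLM).
    $regPath = 'HKCU:\Software\Passlogix'
    if (Test-Path -LiteralPath $regPath) {
        & reg.exe export 'HKCU\Software\Passlogix' (Join-Path $backup 'HKCU-Passlogix.reg') /y | Out-Null
        Remove-Item -LiteralPath $regPath -Recurse -Force
    }

    # Step 3: move the user's Passlogix data directory to the backup location
    # instead of deleting it outright.
    $dataDir = Join-Path $env:APPDATA 'Passlogix'
    if (Test-Path -LiteralPath $dataDir) {
        Move-Item -LiteralPath $dataDir -Destination (Join-Path $backup 'AppData-Passlogix')
    }

    [pscustomobject]@{
        RegistryKeyRemoved = -not (Test-Path -LiteralPath $regPath)
        DataDirRemoved     = -not (Test-Path -LiteralPath $dataDir)
        BackupLocation     = $backup
    }
}

Stop-TamessoClient
Reset-TamessoLocalState | Format-List
# Step 4: start TAMESSO from the Start menu; the client re-synchronizes from the repository.
```

The backup folder contains the user's encrypted local credential store, so treat it like any other credential material: keep it only until the user has confirmed that synchronization works on the second workstation, then delete it.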
Administrative console
The administrative console provides centralized administration for TAMESSO by enabling adapter and server configuration for most options. All changes are pushed to the central repository and are then synchronized back to the adapters. Listed below are some points to remember while using the administrative console to configure TAMESSO.
Multi-value check box settings
Many configuration options in the TAMESSO administrative console are set through multi-valued check box controls. A multi-value check box can be in one of the following states:
- Unchecked, meaning the setting is turned off and the client cannot override it.
- Checked, meaning the setting is turned on and the client cannot override it.
- Checked and grayed out, meaning the setting is turned on and the client can override it and turn it off.
When to enable "Use WM_CHAR message to fill controls" setting
Enable this setting on a template when credentials are observed being submitted to the application but the application does not register them as populated in its fields. Some applications require that passwords are entered via the keyboard rather than through "set text" commands. Enabling this control fills the controls by simulating keyboard entry (WM_CHAR messages) instead of setting their text directly. For example, with the Citrix 9.15 ICA Client the credentials are supplied but appear as corrupt or wrong values. The WM_CHAR option has been used in the past to resolve template issues for Citrix, Novell and Lotus Notes.
Authentication adapter
The authentication adapter enables organizations to bridge strong authentication seamlessly to all of their applications, including smart cards, biometric devices, and Entrust authenticators. Users can employ different authenticators at different times and application access can be controlled based upon the authenticator used.
TAMESSO configuration for the IBM ThinkPad embedded One Touch fingerprint biometric sensor
TAMESSO can be configured to provide single sign-on using a fingerprint as the logon method, for example with the IBM ThinkPad fingerprint-based biometric sensor. This configuration comprises the following steps:
- Installation of ThinkVantage Fingerprint Software
  ThinkVantage Fingerprint Software can be installed on any computer with Windows 2000, Windows XP Home or Professional edition, or Windows Vista and a free USB port. Note that the free USB port is not required for ThinkPads with a built-in biometric sensor; it is required only if you have an external biometric sensor. Administrator rights are required to install or uninstall ThinkVantage Fingerprint Software. The installation steps are:
  - If you have a CD, insert it into the CD-ROM drive; otherwise run Setup.exe and skip the next step.
  - The ThinkVantage Fingerprint Software screen is displayed. Click the Installation icon. If this screen is not displayed, run Setup.exe manually.
  - The Welcome screen is displayed.
  - Click Next to continue.
  - The User Information screen is displayed.
  - Enter your user information, and then click Next to continue.
  - Confirm or select an installation directory.
  - Click Next to start the installation.
  - When the installation is finished, restart your computer when prompted.
The installation is now complete. After you restart the computer, the logon screen is displayed. Note that, during installation, all necessary device drivers are installed. If you intend to use an external fingerprint sensor, we recommend that you connect your fingerprint hardware after completing the installation and restarting your computer.
- Fingerprint enrollment
  Each user identity in ThinkVantage Fingerprint Software is represented by a passport, which contains the biometric fingerprint data used to verify the identity of the user. Fingerprint enrollment is the process of creating a correspondence between your user name, password and your fingerprints. To create a new passport (that is, enroll fingerprints):
  - If you want to use an external fingerprint sensor, connect your device. All the necessary drivers are installed with ThinkVantage Fingerprint Software. An informational message that the sensor was connected and is ready to use is displayed in the lower right corner of your screen.
  - The License Agreement is displayed. Read the License Agreement carefully.
  - Accept the License Agreement by selecting the appropriate radio button. You must agree to the License Agreement to install this product. Click Cancel to close the application if you do not agree to the License Agreement.
  - To launch the enrollment wizard, select Start menu | Programs | ThinkVantage | ThinkVantage Fingerprint Software | User enrollment.
  - Enter your user name, password, and domain (if applicable) and click Next.
  - Click Next to proceed with the fingerprint tutorial, or uncheck the Run interactive tutorial check box and click Next to skip the tutorial.
  - Click on a box above the finger you want to enroll. Create three samples of the selected finger according to the instructions in the tutorial. These samples are combined into a single fingerprint passport. A warning is displayed if the three samples cannot be matched.
  - Select another finger to enroll. You can enroll up to 10 fingerprints. We strongly recommend that you enroll more than one finger in case of injury. Click Next when done.
- TAMESSO configuration through the administrative console
  - In the TAMESSO Administrative Console, highlight and right-click Global Agent Settings.
  - Select Import | From Live HKLM to import the current adapter configuration from the local machine registry as a set of settings named Live.
  - Live now appears under the Global Agent Settings tab. Expand it by clicking the + sign to see the current registry settings for the SSO adapter.
  - Expand the Primary Logon Methods node and select Windows V2, which provides the primary controls for the Windows authenticator version 2.
  - On the right side of the console, enable Re-authentication dialog and choose Use GINA. This sets the Windows GINA (Graphical Identification and Authentication) as the method TAMESSO uses for the user to re-authenticate.
  - On the left side of the console, select the Advanced node below Windows V2 and, on the right side, enable Passphrase and choose the Disable option. This disables the passphrase challenge that is provided for additional security.
  - Back on the left side of the console, select the Applications tab under TAM E-SSO and, on the right side, double-click the application that you want to protect using biometrics. On the Miscellaneous tab, enable Force Reauthentication. This requires the user to re-authenticate before credentials are provided to this application.
- Deployment of the TAMESSO configuration to the ThinkPad client machine
  - In the TAMESSO administrative console, select Global Agent Settings | Live, right-click and select Export. From the export format list, select HKLM Registry Format (.REG) and save the file in a convenient location so that it is easily accessible from other client machines.
  - Copy the exported .REG file to the ThinkPad client machine and merge it into the ThinkPad registry.
- ThinkPad client configuration
  - Go to Control Panel | Add/Remove Programs. Select IBM Tivoli Access Manager for Enterprise Single Sign On and click Change.
  - Expand Logon Methods, click Windows V2 and select GINA install. Leave the other logon methods as they are and proceed to complete the installation.
  - Right-click the Logon Manager icon in the system tray. Go to Configuration and double-click the Change Logon Method option. Select Windows v2 and click Finish.
From this point onwards, if the user has defined force re-authentication for an application, the user will see a biometric prompt. If a user attempts to reveal passwords in the logon manager, (s)he will see a biometric prompt.
Note that the ThinkVantage configuration can be replaced by any other biometric sensor software and driver configuration, but TAMESSO configuration for biometric authentication-based applications remains the same.
Desktop password reset adapter (DPRA)
The Desktop Password Reset Adapter allows access to the Windows user account when you lose or forget the domain password. Instead of calling the help desk, the user only needs to answer a pop-up quiz that verifies their identity and allows them to reset their own password. The quiz is created by the user on completing the DPRA enrollment interview. Listed below are typical issues encountered with DPRA and troubleshooting tips for each.
Common issues related to Active Server Pages
- Access denied error on trying to access the DPRA console
  This problem applies only to Windows 2000 SP4 servers. When ASP .NET 1.1 is installed on a computer running as a Windows 2000 domain controller with Service Pack 4 (SP4) installed, the built-in IWAM user account (used by IIS Web services with ASP) is not granted the impersonate-user right for ASP .NET 1.1. Hence, a request for any ASP resource (including the TAMESSO DPRA management console) can produce the Access Denied error. This is a known issue (refer to Microsoft Knowledge Base article 824308). To work around it:
  - Click Start, point to Programs, point to Administrative Tools and then click Domain Controller Security Policy.
  - Click Security Settings.
  - Click Local Policies, and then click User Rights Assignment.
  - In the right pane, double-click Impersonate a client after authentication.
  - In the Security Policy Setting window, click Define these policy settings.
  - Click Add and then click Browse.
  - In the Select Users or Groups window, select the IWAM account name, click Add and then click OK.
  - Click OK, and OK again on the next two windows.
  - To enforce an update of the computer policy, type the following command: secedit /refreshpolicy machine_policy /enforce
  - At the command prompt, type iisreset to restart IIS.
- Unable to access the DPRA management console, with the error The current identity (NT_AUTHORITY\NETWORK SERVICE) does not have write access to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP .NET files
  To handle this error, the specified user or group (that is, NT_AUTHORITY\NETWORK_SERVICE) must be granted access to the IIS metabase and the other directories used by ASP.NET. To do this, open a command prompt, go to the directory referenced in the error (that is, C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP .NET files) and run the command aspnet_regiis -ga "NT_AUTHORITY\NETWORK_SERVICE". Note that this option is not available for ASP .NET versions earlier than ASP .NET 2.0. After successful ASP .NET IIS registration, access to the DPRA management console should be allowed.
Successful completion of DPRA service reset quiz results in "You are not allowed to reset your password" error message
This is a very commonly reported issue and is caused by having a very strict domain password policy. If Active Directory is used as the user repository, the Minimum Password Age password policy setting is used to determine how many days a new password must be kept before the user can change it. If it is set to 0, users can immediately change their passwords. If it is greater than 0, then users will not be able to change their passwords more than one time a day. Also, ensure that the new password chosen meets the Password Complexity rules set while configuring password reset service through the DPRA management console.
After DPRA installation, Internet Explorer gives strange errors
Sometimes, for unknown reasons, the DPRA installation appears to corrupt the registry keys for the Internet Explorer (IE) browser. IE then reports errors when closing the browser window, accessing bookmarks, or opening the Options menu. There is no need to reinstall DPRA to handle this. Using regedit, locate the key HKLM\Software\Passlogix\Microsoft\Internet Explorer\Restrictions. Various values such as NoBrowserClose, NoBrowserOptions, NoFavourites, and so on, are listed here with their values set to some large number. Reset their values to 0, and IE should no longer give strange errors. Note that making these changes does not interfere with the DPRA installation in any way.
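Because the text does not enumerate every value under the Restrictions key, an operator following it in regedit has to inspect the key and reset each entry by hand. The following is an added example (not from the article or from IBM) that lists what is under the key named above and resets every DWORD there to 0, leaving values of any other type untouched; restricting the reset to DWORDs is an added safety choice, not something the article states. The key path is the one given in the text.

```powershell
# Added example (not from the article): list the values under the IE Restrictions
# key named in the text and reset every non-zero DWORD to 0. The key path is the
# article's; limiting the reset to DWORD values is an added precaution.

$RestrictionsKey = 'HKLM:\Software\Passlogix\Microsoft\Internet Explorer\Restrictions'

function Get-IeRestrictionValues {
    # Returns name, type and current value for each entry under the key.
    param([string] $Key = $RestrictionsKey)
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the key's unnamed (default) value
        [pscustomobject]@{
            Name  = $name
            Kind  = $item.GetValueKind($name)
            Value = $item.GetValue($name)
        }
    }
}

function Reset-IeRestrictionValues {
    # Sets every non-zero DWORD under the key to 0 and returns the names changed.
    param([string] $Key = $RestrictionsKey)
    $changed = @()
    foreach ($v in Get-IeRestrictionValues -Key $Key) {
        if ($v.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $v.Value -ne 0) {
            Set-ItemProperty -LiteralPath $Key -Name $v.Name -Value 0 -Type DWord
            $changed += $v.Name
        }
    }
    $changed
}

Write-Host 'Before:'
Get-IeRestrictionValues | Format-Table -AutoSize
$reset = Reset-IeRestrictionValues
Write-Host "Reset to 0: $($reset -join ', ')"
```

Run from an elevated prompt, since the key is under HKLM; the "Before" listing doubles as a record of the original values should anything need to be restored.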
Excluding local user accounts from forced enrollment
If only domain users, and not local users logging on to a client machine, should be enrolled into DPRA, then using regedit:
- Select the registry key HKLM\Software\Passlogix\SSPR\WindowsInterface
- Click Edit and go to Permissions.
- Click the Advanced button and clear the check box "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here."
- On the pop-up dialog box that appears, click Copy to copy the permission entries that were previously applied from the parent to the object.
- Remove all local users and groups from the permissions, leave SYSTEM as is, and add Domain Users with read permission and Domain Admins with full control permission.
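The five steps above can also be applied from an elevated PowerShell prompt on the client. The following script is an added example, not part of the original article or the product; it assumes the key path and group names given in the steps, and uses CONTOSO as a placeholder for the Active Directory NetBIOS domain name.

```powershell
# Added example, not from the original article: restrict the DPRA WindowsInterface
# key to domain principals so that only domain users are force-enrolled.
# Assumptions: key path and group names as in the steps above; the domain name
# below is a placeholder. Run from an elevated PowerShell prompt on the client.
$keyPath = 'HKLM:\Software\Passlogix\SSPR\WindowsInterface'
$domain  = 'CONTOSO'    # placeholder: replace with your AD NetBIOS domain name

# Step 1: stop inheriting from the parent key, but keep copies of the inherited
# entries as explicit entries (this is the "Copy" choice in the dialog box).
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keyPath -AclObject $acl

# Step 2: re-read the ACL (the copied entries are now explicit) and drop every
# entry that is neither SYSTEM nor a domain principal, i.e. all local users/groups.
$acl = Get-Acl -Path $keyPath
foreach ($ace in @($acl.Access)) {
    $id = $ace.IdentityReference.Value
    if ($id -eq 'NT AUTHORITY\SYSTEM') { continue }   # leave SYSTEM as is
    if ($id -like "$domain\*")       { continue }   # keep existing domain entries
    [void]$acl.RemoveAccessRule($ace)
}

# Step 3: add Domain Users (read) and Domain Admins (full control); both entries
# are inherited by subkeys (ContainerInherit).
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList "$domain\Domain Users", 'ReadKey', 'ContainerInherit', 'None', 'Allow'
$fullRule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList "$domain\Domain Admins", 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($fullRule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 4: list the resulting entries so the change can be verified before
# the client is restarted (TAMESSO reads the key when it starts).
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Review the listed entries before rebooting; if an entry was removed that a local process still needs, the dialog in the steps above can be used to add it back.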
User locked out because password reset fails and old password stopped working
This is a typical scenario where the user's attempt to reset the password fails and the user is not able to log on using the old password, because the old password has expired. In order to avoid such situations, the user must ensure that the DPRA Password Complexity Settings (as shown in the screenshot below) match the password complexity settings in Active Directory (assuming it is the repository of choice). The DPRA password complexity information is available through the Password Complexity Settings page in the DPRA management console. Note that these settings are not enforced on the client's password reset value, but are used to generate the temporary password value.
Figure 2. Password Complexity settings
Kiosk adapter
The kiosk adapter delivers a secure solution that is easy to use and administer, and that addresses the needs of traditional single sign-off in a kiosk environment. The client-side adapter suspends or closes inactive sessions and seamlessly shuts down all applications. A typical requirement while using the kiosk mode of operation is to bypass the kiosk splash screen.
Bypassing the kiosk splash screen
If the kiosk adapter is not correctly configured and, as a result, the user is not able to log on using the kiosk splash screen, it might be necessary to bypass the kiosk splash screen and log on as usual. To prevent the kiosk adapter from starting, hold down the Shift key while logging on to the machine. After entering the password, the Shift key must be held down before clicking the login button, and must continue to be held down until the machine is fully logged in. Note that even with this method the kiosk might still start, but its start is definitely delayed, so that there is enough time to open the Task Manager and stop the smagent.exe process that represents the kiosk adapter before it starts completely.
Provisioning adapter
The provisioning adapter server can receive and process provisioning requests initiated by Tivoli Identity Manager. The integration between the Provisioning Adapter server and Tivoli Identity Manager (TIM) is accomplished by using a workflow extension that TIM uses to communicate with the Provisioning Adapter Server Web service. Listed below are some typical issues encountered with the provisioning adapter and their solutions.
Unable to logon to the provisioning adapter console
Sometimes, in spite of providing administrator credentials, attempting to log on to the provisioning adapter console returns a response whose content type is text/html rather than the content type the console expects, and hence the logon request fails with the error message Server application unavailable. Upon getting this error, check whether ASP .Net is a registered Web service extension with Internet Information Services (IIS). To check this:
- Go to Control Panel | Administrative Tools | Internet Information Services (IIS) Manager.
- Under Web Service Extensions, if ASP .Net extension is registered and its setting is Prohibited, change its setting to Allowed.
If ASP .Net is not listed at all under Web service extensions, follow these steps to install the ASP .Net extension and then confirm that it is registered with IIS:
- Go to Control Panel | Add or Remove Programs | Add / Remove Windows Components.
- When the wizard comes up, select Application Server and click on the Details button.
- Select ASP .NET from the list of components and continue through the wizard.
If this does not solve the logon problem, register the ASP .Net extension with IIS from the command line by running C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i, and then restart IIS.
Unable to provision new credentials for an SSO user through the provisioning adapter console
In spite of enabling the Role/Group support setting in the provisioning adapter, a user logged in to the provisioning adapter console is sometimes not allowed to add an application template and receives the error "The user is not authorized for the action." To handle this, go to the Default Rights tab of the provisioning adapter link in the TAMESSO console and define the users and groups and the kind of access they will have. These default rights are inherited by any new application templates. The same settings can be copied to existing application templates in the administrative console.
Contact IBM Support
To contact IBM Support about a TAMESSO problem, a problem management report (PMR) needs to be generated. It must contain the following information to accelerate problem resolution:
- "About TAMESSO" information
Right-click the TAMESSO client (the red carpet icon in the system tray) and select About TAMESSO. This displays the exact version of every library and binary that is part of the TAMESSO installation, as shown in the figure below. Click Save to save this information as a text file. Send this information to IBM Support so that they can quickly identify the versions of the components used and reproduce the problem more easily.
Figure 3. About TAMESSO window
- TAMESSO administrative console settings XML file
If the TAMESSO configuration is not already available as an XML file, go to the TAMESSO administrative console, select File | Save As, and provide the name and location of the configuration XML file. Send this file to IBM Support when submitting a PMR.
Resources
About the authors
Giancarlo Marchesi is a Solution Architect in the Tivoli Worldwide Security SWAT team. He has extensive experience working with customers to provide solutions for systems integration, application and enterprise security. He holds a Bachelor of Science degree in Computer Systems Engineering from the University of California. He is considered a Subject Matter Expert (SME) for TAMESSO at IBM and is based in Spain.
Rajalakshmi Iyer is a senior developer with the IBM Tivoli Directory Server team at India Software Labs, Pune. In this role, she is responsible for all stages in a feature development life cycle. She has more than seven years of experience in the directory domain. She holds a Bachelor of Engineering degree in Computer Science from Mumbai University, India.