IBM Support

Mustgather: IBM Navigator for i Single Signon

Troubleshooting


Problem

This document describes the items to gather when IBM Navigator for i Single Signon has been configured and is not working properly. 

Diagnosing The Problem

NOTE: It is recommended to first perform a review of the following documentation to ensure the environment has been configured correctly prior to data collection:

How to Configure IBM Navigator for i For Single Sign On (SSO)
https://www.ibm.com/support/pages/node/6593749

To diagnose problems with Single Signon for IBM Navigator for i, the following data needs to be gathered:
  1. User Account Information from Active Directory (requires an Active Directory Administrator to supply).
  2. IBM Navigator for i Tracing.
  3. PC Wireshark trace data from a connection attempt.
  4. QMGTOOLS collector data from the HTTP Admin server and LDAP server.

1. User Account Information from Active Directory
The following commands need to be run from the Active Directory command prompt:
ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=krbsvr400/*)" -p subtree

ldifde -f check_SPN2.txt -t 3268 -d "" -r "(servicePrincipalName=krbsvr400/*)" -p subtree

ldifde -f check_SPN3.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=HTTP/*)" -p subtree

ldifde -f check_SPN4.txt -t 3268 -d "" -r "(servicePrincipalName=HTTP/*)" -p subtree

NOTE: These commands will create the files 'check_SPN.txt', 'check_SPN2.txt', 'check_SPN3.txt' and 'check_SPN4.txt' on the Active Directory system. These files will need to be sent in for review.
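
A check that can be run over 'check_SPN.txt' and 'check_SPN3.txt' before they are sent in, as an added example that is not part of the IBM document: it parses the LDIF that ldifde writes (folded lines and base64 values included) and reports any SPN registered on more than one account, a condition under which the domain controller cannot issue a service ticket for that SPN. The account and host names in the sample are constructed, and the function names are hypothetical.

```python
import base64
from collections import defaultdict

# Constructed sample in the LDIF shape ldifde writes; all names are made up.
SAMPLE_LDIF = """\
dn: CN=ibmi_krb,OU=Service,DC=example,DC=com
changetype: add
servicePrincipalName: krbsvr400/ibmi.example.com

dn: CN=ibmi_http,OU=Service,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/ibmi.example.com

dn: CN=old_web,OU=Retired,DC=exam
 ple,DC=com
changetype: add
servicePrincipalName: http/IBMI.example.com
servicePrincipalName:: SFRUUC9pYm1pLWRy
"""

def parse_ldif(text):
    """Return [(dn, [spn, ...]), ...] for each entry in ldifde output."""
    # Unfold: a newline followed by one space continues the previous line.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, dn, spns = [], None, []
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():                # blank line ends an entry
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return entries

def duplicate_spns(entries):
    """Map each SPN held by more than one account to the DNs holding it."""
    holders = defaultdict(set)
    for dn, spns in entries:
        for spn in spns:
            holders[spn.lower()].add(dn)    # SPN lookup ignores case
    return {s: sorted(d) for s, d in holders.items() if len(d) > 1}

if __name__ == "__main__":
    print(duplicate_spns(parse_ldif(SAMPLE_LDIF)))
```

To use it on the collected files, read each file as text and pass the contents to parse_ldif; an empty result means no SPN in that file is held by two accounts.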

2. IBM Navigator for i Tracing
A) Open the IBM Web Administration GUI (http://systemname:2001/HTTPAdmin or https://systemname:2010/HTTPAdmin) and click on 'Manage' -> 'Application Servers' and select 'ADMIN1' from the server drop down.
B) On the left menu click 'Logging' under 'Server Properties'.
C) For 'Trace Specification' replace the default '*=info' with the following:
com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all
For 'Trace Format' change it from 'Enhanced' to 'Basic'.

Click OK at the bottom of the screen.
D) On the IBM i command line run the following command:
EDTF '/qibm/userdata/os/admininst/admin1/wlp/usr/servers/admin1/jvm.options'
E) Insert the following lines into the file:
-Dcom.ibm.security.krb5.Krb5Debug=all
-Dcom.ibm.security.jgss.debug=all
Press F3 to save and exit the file.
F) End and restart the ADMIN server by running the following commands:
 
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN1)

WRKACTJOB SBS(QHTTPSVR)  
NOTE: Make sure ADMIN1 job has ended, then start it again with the following command:
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN1)

3. PC Wireshark trace data from a connection attempt
A) On the PC, close all web browser sessions.
B) Open a PC command prompt and type the following to purge the Kerberos tickets:
C:\Windows\System32\klist.exe purge
C) Next, on the PC, start a Wireshark trace using the following instructions:
NOTE: Select all available Ethernet interfaces when starting the trace.
D) Lock the PC by pressing the Windows key + L, and then sign back in.
E) Then try to connect with Navigator for i to test Single Signon:
http://fully.qualified.name.of.ibmi:2002/Navigator
F) Once the problem has been reproduced the Wireshark trace can be stopped and the resulting capture file can be sent in for review.

4. QMGTOOLS collector data from the HTTP Admin server and LDAP server
- On the IBM i command line type the following command:
ADDLIBLE QMGTOOLS
If the library is found, follow steps B and C below. If the library is not found, perform steps A - C to install QMGTOOLS and update it:
A) On the IBM i command line type the following to restore the QMGTOOLS library (NOTE: QALWOBJRST system value needs to be set to *ALL):
RSTLIB SAVLIB(QMGTOOLS) DEV(*SAVF) SAVF(QSYS/QESMGTSAVF) MBROPT(*ALL) ALWOBJDIF(*ALL)

B) We can then run the following commands:
 
ADDLIBLE QMGTOOLS

GO MG
C) Take option 13 to check for an update and follow the prompts to automatically download and restore the updated library. NOTE: If the system cannot connect to IBM, perform 'Method 3' from the following document to manually update the QMGTOOLS library:
https://www.ibm.com/support/pages/qmgtools-how-check-and-update-qmgtools
- Uploading data to IBM requires a data transfer ID. Ensure that you create a transfer ID and a transfer password:
https://www.ecurep.ibm.com/transferids/#
We can then run the following command to run the ADMIN collector and automatically send the data back to the case (insert the 'TransferID' and 'password' generated from the web site above, replace 'case' with your IBM Support Case number, and replace 'emailAddress' with the address that should receive the upload confirmation):
QMGTOOLS/HTTPADMCOL FTPRSP(Y) FTPTYPE(*HTTPS) IBMID('transferid') IBMPWD('password') CASE_NBR(case) EMAIL(emailAddress)

Should the tool be unable to send in the collector zip file it can be located in the following IFS directory:
/tmp/collectorscripts/data/httpAdmincollector.zip
In that case, retrieve the file from the system and upload it to the case.
- We can then run the following command to run our LDAP collector and automatically send the data back to the case (replace 'LDAPpassword' with the 'cn=Administrator' password and insert the 'TransferID' and 'password' generated from the web site above, replace 'case' with your IBM Support Case number):
 
QMGTOOLS/LDAPCOL LDAP_INST(QUSRDIR) LDAP_PW(LDAPpassword) FTP(Y) FTPTYPE(*HTTPS) IBMID('transferid') IBMPWD('password') CASE_NBR(case)

Should the tool be unable to send in the collector zip file it can be located in the following IFS directory:
/tmp/collectorscripts/data/LDAPCollector.zip
In that case, retrieve the file from the system and upload it to the case.

Document Location

Worldwide


Document Information

Modified date:
03 June 2025

UID

ibm17232869