Middleware 3.0 troubleshooting

Creation date: 09/05/2007
Last Review: 31/01/2008
Revision number: 3
Document type: Whitepaper
Security status: EXTERNAL

Summary

This document explains how to troubleshoot your VACMAN Middleware 3.0 installation.

Details

This document is mainly intended to discover and resolve configuration issues with Vacman Middleware. In this document, we will:
- Explain some basic checks to perform
- Explain what tools and methods are available to troubleshoot
- Explain a few parameters and mechanisms that are often the cause of problems
- Provide a list of common errors

Vacman Middleware Version

Make sure that you have installed the latest version of the software and have all additional patches. At the time of publishing of this KB, the current version is VACMAN Middleware Service Release 10. The latest patch level is Patch 12. You can check for the latest patches on http://www.vasco.com/mymaintenance.

Troubleshooting tools and methods

Different tools are available to help you troubleshoot the VACMAN Middleware configuration:

The Full Tracing option

This option writes all configuration, server and user activity to a log file. To enable Full Tracing:
- Open the Authentication Server Configuration (Start > Programs > Vasco > Authentication Server Configuration).

.doc (1.0) 31/01/2008 14:01 Page 1 of 6
- Select the Full Tracing option and click OK.
- Optionally, you can change the default log filename.
- To activate the new configuration, the service has to be restarted.

After enabling this option all Middleware events are logged to a text file. The default file name is C:\Program Files\Vasco\Vacman Middleware 3\Log
The DIGIPASS Audit Viewer

The Audit Viewer is a Windows application that can display and filter audit messages from the Authentication Server. It can read the data from text files and ODBC databases, or receive a live feed from the Authentication Server.

The Show effective policy settings button

This button allows you to show the settings of the policy you are using, even when this policy inherits its settings from a base policy.

The Radius Client Simulator

You can test your Radius authentications to the Middleware using the Vasco Radius Client Simulator. This tool can be found on the Middleware CD image under Windows\Utilities\Radius Simulator. Depending on the options you have specified in the Middleware Server authenticator and authentication options (see Configuring your Middleware Server), you can test your setup as follows:

1) Create a test user on your backend server (for example Active Directory).
2) Copy the default policy on which you want to base a new policy (for example, copy the VM3.0 Windows Password replacement policy to a "test policy").
3) In the test policy properties:
   On the Main Settings tab:
   - Set the authenticator to Digipass/Password
   - Backend Authentication: Always
   - Protocol: Windows
   On the User Settings tab:
   - Enable DUR, Autolearn and Stored Password Proxy
   - Set the Windows Group Check to No Check
4) Change the policy used on the default Radius client component to the test policy.
5) Since DUR is enabled and the authenticator is configured to also use a backend server, you can use the Vasco Radius Client Simulator to log in using your username and static Windows password.
6) Your user should be created in the Middleware if the backend authentication was successful. Check this in the Middleware MMC (for an ODBC setup) or in Active Directory Users and Computers for a setup with AD as data repository (make sure to refresh the screen).
7) If DUR was disabled, you need to create the user manually in the Middleware (through the MMC or via import of a CSV file, ...) as well as configure the correct static password.
8) If the authentication was successful, import a demo DPX file (check the dpx subdirectory under the Middleware installation directory). The Demo DPX key is always 32 times the digit 1 (11111111111111111111111111111111).
9) Assign the Digipass to the user in the Middleware MMC or Active Directory Users and Computers.
10) Log in with username and One Time Password (OTP). If you do not have a Demo DIGIPASS, you can generate an OTP with this online demo DIGIPASS: http://demotoken.vasco.com
11) In case of unsuccessful authentications, check the dpauthserv.trace file for error messages.

Configuring your Middleware Server

By default the Middleware installation creates several policies. It is advisable not to change these policies but to create your own policy, based on one of them. For more information about policies, check the Vacman Middleware Product Guide.

Depending on how you would like your users to log in, you have several options that can be enabled or disabled.

- Dynamic User Registration (DUR). This allows users that exist on a backend server (e.g. Active Directory) to log in to the Middleware server without having to create the user manually in the Middleware. At the first login, the user logs in using his static password. The Middleware server checks with the backend server whether this is a valid user and password. If the backend server validates the password, the user is created in the Middleware server and the static password is remembered as the stored static password.
- Autolearn. This allows a user to change his Middleware stored static password by logging in using his username and NewPassword+PIN+OTP. The Middleware server goes to a backend server with the username and new password for validation. If the validation is successful, the new password is remembered as the new stored static password. Note that the PIN is only needed if a Digipass with a server-side PIN is used.
- Stored Password Proxy. If you want your users to log on using only the OTP as password, but the authenticator is set to also use a backend server, you need to enable this option.
This option allows the Middleware to take the stored static password and send that to the backend server for validation. If you want your users to log in using Static Password + PIN + OTP each time they log in, you should disable this option. This option is necessary, for example, for OWA and Citrix (which use Windows as backend authentication).

Common error messages and problems

Error code: <1>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Validation Failed]>
Cause: Server (Static) PIN code or OTP mistyped.
Solution: Correctly enter the PIN and OTP.

Error code: <201>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Code Replay Attempt]>
Cause: The Digipass OTP has already been used before.
Solution: Wait at least 36 seconds before retrying to log in. Never log in more than once with the same OTP.

Error code: <-202>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Response Too Small]>
Cause: The user did not type his complete (PIN+)OTP.
Solution: Make sure the user enters his full OTP (with PIN if required).

Error code: <-205>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Response Not Decimal]>
Cause: The user tries to log in using his static password after the grace period has expired.
Solution: Make sure users only use their Digipass OTP after the Grace Period has expired.
Error message: Windows Authentication failed: [1326] [Logon failure: unknown user name or bad password.]
Cause: The user's static password does not correspond with the Middleware password while using Local and Windows authentication.
Solution: If Autolearn is enabled, let the user log in using Windows Password + PIN + OTP. If Autolearn is not enabled, make this change manually in the Middleware.

Error code: <1007>
Error message: <Digipass User account is locked>
Cause: The password or OTP has been entered incorrectly too many times. By default the user lock threshold is set to 3 attempts.
Solution: An administrator needs to uncheck the Locked checkbox on the user record in the administration MMC or in Active Directory Users & Computers.

Error message: Cannot set password field. Possible shared secret mismatch?
Cause: The shared secret between the server and the Radius client does not match.
Solution: Make sure the shared secrets match. The Vasco Radius Simulator will give the following error message: "Login failed - invalid response authenticator. Mismatched shared-secret is a possibility".

Applies to: Vacman Middleware 3.0.x

More information:
Documentation:
- VACMAN Middleware Administration Guide
- VACMAN RADIUS Client Simulator Users Guide
- KB100036: Outlook Web Access Troubleshooting guide
- KB100037: Citrix Troubleshooting guide