Mingle Common Errors and Solutions

This document discusses common errors that occur during SSO login to WebUI/LN UI from Ming.le and how to fix them. It describes how to test if the error is occurring during SSO login and provides steps to get more detailed error messages. The document then lists and explains 14 common error messages, providing resolutions such as updating keystores, checking user mappings, and ensuring SSL configuration files are present.


KB 1444810

WebUI/LN UI/Ming.le SSO Login: Frequent errors and how to fix them

Description:
This KB deals with known WebUI/LN UI SSO login error messages and is frequently updated; any new knowledge should be added to this KB.
It also covers known issues during the Generate/Update Keystores procedure in the WebUI/LN UI Administrator.
Chapter 1: Know where the login goes wrong
SSO is mostly used to connect Infor Ming.le (formerly known as Workspace) to Infor LN via WebUI/LN UI.
This connection is made using either Integrated Windows Authentication (IWA) or Infor Federation Services (IFS).
In both cases your credentials pass through several places. A simple test tells you whether SSO is the place that is failing:
open the standalone WebUI or LN UI (outside Ming.le) and try logging in to the LN environment via SSO. Here's how:
WebUI
1. The WebUI address is usually http://server.domain:8312/webui/servlet/login; change the last part (login > fslogin) to http://server.domain:8312/webui/servlet/fslogin.
2. A window listing all SSO-enabled environments should come up.
3. Select the desired one and click Login.
4. Select an existing profile or create a new one.
5. Click Open.
LN UI
In LN UI there is no option other than SSO. The backend login (/servlet/login) is not officially supported.
1. Try opening http://server.domain:8312/webui/servlet/environments; it should come up without error.
2. Click on your environment to get in.
If you are successfully logged in to Infor LN, the problem is not in SSO and this KB most probably won't help you resolve your issue.
When doing this test, use the FQHN (fully qualified hostname) of the WebUI/LN UI server, especially when IFS is the authentication provider.
On the other hand, if you receive an error of any kind during this test, you are on the right track: the problem is in the SSO login.
By SSO we mean the hop between WebUI/LN UI and Infor LN, not the credential sharing via IFS or IWA to WebUI/LN UI.
To clarify, the credentials are passed as follows:
Your login in Windows > Login passed to Browser > Login passed to IWA/IFS > (Login passed to Ming.le/Workspace >) Login passed to WebUI/LN UI > Login passed to Infor LN
By SSO we mean the final part: WebUI/LN UI > Login passed to Infor LN.
KB 1577800 contains a diagram explaining the whole SSO procedure.
Chapter 2: How to get the most information about what goes wrong
Rule number one: do not use the front-end messages given by Java to analyse your problem. They are mostly incomplete or irrelevant.
Instead, use one of the following two techniques to mine the real error messages:
A. Using the WebUI Diagnostics / LN UI Environment Test
WebUI
1. Go to WebUI Admin, usually http://server.domain:8312/webui/servlet/admin
2. Log in using the Administrator's password, usually "webtop"
3. Navigate to Infor LN - Diagnostics
4. Click on your SSO-enabled environment
5. If you don't get an error here, enter a valid LN username (e.g. baan, bsp)
6. Errors are shown there, but you might as well receive "Connection successfully established"; in this case use the next technique
LN UI
1. Go to LN UI Admin, usually http://server.domain:8312/webui/servlet/admin
2. The login name is always "Administrator", the password usually "webtop"
3. Navigate to Infor LN - LN Environments
4. Zoom in to your SSO-enabled environment
5. Go to the tab "Test"
6. Fill in your AD username and click Test
7. Errors are shown there, but you might as well receive "Connection test successful"; in this case use the next technique
B. Using the Logic Service debug mode
Under Windows:
1. Log in to the Infor LN server
2. Open Registry Editor (regedit)
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Baan\Services
4. Create a DWORD value:
   Name = RexecDebug
   Value = 1
5. Go to Services (services.msc)
6. Restart the Infor ES Logic Service
7. In the Event Viewer you will get an Information message from Infor ES (Task Category = Rexecd) stating where the debug file is located:
   Message : Enabled debugging for 'Infor ES Logic Service', see file: C:\Windows\TEMP\rexecd.log
8. Use a program such as BareTail to read the debug log file in real time
Under UNIX:
1. Log in to the Infor LN server as root
2. Ensure that the variable $BSE is set correctly:
   echo $BSE
   If it is not: export BSE=[path to BSE]
3. Run the following commands:
   $BSE/bin/blogind6.2 -k                                      (kills the Logic Service)
   $BSE/bin/blogind6.2 -d > $BSE/tmp/blogind.debug 2>&1        (restarts the Logic Service in debug mode)
   tail -f $BSE/tmp/blogind.debug                              (reads the debug file in real time)
When you have enabled the debug mode, try to log in via SSO again (Chapter 1); the real error message will now be written to the debug file.
Chapter 3: Known error messages
For each known error the message differs depending on where you look: the WebUI/LN UI front end, the WebUI Diagnostics / LN UI Test page, and the Logic Service debug log. The numbers match the resolutions below.

1. Front end: returns to the Environment selection without any action. Diagnostics/Test: as front end. Logic Service debug: Could not read ssl properties file "security/ssl.properties".
2. Front end: Could not find Baan and/or OS user for user 'user': <Could not open @/baan/bse/lib/user/sso/suser>. Diagnostics/Test: as front end. Logic Service debug: Could not open @/baan/bse/lib/user/sso/suser.
3. Front end: Connection broken during login. Diagnostics/Test: unknown. Logic Service debug: sslv3 alert certificate unknown.
4. Update/Generate Keystores: Failure to configure key/truststores for backend. Diagnostics/Test: Error during SSLFactory initialization. Logic Service debug: -.
5. Update/Generate Keystores: Please download and install the 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'. Logic Service debug: -.
6. Front end: SAML Authorization failure: No permission for SSO Location 'STS' OS user 'xxx' SSO User 'yyy'. Diagnostics/Test: as front end. Logic Service debug: XML file 'security/sso_permissions.xml' not found (in $BSE for BaanLogin Daemon='/baan/bse').
7. Front end: SAML Authorization failure: No permission for SSO Location 'STS' OS user 'xxx' SSO User 'yyy'. Diagnostics/Test: as front end. Logic Service debug: No permission to impersonate SSO user 'xxx' as OS user 'yyy'.
8. Front end: Connection to the environment could not be established. Diagnostics/Test: as front end. Logic Service debug: -.
9. Update/Generate Keystores: Error from cert Store within SSL. Diagnostics/Test: Connection to the environment could not be established. Use diagnostics to test LN environment settings. Logic Service debug: ssl.properties file is corrupted.
10. Front end: Connection broken during login. Diagnostics/Test: as front end. Logic Service debug: handshake validation: "certificate is not yet valid". Certificate that failed is: xxx.
11. Front end: The Reference for URI #_1f0cc822-d41c-4e77-9317-4913a6a56f36 has no XMLSignatureInput. Diagnostics/Test: not tested. Logic Service debug: doesn't get that far.
12. Update/Generate Keystores: Failed to convert SSO Parameters to runtime. Logic Service debug: -.
13. Front end: Filter execution threw an exception. Diagnostics/Test: not tested. Logic Service debug: doesn't get that far.
14. Front end: javax.security.auth.login.LoginException: java.lang.IllegalStateException: Cannot get keys at REQ_OK state, or: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported, or: GSSException:*. Diagnostics/Test: not tested. Logic Service debug: doesn't get that far.
Some path aliases are used below; they are marked with $:
$BSE = the BSE folder of Infor LN
$ESE = the base folder of the Enterprise Server Extensions = the WebUI/LN UI + Tomcat folder
$SECURITY = the folder with the Infor ES Logic Service security configuration;
   for Windows this is usually C:\Infor\ERPLN\commonx64\security
   for Unix this is always $BSE/security
$JAVA = the Tomcat JRE. You can determine this folder in the WebUI/LN UI Admin under Infor WebUI/LN UI Administration - Diagnostics, property java.home.
Resolution:
1- Could not read ssl properties file "@/usr/bse/security/ssl.properties"
This means that the blogind6.2 service could not locate the ssl.properties file.
1. Make sure the file ssl.properties exists in the $SECURITY folder (it is generated by the Generate/Update Keystores procedure).
2. UNIX: set the $BSE variable and restart blogind6.2. Make sure $BSE is set each time blogind6.2 is started:
   $ export BSE=[path to BSE]

2- Failed to login on Application Server. Response: SAML Authentication failure: Could not find Baan and/or OS user for user 'user': <Could not open @/baan/bse/lib/user/sso/suser>
This error means that the SSO file for the user login that Active Directory passed to the Infor ES Logic Service via WebUI/LN UI does not exist.
Check that the person who is trying to log in has exactly the same string as 'user' (in the error message) in the SSO User field of the session User Data [ttaad2500m000]. This is case sensitive: if the login in Active Directory is "JRDoe", the Infor Security User must be "JRDoe" as well. If it matches, convert to runtime to create the s-file.
If the error message tells you it is looking for the UPN name ([email protected]) instead of the pre-Windows 2000 name (JRDoe) and this is not intentional, then you have most probably enabled "Support Multiple Domain SSO" in WebUI or "Send User Principal Name (UPN) instead of SAM account name" in LN UI. Check this in:
WebUI Admin: Infor WebUI Administration - Login Configuration
LN UI Admin: Infor LN - LN Environments - [your environment details] - BaanLogin SSL - Support for Multiple Domains
NOTE: Multi Domain SSO is supported only since Infor LN 10.3.
For more problems related to case sensitivity and changed AD users, see KB 1424114.
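The lookup described above, as an added example that is not part of this KB or of Infor's software: it mimics the s-file lookup ("s" + SSO user, case sensitive, in $BSE/lib/user/sso) against a constructed directory listing and tells you which of the three causes in resolution 2 applies to a given login string.

```python
# Added example (not from the KB): explain a "Could not open @.../lib/user/sso/s<user>"
# error offline. Constructed stand-in for the contents of $BSE/lib/user/sso; the
# Logic Service looks for a file named "s" + <SSO user>, matched case-sensitively.
SSO_FILES = {"sJRDoe", "sbsp", "sbaan"}


def diagnose_sso_lookup(login_name, sso_files=SSO_FILES):
    """Return (status, detail) for the login string WebUI/LN UI passed on.

    status is one of: ok, upn_sent, case_mismatch, no_user.
    """
    wanted = "s" + login_name
    if wanted in sso_files:
        return "ok", wanted
    # A UPN (user@domain) arrives when "Support Multiple Domain SSO" (WebUI) or
    # "Send UPN instead of SAM account name" (LN UI) is enabled; the s-file is
    # normally keyed by the pre-Windows 2000 name.
    if "@" in login_name:
        sam = login_name.split("@", 1)[0]
        return "upn_sent", "looked for %s; pre-Windows 2000 name is %s" % (wanted, sam)
    # Same name in a different case: the SSO User field in User Data
    # [ttaad2500m000] must match the AD login exactly.
    for name in sso_files:
        if name.lower() == wanted.lower():
            return "case_mismatch", "found %s, received %s" % (name, login_name)
    # No s-file at all: the user is not set up in LN, or not converted to runtime.
    return "no_user", "Could not open @$BSE/lib/user/sso/%s" % wanted
```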
3- Connection broken during login / sslv3 alert certificate unknown
This error usually occurs when something is changed in the WebUI/LN UI Login Configuration: the certificate on the WebUI/LN UI side no longer matches the certificate on the Infor LN side. The "Create/Update Keystores" procedure solves this problem.
4- Failure to configure key/truststores for backend / Error during SSLFactory initialization
This error occurs while creating/updating the keystores from the Infor LN Environment menu in the WebUI/LN UI Administrator.
You need to Create/Update Keystores when, for example, the "Error during SSLFactory initialization" error is shown in the Diagnostics.
To solve this you need to delete the previously created keystores on (sometimes) both the WebUI/LN UI and the Infor LN side.
First try to delete these two files on the Infor LN server:
   $SECURITY/[WebUI server hostname].p12
   $SECURITY/ssl.properties
If that doesn't help, also delete on the WebUI/LN UI server:
   (WebUI) $ESE/Webtop/config/keystores/[LN server hostname].p12 / (LN UI) $ESE/lnui/config/keystores/[LN server hostname].p12
and sometimes also:
   (WebUI) $ESE/Webtop/config/keystores/[WebUI server hostname].jks / (LN UI) $ESE/lnui/config/keystores/[WebUI server hostname].jks
After deleting the files, regenerate the keystores and restart the Logic Service on the LN server.
The error "Failure to configure key/truststores for backend" seems to be triggered when the hostname of the LN server is defined differently than during the previous Create/Update Keystores run.
5- Please download and install the 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'.
The newest JCE Unlimited Strength Jurisdiction Policy Files are needed while generating/updating the keystores.
Download them here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Replace the old ones in $JAVA/lib/security.
6- SAML Authorization failure: No permission for SSO Location 'STS' OS user 'xxx' SSO User 'yyy' / XML file 'security/sso_permissions.xml' not found (in $BSE for BaanLogin Daemon='/baan/bse')
The user is denied access because the permissions could not be read.
1. Make sure the file sso_permissions.xml exists in the $SECURITY folder.
2. UNIX: set the $BSE variable and restart blogind6.2. Make sure $BSE is set each time blogind6.2 is started:
   $ export BSE=[path to BSE]
7- SAML Authorization failure: No permission for SSO Location 'STS' OS user 'xxx' SSO User 'yyy'
This error is related to a wrong configuration on the Infor LN side in the file $SECURITY/sso_permissions.xml.
Please refer to Chapter 3 of the Infor Enterprise Server Single Sign On User Guide.
If a Generic User is used, its username must be written in the <impersonation os_user="[generic user]"> tag together with all SSO users that impersonate the Generic User. The easiest way is to use <sso_user name="*">.
<?xml version="1.0"?>
<SingleSignOn>
  <impersonations sso_location="STS">
    <impersonation os_user="bsp">
      <sso_user name="*"/>
    </impersonation>
  </impersonations>
</SingleSignOn>
See these sessions to determine whether the Generic User is used or not:
- SSO Parameters [ttams0100m000]
- User Data [ttaad2500m000]
NOTE: Under Windows the Generic User is ALWAYS used.
This error can also happen when the Generic User's password/username is no longer valid. These are written in $BSE/lib/sso_config.
Use the session SSO Parameters [ttams0100m000] to regenerate the credentials.
If you change the Generic User name, make sure you convert all users to runtime via Convert to Runtime DD [ttams2201m000], selecting Remote Users and System Data / User Data / Text Groups.
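An added example, not part of this KB or of Infor's code, that reads an sso_permissions.xml with the structure shown above and answers the question behind resolution 7: is SSO user 'yyy' allowed to be impersonated as OS user 'xxx' at location 'STS'? The sample file is constructed; it lists "bsp" as a Generic User open to everyone and "baan" restricted to two named users. Names are compared exactly, which is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample sso_permissions.xml (not a real customer file).
SAMPLE_XML = """<?xml version="1.0"?>
<SingleSignOn>
  <impersonations sso_location="STS">
    <impersonation os_user="bsp">
      <sso_user name="*"/>
    </impersonation>
    <impersonation os_user="baan">
      <sso_user name="JRDoe"/>
      <sso_user name="Admin01"/>
    </impersonation>
  </impersonations>
</SingleSignOn>
"""


def load_permissions(xml_text):
    """Return {(sso_location, os_user): set of allowed sso_user names}."""
    perms = {}
    root = ET.fromstring(xml_text)
    for imps in root.findall("impersonations"):
        location = imps.get("sso_location")
        for imp in imps.findall("impersonation"):
            names = {u.get("name") for u in imp.findall("sso_user")}
            perms.setdefault((location, imp.get("os_user")), set()).update(names)
    return perms


def may_impersonate(perms, location, os_user, sso_user):
    """True when sso_user is listed for os_user at location, or "*" is listed.
    Exact (case-sensitive) comparison is an assumption of this example."""
    allowed = perms.get((location, os_user), set())
    return "*" in allowed or sso_user in allowed


def explain(perms, location, os_user, sso_user):
    """Return 'permitted' or the front-end message the KB lists for resolution 7."""
    if may_impersonate(perms, location, os_user, sso_user):
        return "permitted"
    return ("SAML Authorization failure: No permission for SSO Location '%s' "
            "OS user '%s' SSO User '%s'" % (location, os_user, sso_user))
```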
8- Connection to the environment could not be established.
This happens when WebUI/LN UI cannot connect to the ERP LN environment. Something in the LN environment connection details must be wrong; usually it is the port.
For Windows-based LN servers the BaanLogin SSL port is always 512. Also make sure that it is enabled in the Infor Manager - ES Logic Service properties.
For *NIX-based LN servers the BaanLogin SSL port depends on the port the blogind6.2 service is listening on, usually 7150 if not set differently.
9- ssl.properties file is corrupted
Delete $SECURITY/ssl.properties
10- Connection broken during login / certificate is not yet valid
This is caused by a time difference between the WebUI/LN UI server and the LN server.
Even if the absolute time is equal, check the time zone; it is taken into account.
If the LN server is on 13:00 CET (UTC+01:00) and the WebUI/LN UI server on 13:00 PST (UTC-08:00), the certificate will become valid only after 9 hours.
11- The Reference for URI #_1f0cc822-d41c-4e77-9317-4913a6a56f36 has no XMLSignatureInput
Java bug: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8017171
Downgrading the Tomcat Java version from 7u51 to 7u21 solves the issue for now.
12- Failed to convert SSO Parameters to runtime.
During the Update/Generate Keystores procedure the file $BSE/lib/sso_config is rewritten. This error means that the user running the procedure does not have write permission on this file, or the file is read-only. Use a different user, for example "baan" or "bsp", to generate the keystores and check that the file is writable. Note that under Windows it is not enough for the user to be a member of the Administrators group: the ntbshell.exe process that writes the file does not run with elevated permissions, so it will fail. You need to specify the user explicitly in the Security tab.
13- Filter execution threw an exception
This means that no SSO Login Provider has been selected in the WebUI/LN UI Admin console. Go to Infor Web UI / LN UI Administration - Login Configuration, select IWA or IFS according to your needs and click "Select SSO". You will need to restart the ESE service (Tomcat) to apply the change.
14- SPNEGO related errors (when IWA is used on *NIX-deployed Tomcat)
For errors related to LN UI / WebUI deployed under a Unix/Linux environment with IWA activated, see KB 1587174. It is recommended to use IFS in that case, because the SPNEGO integration might not work well since Windows 7 due to a Microsoft bug. This is, however, overcome in later versions of Java.
Affected Products & Releases
Affected Product | Affected Release
LN UI - Windows / Worktop / Webtop | Unspecified
Infor Ming.le Enterprise | 11.1.6
Infor Ming.le Foundation | 11.1.6

Keywords: sso; keystores; fslogin
Type: Knowledge
Severity: 2 - High
Status: Complete
Last Updated: 14 Apr 2016
Created: 14 Oct 2013 09:06 PM E
Revised: 14 Apr 2016 01:56 PM E