# Troubleshooting

General information

The SSO service from the example above runs on ssoserver.example.com. 4ALLPORTAL should be accessed via HTTPS only, so only HTTPS is considered here; using HTTP will lead to problems.

# Login not Possible

If a login is not possible, check the following options to solve the problem:

# 1. Check if your browser is configured for SSO

  • Internet Explorer, Edge, and Chrome on Windows:
    https://ssoserver.example.com has to be in the local intranet zone
  • Mozilla Firefox:
    about:config parameter network.negotiate-auth.trusted-uris must be https://ssoserver.example.com
  • Chrome on Mac OS X:
    Open the terminal:
    • defaults read com.google.Chrome AuthNegotiateDelegateWhitelist
    • Check whether the URL ssoserver.example.com or the wildcard .example.com is configured
    • Make sure the user has read access to the file /Users/$USER/Library/Preferences/com.google.Chrome.plist

# 2. Test access from front end with all used browsers

  • Open the URL https://ssoserver.example.com/sso-service/sso/Login and check the result: it has to be a 32-character string.
  • If the result is wrong, check whether all SSL certificates are valid. If they are not, solve those problems first.

# 3. Solve certificate problem(s)

  • Missing certificates

    • Windows: .cer certificates can be installed like a program
    • Mac: .pem certificates can be installed like a program
    • Mozilla Firefox: allows importing .pem certificates for certificate authority
  • Error in recent Chrome version

    • If you receive the error Subject Alternative Name Missing in the browser's developer tools (Inspect / Information etc.), you need a new certificate.
  • Access denied because of CORS

    • check your certificates for problems
    • check whether you have set all required headers. Set the following in your Apache configuration:
      • Access-Control-Allow-Origin
      • Access-Control-Allow-Credentials
    • if the error occurs on Mac OS X although the configuration is valid:
      • Reproduce the error by running kdestroy in the terminal.
      • To solve the problem, lock and unlock the desktop. It is not necessary to log out.

If you get an error like this:

A cookie associated with a cross-site resource at http://.../  
was set without the `SameSite` attribute. It has been blocked, as Chrome ...

add this to the Apache configuration:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
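Steps 2 and 3 from the command line, as an added example that is not part of the 4ALLPORTAL documentation: the script fetches the Login URL with the current Kerberos ticket, checks for the 32-character result, and checks that the certificate's Subject Alternative Name covers the host. It assumes curl built with SPNEGO support, openssl 1.1.1 or newer, and an existing ticket for the current user; the host name is the one used on this page.

```shell
#!/bin/sh
# Added diagnostic (not part of the 4ALLPORTAL docs) for steps 2 and 3.
# Assumes: curl with SPNEGO support, openssl >= 1.1.1, and a valid
# Kerberos ticket for the current user (see step 5).
SSO_HOST="${SSO_HOST:-ssoserver.example.com}"
SSO_URL="https://${SSO_HOST}/sso-service/sso/Login"

# Step 2: the Login endpoint must answer with a bare 32-character token.
# Anything else (an HTML error page, an empty body) means SSO failed.
is_sso_token() {
    printf '%s' "$1" | tr -d '\r\n' | grep -Eq '^[A-Za-z0-9]{32}$'
}

# Step 3: Chrome rejects a certificate whose Subject Alternative Name does
# not cover the host. $1 is the SAN extension text, $2 the expected host.
# A wildcard entry for the parent domain is accepted as well.
san_matches() {
    esc_host=$(printf '%s' "$2" | sed 's/\./\\./g')
    esc_parent=$(printf '%s' "${2#*.}" | sed 's/\./\\./g')
    printf '%s' "$1" | grep -Eq "DNS:(${esc_host}|\\*\\.${esc_parent})(,|\$| )"
}

check_sso() {
    # No -k: a broken chain must fail here, exactly as it does in the browser.
    # --negotiate -u : sends the Kerberos ticket via SPNEGO.
    tmp=$(mktemp)
    status=$(curl -sS --negotiate -u : -o "$tmp" -w '%{http_code}' "$SSO_URL") \
        || { rm -f "$tmp"; echo "curl failed: check the certificate chain (step 3)"; return 1; }
    body=$(cat "$tmp"); rm -f "$tmp"
    if [ "$status" != 200 ] || ! is_sso_token "$body"; then
        echo "unexpected answer (HTTP $status): check browser SSO config (step 1) or ticket (step 5)"
        return 1
    fi
    san=$(printf '' | openssl s_client -connect "${SSO_HOST}:443" -servername "$SSO_HOST" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    if ! san_matches "$san" "$SSO_HOST"; then
        echo "certificate has no matching Subject Alternative Name: request a new one (step 3)"
        return 1
    fi
    echo "SSO login OK (HTTP 200, 32-character token, SAN matches)"
}

# The live check runs only when invoked as: sh sso_check.sh run
if [ "${1:-}" = run ]; then check_sso; fi
```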

# 5. Try to renew Kerberos tickets

  • Windows terminal (cmd.exe)

    • show the existing tickets
      klist
      
    • delete the existing tickets
      klist purge
      

    After deleting the Kerberos tickets, SSO does not work anymore until they are renewed by locking and unlocking the screen. Logging out is not necessary.

  • Mac OS X terminal

    • show the existing tickets

      klist
      
    • delete the existing tickets

      kdestroy
      
    • renew the existing tickets

      After deleting the Kerberos tickets, SSO does not work anymore until they are renewed by locking and unlocking the screen or by running kinit. Logging out is not necessary.

      kinit username@DOMAIN (DOMAIN in upper case)
      

# 6. Further problems

  • Disable your firewall and virus scanner for testing.
  • Microsoft Edge: it was not possible to obtain a valid certificate while a Sophos virus scanner was active.