Web Single Sign-on Problems and Diagnosis

Main.SSOProblemsAndDiagnosis History

Changed lines 13-14 from:
!! I've turned SSO on and now can't login to PaperCut!
to:
!! I've turned SSO on and now can't log in to PaperCut!
Changed lines 58-59 from:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the [@http://mypapercutserver:9191/admin/nosso@] URL and grant your Windows account the necessary admin rights.
to:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may log in with that account using the [@http://mypapercutserver:9191/admin/nosso@] URL and grant your Windows account the necessary admin rights.
Changed lines 62-63 from:
Try to isolate the problem as much as possible.  For example, login to the Windows machine running the PaperCut application server and try to access PaperCut from localhost.
to:
Try to isolate the problem as much as possible.  For example, log in to the Windows machine running the PaperCut application server and try to access PaperCut from localhost.
Changed lines 72-73 from:
# Attempt to login (and note the date/time)
# Login using [@/nosso@] and turn off SSO
to:
# Attempt to log in (and note the date/time)
# Log in using [@/nosso@] and turn off SSO
Changed line 39 from:
(Note that If you try browsing to the web interface again and seen an error code "0x20b5:- The name reference is invalid", then try editing the servicePrincipalName with this syntax "http/fully qualified domain".)
to:
(Note that If you try browsing to the web interface again and seen an error code "0x20b5:- The name reference is invalid", then try editing the servicePrincipalName with this syntax "http/fully qualified domain". Also in some cases this has been case sensitive and the syntax are "HTTP/fully qualified domain".)
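
Review bot: The sentence added at the end of this note is ungrammatical ("the syntax are") and too vague to act on, since "in some cases this has been case sensitive" does not say when the uppercase form should be tried. Suggest wording such as: "If that still fails, try the uppercase service class: HTTP/fully qualified domain." The unchanged start of the note also still reads "Note that If ... and seen an error code", which should be "Note that if ... and see an error code".
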
June 28, 2018, at 09:27 PM by Aaron Pouliot - Added Category SSO
Deleted line 75:
Changed line 77 from:
''Categories:'' [[Category.Error|+]], [[Category.Administration|+]]
to:
''Categories:'' [[Category.SSO|+]], [[Category.Error|+]], [[Category.Administration|+]]
June 15, 2018, at 09:11 PM by Brian - move email to website support
Changed line 31 from:
In this scenario, the URL for the PaperCut server is already in the Intranet Zone, but users are still being prompted for credentials to sign in when using Internet Explorer or Chrome. The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. Please let us know if you encounter this issue by sending an email to support@papercut.com.
to:
In this scenario, the URL for the PaperCut server is already in the Intranet Zone, but users are still being prompted for credentials to sign in when using Internet Explorer or Chrome. The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. Please let us know if you encounter this issue by opening a case at: [[https://support.papercut.com/]].
October 11, 2017, at 06:04 PM by Aaron Pouliot -
Deleted lines 28-31:
!!! All I get is a white screen

A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process.  For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser is accessing the PaperCut server directly and not via a proxy server.

Changed lines 31-32 from:
The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. Please let us know if you encounter this issue by sending an email to support@papercut.com
to:
In this scenario, the URL for the PaperCut server is already in the Intranet Zone, but users are still being prompted for credentials to sign in when using Internet Explorer or Chrome. The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. Please let us know if you encounter this issue by sending an email to support@papercut.com.
Added lines 41-43:
!!! All I get is a white screen

A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process.  For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser is accessing the PaperCut server directly and not via a proxy server.
October 11, 2017, at 06:02 PM by Aaron Pouliot - Added workaround for PC-12346 Windows SSO fails when PaperCut App Service runs as Domain Acct
Added lines 32-44:

!!! Windows SSO fails when the PaperCut Application Service is running as a Domain User account

The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. Please let us know if you encounter this issue by sending an email to support@papercut.com

Steps:
#Open Active Directory Users and Computers.
#Go to View and select Advanced Features.
#Find the service account PaperCut is running as, then right click and choose Properties.
#Find the Attribute Editor tab and look for servicePrincipalName, then enter the fully qualified domain name of your PaperCut Server, and click OK to apply.
#Then restart the PaperCut Service and test.
(Note that If you try browsing to the web interface again and seen an error code "0x20b5:- The name reference is invalid", then try editing the servicePrincipalName with this syntax "http/fully qualified domain".)
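
Review bot: Step 4 tells the reader to enter the bare fully qualified domain name as the servicePrincipalName value, while the closing parenthetical gives "http/fully qualified domain" as the form to use once error 0x20b5 appears, so the procedure never says which format is expected on the first attempt. Suggest stating the intended value format inside step 4 and turning the parenthetical into a numbered fallback step after the restart-and-test step. The introductory sentence is also missing its final period after support@papercut.com.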

Changed lines 35-36 from:
[[#http413]]!!! Error 413 "Full HEAD"
to:
[[#http413]]
!!! Error 413 "Full HEAD"
Added lines 32-33:

Internet Explorer users may see this when they are actually getting a "HTTP 413" error (see below)
Added lines 35-41:
[[#http413]]!!! Error 413 "Full HEAD"

If using Kerberos SSO the HTTP headers can be large, and can exceed the jetty default max size (4096 bytes). This can be fixed with a @@[app-path]/server/server.properties@@ config option "server.request-header-size". The default size is 10000 bytes. It seems that for kerberos SSO it needs to be higher. e.g. 32000. This can be set in the server.properties file by adding a brand new line with:\\
@@server.request-header-size=32000@@\\
The App Server will then need to be restarted.\\
''Note that this will only work with PaperCut build 14.2 (28942) or later''

Deleted lines 46-52:
!!! Error 413 "Full HEAD"

If using Kerberos SSO the HTTP headers can be large, and can exceed the jetty default max size (4096 bytes). This can be fixed with a @@[app-path]/server/server.properties@@ config option "server.request-header-size". The default size is 10000 bytes. It seems that for kerberos SSO it needs to be higher. e.g. 32000. This can be set in the server.properties file by adding a brand new line with:\\
@@server.request-header-size=32000@@\\
The App Server will then need to be restarted.\\
''Note that this will only work with PaperCut build 14.2 (28942) or later''

November 25, 2014, at 12:07 AM by TimG - Updated to include server.request-header-size information
Added lines 38-44:
!!! Error 413 "Full HEAD"

If using Kerberos SSO the HTTP headers can be large, and can exceed the jetty default max size (4096 bytes). This can be fixed with a @@[app-path]/server/server.properties@@ config option "server.request-header-size". The default size is 10000 bytes. It seems that for kerberos SSO it needs to be higher. e.g. 32000. This can be set in the server.properties file by adding a brand new line with:\\
@@server.request-header-size=32000@@\\
The App Server will then need to be restarted.\\
''Note that this will only work with PaperCut build 14.2 (28942) or later''
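
Review bot: The paragraph gives two different defaults, "the jetty default max size (4096 bytes)" and "The default size is 10000 bytes" for server.request-header-size, without saying which limit a stock install actually enforces. Suggest stating which of the two applies, and replacing "It seems that for kerberos SSO it needs to be higher. e.g. 32000." with a single definite recommendation that names the value. "kerberos" should match the capitalised "Kerberos SSO" at the start of the paragraph, and "jetty" should be written "Jetty".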

October 03, 2013, at 09:08 AM by Chris - Minor layout fixes
Changed lines 36-37 from:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the [=http://mypapercutserver:9191/admin/nosso=] URL and grant your Windows account the necessary admin rights.
to:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the [@http://mypapercutserver:9191/admin/nosso@] URL and grant your Windows account the necessary admin rights.
Changed line 51 from:
# Login using [=/nosso=] and turn off SSO
to:
# Login using [@/nosso@] and turn off SSO
October 03, 2013, at 09:08 AM by Chris - Minor layout fixes and added some keywords
Changed lines 17-19 from:
   http://mypapercutserver:9191/admin/nosso

to:
   [@http://mypapercutserver:9191/admin/nosso@]

Changed lines 36-37 from:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the http://mypapercutserver:9191/admin/nosso URL and grant your Windows account the necessary admin rights.
to:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the [=http://mypapercutserver:9191/admin/nosso=] URL and grant your Windows account the necessary admin rights.
Changed line 51 from:
# Login using /nosso and turn off SSO
to:
# Login using [=/nosso=] and turn off SSO
Changed line 58 from:
[-Keywords: SSO, Authentication, IWA-]
to:
[-Keywords: SSO, single signon, sign-on, Authentication, IWA, log-in problem, auth, domain, username, -]
Changed line 31 from:
A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process.  For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser accessing the PaperCut server directly and not via a proxy server.
to:
A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process.  For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser is accessing the PaperCut server directly and not via a proxy server.
Changed lines 36-37 from:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the admin/nosso URL described above and grant your Windows account the necessary admin rights.
to:
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the http://mypapercutserver:9191/admin/nosso URL and grant your Windows account the necessary admin rights.
Changed line 42 from:
If you wish to report an SSO problem to PaperCut support.  Please collect the following diagnostic information:
to:
If you wish to report an SSO problem to PaperCut support, please collect the following diagnostic information:
Added lines 40-41:
Try to isolate the problem as much as possible.  For example, login to the Windows machine running the PaperCut application server and try to access PaperCut from localhost.
Added lines 10-12:
Before implementing SSO it is very important to work through the [[https://www.papercut.com/products/ng/manual/ch-sso.html#ch-sso-planning |planning section]] in the manual. 
Complete the [[https://www.papercut.com/products/ng/manual/ch-sso-configure.html#ch-sso-post-install-test |post install tests]] '''before''' putting SSO in production.

Changed lines 24-25 from:
* The PaperCut server is not configured to be in the "Intranet Zone".  This applies to Internet Explorer and Chrome. Go to Control Panel -> Internet Options -> Security.  Select Intranet Zone and ensure the PaperCut server is included.  By default a URL containing a period '.' will not belong to the intranet zone and may need to be manually added.
to:
* The PaperCut server is not configured to be in the "Intranet Zone".  This applies to Internet Explorer and Chrome browsers.  Go to Control Panel -> Internet Options -> Security.  Select Intranet Zone and ensure the PaperCut server is included.  By default a URL containing a period '.' will not belong to the Intranet Zone and may need to be manually added.
Changed line 28 from:
A white screen with no browser authentication prompt may occur if Windows Authentication process is failing.  For example, there may be a site mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser is not accessing the PaperCut server via a proxy server.
to:
A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process.  For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser accessing the PaperCut server directly and not via a proxy server.
Changed lines 22-23 from:
* You are not logged into Windows.  Users accessing the site from a mobile device or a Mac or Linux computer can expect
to see the authentication dialog.
to:
* You are not logged into Windows.  Users accessing the site from a mobile device or a Mac or Linux computer can expect to see the authentication dialog.
Changed line 21 from:
If automatic Windows Authentication cannot proceed, the browser may ask for your credentials.  If you click Cancel, the request will fail as "Not Authorized".  There are several reasons why you may see this behavior:
to:
If automatic Windows Authentication cannot proceed, the browser may ask for your credentials.  If you provide incorrect credentials, or click Cancel, the request will fail as "Not Authorized".  There are several reasons why you may see this behavior:
Changed line 21 from:
If automatic Windows Authentication cannot proceed, the browser will normally ask for your credentials.  If you cancel, the request will fail as "Not Authorized".  There are several reasons why you may see this behavior:
to:
If automatic Windows Authentication cannot proceed, the browser may ask for your credentials.  If you click Cancel, the request will fail as "Not Authorized".  There are several reasons why you may see this behavior:
Changed line 4 from:
(see [[https://www.papercut.com/products/ng/manual/ch-sso.html | sso chapter in manual]])
to:
(see [[https://www.papercut.com/products/ng/manual/ch-sso.html | SSO chapter in manual]])
Changed lines 43-50 from:
To collect the server debug logs:
1. Turn on debug logging (instructions here: https://www.papercut.com/kb/Main/HowToEnableDebugInNG)
2. Turn on SSO.  Take a screen shot of your SSO configuration.
3. Attempt to login (and note the date/time)
4. Login using /nosso and turn off SSO
5. Turn off debug logging and set the logs to us along with the time of your SSO login attempt

to:
'''To collect the server debug logs:'''
#
Turn on debug logging (instructions here: https://www.papercut.com/kb/Main/HowToEnableDebugInNG)
# Turn on SSO.  Take a screen shot of your SSO configuration.
# Attempt to login (and note the date/time)
# Login using /nosso and turn off SSO
# Turn off debug logging and set the logs to us along with the time of your SSO login attempt
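
Review bot: In the new list the first item is split across two lines: "#" stands alone and "Turn on debug logging ..." follows on the next line, unlike the other four items, which keep the marker and the text together. Suggest putting "# Turn on debug logging (instructions here: ...)" on one line. The last item also carries over "set the logs to us" from the old text, which looks like a typo for "send the logs to us".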

Added lines 1-54:
(:title Web Single Sign-on Problems and Diagnosis:)

PaperCut's Web SSO functionality
(see [[https://www.papercut.com/products/ng/manual/ch-sso.html | sso chapter in manual]])
is compelling and in the case of Windows Authentication, easy to implement.

But the technology underlying SSO is complex and there are many Windows policy and configuration
variables that can occasionally cause things to go wrong.

!! I've turned SSO on and now can't login to PaperCut!

If you find yourself locked out of PaperCut, you can bypass SSO to get PaperCut's standard login screen by adding "/nosso" to the URL.  For example:

    http://mypapercutserver:9191/admin/nosso


!! Troubleshooting Common Problems

!!! User is prompted by the Browser to provide username and password

If automatic Windows Authentication cannot proceed, the browser will normally ask for your credentials.  If you cancel, the request will fail as "Not Authorized".  There are several reasons why you may see this behavior:
* You are not logged into Windows.  Users accessing the site from a mobile device or a Mac or Linux computer can expect
to see the authentication dialog.
* Your browser does not support Integrated Windows Authentication or needs configuration.  Firefox, for example, requires configuration as described [[http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication | here]].
* The PaperCut server is not configured to be in the "Intranet Zone".  This applies to Internet Explorer and Chrome.  Go to Control Panel -> Internet Options -> Security.  Select Intranet Zone and ensure the PaperCut server is included.  By default a URL containing a period '.' will not belong to the intranet zone and may need to be manually added.

!!! All I get is a white screen

A white screen with no browser authentication prompt may occur if Windows Authentication process is failing.  For example, there may be a site mis-configuration that makes the Windows Domain controller unreachable.  You should ensure that the browser is not accessing the PaperCut server via a proxy server.
 
!!! Trying to access admin interface but get user interface instead

If your Windows login does not have PaperCut admin rights, you will not be able to access the admin interface. 
Instead, you may be redirected to the PaperCut user interface.  If you have been using the built-in "admin" account prior to using SSO, you may login with that account using the admin/nosso URL described above and grant your Windows account the necessary admin rights.

!! Diagnostics

If you wish to report an SSO problem to PaperCut support.  Please collect the following diagnostic information:
* Windows version on PaperCut server and client
* Type of Browser
* Server debug logs

To collect the server debug logs:
1. Turn on debug logging (instructions here: https://www.papercut.com/kb/Main/HowToEnableDebugInNG)
2. Turn on SSO.  Take a screen shot of your SSO configuration.
3. Attempt to login (and note the date/time)
4. Login using /nosso and turn off SSO
5. Turn off debug logging and set the logs to us along with the time of your SSO login attempt


----
''Categories:'' [[Category.Error|+]], [[Category.Administration|+]]
----
[-Keywords: SSO, Authentication, IWA-]

Article last modified on November 19, 2018, at 04:34 AM