Frequently Asked Questions

Answers to the Most Common Questions about the OnTime® Group Calendar

Do you have any questions about the OnTime® Group Calendar? See if you find the answer below. If you have a hard time finding what you are looking for, please contact us with your questions, we are ready to help.

Did You Not Find What You Were Looking For? 

If you didn't find what you were looking for, you might be able to find the answer in the documentation section. Otherwise, you can submit a question to our support team.


Administration

SSL issues connecting to Load Balancer/Exchange Server

Symptom

Stacktrace in ontigms.0.0.log containing something like "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Fix

Import Root and intermediate certificates into the Java keystore used for on OnTime for Microsoft solution.

  1. Backup the current 'cacerts' file - C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\cacerts
  2. Export the root certificate - if required, any intermediate certificates by using copy to file for each using PEM/CER (Base64 encoded) format. This may be done using a web browser. Here we are using *.cer.
  3. Copy the *.cer files to C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\
  4. Using password "changeit" (unless manually changed) install the root certificate
    ..\..\..\bin\keytool -import -trustcacerts -alias root -file root.cer -keystore cacerts

    Using password "changeit" (unless manually changed) install the intermediate certificates
    ..\..\..\bin\keytool -import -trustcacerts -alias intermediateXX -file intermediateXX.cer -keystore cacerts

Restart OnTime for Microsoft.

Domain (SSO) login fails with 400 Bad Request RequestUri/Field To Long

Symptom

When accessing OnTime for Microsoft with domain(SSO) login enabled the server reports "HttpStatus Code 400 Bad Request – RequestUrl/Field to Long" during the domain logon redirect on the OnTime Server the C:\Windows\System32\LogFiles\HTTPERR\httperr1.log shows
2015-12-10 12:51:43 10.41.32.152 62489 10.41.40.35 80 HTTP/1.1 GET /ontime/auth.html?redirect=http://ch-s-0008355:8080/ontimegcms/ 400 - RequestLength -

Fix

  1. Using regedit add the following values HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters Key,
    DWORD(Decimal value)
    MaxFieldLength 65534
    MaxRequestBytes 65534
    MaxTokenSize 65535

  2. Stop the OnTimeMSAuth NT Service
  3. Restart the HTTP service From an elevated command prompt
    >net stop http
    >net start http
  4. Start the OnTimeMSAuth NT Service.
How to determine the USERDOMAIN for a license key

The license for OnTime requires the USERDOMAIN name of the Windows server on which the OnTime server runs. This is true for both trial and production environments.

You can find the USERDOMAIN by executing a 'Set' command from a Command prompt. The machine you run the set command on, must be part of the same domain as your future OnTime server. Please make sure that you do not select the USERDNSDOMAIN)".

Please see the example below.

user domain

OnTime User Authentication Method

The user makes a login request from the client to the OnTime server. The OnTime servers passes the login as an Authentication request to the Exchange server. In turn the user gets a token, valid for typically 7 days, for further requests to Ontime.

OnTime_authentication OnTime for Microsoft - FAQ

OnTime supports four types of authentication methods as shown below.

 OnTime_Auth OnTime for Microsoft - FAQ

 

Form Based - Pass-through (HTTP and HTTPS)
How to login with your Outlook email address and password on the OnTime login screen. If you can approve by login operation, a Token will be issued.
The proper use of HTTP and HTTPS is determined by the URL to connect to.

HTTP(s) Domain (SSO)
This is a method that can be linked with SSO, Single-Sign-On as a function of Windows,joined to an AD domain, Windows integrated authentication. If it can be approved via AD, a Token will be issued.
Select HTTP or HTTPS at the time of setting to use HTTP and HTTPS properly.
The "OnTime Auth Service" bundled with OnTime runs on the server.

HTTPS ADFS (SSO)
An SSO that authenticates by redirecting to ADFS organizational authentication in Azure AD or on-premise AD. Azure AD configures SAML settings from an enterprise application.

HTTP(s) Mail Auth
This is a method to enter an email account to login to and send an email with a one-time activation link to that email account. OnTime activates the Token when you click the one-time activation link in the email.
Authentication is possible regardless of the mail system you are using, on-premise or cloud, client application you are using, etc. In addition, there is no need to link with the authentication system used by the organization, and installation is simple.
Also, this one-time activation link can only be used once, so if you need it again, it will be resent. This one-time activation link is valid only 15 minutes after sending, and can be used only once. If you need it again, it will be resent. If you receive an email with a one-time activation link that you don't remember, don't click the link as someone else is trying to activate OnTime using that person's account. Also, if this email is clicked first by anyone other than you, you need to worry about eavesdropping on the email environment and authentication to the email environment before OnTime.
Of course, if you enter an external email address or an email address that does not use OnTime even within the same organization (an email address that is not subject to OnTime synchronization), an error message will be displayed and the one-time link email will not be sent.

OnTime Token

The OnTime client uses the Token to verify the users identity when communicating with the OnTime server.

What is the Token used by OnTime?
The Token consists of the identity of the connecting user and the Token expiration date. A Token is issued when the user is authenticated at the time of the first connection regardless of the authentication method. A new Token, whose Token expiration date is updated, is issued every time a new connection is made (for example, when data is acquired by clicking with the mouse). Therefore, this Token can continue to be used without re-authentication from the time when the data was last acquired (for example, switching groups, creating a schedule, etc.) until the Token expiration date. Of course, even if you close the OnTime client, you can use it without going through the authentication step when you reopen it.

 

How to set the OnTime Token expiry time:

 TokenExpiry OnTime for Microsoft - FAQ

 

 

Is it possible to invalidate the Token?
In the Users/Members section, click the user - and click 'Invalidate Token'.

InvalidateToken OnTime for Microsoft - FAQ

 

 

KrbRelayUP - LDAP signing - Vulnerability in MS domain controller

It has been reported that the Microsoft Domain controller has a vulnerability called 'KrbRelayUp' when using standard LDAP requests.

This vulnerability can be removed in the domain controller by changing the security to 'LDAP signing'.

 

In the OnTime configuration please change the LDAP setup from LDAP to LDAPS.

 

 

 


Outlook Add-In

How to install the OnTime - Outlook Add-in

For information on how to install the OnTime Outlook add-in, please refer to the OnTime Installation & Configuration manual available for download here


Web Interface


Mobile Interface

How can I make an OnTime Web App?

Central roll-out:

Usually OnTime® Mobile is delivered to the whole organisation from a central place, this would usually be through Mobile Device Management Solutions, and therefore it shouldn’t be up to the user to do this manually. 

Manual Instalation:

In order to make an OnTime Mobile Web App in iOS, you have to open your mobile client in safari, using the link you would usually use to open the Desktop Client online, but replacing the word desktop with mobile. You can then click on the square icon with an arrow pointing upwards in the middle of the bottom panel. In the lower part of the box that opens, you can then choose “Add to Home Screen”. You can name the Web App e.g. OnTime Mobile, and click add. You will now have easy access to your OnTime Mobile Client from you home screen.


Microsoft Teams UI's

Why wont OnTime load in the MS Teams desktop application, but loads on MS Teams web?
The web application requires a HTTPS authorization. Check if you are using the correct authorization setup in the Admin Client.

More Help

User Tutorials

Learn about the interfaces and functionalities in our tutorials.

Administration Manuals

Learn about the installation and configuration in our manuals.

Get Support

Did not find what you were looking for.
Ask our experts.

Copyright © 2022 OnTime.
All rights reserved.

Company

Stay Connected


Contact: Venlighedsvej 6 | 2970 Hørsholm, Denmark | CVR: DK 1935 2838 | Phone: +45 70 23 23 40

Opening hours (EST):  Mon - Thu 09:00 to 16:30 | Fri 09:00 to 16:00 | Sat - Sun < closed >