Administration
Symptom
Stacktrace in ontigms.0.0.log containing something like "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Fix
Import Root and intermediate certificates into the Java keystore used for on OnTime for Microsoft solution.
- Backup the current 'cacerts' file - C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\cacerts
- Export the root certificate - if required, any intermediate certificates by using copy to file for each using PEM/CER (Base64 encoded) format. This may be done using a web browser. Here we are using *.cer.
- Copy the *.cer files to C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\
- Using password "changeit" (unless manually changed) install the root certificate
..\..\..\bin\keytool -import -trustcacerts -alias root -file root.cer -keystore cacerts
Using password "changeit" (unless manually changed) install the intermediate certificates..\..\..\bin\keytool -import -trustcacerts -alias intermediateXX -file intermediateXX.cer -keystore cacerts
Restart OnTime for Microsoft.
Symptom
When accessing OnTime for Microsoft with domain(SSO) login enabled the server reports "HttpStatus Code 400 Bad Request – RequestUrl/Field to Long" during the domain logon redirect on the OnTime Server the C:\Windows\System32\LogFiles\HTTPERR\httperr1.log shows2015-12-10 12:51:43 10.41.32.152 62489 10.41.40.35 80 HTTP/1.1 GET /ontime/auth.html?redirect=http://ch-s-0008355:8080/ontimegcms/ 400 - RequestLength -
Fix
- Using regedit add the following values HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters Key,
DWORD(Decimal value)MaxFieldLength 65534MaxRequestBytes 65534MaxTokenSize 65535 - Stop the OnTimeMSAuth NT Service
- Restart the HTTP service From an elevated command prompt
>net stop http
>net start http - Start the OnTimeMSAuth NT Service.
The license for OnTime requires the USERDOMAIN name of the Windows server on which the OnTime server runs. This is true for both trial and production environments.
You can find the USERDOMAIN by executing a 'Set' command from a Command prompt. The machine you run the set command on, must be part of the same domain as your future OnTime server. Please make sure that you do not select the USERDNSDOMAIN)".
Please see the example below.
The user makes a login request from the client to the OnTime server. The OnTime servers passes the login as an Authentication request to the Exchange server. In turn the user gets a token, valid for typically 7 days, for further requests to Ontime.
OnTime supports four types of authentication methods as shown below.
Form Based - Pass-through (HTTP and HTTPS)
How to login with your Outlook email address and password on the OnTime login screen. If you can approve by login operation, a Token will be issued.
The proper use of HTTP and HTTPS is determined by the URL to connect to.
HTTP(s) Domain (SSO)
This is a method that can be linked with SSO, Single-Sign-On as a function of Windows,joined to an AD domain, Windows integrated authentication. If it can be approved via AD, a Token will be issued.
Select HTTP or HTTPS at the time of setting to use HTTP and HTTPS properly.
The "OnTime Auth Service" bundled with OnTime runs on the server.
HTTPS ADFS (SSO)
An SSO that authenticates by redirecting to ADFS organizational authentication in Azure AD or on-premise AD. Azure AD configures SAML settings from an enterprise application.
HTTP(s) Mail Auth
This is a method to enter an email account to login to and send an email with a one-time activation link to that email account. OnTime activates the Token when you click the one-time activation link in the email.
Authentication is possible regardless of the mail system you are using, on-premise or cloud, client application you are using, etc. In addition, there is no need to link with the authentication system used by the organization, and installation is simple.
Also, this one-time activation link can only be used once, so if you need it again, it will be resent. This one-time activation link is valid only 15 minutes after sending, and can be used only once. If you need it again, it will be resent. If you receive an email with a one-time activation link that you don't remember, don't click the link as someone else is trying to activate OnTime using that person's account. Also, if this email is clicked first by anyone other than you, you need to worry about eavesdropping on the email environment and authentication to the email environment before OnTime.
Of course, if you enter an external email address or an email address that does not use OnTime even within the same organization (an email address that is not subject to OnTime synchronization), an error message will be displayed and the one-time link email will not be sent.
The OnTime client uses the Token to verify the users identity when communicating with the OnTime server.
What is the Token used by OnTime?
The Token consists of the identity of the connecting user and the Token expiration date. A Token is issued when the user is authenticated at the time of the first connection regardless of the authentication method. A new Token, whose Token expiration date is updated, is issued every time a new connection is made (for example, when data is acquired by clicking with the mouse). Therefore, this Token can continue to be used without re-authentication from the time when the data was last acquired (for example, switching groups, creating a schedule, etc.) until the Token expiration date. Of course, even if you close the OnTime client, you can use it without going through the authentication step when you reopen it.
How to set the OnTime Token expiry time:
Is it possible to invalidate the Token?
In the Users/Members section, click the user - and click 'Invalidate Token'.
It has been reported that the Microsoft Domain controller has a vulnerability called 'KrbRelayUp' when using standard LDAP requests.
This vulnerability can be removed in the domain controller by changing the security to 'LDAP signing'.
In the OnTime configuration please change the LDAP setup from LDAP to LDAPS.
