Answers to the Most Common Questions about the OnTime® Group Calendar
Do you have any questions about the OnTime® Group Calendar? See if you can find the answer below. If you have a hard time finding what you are looking for, please contact us with your questions; we are ready to help.
Did You Not Find What You Were Looking For?
If you didn't find what you were looking for, you might be able to find the answer in the documentation section. Otherwise, you can submit a question to our support team.
Stacktrace in ontigms.0.0.log containing something like "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Import the root and intermediate certificates into the Java keystore used by the OnTime for Microsoft solution.
Back up the current 'cacerts' file - C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\cacerts
Export the root certificate and, if required, any intermediate certificates, using "Copy to File" for each in PEM/CER (Base64 encoded) format. This may be done using a web browser. Here we are using *.cer.
Copy the *.cer files to C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security\
Using password "changeit" (unless manually changed), install the root certificate:
..\..\..\bin\keytool -import -trustcacerts -alias root -file root.cer -keystore cacerts
Using password "changeit" (unless manually changed), install the intermediate certificates:
..\..\..\bin\keytool -import -trustcacerts -alias intermediateXX -file intermediateXX.cer -keystore cacerts
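The steps above as one PowerShell script, with a fingerprint review before each import and a verification listing afterwards. This is an added example, not IntraVision's own tooling; it assumes the exported *.cer files are already in the security folder, that each file name (root.cer, intermediateXX.cer) doubles as the alias, and it keeps the x.x version placeholder from the path above.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# Assumption: replace x.x with the installed version, as in the FAQ path.
$SecDir    = 'C:\Program Files\IntraVision\OnTimeMS-x.x\jdk\lib\security'
$Keytool   = Join-Path $SecDir '..\..\..\bin\keytool.exe'   # relative path as given in the steps
$Keystore  = Join-Path $SecDir 'cacerts'
$StorePass = 'changeit'                                      # default unless manually changed

# 1. Timestamped backup so the original trust store can be restored.
Copy-Item -Path $Keystore -Destination "$Keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 2. Import every exported certificate found in the security folder.
$imported = @()
foreach ($cer in Get-ChildItem -Path $SecDir -Filter '*.cer') {
    $alias = $cer.BaseName
    $file  = $cer.FullName

    # Print subject, issuer, validity and fingerprints so the operator can
    # compare them with the values published by the CA before trusting the file.
    & $Keytool -printcert -file $file

    # Skip aliases that already exist instead of failing halfway through.
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "Alias '$alias' already exists, skipping $($cer.Name)"
        continue
    }

    # keytool asks "Trust this certificate?" here; answer only after the review above.
    & $Keytool -import -trustcacerts -alias $alias -file $file `
        -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "Import failed for $($cer.Name)" }
    $imported += $alias
}

# 3. Verify: each imported alias must now be listed with its fingerprint.
foreach ($alias in $imported) {
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $alias
}
```

Restart the OnTime services afterwards so the JVM reloads the trust store; if the PKIX error persists, an intermediate certificate in the chain is usually still missing.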
When accessing OnTime for Microsoft with domain (SSO) login enabled, the server reports "HttpStatus Code 400 Bad Request – RequestUrl/Field to Long" during the domain logon redirect. On the OnTime server, C:\Windows\System32\LogFiles\HTTPERR\httperr1.log shows:
2015-12-10 12:51:43 10.41.32.152 62489 10.41.40.35 80 HTTP/1.1 GET /ontime/auth.html?redirect=http://ch-s-0008355:8080/ontimegcms/ 400 - RequestLength -
Using regedit, add the following DWORD values (decimal) under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters:
MaxFieldLength 65534
MaxRequestBytes 65534
MaxTokenSize 65535
Stop the OnTimeMSAuth NT Service
Restart the HTTP service from an elevated command prompt:
>net stop http
>net start http
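The same procedure in PowerShell, preceded by a check that the HTTPERR logs really contain 400/RequestLength rejections. This is an added example, not vendor code; it assumes the service is registered under the name OnTimeMSAuth used above and that the log fields follow the layout of the sample line.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session on the OnTime server.
$LogDir = 'C:\Windows\System32\LogFiles\HTTPERR'
$Key    = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$Wanted = [ordered]@{ MaxFieldLength = 65534; MaxRequestBytes = 65534; MaxTokenSize = 65535 }

# 1. Confirm the symptom. Fields are space separated, as in the sample line:
#    date time client-ip client-port server-ip server-port version method uri status ...
$rejected = Get-ChildItem -Path $LogDir -Filter 'httperr*.log' |
    Select-String -Pattern ' 400 \S+ RequestLength' |
    ForEach-Object {
        $f = $_.Line -split ' '
        [pscustomobject]@{ When = "$($f[0]) $($f[1])"; Client = $f[2]; Uri = $f[8] }
    }
if (-not $rejected) {
    Write-Warning 'No 400/RequestLength entries found; the 400 may have another cause.'
}
# Rejections per client show whether one user or every SSO user is affected.
$rejected | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Record the current values, then set the three DWORDs from the FAQ.
foreach ($name in $Wanted.Keys) {
    $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = '(not set)' }
    '{0}: {1} -> {2}' -f $name, $current, $Wanted[$name]
    New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
        -Value $Wanted[$name] -Force | Out-Null
}

# 3. Stop the auth service (name assumed from the FAQ), then restart HTTP.
#    "net stop http" lists the dependent services it will also stop; note them,
#    because "net start http" does not start them again.
Stop-Service -Name 'OnTimeMSAuth'
net stop http
net start http
```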
The license for OnTime requires the USERDOMAIN name of the Windows server on which the OnTime server runs. This is true for both trial and production environments.
You can find the USERDOMAIN by executing a 'Set' command from a Command prompt. The machine you run the Set command on must be part of the same domain as your future OnTime server. Please make sure that you do not select the USERDNSDOMAIN.
The user makes a login request from the client to the OnTime server. The OnTime server passes the login as an authentication request to the Exchange server. In turn the user gets a token, valid for typically 7 days, for further requests to OnTime.
OnTime supports four types of authentication methods as shown below.
Form Based - Pass-through (HTTP and HTTPS): You log in with your Outlook email address and password on the OnTime login screen. If the login is approved, a Token is issued. Whether HTTP or HTTPS is used is determined by the URL you connect to.
HTTP(s) Domain (SSO): This method can be linked with Single Sign-On (SSO) as a function of Windows, that is, Windows integrated authentication on a machine joined to an AD domain. If the login is approved via AD, a Token is issued. Select HTTP or HTTPS in the settings to choose which one is used. The "OnTime Auth Service" bundled with OnTime runs on the server.
HTTPS ADFS (SSO): An SSO method that authenticates by redirecting to ADFS organizational authentication in Azure AD or on-premise AD. For Azure AD, the SAML settings are configured from an enterprise application.
HTTP(s) Mail Auth: With this method you enter the email account you want to log in with, and an email containing a one-time activation link is sent to that account. OnTime activates the Token when you click the one-time activation link in the email. Authentication is possible regardless of the mail system you are using (on-premise or cloud), the client application you are using, and so on. In addition, there is no need to link with the authentication system used by the organization, so installation is simple. The one-time activation link is valid for only 15 minutes after sending and can be used only once; if you need it again, it will be resent. If you receive an email with a one-time activation link that you do not remember requesting, do not click the link, as someone else is trying to activate OnTime using your account. Also, if the link is clicked first by anyone other than you, you need to worry about eavesdropping on the email environment and authentication to the email environment before OnTime. If you enter an external email address, or an email address that does not use OnTime even within the same organization (an email address that is not subject to OnTime synchronization), an error message is displayed and the one-time link email is not sent.
The OnTime client uses the Token to verify the user's identity when communicating with the OnTime server.
What is the Token used by OnTime? The Token consists of the identity of the connecting user and the Token expiration date. A Token is issued when the user is authenticated at the time of the first connection regardless of the authentication method. A new Token, whose Token expiration date is updated, is issued every time a new connection is made (for example, when data is acquired by clicking with the mouse). Therefore, this Token can continue to be used without re-authentication from the time when the data was last acquired (for example, switching groups, creating a schedule, etc.) until the Token expiration date. Of course, even if you close the OnTime client, you can use it without going through the authentication step when you reopen it.
How to set the OnTime Token expiry time:
Is it possible to invalidate the Token? In the Users/Members section, click the user - and click 'Invalidate Token'.
Usually OnTime® Mobile is delivered to the whole organisation from a central place, typically through a Mobile Device Management solution, and therefore it shouldn't be up to the user to do this manually.
In order to make an OnTime Mobile Web App in iOS, open your mobile client in Safari, using the link you would usually use to open the Desktop Client online, but replacing the word desktop with mobile. You can then click on the square icon with an arrow pointing upwards in the middle of the bottom panel. In the lower part of the box that opens, you can then choose "Add to Home Screen". You can name the Web App, e.g. OnTime Mobile, and click Add. You will now have easy access to your OnTime Mobile Client from your home screen.