How to Troubleshoot AdminServer Single Sign On Issues?

How does the AdminServer use the Single Sign On process when starting?
SSO Adminserver login problems: user validation
How to debug AdminServer SSO issues?
How to debug AdminServer local password issues?
How to debug AdminServer system password issue?
How to debug error 9908 and 9909?
 

When an AdminServer client connects to an AdminServer on the same host, the default behavior is to use Single Sign-On (SSO) so that the user does not have to use their user-id and password to authenticate again. 

The SSO feature uses one-time generated passwords in combination with the client's OS process user-id. The one-time password is an encoding of multiple pieces of information that include the local system's DNS host name, user-id, and others. The SSO password also has an expiration time so that it cannot be copied and used later by intruders. The expiration time is 90 seconds and can be adjusted to compensate for JVM clock skew with the -Dpwdtimeout parameter.  Refer to Article  What are the causes of Error 9908 JVM clock skew?   

The "system generated password" in error 9908 and 9909 is SSO password. When any of the encoded elements do not match, errors 9908 and 9909 are printed.

The SSO feature is not used when:

1. The -host option is used (regardless of the host name pointing to the local system)
2. The -user option is used and the account name does not match what is recorded in the user's OS process. 

Debugging SSO Adminserver login issues:

A tracing capability was added since OpenEdge 10.1A, to provide further debug information when an error occurs in the SSO password generation or validation. It simply outputs information to the console's STDOUT.  

To trace SSO password generation and validation

The following 3 steps need to be followed:

1)  Turn on tracesso for the AdminServer:

• Edit the proadsv[.bat] script and add '-Dtracesso=1'  to the list of Java properties given to the jvmStart executable.
• Edit the dlc/properties/AdminServerPlugins.properties and add '-Dtracesso=true' to the list of jvmargs passed to the java executed by the executable.

2)  Turn on tracesso for *man command line AdminServer clients

• Edit the ubutil[.bat] script and add '-Dtracesso=1'  to the list of Java properties given to jvmStart. 

3)  Stop the AdminServer from going into Daemon mode and closing STDOUT by starting the AdminServer from the command line in interactive mode:
 
With tracing enabled, the output will show:

• The initial user login to validate the user has the permissions to start the server, 
• The validation information each time a client connects to the AdminServer.

Example: AdminServer startup interactive authentication tracing
 
Example: AdminServer client *man command authentication tracing
What to look for in authentication tracing:

1. The client generated password value matching 'Auto-validating' line in the AdminServer, if not SSO will fail. Try starting the AdminServer, or *man commands with the “-user” parameter. The OS Password will then be prompted for and will not use the auto-generated SSO password.
2. The local host names match, if not SSO will fail.
3. The times +- 90 seconds match the SSO password. If not it is an intruder or the Java clock is skewed and the time window needs to be adjusted.

An alternative method, also available to earlier OpenEdge versions is to set the PSC_AUTH_DEBUG Environment Variable described in Article  How do I further debug AdminServer authentication problems?  

Progress Articles: 

Intermittent 'System generated password has expired (9908)' errors in admserv.log file