Test changes

Before you test

Before you test the SSO installation consider the following points:

1. If this is a brand new installation of the IFS Applications you need to login to the system as the ifsadmin user in order to setup the user accounts. To login to the SSO configured application server as the ifsadmin user enter the following url in a web browser : http://<hostName>:<port>/client/runtime/Ifs.Fnd.Explorer.application. Now you will see the IFS Enterprise Explorer login panel where you can enter the user as ifsadmin and the password as ifsadmin user's database password. Once you successfully login to IFS EE you can proceed with the admin tasks that you need to perform. The above URL can be used at any time when you want to login to IFS EE as a non domain user (eg: system users such as ifsadmin, ifsapp, ifsconnect etc).
2. Make sure that the Directory ID of the user is given without the domain qualifier. For example, if the user is david@corpnet.ifsworld.com, the Directory ID should simply be david. Read more about this under Single Sign-on Considerations.

Perform the test

You are now ready to test the SSO configuration. When testing SSO it is important to perform the test from a different computer than the one hosting the server(s). Windows will not send Kerberos tickets to the server if it runs on the same computer.

To test the changes, log in to your client computer (with an IFS user that has the rights to connect to IFS Applications) and open a browser. Point the browser to the web server URL and test if it is possible to access WebClient and IFS EE.

There are some errors that are more likely to appear than others. These are 401 and 403.

Browser related

1. Internet Explorer - When you point your browser to the IFS Applications web client, you should be directed to the default page. If you get a windows login dialog, go to Tools > Internet Options > Security tab and select the Internet security zone and open up the Custom level dialog. Select Automatic logon with current user name and password.

   
   

2. Firefox
   • Start Firefox
   • Enter about:config in the Location Bar
   • Enter the filter string network.negotiate
   • Double click on network.negotiate-auth.delegation-uris and enter "http://,https://"
   • Double click on network.negotiate-auth.trusted-uris and enter "http://,https://"
   • Restart Firefox

    

401 Unauthorized

1. The authentication is not successful. This problem can have many roots.

• Check with Wireshark that you send a Kerberos ticket and not an NTLM token. The sent ticket should be large, around 1000 bytes of BASE64 encoded string starting with the sequence "YII".
• Check that the keytab file is correct.
• Check that the user is an IFS user with rights to connect to IFS Applications
• It is not possible to test SSO from the server itself. You must verify the SSO setup by starting the application from a separate client machine.

403 Forbidden

1. When this error appears the authentication was successful but authorization failed and, according to the server, the user does not have permission to access the application.

Account settings for IFS Servers

If you are running IFS servers such as Connect Server and Print Agent on the same machine as the IFS Middleware Server, you need to change the "Log On" settings on the Windows Service since it is not possible to run as the "Local System account". As the "Log On" user, give credentials of the machine administrator account.