IBM BS029ML - WebSphere Portal Server Self Help Manual page 142

Association Interceptor configuration. Further investigation should be done with the traces
enabled, using the trace strings given in Table 4-5 on page 107.
The more complicated cases involve failures across multiple servers. In addition to the checks
mentioned above, verify the following:
- All participating servers share the same DNS domain, which should be the one configured
  as the SSO domain. As stated before, the SSO domain cannot be blank in this case.
- All participating servers share the same LTPA key.
- All participating servers are configured to the same user registry and port number, for
  example, LDAP.
Two such cases are given in Example 4-17 and Example 4-18.
Example 4-17 SSO failure case: mismatched realm

[6/12/07 11:16:37:762 CDT] 0000004d LTPAServerObj E SECJ0375E: Mismatch of
realms during token validation.
[6/12/07 11:16:37:824 CDT] 0000004d LTPAServerObj E SECJ0373E: Cannot create
credential for the user <null> due to failed validation of the LTPA token. The
exception is com.ibm.websphere.security.CustomRegistryException: The realm in the
token: tamdirprod.mayo.edu:389 does not match the current realm: WMMRealm
[6/12/07 11:17:03:153 CDT] 0000004d SecurityColla A SECJ0053E: Authorization
failed for WMMRealm/m024534 while invoking (Bean)ejb/MemberServiceHome
getMember(com.ibm.websphere.wmm.datatype.MemberIdentifier,com.ibm.websphere.wmm.datatype.StringSet):1
securityName: WMMRealm/testuser1;accessID:
user:WMMRealm/uid=testuser1,ou=people,ou=dept,o=acme.com is not granted any of the
required roles: Everyone

This failure is caused by a mismatched user registry realm. When WMMUR is configured, the
default realm is "WMMRealm". If the other systems are configured to use a different realm,
such as "corpldap.acem.com:389", global security in WebSphere Application Server must be
configured to use that same realm. In the case of WMMUR, add a custom property called
userRegistryRealm and set its value to the shared user registry realm. This is shown in
Example 4-4 on page 111.

Example 4-18 SSO failure case: BadPaddingException

[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3
BadPaddingException validating token, normal when token generated from other
factory.
Given final block not properly padded
[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 Total decryption time: 1
[8/13/07 11:12:48:127 CDT] 00000097 LTPAServerObj 3 Calling
tokenFactory[2].validateTokenBytes()
[8/13/07 11:12:48:127 CDT] 00000097 AuthzPropToke > AuthzPropToken from byte[]
Entry
[8/13/07 11:12:48:129 CDT] 00000097 AuthzPropToke 3 Before parsing, length: 169
string: B4> l<jEQ hV 0rgk0E3l?
s <i.CXq] r% E{ w ??# #
&yS0P3[K]c?j!X?g1ØL!) ym N. 8%"EwY id ^? ?#kE(@gh 1Pp2;? VCtH) Tnm _j
H Sg)5"d ]p'B> Y e(Vq & $Z {0 ?_/K1W? ·[[\?] D k
[8/13/07 11:12:48:130 CDT] 00000097 AuthzPropToke 3 UserData delimiter not
found.
[8/13/07 11:12:48:130 CDT] 00000097 LTPAServerObj 3
security.ltpa.validate.verifytoken.failed

128
IBM WebSphere Portal V6 Self Help Guide
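
Added example, not part of the IBM guide: a Python triage pass over log text in the format of Example 4-17 and Example 4-18. It extracts the two realms from a realm-mismatch message and flags a BadPaddingException that is followed by security.ltpa.validate.verifytoken.failed on the same thread. The sample lines are constructed from the examples above; the function names, the one-second window, and reading the second pattern as a cue to compare LTPA keys across servers are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on Example 4-17 and 4-18, including wrapped lines.
SAMPLE = """\
[6/12/07 11:16:37:762 CDT] 0000004d LTPAServerObj E SECJ0375E: Mismatch of realms during token validation.
[6/12/07 11:16:37:824 CDT] 0000004d LTPAServerObj E SECJ0373E: Cannot create credential for the user <null>
due to failed validation of the LTPA token. The realm in the
token: tamdirprod.mayo.edu:389 does not match the current realm: WMMRealm
[8/13/07 11:12:48:127 CDT] 00000097 LTPACrypto 3 BadPaddingException validating token, normal when token generated from other factory.
Given final block not properly padded
[8/13/07 11:12:48:130 CDT] 00000097 LTPAServerObj 3 security.ltpa.validate.verifytoken.failed
[8/13/07 11:40:02:001 CDT] 00000097 LTPAServerObj 3 security.ltpa.validate.verifytoken.failed
"""

ENTRY = re.compile(r"^\[([^\]]+)\]\s+([0-9a-f]{8})\s+(\S+)\s+(\S)\s+(.*)$")
REALMS = re.compile(r"realm in the token: (\S+) does not match the current realm: (\S+)")
WINDOW = timedelta(seconds=1)  # assumption: one validation attempt fits in 1 s

def entries(text):
    """Yield (time, thread, message), folding wrapped lines into the message."""
    cur = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if cur:
                yield tuple(cur)
            stamp = m.group(1).rsplit(" ", 1)[0]  # drop the time zone name
            cur = [datetime.strptime(stamp, "%m/%d/%y %H:%M:%S:%f"), m.group(2), m.group(5)]
        elif cur and line.strip():
            cur[2] += " " + line.strip()
    if cur:
        yield tuple(cur)

def triage(text):
    """Return (kind, detail) findings for the multi-server checks listed above."""
    findings, bad_padding = [], {}  # bad_padding: thread -> time last seen
    for when, thread, msg in entries(text):
        m = REALMS.search(msg)
        if m:
            findings.append(("realm-mismatch", f"token={m.group(1)} current={m.group(2)}"))
        elif "BadPaddingException" in msg:
            bad_padding[thread] = when  # normal on its own, per the log text
        elif "verifytoken.failed" in msg:
            seen = bad_padding.pop(thread, None)
            if seen is not None and when - seen <= WINDOW:
                findings.append(("ltpa-key-suspect", f"thread={thread}"))
    return findings

if __name__ == "__main__": print(triage(SAMPLE))
```

The last sample line shows why the thread and time window matter: a later verifytoken.failed with no preceding BadPaddingException is not reported as a key problem.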
