Common problems users experience when they log in to Tarantella using web server authentication include:
To help diagnose and resolve some of these problems, you may find it useful
to add extra logging information. On the Array Manager Array Properties panel,
add the following log filters (tarantella config edit --array-logfilter):
server/login/*error:log_file_name%%PID%%_error.jsl
server/login/*error:log_file_name%%PID%%_error.log
If web server authentication is not set up correctly or it fails for any reason, Tarantella displays the standard login page. Users have to be authenticated by Tarantella before they can access their webtop. The following table lists the things you may need to check.
What to check | More information |
---|---|
Is the right Tarantella directory protected? | You must set up your web server to protect the install_dir/var/docroot/cgi-bin/secure directory. |
Does the user have an ENS person object? | If your configuration of Tarantella relies on users having an ENS person object and you have not enabled one of the fallback profile objects, users may not be able to log in. If this happens and you have enabled the additional logging, search the log file for messages beginning webauthNoENSMatch or webauthNoLDAPMatch. These messages indicate that Tarantella could not match the authenticated user to an ENS object. Either create an ENS person object for the user or enable one of the fallback profile objects, the LDAP User Profile and the Web User Profile. See Login authorities for more details. |
Are the tokens timing out? | When the web server authenticates a user, it issues a token which is only valid for a short period of time (the default is three minutes). The client has to be able to download the Tarantella Java™ archives during the token validity period, otherwise the login will fail. If you have enabled the additional logging, search the log file for messages beginning invalidToken. This may indicate that the token is timing out. Increase the web token validity period and try logging in again. |
Is the web server username correct? | If the web server username configured in Tarantella does not match the username the web server uses to run the Tarantella ttaweblogin.cgi program, the login will fail. This username must be the same for all web servers in the array. To check these details, type: Note To be able to run this command, you must be logged in as root user. The key details displayed should be the same as when you run |
For web server authentication to work, the tarantella/cgi-bin/secure
directory must be protected on your web server. If you protect any other
Tarantella directories (for example /tarantella or /tarantella/cgi-bin),
browsers that use a plug-in virtual machine for the Java™ platform
('Java virtual machine' or 'JVM') will prompt users for their username and
password. This happens because the JVM and the browser do not share
authentication information.
Make sure you only protect the tarantella/cgi-bin/secure directory.
Web server authentication does not support ambiguous users. This means users get the webtop of the first matching login profile.
If you have enabled the additional logging, search the log file for messages
beginning webauthAmbiguousMatch. This indicates that the first match was used.
Administrators can either:
To disallow ambiguous logins for web server authentication, you need to set a JavaBeans™ technology property. Run the following command:
tarantella config edit --com.sco.tta.server.login.webauth.WebLoginAuthority.properties-takeFirstMatch false
You must restart the Tarantella server after making this change.
If this property is set to false and the login is ambiguous, the login will fail and the standard Tarantella login page displays.
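The log searches described on this page (for webauthNoENSMatch, webauthNoLDAPMatch, invalidToken and webauthAmbiguousMatch) can be run in one pass over the login error logs. The following is an added example, not part of Tarantella or its documentation; the function names and the sample log lines are constructed, and it assumes each message key appears as literal text somewhere in a log line.

```shell
#!/bin/sh
# Added example: count the login-failure message keys this page names.
# Assumption: each key appears as literal text somewhere in a log line; the
# real .log/.jsl line layout is not shown on the page.

# triage_login_log FILE...
# Prints "count<TAB>key<TAB>what to check" for every key seen at least once.
triage_login_log() {
    for entry in \
        "webauthNoENSMatch|user not matched to an ENS object: create an ENS person object or enable a fallback profile" \
        "webauthNoLDAPMatch|user not matched to an ENS object: create an ENS person object or enable a fallback profile" \
        "invalidToken|token may be timing out: increase the web token validity period" \
        "webauthAmbiguousMatch|ambiguous user: the first matching login profile was used"
    do
        key=${entry%%|*}
        hint=${entry#*|}
        # cat merges the files so grep -c yields one total; "|| true"
        # because grep exits 1 when the count is 0
        count=$(cat -- "$@" | grep -c -F -- "$key" || true)
        if [ "$count" -gt 0 ]; then
            printf '%s\t%s\t%s\n' "$count" "$key" "$hint"
        fi
    done
}

# Constructed sample lines (not real Tarantella output) for a stand-alone run.
demo_login_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
10:01:02 server/login/error webauthNoENSMatch: user=alice
10:03:40 server/login/error invalidToken: token rejected
10:03:59 server/login/error invalidToken: token rejected
10:07:15 server/login/info login ok user=bob
EOF
    triage_login_log "$tmp"
    rm -f "$tmp"
}

demo_login_log
```

Pass the files produced by the log filters above as arguments, for example `triage_login_log *_error.log`.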