Troubleshooting

From cosign wiki

(Difference between revisions)
(Digging Deeper)
Current revision (15:38, 13 June 2011)
(Debugging)
 
(2 intermediate revisions not shown.)
Line 28: Line 28:
     </Location>
     </Location>
</pre>
</pre>
 +
 +
== CosignModule ==
 +
 +
A program such as [http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx DebugView] will display the CosignModule's verbose logging. Be sure to restart the application pool, if necessary, and then access a cosign-protected page to ensure the CosignModule is loaded.
 +
 +
=== Debugging ===
 +
 +
The 3.1.0 and later versions of the CosignModule include a program database file. If you are encountering application pool crashes, this will help analyze the crash dump to find the offending code.
 +
 +
# Be sure Windows Error Reporting is enabled. WER can be disabled via a registry key and by group policy.
 +
# Add this REG_EXPAND_SZ registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
 +
"DumpFolder"=C:\dump
 +
# Download [http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx Windows Debugging Tools]. You only need to select the debugging tools when installing, unless you really want the Windows SDK files installed.
 +
# Start WinDBG then load the dump file.
 +
# Run these commands:
 +
<pre>
 +
.sympath SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\path\to\cosignmoduledownload\x64;c:\path\to\cosignmoduledownload\x86
 +
.reload
 +
!analyze -v
 +
</pre>
 +
 +
Assuming everything went well, and why wouldn't it, you'll see the dll function calls, and, in the case of the cosignmodule, the actual line number of the source code. The source code that is conveniently included with each cosignmodule release. The cosign project accepts patches.
== IISCosign filter ==
== IISCosign filter ==
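Review bot: The "DumpFolder"=C:\dump line under step 2 is not a # list item, so the numbered list ends there and the three steps after it restart at 1; fold the value into the step 2 line (or continue it with a #: line) so the procedure renders as steps 1 to 5. REG_EXPAND_SZ is the type of the DumpFolder value, not of the LocalDumps key, so "registry value" would be the more accurate wording. The .sympath line fetches symbols over plain http; the same symbol server path is reachable over https. The closing paragraph contains a sentence fragment ("The source code that is conveniently included...") and runs straight into the "== IISCosign filter ==" heading without a blank line.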
Line 154: Line 176:
* Unfortunately, this is the result of a bug.  When the IISCosign filter cannot connect to any weblogin servers, it enters an indeterminate state.  See [[troubleshooting SSL|the troubleshooting connection errors section]] for correcting SSL misconfigurations.
* Unfortunately, this is the result of a bug.  When the IISCosign filter cannot connect to any weblogin servers, it enters an indeterminate state.  See [[troubleshooting SSL|the troubleshooting connection errors section]] for correcting SSL misconfigurations.
-
== Warnings ==
+
=== Warnings ===
These are only warnings.  These will not prevent IISCosign from loading.
These are only warnings.  These will not prevent IISCosign from loading.
Line 193: Line 215:
* Another process has a lock on the file cosignlog.csl and is preventing IISCosign from getting write permissions.
* Another process has a lock on the file cosignlog.csl and is preventing IISCosign from getting write permissions.
-
== Digging Deeper ==
+
=== Digging Deeper ===
If none of the above situations seem to resolve the issue, you can use cosigntrace.dll to create verbose logging.  The log file is specified in the cosign.dll.config file under <Log><Path>.  Usually, this is set to C:\Program Files\IISCosign\Logs.
If none of the above situations seem to resolve the issue, you can use cosigntrace.dll to create verbose logging.  The log file is specified in the cosign.dll.config file under <Log><Path>.  Usually, this is set to C:\Program Files\IISCosign\Logs.

Current revision

General

Apache filter

Cosign 3 filter validation URL returns "401 Not authorized"

The user authenticates OK, but when redirected back to the validation URL, they get a "401 Not authorized" error in their web browser, and something similar to this appears in the web server error log:

[Mon Apr 06 16:13:40 2009] [error] [client 141.213.234.243] access to
/cosign/valid failed, reason: verification of user id '<null>' not
configured, referer: https://weblogin-test.itcs.umich.edu/
?cosign-request-test.itcs&https://request-test.itcs.umich.edu/

The problem turned out to be a "require valid-user" directive in the <Directory /> stanza for the web site. Removing this directive solved the problem.

A better solution that preserves stronger security for the rest of the site is to keep the above directive and instead use the following configuration for the cosign validation URL handler:

    <Location /cosign/valid>
        SetHandler cosign
        CosignProtected Off
        Allow from all
        Satisfy any
    </Location>

CosignModule

A program such as DebugView will display the CosignModule's verbose logging. Be sure to restart the application pool, if necessary, and then access a cosign-protected page to ensure the CosignModule is loaded.

Debugging

The 3.1.0 and later versions of the CosignModule include a program database file. If you are encountering application pool crashes, this will help analyze the crash dump to find the offending code.

  1. Be sure Windows Error Reporting is enabled. WER can be disabled via a registry key and by group policy.
  2. Add this REG_EXPAND_SZ registry value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
    "DumpFolder"=C:\dump

  3. Download Windows Debugging Tools. You only need to select the debugging tools when installing, unless you really want the Windows SDK files installed.
  4. Start WinDBG, then load the dump file.
  5. Run these commands:

    .sympath SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\path\to\cosignmoduledownload\x64;c:\path\to\cosignmoduledownload\x86
    .reload
    !analyze -v

Assuming everything went well, and why wouldn't it, you'll see the dll function calls and, in the case of the CosignModule, the actual line number of the source code, which is conveniently included with each CosignModule release. The cosign project accepts patches.
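
The first two steps above can be scripted; the following is an added example, not part of the cosign distribution. It assumes an elevated PowerShell 3.0 or later prompt and uses the page's C:\dump folder; the two `Disabled` values it checks are the standard local and group-policy switches for Windows Error Reporting.

```powershell
# Added example: prepare WER LocalDumps for application pool crash dumps.
$werKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
$dumpKey   = Join-Path $werKey 'LocalDumps'
$dumpDir   = 'C:\dump'    # folder used on this page

# Step 1: WER can be switched off locally or by group policy (Disabled = 1).
foreach ($key in $werKey, $policyKey) {
    $disabled = (Get-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue).Disabled
    if ($disabled -eq 1) {
        Write-Warning "WER is disabled under $key; no dump will be written."
    }
}

# Step 2: create the LocalDumps key and the DumpFolder value (REG_EXPAND_SZ).
if (-not (Test-Path $dumpKey)) { New-Item -Path $dumpKey -Force | Out-Null }
New-ItemProperty -Path $dumpKey -Name DumpFolder -Value $dumpDir `
    -PropertyType ExpandString -Force | Out-Null
if (-not (Test-Path $dumpDir)) { New-Item -ItemType Directory -Path $dumpDir | Out-Null }

# Confirm what was written, including the value type.
$reg = Get-Item -Path $dumpKey
[pscustomobject]@{
    DumpFolder = $reg.GetValue('DumpFolder', $null, 'DoNotExpandEnvironmentNames')
    ValueKind  = $reg.GetValueKind('DumpFolder')
}

# After the next crash, the newest dump files are the ones to load in WinDBG.
Get-ChildItem -Path $dumpDir -Filter *.dmp |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
```

A dump of the application pool process is a copy of its memory, so it can hold session cookies and credentials that were in use at the time of the crash; store and share it accordingly.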

IISCosign filter

If the IISCosign filter encounters an error, it will attempt to disable the web server. It does this by processing all requests with the response "The server is currently disabled."

Errors will be placed in the Event Viewer under the Application Log and be labeled "Cosign".

Cosign Event Viewer Application Log Messages

Event Type:	Error
Event Source:	Cosign
Event Category:	None
Event ID:	3
Date:		4/28/2009
Time:		12:33:16 PM
User:		N/A
Computer:	SERVER_NAME
Description:
Could not load the cosign config file C:\Program Files\iiscosign\cosign.dll.config.

Possible Causes:

  • The name of the config file is probably misspelled. Either change the file name or change the value in the Registry for HKEY_LOCAL_MACHINE\SOFTWARE\University of Michigan\ITCS\Cosign\ConfigFile.

NOTE: This registry path may not be up-to-date. The IISCosign distributions come with a cosign.reg file with the most recent and correct registry paths.

  • It's also possible that MSXML 4.0 SP2 is not installed. Install it.

Event Type:	Error
Event Source:	Cosign
Event Category:	None
Event ID:	4
Date:		4/21/2009
Time:		11:25:19 PM
User:		N/A
Computer:	SERVER_NAME
Description:

IISCosign does not have permission to access something.  Please see the readme.txt file for
information about setting file permissions for IISCosign.  Here is what caused the error:

Possible Causes:

  • Permissions to allow cosign.dll to access various parts of the file system are not set.

Event Type:	Error
Event Source:	Cosign
Event Category:	None
Event ID:	7
Date:		4/28/2009
Time:		12:36:39 PM
User:		N/A
Computer:	SERVER_NAME
Description:
An error occurred while IISCosign was loading.  It is now running in a minimal state that will prevent your web site from serving content.

Possible Causes:

  • This message almost never appears by itself, but is the result of another error state. Look for other Cosign-related events in the Event Viewer to determine what caused IISCosign to enter this state.
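
To find the event that led to an Event ID 7, the following added example (not part of IISCosign) lists the Cosign errors logged shortly before each one. It assumes Windows Server 2008 or later, where `Get-WinEvent` is available, and a five-minute look-back window chosen for illustration.

```powershell
# Added example: for each Cosign Event ID 7, list the Cosign errors just before it.
$window = [TimeSpan]::FromMinutes(5)    # assumed look-back window

# Level 2 = Error. Filtering on level matters: this page shows ID 4 both as
# an error (permissions) and as a warning (connection pool busy).
$errors = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Cosign'; Level = 2
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Causes as listed on this page, keyed by error Event ID.
$causes = @{
    3 = 'config file could not be loaded (file name or registry path, or MSXML 4.0 SP2 missing)'
    4 = 'file system permissions for cosign.dll are not set'
    8 = 'cosign.dll.config does not validate against iiscosign.xsd'
}

foreach ($e in ($errors | Where-Object { $_.Id -eq 7 })) {
    $related = $errors | Where-Object {
        $_.Id -ne 7 -and
        $_.TimeCreated -le $e.TimeCreated -and
        $_.TimeCreated -ge ($e.TimeCreated - $window)
    }
    '{0:yyyy-MM-dd HH:mm:ss}  Event 7 (minimal state) on {1}' -f $e.TimeCreated, $e.MachineName
    if (-not $related) {
        '    no earlier Cosign error in the window; widen $window'
        continue
    }
    foreach ($r in $related) {
        $why = if ($causes.ContainsKey([int]$r.Id)) { $causes[[int]$r.Id] }
               else { 'see the event description' }
        '    {0:yyyy-MM-dd HH:mm:ss}  ID {1}: {2}' -f $r.TimeCreated, $r.Id, $why
    }
}
```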

Event Type:	Error
Event Source:	Cosign
Event Category:	None
Event ID:	8
Date:		4/28/2009
Time:		12:33:16 PM
User:		N/A
Computer:	SERVER_NAME
Description:
Config file parsing error at line 213: Text is not allowed in this context according to DTD/Schema.
Expecting: Protected, Unprotected, AllowPublicAccess.
.

Possible causes:

  • Most likely an xml tag in the cosign.dll.config file is either misspelled, in the incorrect order, or a required xml tag is missing. You can compare the xml tags appearing at the reported line number against the iiscosign.xsd schema.
  • The iiscosign.xsd schema file did not get updated. New xml tags are periodically added to the schema to allow new functionality and, sometimes, reordered or moved to more logical locations. Make sure the iiscosign.xsd schema file that is in the same directory as the cosign.dll is the one that was included with that distribution.
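
One way to do the comparison suggested above, as an added example that is not part of the IISCosign distribution: validate the config against the schema with the .NET XML reader and list each problem with its line number. Both file paths are assumptions, and the .NET validator's wording will differ from the MSXML message shown in the event.

```powershell
# Added example: validate cosign.dll.config against iiscosign.xsd.
# Paths are assumptions; point them at the files next to your cosign.dll.
$config = 'C:\Program Files\IISCosign\cosign.dll.config'
$schema = 'C:\Program Files\IISCosign\iiscosign.xsd'

$problems = New-Object 'System.Collections.Generic.List[string]'
$settings = New-Object System.Xml.XmlReaderSettings
$settings.ValidationType  = [System.Xml.ValidationType]::Schema
# Also report warnings, e.g. elements for which the schema has no definition.
$settings.ValidationFlags = $settings.ValidationFlags -bor
    [System.Xml.Schema.XmlSchemaValidationFlags]::ReportValidationWarnings
[void]$settings.Schemas.Add($null, $schema)    # $null: use the schema's own targetNamespace

# Collect every schema violation instead of stopping at the first one.
$settings.add_ValidationEventHandler({
    param($source, $e)
    $problems.Add(('{0} at line {1}, column {2}: {3}' -f
        $e.Severity, $e.Exception.LineNumber, $e.Exception.LinePosition, $e.Message))
})

$reader = [System.Xml.XmlReader]::Create($config, $settings)
try {
    while ($reader.Read()) { }    # validation happens as the reader advances
} catch {
    # XML that is not well-formed (such as an unclosed tag) stops the reader.
    $x = $_.Exception.GetBaseException()
    $problems.Add(('Error at line {0}, column {1}: {2}' -f
        $x.LineNumber, $x.LinePosition, $x.Message))
} finally {
    $reader.Close()
}

if ($problems.Count) { $problems } else { "$config validates against $schema" }
```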

Event Type: Error
Event Source:     SideBySide
Event Category:   None
Event ID:   59
Date:       7/21/2008
Time:       4:54:17 PM
User:       N/A
Computer:   SERVER_NAME
Description:

Generate Activation Context failed for C:\path\to\cosign.dll.
Reference error message: The referenced assembly is not
installed on your system.

Possible Causes:

Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date:		4/28/2009
Time:		5:26:29 PM
User:		N/A
Computer:	SERVER_NAME
Description:
Faulting application inetinfo.exe, version 6.0.3790.3959, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0002c873.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Possible Causes:

  • Unfortunately, this is the result of a bug. When the IISCosign filter cannot connect to any weblogin servers, it enters an indeterminate state. See the troubleshooting connection errors section for correcting SSL misconfigurations.

Warnings

These are only warnings. These will not prevent IISCosign from loading.

Event Type:	Warning
Event Source:	Cosign
Event Category:	None
Event ID:	4
Date:		5/5/2008
Time:		11:31:40 AM
User:		N/A
Computer:	SERVER_NAME
Description:
Connection pool is busy.  Perhaps the current size is too low?  This value can be changed in the cosign.dll.config file.

Congratulations! You have a very popular web service! In order to improve throughput of web pages, the size of the connection pool should be increased.


Event Type:	Warning
Event Source:	Cosign
Event Category:	None
Event ID:	9
Date:		4/28/2009
Time:		1:31:34 PM
User:		N/A
Computer:	SERVER_NAME
Description:
Could not initialize log file C:\Program Files\IISCosign\Logs.

Possible causes:

  • The directory does not exist.
  • The permissions on the directory are incorrect.
  • The IISCosign filter loaded before the previous instance unloaded and could not get write permission on the cosignlog.csl file.
  • Another process has a lock on the file cosignlog.csl and is preventing IISCosign from getting write permissions.

Digging Deeper

If none of the above situations seem to resolve the issue, you can use cosigntrace.dll to create verbose logging. The log file is specified in the cosign.dll.config file under <Log><Path>. Usually, this is set to C:\Program Files\IISCosign\Logs.

It's also possible that IISCosign will encounter an error creating a log file. If this is the case, the logging output from cosigntrace.dll (and cosign.dll) can be captured with a program such as DebugView.

JavaCosign filter

Weblogin server
