Latest iChain Version: iChain 2.3 Support Pack 2 
Common Form Fill issues:
- The URL defined in the <url> form fill tag should match the name of the protected resource and not the name of the back end Web server.
- Using wildcards for the <url> tag can cause the content-length field of a response to be modified for data that is not specific to an application login page. Always try to make the <url> entry in the form fill page as specific as possible. If this is not possible, use the <formCriteria> tag to narrow down the list.
- Do NOT include the http:// scheme in front of the URL in the <url> tag. This will cause the link to not find a matching profile and the SSO will fail.
- To avoid human error, always copy and paste the URL into the form fill policy URL tag. This avoids any typos that result in no matching profile found for the URL.
- Form Fill does not preserve the input for type="image". Check the <form> tag in the application login page to make sure that this type does not exist. If it does, try to modify it if possible. If not, it may be possible to use the custom rewriter to substitute the required data, although this is not recommended.
- Check if the login page you are trying to single sign on to includes multiple <form> statements (see bottom of item 1. under Tools below). If this is the case, load SSO.NLM /X and also use the <formnum> tag in your form fill profile to POST the right credentials to that form.
- Make sure that the login page credentials match what form fill is configured to look for. The key entries are the name fields. The HTML forms follow the HTML specifications defined in http://www.w3.org/TR/1998/REC-html40-19980424/inte.... For any queries regarding the login page, consult the HTML form specifications.
- Make sure that the LDAP proxy user defined in the aclcheck profile has enough rights to read and write attributes to the directory. For the minimum rights required to work with iChain, reference http://support.novell.com/cgi-bin/search/searchtid.cgi?/10084506.htm.
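The page-level checks from the list above (scheme in the <url> value, multiple <form> tags, type="image" inputs, name fields matching the profile) can be run against a saved copy of the login page before the profile is deployed. This is an added example, not iChain code or part of the original article; the function names, the finding strings and the 0-based `form_index` are assumptions of the example and do not correspond to `<formnum>` values.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Record, for each <form>, its input names and any type="image" inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names, not values
        if tag == "form":
            self._cur = {"names": [], "image": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind = (a.get("type") or "text").lower()
            self._cur["image" if kind == "image" else "names"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(policy_url, fill_names, login_html, form_index=0):
    """Return findings for one profile; form_index is this script's own index."""
    findings = []
    if "://" in policy_url:
        findings.append("url: remove the scheme from the <url> value")
    parser = FormAudit()
    parser.feed(login_html)
    if form_index >= len(parser.forms):
        return findings + [f"page: no <form> at index {form_index}"]
    if len(parser.forms) > 1:
        findings.append(f"page: {len(parser.forms)} forms found, <formnum> is needed")
    form = parser.forms[form_index]
    for name in form["image"]:
        findings.append(f'form: type="image" input {name!r} is not preserved')
    for name in fill_names:
        if name not in form["names"]:
            findings.append(f"fill: no input named {name!r} in the form")
    return findings

# Constructed sample: the NFuseForm inputs from the appendix, layout removed.
SAMPLE_HTML = """<form method="POST" action="login.asp" name="NFuseForm">
<input TYPE="HIDDEN" name="LoginType" value="Explicit">
<input type="text" name="user"> <input type="password" name="password">
<input type="text" name="domain">
<input type="image" id="login" src="media/loginbtn.gif" name="Log In">
</form>"""
```

Calling `audit("nfuse.novell.com/Citrix/NFuse17/login.asp", ["user", "password", "domain"], SAMPLE_HTML)` reports only the type="image" login button, which matches the appendix page.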
Tools:
- Gathering traces using PKTSCAN.NLM (ships with iChain). This tool saves administrators from having to replicate a port on a switch to gather a LAN trace of traffic in and out of the iChain box. This trace may be saved and viewed with Sniffer or Ethereal. The accelerator will have to be temporarily set up for HTTP, as HTTPS is not decodable with the above applications.
- Remove the <Post/> tag so that only the <fill> tag exists in the URL policy. This allows the administrator to confirm whether the credentials were available via LDAP. Assuming that this works, one can be sure that LDAP has been set up correctly.
If the form fill works without the <post/> tag and fails with the <post/> tag, then it is a good indicator that there may be some JavaScript-related problems. iChain form fill injects the document.forms[0].submit() JavaScript code to have the browser auto-submit the credentials that iChain form fill passed back to the browser. If there are any other JavaScript methods defined in the login page, they will not get executed unless additional JavaScript-related form fill tags are added.
- The <DebugPost/> form fill tag. When this tag is active and we hit the URL that matches what we have defined in our form fill policy, we will get the following page before the credentials are sent by the browser.
- Extended form fill logs: when the form fill module (SSO.NLM) is loaded with the /Dx /L1 option (where x ranges from debug level 1-5, level 5 being the most verbose level), the form fill operations are logged to log files accessible via the iChain Web GUI Cache Logs tab.
This file can be used to check whether a policy has been hit, and whether any errors have occurred when processing that policy. In the example below, one can see that a request has come in for http://nfuse.novell.com/Citrix/NFuse17/login.asp and that a matching policy (named MetaFrameLogin) was located. Another request came in after this for http://nfuse.novell.com/Citrix/NFuse17/frameset.asp but no matching policy was found.
[09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/login.asp'
[09/Nov/2004:11:51:39 +0100] SSO_4: nfuse.novell.com/Citrix/NFuse17/login.asp
[09/Nov/2004:11:51:39 +0100] SSO_4: Policy 'MetaFrameLogin': nfuse.novell.com/Citrix/NFuse17/login.asp
[09/Nov/2004:11:51:39 +0100] fillHtml: Start
[09/Nov/2004:11:51:39 +0100] SSO_4: form fill no cache flag is turned on
[09/Nov/2004:11:51:39 +0100] SSO_4: New page data
[09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/frameset.asp'
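With a busy accelerator the extended log grows quickly, so the policy-hit check described above is easier to do with a small parser. This is an added example, not part of the original article or of iChain; the line patterns are inferred only from the log excerpt shown here, and `summarize` and `unmatched` are names made up for the example.

```python
import re

# The sample is the log excerpt shown in the article, one entry per line.
SAMPLE_LOG = """\
[09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/login.asp'
[09/Nov/2004:11:51:39 +0100] SSO_4: nfuse.novell.com/Citrix/NFuse17/login.asp
[09/Nov/2004:11:51:39 +0100] SSO_4: Policy 'MetaFrameLogin': nfuse.novell.com/Citrix/NFuse17/login.asp
[09/Nov/2004:11:51:39 +0100] fillHtml: Start
[09/Nov/2004:11:51:39 +0100] SSO_4: form fill no cache flag is turned on
[09/Nov/2004:11:51:39 +0100] SSO_4: New page data
[09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/frameset.asp'
"""

# Assumed line layout: [timestamp] source: message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\w+):\s*(?P<msg>.*)$")
NO_POLICY = re.compile(r"^No policy: '(?P<url>[^']*)'$")
POLICY_HIT = re.compile(r"^Policy '(?P<policy>[^']*)': (?P<url>\S+)$")

def summarize(log_text):
    """Map each logged URL to the policy that matched it, or None.

    The excerpt logs 'No policy' and a policy hit for the same request,
    so a hit always wins over a miss for the same URL.
    """
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a form fill log entry
        msg = m.group("msg").strip()
        hit = POLICY_HIT.match(msg)
        miss = NO_POLICY.match(msg)
        if hit:
            result[hit.group("url")] = hit.group("policy")
        elif miss:
            result.setdefault(miss.group("url"), None)
    return result

def unmatched(log_text):
    """URLs for which no policy was ever found."""
    return sorted(u for u, p in summarize(log_text).items() if p is None)
```

For the excerpt, `summarize` maps login.asp to MetaFrameLogin and `unmatched` returns only frameset.asp; a login URL that appears in `unmatched` usually points back to the <url> issues listed at the top.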
At this page, one can select the browser option to view the source (View -> Source). This displays the variable names and values that iChain will inject into the login form. It is also very useful for checking the JavaScript methods sent back to the browser.
The example below shows the values that iChain will inject for a form that requests the user's name, password and domain fields. The appendix below includes both the form fill script and the application login page.
Source of login page to be submitted by iChain:
<html>
<body>
<b>Please look at HTML Source for Form Fill modifications</b>
<form name="NFuseForm" action="login.asp" method="POST">
<input value="Explicit" name="LoginType" TYPE="HIDDEN">
<input value="administrator" MAXLENGTH="256" onFocus="focus_UPD(this.form);"
class="loginEntries" name="user" type="hidden">
<input value="novell" MAXLENGTH="254" onFocus="focus_UPD(this.form);" class="loginEntries"
name="password" type="hidden">
<input value="ICHAINFARM" MAXLENGTH="256" onFocus="focus_UPD(this.form);" class="loginEntries"
name="domain" type="hidden">
</form>
<script language="JavaScript">
<!--
function iChainPostForm()
{
document.forms[0].submit();
}
//-->
</script>
<a href="JavaScript:iChainPostForm()">Click to submit</a>
</body>
</html>
It may be that, with the <debugPost/> tag enabled, you will be asked twice to view the HTML source for form fill changes. This would imply that the login page that you are posting credentials to has multiple forms in it, i.e. multiple <form> tags. In this scenario, make sure that the <Formnum> tag is used in conjunction with the <post> tag to POST the appropriate credentials. You should also load SSO.NLM with the -X parameter.
Appendix:
- iChain Form Fill profile for this login page
- Login Form source (with <form> tag contents in bold)
<html> <head> <title>Citrix(R) NFuse(TM) Classic Login</title> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta http-equiv="expires" content="0"> <meta http-equiv="pragma" content="no-cache"> <style type="text/css"> <!-- .loginEntries { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #000000; width: 200px} A.appLinks { FONT-SIZE: 8pt; FONT-WEIGHT: bold; TEXT-DECORATION: none COLOR: #000000 FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; } A.appLinks:hover { COLOR: #CCCCCC } --> </style> <script LANGUAGE="JavaScript"> <!-- function clearForm(loginForm) { loginForm.user.value = ""; loginForm.password.value = ""; loginForm.domain.value = ""; setDefaultFocus(); } function focus_UPD(loginForm) { if (loginForm.LoginType) { for (i = 0; i < loginForm.LoginType.length; i++) { if (loginForm.LoginType[i].value == "Explicit") { loginForm.LoginType[i].checked = true; } } } } function setFocus(loginForm) { if (loginForm.LoginType) { if (loginForm.LoginType.value == "Explicit") { if (!loginForm.user.disabled) { loginForm.user.focus(); } } else { for (i = 0; i < loginForm.LoginType.length; i++) { if (loginForm.LoginType[i].checked) { if (loginForm.LoginType[i].value == "Explicit") { loginForm.user.focus(); } else { document.all.login.focus(); } } } } } } function setDefaultFocus() { var form = document.forms[0]; if (form) { setFocus(form); } } //--> </script> </head> <body bgcolor="#CCCCCC" LINK="#000000" VLINK="#000000" ALINK="#000000" onLoad="setDefaultFocus()"> <div align="center"> <table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0"> <tr align="center" valign="middle"> <td> <table border="1" cellspacing="0" cellpadding="20" bordercolor="#000000" bgcolor="#FFFFFF"> <tr> <td> <table border="0" cellspacing="0" cellpadding="10"> <tr> <td valign="top"> <table border="0" cellspacing="0" cellpadding="10" bgcolor="#CCCCCC"> <tr align="left" valign="middle"> <td> <img src="media/nfusehead.gif" 
width="214" height="73"> </td> </tr> <tr> <td valign="middle" align="center"> <table border="1" cellspacing="0" cellpadding="0" bordercolor="#000000"> <tr> <td> <table border="0" cellspacing="0" cellpadding="0" WIDTH="100%"> <tr> <td colspan="2" background="media/greygrad.gif" bgcolor="#CCCCCC"> <a class="appLinks" HREF="NFuseHelp.htm#Login" target="_blank"><img SRC="media/help.gif" BORDER="0" align="right" vspace="1" hspace="1" alt="Help" title="Help"></a> <img src="media/logintxt.gif" width="75" height="25" vspace="3" hspace="3"></td> </tr> <tr> <td> <table width="286" border="0" cellspacing="0" cellpadding="3" bgcolor="#6699CC"> <form method="POST" action="login.asp" name="NFuseForm"> <input TYPE="HIDDEN" name="LoginType" value="Explicit"> <tr> <td> </td> <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td> <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Username</b></font></td> </tr> <tr> <td colspan="2"> </td> <td> <input type="text" name="user" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" > </td> </tr> <tr> <td> </td> <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td> <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Password</b></font></td> </tr> <tr> <td colspan="2"> </td> <td> <input type="password" name="password" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="254" > </td> </tr> <tr> <td> </td> <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td> <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Domain</b></font></td> </tr> <tr> <td colspan="2"> </td> <td> <input type="text" name="domain" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" > </td> </tr> <tr align="right" valign="middle"> <td colspan="3"> <input type="image" id="login" src="media/loginbtn.gif" width="80" height="20" alt="Log 
In" title="Log In" name="Log In" border="0" > </td> </tr> </form> </table> </td> </tr> </table> </td> </tr> </table> </td> </tr> </table> </td> <td valign="top"> <table> <tr> <td> <table border="0" cellspacing="0" cellpadding="10" width="100%"> <tr align="left" valign="middle" bgcolor="#6699CC"> <td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF"><b>Welcome to Citrix<font size='1'><sup>®</sup></font> MetaFrame<sup><font size='1'></font></sup></b></font></td> </tr> <tr align="left" valign="top"> <td> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="4"><b><font size="3">Please log in </font></b></font></p> <ul> <li><font face="Verdana, Arial, Helvetica, sans-serif" size="2">To log in to the application portal, type your user name, password, and domain name in the boxes at left. <p></p> <li>Click the Log In button to log in. </ul> <p>If you do not know your login information, please contact your help desk or system administrator.</font></p> </td> </tr> </table> </td> </tr> <tr> <td valign="top"> <table border="0" cellspacing="0" cellpadding="10" width="100%"> <tr align="left" valign="middle" bgcolor="#6699CC"> <td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF"> <b> Citrix<font size='1'><sup>®</sup></font> NFuse<sup><font size='1'></font></sup><i>Classic</i> Message Center </b> </font> </td> </tr> <tr> <td> <table border="0"> <tr> <td> <font face="Verdana, Arial, Helvetica, sans-serif" size="2"> The NFuse Classic Message Center displays any informational or error messages that may occur. 
</font> <p></p> </td> </tr> <tr> <td> <script language="vbscript" type="text/vbscript"> <!-- function hasIcaObjVal() dim obj Err.Clear On Error Resume Next hasIcaObjVal = 0 set obj = CreateObject("Citrix.ICAClient") if (Err.number = 0) then hasIcaObjVal = 1 else Err.Clear set obj = CreateObject("Wfica.WficaCtl.6") if (Err.number = 0) then hasIcaObjVal = 1 else Err.Clear hasIcaObjVal = 0 end if end if set obj = Nothing end function select case hasIcaObjVal() case 1 case else popupContent = "<p><IMG SRC='media/info.gif' border='0'><font face='Verdana, Arial, Helvetica, sans-serif' size='2'>You do not have the Citrix ICA Client (ActiveX) for 32-bit Windows installed on your system. You must install the ICA Client to launch the applications.<p>Select the icon below to install the ICA Client." popupContent = popupContent & "<p><a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'><IMG SRC='media/ica.jpg' alt='Citrix ICA Web Client for 32-bit Windows' border='0'></a> <a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'>Citrix ICA Web Client for 32-bit Windows</a></font>" document.write(popupContent) end select //--> </script> </td> </tr> </table> <br clear="all"><img src="media/citrix.gif" width="130" height="56" align="right"> </td> </tr> </table> </td> </tr> </table> </td> </tr> </table> </td> </tr> </table> </td> </tr> </table> </div> </body> </html>
<!-- This is an example form fill policy for logging in -->
<!-- secure tunnel to MetaFrame without NFuse -->
<formCriteria>
  <title>MetaFrame XP Login</title>
</formCriteria>
<urlPolicy>
  <name>MetaFrameLogin</name>
  <url>nfuse.novell.com/Citrix/NFuse17/login.asp</url>
  <actions>
    <fill>
      <input name="user" value="~">
      <input name="password" value="~password">
      <input name="domain" value="~">
    </fill>
    <post/>
    <debugPost/>
  </actions>
</urlPolicy>
<!-- end of MetaFrame login -->
Additional Information:
The online documentation for Form Fill has been GREATLY enhanced for iChain 2.3 Support pack 2 and is now available here: iChain 2.3 SP2 Documentation. 
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.