Novell Home

Troubleshooting Form Fill Issues

Novell Cool Solutions: Feature
By Neil Cashell

Digg This - Slashdot This

Posted: 28 Jan 2005
 

Latest iChain Version: iChain 2.3 Support Pack 2

Common Form Fill issues:

  1. The URL defined in the <url> form fill tag should match the name of the protected resource and not the name of the back end Web server.


  2. Using wildcards for the <url> tag can cause the content-length field of a response to be modified for data that is not specific to an application login page. Always try and make the <url> entry in the form fill page as specific as possible. If this is not possible use the <formCriteria> tag to narrow down the list.


  3. Do NOT include the http:// scheme in from of the URL in the <url> tag. This will cause the link to not find a matching profile and the SSO will fail


  4. To avoid human error, always copy and paste the URL into the form fill policy URL tag. This avoids any typos that result in no matching profile found for the URL.


  5. Form Fill does not preserve the input for type="image". Check the <form> tag in the application login page to make sure that this type does not exist. If it does, try and modify it is possible. If not, it may be possible to use the custom rewriter can be used to substitute the required data although this is not recommended.


  6. Check if the login page you are trying to single sign on to includes multiple <form> statements (see bottom of item 1. under Tools below). If this is the case, load SSO.NLM /X and also use the <formnum> tag in your form fill profile to POST the right credentials to that form.


  7. Make sure that the login page credentials match what form fill is configured to look for. The key entries are the name fields. The HTML forms follow the HTML specifications defined in http://www.w3.org/TR/1998/REC-html40-19980424/interact/forms.html. For any queries regarding the login page, consult the HTML form specifications.


  8. Make sure that the LDAP proxy user defined in the aclcheck profile has enough rights to read and write attributes to the directory. For the minimum rights required to work with iChain, reference http://support.novell.com/cgi-bin/search/searchtid.cgi?/10084506.htm.

Tools:

  1. Gathering traces using PKTSCAN.NLM (ships with iChain). This tool prevents administrators from having to replicate a port on a switch to gather a LAN trace of traffic in and out of the iChain box. This trace may be saved and viewed with Sniffer or Ethereal. The accelerator will have to be temporarily setup for HTTP as HTTPS is not decodable with the above applications.


  2. Remove the <Post/> tag so that only the <fill> tag exists in the URL policy. This allows the administrator to confirm whether the credentials were available via LDAP.Assuming that this works, then one can be sure that LDAP has been setup correctly.

    If the form fill works without the <post/> tag and failed with the <post> tag, then it is a good indicator that there may be some Java related problems. iChain form fill injects the document.forms[0].submit() javascript code to have the browser auto submit the credentials iChain form fill passed back to the browser. If there is any other javascript methods defined in the login page, they will not get executed unless additional javascript related form fill tags are added.


  3. The <DebugPost/> form fill tag. When this tag is active and we hit the URL that matches what we have defined in our form fill policy, we will get following page before the credentials are sent by the browser.




  4. At this page, one can select the browser option to View source (View -> Source). This displays the variable names and values that iChain will inject into the login form. It is also very useful for checking the javascript methods sent back to the browser.

    The example below shows the values that iChain will inject for a form that requests the users name, password and domain fields. The appendix below includes both the form fill script and the application login page.

    Source of login page to be submitted by iChain:

    <html>
    <body>
    <b>Please look at HTML Source for Form Fill modifications</b>
    <form name="NFuseForm" action="login.asp" method="POST">
    <input value="Explicit" name="LoginType" TYPE="HIDDEN">
    <input value="administrator" MAXLENGTH="256" onFocus="focus_UPD(this.form);"
    class="loginEntries" name="user" type="hidden">
    <input value="novell" MAXLENGTH="254" onFocus="focus_UPD(this.form);" class="loginEntries"
    name="password" type="hidden">
    <input value="ICHAINFARM" MAXLENGTH="256" onFocus="focus_UPD(this.form);" class="loginEntries"
    name="domain" type="hidden">
    
    </form>
    <script language="JavaScript">
    <!--
    function iChainPostForm()
    {
    document.forms[0].submit();
    }
    //-->
    </script>
    <a href="JavaScript:iChainPostForm()">Click to submit</a>
    </body>
    </html>

    It may be that, with the <debugPost/> tag enabled, you will be asked twice to view the HTML source for form fill changes. This would imply that the login page that you are posting credentials to has multiple forms in it ie. Multiple <form> tags. In this scenario, make sure that the <Formnum> tag is used in conjunction with the <post> tag to POST the appropriate credentials. You should also load SSO.NLM with the -X parameter.

  5. Extended form fill logs -- when the form fill module (SSO.NLM) is loaded with the /Dx /L1 option (where x ranges from debug level 1-5 , level 5 being the most verbose level), then the form fill operations are logged to log files accessible via the iChain Web GUI Cache Logs TAB.



    This file can be used to check whether a policy has been hit, and whether any errors have occurred when processing that policy. In the example below, one can see that a request has come in for http://nfuse.novell.com/Citrix/NFuse17/login.asp and that a matching policy (named MetaFrameLogin) was located. Another request came in after this for http://nfuse.novell.com/Citrix/NFuse17/frameset.asp but no matching policy was found.

    [09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/login.asp' 
    [09/Nov/2004:11:51:39 +0100] SSO_4: nfuse.novell.com/Citrix/NFuse17/login.asp  
    [09/Nov/2004:11:51:39 +0100] SSO_4: Policy 'MetaFrameLogin': nfuse.novell.com/Citrix/NFuse17/login.asp 
    [09/Nov/2004:11:51:39 +0100] fillHtml: Start 
    [09/Nov/2004:11:51:39 +0100] SSO_4: form fill no cache flag is turned on 
    [09/Nov/2004:11:51:39 +0100] SSO_4: New page data 
    [09/Nov/2004:11:51:39 +0100] SSO_1: No policy: 'nfuse.novell.com/Citrix/NFuse17/frameset.asp'

Appendix:

  1. iChain Form Fill profile for this login page
  2. <!-- This is an example form fill policy for logging in -->
    <!- secure tunnel to MetaFrame without NFuse   -->
    <formCriteria>
    <title>MetaFrame XP Login</title>
    </formCriteria>
    <urlPolicy>
    <name>MetaFrameLogin</name>
    <url>nfuse.novell.com/Citrix/NFuse17/login.asp</url>
    <actions>
    <fill>
    <input name="user" value="~">
    <input name="password" value="~password">
     <input name="domain" value="~">
    </fill>
    <post/>
    <debugPost/>
    </actions>
    </urlPolicy>
    <!- end of MetaFrame login --> 
  3. Login Form source (with <form> tag contents in bold)
    <html>
    <head>
    <title>Citrix(R) NFuse(TM) Classic Login</title>
    <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
    <meta http-equiv="expires" content="0">
    <meta http-equiv="pragma" content="no-cache">
    <style type="text/css">
    <!--
    .loginEntries {  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 8pt; color: #000000; width: 200px}
    A.appLinks
    {
        FONT-SIZE: 8pt;
        FONT-WEIGHT: bold;
        TEXT-DECORATION: none
        COLOR: #000000
        FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
    }
    A.appLinks:hover
    {
        COLOR: #CCCCCC
    }
    -->
    </style>
    <script LANGUAGE="JavaScript">
    <!--
    function clearForm(loginForm) {
        loginForm.user.value = "";
        loginForm.password.value = "";
        loginForm.domain.value = "";
        setDefaultFocus();
    }
    
    function focus_UPD(loginForm) {
        if (loginForm.LoginType) {
            for (i = 0; i < loginForm.LoginType.length; i++) {
                if (loginForm.LoginType[i].value == "Explicit") {
                    loginForm.LoginType[i].checked = true;
                }
            }
        }
    }
    
    function setFocus(loginForm) {
        if (loginForm.LoginType) {
            if (loginForm.LoginType.value == "Explicit") {
                if (!loginForm.user.disabled) {
                    loginForm.user.focus();
                }
            } else {
                for (i = 0; i < loginForm.LoginType.length; i++) {
                    if (loginForm.LoginType[i].checked) {
                        if (loginForm.LoginType[i].value == "Explicit") {
                            loginForm.user.focus();
                        } else {
                            document.all.login.focus();
                        }
                    }
                }
            }
        }
    }
    
    function setDefaultFocus() {
        var form = document.forms[0];
        if (form) {
            setFocus(form);
        }
    }
    //-->
    </script>
    
    </head>
    <body bgcolor="#CCCCCC" LINK="#000000" VLINK="#000000" ALINK="#000000" onLoad="setDefaultFocus()">
    <div align="center">
      <table width="100%" height="100%" border="0" cellspacing="0" cellpadding="0">
        <tr align="center" valign="middle">
          <td>
    	<table border="1" cellspacing="0" cellpadding="20" bordercolor="#000000" bgcolor="#FFFFFF">
    	  <tr>
    	    <td>
    	      <table border="0" cellspacing="0" cellpadding="10">
    		<tr>
    		  <td valign="top">
    		    <table border="0" cellspacing="0" cellpadding="10" bgcolor="#CCCCCC">
    		      <tr align="left" valign="middle">
    			<td> <img src="media/nfusehead.gif" width="214" height="73">
    			</td>
    		      </tr>
    		      <tr>
    			<td valign="middle" align="center">
    			  <table border="1" cellspacing="0" cellpadding="0" bordercolor="#000000">
    			    <tr>
    			      <td>
    				<table border="0" cellspacing="0" cellpadding="0" WIDTH="100%">
    				  <tr>
    				    <td colspan="2" background="media/greygrad.gif" bgcolor="#CCCCCC">
    				      <a class="appLinks" HREF="NFuseHelp.htm#Login" target="_blank"><img
     SRC="media/help.gif" BORDER="0" align="right" vspace="1" hspace="1" alt="Help"
     title="Help"></a>
    				      <img src="media/logintxt.gif" width="75" height="25" vspace="3" hspace="3"></td>
    				    </tr>
    				    <tr>
    				      <td>
    					<table width="286" border="0" cellspacing="0" cellpadding="3" bgcolor="#6699CC">
    					  <form method="POST" action="login.asp" name="NFuseForm">
    					  
    					  <input TYPE="HIDDEN" name="LoginType" value="Explicit">
    					     
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Username</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="text" name="user" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" >
    					    </td>
    					  </tr>
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Password</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="password" name="password" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="254" >
    					    </td>
    					  </tr>
    
    					  <tr>
    					    <td> </td>
    					    <td><img src="media/reddot.gif" width="10" height="10" vspace="3" hspace="3" alt="o" name="redDot"></td>
    					    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"><b>Domain</b></font></td>
    					  </tr>
    					  <tr>
    					    <td colspan="2"> </td>
    					    <td>
    					      <input type="text" name="domain" class="loginEntries" onFocus="focus_UPD(this.form);" MAXLENGTH="256" >
    					    </td>
    					  </tr>
    
    					  <tr align="right" valign="middle">
    					    <td colspan="3">
    					      <input type="image"
    					      id="login"
    					      src="media/loginbtn.gif"
    					      width="80" height="20" alt="Log In" title="Log In" name="Log In" border="0" >
    					    </td>
    					  </tr>
    					  </form>
    					</table>
    				      </td>
    				    </tr>
    				  </table>
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    		      </table>
    		    </td>
    		    <td valign="top">
    		      <table>
    			<tr>
    			  <td>
    			    <table border="0" cellspacing="0" cellpadding="10" width="100%">
    			      <tr align="left" valign="middle" bgcolor="#6699CC">
    				<td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF"><b>Welcome to Citrix<font
     size='1'><sup>®</sup></font> MetaFrame<sup><font size='1'>™</font></sup></b></font></td>
    			      </tr>
    			      <tr align="left" valign="top">
    				<td>
    				  <p><font face="Verdana, Arial, Helvetica, sans-serif" size="4"><b><font size="3">Please log in
    				  </font></b></font></p>
    				  <ul>
    				    <li><font face="Verdana, Arial, Helvetica, sans-serif" size="2">To log
     in to the application portal, type your user name, password, and domain name in the boxes at left.
    				    <p></p>
    				    <li>Click the Log In button to log in.
    				  </ul>
    				  <p>If you do not know your login information, please contact your help desk or
     system administrator.</font></p>
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    			<tr>
    			  
    			  <td valign="top">
    			    <table border="0" cellspacing="0" cellpadding="10" width="100%">
    			      <tr align="left" valign="middle" bgcolor="#6699CC">
    				<td> <font face="Verdana, Arial, Helvetica, sans-serif" size="3" color="#FFFFFF">
    				  <b>
    				  Citrix<font size='1'><sup>®</sup></font> NFuse<sup><font size='1'>™</font></sup><i>Classic</i> Message Center
    				  </b>
    				  </font>
    				</td>
    			      </tr>
    			      <tr>
    				<td>
    				  <table border="0">
    				    <tr>
    				      <td>
    					<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
    					The NFuse Classic Message Center displays any informational or error messages that may occur.
    					</font>
    					<p></p>
    					
    				      </td>
    				    </tr>
    				    <tr>
    				      <td>
    
    <script language="vbscript" type="text/vbscript">
    <!--
    
    function hasIcaObjVal()
        dim obj
        Err.Clear
        On Error Resume Next
        hasIcaObjVal = 0
        set obj = CreateObject("Citrix.ICAClient")
        if (Err.number = 0) then
            hasIcaObjVal = 1
        else
            Err.Clear
            set obj = CreateObject("Wfica.WficaCtl.6")
            if (Err.number = 0) then
                hasIcaObjVal = 1
            else
                Err.Clear
                hasIcaObjVal = 0
            end if
        end if
        set obj = Nothing
    end function
    
    select case hasIcaObjVal()
        case 1
        case else
    
            popupContent = "<p><IMG SRC='media/info.gif' border='0'><font face='Verdana,
     Arial, Helvetica, sans-serif' size='2'>You do not have the Citrix ICA Client (ActiveX) for
     32-bit Windows installed on your system. You must install the ICA Client to launch the
     applications.<p>Select the icon below to install the ICA Client."
            popupContent = popupContent & "<p><a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'><IMG SRC='media/ica.jpg' alt='Citrix ICA Web Client
     for 32-bit Windows' border='0'></a> <a href='/Citrix/ICAWEB/en/ica32/ica32t.exe'>Citrix ICA Web Client for 32-bit Windows</a></font>"
            document.write(popupContent)
    
    end select
    
    //-->
    </script>
    
    				      </td>
    				    </tr>
    				  </table>
    				  <br clear="all"><img src="media/citrix.gif" width="130" height="56" align="right">
    				</td>
    			      </tr>
    			    </table>
    			  </td>
    			</tr>
    		      </table>
    		    </td>
    		  </tr>
    		</table>
    	      </td>
    	    </tr>
    	  </table>
    	</td>
          </tr>
        </table>
    </div>
    </body>
    </html>

Additional Information:

The online documentation for Form Fill has been GREATLY enhanced for iChain 2.3 Support pack 2 and is now available here: iChain 2.3 SP2 Documentation.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell