D.9 Troubleshooting Login Issues

Use the information in the following sections to troubleshoot login and authentication issues.

D.9.1 Enabling the CASA Server and Client Logs

Capturing the ats.log and ats.trace on Authentication Servers

  1. Edit the log4j.properties file.

    Windows Primary Server: The locations are:

    <%ZENworks_HOME%>\share\tomcat\conf\log4j.properties (internal CASA)

    <%ZENworks_HOME%>\share\ats\etc\svc\log4j.properties (external CASA)

    Windows Satellite Server: The location is:

    <%ZENworks_HOME%>\share\ats\etc\svc\log4j.properties

    Linux Primary Server: The locations are:

    /opt/novell/zenworks/share/tomcat/conf/log4j.properties (internal CASA)

    /etc/CASA/authtoken/svc/log4j.properties (external CASA)

    Linux Satellite Server: The location is:

    /etc/opt/novell/zenworks/conf/casa/log4j.properties

  2. Set the log mode to debug, and restart the ATS (Authentication Token Service).

NOTE: The names of the services are specified in Checking the CASA Service Status.

Capturing the casaauthtoken.log on Managed Devices

  1. Create a folder. For example: c:\logfolder

  2. Modify <%ZENworks_HOME%>\casa\etc\auth\client.conf to set the values of DebugLevel to 3 and DebugLogFolderPath to the desired log location. For example, c:\logfolder.

  3. Restart the ZENworks Agent Service.

D.9.2 Time Synchronization

If the time on the managed device is not synchronized with the ZENworks Server, the managed device does not trust the certificate presented by the server. Ensure that devices are always time-synchronized. Also, ensure that you check the time synchronization with the eDirectory servers.

D.9.3 Checking Certificates

Checking the Authentication Satellite Server’s DNS Suffix

Ensure that the authentication Satellite Server has a primary DNS suffix specified prior to promoting the server. Generally the certificates are created against the device's (Satellite or Primary) FQDN or DNS name.

Importing the ATS Certificate

Ensure that the ATS (Authentication Token Service) certificate of a Satellite Server is imported into the trust store of the Primary Server by issuing the following commands:

  • On the Windows Primary Server:

    keytool -list -keystore "c:\program files\novell\zenworks\conf\security\trusted-ats-jks-store" -storepass secret
    
  • On the Linux Primary Server:

    keytool -list -keystore "/etc/opt/novell/zenworks/security/trusted-ats-jks-store" -storepass secret
    

Checking casa_crypto.properties

Ensure that the casa_crypto.properties file, available at the locations specified below, is updated to show the correct keystore path. The trusted ATS keystore entry should map to the ZENworks keystore.

  • Windows Internal CASA: <%ZENworks_HOME%>\share\tomcat\webapps\CasaAuthTokenSvc\WEB-INF\classes\casa_crypto.properties

  • Windows External CASA: <%ZENworks_HOME%>\share\ats\catalinabase\webapps\CasaAuthTokenSvc\WEB-INF\classes\casa_crypto.properties

  • Linux Internal CASA: /opt/novell/zenworks/share/tomcat/webapps/CasaAuthTokenSvc/WEB-INF/classes/casa_crypto.properties

  • Linux External CASA: /srv/www/casaats/webapps/CasaAuthTokenSvc/WEB-INF/classes/casa_crypto.properties (/etc/opt/novell/zenworks/security/trusted-ats-jks-store)

Ensure that the right certificates are present in the server store and the trusted store.

Checking Certificate Properties

  • Ensure that the subject name in the server certificate matches the server host name or the server IP.

  • Ensure that the certificate has not expired.

D.9.4 Checking ATS Status

ATS Configuration Files

Ensure that the ATS (Authentication Token Service) configuration files are present in the following locations:

  • On Linux (Primary and Satellite): /etc/CASA/authtoken/svc

  • On Windows (Primary and Satellite): <%ZENworks_HOME%>\share\ats\etc\svc

Ensure that the iarealms.xml file exists and verify whether the configured tree and search root are updated.

Ensure that the auth.policy files for the configured services are created under the Enabled_Services folder. If these files are missing, reconfigure the user source or restart the ZenLoader Service.

Checking the CASA Service Status

Ensure that the CASA services are up and running. On Windows, launch services.msc. On Linux, go to /etc/init.d and check the status of the service.

  • Primary Server External CASA ATS: casaAuthTokensvc (Windows); casa_atsd (Linux)

  • Primary Server Internal CASA ATS: novell-zenserver (Linux); Novell ZENworks Server (Windows)

  • Windows Satellite: Novell ZENworks Authentication server

  • Linux Satellite: On Linux satellites, the authentication service runs within the ZMD (ZENworks Management Daemon) service.

If the CASA service has not started on the Linux server, verify whether the PID file exists at /var/lib/CASA/authtoken/svc/casaatsd.pid. If it exists, manually delete the file, and start the service again.

Checking the ATS Servlet

Ensure that the ATS servlet is listening on the configured ports by opening the following URL in a browser on the managed device:

https://<server_ip>:<port>/CasaAuthTokenSvc/Rpc

If you receive a 400 error, this indicates that the servlet is listening but the browser has not formed the request in the required format.
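
A scripted form of this check, as an added example that is not part of the original documentation or of ZENworks: it sends one GET to the Rpc URL and sorts the result into the outcomes this page troubleshoots. The names probe_ats and NEXT_STEP, the state labels, and the optional CA file argument are assumptions of the example.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Where to look next on this page for each outcome (mapping is this example's own).
NEXT_STEP = {
    "listening": "servlet is up; continue with the user source checks",
    "certificate": "D.9.2 Time Synchronization and D.9.3 Checking Certificates",
    "not-listening": "Checking the CASA Service Status",
    "unreachable": "network path, firewall, server address and port",
    "other": "confirm the URL path and port are those of the ATS",
}


def probe_ats(url, cafile=None, timeout=5):
    """Send one GET to the ATS Rpc URL and return (state, detail)."""
    # Default context verifies the chain, validity dates and host name.
    ctx = ssl.create_default_context(cafile=cafile)
    # Empty ProxyHandler: talk to the server directly, ignoring proxy settings.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ("other", f"HTTP {resp.status}")
    except urllib.error.HTTPError as exc:
        if exc.code == 400:
            # Per the page: listening, but the request is not in the required format.
            return ("listening", "HTTP 400")
        return ("other", f"HTTP {exc.code}")
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            # Expired, not yet valid (clock skew), name mismatch, unknown issuer.
            return ("certificate", reason.verify_message)
        if isinstance(reason, ConnectionRefusedError):
            return ("not-listening", "connection refused")
        return ("unreachable", str(reason))
    except OSError as exc:  # e.g. a read timeout raised outside URLError
        return ("unreachable", str(exc))


if __name__ == "__main__":
    # Usage: python probe_ats.py https://<server_ip>:<port>/CasaAuthTokenSvc/Rpc [ca.pem]
    state, detail = probe_ats(*sys.argv[1:3])
    print(f"{state}: {detail} -> check {NEXT_STEP[state]}")
```

If the server certificate is issued by an internal CA, pass that CA's PEM file as the second argument; otherwise the probe reports a certificate failure even when the certificate itself is sound.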

Checking the Authentication Satellite

Ensure that the authentication Satellite (if it is configured) is accessible by typing https://<server_ip>:<port>/zenworks-ping in the browser. The browser should display Zenworks-Ping or Pong.

Checking the User Source

Verify that there is communication between CASA-ATS and the configured user source and ensure that you can browse through the users of the configured user source. Also, ensure that the LDAP server is not overloaded and server utilization is normal. LDAP server responses might directly impact login times.