Environment
Novell ZENworks 11 Configuration Management
Novell ZENworks 10 Configuration Management with Support Pack 1 - 10.1 Situation
Rights authentication fails with more than one server in the zone, and when the validating server time is behind the server that ZCC is being run from.
ERROR: "Rights Authentication failed. The ticket has expired. If the connection was initiated from the managed device, close the Remote Management Listener, launch it again and retry. If this does not resolve the problem, contact Novell Technical Services ".
ERROR (from services-messages.log on the validating server):
[DEBUG] [3/12/09 6:50:01 AM] [] [[[Remote Management Authentication Service]]] [Ticket expired.Server time now = 1236865801647Ticket ValidFrom = 1236865806693Ticket ValidTill = 1236865926693] [Ticket expired.Server time now = 1236865801647Ticket ValidFrom = 1236865806693Ticket ValidTill = 1236865926693] [] []
Resolution
This is fixed in version 11.2.1 - see KB 7010042 "ZENworks Configuration Management 11.21 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7010042
Additional Information
This won't happen with just one server in the zone, or if the logged in ZCC server is the same as the server used for ticket validation. Note in the times listed in the services-messages.log :
now = 1236865801647 (Thu Mar 12 09:50:01 2009)
validfrom = 1236865806693 (Thu Mar 12 09:50:06 2009)
vaildtill = 1236865926693 (Thu Mar 12 09:52:06 2009)
validfrom = 1236865806693 (Thu Mar 12 09:50:06 2009)
vaildtill = 1236865926693 (Thu Mar 12 09:52:06 2009)
In this case the validating server "now" is behind the "valid from" time of the ticket and fails.
Tickets should only fail if the validity of the time is outside the 2 minute window in either direction. The zmd-messages.log of the agent (debug or higher) will show the server being used to validate the ticket. Look for the IP address or DNS name in the rmauth service URL, for example: https://server/zenworks-rmauth-service