*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 13:13 | |
*** markw78 (~mark.wole@38.83.98.34) has joined #wikid | 17:14 | |
markw78 | hi | 17:14 |
markw78 | getting an error about corrupt keystore or something, and there's a SSL error in the RADIUS log | 17:15 |
markw78 | not really sure what to do, can't find the password for the tomcatKeystore (if that's where I should be looking) | 17:15 |
nowen | what version of WiKID is this? | 17:16 |
markw78 | not sure... sec | 17:17 |
markw78 | probably older | 17:17 |
markw78 | wikid-server-enterprise-3.4.87-b1092 | 17:17 |
nowen | you probably just need to update your certificates, maybe just the localhost | 17:17 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-know-if-my-certificate-is-valid | 17:18 |
nowen | will show you how | 17:18 |
markw78 | ok I will check that out | 17:18 |
nowen | we're up to 3.5 too, upgrading is probably a good idea | 17:18 |
markw78 | java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file. | 17:18 |
markw78 | same error I get in the Wikid Logs in the web UI | 17:18 |
markw78 | ERRORcom.wikidsystems.client.wClientERROR: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file. | 17:19 |
markw78 | maybe I just recreate via wikidadmin? | 17:20 |
nowen | is this for the localhost? | 17:20 |
nowen | yes, are you only using radius? | 17:20 |
markw78 | I think so, that's the log in the Wikid log when I click Logs and Filter | 17:20 |
markw78 | yes | 17:20 |
markw78 | only radius | 17:20 |
nowen | then recreating should be fine | 17:20 |
markw78 | ok | 17:21 |
markw78 | <create a localhost certificate> | 17:21 |
markw78 | oh I was using the wrong password on the keytool command :/ | 17:22 |
markw78 | sure enough | 17:22 |
markw78 | expired today | 17:22 |
nowen | if the IntCA is ok, then you can just create a new localhost | 17:22 |
markw78 | oh | 17:25 |
markw78 | it's not expired, I just can't read | 17:25 |
markw78 | Valid from: Tue May 11 04:31:01 EDT 2010 until: Fri May 10 04:31:01 EDT 2013 | 17:25 |
markw78 | it's the only cert in the store | 17:25 |
markw78 | Your keystore contains 1 entry | 17:26 |
markw78 | Alias name: | 17:26 |
markw78 | Creation date: Mar 4, 2013 | 17:26 |
nowen | I would go ahead and create both anew. | 17:26 |
markw78 | Weird that the creation date shows that | 17:26 |
markw78 | ok | 17:26 |
markw78 | /opt/WiKID/private/intCAKeys.p12 | 17:27 |
markw78 | that's the localhost? | 17:27 |
nowen | that's the intermediate CA. localhost.p12 | 17:27 |
markw78 | ah | 17:27 |
markw78 | I have 2 passwords documented trying to figure out which is which heh | 17:28 |
markw78 | oh I see, reread the KB heh | 17:28 |
markw78 | sorry | 17:28 |
markw78 | localhost expired 2 months ago | 17:29 |
markw78 | but this just broke overnight | 17:29 |
markw78 | I'll recreate both | 17:29 |
nowen | did you restart overnight? | 17:29 |
markw78 | hmm over the weekend possibly, yah | 17:30 |
markw78 | that's probably it | 17:30 |
markw78 | yah | 17:30 |
markw78 | we did a vmware tools update yesterday | 17:30 |
markw78 | so now I just need to figure out the 2 passwords, it said my keystore password isn't right for the store ;/ | 17:30 |
markw78 | there | 17:31 |
nowen | you can change them when you re-create | 17:31 |
markw78 | when I recreated it said the keystore password wasn't right, I tried the other one and it worked tho | 17:31 |
markw78 | bleh can't get a token now | 17:37 |
markw78 | Can't start RADIUS Server | 17:37 |
nowen | hmm, that should not be affected by the certs | 17:38 |
nowen | is there an error? | 17:38 |
markw78 | yah, in the wikidlog | 17:38 |
markw78 | the radius.log has this... | 17:38 |
markw78 | log4j:ERROR Could not connect to remote log4j server at [localhost]. We will try again later. | 17:38 |
nowen | that doesn't relate to this | 17:39 |
markw78 | ok | 17:39 |
nowen | run 'netstat -anp | grep 1812 | 17:39 |
nowen | ' | 17:39 |
nowen | and see if the radius listener is up | 17:39 |
markw78 | yah | 17:39 |
markw78 | java listening | 17:39 |
nowen | ok - it can take a while for radius to start b/c it needs random info | 17:39 |
nowen | the updated versions start radius faster | 17:40 |
markw78 | argh | 17:40 |
markw78 | com.wikidsystems.client.wClientERROR: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file. | 17:40 |
markw78 | I just made the new one lol | 17:40 |
nowen | hmm | 17:40 |
markw78 | that error just happened | 17:40 |
nowen | this is after you restarted WiKID? | 17:40 |
markw78 | yah, I updated the localhost cert, and rebooted the box | 17:41 |
markw78 | I wonder if I need to update my password for it somewhere? but that would prevent wikid from starting all together I thought? | 17:41 |
nowen | did you get prompted for the passphrase on start? | 17:41 |
nowen | the intermediate CA passphrase, which is used to start the server, can be entered into /etc/WiKID/security | 17:43 |
markw78 | oh we got a passcode now | 17:43 |
markw78 | thats the file I was thinking of | 17:44 |
markw78 | ok let me check | 17:44 |
markw78 | ok we get a token now, but still can't connect heh | 17:44 |
nowen | can | 17:44 |
nowen | can | 17:45 |
nowen | erp | 17:45 |
nowen | can't connect meaning? | 17:45 |
nowen | VPN ? | 17:45 |
markw78 | yah vpn sorry | 17:46 |
nowen | ok - any error in the wikid admin logs? | 17:46 |
markw78 | having someone check | 17:46 |
nowen | also, make sure that the user is still enabled | 17:46 |
markw78 | yah did check that | 17:46 |
markw78 | we have the passphrase in the file | 17:47 |
markw78 | and wikid starts, can get tokens... so the passphrase should be OK? | 17:47 |
markw78 | or could it still be wrong? | 17:47 |
nowen | if it is wrong, the server won't start | 17:47 |
markw78 | ok, thats what I thought | 17:47 |
markw78 | so that should be ruled out | 17:47 |
nowen | yes | 17:47 |
nowen | did any ip addresses change? for the vpn ? | 17:48 |
markw78 | awhile back | 17:48 |
markw78 | we had you create a DNS alias for us | 17:48 |
markw78 | so its slow to get a token, and that part works | 17:48 |
markw78 | but its possible this is the first server restart since then? | 17:48 |
nowen | maybe | 17:49 |
markw78 | radius log has stuff now | 17:50 |
markw78 | nothing new in the GUI log | 17:50 |
nowen | you might want to set radius logging to debug: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests | 17:51 |
markw78 | ah I was filtering wrong too | 17:54 |
*** josha (~josh.arri@38.83.98.34) has joined #wikid | 17:54 | |
markw78 | <10> Access-Request(1) LEN=275 192.168.10.245:51354 Access-Request by user.name Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 17:55 |
nowen | hmm | 17:55 |
markw78 | checking the domain controller / IAS server | 17:56 |
markw78 | thats the error on the wikid server, when I check the radius server I see this | 17:57 |
markw78 | Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request. | 17:57 |
markw78 | lol | 17:57 |
markw78 | tcpdump time | 17:57 |
nowen | there have been a lot of updates to the radius plugin. | 17:58 |
nowen | I don't think it would cause these issues though | 17:58 |
markw78 | yah, it's weird that it just stopped after the reboot I guess :/ | 17:58 |
nowen | I'll post the newest rpms and you can download them. | 17:58 |
nowen | http://wikidsystems-dl.com/wikid-server-enterprise-3.5.0.b1411-1.noarch.rpm | 17:58 |
nowen | and | 17:58 |
markw78 | ok | 17:59 |
nowen | http://wikidsystems-dl.com/wikid-utilities-3.4.2-1.i386.rpm | 17:59 |
markw78 | wikid is sending a reject radius packet | 17:59 |
markw78 | back to the radius server | 17:59 |
nowen | you have to update both | 17:59 |
markw78 | VPN sends request to RADIUS server, RADIUS server sends request to WIKID, WiKID rejects it | 17:59 |
nowen | hmm. no way the shared secret changed, right? | 18:01 |
markw78 | I'm fairly sure not | 18:01 |
nowen | can you take a snapshot and then do the RPM upgrade? 'rpm -Uvh wikid...' should do it | 18:02 |
markw78 | yah | 18:02 |
nowen | There was one fix for radius that might be it, and md5 issue | 18:02 |
markw78 | will we need to reconfigure the security file or startup or anything? | 18:02 |
nowen | you might need to re-edit it. | 18:02 |
markw78 | ok | 18:03 |
nowen | do you use the example.jsp or adregister? | 18:03 |
markw78 | adregister | 18:03 |
nowen | make a copy of it as it will get overwritten | 18:03 |
markw78 | alright | 18:03 |
markw78 | yah the wikid log just shows an auth failure for MS-CHAPv2 | 18:03 |
markw78 | like both servers are blaming each other, but the tcpdump showed the wikid server the source rejection... going to try the upgrade | 18:04 |
markw78 | thx for the help btw | 18:10 |
nowen | np, sorry for the issue | 18:10 |
markw78 | happens | 18:10 |
markw78 | if it didn't, us IT folks would be out of jobs lol | 18:10 |
nowen | ha | 18:10 |
markw78 | ok | 18:17 |
markw78 | upgraded, I Went to copy my adregister back | 18:18 |
markw78 | and the ADregister folder isn't there | 18:18 |
markw78 | /opt/WiKID/tomcat/webapps/wikid/ only has ROOT, and 2 .war files | 18:18 |
markw78 | suppose thats not really important right now tho | 18:18 |
nowen | hmm | 18:18 |
nowen | are they WiKIDAdmin and wikid? | 18:18 |
markw78 | right | 18:18 |
markw78 | I just restarted the service after the update... | 18:19 |
markw78 | Starting database...Success! | 18:19 |
markw78 | Applying cumulative schema updates... | 18:19 |
nowen | ok | 18:19 |
markw78 | now services starting | 18:19 |
markw78 | Passphrase is good | 18:19 |
markw78 | ok | 18:19 |
markw78 | let me go find someone to test | 18:19 |
markw78 | left my token at home lol ;/ | 18:19 |
nowen | you can create a new one ;-) | 18:20 |
markw78 | true | 18:20 |
markw78 | I do need to setup a new domain | 18:21 |
markw78 | but I tried and couldn't get it working :/ | 18:21 |
josha | will we be needing to update anything on the tokens or will they continue to work? | 18:21 |
markw78 | (to deal with our IP change so we can get rid of the DNS timeout lag) | 18:21 |
markw78 | ^^ josha = coworker | 18:21 |
nowen | hmm, dns shouldn't be that slow | 18:21 |
markw78 | login failed again :/ | 18:21 |
nowen | josha: if we're not changing the domain, the tokens shouldn't need to be altered | 18:22 |
josha | awesome | 18:22 |
nowen | markw78: you will probably have to enable radius debugging again | 18:22 |
markw78 | ok, checking that now | 18:22 |
markw78 | ok failed... refreshing log filter | 18:24 |
markw78 | This is a MSCHAPV2 request | 18:25 |
markw78 | trace com.mchange.v2.resourcepool.BasicResourcePool@ef5502 [managed: 3, unused: 2, excluded: 0] (e.g. com.mchange.v2.c3p0.impl.NewPooledConnection@1c0e45a) | 18:25 |
markw78 | <18> Access-Request(1) LEN=275 192.168.10.245:51354 Access-Request by mark\ Failed: AccessRejectException: Microsoft MS-CHAP failed authentication. | 18:25 |
nowen | if you want you can post it to pastebin.org | 18:25 |
markw78 | I don't see any more details, other than the whole RADIUS Packet in the log | 18:26 |
nowen | yeah, let me see the packet | 18:26 |
markw78 | ok | 18:26 |
markw78 | http://pastebin.com/GG7rjb1d | 18:27 |
markw78 | I replaced the actual username with user.name | 18:27 |
markw78 | and formatting leaves a lot to be desired... but there it is | 18:27 |
nowen | damn, I'm not sure why it would stop working all the sudden. the cert issue stopped it from starting properly, but no settings changed | 18:29 |
markw78 | yah | 18:29 |
nowen | is the date correct? | 18:30 |
markw78 | where | 18:30 |
markw78 | just in general? | 18:30 |
markw78 | it's the wrong time zone, but otherwise the time/date is right on the OS | 18:30 |
nowen | on WiKID | 18:30 |
nowen | huh, did you move the server or was it never right? | 18:31 |
markw78 | no, it's never been right as far as I know | 18:31 |
markw78 | just the wrong timezone set | 18:31 |
markw78 | thinks it's EST | 18:31 |
markw78 | at least I think it's always been like that? | 18:31 |
markw78 | let me see | 18:32 |
markw78 | ugh | 18:33 |
markw78 | I just typed setup | 18:33 |
nowen | try /usr/bin/system-config-time | 18:33 |
markw78 | and its running wikidsetup | 18:33 |
markw78 | oh phew :) | 18:33 |
markw78 | ok time info all right now | 18:34 |
markw78 | restarting wikid | 18:35 |
nowen | yep | 18:35 |
markw78 | the ADregister stuff, do I just need to manually create the folder/files ? | 18:35 |
nowen | you can copy your old one over or just edit the new ones | 18:36 |
markw78 | but the folder was missing when I looked | 18:36 |
markw78 | unless it's there now | 18:36 |
nowen | should be there | 18:36 |
markw78 | there it is | 18:36 |
markw78 | I guess it was the schema update thing | 18:36 |
nowen | also, on the loggers > configure loggers page, set the middle three loggers to debug | 18:36 |
markw78 | ok | 18:37 |
markw78 | still can't auth | 18:37 |
nowen | note that you can save the config on a restart, but don't leave it in debug for production, or your logs will overflow | 18:37 |
markw78 | ok | 18:37 |
nowen | change those loggers and retry. hopefully, more info will help | 18:38 |
markw78 | gotta re-add the radius one too | 18:38 |
markw78 | no change | 18:41 |
markw78 | new log: http://pastebin.com/ngW0SqmM | 18:41 |
markw78 | on the domain controller side, just get " Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request. " | 18:41 |
nowen | there should be more log data though | 18:42 |
nowen | you should see the passcode | 18:42 |
markw78 | checking | 18:42 |
nowen | is 192.168.10.245 the radius server? | 18:43 |
markw78 | yes | 18:43 |
markw78 | MS IAS | 18:43 |
nowen | and that's what's listed on the Network Client page? | 18:43 |
markw78 | I don't see anything about the passcode | 18:43 |
markw78 | Network clients has that IP in it twice | 18:43 |
markw78 | I was trying to setup a 2nd one a long time ago | 18:44 |
markw78 | so the same thing is in there twice | 18:44 |
markw78 | maybe I should delete one? | 18:44 |
nowen | yes, I think so | 18:44 |
markw78 | Also under Certificate it says N/A for both, but I think that's OK | 18:44 |
markw78 | ok | 18:44 |
markw78 | oh yah I duplicated our domain too | 18:44 |
markw78 | with a new domain ID | 18:44 |
markw78 | I'll delete that also | 18:44 |
markw78 | restarting | 18:45 |
markw78 | awhile back we changed our VPN IP and Wikid server IP, so you put a DNS work around in place for us... but that makes it slow, because the first attempts have to timeout first... so I was trying to setup a new domain using the new IPs | 18:46 |
markw78 | but the domain name etc was all the same, so maybe that confused things when the services started | 18:46 |
markw78 | still fails :/ | 18:47 |
nowen | hmm | 18:47 |
markw78 | log looks the same | 18:49 |
markw78 | I could check the radius passphrase, that's easy to do and independent of things right | 18:50 |
markw78 | was also thinking of making a new user | 18:50 |
markw78 | I still don't see the passcode logged tho | 18:50 |
nowen | can you try a pap request from nps? | 18:50 |
markw78 | not sure how | 18:50 |
nowen | do you have com.wikidsystems.client.wClient and com.wikidsystems set to debug? | 18:51 |
markw78 | http://pastebin.com/qSAnvDrm | 18:51 |
markw78 | checking | 18:51 |
markw78 | yes | 18:51 |
markw78 | all debug except HTTP access logger and org.apache | 18:52 |
nowen | you can change the encoding settings on NPS | 18:52 |
nowen | from chap to pop | 18:52 |
nowen | err pap | 18:52 |
markw78 | we're not using NPS | 18:53 |
markw78 | windows 2003 - IAS | 18:53 |
markw78 | let me check | 18:54 |
nowen | oh, yes | 18:54 |
markw78 | unencrypted PAP? | 18:54 |
markw78 | and should I uncheck CHAP or leave them both? | 18:55 |
markw78 | change to... sounds like uncheck :) | 18:55 |
nowen | uncheck chap | 18:55 |
nowen | and let's see | 18:55 |
markw78 | failed | 18:55 |
markw78 | want to check the log I assume | 18:55 |
nowen | hmm | 18:56 |
markw78 | nothing new :/ | 18:56 |
markw78 | http://pastebin.com/4rz2QKBa | 18:57 |
nowen | still thinks it's a chapv2 | 18:58 |
markw78 | interesting | 18:58 |
nowen | ok - run 'wikidctl stop | 18:59 |
nowen | and then 'killall -9 java' | 18:59 |
nowen | and then start again | 18:59 |
nowen | maybe the radius cache is not getting cleared out | 18:59 |
markw78 | ok | 18:59 |
markw78 | bounced IAS too | 18:59 |
markw78 | interesting | 19:02 |
markw78 | it worked now... BUT the radius.log still says MSCHAPV2 lol | 19:02 |
markw78 | "This is a MSCHAPV2 request" | 19:02 |
markw78 | let me re-enable CHAPV2 and see | 19:02 |
markw78 | starting back up | 19:06 |
markw78 | ok CHAP is working too, this really makes no sense at all :/ | 19:09 |
markw78 | I mean root cause is probably the cert... but I rebooted the whole server after I fixed the cert... | 19:09 |
nowen | yes | 19:09 |
markw78 | and we restarted IAS earlier this morning | 19:09 |
markw78 | some random magic combination though | 19:09 |
markw78 | and an upgrade :D | 19:09 |
nowen | I know that radius caches a lot of stuff. I can't believe it made it through the upgrade | 19:10 |
markw78 | yah | 19:10 |
nowen | take a look at this: http://www.wikidsystems.com/downloads/changelogs/enterprise-changelog | 19:10 |
markw78 | I guess I didn't reboot after the upgrade | 19:10 |
nowen | you shouldn't have to | 19:10 |
markw78 | I just mean to fully clear out all the cache/ram etc | 19:10 |
markw78 | we need to pay more attention to the server in general though lol, it's been so solid it just sorta works | 19:11 |
nowen | hehe | 19:11 |
markw78 | also could have had something to do with my duplicate domain info in there | 19:11 |
markw78 | I do need to setup a new domain ID for the same domain tho, so we can get rid of the DNS work around | 19:11 |
nowen | yeah, that could have confused the radius request | 19:11 |
markw78 | yah | 19:11 |
nowen | how many users do you have again | 19:11 |
markw78 | about 60 or so I think | 19:11 |
markw78 | right now the issue is that the DNS work around has a longer delay than the iphone app waits for a token | 19:12 |
markw78 | so people who wanted to use their iphone apps were complaining, that may have gotten fixed though | 19:12 |
markw78 | hasn't really been a priority lol | 19:12 |
nowen | are the iPhone tokens not working? | 19:13 |
nowen | what's your domain id again? | 19:13 |
markw78 | I'll have to double check... I know at one point, right after we changed IPs and put the DNS work around in they were not... but no one's been complaining so it may be OK now | 19:13 |
nowen | you can also put an entry into your dns | 19:13 |
markw78 | 012069065165 | 19:13 |
markw78 | yah I have one internally I think | 19:14 |
markw78 | the issue is that the client tries to hit the domain IP the normal way, and has to timeout before it does the wikidsystems.com lookup | 19:14 |
markw78 | I gotta go update my boss on the vpn issue, I'll ask about the iphone app while I'm down there | 19:14 |
markw78 | then gonna grab a bite and I'll be back in a bit | 19:14 |
markw78 | thx again for the help getting us back up! We'll put something in place to monitor / remind us about the cert heh | 19:14 |
nowen | we're going to improve that sometime | 19:15 |
nowen | hmm, odd. it is slow on my phone | 19:16 |
*** cdub_ (40fee8e2@gateway/web/freenode/ip.64.254.232.226) has joined #wikid | 19:18 | |
cdub_ | I am trying to install the desktop client and after running it is asking for a passphrase | 19:19 |
nowen | is this a re-install? | 19:19 |
cdub_ | It may have been installed in the past. Also the uninstaller does not seem to do anything | 19:19 |
nowen | something is wrong with the short-cut. running the uninstaller jar works, also, you can just delete the directory as it's all in there. | 19:20 |
nowen | you can search for wikidtoken.wkd and delete that file. If you're using the latest, then entering the wrong passphrase 5 times will prompt you to re-create it | 19:21 |
cdub_ | ok thx | 19:21 |
*** cdub_ has quit (Ping timeout: 245 seconds) | 19:34 | |
*** nowen has quit (Quit: Leaving.) | 21:19 | |
*** markw78 has parted #wikid (None) | 21:26 | |
*** josha has parted #wikid (None) | 21:34 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!