Full Guide: FME Flow Troubleshooting Guide
Are you encountering issues configuring FME Flow (formerly FME Server) for IWA/SSO? Please read below for some common troubleshooting tips and issues.
In 2023, FME Server underwent a name change and is now known as FME Flow. Since this article discusses features present in previous versions of FME, it will refer to both names interchangeably, using the appropriate product name based on the year the feature was introduced. For more information on the rebranding, see our website.
Content Overview
- Initial Troubleshooting
- Authentication Failures
- Further Troubleshooting
- Common Issues
- "When I click on the 'Use Windows Credentials' button an additional Sign in dialog pops up"
- “Using ‘Use Windows Credentials’ I am returned You are not authorized to access this web application”
- “In the fmeserver.log there is an Encryption type error reported”
- “When I attempt to use SSO the fmeserver.log records a failed login by user due to insufficient credentials”
- “When I attempt to use SSO the fmeserver.log records a failed login by user due to No SASL mechanism specified in configuration”
- "When I attempt to use SSO, I receive a Login failed message and there is nothing in the FME Flow logs. My FME Flow is configured for HTTPS."
Initial Troubleshooting
- Is it just SSO that fails: does logging in with your Active Directory credentials work? If you are also experiencing problems with AD, please review this troubleshooting guide.
- Have you followed all the configuration steps? (That documentation is for the current release; use the version matching your installation, which can be found in the Help section after logging in to FME Flow.)
- Are you using a supported browser? Single Sign-On is currently supported on Microsoft Edge, Firefox and Chrome.
- SSO is known not to work if you are logged in to the machine where FME Flow is installed; please test connecting from a different machine.
- Have you checked the log files located in <FMEFlowFileShare>/Resources/Logs/Core? In particular, look in fmedirectoryserver.log and fmeserver.log for messages starting with '(Active Directory)' or '(Single Sign-On)'. See the Authentication Failures section below for resolutions to common errors.
Authentication Failures
Check out the resolution on the relevant documentation page if you see any of the following errors in the fmeserver.log or the fmedirectoryserver.log:
Failure to Connect to Directory Server (SSL):
The following message appears on the Directory Servers page:
An error occurred while communicating with directory server (81) or (91)
and the log file reports:
(Directory Server) Exception: "An error occurred while attempting to send the LDAP message to "...": javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Unable to Use SASL Authentication:
(Directory Server) Not using SASL for authentication, because configuration is incomplete.
Unsupported SASL Mechanism:
(Directory Server) SASL mechanism "..." is not supported by Directory Server.
Incorrect Mechanism:
(Single Sign-On) Client attempted NTLM authentication; single sign-on authentication supports only Kerberos V5 authentication. Refer to single sign-on documentation for resolution. (Single Sign-On) Failed authentication because of an invalid client token. Refer to single sign-on documentation for resolution.
Negotiation Error:
(Single Sign-On) Negotiation reported an error: "Failure unspecified at GSS-API level (Mechanism level: Checksum failed)". (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.
OR
(Single Sign-On) Negotiation reported a defective token from client: "...". (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.
OR
(Single Sign-On) Negotiation reported an error: "...". (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.
Additional note: make sure that the SPNs have been entered in the form http/server.com instead of http://server.com. The HTTP and HTTPS protocols both use the HTTP service class.
Service Account:
(Single Sign-On) Failed authentication using pre-authenticated credentials (for a service account). (Single Sign-On) Failed to create server credentials. Ensure that pre-authenticated credentials (for a service account) are correctly specified in single sign-on configuration.
Cross-Domain User:
(Single Sign-On) Negotiation complete; authentication granted for user "...". (Single Sign-On) Failed authentication because user "..." could not be found in Active Directory.
Same Machine Access:
(Single Sign-On) Negotiation reported a defective token from client: "Defective token detected (Mechanism level: GSSHeader did not find the right tag)". (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.
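The log check in the Initial Troubleshooting section and the catalogue of messages above lend themselves to a small triage script. The following is an added example written for this article (it is not Safe Software code): it scans fmeserver.log or fmedirectoryserver.log for lines tagged '(Active Directory)', '(Single Sign-On)' or '(Directory Server)', maps each one to the heading it falls under above, and lists any authentication message that matches nothing, which is what you would read by hand or send to Support. The sample log lines are constructed from the message texts quoted above; the timestamp prefix on them is a stand-in, since the classifier only looks at the subsystem tag and message text. The function names and labels are this example's own.

```python
"""Triage FME Flow core logs for the SSO / Active Directory failure
messages catalogued in this guide.  Added example, not Safe Software code."""
import re
import sys
from collections import Counter

# Subsystem tags the guide says to look for in fmeserver.log and fmedirectoryserver.log.
SUBSYSTEMS = ("(Active Directory)", "(Single Sign-On)", "(Directory Server)")

# (regex, label): labels are the headings of the "Authentication Failures"
# section.  Order matters: the most specific message texts come first.
KNOWN_FAILURES = [
    (r"GSSHeader did not find the right tag", "Same Machine Access"),
    (r"Client attempted NTLM authentication|invalid client token", "Incorrect Mechanism"),
    (r"could not be found in Active Directory", "Cross-Domain User"),
    (r"Failed to create server credentials|pre-authenticated credentials", "Service Account"),
    (r"Encryption type .* is not supported/enabled", "Encryption Type"),
    (r"negotiation error|Checksum failed|defective token|Negotiation reported an error", "Negotiation Error"),
    (r"Not using SASL for authentication", "Unable to Use SASL Authentication"),
    (r'SASL mechanism ".*" is not supported', "Unsupported SASL Mechanism"),
    (r"PKIX path building failed|SSLHandshakeException", "Failure to Connect to Directory Server (SSL)"),
    (r"insufficient credentials", "Insufficient Credentials (known issue in 2019.1-2019.2 builds)"),
]
COMPILED = [(re.compile(pattern, re.IGNORECASE), label) for pattern, label in KNOWN_FAILURES]


def is_auth_line(line):
    """True if the line was written by one of the authentication subsystems."""
    return any(tag in line for tag in SUBSYSTEMS)


def classify_line(line):
    """Return the catalogue label for one log line, or None when the line is
    not an authentication message or matches nothing in the catalogue."""
    if not is_auth_line(line):
        return None
    for pattern, label in COMPILED:
        if pattern.search(line):
            return label
    return None


def triage(lines):
    """Count known failures and collect the authentication lines that matched
    nothing; those are the ones worth reading by hand or sending to Support."""
    counts = Counter()
    unclassified = []
    for line in lines:
        label = classify_line(line)
        if label is not None:
            counts[label] += 1
        elif is_auth_line(line):
            unclassified.append(line.strip())
    return counts, unclassified


# Constructed sample: several failed SSO attempts of different kinds plus an
# unrelated job line that the triage must ignore.
SAMPLE_LOG = """\
2023-03-06 10:15:02 (Single Sign-On) Client attempted NTLM authentication; single sign-on authentication supports only Kerberos V5 authentication. Refer to single sign-on documentation for resolution.
2023-03-06 10:15:02 (Single Sign-On) Failed authentication because of an invalid client token. Refer to single sign-on documentation for resolution.
2023-03-06 10:16:40 (Single Sign-On) Negotiation reported an error: "Failure unspecified at GSS-API level (Mechanism level: Checksum failed)".
2023-03-06 10:16:40 (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.
2023-03-06 10:20:11 (Single Sign-On) Negotiation reported a defective token from client: "Defective token detected (Mechanism level: GSSHeader did not find the right tag)".
2023-03-06 10:22:05 (Directory Server) Not using SASL for authentication, because configuration is incomplete.
2023-03-06 10:25:30 (Single Sign-On) Negotiation complete; authentication granted for user "jdoe@OTHER.EXAMPLE".
2023-03-06 10:25:30 (Single Sign-On) Failed authentication because user "jdoe@OTHER.EXAMPLE" could not be found in Active Directory.
2023-03-06 10:30:00 Workspace job 17 completed successfully.
"""

if __name__ == "__main__":
    # Usage: python triage_sso_log.py <FMEFlowFileShare>/Resources/Logs/Core/fmeserver.log
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    counts, unclassified = triage(lines)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    for line in unclassified:
        print("unclassified:", line)
```

Point the script at the log file from the Core logs folder; a non-empty "unclassified" list combined with a zero count for every heading usually means the failure is one this guide does not cover yet.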
Further Troubleshooting
- Did SSO work in a previous installation of FME Flow? Was the current configuration produced by a Backup/Restore process?
- Are you using multiple domains, or do you have your “realm” parameter set?
- Is the Host domain controller a round-robin or load-balanced address, or are you pointing directly at a single domain controller machine? Currently you must point directly at a domain controller; if additional domain controllers are required, add them under Alternate Servers.
- Is your KDC separate from the Domain Controller machine? If so, please ensure you have specified the KDC Host parameter.
- Is your SPN set up correctly? The green comment on this post highlights the need to have an SPN set for the machine name as well as for any CNAME that is specified for the server.
- Have you configured FME Flow for HTTPS? Was SSO working correctly before this was set up?
- Is your Active Directory Domain Controller set up to use HTTPS? If so, have you imported the CA certificate into FME Flow's trusted list?
Common Issues
"When I click on the 'Use Windows Credentials' button an additional Sign in dialog pops up"
Using Google Chrome, after attempting to log in to FME using SSO a second Sign In box appears requesting my credentials:
If I enter my credentials and click Sign in, nothing loads and the page stays blank. When I check the fmeserver.log there is no record of my sign-in attempt; this is because the client browser does not trust the server, so logging will be limited.
This is a web browser configuration issue that can be resolved through the Internet Options settings, where you must add FME Flow to the list of trusted sites. You can find instructions on how to do this under the Microsoft Edge heading here.
“Using ‘Use Windows Credentials’ I am returned You are not authorized to access this web application”
When I attempt to log in to FME Flow via single sign-on, the login page is returned with a warning that I am not authorized to access this web application. However, if I type in my Active Directory credentials the login succeeds.
There are two known causes for this error.
1. In your Active Directory Connection setup, check what you have entered for the SSO Service Account Name. This username should be entered as USERNAME only (i.e. no DOMAIN), unlike the Search Account Name. If you have entered a domain name here you will be presented with the above error and will be unable to log in using SSO.
2. Specify a Realm in the Optional Fields section of the Active Directory Connection setup.
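The SPN note in the Negotiation Error entry, the SPN/CNAME question under Further Troubleshooting, and the two causes just listed are all things you can check before touching the logs. The following pre-flight checker is an added example written for this article (not Safe Software code): it flags SPNs written in URL form or with an HTTPS service class, lists the host names (machine name plus every CNAME) that still lack an HTTP/ SPN, rejects an SSO Service Account Name that carries a domain, and warns when more than one domain is in use but no Realm is set. The settings dictionary, the SPN list and the host names are constructed; the function names and the setting keys are this example's own.

```python
"""Pre-flight check of the SSO settings this guide asks about.
Added example, not Safe Software code; all sample values are constructed."""
import re

# <service class>/<host>[:port][@REALM].  The guide notes that HTTP and HTTPS
# both use the HTTP service class, so only HTTP/ is accepted here.
SPN_RE = re.compile(
    r"^HTTP/(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)(?::(?P<port>\d+))?(?:@(?P<realm>[A-Za-z0-9.-]+))?$",
    re.IGNORECASE,
)


def check_spn(spn):
    """Return (ok, message) for one SPN string."""
    if "://" in spn:
        return False, f"{spn}: contains a URL scheme; enter it as HTTP/host, not http://host"
    if spn.upper().startswith("HTTPS/"):
        return False, f"{spn}: HTTPS is not a service class; HTTPS sites also use HTTP/host"
    if not SPN_RE.match(spn):
        return False, f"{spn}: not of the form HTTP/host[:port][@REALM]"
    return True, f"{spn}: well-formed"


def normalize_spn(spn):
    """Lower-case http/host with port and realm stripped, for set comparison;
    None for anything that is not a well-formed HTTP SPN."""
    m = SPN_RE.match(spn)
    return f"http/{m.group('host').lower()}" if m else None


def required_spns(hostname, cnames=()):
    """The machine name and every CNAME users browse to each need an SPN."""
    return {f"http/{h.lower()}" for h in (hostname, *cnames)}


def preflight(settings):
    """Run every check over a settings dict and return a list of findings;
    an empty list means nothing on this guide's checklist is wrong."""
    findings = []
    for spn in settings["registered_spns"]:
        ok, msg = check_spn(spn)
        if not ok:
            findings.append(f"SPN: {msg}")
    have = {normalize_spn(s) for s in settings["registered_spns"]} - {None}
    for missing in sorted(required_spns(settings["hostname"], settings["cnames"]) - have):
        findings.append(f"SPN: no SPN registered for {missing}")
    account = settings["sso_service_account"]
    if "\\" in account or "@" in account:
        findings.append(
            f"SSO Service Account Name {account!r} must be USERNAME only, without the domain "
            "(the Search Account Name is entered differently)"
        )
    if len(set(settings["domains"])) > 1 and not settings["realm"]:
        findings.append("Realm is empty but more than one domain is in use; set Realm under Optional Fields")
    return findings


# Constructed sample containing one of each mistake the checklist catches.
SAMPLE_SETTINGS = {
    "hostname": "fmeflow01.corp.example",
    "cnames": ["fme.corp.example"],            # alias users actually browse to
    "registered_spns": [
        "http://fmeflow01.corp.example",       # wrong: URL form instead of HTTP/host
        "HTTP/fmeflow01.corp.example@CORP.EXAMPLE",
    ],
    "sso_service_account": "CORP\\svc-fme",    # wrong: carries the domain
    "search_account": "CORP\\svc-fme-search",  # not checked; shown for contrast
    "domains": ["corp.example", "other.example"],
    "realm": "",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SETTINGS) or ["all checks passed"]:
        print("-", finding)
```

Feed `registered_spns` with the SPNs listed for the service account in your directory and `cnames` with every alias that resolves to the server; the missing-SPN finding is the one most often behind a Negotiation Error that only appears when users connect through an alias.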
“In the fmeserver.log there is an Encryption type error reported”
When attempting to configure single sign-on, you may not be able to log in automatically even though everything is configured correctly in the FME Flow configuration files. If you find the following error in the fmeserver.log:
Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
please review this article for a resolution.
“When I attempt to use SSO the fmeserver.log records a failed login by user due to insufficient credentials”
If your FME Server is between build b19594 (2019.1) and build b19797 (2019.2), and clicking the ‘Use Windows Credentials’ button produces messages in the fmeserver.log stating that the login attempts failed due to insufficient credentials, you may be encountering a known issue. To resolve it you must upgrade your FME Server. For more information please see this article.
“When I attempt to use SSO the fmeserver.log records a failed login by user due to No SASL mechanism specified in configuration”
In FME Server 2021.0 there is a known GUI issue: the Web UI sets the wrong Authentication Type when single sign-on is enabled. To work around this issue, remove the connection and recreate it using the REST API call POST /security/ldap/servers. For more information please see this article.
"When I attempt to use SSO, I receive a Login failed message and there is nothing in the FME Flow logs. My FME Flow is configured for HTTPS."
Ensure that you have correctly updated propertiesFile.properties, located in <FMEFlowDir>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\.
Within the properties file, locate the SINGLE_SIGN_ON_AUTH_URL parameter and ensure it uses HTTPS. Update the hostname and port portion of the URL to match the hostname through which the FME Flow Web User Interface is accessed.
Are you still experiencing issues?
Please consider posting to the FME Community Q&A if you are still experiencing issues that are not addressed in this article. There are also different support channels available.
If you have worked through all the troubleshooting steps listed above, your answers will help narrow down where the disconnect is. If all of these check out, change DEBUG_LEVEL to FINEST in the Tomcat propertiesFile.properties. On a default installation this configuration file is located at <FMEFlowDir>/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties. Restart FME Flow to apply the change, try logging in again, and then share a copy of the logs folder with Support along with the answers to the questions above.
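Both the SINGLE_SIGN_ON_AUTH_URL fix for the HTTPS issue above and the DEBUG_LEVEL change just described live in the same propertiesFile.properties. The following checker is an added example written for this article (not Safe Software code): it reads the file with a minimal Java .properties parser, reports whether SINGLE_SIGN_ON_AUTH_URL uses https and carries the host name and port users reach the Web UI through, rewrites only the scheme, host and port while keeping the installed path, and reports whether DEBUG_LEVEL is already FINEST. The file excerpt is constructed and contains only the two keys this article names; the URL path in it is a placeholder, and the function names are this example's own.

```python
"""Check SINGLE_SIGN_ON_AUTH_URL and DEBUG_LEVEL in propertiesFile.properties.
Added example, not Safe Software code; the file excerpt is constructed."""
import sys
from urllib.parse import urlsplit, urlunsplit


def parse_properties(text):
    """Minimal Java .properties reader: KEY=VALUE lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sso_url(props, web_ui_host, web_ui_port=443):
    """Return a list of findings for SINGLE_SIGN_ON_AUTH_URL (empty means fine)."""
    url = props.get("SINGLE_SIGN_ON_AUTH_URL", "")
    if not url:
        return ["SINGLE_SIGN_ON_AUTH_URL is missing"]
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is {parts.scheme!r}; an HTTPS-configured FME Flow needs https")
    if (parts.hostname or "").lower() != web_ui_host.lower():
        findings.append(f"host is {parts.hostname!r}; users reach the Web UI through {web_ui_host!r}")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if port != web_ui_port:
        findings.append(f"port is {port}; the Web UI is served on {web_ui_port}")
    return findings


def fix_sso_url(url, web_ui_host, web_ui_port=443):
    """Rewrite scheme, host and port; the path stays exactly as installed."""
    parts = urlsplit(url)
    return urlunsplit(("https", f"{web_ui_host}:{web_ui_port}", parts.path, parts.query, parts.fragment))


def debug_level_is_finest(props):
    """True when DEBUG_LEVEL is already at the level Support asks for."""
    return props.get("DEBUG_LEVEL", "").upper() == "FINEST"


# Constructed excerpt; a real propertiesFile.properties holds many more keys,
# and the URL path below is a placeholder, not the real one.
SAMPLE_PROPERTIES = """\
# constructed excerpt of propertiesFile.properties
SINGLE_SIGN_ON_AUTH_URL=http://localhost:8080/fmeserver/sso-placeholder
DEBUG_LEVEL=INFO
"""

if __name__ == "__main__":
    # Usage: python check_sso_properties.py <web UI hostname> [path/to/propertiesFile.properties]
    host = sys.argv[1] if len(sys.argv) > 1 else "fmeflow.corp.example"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROPERTIES
    props = parse_properties(text)
    for finding in check_sso_url(props, host) or ["SINGLE_SIGN_ON_AUTH_URL looks right"]:
        print("-", finding)
    print("suggested value:", fix_sso_url(props.get("SINGLE_SIGN_ON_AUTH_URL", ""), host))
    print("DEBUG_LEVEL is FINEST:", debug_level_is_finest(props))
```

The script only prints the suggested value; edit the file yourself and restart FME Flow afterwards, as the steps above require, so that both the URL change and a DEBUG_LEVEL change are picked up together.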