Skip past navigation linksSecure Global Desktop 4.40 Administration Guide > Users and Authentication > Users Cannot Log In With Web Server Authentication

Users Cannot Log In With Web Server Authentication

Common problems users experience when they log in to SGD using web server authentication include:

To help diagnose and resolve some of these problem, add the following log filters on the Global Settings, Monitoring tab in the SGD Administration Console:

Skip past command syntax or program codeserver/login/*:log_file_name%%PID%%_error.jsl

Web Server Authentication Fails

If a user fails to authenticate to the web server, they might see a message such as "401 Authorization Required". This indicates that either there is a problem with the user name and password the user is typing, or there is a problem with the web server configuration.

Check the following:

Users See the Standard SGD Login Page

If web server authentication is not set up correctly or it fails for any reason, SGD displays the standard login page. The following table lists the things you might need to check.

What To Check More Information
Is the right SGD URL protected? For the webtop, you must set up your web server to protect the /sgd URL.
Is Tomcat configured to trust the web server authentication? The Tomcat component of the SGD Web Server has to be configured to trust the Apache web server authentication.

On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the tomcatAuthentication="false" attribute to the <Connector> element for the Coyote/JK2 AJP 1.3 Connector:

Does the user have a user profile in the local repository? If your configuration of SGD relies on users having user profile objects in the local repository and you have not enabled one of the fallback profile objects, users might not be able to log in. If this happens and you have enabled the additional logging, search the log file for messages that indicate that SGD could not find a match for the authenticated user.

Either create a user profile for the user or enable one of the fallback profile objects, see Third-party Authentication for more details.

Is the user a Secure Global Desktop Administrator? By default, Secure Global Desktop Administrators cannot access SGD if they have been authenticated by a web server. To change this behavior, run the following command:
Skip past command syntax or program code$ tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
Have you changed the trusted user? If you have changed the user name and password of the trusted user, have you verified that the new user works? See Trusted Users and Third-Party Authentication for details.

Users Get the Wrong Webtop

Web server authentication does not support ambiguous users. This means users get the webtop of the first matching user profile.

Search the SGD log files for messages that indicate an ambiguous user.

To resolve the situation, you can either of the following:

Related Topics