
Hi Everyone,

 

In this month's blog, we are going to share troubleshooting steps for the most common error message, ARERR 623 Authentication Failed, seen after authenticating through Remedy Single Sign On (RSSO). This error means that the user is authenticated successfully by Remedy SSO but fails authorization on the AR Server.

 

You might see this error for several different reasons. Go through the steps below to resolve a 623 Authentication failed error:

 


 

1. Check AR Integration

 

a. Make sure the following AREA settings (<AR>/Conf/ar.cfg) are configured on the AR Server

    (Can be set from the Server Information form > EA tab):

 

External-Authentication-RPC-Socket: 390695

Authentication-Chaining-Mode: 1

Crossref-Blank-Password: T

 

b. Make sure that the rsso.cfg file exists in <AR>/Conf and that the entry below points to the correct Remedy SSO server service URL:

 

SSO-SERVICE-URL: <rsso_service_url>

 

c. Make sure that the files below are present in <AR>/pluginsvr:

 

rsso-area-plugin-all.jar

gson-2.3.1.jar

slf4j-api-1.7.25.jar (For RSSO 18.11 or later versions)

 

d. Check the entries below in <AR>/pluginsvr/pluginsvr_config.xml:

<plugin>
    <name>ARSYS.AREA.RSSO</name>
    <classname>com.bmc.rsso.plugin.area.RSSOPlugin</classname>
    <pathelement type="location"><AR>/pluginsvr/rsso-area-plugin-all.jar</pathelement>
    <pathelement type="location"><AR>/pluginsvr/gson-2.3.1.jar</pathelement>
    <!-- For RSSO 18.11 or later versions -->
    <pathelement type="location"><AR>/pluginsvr/slf4j-api-1.7.25.jar</pathelement>
    <userDefined>
        <configFile>{AR}/Conf/rsso.cfg</configFile>
    </userDefined>
</plugin>

 

2. Operating-Mode parameter in ar.cfg

 

- If you are getting a 623 error after an AR Server upgrade, it might be due to the Operating-Mode parameter in ar.cfg in <AR>/conf.

- Make sure that Operating-Mode in ar.cfg is set to 0. If it is 1, you will see this issue.

- You will need to restart the AR Server after changing the parameter.

- If you are interested in knowing more about the Operating-Mode parameter, you can go through the AR blog post "Operating Mode".

 

3. Server Plugin Alias entry for AREA plugin

 

- The AR Server's AREA plugin is used by the RSSO plugin for authentication. If the line below is missing from ar.cfg, you will encounter a 623 error.

- Server-Plugin-Alias: AREA AREA <servername>:9999

- If it is missing, add the above entry and restart the AR service.

 

4. Check Certificates (If using HTTPS for RSSO)

 

- If you are using the HTTPS protocol for the RSSO service URL in rsso.cfg, you might see a 623 error because of TLS handshake issues between the AR Server and the RSSO server.

- To avoid certificate-related errors, import the RSSO root certificate into the Java cacerts trust store on the AR Server.

- If you want to confirm whether the issue is caused by certificates, you can disable SSL/TLS checks for HTTPS communication on the agent side. This should be used only to confirm whether the issue is related to certificates, not as a permanent setting.

- To disable the SSL/TLS checks, change the parameter below to true in the rsso.cfg file in <AR>/conf:

    com.bmc.rsso.tls.disable.checks: true

- This is only available for RSSO 19.05 & later versions
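
The checks from steps 1 to 4 can be scripted. The following Python example is added here and is not BMC code: it parses the text of ar.cfg and rsso.cfg and reports the settings this post names, including a com.bmc.rsso.tls.disable.checks switch left at true after a certificate test. The function names and sample file contents are constructed for illustration; it assumes that lines starting with # are comments and that an absent Operating-Mode line is acceptable.

```python
import re

# AREA settings from step 1a; every occurrence in ar.cfg must carry this value.
REQUIRED_AR = {
    "External-Authentication-RPC-Socket": "390695",
    "Authentication-Chaining-Mode": "1",
    "Crossref-Blank-Password": "T",
}
AREA_ALIAS = re.compile(r"AREA\s+AREA\s+\S+:\d+")  # step 3: AREA AREA <servername>:<port>

def parse_cfg(text):
    """Parse 'Key: value' lines into {key: [values]}; '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def audit(ar_cfg_text, rsso_cfg_text):
    """Return a list of findings; an empty list means every check passed."""
    ar, rsso = parse_cfg(ar_cfg_text), parse_cfg(rsso_cfg_text)
    findings = []
    for key, want in REQUIRED_AR.items():
        if set(ar.get(key, [])) != {want}:
            findings.append(f"ar.cfg: {key} should be {want}, found {ar.get(key)}")
    # Step 2. Assumption: an absent Operating-Mode line is not flagged.
    if any(v != "0" for v in ar.get("Operating-Mode", [])):
        findings.append("ar.cfg: Operating-Mode is not 0")
    # Step 3: the AREA alias must be present.
    if not any(AREA_ALIAS.fullmatch(a) for a in ar.get("Server-Plugin-Alias", [])):
        findings.append("ar.cfg: Server-Plugin-Alias for AREA is missing")
    # Step 1b: the service URL must be present and look like a URL.
    urls = rsso.get("SSO-SERVICE-URL", [])
    if not urls or not urls[-1].lower().startswith(("http://", "https://")):
        findings.append("rsso.cfg: SSO-SERVICE-URL is missing or not a URL")
    # Step 4: the diagnostic switch must not stay enabled.
    if "true" in (v.lower() for v in rsso.get("com.bmc.rsso.tls.disable.checks", [])):
        findings.append("rsso.cfg: com.bmc.rsso.tls.disable.checks is true")
    return findings

# Constructed sample file contents (not from a real server).
SAMPLE_AR = ("External-Authentication-RPC-Socket: 390695\n"
             "Authentication-Chaining-Mode: 1\nOperating-Mode: 1\n")
SAMPLE_RSSO = ("SSO-SERVICE-URL: https://rsso.example.com/rsso\n"
               "com.bmc.rsso.tls.disable.checks: true\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_AR, SAMPLE_RSSO)))
```

To use it on a server, pass the contents of <AR>/Conf/ar.cfg and <AR>/Conf/rsso.cfg to audit() in place of the sample strings.
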

 

5. Midtier Service Password

 

- You might see a 623 error for the Midtier service account after login, e.g. ERROR (623): Authentication failed; MidTier Service

- That means you don't have the correct password for the AR Server in the Midtier Config tool.

- You can update the password from Midtier Config tool → AR Server Settings.

- Select the AR Server and click the edit button.

- Make sure that you check the Validate password option, as it will give an error if the password is not correct.


6. Check Username

 

- Sometimes the error is seen because the username received from the IDP (the IDP could be LDAP/SAML/OKTA etc.) doesn't match the one that exists in the AR Server's User form.

- You can validate this by going to the RSSO Admin Console and checking sessions. It will show you the username received from LDAP or another authentication protocol.

- If that does not match the username on the User form, you will need to use a transformation on the RSSO Admin console.

  e.g. If LDAP is sending the username as "user@bmc.com" but on the User form it is specified as "user", you will need to use the "Remove Email domain" transformation on the RSSO console.

 

7. AR Java plugin related issues

 

- The RSSO plugin is part of the AR Java plugin. You might see a 623 error if the AR Java plugin is not initialized or not working.

- You can run the command below on the command line (ar_plugin_port stands for the AR plugin port):

    netstat -an | findstr "ar_plugin_port"


- You can also check in Task Manager whether the AR Java plugin process is running.


- You will need to add the "Command line" column in Task Manager to see the complete Java path.

- If you cannot see a Java process with "pluginsvr;" in the command line, the plugin is not initialized.

- You can check arjavaplugin.log in ARSystem/db to see errors related to RSSO.

- If you don't see details for the login failure in the log, you can enable debug level logging for the AR Java plugin and restart the plugin.

- You will need to log in again to get more details on why authentication is failing with a 623 error on the AR Server.

- Here is the KA to enable debug level logging for the AR Java plugin:

    Remedy - Server - v.9.x How to enable DEBUG Java Plugin Server Logging in AR System in the arjavaplugin.log file

 

These troubleshooting steps should help you to resolve a 623 error. Thank you for reading this blog!