Need help troubleshooting Luminis Live SSO

Feb 13, 2009 at 12:59 PM
I have installed the Luminis Live SSO for our environment: Luminis III. When I go to the test page, I get a message that says Authenticated: jstroup@test.gardner-webb.edu and a GUID. But when I click on the link I get "Page cannot be displayed". I have tried contacting Microsoft and they have been no help so far.

Can someone tell me how to go about troubleshooting this problem? I am honestly not sure where to start. Thanks!
May 26, 2009 at 3:16 PM
Edited May 26, 2009 at 3:22 PM

I am actually having the same issue with out implementation.  I have opened a ticket with microsoft as well.  If anyone has any ideas, please let me know.  I've ran through the entire setup multiple times, every time with the same result.  I see all the values from the web.config files showing up properly in the .Net configuration.  I've also tried both the 4.0 and 4.1 versions of SSO from Microsoft, without a change.

 

Thanks for any help or guidance anyone can provide.

Developer
May 26, 2009 at 4:16 PM

Are you referring to the testredirect.jsp page on the Luminis Server?  The link is built using the variables at the top of the page that you must provide values for.  The actual link target is built using the value for redirectUrl, which should point to the URL for your Windows Web Server.

Also, Microsoft will not support this custom solution unless it is a configuration of the Windows Web Server that has been unaltered.

May 26, 2009 at 7:55 PM

Thanks for the response.

Our problem isn't with the testdirect.jsp page, basically what is happening is after the user logs into the Luminis portal, and then uses the email link, a new window pops up with the following address:

http://%windows web server IP%/SSO/Public/Redirect.aspx?ID=%GUID% 

From my understanding this is correct.  However, that page resolves to a 404 - File or directory not found error, instead of going to Windows Live Mail.

When just doing a simple "Browse" from IIS on the redirect.aspx page, it also returns the same error (http://localhost/SSOPortal/Public/Redirect.aspx).  I'm not sure if there's a paramenter in the web.config file on the Windows Server configured incorrectly, but when I check the configuration in ASP.NET, redirectURL is pointing to http://mail.live.com/default.aspx, which I can open from IE on the web server.

Hope this makes some sense.

Developer
May 26, 2009 at 8:35 PM

I know it's confusing, but the redirect in the web.config is different than the Luminis redirect.  I do notice you have mail.live.com for the web.config... are you using Hotmail?  There were some additional files in the zip for the Windows Web Server that needed to be merged into the website.  Can you validate that \public\Redirect.aspx actually exists in the file system?

May 26, 2009 at 8:46 PM

We are infact using Hotmail for our mail system, we will be going to Outlook Live and sometime in the future, just not right now.  On the Windows Server, the path to the redirect.aspx is C:\Inetpub\wwwroot\SSOPortal\Public\redirect.aspx.   The redirect.aspx.cs resides in this directory as well.  The redirect.aspx and redirect.aspx.cs have not been edited from the originals provided via CodePlex.  Only the web.config file has been changed.  Is that correct?

Developer
May 26, 2009 at 9:49 PM

This is correct.  You shouldn't need to alter those files.  The only non-standard setting from the SSO Toolkit to support this page is adding the connection string in the web.config, which should be updated as you point out.  I wonder if you are experiencing a permissions issue.  You need anonymous access turned on in IIS for the public virtual directory and the anonymous user account should have read permissions to the files in the file system.  It's possible that if you extracted the files to some other location and then moved (as opposed to copy) the files, they do not inherit the file permissions properly.  You can force inheritance or simply add the anonymous account with read permissions.

May 27, 2009 at 4:08 PM

I went back through and re-setup the directories (keeping the same Web.Config).  I had previously done a "move" rather than a copy.  I then explicitly gave both the "Internet Guest Account" and "ANONYMOUS LOGON" Read & Execute rights on everything at or below the SSO directory.  I restarted IIS and that didn't seem to resolve the issue we are having.  Is there anyway to verify the redirect in IIS by using the "Browse" function in the IIS manager?  I'm wondering if there could be a problem on the Luminis server.  If you have any other thoughts let me know (and thanks again for the help).

As a side question, should the Web.Config be in the Public Directory or in the SSOPortal Directory?

May 28, 2009 at 10:12 PM

Bit of a different error now (an a much more meaningful one).  I get this on the redirect.aspx page:

Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

Compiler Error Message: CS0246: The type or namespace name 'LiveSLT' could not be found (are you missing a using directive or an assembly reference?)

Source Error:

 
Line 87:                     redirected = true;
Line 88: 
Line 89:                     LiveSLT ticket = new LiveSLT(certThumb, siteID, webProxy, loginSeconds);
Line 90:                     string slt = ticket.GetSLT(liveMail);
Line 91: 

Source File: c:\Inetpub\wwwroot\SSOPortal\Public\Redirect.aspx.cs    Line: 89

Developer
May 29, 2009 at 2:27 AM

Ahhhhh, this is making more sense now.  It looks like you may have an older copy of the SSO Toolkit.  Where\When did you get your copy?  The one that is up on connect.microsoft.com is v4.1 and this Luminis solution will work with any v4+.  The SSO Toolkit v4+ has the LiveSLT.cs file in the App_Code directory.  Can you verify?

May 29, 2009 at 4:58 PM
Edited May 29, 2009 at 7:16 PM

My problem was I didn't "merge" the two App_Code directories, instead I just replaced the one from the SSO toolkit with the one from codeplex. The original 404 error I had been getting was caused by improperly configured Web Service Extensions (the ASP .Net version I was using wasn't shown in the list of web service extensions in IIS, so it was prohibiting them even though it wasn't showing me the option to set it to Allowed). 

Fixing the App_Code directory has led me to my latest issue (below).  I did install the windows live ID server even though for our setup (hotmail) I'm not sure if it's needed.  I set up the rpsserver.xml file according to the SSO documenation, but it doesn't give much guidance in editing it.  Any thoughts?

Microsoft Live Single Sign-On cannot be completed at this time. Please return to the school portal to access your email.

Cannot find object or property. Internal error: CertFindCertificateInStore failed, the certificates in the config\certs directory must be installed to the local machine cert store with the private key :cs.rpssample.pp.test.microsoft.com.
Developer
May 29, 2009 at 7:09 PM

This one is actually fairly common.  There may even be another thread on this in codeplex.  It has to do with the setup for RPS.  The zip file that contained the SSO Toolkit had a special copy of RPSServer.xml that is in the root of the SSO Toolkit zip file.  What you will need to do is uninstall RPS and reinstall using this special copy of the RPSServer.xml.  For example, if you extract the SSO Toolkit to c:\SSO, you will type the full path when asked by the RPS setup of C:\SSO\RPSServer.xml.  If you simply type RPSServer.xml, it will give you the wrong one, you need the full file path.  The ONLY other setting during RPS installation you will change is for selecting the production environment.

Jun 8, 2009 at 4:55 PM

That did the trick.  Our SSO implementation is now working properly.