Re: [ovirt-users] Troubleshooting VM SSO on Windows 10 (ovirt 4.2.1)

Anyone???

Hi, I'm trying to set up SSO on Windows 10; the VM is domain joined, has the agent installed and the credential provider registered. Of course I set up an AD domain and the VM has SSO enabled.

Whenever I log in to the user portal and open a VM I'm presented with the login screen and nothing happens; it's like the engine doesn't send the command to autologin.

In the agent logs there's nothing interesting, but the communication between the engine and the agent is OK: for example, the command to lock-screen on console close runs and works:

Dummy-2::INFO::2018-03-01 09:01:39,124::ovirtagentlogic::322::root::Received an external command: lock-screen...

This is an extract from the engine logs when I log in to the user portal and start a connection:

2018-03-01 11:30:01,558+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-30) [] User c.mammoli at apra.it successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-03-01 11:30:01,606+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-31) [7bc265f] Running command: CreateUserSessionCommand internal: false.
2018-03-01 11:30:01,623+01 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-31) [7bc265f] EVENT_ID: USER_VDC_LOGIN(30), User c.mammoli at apra.it@apra.it connecting from '192.168.1.100' using session '5NMjCbUiehNLAGMeeWsr4L5TatL+uUGsNHOxQtCvSa9i0DaQ7uoGSi6zaZdXu08vrEk5gyQUJAsB2+COzLwtEw==' logged in.
2018-03-01 11:30:02,163+01 ERROR [org.ovirt.engine.core.bll.GetSystemStatisticsQuery] (default task-39) [14276418-5de7-44a6-bb64-c60965de0acf] Query execution failed due to insufficient permissions.
2018-03-01 11:30:02,664+01 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-54) [617f130b] Running command: SetVmTicketCommand internal: false. Entities affected : ID: c0250fe0-5d8b-44de-82bc-04610952f453 Type: VMAction group CONNECT_TO_VM with role type USER
2018-03-01 11:30:02,683+01 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-54) [617f130b] START, SetVmTicketVDSCommand(HostName = r630-01.apra.it, SetVmTicketVDSCommandParameters:{hostId='d99a8356-72e8-4130-a1cc-e148762eca57', vmId='c0250fe0-5d8b-44de-82bc-04610952f453', protocol='SPICE', ticket='u2b1nv+rH+pw', validTime='120', userName='c.mammoli at apra.it', userId='39f9d718-6e65-456a-8a6f-71976bcbbf2f', disconnectAction='LOCK_SCREEN'}), log id: 18fa2ef
2018-03-01 11:30:02,703+01 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-54) [617f130b] FINISH, SetVmTicketVDSCommand, log id: 18fa2ef
2018-03-01 11:30:02,713+01 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-54) [617f130b] EVENT_ID: VM_SET_TICKET(164), User c.mammoli at apra.it@apra.it initiated console session for VM testvdi02
2018-03-01 11:30:11,558+01 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedThreadFactory-engineScheduled-Thread-49) [] EVENT_ID: VM_CONSOLE_CONNECTED(167), User c.mammoli at apra.it is connected to VM testvdi02.

Any help would be appreciated
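An added example, not part of the thread: engine.log extracts like the one in the message above carry the portal session value and the SPICE console ticket, so this sketch splits run-together records at their timestamps, pulls out the correlation id and EVENT_ID, and masks both values before the extract is shared. The function names and every value in the constructed sample are assumptions.

```python
import re

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2}"
RECORD = re.compile(rf"({TS}) (\w+) +\[([\w.]+)\] \(([^)]*)\) \[([^\]]*)\] (.*)", re.S)
SECRET = re.compile(r"((?:ticket=|using session )')[^']*'")
EVENT = re.compile(r"EVENT_ID: (\w+)\((\d+)\)")

# Constructed sample: three records run together on one line, as in the
# archived post. Host, user, session and ticket values are placeholders.
SAMPLE = (
    "2018-03-01 11:30:01,623+01 INFO [org.ovirt.engine.core.dal.dbbroker."
    "auditloghandling.AuditLogDirector] (default task-31) [7bc265f] EVENT_ID: "
    "USER_VDC_LOGIN(30), User user@example.test connecting from '192.0.2.10' "
    "using session 'Q09OU1RSVUNURUQ=' logged in. "
    "2018-03-01 11:30:02,683+01 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker."
    "SetVmTicketVDSCommand] (default task-54) [617f130b] START, "
    "SetVmTicketVDSCommand(HostName = host01.example.test, "
    "SetVmTicketVDSCommandParameters:{protocol='SPICE', ticket='PLACEHOLDER+x', "
    "validTime='120'}), log id: 18fa2ef "
    "2018-03-01 11:30:11,558+01 INFO [org.ovirt.engine.core.dal.dbbroker."
    "auditloghandling.AuditLogDirector] (EE-ManagedThreadFactory-engineScheduled-"
    "Thread-49) [] EVENT_ID: VM_CONSOLE_CONNECTED(167), User user@example.test "
    "is connected to VM testvm01."
)

def split_records(text):
    """Split run-together log text at every timestamp (assumes none occur inside a message)."""
    starts = [m.start() for m in re.finditer(TS, text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]

def parse(record):
    """Return the record's fields, with ticket and session values masked in the message."""
    m = RECORD.match(record)
    if not m:
        return None
    ts, level, logger, thread, corr, msg = m.groups()
    ev = EVENT.search(msg)
    return {"ts": ts, "level": level, "source": logger.rsplit(".", 1)[-1],
            "corr": corr, "event": ev.group(1) if ev else None,
            "msg": SECRET.sub(r"\1<redacted>'", msg)}

def scrub(text):
    """Parse every record in text; records that do not match the layout are dropped."""
    return [p for p in map(parse, split_records(text)) if p]
```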

On 5 Mar 2018, at 09:49, Cristian Mammoli <c.mammoli@apra.it> wrote:
> Anyone???

What authentication to the portal are you using? SSO only works if you provide user and password in oVirt’s login screen.

It's LDAP-based with Active Directory; of course I log in to the user portal with the correct credentials.

> What authentication to the portal are you using? SSO only works if you provide user and password in oVirt’s login screen.
--
Cristian Mammoli
System Administrator
Participants (2)
- Cristian Mammoli
- Michal Skrivanek