We help IT Professionals succeed at work.

GWIA Issue

1,403 Views
Last Modified: 2013-12-05
Hello,

I am having an issue with gwia authentication for all of my users.  The problem started seemingly randomly,  I am running groupwise 7 on a SLES 9 box.  When users attempt to login to gwia it actsas though they have incorrectly entered the username/password (please login again...you must have typed username/pw incorrect).  After several attemps its locks the mailbox for 15 minutes as it would usually do if incorrect credentials had been entered.  I am not sure where to even start as nothing has changed as far as I know.  - Additional info - the groupwise client does work internally but attempting to access gwia internally either via domain name or internal ip net the same result.

Any help will be greatly appriciated.

Thanks
Comment
Watch Question

Scott KunauSr. Consultant/Managing Partner

Commented:
What is the purpose for your users to access the GWIA with login and password?  IMAP or POP?  Has this worked in the past?  What has changed in the past few days with regards to patches, updates, etc. on the server?

Are you having the same issue with WebAccess and user authentication?

Scott

Author

Commented:
Sorry for the confusion, I just worded my question improperly.  They can not authenticate with webaccess, that is my entire issue.  They do not actually access the gwia backend.  Using the groupwise client internally works fine.  I have not installed any updates or changed anything, it just seemingly stopped working about 4 days ago.
Scott KunauSr. Consultant/Managing Partner

Commented:
Try the following:

Do you see the WebAccess login screen?  If so that means apache2 and tomcat are working and we can move to the following:

rcgrpwise status which will tell you the status of all of the agents.  Look for one probably call webac70a or webacc or <yourdomainname.webac70a>.  What is the status (running, failed, unused)?

If you don't see the WebAccess login screen try these:

next rcapache2 status  is it running, failed, unused?
next rcnovell-tomcat (4 or 5 I'm not sure which number to add to tomcat) status  is it running or not?

Assuming you get the WebAccess login screen, what is the error you get when trying to login to Webaccess?

Thanks for clarifying the login problem...I didn't think you meant GWIA but wasn't sure and I didn't want to assume.

Scott

Author

Commented:
I do see the web access screen.  When I enter correct credentials and attempt to login I recieve the error "Please login again, you may have typed your name or password incorrectly."  After a few failed attempts at this it locks the mailbox for 15 minutes as it should do with an incorrect password entry.  Running rcgrpwise status shows me that webac70a status is "done"

Thanks for the quick reply and the patience...I am an exchange guy trying to fix a group wise problem.
Scott KunauSr. Consultant/Managing Partner

Commented:
ok.  The problem is in the apache web server.  Find the webacc.cfg file (may have to do a find / -name webacc.cfg in a shell prompt).  Once you find it, open it with an editor and go looking for a security.useclientIP=true (that may not be the exact but it will be close enough to take you to the right place in the file).  Change it to false and then wait a few minutes.  Apache and Tomcat refresh every 10 minutes or so.  Or you can do a rcapache2 restart and a rcnovell-tomcat(with a number) restart

Then try and login.

Let me know.

Scott

Author

Commented:
I found the security.useclientIP=true and changed that to false, restarted apache and tomcat, and I am still getting the same thing at webaccess.
Sr. Consultant/Managing Partner
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
I get a 503 service unavailable error when i try to go to the specified port number.

Author

Commented:
One thing i did notice though is it redirects me to https:// when i attempt to access that port through http://

I don't know if that is usual behavior for that or not.

Thanks

Author

Commented:
Another thing - When i go to port 7211using the servers name it gives me an authentication dialog box, none of my credentials will work in this box though.
Scott KunauSr. Consultant/Managing Partner

Commented:
Go back to ConsoleOne, highlight the WebAccess gateway object and right click properties and then look for the GroupWise tab where you'll find Optional Gateway settings.  At the bottom of that screen you'll find the http user and password.  Change the user account to whatever entity you want and password (this shouldn't be a GW or eDirectory user, rather just a name and password you'll remember).  After clicking OK, wait about 3 or so minutes and then try the login again.

You can do the above to all of the agents as you need in basically the same place in C1.

Scott

Author

Commented:
Hmm... we have three gateways listed, i changed the username and password for http access on all three, have waited several minutes and none of them work.
Scott KunauSr. Consultant/Managing Partner

Commented:
Do you get a windows login prompt?  You may have to go into the /opt/novell/groupwise/agents/share directory on your SLES box and edit the webac70a.waa and add your username and password to the http section.  Then type rcgrpwise stop webac70a and press enter.  Wait for the gateway to shutdown and then type rcgrpwise start webac70a (enter) and wait for it to start up.  Then go back to the browser and give it a try.

Another thing you may have to end up doing is rebuild the domain database.  There is a possibility that something in the domain database for the domain that houses your WebAccess gateway (and others too) is corrupted or beginning to get corrupted.  It is an easy process but the gateways and the MTA must be down in order to do the rebuild.  Usually takes less than 5 minutes so if you can't get into WebAccess or the web console, a rebuild will likely be in the cards.

Author

Commented:
I am no able to get to the web console and look at logs (thanks for bearing with me on that, your instructions were great)  i restarted it so here is a fresh log file:

04-02-09 16:32:12 ***** WebAccess Configuration Information *****
04-02-09 16:32:12  
04-02-09 16:32:12 General Settings:
04-02-09 16:32:12   Agent Version: 7.0.1  (6/13/2006)
04-02-09 16:32:12   Gateway Home Directory: /mail/nsddom/wpgate/webac70a
04-02-09 16:32:12 Linux Release 2.6.5-7.287.3-bigsmp
04-02-09 16:32:12   SNMP: Disabled
04-02-09 16:32:12   Work Directory: /opt/novell/groupwise/agents/share/tmpFiles
04-02-09 16:32:12  
04-02-09 16:32:12 Log Settings:
04-02-09 16:32:12   Log File: /var/log/novell/groupwise/nsd_domain.webac70a/000.prc/0402web.004
04-02-09 16:32:12   Log Level: NORMAL
04-02-09 16:32:12   Max Log File Age (days): 7
04-02-09 16:32:12   Max Log Disk Space (kb): 65536
04-02-09 16:32:12  
04-02-09 16:32:12 Client/Server Settings:
04-02-09 16:32:13   IP Address: server
04-02-09 16:32:13   TCP Port for Incoming Connections: 7205
04-02-09 16:32:13   Client/Server over SSL: Enabled
04-02-09 16:32:13   WebConsole: Enabled
04-02-09 16:32:13   WebConsole Url: https://server:7211
04-02-09 16:32:13  
04-02-09 16:32:13 Performance Settings:
04-02-09 16:32:13   Processing Threads: 12 (Default)
04-02-09 16:32:13   Maximum users: 250
04-02-09 16:32:14 ****************************************************************
04-02-09 16:32:14 Warning: Public Userid for WebPublisher not configured
04-02-09 16:32:14 GWDVA is initialized and running
04-02-09 16:32:14 WebAccess Server is ready for work
04-02-09 16:33:26 Login failed: randomuser


the only thing i changed was the servername/ip and username for logon failure

Thanks
Scott KunauSr. Consultant/Managing Partner

Commented:
Looks like it is behaving normally except for the fact that you can't login.

Can you open the /opt/novell/groupwise/agents/share/webac70a.waa file and look for the /loglevel (or perhaps --loglevel) and unremark it by removing the ; plus remove the text to the right of the hyphen and replace that text with verbose so it will look like:

/loglevel-verbose  or --loglevel-verbose

Then save and exit the file (if you're using the vi utility it will be :wq enter)  then rcgrpwise stop webac70a wait for it to stop and then rcgrpwise start webac70a.

Then try and login and look at the log file just like what you've posted.  Hopefully in verbose mode, we'll be able to see more information for error code searching.  If that doesn't offer anything, we'll proceed with a database rebuild.  Are you onsite and perhaps callable for me to walk you through a rebuild?

Author

Commented:
The log level now shows as verbose but the error is still just login failed.  I am not onsite but have remote access to everything.  

Author

Commented:
One thing that I find confusing is that users can connect internally with the groupwise client, I would think that this would mean that there wasn't an issue with the database, but I don't really know.


Thanks
Scott KunauSr. Consultant/Managing Partner

Commented:
I'll try to walk you through the domain database rebuild.

1) in a shell prompt type rcgrpwise status and copy down the name of the domain, the gwia, the webaccess (which we know is webac70a).

2) type rcgrpwise stop domain name then enter to stop the MTA
3) type rcgrpwise stop <the name of gwia>
4) type rcgrpwise stop webac70a

5) In ConsoleOne, find the domain that houses the webaccess and right click GroupWise Utilities | System Maintenance.  Click the rebuild database and then click run.  A box will appear with the path to where the database is located.  Change this path to /tmp and then click ok to rebuild the db...if you get any error, please post them.

6) If you don't get any error or message other than database rebuild complete/successful, close out of the rebuild utility and then close ConsoleOne.  Open a shell prompt and cd to the directory where the GroupWise domain database/directory is located.

7) Confirm (by typing ls wpdomain.db then enter) that you see a wpdomain.db file in the domain directory we just rebuild.  If so, type mv wpdomain.db wpdomain.402 and press enter.

8) Confirm that you see wpdomain.402 by typing ls in the same directory.

9) Type mv /tmp/wpdomain.db . (single period).  That puts the rebuilt database into place.

10) Repeat step 7 except for the rename part.

11) type rcgrpwise start name of domain wait for the green "done" then do the same for the gwia and the webaccesss.

12) When you're done reloading the agents, type ps -ef | grep gw and confirm that you see a process running webac70a.waa, one running gwia.cfg and one running domain mta.

By rebuilding the file to a separate location, you're protecting the one that is inplace and possibly broken.

Scott

Author

Commented:
Everything went well with the rebuild, new file is in place, all services started back up.  Still same problem.  
Scott KunauSr. Consultant/Managing Partner

Commented:
If you're still available tonight, send me an email to skunau-at-igtg-dot-net and we'll figure out a way for me to remote in and look.  Otherwise, I'm available Friday morning.

Commented:
One question:

When using the groupwise client, are the users authenticated to eDirectory, and is the POst office set to allow authenticated users to access Groupwise?  

Or, are they using their Groupwise password to log in (not the eDirectory password - those are two different things) Becuase Webaccess will only authenticate a user with the Groupwise password, not the eDirectory password.  
Scott KunauSr. Consultant/Managing Partner

Commented:
Is the login problem with WebAccess solved?  If so, what did it take to get it working?
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.