Web Single Sign-on Problems and Diagnosis
Last modified on 13 August 2020 08:53 PM
PaperCut’s Web SSO functionality (see SSO chapter in manual) is compelling and in the case of Windows Authentication, easy to implement.
But the technology underlying SSO is complex and there are many Windows policy and configuration variables that can occasionally cause things to go wrong.
If you find yourself locked out of PaperCut, you can bypass SSO to get PaperCut’s standard login screen by adding “/nosso” to the URL. For example:
If automatic Windows Authentication cannot proceed, the browser may ask for your credentials. If you provide incorrect credentials, or click Cancel, the request will fail as “Not Authorized”. There are several reasons why you may see this behavior:
In this scenario, the URL for the PaperCut server is already in the Intranet Zone, but users are still being prompted for credentials to sign in when using Internet Explorer or Chrome. This was seen to happen when customers followed the instructions to set up their PaperCut Application Server service to run as a domain user or Service Account. The solution is to edit an advanced attribute on the account that PaperCut is running as, then specify the FQDN of your PaperCut server for the servicePrincipalName attribute. This issue was was fixed with the release of PaperCut 18.2.6.
(Note that If you try browsing to the web interface again and seen an error code “0×20b5:- The name reference is invalid”, then try editing the servicePrincipalName with this syntax “http/fully qualified domain”. Also in some cases this has been case sensitive and the syntax are “HTTP/fully qualified domain”.)
A white screen with no browser authentication prompt indicates a failure in the Windows Authentication process. For example, there may be a site or browser mis-configuration that makes the Windows Domain controller unreachable. You should ensure that the browser is accessing the PaperCut server directly and not via a proxy server.
Internet Explorer users may see this when they are actually getting a “HTTP 413” error (see below)
If using Kerberos SSO the HTTP headers can be large, and can exceed the jetty default max size (4096 bytes). This can be fixed with a
If your Windows login does not have PaperCut admin rights, you will not be able to access the admin interface. Instead, you may be redirected to the PaperCut user interface. If you have been using the built-in “admin” account prior to using SSO, you may log in with that account using the
Try to isolate the problem as much as possible. For example, log in to the Windows machine running the PaperCut application server and try to access PaperCut from localhost.
If you wish to report an SSO problem to PaperCut support, please collect the following diagnostic information:
To collect the server debug logs: