SAML 2 Authentication with Separate Webui / webreports servers

I posted this on a 2 year old thread but I’m posting it as a new topic as well in case the old thread is not being followed anymore: “SAML Authentication with multiple servers”.

My root server and webreports are on the same Windows 2016 server and webui is on a separate Windows 2016 server. I configured SAML 2.0 using ADFS following the HCL tech doc “https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_how_to_configure_bigfix_to_int.html”.

I’m able to log into Webui with SAML with no issues but webreports and console do not work.
Webreports throws an error “HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: no alternative certificate subject name matches target host name ‘************’”. Weird that the host name in the error is the host name of the webui server even though it’s not the server which hosts webreports!!

When I try to launch the Bigfix console with SAML checked, first I get a security alert (almost looks like an IE alert) “the identity of this website cannot be verified, Do you want to proceed” with Yes, No and View certificate buttons. Clicking on Yes opens up a webpage with a SAML login heading and the error “The webpage cannot be found”. “More information” shows “HTTP 400 bad request”.

If I disable SAML, then I’m able to log in to webreports and console.
SSL is configured and I’m able to use https URLs.
I’m running the 9.5.14 version of the platform.

Any help or advice is appreciated before I reach out to HCL tech support.

Did you follow ALL the steps outlined at the How to Configure BigFix SAML Integration page? I think when I set it up for the first time, I missed a step. If anything is out of place, you can get odd results.

  • Did you set the “_WebUI_AppServer_Hostname” property on your primary BigFix server? This should point to your WebUI server FQDN.
  • Did you set the “_WebUI_AppEnv_PLATFORM_HOST” property on the WebUI server? This should point to the server in your Masthead/License FQDN.

The SSL Error may be resulting because when you log into Web Reports or the Console with SAML, you are actually re-directed to the WebUI server for Authentication, and it will pass back an authentication token if you succeed.

In my case, we actually use Shibboleth for our SAML authentication. I always get the error message shown below.
[image: SAML_Auth_Error]
We have to click “YES” to proceed. I’ve not found a way to get around it yet. If you do, PLEASE let me know.

Another issue we ran into was related to our Shibboleth environment, it wanted to encrypt the response data it was sending back to the WebUI server, even though the connection was already using HTTPS. We had to have the owners/managers of the Shibboleth environment create a special configuration so that the results inside the response packet would NOT be encrypted before they were sent across the encrypted HTTPS connection.

I doubt this is your problem though since in our case, if SAML was configured then ALL authentication was broken until we got on a conference call with the BigFix Dev’s and the folks that manage our Shibboleth environment.

Another thing we ran into as a problem was the “_WebUIAppEnv_LOGIN_SESSION_TIMEOUT_SECONDS” setting’s default being too short. I had to turn this up a good bit to allow people to be able to get some work done before the system would force them to re-authenticate.


Are your trust stores/list updated with the CA public keys of your cert?

The certificate warning appears to be a known issue: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0069057

I have the “_WebUI_AppServer_Hostname” property on the primary BigFix server pointing to the FQDN of the webui server and the “_WebUI_AppEnv_PLATFORM_HOST” property on the WebUI server pointing to the masthead FQDN of the root server. Webui works with no issues with SAML authentication. The only issue is webreports and console.
The weird part is when browsing to webreports, the SSL error shows the webui server name (like it’s looking for the SAN name of the webui server name from the property “_WebUI_AppServer_Hostname”). The error is as below:
"HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: no alternative certificate subject name matches target host name '<name of the server that is in property “_WebUI_AppServer_Hostname”>'"
I have Active Directory CA-issued SSL certs on both webreports and webui and added the full chain from server cert to intermediates and then, at the bottom, the root cert. Still no go.

The WebReports server and BigFix Console use the WebUI server as a middleman to authenticate via SAML.

I would recommend you review and verify the tasks listed in the documentation: https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_how_to_configure_bigfix_to_int.html?hl=how%2Cconfigure%2Cbigfix%2Cintegrate%2Csaml%2C2.0

Perhaps there is a DNS issue?

Boyd Bradford, I did follow this SAML document from the HCL support link.

And from the webreport/root server, I can ping/nslookup the webui server’s FQDN and from the webui server, I’m able to ping/nslookup the webreport/root server’s FQDN with no issues.

It sounds like you have a problem with the SSL cert you installed on the WebUI server.

The WebReport and Console are both contacting the WebUI server and if they can’t validate the SSL cert, they won’t work.

Did you use a Self-Signed SSL Cert on your WebUI server?

No, it’s an Active Directory CA signed certificate on Webui and I added the full certificate chain to the certificate.

Then I strongly recommend you open a ticket with HCL so that they can help you troubleshoot your issue.

I agree a ticket is in order. In the browser warning I’d click the ‘View Certificate’ link to verify it is actually using the certificate you expect.

Chrome browsers at some version started requiring certificates issued with Subject Alternate Names specifying the DNS name of the server, rather than checking the Subject alone as in earlier versions. Your AD certificate may be missing the SubjectAltName field, but I wouldn’t have expected that to be a problem from IE.

Also the warning about Untrusted Issuer makes me think it may not actually be using the certificate you issued for it.

@RupG,
based on the error you reported

HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: no alternative certificate subject name matches target host name '<name of the server that is in property “_WebUI_AppServer_Hostname”>’

it looks like the certificate presented by WebUI doesn’t contain any name matching the value you specified in the _WebUI_AppServer_Hostname property. Maybe the certificate was created just using the hostname, not the FQDN.
As suggested by @JasonWalker, I’d check the certificate details from the browser warning: the value specified in _WebUI_AppServer_Hostname should match the value in the WebUI certificate.

@JasonWalker
I checked both SSL certs on Webui and webreports via the Chrome browser. Both have a Subject Alternative Name section.
In the case of the webui certificate, the SAN has the server’s FQDN and also has a web URL address similar to the below:
DNS Name = Server host FQDN
DNS Name = web address of the webui portal

In the case of the webreports certificate, the SAN has the server’s FQDN and also has a web URL address similar to the below:
DNS Name = webreports Server hostname
DNS Name = webreports Server host FQDN
DNS Name = web address of the webreports portal

When I use IE 11 instead of Chrome to browse to Webreports, IE does not give a descriptive message like Chrome does; it just shows the HTTP error below under the more information section.

This error (HTTP 400 Bad Request) means that Internet Explorer was able to connect to the web server, but the webpage could not be found because of a problem with the address.

Also, the web address for webreports in both Chrome and IE changes when the error shows up. The web address changes from bigfixwebreports.xxx.yyy:52312 to bigfixwebreports.xxx.yyy:52312/saml?RelayState=%2F

@EmilianoN

I verified the SSL certificate on the webui server and it does have the server’s FQDN in its SAN section, and that FQDN exactly matches the value of the property “_WebUI_AppServer_Hostname”.

Also, the debug logs on the web reports server show the following entries corresponding to the time when Chrome shows the error.

Log entries:
Wed, 11 Mar 2020 07:21:01 -0500 – 5444 – /saml?RelayState=/ - "IP of my workstation"
Wed, 11 Mar 2020 07:21:01 -0500 – /saml (9828) – Running plugin /saml?RelayState=/ with client "IP of my workstation"
Wed, 11 Mar 2020 07:21:01 -0500 – /saml (9828) – Request from “IP of my workstation” : GET /saml?RelayState=/

I have the exact same issue, but I think I’m making some progress.

I think the issue is that for SAML for WebReports and Console, WebUI MUST be installed on the root server. If you prefer to use a remote WebUI server, then you configure WebUI on the root server in SAML-only mode: https://help.hcltechsw.com/bigfix/9.5/webui/WebUI/Admin_Guide/c_saml_2_0.html AND you must also configure the _WebUI_AppServer_Hostname setting on the root server as mentioned in https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_how_to_configure_bigfix_to_int.html

Nowhere in the documentation does it explicitly state that for SAML on Console and WebReports, WebUI must be installed on the root server. It simply says WebUI must be installed. https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_assumptions_and_requirements.html See the third bullet.


I currently have WebUI installed ONLY on a separate computer and we are using SAML authentication.

I DO NOT have WebUI installed on my BigFix server. It works just fine. I DO have Web Reports installed on the BigFix server (as well as on a separate server that is used by users as the Web Reports server to minimize resource utilization on the BigFix server)…


In the environments I work on, we’ve had SAML working for Console and Web Reports for years, and our WebUI is not installed on the root server. We have multiple BigFix deployments where SAML is working on all of them, and in each case the WebUI is on its own separate server. Some of these environments are configured to run WebUI in Query-Only mode. Others are full WebUI.

I’m not sure why you would be unable to do this, but in our case, we use the same certificate across the BigFix server’s 52311, Web Reports, and WebUI - just have all the various hostnames & aliases in the Subject Alternate Name field of the cert. Doing that was pretty critical to our success.

Thanks for pushing back on a wrong comment/suggestion.

If my root server is running the following services: BES Root Server, FillDB, GatherDB, and BES Web Reports server, then where on the root server do https://:52311/saml and https://:8083/saml exist? I can’t find them searching the drive where BES Server is installed.

My root server is running 9.5.13.130. hostname is root.some.com but it also has a CNAME alias of besroot.some.com. The WebUI server hostname is webui.some.com but it also has a CNAME alias of besconsole.some.com

@quest, you’re saying the certificate I use for both of these should be the same and should include all of the above as subject alternative names?

Does it matter which name I provide for the setting _WebUI_AppServer_Hostname on the root server? The hostname or the alias?

In order to have a successful connection between Root Server and WebUI, you need to set _WebUI_AppServer_Hostname = <webui_name_defined_in_WebUI_certificate>, ensuring that it matches the WebUI certificate subject name.
You can see details here, https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_how_to_configure_bigfix_to_int.html, at step 7.
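The thread's diagnosis (from @EmilianoN's post above and this last answer) is that the libcurl error 60 means the name configured in _WebUI_AppServer_Hostname is not present as a DNS Subject Alternative Name in the certificate the WebUI server serves, which also answers the hostname-versus-CNAME-alias question: whichever name you configure must be in the SAN. The script below is an added example, not BigFix's or HCL's code, that performs exactly that check in Python. The sample certificate dictionary is constructed here in the shape Python's `ssl` module returns from `getpeercert()`, using the webui.some.com / besconsole.some.com names from the thread; `fetch_peercert` is an optional helper for pulling the live certificate (it needs network access and the AD CA bundle in PEM form, a hypothetical path here).

```python
import socket
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); only the fields
# the check needs are filled in. The names come from the thread, not a real host.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "webui"),),),
    "subjectAltName": (
        ("DNS", "webui.some.com"),
        ("DNS", "besconsole.some.com"),
    ),
}


def dns_names(peercert: dict) -> list:
    """Return the DNS entries of the certificate's subjectAltName extension."""
    return [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(peercert: dict):
    """Return the Subject commonName, or None if the certificate has none."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one SAN DNS entry against a hostname.

    Case-insensitive; a wildcard is only honoured as the entire leftmost label,
    matches exactly one label, and needs at least two fixed labels after it
    (so "*.com" never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def check_configured_hostname(configured: str, peercert: dict) -> dict:
    """Compare the _WebUI_AppServer_Hostname value with the served certificate.

    Returns a dict with the SAN names, the entries that matched, an overall
    "ok" flag and, on failure, a hint about the most likely cause."""
    names = dns_names(peercert)
    matched = [n for n in names if name_matches(n, configured)]
    result = {"configured": configured, "san_dns": names, "matched": matched, "ok": bool(matched)}
    if matched:
        return result
    cn = common_name(peercert)
    short = configured.lower().split(".")[0]
    # Same first label but a different (or missing) domain part: short name vs FQDN mix-up.
    near = [n for n in names if n.lower().split(".")[0] == short]
    if near:
        result["hint"] = (f"SAN has {near} but not {configured!r}; the property must match "
                          "a SAN entry exactly (FQDN vs short name)")
    elif cn and name_matches(cn, configured):
        result["hint"] = "name is only in the Subject CN, not in the SAN; modern clients ignore the CN"
    else:
        result["hint"] = ("no SAN entry matches; reissue the certificate with this name "
                          "and any CNAME aliases as DNS SANs")
    return result


def fetch_peercert(host: str, port: int, cafile: str) -> dict:
    """Retrieve the served certificate as a getpeercert() dict (needs network).

    Hostname checking is disabled so the dict comes back even when the name does
    not match; chain validation against the CA bundle is still enforced, so a
    chain problem (the other failure mode discussed in the thread) still raises."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed sample: the FQDN and the CNAME alias
    # both pass, the short hostname does not and gets the FQDN-vs-short hint.
    for candidate in ("webui.some.com", "besconsole.some.com", "WEBUI.SOME.COM", "webui"):
        print(check_configured_hostname(candidate, SAMPLE_PEERCERT))
    # Live use (hypothetical values): replace with your WebUI FQDN, its port and
    # the exported AD CA chain, then pass the result to check_configured_hostname.
    # cert = fetch_peercert("webui.some.com", 443, "/path/to/ad-ca-chain.pem")
```

Run it with the configured property value as the candidate; a result with `"ok": False` and a hint about FQDN versus short name is the situation described in the thread, and a result with `"ok": True` for both the hostname and its CNAME alias is what the later advice to put every alias in the SAN produces.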
