Scenario 1:
AR Server and MT integrated with RSSO. When trying to login using LDAP, AR or SAML Authentication, seeing the following message on the browser

Authentication failed (ARERR 623)

The user session is seen in the RSSO admin console session tab.

Scenario 2:
After RSSO upgrade to 19.x or 20.02 start watching: Authentication failed (ARERR 623)

Scenario 3:
user is not created in the sessions list due to a null agent id.
14 Jul 2021 06:57:03.407 FINEST Thread_2666 com.bmc.rsso.dao.oracle.OracleSessionDao.createAuthenticatedAgent(): AuthenticatedAgent: AuthenticatedAgent{token='_00088ef0-89cf-44cc-87ae-78c673163d20', agentId='', callbackUrl=''}
14 Jul 2021 06:57:03.410 SEVERE Thread_2666 com.bmc.rsso.dao.oracle.OracleSessionDao.createAuthenticatedAgent(): [3] Token _00088ef0-89cf-44cc-87ae-78c673163d20 failed to merge , exception

Scenario 4:
After updating Java on ARS to Open JDK17.x user sees ARERR 623 and this is shows in the arjavaplugin.log:
<PLUGINSVR> <TrID:                               > <TNAME: pool-6-thread-4          > <WARN > <AREAChainingHandler                               > <                          AREAChainingHandler.java:170       > /* Wed Mar 09 2022 01:12:54.690 */  AREAVerifyLogin() FAIL for plugin ARSYS.AREA.RSSO
java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1

Scenario 5:
After upgrading from 19.02 to 20.02, the SAML login is working normally but the AR Authentication bypass login fails with an error that the username or password is invalid.  The rsso.log on the RSSO server shows the following error message:

DEBUG ARAuthentication.authenticate()    : Login with AR user 'user-abc'
INFO  ARAuthentication.logARException()  : Failed to login: authentication failure. AR message: ERROR (623): Authentication failed; user-abc

This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.
 

Please check reference communities for the latest version:
https://community.bmc.com/s/news/aA33n000000CfhcCAC/helix-support-troubleshooting-steps-for-arerr-623-authentication-failed-with-re

You might see this error due to different reasons. Please go through the below steps to resolve a 623 Authentication failed error:

• 1. Check AR Integration
• 2. Operating-Mode parameter in ar.cfg
• 3. Server Plugin Alias entry for AREA plugin
• 4. Check Certificates (If using HTTPS for RSSO)
• 5. Midtier Service Password
• 6. Check Username
• 7. AR Java plugin related issues
• 8. What if the RSSO integration in-place, but still Authentication fails
• 9. Check the agent id in the MidTier rsso-agent.properties.
• 10. Check the APLRSSOTransformation.properties configuration file
• 11. Check for errors with the ARSYS.AREA.AREALDAP plugin
• 12. Check if User form of ITSM has correct password.

 

1. Check AR Integration

a. Make sure the following AREA settings (<AR>/Conf/ar.cfg) are configured on the AR Server
(Can be set from the Server Information form > EA tab):

External-Authentication-RPC-Socket: 390695
Authentication-Chaining-Mode: 1                      (This means ARS-AREA if you check it from the AR Admin Console > EA)
Crossref-Blank-Password: T

b. Make sure that the rsso.cfg file exists in <AR>/Conf & make sure that the below URL points to the correct Remedy SSO server service URL:

SSO-SERVICE-URL: <rsso_service_url>

c. Make sure that the below files are present in <AR>/pluginsvr

rsso-area-plugin-all.jar
gson-2.3.1.jar
slf4j-api-1.7.25.jar (For RSSO 18.11 or later versions)

 

d. Check below entries in <AR>/pluginsvr/pluginsvr_config.xml : (Edit <AR>/pluginsvr/pluginsvr_config.xml, and add Remedy SSO AREA plug-in by replacing <AR> with the corresponding path:)

<plugin>
<name>ARSYS.AREA.RSSO</name>
<classname>com.bmc.rsso.plugin.area.RSSOPlugin</classname>

<pathelement type="location"><AR>/pluginsvr/rsso-area-plugin-all.jar</pathelement>
<pathelement type="location"><AR>/pluginsvr/gson-2.3.1.jar</pathelement>
<pathelement type="location"><AR>/pluginsvr/slf4j-api-1.7.25.jar</pathelement> --- (For RSSO 18.11 or later versions)

<userDefined>
<configFile>{AR}/Conf/rsso.cfg</configFile>
</userDefined>
</plugin>

2. Operating-Mode parameter in ar.cfg

- If you are getting a 623 error after AR Server upgrade then It might be due to the Operating-Mode parameter in ar.cfg in <AR>/conf.
- Make sure that Operating-Mode in the ar.cfg is set to 0. If It is 1, you will see this issue.
- You will need to restart the AR server after changing the parameter.
- If you are interested in knowing about the Operating-Mode parameter, you can go through below AR Blog :

Operating Mode

 

3. Server Plugin Alias entry for AREA plugin

- AR Server's AREA plugin is used by RSSO Plugin for authentication. If you are missing the below line in ar.cfg then you will encounter a 623 error.
- Server-Plugin-Alias: AREA AREA <servername>:9999
- If It's missing then please add the above entry & restart the AR service.

 

4. Check Certificates (If using HTTPS for RSSO)

- If you are using the HTTPS protocol for RSSO Service URL in rsso.cfg then you might see a 623 error because of handshake issues between AR & RSSO server.
- To avoid certificate-related errors, you should import the RSSO root certificate in Java cacerts on AR Server.
- If you wanted to confirm if the issue is happening due to Certificate or not, you can disable SSL/TLS checks for HTTPS communication on the Agent side

(This should be used only to confirm if the issue is related to Certificates or not)

- To disable SSL/TLS check, you can change the below parameter to true in the rsso.cfg file exist in <AR>/conf

com.bmc.rsso.tls.disable.checks: true

- This is only available for RSSO 19.05 & later versions

4.1. Check the Backchannel URL in the Advanced Tab on the RSSO Admin Console

The backchannel URL should be the same as the one in the "rsso.cfg" file

SSO-SERVICE-URL: <rsso_service_url>

If you see a "/" at the end of the URL, please remove it


also check that the SSO-SERVICE-URL in rsso.cfg from AR Server doesn't contain a "/" in the RSSO URL

Restart AR Server service.
Retry the login to Remedy and confirm the issue is resolved.

Test the access to the SSO-SERVICE-URL from the AR server host using curl:
          curl -v http(s)://rssoserver(:port)/rsso/api/version 
          This should return the version string of the RSSO server.
If https does not work, try http.   

 

5. Midtier Service Password

- You might see a 623 error for Midtier service account after login e.g. ERROR (623): Authentication failed; MidTier Service
- That means you don't have the correct password for the AR Server in the Midtier config tool.
- You can update the password from the Midtier Config tool → AR Server Settings
- Select the AR server & click on the edit button.
- Make sure that you check the Validate password option as It will give an error if the password is not correct.

If after resetting the password you still see the same error, you can try removing and adding the AR servers back in the midtier configuration tool.

6. Check Username

- Sometimes an error can be seen because the username received from IDP (IDP could be LDAP/SAML/OKTA etc.) doesn't match with one existing in AR Server's User form.
- You can validate this by going to RSSO Admin Console & check sessions. It will show you the username received from LDAP or other authentication protocols.
- If that is not matching with the username on the User form then you will need to use transformation on the RSSO Admin console.
- Username is case-sensitive. Please make sure if Active Directory is stored as "USER" and AR is stored as "user". it will have to be updated on Active Directory or User to match UPPERCASE or lowercase

e.g. If LDAP is sending username as "user@bmc.com" but on the User form, if it is specified as "user" then you will need to use the "Remove Email domain" transformation on the RSSO console.

 

7. AR Java plugin related issues

- RSSO Plugin is part of the AR Java plugin. You might see a 623 error if the AR Java plugin is not initialized or not working.
- You can run the below command on the command line :

netstat -an | findstr "ar_plugin_port"

- You can also check the AR Java plugin process on Task manager if its running or not

- You will need to add the "Command line" column on Task Manager to see the complete java path.
- If you are not able to see the Java process with "pluginsvr;" in the command line means it is not initialized.
- You can check arjavaplugin.log from ARSystem/db to see errors related to RSSO.
- If you don't see details for login failure in the log, you can enable debug level logging for AR Java plugin & restart plugin.
- You will need to re-login to get more details on why authentication is failing with a 623 error on AR Server.

8.  What if all the above integration configurations are in-place but still there is an Authentication Failure error?

A recent Windows security update or for any other reasons, the Operating system of the application servers might have restarted.  Please ensure the following sequence is followed when restarting the services

8.1 Ensure the RSSO Database server is up and running
8.2 STOP All RSSO Nodes i.e  Remedy SSO Tomcat service. 
8.3 STOP All  AR services (those servers that are integrated with RSSO server)
8.4 STOP All the Midtier services (those servers that are integrated with RSSO server)
8.5 START All RSSO Nodes i.e All RSSO services
      Ensure you are able to login into the RSSO Admin console 
8.6 START All ARServices
8.7 START All Mid Tier Services

- Check the version of the RSSO agent on the ARServer.  Update the agent to 20.02 and this will resolve the issue when the ARServer is configured to use Open JDK 17.x

9. What if all the above configuration is all set and still ARERR 623 occurs?

Check the MidTier rsso-agent.properties and see if the agent-id is set.

14 Jul 2021 06:57:03.407 FINEST Thread_2666 com.bmc.rsso.dao.oracle.OracleSessionDao.createAuthenticatedAgent(): AuthenticatedAgent: AuthenticatedAgent{token='_00088ef0-89cf-44cc-87ae-78c673163d20', agentId='', callbackUrl=''}
14 Jul 2021 06:57:03.410 SEVERE Thread_2666 com.bmc.rsso.dao.oracle.OracleSessionDao.createAuthenticatedAgent(): [3] Token _00088ef0-89cf-44cc-87ae-78c673163d20 failed to merge , exception
This occurs when the agent-id is not set e.g. agent-id = midtier_agent (note the spaces either side of the =.  The customer initially set the value to agent-id=midtier_agent and this also causes the issue.

9.a    Using nslookup to check for errors.

In RSSO Console, for an AR Authentication, the FQDN of the AR Server name was checked with nslookup.  The nslookup returned three IP addresses eg:

nslookup  remedysvr.corp.local
Server:      x.x.x.x
Address:     x.x.x.x

Name: remedysvr.corp.local
Address: a.a.a.a
Name: remedysvr.corp.local
Address: b.b.b.b
Name: remedysvr.corp.local
Address: c.c.c.c

In the above example, it was found that IP address b.b.b.b was invalid and not reachable for that FQDN.  So there would be a one out of three chance that during login, the RSSO server selected would be b.b.b.b and thus fail the login with an ARERR 623.  Once the DNS was corrected, the error no longer occurred.

If nothing helps then reintegration between RSSO and AR is required.

These troubleshooting steps should help you to resolve a 623 error.

See Also: BEST FAQ on BMC Helix Single Sign On