06-06-2018 05:20 PM - edited 03-19-2019 01:23 PM
We have installed a Centralised CM and IM&P cluster, but have hit a wall with Jabber sign in.
For service discovery, our UDS SRV record points to our SME for the Home cluster.
Our SME cluster is the Hub of our ILS network, with all leaf clusters, including the Centralised CM and IM&P cluster, as Spoke clusters.
We have SSO configured throughout all clusters, using FQDN multi-SAN single agreement SAML trusts, with OAuth Refresh Logins enabled for each cluster.
Some errors we receive in Jabber log and SSO log on IM&P:
Jabber:
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - Entry
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - ****************************************************************
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::Outage::onServerDisconnection] - ****************ATTENTION********************
2018-05-16 16:34:53,855 INFO [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - OnLoginError: LERR_CUP_SSOTOKEN_INVALID <28>:
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - ****************************************************************
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::LoginEventListenerImpl::OnLoginCredentialInvalid] - Login Credential Invalid
SSO log:
2018-05-16 16:34:53,389 INFO [http-bio-443-exec-19] servlet.OauthServlet - doPost :: POST request for servletPath:/token/validate
2018-05-16 16:34:53,389 INFO [http-bio-443-exec-19] handlers.ValidateTokenHandler - processRequest
2018-05-16 16:34:53,390 ERROR [http-bio-443-exec-19] token.TokenV2Manager - JWS Token header error or signing key mismatch: {"alg":"RS256","typ":"JWT","kid":"..."}
We had a case open with TAC, but it couldn't be resolved and the case was closed. This is set up in a lab environment, so we couldn't escalate to developers.
Anyone else working on this?
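For triage, the two log excerpts above can be tied together by time: the sketch below pairs each Jabber `OnLoginError` with the IM&P `/token/validate` rejection that precedes it and surfaces the JOSE header (`alg`, `kid`) of the rejected token. It is an added example, not part of the original post and not Cisco tooling; the function names, the 5-second window and the assumption that client and server clocks agree are choices made for this example.

```python
import json
import re
from datetime import datetime, timedelta
# Log lines copied from the post above (kid is elided there). Names and window are assumptions.
JABBER_LOG = """\
2018-05-16 16:34:53,855 INFO [IMPServices] [CSFUnified::IMPStackCap::Login::OnLoginError] - OnLoginError: LERR_CUP_SSOTOKEN_INVALID <28>:
2018-05-16 16:34:53,855 DEBUG [IMPServices] [CSFUnified::LoginEventListenerImpl::OnLoginCredentialInvalid] - Login Credential Invalid
"""
SSO_LOG = """\
2018-05-16 16:34:53,389 INFO [http-bio-443-exec-19] servlet.OauthServlet - doPost :: POST request for servletPath:/token/validate
2018-05-16 16:34:53,390 ERROR [http-bio-443-exec-19] token.TokenV2Manager - JWS Token header error or signing key mismatch: {"alg":"RS256","typ":"JWT","kid":"..."}
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+(.*)$")
LOGIN_ERR = re.compile(r"OnLoginError: (LERR_\w+)")
JWS_ERR = re.compile(r"JWS Token header error or signing key mismatch: (\{.*\})")

def parse(text):
    """Yield (timestamp, level, rest) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2), m.group(3)

def client_errors(text):
    return [(ts, m.group(1)) for ts, _, rest in parse(text)
            if (m := LOGIN_ERR.search(rest))]

def server_rejections(text):
    """ERROR lines where token validation failed, with the parsed JOSE header."""
    out = []
    for ts, level, rest in parse(text):
        m = JWS_ERR.search(rest)
        if level == "ERROR" and m:
            try:
                header = json.loads(m.group(1))
            except ValueError:
                header = {}  # header text not valid JSON: keep the event anyway
            out.append((ts, header))
    return out

def correlate(jabber_text, sso_text, window=timedelta(seconds=5)):
    """Pair each client login error with server rejections logged just before it."""
    rejections = server_rejections(sso_text)
    return [{"client_time": cts, "client_error": code, "server_time": sts,
             "alg": hdr.get("alg"), "kid": hdr.get("kid")}
            for cts, code in client_errors(jabber_text)
            for sts, hdr in rejections
            if timedelta(0) <= cts - sts <= window]
```

Collecting the `kid` values from the paired rejections shows which signing key the rejected tokens claim, which is the value to keep in mind when comparing keys across nodes.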
09-26-2018 12:35 AM
Hi, I am getting the same error for a single user. What did TAC suggest?
10-01-2018 07:54 PM
11-04-2019 09:37 PM
Restart the Cisco Sync Agent service and check. During the issue, validate that the same user is visible in the IMP server too.
11-05-2019 03:37 PM
01-27-2019 02:00 AM - edited 01-27-2019 02:07 AM
11-05-2019 08:56 PM
This didn't do much to help us at the time, but try checking if the authz keys match on each node, and regenerate if needed.
show key authz signing
show key authz encryption
set key regen authz signing
set key regen authz encryption
04-09-2020 05:24 AM
Thanks!
That did it for one of my customers.
For some reason the sync on tickets had stopped.
Renewing fixed it.