As part of configuring an IdP and an RP, you will be asked to run a TIDC command to verify that your RP proxy or IdP are able to contact the trust router correctly. 

The below cases are the most common errors experienced when attempting to run the TIDC command. If you have come across one not listed here, please get in touch with us with the command run and the subsequent output.

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. I get the following error when running the TIDC command:

Error returned by gss_init_sec_context:
      major error <1> Unspecified GSS failure. Minor code may provide more information
      minor error <1> Generic RADIUS failure
AuthenticateToServer failed: Generic RADIUS failure (err = 2109382928)
Error in tidc_open_connection.

Possible Solutions:

Check the following:

  1. The RADIUS server specified in /etc/radsec.conf is running and can be reached over TLS or UDP (depending on your setting in radsec.conf).
  2. There may be a problem with the APC or the trust router. Please contact JANET.

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. I get the following error when running the TIDC command:

Error returned by gss_init_sec_context:
      major error <1> Unspecified GSS failure. Minor code may provide more information
      minor error <1> Missing default password or other credentials
AuthenticateToServer failed: Missing default password or other credentials (err = 2109382948)
Error in tidc_open_connection.

Possible Solutions:

Check the following:
  1. You are running the newest version of the trust router and Moonshot software. If you were part of the Moonshot Pilot Workshop in February 2014, you must update your software to the newest version as Trust Router 1.2 is not forward compatible.
  2. You have installed the dbus-x11 package. This package is not installed as part of the package dependencies, but it is part of the instructions in Section 2 of the platform-specific instructions for Install an Identity Provider. It is a client library and will not require the installation of the X11 system.
  3. You have the FreeRADIUS user (freerad on Debian systems, radiusd on RHEL systems) listed in /etc/moonshot/flatstore-users.
  4. You have imported the Trust Router credentials using the moonshot-webp command as the FreeRADIUS user in Section 4.4.1 of Install an IdP on Debian 7. To verify you have, execute ls -la ~/.local/share/moonshot-ui/identities.txt as the FreeRADIUS user, and you should see the file listed.
  5. You are running the TIDC command as the FreeRADIUS user and that you have run the unset DISPLAY command before running the TIDC command.
  6. If your service is firewalled, check that TCP ports 2083 and 12309 are open both in- and outbound, and that the public IP address is the one you gave Adam Bishop. Ideally, your firewall should also support hairpinning.
  7. If you use Network Address Translation (NAT), check that you are forwarding TCP ports 2083 and 12309 both in- and outbound, and that the public IP address is the one you gave Adam Bishop.

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. I get the following error when running the TIDC command:

Error returned by gss_init_sec_context:
      major error <1> Invalid token was supplied
      minor error <1> Acceptor identity different than expected
AuthenticateToServer failed: Acceptor identity different than expected (err = 2109382938)
Error in tidc_open_connection.

Possible Solutions:

Check the following:
  1. Your hostname must resolve correctly. Check that the hostname and hostname -f commands return the same name.
  2. Check that your hostname resolves with nslookup

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. It seems to start but then I get the following error when running the TIDC command:

tidc_open_connection: Opening GSS connection to tr1.moonshot.ja.net:12309.gss_connect: Connecting to host 'tr1.moonshot.ja.net' on port 12309
CTRL-EVENT-EAP-STARTED EAP authentication started
:
:
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
tidc_fwd_request: Sending TID request: {"msg_type": "tid_request", "msg_body": {"rp_realm": "my RP realm", "target_realm": "apc.moonshot.ja.net", "community": "apc.moonshot.ja.net", ...}
ReadBuffer failed: Connection reset by peer (err = 104)
ReadBuffer failed: Connection reset by peer (err = 104)
ReadBuffer failed: Connection reset by peer (err = 104)

Solution:

  1. The trust router may be down. This should not be the case, but it occasionally happens. If the problem persists, contact us!
  2. There may be a problem with your credentials. If you were part of the pilot workshop in February 2014, you must apply for new credentials. Credentials issued after May 2014 should be ok. If in doubt, check the credentials.xml file, and convert the 'Issued on' number from UNIX time to human time.
  3. Check that the value of your RP realm parameter is correct and the same as the one you specified when you applied for credentials at JANET.

Please get in touch with JANET!

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. It seems to start but then I get the following error when running the TIDC command:

tidc_open_connection: Opening GSS connection to tr1.moonshot.ja.net:12309.gss_connect: Connecting to host 'tr1.moonshot.ja.net' on port 12309
CTRL-EVENT-EAP-STARTED EAP authentication started
:
:
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
tidc_fwd_request: Sending TID request: {"msg_type": "tid_request", "msg_body": {"rp_realm": "my RP realm", "target_realm": "apc.moonshot.ja.net", "community": "apc.moonshot.ja.net", ...}
tidc_fwd_request: Response Received (226 bytes).
{"msg_type": "tid_response", "msg_body": {"result": "error", "comm": "apc.moonshot.ja.net", "target_realm": "apc.moonshot.ja.net", "rp_realm": "target_realm", "err_msg": "Can't open connection to next hop TIDS"}}
tr_msg_decode_tidresp(): Error! result = error.
Response received! Realm = apc.moonshot.ja.net, Community = apc.moonshot.ja.net.
tidc_resp_handler: Response is an error.

Solution:

  1. There appears to be a problem with either your credentials or with the RP realm that you specified.
  2. Check that you have imported the credentials file as the FreeRADIUS user, and that you are running the TIDC command as the same user.
  3. Check that the value of your RP realm is correct and the same as the one you specified when you applied for credentials at JANET.

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. It seems to start but then I get the following error when running the TIDC command:

tidc_open_connection: Opening GSS connection to tr1.moonshot.ja.net:12309.gss_connect: Connecting to host 'tr1.moonshot.ja.net' on port 12309
CTRL-EVENT-EAP-STARTED EAP authentication started
:
:
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
tidc_fwd_request: Sending TID request: {"msg_type": "tid_request", "msg_body": {"rp_realm": "my RP realm", "target_realm": "apc.moonshot.ja.net", "community": "apc.moonshot.ja.net", ...}
tidc_fwd_request: Response Received (198 bytes).
{"msg_type": "tid_response", "msg_body": {"result": "error", "err_msg": "RP Realm filter error", "rp_realm": "my RP realm", "target_realm": "apc.moonshot.ja.net", "comm": "apc.moonshot.ja.net"}, "msg_type": "tid_response"}
tr_msg_decode_tidresp(): Error! result = error.
Response received! Realm = apc.moonshot.ja.net, Community = apc.moonshot.ja.net.
tidc_resp_handler: Response is an error.

Solution:

  1. There appears to be a problem with the RP realm that you specified.
  2. Check that:
    1. the value of your RP realm is the same as the one you specified when you applied for credentials at JANET
    2. the value of your RP realm is specified in the second parameter of the TIDC command-line
    3. you have not specified your ID Provider realm by accident, if it differs from your RP realm.

 

Problem

I can't seem to be able to connect my service to the trust router infrastructure. It seems to start but then I get the following error when running the TIDC command:

tidc_open_connection: Opening GSS connection to tr1.moonshot.ja.net:12309.gss_connect: Connecting to host 'tr1.moonshot.ja.net' on port 12309
CTRL-EVENT-EAP-STARTED EAP authentication started
:
:
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
tidc_fwd_request: Sending TID request: {"msg_type": "tid_request", "msg_body": {"rp_realm": "my RP realm", "target_realm": "my IdP realm", "community": "apc.moonshot.ja.net", ...}
tidc_fwd_request: Response Received (198 bytes).
{"msg_type": "tid_response", "msg_body": {"result": "error", "err_msg": "No path to AAA Server(s) for realm", "rp_realm": "my RP realm", "comm": "apc.moonshot.ja.net", "target_realm": "my IdP realm"}}
tr_msg_decode_tidresp(): Error! result = error.
Response received! Realm = apc.moonshot.ja.net, Community = apc.moonshot.ja.net.
tidc_resp_handler: Response is an error.

Solution:

  1. There appears to be a problem with the ID Provider realm that you specified.
  2. Check that:
    1. the value you specified on the command-line matches the ID Provider realm you specified in the portal or asked Adam Bishop to register for you in the portal
    2. the ID Provider server name and IP address you specified in the portal or to Adam Bishop are correct for your IdP server, and that they are accessible from anywhere on ports tcp/2083 and tcp/12309
    3. you have not specified your RP realm by accident, if it differs from your ID Provider realm.

 

More to come...