Make sure that the URL defined in the <url></url> tag matches the name of the protected resource, not the name of the back-end server.

If you use wildcards for the <url> tag, the content-length field of a response might get modified for data that is not specific to an application login form. Always try to make the <url></url> entry in the Form Fill policy as specific as possible. If this is not possible, use the <formCriteria> tag and/or the <cgiCriteria> tag to narrow the list.

Do not include the http:// scheme in front of the URL in the <url> tag. This prevents the link from finding a matching profile. It also causes the SSO to fail.

Always copy and paste the URL into the Form Fill policy URL tag. This reduces the chances of incorrectly typing a URL.

Form Fill does not preserve the input for type=“image”. Check the <form> tag in the application login form to make sure that this type does not exist. If it does, try modifying it. If it does exist, you might be able to use the custom rewriter to substitute the required data. However, we do not recommend using this method.

You might be able to supply the required data with the <injectStaticValue> tag.

Remove the <post/> tag and leave only the <fill> tag in the URL policy.

This lets you confirm that the credentials were available via LDAP and that LDAP was set up correctly.

The <debugPost/> Form Fill tag allows single sign-on usage to modify the HTML page with changes needed for auto post.

When the <debugPost/> tag is active and the URL matches the <url></url> in the Form Fill policy, iChain displays a screen with the message “Please look at HTML source for Form Fill modifications.” In this screen, you can select the View Source option in the browser. This shows the variable names and values that iChain injects into the login form. It also lets you check the JavaScript methods sent back to the browser.

The following example shows the values that iChain injects for a form that requests the user's name, password, and domain field:

<html>
<body>
   <b>Please look at HTML Source for Formfill modifications</b>
   <form name=”NFuseForm” action=”login.asp” method=”POST”>
      <input value=”Explicit” name=”LoginType” TYPE=”HIDDEN”>
      <input value=”administrator” maxlength=”256”
                    onFocus=”focus_UPD(this.form);” class=”loginEntries”
                    name=”user” type=”hidden”>
      <input value=”novell” maxlength=”254”
                    onFocus=”focus_UPD(this.form);”
                    class=”loginEntries” name=”password” type=”hidden”>
      <input value=”ICHAINFARM” maxlength=”256”
                    onFocus=”focus_UPD(this.form);” class=”loginEntries”
                    name=”domain” type=”hidden”>
   </form>

<script language=”JavaScript”>
   <!--
   function iChainPostForm()
     {
         document.forms[0].submit();
     }
   //-->
</script>
<a href=”JavaScript:iChainPostForm()”>Click to submit</a>
</body>
</html>

Make sure that the form declaration contains an action attribute. The action attribute specifies the URL that will process the form submission. This is a required attribute and Form Fill will not process the form if no action exists for the form.

The attribute doesn’t actually need to have a value, but the attribute needs to exist. For example:

<form action method="post">

The above example form declaration is sufficient for FormFill to process the form. If action has no value (as in the example above), the form is submitted back to the same URL as the page containing the form.

Make sure that you do not have a form element (input, select, button, etc.) named “submit.” This name causes problems with the auto-post feature of iChain. You can use a name of “Submit” (with a capital S), or any other value for the name of the form element. This needs to be changed in the original HTML source page.

The SecretStore Software Developer Kit (SDK) contains helpful debugging tools, such as the SSManager. To access the SecretStore SDK, see the SecretStore Developer Kit for C or the SecretStore Developer Kit for Java.

For more SecretStore information, see the SecretStore Administration Guide.

The pktscan.nlm, which ships with iChain, gathers traces.

This tool prevents you from needing to replicate a port on a switch to gather a LAN trace of traffic in and out of the iChain box. You might be able to use Sniffer or Ethereal to save and view this trace. To do this, you need to temporarily set up the accelerator for HTTP. HTTPS is not decodable with Sniffer or Ethereal.

The sso.nlm is a Form Fill module that includes the /Dx /Lx option (where x ranges from debug level 1 through 5, where level 5 contains the most detail.) For more information about loading the sso.nlm, see Section 14.4.6, Specifying Form Fill Switches.

The Form Fill operations are logged to a file through the iChain Web GUI Cache Logs tab.

Figure 14-2 iChain GUI Cache Logs

You can use this file to see if a policy has been matched and if any errors occurred during the processing of that policy.

The following example shows that a request came in for http://nfuse.novell.com/Citrix/NFuse17 /login.asp, and that a matching policy named metaFrameLogin was located. Another request came in for http://nfuse.novell.com/Citrix/NFuse17framseset.asp, but no matching policy was found:

[09/Nov/2004:11:51:39 +0100] SSO_1: No policy: ’nfuse.novell.com/Citrix/NFuse17/login.asp’ [09/Nov/2004:11:51:39 +0100] SSO_4: nfuse.novell.com/Citrix/NFuse17/login.asp[09/Nov/2004:11:51:39 +0100] SSO_4: Policy ’MetaFrameLogin’: nfuse.novell.com/Citrix/NFuse17/login.asp [09/Nov/2004:11:51:39 +0100] fillHtml: Start [09/Nov/2004:11:51:39 +0100] SSO_4: formfill no cache flag is turned on [09/Nov/2004:11:51:39 +0100] SSO_4: New page data [09/Nov/2004:11:51:39 +0100] SSO_1: No policy: ’nfuse.novell.com/Citrix/NFuse17/frameset.asp’