ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

NullPointerException when attempting to logon to the Streaming Console when UDS configured for ADSI

book

Article ID: 161600

calendar_today

Updated On:

Products

Workspace Streaming (formerly AppStream)

Issue/Introduction

Network users may not be able to login to the Streaming Console and may receive a false message indicating their username or password was entered incorrectly when in fact no error has been made inputting the user's credentials when the User Data Source (UDS) is configured to use the Active Directory Services Interface (ADSI) instead of the legacy LDAP connector; ADSI is the default setting for new installations, upgrades will use the existing LDAP connector.

Streaming Console login error

In addition to the error message depicted above, you can enabling debug logging on the Streamlet Engine by editing the ste.conf file located at C:\Symantec\Workspace Streaming\Server\streamletEngine\conf and changing the parameter log4j.category.com.appstream.dbimpl and setting its value to DEBUG. The following message is recorded in DCI_all.log when dbimpl debug logging is enabled:

2014-10-09 15:36:20,252 DEBUG [http--172.27.16.182-9832-5] authenticateConsoleUser| [USER_SERVICE] authenticateUser username: username
2014-10-09 15:36:20,283 DEBUG [http--172.27.16.182-9832-5] authenticateConsoleUser| [USER_SERVICE] AdsiUserManagement.searchUsers count 1
2014-10-09 15:36:21,299 DEBUG [http--172.27.16.182-9832-5] authenticateConsoleUser| [USER_SERVICE] DBUserManagement getUser name [email protected]
2014-10-09 15:36:21,315 ERROR [http--172.27.16.182-9832-5] authenticateConsoleUser| java.lang.NullPointerException
2014-10-09 15:36:21,315 DEBUG [http--172.27.16.182-9832-5] authenticateConsoleUser|
java.lang.NullPointerException
at org.apache.torque.util.SqlExpression.processInValue(SqlExpression.java:662)
at org.apache.torque.util.SqlExpression.buildIn(SqlExpression.java:631)
at org.apache.torque.util.SqlExpression.build(SqlExpression.java:307)
at org.apache.torque.util.Criteria$Criterion.appendTo(Criteria.java:3436)
at org.apache.torque.util.Criteria$Criterion.toString(Criteria.java:3582)
at org.apache.torque.util.BasePeer$3.process(BasePeer.java:733)
at org.apache.torque.util.SQLBuilder.processCriterions(SQLBuilder.java:432)
at org.apache.torque.util.SQLBuilder.buildQueryClause(SQLBuilder.java:299)
at org.apache.torque.util.BasePeer.createQuery(BasePeer.java:730)
at org.apache.torque.util.BasePeer.doSelect(BasePeer.java:779)
at com.appstream.dbimpl.sql.om.BaseAsConsoleUserPeer.doSelectVillageRecords(BaseAsConsoleUserPeer.java:387)
at com.appstream.dbimpl.sql.om.BaseAsConsoleUserPeer.doSelect(BaseAsConsoleUserPeer.java:339)
at com.appstream.dbimpl.sql.om.AsConsoleUser.mergePermissions(AsConsoleUser.java:232)
at com.appstream.dbimpl.DAImpl.retrieveConsoleUser(DAImpl.java:4053)
at com.appstream.dbimpl.DAImpl.authenticateConsoleUser(DAImpl.java:3990)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.appstream.db.util.ClassUtilities.invoke(ClassUtilities.java:80)
at com.appstream.db.remote.DbMsg.invoke(DbMsg.java:226)
at com.appstream.dbimpl.DAMgr.handleMsg(DAMgr.java:259)
at com.appstream.db.remote.AbstractManager.doService(AbstractManager.java:120)
at com.appstream.db.remote.DAServlet.doPost(DAServlet.java:100)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
at java.lang.Thread.run(Thread.java:744)

Cause

The service account configured in the UDS that is used to access the directory service may not have sufficient privileges to read a group in the user's group membership list; this resulted in a searchGroupsInt call returning an empty array. The calling Java function didn't expect this as it constructed its SQL statement. We now return a NULL in ADSI's java_com_appstream_dbimpl_usermgmt_AdsiUserManagement_searchGroupsInt and the user can now login.

Resolution

This defect is targeted to be fixed in 7.5 SP1 HF3; upgrading to this version will resolve the problem.  

There are a couple of workarounds in the meantime:

  1. Change the UDS configuration to use the legacy LDAP configuration instead of the ADSI connector
  2. Contact Symantec Technical Support to obtain a point fix for this issue

 

Workaround 1

  1. Make a backup copy of the following file:
    1. C:\Symantec\Workspace Streaming\Server\streamletEngine\da\conf\provision.xml
  2. Replace the content of the original provision.xml with the data from the following file:
    1. C:\Symantec\Workspace Streaming\Server\streamletEngine\da\conf\provision_LDAP.xml
  3. Login to the Streaming Console
  4. Navigate to the UDS configuration screen
    1. Settings > System Settings > User Data Source
    2. Fill in the missing values as appropriate to connect to your directory service

 

Workaround 2

  1. Reproduce the problem to verify which users cannot login
  2. Stop the SWS Streamlet Engine (ASWEStreamletEngine) service
  3. Make a backup copy of the original awe_legacy.jar file and store it in a separate directory, e.g., c:\temp
    1. C:\Symantec\Workspace Streaming\Server\common\jboss\modules\appstream\lib\main\awe_legacy.jar
  4. Replace the awe_legacy.jar file in the location above with the attached awe_legacy.jar file
  5. Start the SWS Streamlet Engine (ASWEStreamletEngine) service
  6. Test the logon of the accounts that previously failed in step 1

 


Applies To

Symantec Workspace Streaming (SWS) 7.5.0.493 (GA) through SWS 7.5.0.770 (SP1 HF2) with the User Data Source (UDS) configured to use Active Directory Services Interface (ADSI).

Attachments

awe_legacy.jar get_app