Errors: ldap 81/48 - Socket error 107 - Error code 2 - Handshake 3154

Article ID: 202190

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

How to avoid the following messages in the smps.log:

  1. Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=****)(objectclass=****)(!(myType=***)))'
  2. Failed to initialize TCP client connection. Socket error 107
  3. [sm-Server-06007] failed. Error code : 2
  4. [sm-Ldap-00770] (AuthenticateUser) DN: 'cn=***,ou=Users,o=****,c=us' . Status: Error 48 . Inappropriate authentication
  5. Bad security handshake attempt. Handshake error: 3154

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

Here are the possible ways to investigate each error:

  1. This error might appear if the LDAP User Directory closes the connection (1).
  2. This issue happens when the Web Agent closes the connection and the Policy Server has not been notified that the connection is closed (2). To help prevent that, consider implementing SM_ENABLE_TCP_KEEPALIVE (3).
  3. This error means the data is not found in the Session Store (4). This error message might appear if there's a mixture of persistent and non-persistent realms in the environment (5).
  4. Investigate with the LDAP vendor the reasons for this. It may be a configuration problem on the LDAP side (6).
  5. This error means that the shared secret and/or the agent name do not match the values in the Policy Store for that Agent. Usually, the solution is to register the Agent again (7)(8)(9)(10)(11).
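
To see which of the five conditions dominates before investigating, the messages can be tallied straight from smps.log. The script below is an added example, not part of the vendor article: it matches only the message fragments quoted above, and the function names, category labels and the sample lines' timestamp prefix are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: tally the five smps.log messages discussed in this article.
# Patterns are the message fragments quoted on the page. Category labels are
# hypothetical names that restate the article's explanation of each error.

triage_smps_log() {
  # $1 = path to smps.log; prints "<count> <category>" per category seen
  awk '
    /Error[^a-z]*81[^a-z]* during search/                { n["ldap81_directory_closed_connection"]++ }
    /Socket error 107/                                   { n["socket107_agent_connection_lost"]++ }
    /\[sm-Server-06007\].*Error code : 2([^0-9]|$)/      { n["code2_session_not_in_session_store"]++ }
    /\[sm-Ldap-00770\].*Error 48/                        { n["ldap48_inappropriate_authentication"]++ }
    /Handshake error: 3154/                              { n["handshake3154_agent_name_or_secret_mismatch"]++ }
    END { for (k in n) print n[k], k }
  ' "$1" | sort -k2
}

write_sample_smps_log() {
  # $1 = output path. Constructed sample: the bracketed prefix is invented,
  # the message text follows the lines quoted in the article.
  cat > "$1" <<'EOF'
[2024-01-01 10:00:01][ERROR] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=****)(objectclass=****)(!(myType=***)))'
[2024-01-01 10:00:05][ERROR] Failed to initialize TCP client connection. Socket error 107
[2024-01-01 10:00:09][ERROR] Failed to initialize TCP client connection. Socket error 107
[2024-01-01 10:01:12][ERROR][sm-Server-06007] failed. Error code : 2
[2024-01-01 10:02:30][ERROR][sm-Ldap-00770] (AuthenticateUser) DN: 'cn=***,ou=Users,o=****,c=us' . Status: Error 48 . Inappropriate authentication
[2024-01-01 10:03:44][ERROR] Bad security handshake attempt. Handshake error: 3154
[2024-01-01 10:04:00][INFO] constructed unrelated line
EOF
}

# Stand-alone use: ./triage.sh /path/to/smps.log
if [ -n "${1:-}" ]; then
  triage_smps_log "$1"
fi
```

A high Socket error 107 count next to few other errors points at the network path between Agent and Policy Server, while repeated 3154 lines point at Agent registration.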

Additional Information

 

(1)   Error : '81' during search: 'error: Can't contact LDAP server'
    
      To avoid this message, configure the LDAP Backend Store to never close its connection with the Policy Server.

    

(2)   Failed to initialize TCP client connection. Socket error 107

      In almost all cases, Socket error 107 occurs due to an external network issue. It means "Transport endpoint is not connected". Basically, the communication between the Policy Server and the Agent was lost.

    

(3)   Policy Server Hangs after Web Agent Communication Failure

      If a Web Agent goes offline during a Policy Server request, for example, during a network outage, and does not notify the Policy Server of the communication failure, the Policy Server continues to wait for the Web Agent data. The Policy Server continues to wait, even after the Web Agent regains network functionality and closes the connection to the Policy Server.

      To configure the Policy Server to send KeepAlive packets to idle Web Agent connections, log into the Policy Server host system. Do one of the following:

      (Windows) Create the following system environment variable with
      a value of 1: SM_ENABLE_TCP_KEEPALIVE

      (UNIX) Create the following system environment variable:
      SM_ENABLE_TCP_KEEPALIVE=1

      Export the environment variable.

      The value must be 0 (disabled) or 1 (enabled). If a value other than 0 or 1 is configured, the environment variable is disabled. If the environment variable is disabled, the Policy Server does not send KeepAlive packets to idle Web Agent connections.

Enable KeepAlives When Agents and Policy Servers are Separated by a Firewall

      Symptom:
      I use a firewall between my agent and Policy Server. Sometimes the agent returns a 500 error when I try to access a page.

      Solution:
      Enable KeepAlives on the agent by doing the following steps:

      1. Locate the following environment variable on the computer hosting the web agent: SM_ENABLE_TCP_KEEPALIVE
      2. Set the value of the previous environment variable to 1.

(4)   failed with code - 1001 errors post R12.8 upgrade

      Error code 2 indicates a problem when the Policy Server tried to retrieve the session from the session store: it searched the session store but could not find the session. The cause may be bad input to the session store search. The Policy Server trace log (smtracedefault.log) shows the search query that was sent to the session store.

    

(5)   SAML federation via IWA Sessionstore problem

      Check whether the realms have persistence enabled and decide whether persistence is needed. A mixture of persistent and non-persistent realms can provoke this error. Also remove all SLO configurations that are not in use.

    

(6)   LDAP Result Code Reference: Core LDAPv3 Result Codes

      inappropriateAuthentication (48)
      Applicable operation types: bind

      The inappropriateAuthentication result code indicates that the client attempted to bind in a manner that is inappropriate for the target account. Some possible reasons for this result code include:

      The client attempted to perform anonymous authentication, but the server does not permit anonymous authentication.

      The client attempted to perform a type of authentication for which the target account does not have an appropriate set of credentials. For example, this result code may be returned if a client attempts to perform a password-based bind when the target user's entry does not contain a password.

      The client attempted to perform a type of authentication that is not allowed for that client. For example, the client attempted to perform a lower-security type of authentication (like simple authentication or SASL PLAIN) when a stronger method (e.g., a client certificate or a two-factor mechanism) is required.

   

(7)   What are the possible handshake errors in policy server?

      Bad security handshake attempt. Handshake error: 3154 - Client name does not match hash value - Shared secret sent by the agent is not correct/valid

    

(8)   LLAWP will not load

      Running smreghost to re-register the agent should resolve this issue. 

    

(9)   Bad security handshake attempt. Handshake error: 3154
    

(10)   Policy server not able to connect with webservices instance
    

(11)   Handshake error when using SM Test Tool from a different box