Secure Global Desktop Administration Guide > Applications, documents and hosts > When X authorization is enabled, applications fail to start

When X authorization is enabled, applications fail to start

In a default Secure Global Desktop installation, X authorization is enabled. If there are any problems with X authorization, users will not be able to start applications. If applications are failing to launch because of X authorization, the message "Failed to find xauth" or "Attempt to run xauth failed" will display in the application launch details dialog in the user's browser or Native Client.

Use the following checklist to establish why X authorization is causing application launches to fail:

Is X authorization installed on the application server?

Is X authorization installed on the application server?	For Secure Global Desktop to be able to use X authorization, xauth must be installed on every application server. If xauth is not installed, you must either install it or disable X authorization on the Security properties panel in Array Manager. Note This disables X security for the entire array.
Can Secure Global Desktop find the xauth binary?	If the message "Failed to find xauth" displays in the application launch dialog, Secure Global Desktop can't find the xauth binary. By default, Secure Global Desktop searches the following locations for the xauth binary: `/usr/bin/X11/xauth` `/usr/X/bin/xauth` `/usr/X11R6/bin/xauth` `/usr/bin/X/xauth` `/usr/openwin/bin/xauth` If the xauth binary is in a different location, you must add its location to the `/opt/tarantella/var/serverresources/expect/vars.exp` login script. Look for the line beginning "`set xauthcmds`". Note If the xauth binary is only in one location, you can speed up application launches by removing the unnecessary locations from the `vars.exp` login script.
Does the user have a UNIX account on the application server?	When the user starts an application, the Secure Global Desktop X Protocol Engine generates a cookie and stores it in the `.Xauthority` file in the user's home directory on the application server. The cookie is used to validate whether or not the user has permission to connect to the X display. If the user does not have a home directory, the cookie cannot be stored in the user's `.Xauthority` file and so the user cannot be validated. You can either: Create a UNIX account for the user on the application server; Disable X authorization on the Security properties panel in Array Manager; or Edit the launch script so that the cookie is stored in a temporary directory. The launch script you need to edit is `/opt/tarantella/var/serverresources/expect/procs.exp`. Change the following line: `execute "[lindex $xauthcmds $i] add $XDISPLAY . $xauthcookie\n"` to something like: `execute "[lindex $xauthcmds $i] -f /tmp/.xauth$username add $XDISPLAY . $xauthcookie\n"`

For Secure Global Desktop to be able to use X authorization, xauth must be installed on every application server.

If xauth is not installed, you must either install it or disable X authorization on the Security properties panel in Array Manager.

Note This disables X security for the entire array.

Can Secure Global Desktop find the xauth binary?

If the message "Failed to find xauth" displays in the application launch dialog, Secure Global Desktop can't find the xauth binary. By default, Secure Global Desktop searches the following locations for the xauth binary:

/usr/bin/X11/xauth
/usr/X/bin/xauth
/usr/X11R6/bin/xauth
/usr/bin/X/xauth
/usr/openwin/bin/xauth

If the xauth binary is in a different location, you must add its location to the /opt/tarantella/var/serverresources/expect/vars.exp login script. Look for the line beginning "set xauthcmds".

Note If the xauth binary is only in one location, you can speed up application launches by removing the unnecessary locations from the vars.exp login script.

Does the user have a UNIX account on the application server?

When the user starts an application, the Secure Global Desktop X Protocol Engine generates a cookie and stores it in the .Xauthority file in the user's home directory on the application server. The cookie is used to validate whether or not the user has permission to connect to the X display.

If the user does not have a home directory, the cookie cannot be stored in the user's .Xauthority file and so the user cannot be validated.

You can either:

Create a UNIX account for the user on the application server;
Disable X authorization on the Security properties panel in Array Manager; or
Edit the launch script so that the cookie is stored in a temporary directory.

The launch script you need to edit is /opt/tarantella/var/serverresources/expect/procs.exp.
Change the following line:
execute "[lindex $xauthcmds $i] add $XDISPLAY . $xauthcookie\n"
to something like:
execute "[lindex $xauthcmds $i] -f /tmp/.xauth$username add $XDISPLAY . $xauthcookie\n"

Further logging

If the checklist above does not help you resolve problems with X authorization, check the log file in /opt/tarantella var/log. The log file will be execpePID_error.log.

If this does not help, you can increase the amount of information that is logged. To do this, you need to amend the log filter on the Secure Global Desktop and enable debugging in the login script.

You amend the log filter by running the tarantella config edit --tarantella-config-execpeconfig-logfilter command. In a default installation, the following filters are set:

execpe/*/*error,pem/*/*error,launchhelper/*/*error

Change the filters to:

execpe/*/*,pem/*/*,launchhelper/*/*error

To enable debugging in the login script, edit the /opt/tarantella/var/serverresources/expect/unix.exp file and uncomment out the startdebug line.

Related topics
Security properties (array-wide)