Troubleshooting user login issues with LDAP authentication


TrueSight Server Automation users are unable to log in to TrueSight Server Automation using LDAP authentication.

This topic helps you locate and review the logs to determine the root cause of the login failures, so that you can either identify and resolve the issue or create a BMC Customer Support case.

Issue symptoms

  • One or more users cannot log in to a TrueSight Server Automation environment using LDAP authentication.
  • The Application Servers are confirmed to be up and running, and users can log in successfully using other authentication types, such as Domain Authentication and SRP.

Issue scope

  • The issue may affect all users or only specific users attempting to log in using LDAP authentication.
  • The issue may affect all Application Servers or only specific Application Servers in your environment.
  • This troubleshooting guide is specific to LDAP authentication and does not cover issues with other supported authentication types, such as Domain, SRP, RSA, PKI, and Active Directory.

Diagnosing and reporting an issue

Work through the following tasks in order; each task states the action to take and the steps involved.

  1. Understand the problem scope.

     Check the error message that is displayed when you attempt to log in to TrueSight Server Automation using LDAP authentication.

     (Screenshots: example error messages from a failed LDAP authentication attempt.)

  2. Understand the problem scope.

     Confirm that other authentication types are working, to make sure that the issue is specific to LDAP authentication and not a widespread Application Server issue.

     • If SRP authentication also fails, the issue is related to the Application Server authentication service in general rather than to LDAP authentication only.
     • If other authentication types succeed (SRP, Domain Authentication), the issue is specific to LDAP authentication.


  3. Understand the problem scope.

     Has LDAP authentication previously worked in this environment, or is this the initial attempt at setting up LDAP authentication?


  4. Understand the problem scope.

     Is the issue affecting all users or only specific users? For example, is any user in the environment able to use LDAP authentication successfully?


  5. Understand the problem scope.

     If your environment contains multiple Application Servers, can users log in directly to any of them, or does the login issue occur only with specific Application Servers (CONFIG or ALL instance types)?


  6. Identify recent changes.

     If LDAP authentication was previously working in this environment, are there any known changes since the last time it worked? For example:

     • Upgrade
     • Addition or migration of Application Servers
     • Modification of LDAP servers (upgrade, patching, migration, or server replacement)
     • Certificate changes


  7. Capture configuration details.

     • Note the number and type (Job, Config, All) of Application Servers in the environment.
     • Record the output of the following blasadmin commands on each Application Server host:
       • blasadmin -a show auth all
       • blasadmin -a show ldap all


  8. Identify and locate the Application Server log files.

     The following Application Server log files can be used to troubleshoot LDAP authentication issues. They are located in the installDirectory/br/ directory on the Application Server:

     • appserver.log*
     • console.log*

     *If you have multiple Application Server deployments, these are the log file names of the default Application Server deployment. The log files of other deployments are prefixed with the deployment name followed by an underscore, for example jobservera_appserver.log or jobserverb_console.log.

     Collect the Application Server logs from each Application Server host. Note the exact time of a recent failed LDAP authentication attempt so that it can be cross-referenced with the collected logs.


  9. Analyze the errors found in the Application Server logs.

     Review the detailed error message in the Application Server logs relating to the failed LDAP authentication attempt. Refer to the "Resolutions for common issues" section for common errors that can cause LDAP authentication failures and how they are typically resolved.

     If you are unable to identify and resolve the problem, create a BMC Support case.


  10. Create a BMC Support case.

      Provide the following information and log files when creating a case with BMC Customer Support:

      • Scope of the issue
      • Any recent changes to the environment
      • Configuration details
      • Application Server logs
      • Export of Application Server details

Resolutions for common issues

Each entry below shows the error displayed in the console, the corresponding Application Server log message where applicable, and the action to take.

The following error is displayed in the TrueSight Server Automation console:

requested authentication method disabled on AuthSvc

This error suggests that the "auth IsLdapAuthEnabled" blasadmin setting is set to false on the Application Server that processes the LDAP authentication request.

Follow the steps in the referenced KA to check and update this setting on each Application Server that processes LDAP Authentication requests. An Application Server restart is required after updating IsLdapAuthEnabled.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

This error indicates that LDAP authentication is enabled but the user cannot be authenticated. Do the following:

  1. Check the Application Server log, which provides more information about the failure.
  2. Follow the steps in the referenced KA to locate the detailed error message that you can use for the next step of troubleshooting.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[25 Feb 2021 04:26:36,609] [Authentication-Service-Thread-3] [WARN] [::123.45.67.89] [Appserver] User1 is not a valid LDAP name.

[25 Feb 2021 04:26:36,609] [Authentication-Service-Thread-3] [INFO] [Sanjay::123.45.67.89] [Appserver] user authentication failed: User1

The "User1 is not a valid LDAP name" error indicates one of the following:

  • The specified user was not created or synced in the RBAC Manager.
  • The user was created in the RBAC Manager but with a different name than what was used during the authentication attempt.

In this example, the Application Server log shows that the user name was "User1". Do the following:

  1. Open the RBAC Manager and navigate to Users.
  2. Review the list of users to see if the user specified in the Application Server log is present and whether the user name is an exact match.
  3. Follow the steps in the referenced KA to locate the detailed error message that you can use for the next step of troubleshooting.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-3] [WARN] [::123.45.67.89] [Appserver] The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

This specific error usually indicates that the Application Server is not configured to use TLS v1.2.

Follow the steps in the referenced KA to further troubleshoot and resolve.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-4] [WARN] [::123.45.67.89] [Appserver] The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ldapserver1' does not match the hostname in the server's certificate.
..
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ldapserver1 found.

This specific error indicates a problem with the "subject alternative DNS name" defined in the certificate.

Follow the steps in the referenced KA to further troubleshoot and resolve.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-4] [WARN] [::123.45.67.89] [Appserver] The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.

javax.naming.ServiceUnavailableException: lab-domain.lab.com:636; socket closed

This error indicates that LdapServerURLs must point to LDAP version 3 servers that support the StartTLS extension. Port 636, which appears in the error, is typically used for LDAPS.

LDAP communication over SSL uses StartTLS. TrueSight Server Automation does support using LDAPS.

Follow the steps in the referenced KA to further troubleshoot and resolve.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-4] [WARN] [::123.45.67.89] [Appserver] The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Follow the steps in the referenced KA to further troubleshoot and resolve.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-1] [ERROR] [::xx.xx.xx.xx] [Appserver] Fail: ldapsearch : couldnt detect user in configured ldap locations: {}

[12 Jun 2020 09:15:34,764] [Authentication-Service-Thread-1] [DEBUG] [::xx.xx.xx.xx] [Appserver] Using enhanced LDAP authentication with the following values:
userSearchBaseDn =

Debug logging shows that userSearchBaseDn is blank.

Follow the steps in the referenced KA to further troubleshoot and resolve.

The following error is displayed in the TrueSight Server Automation console:

User authentication failed

The corresponding error message in the Application Server log:

[Authentication-Service-Thread-0] [ERROR] [::<host_IP>] [Appserver] Path does not chain with any of the trust anchors

[Authentication-Service-Thread-0] [WARN] [::<host_IP>] [Appserver] Could not validate CN=<...CN...>,OU=people,OU=group,DC=<...DC...>,DC=com
[Authentication-Service-Thread-0] [WARN] [::<host_IP>] [Appserver] Cannot establish a TLS connection with ldap://<host_name>:xxxx. Most likely cause is failed certificate validation.

Follow the steps in the referenced KA to further troubleshoot and resolve.
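Tasks 8 and 9 above and the resolutions in this section come down to the same routine: pull the Authentication-Service-Thread entries around the noted failure time out of appserver.log and match them against the known messages. The following Python script is an added example, not part of the BMC documentation or product: it parses the log line format quoted in this guide, joins exception and "Caused by:" continuation lines to the entry they belong to, and maps each entry to the resolution it points to. The sample log is constructed from the lines quoted above.

```python
import re
from datetime import datetime, timedelta
# Log line format quoted in this guide: [25 Feb 2021 04:26:36,609] [thread] [LEVEL] [user::ip] [Appserver] msg
LINE_RE = re.compile(r"^\[(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),\d{3}\] \[(?P<thread>[^\]]+)\] "
                     r"\[(?P<level>[A-Z]+)\] \[[^\]]*\] \[Appserver\] (?P<msg>.*)$")
TS_FMT = "%d %b %Y %H:%M:%S"
# Substrings from the "Resolutions for common issues" table; first match wins, so "socket closed" goes last.
KNOWN_ISSUES = [
    ("not a valid LDAP name", "user missing from RBAC Manager, or the name is not an exact match"),
    ("No subject alternative DNS name matching", "certificate SAN does not match the LdapServerURLs host name"),
    ("Remote host closed connection during handshake", "Application Server probably not configured for TLS v1.2"),
    ("No trusted certificate found", "LDAP server certificate is not trusted by the Application Server"),
    ("Path does not chain with any of the trust anchors", "certificate chain does not validate against the trust anchors"),
    ("couldnt detect user in configured ldap locations", "check userSearchBaseDn (blank in the DEBUG output)"),
    ("socket closed", "LdapServerURLs must point to LDAPv3 servers that support StartTLS, not an LDAPS port"),
]

def parse_appserver_log(text):
    """Split a log into entries; exception and 'Caused by:' lines join the entry above them."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "ts": datetime.strptime(m.group("ts"), TS_FMT)})
        elif entries and line.strip():  # continuation line without a log prefix
            entries[-1]["msg"] += "\n" + line.strip()
    return entries

def classify(msg):
    """Map an entry's full message (with continuations) to a known LDAP issue, or None."""
    return next((hint for needle, hint in KNOWN_ISSUES if needle in msg), None)

def triage(text, failed_at, window_seconds=60):
    """Authentication-Service-Thread entries within +/- window_seconds of the noted failure time."""
    centre = datetime.strptime(failed_at, TS_FMT)
    lo, hi = centre - timedelta(seconds=window_seconds), centre + timedelta(seconds=window_seconds)
    return [(e["ts"].strftime(TS_FMT), e["level"], classify(e["msg"]))
            for e in parse_appserver_log(text)
            if e["thread"].startswith("Authentication-Service-Thread") and lo <= e["ts"] <= hi]

# Constructed sample modelled on the log lines quoted in this guide (not a real capture).
SAMPLE_LOG = """\
[25 Feb 2021 04:26:36,609] [Authentication-Service-Thread-3] [WARN] [::123.45.67.89] [Appserver] User1 is not a valid LDAP name.
[25 Feb 2021 04:26:36,609] [Authentication-Service-Thread-3] [INFO] [Sanjay::123.45.67.89] [Appserver] user authentication failed: User1
[25 Feb 2021 04:30:12,001] [Authentication-Service-Thread-4] [WARN] [::123.45.67.89] [Appserver] The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'ldapserver1' does not match the hostname in the server's certificate.
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ldapserver1 found.
[25 Feb 2021 04:30:13,000] [Job-Execution-Thread-1] [INFO] [::123.45.67.89] [Appserver] unrelated job activity
"""
```

Calling triage(SAMPLE_LOG, "25 Feb 2021 04:26:40") returns the two entries within a minute of that time; an entry whose hint is None matches none of the known messages and is the one to quote in full in a support case.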