Symantec Access Management


CA SSO external authentication for Admin UI is not working as expected

  • 1.  CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 07, 2017 08:35 AM

    I enabled external authentication (Active Directory) for CA SSO 12.7 by following the steps in the attached document.

    Once JBoss was restarted, I tried logging in to the CA SSO Admin UI with the super user selected during the configuration process, and I could log in successfully.

    After some time I tried logging in again with the same user, but this time I couldn't log in.

    The user is still valid and I could use the same user to log in to other applications.

    Not sure what has happened over the short time to make the login fail.

    Let me know if anyone has come across the same issue in the past.




  • 2.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 07, 2017 08:37 AM

    Hi Lakshman,


    What do you have in the server.log?





  • 3.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 07, 2017 09:06 PM

    After the Admin UI starts up, there is nothing in the server.log

     

    2017-09-08 10:51:54,560 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 26 : Attempting to start SchedulerService
    2017-09-08 10:51:55,069 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 27 : Attempting to start environments
    2017-09-08 10:51:55,165 WARN  [ims.tmt.EnvironmentService] (MSC service thread 1-3) * Starting environment: CA Single Sign-On
    2017-09-08 10:51:55,794 WARN  [ims.tmt.WorkPointScriptsImportPlugin] (MSC service thread 1-3) WF is not enabled for environment: CA Single Sign-On
    2017-09-08 10:51:55,939 WARN  [ims.tmt.EnvironmentService] (MSC service thread 1-3) * Started environment: CA Single Sign-On
    2017-09-08 10:51:56,088 WARN  [ims.default] (MSC service thread 1-3) ** FIPS mode enabled : false
    2017-09-08 10:51:56,091 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 28 : Attempting to recover unprocessed events and runtime status details
    2017-09-08 10:51:56,092 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 29 : Attempting to start ApplicationContextInitializer plug-ins
    2017-09-08 10:51:56,092 WARN  [ims.default] (MSC service thread 1-3) ---- CA IAM FW Startup Sequence Complete. ----
    2017-09-08 10:51:59,614 WARN  [ims.jdbc.JDBCManagedObjectProvider] (Thread-114) Finished pre-population of cache for 26 object types

     

    The error I am seeing on the screen is "Username and password do not match".
    But I am sure that this user is a valid user and I am using the correct credentials. With this user I can access emails and desktop.



  • 4.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 08, 2017 02:33 AM

    We need to check the policy server trace log & network capture (LDAP) to see why the authentication is failing.



  • 5.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 12, 2017 04:38 AM

    Hi Ujwol,

     

    There is nothing in the smtrace logs regarding this login.

    Should I create a support ticket for this, so that we can have a close look at it?



  • 6.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 12, 2017 04:40 AM

    Yes, please create one



  • 7.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 12, 2017 04:48 AM

    Hi Lakshman,

     

    Is the Policy Server administrative UI running on a Red Hat Linux platform?

     

    If so, could you check the value of entropy?

     

    cat /proc/sys/kernel/random/entropy_avail

    or
    watch -n 1 cat /proc/sys/kernel/random/entropy_avail

     

    Refer: https://support.ca.com/us/knowledge-base-articles.tec1652849.html

     

    Regards,

    Leo Joseph.



  • 8.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 12:18 AM

    Hi Leo,

     

    Yes, PS Admin UI was running on RHEL. I checked the entropy value using "watch -n 1 cat /proc/sys/kernel/random/entropy_avail" command, and it was 143. Later I got the system admin to get this value increased to 4000. But still I am getting the same error "Error: Username and password do not match".

    Note: After changing the entropy value, I rolled back the changes in PS Admin UI to have the default Siteminder user enabled and then configured AD as an external authentication source.



  • 9.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 10:13 AM

    Lakshman,

     

    Your steps look correct; these are the exact steps which I followed to register, and I don't face any issue.

     

    I would suggest you give it a try by deleting the "data, log, tmp & work" directories from JBoss and re-registering it.

     

    Steps to Re-register Admin UI 

     

    Regards

    Ashok



  • 10.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 09:10 PM

    Ashok,

     

    Whenever I roll back this change, I used to stop admin ui, delete the data dir, re-register adminui to PS and start the adminui.

    This time I tried deleting tmp and log dir in addition to data dir (there is no work dir), but still the same issue happens.

     

    --Lakshman



  • 11.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 14, 2017 12:49 PM

    When we configure External Authentication, the information about the External Directory is stored in the <Install_location>CA\siteminder\adminui\server\default\data\siteminder\directories folder in a *.xml file, e.g. ActiveDirectory---15s78sd873.xml.

     

    The WAM UI has to first make a successful connection to the External Directory using the connection credentials specified for the External Directory.

     

    It seems like the credentials for the service account defined within the XML file are no longer valid.

     

    The username / password that you use on WAM UI can be valid, but if the connection credentials in the XML are no longer valid, this will cause the issue.

     

    These are the same credentials that are used in the external administrative authentication wizard.

    Configure an External Administrator Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

     

    If that is also not the case, the only other thing I can think of at this moment is missing JCE.



  • 12.  Re: CA SSO external authentication for Admin UI is not working as expected
    Best Answer

    Broadcom Employee
    Posted Sep 18, 2017 02:26 AM

    I figured out the problem here with the help of CA Support (Ujwol Shrestha).

    I was trying to log in to the CA SSO Admin UI with the "CN" of the user, whereas while configuring Administrative Authentication I was using sAMAccountName as the "User ID" attribute.
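
The root cause in the best answer, as an added example that is not part of the thread and not CA SSO code: a lookup keyed on the configured "User ID" attribute finds no entry when the user types their CN, even though the account is valid. The directory entries, the `example.com` names and the helper functions are constructed for illustration.

```python
# Added illustration; entries and function names are constructed, not CA SSO code.

# Characters that RFC 4515 requires to be escaped in a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory entries (attribute names as in Active Directory).
DIRECTORY = [
    {"dn": "CN=Jane Admin,OU=Staff,DC=example,DC=com",
     "cn": "Jane Admin", "sAMAccountName": "jadmin"},
    {"dn": "CN=Sam Ops,OU=Staff,DC=example,DC=com",
     "cn": "Sam Ops", "sAMAccountName": "sops"},
]

def build_filter(user_id_attr, login_name):
    """Build the equality filter a lookup keyed on user_id_attr would send."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in login_name)
    return f"({user_id_attr}={escaped})"

def find_user(entries, user_id_attr, login_name):
    """Return the DN whose user_id_attr equals login_name (case-insensitive)."""
    for entry in entries:
        if entry.get(user_id_attr, "").lower() == login_name.lower():
            return entry["dn"]
    return None

def diagnose(entries, user_id_attr, login_name):
    """Explain a failed lookup: did the name match a different attribute?"""
    dn = find_user(entries, user_id_attr, login_name)
    if dn:
        return f"found {dn}"
    for entry in entries:
        for attr, value in entry.items():
            if attr in ("dn", user_id_attr):
                continue
            if value.lower() == login_name.lower():
                return (f"no entry for {build_filter(user_id_attr, login_name)}; "
                        f"'{login_name}' is the {attr} of {entry['dn']}, "
                        f"log in with {user_id_attr}={entry[user_id_attr]}")
    return f"no entry for {build_filter(user_id_attr, login_name)}"

if __name__ == "__main__":
    # User ID attribute configured as sAMAccountName, as in the thread.
    for name in ("jadmin", "Jane Admin", "nobody"):
        print(name, "->", diagnose(DIRECTORY, "sAMAccountName", name))
```
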