Symantec Access Management

 View Only
Expand all | Collapse all

CA SSO external authentication for Admin UI is not working as expected

Jump to Best Answer
  • 1.  CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 07, 2017 08:35 AM
      |   view attached

    I enabled external authentication (Active Directory) for CA SSO 12.7 by following the steps in attached document.

    Once Jboss is restarted, I tried logging in CA SSO Admin UI with the super user selected during the configuration process, and I could login successfully.

    After some point of time I tried logging in again with the same user, but this time I couldn't login.

    User is still valid and I could use the same user to login other applications.

    Not sure what has happened over the short time to make the login failed.

    Let me know if anyone has come across the same issue in the past.

    Attachment(s)



  • 2.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 07, 2017 08:37 AM

    Hi Lakshman,


    What do you have in the server.log?





  • 3.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 07, 2017 09:06 PM

    After the Admin UI starts up, there is nothing in the server.log

     

    2017-09-08 10:51:54,560 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 26 : Attempting to start SchedulerService
    2017-09-08 10:51:55,069 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 27 : Attempting to start environments
    2017-09-08 10:51:55,165 WARN  [ims.tmt.EnvironmentService] (MSC service thread 1-3) * Starting environment: CA Single Sign-On
    2017-09-08 10:51:55,794 WARN  [ims.tmt.WorkPointScriptsImportPlugin] (MSC service thread 1-3) WF is not enabled for environment: CA Single Sign-On
    2017-09-08 10:51:55,939 WARN  [ims.tmt.EnvironmentService] (MSC service thread 1-3) * Started environment: CA Single Sign-On
    2017-09-08 10:51:56,088 WARN  [ims.default] (MSC service thread 1-3) ** FIPS mode enabled : false
    2017-09-08 10:51:56,091 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 28 : Attempting to recover unprocessed events and runtime status details
    2017-09-08 10:51:56,092 WARN  [ims.default] (MSC service thread 1-3) * Startup Step 29 : Attempting to start ApplicationContextInitializer plug-ins
    2017-09-08 10:51:56,092 WARN  [ims.default] (MSC service thread 1-3) ---- CA IAM FW Startup Sequence Complete. ----
    2017-09-08 10:51:59,614 WARN  [ims.jdbc.JDBCManagedObjectProvider] (Thread-114) Finished pre-population of cache for 26 object types

     

    Error I am seeing on the screen is "Username and password do not match".
    But I am sure that this user is valid user and I am using correct credentials. With this user I can access emails and desktop.



  • 4.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 08, 2017 02:33 AM

    We need to check policy server trace log & network capture (ldap) to see why the authentication is failing ..



  • 5.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 12, 2017 04:38 AM

    Hi Ujwol,

     

    There is nothing in the smtrace logs regarding this login.

    Should I create a support ticket for this? so that we can have a close look at it.



  • 6.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 12, 2017 04:40 AM

    Yes, please create one



  • 7.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 12, 2017 04:48 AM

    Hi Lakshman,

     

    Policy server administrative UI running on RedHat Linux platform ?

     

    If so could you check the value of entropy?

     

    cat /proc/sys/kernel/random/entropy_avail

    or
    watch -n 1 cat /proc/sys/kernel/random/entropy_avail

     

    Refer : https://support.ca.com/us/knowledge-base-articles.tec1652849.html

     

    Regards,

    Leo Joseph.



  • 8.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 12:18 AM

    Hi Leo,

     

    Yes, PS Admin UI was running on RHEL. I checked the entropy value using "watch -n 1 cat /proc/sys/kernel/random/entropy_avail" command, and it was 143. Later I got the system admin to get this value increased to 4000. But still I am getting the same error "Error: Username and password do not match".

    Note: After changing the entropy value, I rolled back the changes in PS Admin UI to have the default Siteminder user enabled and then configured AD as a external authentication source.



  • 9.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 10:13 AM

    Lakshman,

     

    Your steps are looking correct, these are the exact steps which I followed to register and I don't face any issue.

     

    I would suggest you to give it a try by deleting "data, log, tmp & work" directories from jboss and re-registering it again.

     

    Steps to Re-register Admin UI 

     

    Regards

    Ashok



  • 10.  Re: CA SSO external authentication for Admin UI is not working as expected

    Broadcom Employee
    Posted Sep 13, 2017 09:10 PM

    Ashok,

     

    Whenever I roll back this change, I used to stop admin ui, delete the data dir, re-register adminui to PS and start the adminui.

    This time I tried deleting tmp and log dir in addition to data dir (there is no work dir), but still the same issue happens.

     

    --Lakshman



  • 11.  Re: CA SSO external authentication for Admin UI is not working as expected

    Posted Sep 14, 2017 12:49 PM

    When we configure External Authentication the information about the External Directory is stored in <Install_location>CA\siteminder\adminui\server\default\data\siteminder\directories folder in a *.xml file e.g. ActiveDirectory---15s78sd873.xml.

     

    The WAM UI has to first make a successful connection to the External Directory using the connection credential specified for the External Directory. 

     

    It seems like the credentials for the service account defined within the XML file is no longer valid. 

     

    The username / password that you use on WAMUI can be valid, but if the connection credentials in the XML are no longer valid - this will cause the issue.

     

    This the same credentials which is used in the external administrative authentication wizard. 

    Configure an External Administrator Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

     

    If that is also not the case, the only other thing I can think of at this moment is missing JCE.



  • 12.  Re: CA SSO external authentication for Admin UI is not working as expected
    Best Answer

    Broadcom Employee
    Posted Sep 18, 2017 02:26 AM

    I figured out the problem here with help of CA Support (Ujwol Shrestha).

    I was trying to login CA SSO Admin UI with "CN" of the user, whereas while configuring Administrative Authentication I was using sAMAccountName as "User ID" attribute.