Skyline


Active directory authentication

  • 1.  Active directory authentication

    Posted Jun 14, 2018 01:31 PM

    I was trying to enable Active Directory authentication on my v1.2 Skyline appliance.

    It seems to take the settings (there is a weird UI bug on that settings page where I will change the values, hit Save, and receive an error that nothing has changed on the page).

    After applying the settings I attempt to login to the collector with a member of the AD group that I granted access and I get an invalid credentials error.

    Does the appliance have the ability to connect to more than one DC?

    Is there a log on the appliance I can look at to see what is preventing the auth?

    Thanks

    -Chris

    EA 111957025

    Message was edited by: Chris Bujak



  • 2.  RE: Active directory authentication

    Posted Jun 14, 2018 02:06 PM

    Hi Chris

    I understand that we have issues integrating AD with the Skyline appliance. Can you please share the screenshot of the UI error while saving the configuration? The logs for the collector appliance are located in /var/log/skyline/collector.log.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 3.  RE: Active directory authentication

    Posted Jun 14, 2018 07:03 PM

    OK, dumb question. How do I SSH into the appliance? It is not taking the root password that I used when deploying.

    I was able to get into the VAMI interface yesterday with the same password.

    Using the root account: SSH gives me a permission denied. Login through the Console UI states that the account is locked due to bad password attempts. VAMI reports "Unable to connect to server. Please try again"

    I'm interested in seeing what the log is so I can troubleshoot this AD auth.

    I'm also wondering how this is doing the account lookups. There was no method to add the Skyline appliance to the Domain; LDAP look-ups require credentials, and I don't see a place to provide these credentials.

    The AD settings save error happens when I edit the existing information there and click save. It reports that no changes have been made.

    Original settings:

    I edited the DC information and received the error below:



  • 4.  RE: Active directory authentication

    Posted Jun 14, 2018 08:48 PM

    Hi Chris

    Thanks for the information. I will check this internally and update you on the progress.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 5.  RE: Active directory authentication

    Posted Jun 15, 2018 02:48 PM

    Hi Chris,

    I have checked with our engineering team and they confirmed only Kerberos (GSSAPI) is allowed. If AD doesn't support it, login would fail.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 6.  RE: Active directory authentication

    Posted Jun 15, 2018 03:38 PM

    I was able to get a terminal session into the Skyline appliance and I did a grep on the /var/log/skyline/collector.log and the only reference to the domain is the account used to authenticate into the vCenters.

    I do not see the failed login attempt in the log.



  • 7.  RE: Active directory authentication

    Posted Jun 18, 2018 05:40 PM

    Hi Chris,

    Thanks for the response. Can you please confirm whether Kerberos (GSSAPI) is allowed in your AD environment?

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 8.  RE: Active directory authentication

    Posted Jun 22, 2018 02:50 PM

    Kerberos (GSSAPI) is allowed in our environment.

    I asked the AD team and they suggested that it should support "AES256 encryption type for kerberos".

    I have specified port 636 (LDAPS) as the port to connect to AD. Should I be using the Kerberos ports?

    I checked with the firewall team and both LDAPS (TCP 636) and Kerberos (TCP/UDP 88, & TCP/UDP 464) are open to our Domain Controllers from the Skyline appliance.

    The AD team also asked if we needed to add the root certificate authority for the certs used in our domain. Could this be preventing connectivity?

    I have not seen any attempts to connect to the domain controller in the logs. Is there a specific log I should be watching? Do I need to increase the log level?



  • 9.  RE: Active directory authentication

    Posted Jun 22, 2018 03:04 PM

    Hi Chris,

    Thanks for the response. Please try using port 88 and check the connectivity.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 10.  RE: Active directory authentication

    Posted Jun 22, 2018 08:36 PM

    I tried port 88 and had no luck.

    Is there a log I can check to see what is happening?



  • 11.  RE: Active directory authentication

    Posted Jun 22, 2018 10:40 PM

    Hi Chris ,

    Thanks for the response. I will check this with our engineering team and will update you on the progress by Monday.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 12.  RE: Active directory authentication

    Posted Jun 26, 2018 08:44 PM

    Hi Chris

    Can we try using port number 389 and check the AD login again?

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 13.  RE: Active directory authentication

    Posted Jun 27, 2018 07:11 PM

    I used 389 and I was still not able to authenticate with a domain account.

    So far I tried LDAP (389), LDAPS (636), and Kerberos (88). And I have tried pointing directly to one Domain controller, the domain FQDN.  I have added users directly, and groups. 

    I have attempted to logon with DOMAIN\username as well as username@domain.

    I'm upgrading to V1.3 right now to see if that changes anything.

    I'm going to keep asking: what log file can I look in on the appliance to determine what it is doing when attempting AD auth? Instead of just changing values, I expect the logs will have a failure that will point us to a resolution. Please let me know where to look, or confirm that this information is not logged.



  • 14.  RE: Active directory authentication

    Posted Jun 27, 2018 08:33 PM

    Hi Chris,

    Thanks for the update. I have confirmed that collector.log will not have any information with regard to AD configuration. I will check with our engineering team and let you know how we can proceed on this issue.

    Regards

    Yuvaraj.

    Skyline Support Moderator.



  • 15.  RE: Active directory authentication

    Posted Jun 27, 2018 09:54 PM

    Hi Chris,

    We would need to enable debug logging for the collector for further troubleshooting. Please find the steps below:

    1. Log in to the Skyline collector appliance via SSH (or console) as root

    2. Navigate to /usr/local/skyline/ccf/config/

    3. Make a backup of the collector.properties file

    4. Open the file collector.properties

    5. Change the value logger.level=INFO to logger.level=DEBUG

    6. Save changes and restart the collector service (systemctl restart ccf-collector)

    Reproduce the issue and check the logs. Please change the logging level to info after reproducing the issue.

    Regards,

    Yuvaraj.

    Skyline Support Moderator
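
Steps 3 to 6 of the post above as a script, added here as an example; it is not part of the original post and is not VMware tooling. The file path and service name are the ones given in the post; the function names and the `.bak` backup suffix are assumptions.

```shell
#!/bin/sh
# Path and service name come from the steps in the post above.
CONF_DEFAULT=/usr/local/skyline/ccf/config/collector.properties

# current_log_level FILE -> prints the value of the logger.level key
current_log_level() {
    sed -n 's/^logger\.level=\(.*\)$/\1/p' "$1" | tail -n 1
}

# set_log_level FILE LEVEL -> back up FILE once, rewrite logger.level, verify
set_log_level() {
    file=$1
    level=$2
    case $level in
        INFO|DEBUG) ;;
        *) echo "unsupported level: $level" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    grep -q '^logger\.level=' "$file" || {
        echo "no logger.level key in $file" >&2; return 1; }
    # Step 3: keep the first backup so repeated runs never overwrite
    # the pristine copy with an already edited file.
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    # Step 5: edit a temp copy, then write it back through the existing
    # file so its owner and mode stay as the appliance set them.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    sed "s/^logger\.level=.*/logger.level=$level/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    # Succeed only if the file now really carries the requested level.
    [ "$rc" -eq 0 ] && [ "$(current_log_level "$file")" = "$level" ]
}

# Step 6: restart the collector service so the new level takes effect.
restart_collector() {
    systemctl restart ccf-collector
}

# On the appliance, as root:
#   set_log_level "$CONF_DEFAULT" DEBUG && restart_collector
#   ... reproduce the failed login, read /var/log/skyline/collector.log ...
#   set_log_level "$CONF_DEFAULT" INFO && restart_collector
```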



  • 16.  RE: Active directory authentication

    Posted Jul 03, 2018 02:34 PM

    I have increased the Logging level to DEBUG and I'm not seeing anything AD related in the collector.log file.

    The events I'm witnessing all have to do with saving event data and uploading to the vcsa.vmware address.

    I'm having problems authenticating with any account on the appliance. 

    I navigate to https://<skylineIPaddress>/login and enter the admin credentials or my AD credentials and click the Log In button and receive no response.

    I have a console session into the appliance and the CPU load is <2% and memory is <25%.

    Restarting the appliance or the services on it does not have any impact.

    I'm running v1.3 of the appliance.



  • 17.  RE: Active directory authentication

    Posted Jul 03, 2018 03:11 PM

    Hi Chris

    I have raised a bug with our engineering team. I will keep you posted on updates.

    Regards,

    Yuvaraj.

    Skyline Support Moderator



  • 18.  RE: Active directory authentication

    Posted Jul 03, 2018 05:20 PM

    Hi Chris,

    I would need details for further investigation:

    1. What is the configured allowed groups list?

    2. What is the configured allowed users list?

    3. What is the username used during the login attempt?

    4. Collector.log with debugging enabled

    Regards,

    Yuvaraj.

    Skyline Support Moderator.



  • 19.  RE: Active directory authentication

    Posted Jul 03, 2018 05:26 PM

    Yuvaraj,

    I will reply with this information in a Private message.



  • 20.  RE: Active directory authentication

    Posted Jul 03, 2018 05:36 PM

    Yuva_1990 I tried sending you a private message but I am getting errors on this site when hitting the send button. Is there another way to get you a message?



  • 21.  RE: Active directory authentication

    Posted Jul 03, 2018 05:46 PM

    Hi Chris,

    I have sent you a PM with my contact details. Please respond to that.

    Regards

    Yuvaraj

    Skyline Support Moderator



  • 22.  RE: Active directory authentication
    Best Answer

    Posted Aug 06, 2018 08:56 PM

    This issue might be related to the customer's environment, which does not support Kerberos anonymous authentication. LDAP authentication is supported in future releases, which is an alternate solution for configuring AD.



  • 23.  RE: Active directory authentication

    Posted Aug 07, 2018 12:42 PM

    Thank you Yuva.

    I look forward to the LDAP authentication feature.