R: Re: Intermittent AUTHENTICATION-200 with AD

R: Re: Intermittent AUTHENTICATION-200 with AD

mnhro@libero.it
Here are the steps to reproduce the problem:

1st Login attempt (fails with msg="exAuth" and "AUTHENTICATION-200" error in
the log)
2nd Login attempt (fails with msg="failAuth" and "AUTHENTICATION-200" error in
the log)
3rd Login attempt (success)

In all three attempts I use the same AD user.

Has anyone experienced a similar issue?


>----Original message----
>From: Peter Major <[hidden email]>
>Date: 15 Mar 2016 18:42
>To: "Users"<[hidden email]>
>Subject: Re: [OpenAM] Intermittent AUTHENTICATION-200 with AD
>
> > What can be the reason of such intermittent misbehavior?
>
>Using an almost 4 year old version?
>
>On 2016-03-15 18:35, [hidden email] wrote:
>>
>> I'm using OpenAM 10.0.0 with "LDAP" as authentication module which
>> connects to an Active Directory. I'm facing a strange issue: sometimes
>> the user login succeeds and sometimes fails with code
>> "AUTHENTICATION-200" (always using the same user!) and when this happens
>> I restart the OpenAM's Tomcat and the authentication is back working
>> normally. Then "AUTHENTICATION-200" problem occurs again, at a random
>> time from the last Tomcat restart.
>>
>>
>> What can be the reason of such intermittent misbehavior?
>_______________________________________________
>Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
>OpenAM mailing list
>[hidden email]
>https://lists.forgerock.org/mailman/listinfo/openam
>

Re: R: Re: Intermittent AUTHENTICATION-200 with AD

Paul Figura
Whenever I run into a problem that has seemingly random effects, I always start to look back towards the network.
  • How are you connected to the AD? IP or DNS?
  • Can the DNS switch between multiple repos for HA?
  • Is there a loadbalancer in front of your ADs? Maybe it's misconfigured?
  • Are there multiple users for whatever attribute you are logging in with? For example, if you are using email to authenticate and multiple users have the same email alias defined, AD could behave irrationally. (same goes for uid, but that's less likely)

Also, instead of using the LDAP auth module, maybe you should be using the AD auth module?

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   
Re: R: Re: Intermittent AUTHENTICATION-200 with AD

Marc Priebee

I’ve had this problem with version 10. It was the connection pooling to the LDAP directory. If you have firewalls between OpenAM and the directory, it is likely to silently drop connections with no activity. The next time OpenAM tries to use the connection, it fails. A restart re-establishes all the connection pools.

Upgrading to V11 will fix it, because you can set up keep-alives in the LDAP module and datastore.

Marc
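
Added example to illustrate the stale-pool explanation above (this is not code from the thread or from OpenAM; the pool size, the 300 s firewall idle timeout, the quiet hour and all names are assumptions). It models a small pool of directory connections behind a firewall that silently expires idle TCP state, shows the login pattern that produces, and then repeats the run with a keep-alive heartbeat on the pooled connections (the kind of setting referred to for OpenAM 11) and, as a generic pool-side alternative that is not claimed to be an OpenAM option, a health check on each connection before it is handed out:

```python
"""Added example (not code from the thread or from OpenAM): a toy model of an
LDAP connection pool behind a firewall that drops idle TCP sessions without
notifying either end. All sizes, timeouts and names are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    last_used: float      # simulated clock time of the last packet on this socket
    alive: bool = True    # False once the firewall has expired its state entry


class FirewallPool:
    """`size` pooled connections; the simulated firewall drops any connection
    that has been idle longer than `idle_timeout` seconds, silently."""

    def __init__(self, size, idle_timeout, validate_on_borrow=False,
                 keepalive_interval=None):
        self.idle_timeout = idle_timeout
        self.validate_on_borrow = validate_on_borrow
        self.keepalive_interval = keepalive_interval
        self.clock = 0.0
        self.next_id = 0
        self.pool = deque(self._new_conn() for _ in range(size))

    def _new_conn(self):
        self.next_id += 1
        return Conn(self.next_id, self.clock)

    def _firewall_sweep(self):
        for c in self.pool:
            if self.clock - c.last_used > self.idle_timeout:
                c.alive = False  # state entry expired; no RST or FIN is sent

    def advance(self, seconds):
        """Let simulated time pass with no logins. With a keep-alive interval
        configured, every idle connection sends a heartbeat each interval,
        which refreshes the firewall's idle timer for that session."""
        target = self.clock + seconds
        while self.clock < target:
            step = self.keepalive_interval or (target - self.clock)
            self.clock += min(step, target - self.clock)
            self._firewall_sweep()
            if self.keepalive_interval is not None:
                for c in self.pool:
                    if c.alive:
                        c.last_used = self.clock  # heartbeat seen by the firewall

    def login(self, user):
        """One bind attempt on a borrowed connection. Returns 'ok' or 'fail'."""
        conn = self.pool.popleft()
        if self.validate_on_borrow and not conn.alive:
            conn = self._new_conn()  # health check failed: replace before use
        if not conn.alive:
            # The first packet on a dropped session is reset or times out; the
            # auth module reports an error and the pool discards that socket.
            self.pool.append(self._new_conn())
            return "fail"
        conn.last_used = self.clock
        self.pool.append(conn)
        return "ok"


def simulate(size=2, idle_timeout=300, quiet_seconds=3600, **pool_opts):
    """Three logins while busy, a quiet period, then three more logins.
    Returns (results_while_busy, results_after_the_quiet_period)."""
    pool = FirewallPool(size, idle_timeout, **pool_opts)
    busy = [pool.login("aduser") for _ in range(3)]
    pool.advance(quiet_seconds)
    after_idle = [pool.login("aduser") for _ in range(3)]
    return busy, after_idle


if __name__ == "__main__":
    for label, opts in [("no keep-alive", {}),
                        ("keep-alive every 60s", {"keepalive_interval": 60}),
                        ("validate on borrow", {"validate_on_borrow": True})]:
        busy, after_idle = simulate(**opts)
        print(f"{label:22} busy={busy} after quiet hour={after_idle}")
```

Under this model the number of failed logins after the quiet period equals the number of dead connections in the pool: a pool of two gives two failures followed by a success, which is the pattern reported earlier in the thread, and a pool of three gives three failures. The practical check on a real deployment is to compare the firewall's idle session timeout with the heartbeat/keep-alive interval configured for the directory connections (the interval has to be shorter than the timeout), or to watch the firewall's state table for the OpenAM-to-AD sessions after a quiet period.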

 
