AMS LDAP user cannot login: "Authentication Failed. Please retry or contact the administrator."

Article ID: KB0072977

Products: TIBCO Streaming
Versions: 10.6 and later

Description

Login to TIBCO Artifact Management Server fails with the error message:
"Authentication Failed. Please retry or contact the administrator."

Issue/Introduction

Provides troubleshooting guidance for the case where AMS LDAP authentication fails.

Resolution

First, enable DEBUG level logging in the AMS server, as discussed in KB article 000045262. Then consider the following possible causes and related AMS log entries that identify each cause.
  • The username or password supplied by the user is incorrect.
2021-10-01 07:41:11.967 DEBUG (qtp1558127130-52) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'CN=User One,OU=Users,DC=example,DC=com': 
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, 
comment: AcceptSecurityContext error, data 52e, v4563]

2021-10-01 10:41:23.405 DEBUG (qtp1938456924-47) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'uid=user1,ou=users,ou=system': javax.naming.AuthenticationException: 
[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=user1,ou=users,ou=system]
In the two messages above, we can see that the user's full distinguished name (DN) is found in the LDAP system, but the credentials could not be verified.
2021-10-01 10:42:19.411 DEBUG (qtp1938456924-74) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'user3': javax.naming.InvalidNameException: 
[LDAP: error code 34 - Incorrect DN given : user3 (0x75 0x73 0x65 0x72 0x33 ) is invalid]
This message reveals that AMS could not resolve the user's full DN, since only the bare username 'user3' appears in the log message. In this case, 'user3' did not actually exist in the LDAP system.
  • The selected principalRoot attribute is incorrect.
2021-10-01 10:43:47.058 DEBUG (qtp2121754508-52) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - 
Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]
Again, this message reveals that AMS could not resolve the user's full DN. However, in this case 'user1' is a valid LDAP user. Here, shortening the principalRoot is expected to resolve the issue. For example, change principalRoot from "ou=User Group A,dc=example,dc=com" to just "dc=example,dc=com".
  • The principalRoot value has a typo.
2021-10-01 08:58:49.692 WARN  (qtp1630986748-52) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - 
Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - 
user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1), [LDAP: error code 32 - 
0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=example,DC=com'
]
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: 
DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=example,DC=com'
]
Here, we see a 'NameErr', indicating that the value of principalRoot is wrong (and does not exist in LDAP).
2021-10-01 10:45:13.682 WARN  (qtp903663666-52) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - 
Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1, 
rememberMe=true (0:0:0:0:0:0:0:1), [LDAP: error code 32 - NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST
Message ID : 2
    SearchRequest
        baseDn : 'ou=sysstem'
        filter : '(&(objectClass=*)(uid=user1))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : no limit
        Deref Aliases : deref Always
        attributes :
org.apache.directory.api.ldap.model.message.SearchRequestImpl@80e86995: ERR_268 Cannot find a partition for ou=sysstem]
Here, we see a different format for the same LDAP error code (32), which clearly shows the typo in the baseDn (i.e., the value should be 'ou=system', not 'ou=sysstem').
  • The selected principalSearch attribute (or its binding) is incorrect.
2021-10-01 09:44:49.329 WARN  (qtp1161209621-54) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - 
Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, 
rememberMe=true (0:0:0:0:0:0:0:1), number exceeds argument list: 1
Here, the selected principalSearch attribute is incorrectly bound using ={1}, meaning it will be bound to a corresponding distinguished name (DN). For this LDAP system, the principalSearch value should use ={0} instead. For example:
principalSearch = "mail={0}"
2021-10-01 10:46:56.986 DEBUG (qtp1938456924-50) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - 
Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]
Similar to the case shown above, this message reveals that AMS could not resolve the user's full DN, even though 'user1' is a valid LDAP user. If you've already verified that the principalRoot value is correct, try setting principalSearch to a different attribute (such as 'mail', 'uid', or 'cn'). Consult with your LDAP administrator as needed.
  • The principalSearch value has a typo.
2021-10-01 10:58:10.174 DEBUG (qtp1630986748-54) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - 
Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - 
Incorrect DN given : user1 (0x75 0x73 0x65 0x72 0x31 ) is invalid]
A typo in the principalSearch value causes the same behavior as in the cases above, and results in the same log message.
  • The roleRoot value has a typo.
2021-10-01 09:17:06.638 DEBUG (qtp903663666-50) com.tibco.ep.ams.auth.AMSAuthenticationFilter:468 - 
login failed with token org.apache.shiro.authc.UsernamePasswordToken - 
user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1)
Here, the AMSAuthenticationFilter class is emitting the message, which means the LDAP search filter being used is incorrect. In this case, that is due to a typo in the roleRoot value.
  • The selected roleAttribute attribute is incorrect.
2021-10-01 11:05:42.414 DEBUG (qtp1289213409-51) com.tibco.ep.ams.auth.AMSAuthenticationFilter:468 - 
login failed with token org.apache.shiro.authc.UsernamePasswordToken - 
user1@example.com, rememberMe=true (0:0:0:0:0:0:0:1)
Again, the AMSAuthenticationFilter class is emitting the message, which means the LDAP search filter being used is incorrect. In this case, the roleAttribute needed to be changed.
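As an added triage example (not part of this KB article and not TIBCO tooling), the following Python splits a DEBUG-level AMS log into entries and maps each one to the likely cause listed above, using the log shapes shown on this page. The sample log is constructed for the example, and the cause labels are the example's own wording.

```python
import re

# Constructed sample of an AMS log at DEBUG level (not real server output); the
# entry shapes mirror the cases above, and continuation lines carry no timestamp.
SAMPLE_LOG = """\
2021-10-01 10:41:23.405 DEBUG (qtp1-47) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'uid=user1,ou=users,ou=system': javax.naming.AuthenticationException:
[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed]
2021-10-01 10:43:47.058 DEBUG (qtp1-52) com.tibco.ep.ams.auth.AMSLdapContextFactory:84 - Error getting LDAP context for user 'user1': javax.naming.InvalidNameException: [LDAP: error code 34 - Incorrect DN given : user1 is invalid]
2021-10-01 10:45:13.682 WARN  (qtp1-52) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1, rememberMe=true, [LDAP: error code 32 - NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST
        baseDn : 'ou=sysstem'
2021-10-01 09:44:49.329 WARN  (qtp1-54) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:90 - Error authenticating with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true, number exceeds argument list: 1
2021-10-01 09:17:06.638 DEBUG (qtp1-50) com.tibco.ep.ams.auth.AMSAuthenticationFilter:468 - login failed with token org.apache.shiro.authc.UsernamePasswordToken - user1@example.com, rememberMe=true
"""

# A new entry starts with a timestamp; any other line continues the previous entry.
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ")

def entries(text: str) -> list:
    """Split the log into entries, joining continuation lines onto their timestamped line."""
    out: list = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += "\n" + line
    return out

def classify(entry: str) -> str:
    """Map one AMS log entry to the likely cause, following the cases described above."""
    code = re.search(r"error code (\d+)", entry)
    code = int(code.group(1)) if code else None
    user = re.search(r"for user '([^']*)'", entry)
    if code == 49:
        return "bad username/password (DN resolved, bind rejected)"
    if code == 34 and user and "=" not in user.group(1):
        # Only the bare login name is logged: AMS never built a DN for it.
        return "user DN not resolved: check username, principalRoot, principalSearch"
    if code == 32:
        base = re.search(r"baseDn : '([^']*)'", entry)
        return "principalRoot not found in LDAP" + (f" (baseDn {base.group(1)!r})" if base else "")
    if "number exceeds argument list" in entry:
        return "principalSearch binds {1}; this directory needs {0}"
    if "AMSAuthenticationFilter" in entry and "login failed" in entry:
        return "role lookup failed: check roleRoot and roleAttribute"
    return "unclassified"

def triage(text: str) -> list:
    return [classify(e) for e in entries(text)]
```

Run `triage` over the output of the AMS log file after enabling DEBUG logging; entries it reports as "unclassified" are not covered by the cases on this page.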