
Active IQ Unified Manager Discussions

First LDAP connection failed then works...

jmalghem2009

Hello,

I have a strange problem with all my 5 WFA servers connected to Active Directory for authentication.

When a user tries to log on for the first time since the browser was opened, the authentication fails with the message: "The username or password is incorrect"

If the user retries one more time, the authentication works fine.

I have the same problem on different servers connected to different domains. All are Windows 2008 R2.

The logon failure generates the following message in server.log (nothing in wfa_ldap.log):

2013-04-08 17:45:29,603 BST ERROR [org.jboss.web.tomcat.security.JBossWebRealm] (http-0.0.0.0-80-4) Error during authenticate
java.lang.IllegalStateException: Security Context has not been set
    at org.jboss.web.tomcat.security.SecurityAssociationActions$SetPrincipalInfoAction.run(SecurityAssociationActions.java:70)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.web.tomcat.security.SecurityAssociationActions.setPrincipalInfo(SecurityAssociationActions.java:270)
    at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:388)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:383)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:722)

Any help will be appreciated.

Thanks,

Julien


korman

Hi everyone,

Just to tie some loose ends on this topic:

This issue has been treated and will be solved in our upcoming release, due to be released later this year.

Many thanks to all the contributors to understanding and solving this issue!!!

dburkland

Thank you for following up on this!

francoisbnc

Hi,

Probably a misunderstanding, but the fix will be released only at the end of the year?

It's very annoying.

Regards,

francois

korman

No Francois,

Not end of year, just later this year.

Sasha

GARDINEC_EBRD

Having the exact same problem here.  Did anyone ever find a solution?  First login attempt via LDAP/AD fails every time.  Second attempt is OK.

Thanks,

Craig

korman

Hi Craig,

We are trying to fix this issue, but unfortunately we are unable to reproduce it in our lab.

Please contact me if you would like to try a custom version that will help us find the problem.

My mail is korman at netapp.com

Thanks,

Sasha

WFA Team

ostiguy

I don't believe the WFA team has a solution yet.

If you want to try what OCI 6.3.3 and higher are doing, back up your login-config.xml file, and then edit it:

<!--  Authenticate and Authorization through database -->
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
    <module-option name="dsJndiName">java:/jboss-mysql-ds</module-option>
    <module-option name="principalsQuery">select password from wfa.user where name=? and user_role_type != 'Backup'</module-option>
    <module-option name="rolesQuery">select r.ejb_role, 'Roles' from wfa.user u, wfa.user_role_to_ejb_role r where u.name=? and u.user_role_type=r.user_role_type</module-option>
    <module-option name="hashAlgorithm">SHA-1</module-option>
    <module-option name="hashEncoding">base64</module-option>
    <module-option name="unauthenticatedIdentity">guest</module-option>
</login-module>

<!--  Authenticate using LDAP -->
<login-module code="com.netapp.wfa.ldap.LdapLoginModule" flag="sufficient">
    <module-option name="daoJndiName">wfa-0.5/LdapUsersDaoImpl/local</module-option>
</login-module>

I think you will find that in your existing file, the LDAP section is above the database section. Simply switch the two, so LDAP is tried second. It seems somewhat nonintuitive, but this may be the fix.
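As an added example (not code from ostiguy's post or from the WFA product), a small Python script that lists the login modules of a login-config.xml in the order JAAS evaluates them and rewrites the file so the database module comes before the LDAP module, as the post describes. The sample fragment is constructed from the two modules quoted above; the enclosing <policy>/<application-policy> elements and the policy name are assumed from JBoss 5 conventions and are not on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the thread's file: the two modules quoted in the post, in
# the "LDAP first" order the post says most installs have. The <policy> and
# <application-policy> wrappers and the policy name are assumed (JBoss 5 layout).
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="EXAMPLE-POLICY-NAME">
    <authentication>
      <login-module code="com.netapp.wfa.ldap.LdapLoginModule" flag="sufficient">
        <module-option name="daoJndiName">wfa-0.5/LdapUsersDaoImpl/local</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/jboss-mysql-ds</module-option>
        <module-option name="hashAlgorithm">SHA-1</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"


def module_order(xml_text):
    """Return [(code, flag), ...] in document order, which is the order JAAS
    evaluates the modules of each <authentication> block."""
    root = ET.fromstring(xml_text)
    return [(m.get("code"), m.get("flag")) for m in root.iter("login-module")]


def reorder_database_first(xml_text):
    """Move the DatabaseServerLoginModule ahead of the other modules in every
    <authentication> block (the ordering the post attributes to OCI 6.3.3) and
    return the rewritten XML. Module codes, flags and options are kept verbatim."""
    root = ET.fromstring(xml_text)
    for auth in root.iter("authentication"):
        modules = auth.findall("login-module")
        db = [m for m in modules if m.get("code") == DB_MODULE]
        if not db:
            continue  # no database module in this policy, nothing to reorder
        for m in modules:
            auth.remove(m)
        for m in db + [m for m in modules if m not in db]:
            auth.append(m)
    return ET.tostring(root, encoding="unicode")
```

Write the returned text to a new file and diff it against your backup before replacing the original.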

korman

Hi Ostiguy,

Thank you for this solution proposal.

We've tried this solution with a number of customers, but unfortunately it does not help.

Thanks,

Sasha

ostiguy

I believe the fix for OCI was to switch the order of login modules in login-config.xml.

If someone could email me ( ostiguy at netapp dot com ) their login-config.xml, I could take a look and offer a suggestion.

dburkland

I also sent you an email with my current WFA "login-config.xml" config file.

Thanks!


Dan

korman

Hi Ostiguy,

I'll send you the config file.

Thanks,

Sasha

niels

Interesting that OCI has been mentioned. I see similar behavior with my OC Report instance, which basically uses the same engine as OCI.

And I too have seen it with my WFA installation, but it appears to occur randomly.

regards, Niels

dburkland

I am also experiencing this issue. Hopefully somebody from the WFA team can provide some insight on how to resolve this.

sinhaa

Hi Julien and Dan,

I'm unable to reproduce the problem with the information you have given. Can you provide a bit more detail on this?

1. What are the login attributes you are using? Are they the same as what's provided in the default setup?

2. How are you trying to log in? Is it by "DOMAIN\username" or just "username"?

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

dburkland

Hi Sinhaa,

1. Login Attributes ->

2. We are logging in using "DOMAIN\username"

This issue happens every single time a user logs in.

Thanks,

Dan

korman

Hi Dan, Julien and jmalghem2009

I've created a custom login module configuration as per ostiguy's suggestion.

Please send me your mail if you want to try it and I'll send you the instructions.

My mail is: korman at netapp dot com

Thanks,

Sasha

OPTEAMAPROJET

Hello sinhaa,

1. My configuration uses 2 Active Directory servers with FQDN name. I tried with IP address with no luck. (Screen capture attached). Servers are separated by comma.

2. We are using DOMAIN\username to login.

Thanks,

Julien

We were having the same issue. What resolved it for us is to use "LDAP server: ldap://<FQDN>", with no specific DC or AD servers. It seems to work. I will be testing it with multiple users this weekend and next week.

korman

Hi Shalin,

Have you tried to run it against multiple LDAP servers, i.e. ldap://<FQDN1>, ldap://<FQDN2>?

Thanks,

Sasha

sinhaa

Nothing looks wrong here. But with similar configuration, I'm still unable to hit this problem. I need some more information.

Does it happen all the time? I mean, every single time you try to log in as an LDAP user, the first attempt will necessarily fail and the second one will pass. Is this correct?

Does it happen for all users or only users in a specific WFA user group?

What browser are you using? Do you suspect an old browser cache is causing it perhaps? Clear the browser cache and try.

Is your LDAP configured over SSL?
