Service Virtualization


LDAP/AD integration Bad Credential Error

  • 1.  LDAP/AD integration Bad Credential Error

    Posted Apr 18, 2016 06:48 PM

    Getting Bad Credentials Error. Please assist with the resolution. Thanks.



  • 2.  Re: LDAP/AD integration Bad Credential Error

    Posted Apr 19, 2016 12:21 AM

    Hi,

     

    Please post authentication-provider.xml here. Otherwise the only thing I can say is that you have a bad credential.

     

    Thanks

    -Tan



  • 3.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted Apr 19, 2016 09:02 AM

    More info please- 

    - just for a particular user or for all users?

    - DevTest version

    - did it work before or just connected to LDAP/AD and does not work?



  • 4.  Re: LDAP/AD integration Bad Credential Error

    Posted May 04, 2016 03:39 PM

    Hi Koustubh,

     

    1. Issue is for all users

    2. Using DevTest 9.1

    3. Just connected to AD/LDAP and it does not work. But if we put the properties in the local.properties file then it works.

     

    We have implemented current solution with local.properties configuration where users are authenticated, will be added to DevTest console on successful authorization and roles are managed in DevTest. Please suggest if you have any resolution to this issue - xml based LDAP ?

     

    Here is my authentication-provider.xml which is having Bad Credentials error -

    ...

      autoAddUsers="true"

      authenticateOnly="false"

      enabled="true"

      type="LDAP"

      defaultRole="Guest"

      rejectUnmappedUsers="true">

      <url>ldap://*********.com</url>

      <user-dn>CN=XXXX,CN=Users,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx</user-dn>

      <user-password>{cry}******************</user-password>

      <user-dn-pattern>CN={0},CN=Users,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx</user-dn-pattern>

      <user-search-base>DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx</user-search-base>

      <user-search-filter>(&amp;(objectClass=user)(sAMAccountName={0}))</user-search-filter>

    </authentication-provider>

     

    Here are my properties in local.properties, which are working fine.

     

    lisa.acl.auth.module.impl=com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule

    lisa.acl.ldap.ldapUrl=ldap://*********.com

    lisa.acl.ldap.securityPrincipal=CN=XXXX,CN=Users,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx

    lisa.acl.ldap.securityCredential_enc=******************

    lisa.acl.ldap.securityAuthentication=simple

    lisa.acl.ldap.baseContext=DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx

    lisa.acl.ldap.userSearchFilter=(objectClass=user)

    lisa.acl.ldap.usernameAttribute=sAMAccountName

    lisa.acl.ldap.userSearchAllDepths=true

    lisa.acl.ldap.lisaDefaultRole=Guest



  • 5.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 03:46 PM

    Looking at your authentication-provider.xml, it seems you have the wrong value for the type attribute.  If you are really connecting to Active Directory then the value must be "ActiveDirectory" (i.e. type="ActiveDirectory").  You also have 2 <user-search-filter> elements.  I would delete the 2nd.



  • 6.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 04:43 PM

    Wendell.Beckwith

    On a different but related train of thought - should we still let those properties be configured via the local.properties file especially now since we have the 2 new files for external configuration? This is based on the fact that Aniket was able to get it to work from the local.properties file.

     

    Thanks!



  • 7.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 04:49 PM

    Thought was that continuing to allow users to use the legacy API would be a non-jarring introduction to the new way.  OOTB we actually never load the legacy ITKOAuthenticationModule because of a bug later discovered.  Instead we dynamically create an equivalent new API implementation that has all the functionality of the old API along with the new features, like support for multiple auth. providers, enablement, etc.



  • 8.  Re: LDAP/AD integration Bad Credential Error

    Posted May 04, 2016 05:02 PM

    Hi Wendell, I have updated the type attribute value to "ActiveDirectory" and removed duplicate <user-search-filter> element entry. But still I am getting BadCredentialsException Exception. When I define properties in local.properties instead of XML files then it works without any issue.

     

    org.springframework.security.authentication.BadCredentialsException: Authentication failed for user [username=*********]

      at com.ca.dts.security.authentication.NamedDelegatingAuthenticationProvider.doAuthentication(NamedDelegatingAuthenticationProvider.java:73)

      at com.ca.dts.security.authentication.AbstractDevTestAuthenticationProvider.authenticate(AbstractDevTestAuthenticationProvider.java:195)

    ......

    Caused by: org.springframework.security.authentication.BadCredentialsException: Bad credentials

      at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:98)

    .....



  • 9.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 05:15 PM

    That stacktrace indicates that the embedded provider threw the exception.  If you have them ordered with the AD provider 1st and the Embedded 2nd, then that could be the reason.  You should have an acl.log in your logs directory and if you look at the bottom of the logging.properties file in the DevTest Home directory, then you will see several debug loggers for ACL that you can turn on if they aren't already enabled.  I would stop the registry, delete the acl.log and then restart the registry.  After the registry has completely started and before even trying to login, you should see a line in your acl.log that states

     

    ... date and time ... [main] INFO  com.ca.dts.security.authentication.internal.LdapAuthenticationProviderFactory - The manager userDN, password and url for the '<Provider Name Here>' authentication provider are valid and successfully created a read-only LDAP context.

     

    If you see the above then things are configured right and then try logging in.  After that, check the logs again and see why LDAP failed to authenticate against AD.

     

    Beyond this, I would open a support case.  Most issues fall down into configuration issues, so they typically are easy to address.
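
The two checks described in post 9 (the startup line in acl.log, then which component the stack trace ends in), sketched as a script. This is an added example, not part of the original post and not DevTest code; the function names, verdict strings and sample timestamp are made up here, while the log message and class names are the ones quoted in this thread.

```python
import re

# Message text as quoted in post 9; the timestamp in the sample below is constructed.
BIND_OK = re.compile(
    r"LdapAuthenticationProviderFactory - The manager userDN, password and url "
    r"for the '([^']+)' authentication provider are valid")

# Frame-to-component mapping read off the two stack traces posted in this thread.
ORIGINS = [
    ("security.authentication.dao.DaoAuthenticationProvider", "embedded"),
    ("com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule", "legacy-ldap-module"),
]

SAMPLE_LOG = (  # constructed line in the shape post 9 describes
    "2016-05-04 17:20:01,123 [main] INFO  com.ca.dts.security.authentication."
    "internal.LdapAuthenticationProviderFactory - The manager userDN, password "
    "and url for the 'Active Directory Server' authentication provider are valid "
    "and successfully created a read-only LDAP context.\n")

SAMPLE_TRACE = (  # shortened from the trace in post 8, username replaced
    "org.springframework.security.authentication.BadCredentialsException: "
    "Authentication failed for user [username=placeholder]\n"
    "  at com.ca.dts.security.authentication.NamedDelegatingAuthenticationProvider"
    ".doAuthentication(NamedDelegatingAuthenticationProvider.java:73)\n"
    "Caused by: org.springframework.security.authentication."
    "BadCredentialsException: Bad credentials\n"
    "  at org.springframework.security.authentication.dao.DaoAuthenticationProvider"
    ".additionalAuthenticationChecks(DaoAuthenticationProvider.java:98)\n")

def failing_origin(stack_trace):
    """Name the component whose frames appear in the innermost 'Caused by' section."""
    innermost = re.split(r"^\s*Caused by:", stack_trace, flags=re.M)[-1]
    for frame, origin in ORIGINS:
        if frame in innermost:
            return origin
    return "unknown"

def triage(acl_log, stack_trace, provider_name):
    """Apply the two checks in order and return a short verdict code."""
    if provider_name not in BIND_OK.findall(acl_log):
        # No startup confirmation (or no acl.log at all): check url, user-dn, user-password.
        return "manager-bind-unconfirmed"
    origin = failing_origin(stack_trace)
    if origin == "embedded":
        # Manager bind is fine; the login was finally rejected by the embedded provider.
        return "ldap-fell-through-to-embedded"
    return "failed-in-" + origin

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_TRACE, "Active Directory Server"))
```

An empty or missing acl.log, as reported in post 10, yields `manager-bind-unconfirmed`, so the manager credentials and logger settings are the first thing to check.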



  • 10.  Re: LDAP/AD integration Bad Credential Error

    Posted May 04, 2016 05:26 PM

    Thanks Wendell. The problem in my case is that the acl.log file is not generated. Does it mean ACL is not enabled in my case?



  • 11.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 05:31 PM

    Just a thought....making sure that you have un-commented the appropriate lines in the xml file. By default those lines will be commented out. Please confirm



  • 12.  Re: LDAP/AD integration Bad Credential Error

    Posted May 04, 2016 05:36 PM

    Of course Koustubh! I was unable to login with the default "admin" user to the workstation after un-commenting the lines in the xml file.



  • 13.  Re: LDAP/AD integration Bad Credential Error

    Broadcom Employee
    Posted May 04, 2016 05:43 PM

    Sorry ...had to ask

    If you can send me your actual file, of course by masking your data, I can put it into my DevTest and check if it works by just replacing the relevant values against our AD tomorrow.

    If that does not help, you would have to take it up with CA Support...

     

    Thanks!



  • 14.  Re: LDAP/AD integration Bad Credential Error

    Posted May 05, 2016 04:33 PM

    Hi Koustubh,

    Here is my file content and file name is authentication-providers.xml. Thanks.

    ----------------------------------------------------------------------------------------------------

    <?xml version="1.0" encoding="UTF-8" ?>

    <authentication-providers>

      <authentication-provider

      name="Active Directory Server"

      autoAddUsers="true"

      authenticateOnly="false"

      enabled="true"

      type="ActiveDirectory"

      defaultRole="Super User"

      rejectUnmappedUsers="true">

      <url>ldap://***.com</url>

      <user-dn>CN=xxxx,CN=Users,DC=xxxx,DC=xxxx,DC=xxxx,DC=com</user-dn>

      <user-password>xxxxxxxxxxxxxx</user-password>

      <user-dn-pattern>CN={0},CN=Users,DC=xxxx,DC=xxxx,DC=xxxx,DC=com</user-dn-pattern>

      <user-search-base>DC=xxxx,DC=xxxx,DC=xxxx,DC=com</user-search-base>

      <user-search-filter>(&amp;(objectClass=user)(sAMAccountName={0}))</user-search-filter>

      <user-search-filter>(objectClass=user)</user-search-filter>

      <group-search-base>OU=Groups</group-search-base>

      <group-search-filter>(member={0})</group-search-filter>

      </authentication-provider>

    </authentication-providers>

    ----------------------------------------------------------------------------------------------------
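
The configuration points raised in this thread for authentication-providers.xml, written as a lint script. This is an added example, not part of any post and not DevTest code; it assumes the `{cry}` prefix seen in the first posted file marks an encrypted password, and the `ldap://` check is a general LDAP point (a simple bind without TLS exposes the password on the wire) rather than something the thread states. The sample values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the files posted in this thread; values are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<authentication-providers>
  <authentication-provider name="Active Directory Server" enabled="true"
      type="LDAP" defaultRole="Guest" rejectUnmappedUsers="true">
    <url>ldap://ad.example.com</url>
    <user-dn>CN=svc,CN=Users,DC=example,DC=com</user-dn>
    <user-password>placeholder-password</user-password>
    <user-search-base>DC=example,DC=com</user-search-base>
    <user-search-filter>(&amp;(objectClass=user)(sAMAccountName={0}))</user-search-filter>
    <user-search-filter>(objectClass=user)</user-search-filter>
  </authentication-provider>
</authentication-providers>
"""

def lint_providers(xml_text):
    """Return (provider name, finding code, detail) tuples for one config file."""
    findings = []
    for prov in ET.fromstring(xml_text.encode("utf-8")).iter("authentication-provider"):
        name = prov.get("name", "<unnamed>")
        # Post 5: two <user-search-filter> elements; keep only one.
        for tag, n in Counter(child.tag for child in prov).items():
            if n > 1:
                findings.append((name, "duplicate-element", f"<{tag}> appears {n} times"))
        # Post 5: an Active Directory server needs type="ActiveDirectory".
        filters = " ".join(c.text or "" for c in prov.findall("user-search-filter"))
        if prov.get("type") == "LDAP" and "samaccountname" in filters.lower():
            findings.append((name, "type-mismatch",
                             'AD-style filter but type="LDAP"; use type="ActiveDirectory"'))
        # Assumption: values without the {cry} prefix are stored in clear text.
        pw = (prov.findtext("user-password") or "").strip()
        if pw and not pw.startswith("{cry}"):
            findings.append((name, "plaintext-password", "manager password is not encrypted"))
        # General LDAP point: ldap:// with a simple bind has no transport protection.
        url = (prov.findtext("url") or "").strip().lower()
        if url.startswith("ldap://"):
            findings.append((name, "cleartext-ldap", "bind password sent without TLS"))
    return findings

if __name__ == "__main__":
    for finding in lint_providers(SAMPLE):
        print(finding)
```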



  • 15.  Re: LDAP/AD integration Bad Credential Error

    Posted Jan 10, 2017 11:08 AM

    Same issue :- Authentication failed for user [username=xx99999] with LDAP for workstation and console

    Could you please suggest what might be the issue?

     

    org.springframework.security.authentication.AuthenticationServiceException: Exception encountered for the 'DevTest Legacy Authentication Module' authentication provider.

                   at com.ca.dts.security.authentication.AuthenticationModuleAuthenticationProvider.doAuthentication(AuthenticationModuleAuthenticationProvider.java:116)

                   at com.ca.dts.security.authentication.AbstractDevTestAuthenticationProvider.authenticate(AbstractDevTestAuthenticationProvider.java:195)

                   at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)

                   at com.itko.lisa.test.LisaSecurityManager.authenticate(LisaSecurityManager.java:742)

                   at com.itko.lisa.test.LisaSecurityManager.authenticate(LisaSecurityManager.java:699)

                   at com.itko.lisa.coordinator.TestRegistryImpl.authenticate(TestRegistryImpl.java:2533)

                   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

                   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

                   at java.lang.reflect.Method.invoke(Unknown Source)

                   at com.itko.lisa.net.RemoteMethodExec.execute(RemoteMethodExec.java:57)

                   at com.itko.lisa.net.ServerRequestHandler.processRMIMessage(ServerRequestHandler.java:434)

                   at com.itko.lisa.net.ServerRequestHandler.access$300(ServerRequestHandler.java:67)

                   at com.itko.lisa.net.ServerRequestHandler$4.run(ServerRequestHandler.java:357)

                   at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)

                   at java.util.concurrent.FutureTask.run(Unknown Source)

                   at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

                   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

                   at java.lang.Thread.run(Unknown Source)

    Caused by: com.itko.lisa.acl.AuthenticationException: Authentication failed for user [username=xx60758] with LDAP

                   at com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule$1.doCallback(BaseLDAPAuthenticationModule.java:108)

                   at com.itko.lisa.acl.custom.BaseLDAPAuthenticationModule.authenticateUser(BaseLDAPAuthenticationModule.java:124)

                   at com.ca.dts.security.authentication.AuthenticationModuleAuthenticationProvider.doAuthentication(AuthenticationModuleAuthenticationProvider.java:102)

                   ... 18 more



  • 16.  Re: LDAP/AD integration Bad Credential Error

    Posted Jan 13, 2017 03:19 PM

    Aniket,

    Are you still having this issue? If so, open up a support case and we can help you out.