CA Service Management


EEM authentication failure

  • 1.  EEM authentication failure

    Posted Oct 27, 2016 06:02 AM

    Hi All,

    I am using CA EEM 12.0.2.40 and it is integrated with two Active Directories.

    I am receiving this error for some of the users 'EE_SPONSORERROR iSponsor ErrorISE_METHODNOTALLOWED wrong GET/POST semantics'.

    I have found that a duplicate user ID exists in both Active Directories. Let's say my user ID is 'A12345'; then it exists in both Active Directories, and the user is not able to log in to CA Service Desk Manager and gets the above error in the stdlog for this user ID.

    When I checked in AD, the user ID is disabled in the other Active Directory, and CA EEM is pulling the disabled user ID as well.

    Is there any way to search only the active records in CA EEM, so that only active user IDs get authenticated in CA Service Desk Manager, to avoid this error?

    Please help me.

     

    Thanks,

    Manish



  • 2.  Re: EEM authentication failure

    Posted Oct 27, 2016 09:19 AM

    Hi Sanjay,

    If you rename the inactive duplicate record so that the username is different (such as OLD_username), does it then work?

    I don't believe there is a way to have it only look at active contacts for login attempts.

    Jon I.



  • 3.  Re:  EEM authentication failure

    Posted Oct 27, 2016 09:29 AM

    Hi Sanjay

     

    Are these 2 ADs from different domains?

    I mean, are you running SDM with multi-tenancy ON and each AD is for the respective tenant?

    If so, there is no way for SDM to understand from which AD the contact is unless you have the following set in the CA_Contact table for userid: domain\userid.

     

    Please provide us confirmation on this so we can provide better guidance.

     

    Sandra

     



  • 4.  Re:  EEM authentication failure

    Broadcom Employee
    Posted Oct 27, 2016 12:47 PM

    Hey Sanjay,

     

    EEM -> Configure -> User Store ->  User Store  ->  click on the LDAP directory you configured there.  On the LDAP Directory configuration screen, you'll see  an Attribute Map.

     

    Note down the value of the attribute map there.

     

    Now on the left pane, select LDAP attribute mapping -> select appropriate mapping name you found out above.

     

    Then look for the User Search Filter option. It would be something like: (&(objectClass=user)(!(objectClass=computer)))

     

    Maybe this can be tweaked to ignore inactive users.   From what I know it is:
    (!(UserAccountControl:1.2.840.113556.1.4.803:=2))

     

    So it could look like:  (&(objectCategory=user)(!(objectClass=computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

     

    Then search EEM again for the user who has inactive + active user records and see if the inactive one shows up or not. If it doesn't anymore, maybe you're good to go?

     

    Hope this helps

    _R



  • 5.  Re:  EEM authentication failure

    Posted Oct 28, 2016 02:46 AM

    Hi Raghu,

     

    Thanks for your valuable input.

    But I didn't understand the number '1.2.840.113556.1.4.803:=2'. Do I need to put it in the same format, or is this something related to a specific attribute value which I need to check in AD?

     

    Thanks,

    Manish



  • 6.  Re:  EEM authentication failure

    Posted Oct 28, 2016 03:04 AM

    Hi Raghu,

    When I update the search filter with the value you provided, it prompts a window asking for the name of the custom script.

    I have saved it with a new name, but it still shows the old mapping linked with Active Directory.

    And after selecting the custom search filter, it is not getting linked with Active Directory.

    Do we need to do any additional steps to link this custom search filter with Active Directory?

     

    Thanks,

    Manish



  • 7.  Re:  EEM authentication failure

    Posted Oct 28, 2016 05:16 AM

    Hi Raghu,

     

    I have successfully done the configuration. Now CA EEM is not showing the disabled contacts, but users who have a duplicate user ID that is disabled in another Active Directory are still facing the login failure issue.

     

    Thanks,

    Manish



  • 8.  Re:  EEM authentication failure

    Broadcom Employee
    Posted Oct 28, 2016 11:54 AM

    Hey Manish/Sanjay,

     

    Thanks for getting this through.

     

    Maybe SDM hit some previous EEM cache and is still finding the original inactive user. When your users are logging in, are they doing any single sign-on? Or are they doing an SDM Logon screen based login?

     

    Which release of SDM is this?

     

    _R



  • 9.  Re:  EEM authentication failure

    Posted Nov 01, 2016 01:11 AM

    Hi Raghu,

     

    We are not using single sign-on. CA EEM is integrated with two ADs on different domains and integrated with SDM for authentication purposes. Users log in to SDM and authentication is done via the CA EEM integration with AD.

    But some of the users' IDs are duplicated in both Active Directories. However, these duplicate IDs are disabled in the other Active Directory, but we are facing the authentication failure issue.

     

    We are using CA EEM 12.0 and SDM 12.6 version.

     

    Thanks,

    Manish



  • 10.  Re:  EEM authentication failure
    Best Answer

    Posted Nov 01, 2016 05:29 AM

    Hi Raghu,

     

    I have found two filters: one is the user search filter and the other is the user authentication filter. We have added the criteria not to display/search disabled users from AD only in the user search filter.

    Now I have also updated the authentication search filter as below, and it seems to be working.

     (&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

     

    Thanks,

    Manish



  • 11.  Re:  EEM authentication failure

    Broadcom Employee
    Posted Nov 01, 2016 03:21 PM

    If EEM is not returning the users anymore and you do not have active/inactive contact records for that userid in SDM,  then I would expect SDM to behave OK.

     

    However, the release of SDM is a bit old as well as the EEM release in question.    One option I can think of is to restart SDM (or the boplgin process) to see if that helps.

     

    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec577385.html  article might help you set up debug, but this being a very old release, our insight will be very low on it.

     

    _R

     

     



  • 12.  Re:  EEM authentication failure

    Posted Nov 03, 2016 05:49 AM

    Hi Raghu,

     

    Thanks for your response.

     

    Thanks,

    Manish



  • 13.  Re:  EEM authentication failure

    Posted Nov 09, 2016 06:11 AM

    Hi Raghu,

     

    I have tested it and it is not working for those who have duplicate user IDs with the disabled flag in the other Active Directory.

    I am not sure what needs to be updated in the authentication search filter (&(objectClass=user)(!(objectClass=computer))(sAMAccountName=)) to allow authentication only for enabled user IDs. However, the user search filter is working and it is not showing disabled user IDs.

     

    Please help.

     

    Thanks,

    Manish



  • 14.  Re:  EEM authentication failure

    Broadcom Employee
    Posted Nov 09, 2016 09:14 AM

    That's a good point Manish. I assumed that if a user account can't be Searched, then it can't be authenticated against.

     

    We could try changing the authentication filter too -    (&(objectClass=user)(!(objectClass=computer)) (!(UserAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=))

     

    Something like that..

     

    _R

     



  • 15.  Re:  EEM authentication failure

    Posted Nov 14, 2016 02:15 AM

    Hi Raghu,

    Thank you so much for your valuable input, I have tested and it's working.

     

    Thanks,

    Manish



  • 16.  Re:  EEM authentication failure

    Broadcom Employee
    Posted Nov 14, 2016 09:24 AM

    Glad it helped out.

     

    For some reason I thought the auth filter comes into picture after search filter, and so I overlooked the previous clarification you made about it.  Sorry about that.

     

    _R



  • 17.  Re:  EEM authentication failure

    Posted Feb 06, 2017 07:32 AM

    Hi,

    I am facing a new issue now. Our CA EEM is already integrated with multiple Active Directories, and some of the users are being migrated into a different AD with the same user ID.

    So a duplicate user ID exists in two domain ADs in the active state, and we cannot disable those duplicate user IDs in the other domain because the customer needs both user IDs to be in the active state in both Active Directories due to some application constraints.

    Now when those users try to log in to CA, they get the authentication failure error.

    Please suggest any solution for how we can allow duplicate user IDs to log in to the CA tool.

     

    Thanks,

    Manish