05-18-2012 02:51 PM - edited 03-17-2019 11:11 PM
I just upgraded to 7.1 from 7.0 and now my AD Administration Authentication won't work. It worked before the upgrade perfectly. I get this error in the Event log of the VCS:
May 18 17:37:55 | web: User="mjefferson" Event="Admin Session Login Failure" Src-ip="172.16.3.28" Src-port="59753" UTCTime="2012-05-18 21:37:55" |
May 18 17:37:55 | web: Event="Authorization Failure" Detail="Failed to authenticate; User cannot be authenticated by PAM" User="mjefferson" Src-ip="172.16.3.28" Src-port="59753" Level="1" UTCTime="2012-05-18 21:37:55" |
I checked the VCS LDAP configuration and the status is Available. I'm not using TLS for LDAP lookups. What am I missing?
05-18-2012 03:28 PM
More information. I can see the VCS hitting the AD server but then there is a logoff event. Nothing has changed on the AD server since the upgrade.
05-18-2012 05:38 PM
Hi Martin,
I remember one such incident where a customer was not able to log in using AD. They said nothing had been changed on AD, but later they said someone removed the group from AD accidentally.
PAM is a module used for authentication purposes.
Pulling up a diagnostic log from VCS will help to perform additional troubleshooting. Also reverify the configuration and AD settings and check AD users groups and Base DN.
Thanks
Alok
05-22-2012 07:52 AM
I've triple checked the AD setup and it is correct. What I am seeing in the Diag Log is:
May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,546" Module="pam_unix(taa-chkpasswd:auth)" Level="WARNING" CodeLocation="support.c(631)" Pid="6367" Thread="0" Detail="check pass; user unknown"
May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,546" Module="pam_unix(taa-chkpasswd:auth)" Level="NOTICE" CodeLocation="support.c(710)" Pid="6367" Thread="0" Detail="authentication failure; logname= uid=2 euid=0 tty= ruser= rhost= "
May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,557" Module="pam_unix(taa-chkpasswd:account)" Level="ALERT" CodeLocation="pam_unix_acct.c(210)" Pid="6367" Thread="0" Detail="could not identify user (from getpwnam(marty))"
May 22 10:39:43 VCSC web: Event="Authorization Failure" Detail="Failed to authenticate; User cannot be authenticated by PAM" User="marty" Src-ip="172.22.4.75" Src-port="63790" Level="1" UTCTime="2012-05-22 14:39:43"
May 22 10:39:43 VCSC web: User="marty" Event="Admin Session Login Failure" Src-ip="172.22.4.75" Src-port="63790" UTCTime="2012-05-22 14:39:43"
I know the password is correct.
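Added example, not part of the original thread and not Cisco tooling: a Python sketch that parses the key="value" fields of diagnostic log lines like those quoted above and attaches the same-second pam_unix details to each failed admin login, so a failed account lookup (getpwnam) can be told apart from other rejections. The sample lines are copied from the post; the function names and cause labels are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: three lines copied from the diagnostic log quoted above.
SAMPLE = '''\
May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,546" Module="pam_unix(taa-chkpasswd:auth)" Level="WARNING" CodeLocation="support.c(631)" Pid="6367" Thread="0" Detail="check pass; user unknown"
May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,557" Module="pam_unix(taa-chkpasswd:account)" Level="ALERT" CodeLocation="pam_unix_acct.c(210)" Pid="6367" Thread="0" Detail="could not identify user (from getpwnam(marty))"
May 22 10:39:43 VCSC web: User="marty" Event="Admin Session Login Failure" Src-ip="172.22.4.75" Src-port="63790" UTCTime="2012-05-22 14:39:43"
'''
HEADER = re.compile(r'^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+([\w-]+):\s*(.*)$')
FIELD = re.compile(r'([\w-]+)="([^"]*)"')
# pam_unix emits these when getpwnam() returns no entry for the login name.
LOOKUP_MARKERS = ("user unknown", "could not identify user")


def parse_line(line):
    """Return (process, fields) for one log line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    return m.group(1), dict(FIELD.findall(m.group(2)))


def explain_failures(text):
    """Attach same-second PAM details to each failed admin login."""
    pam_by_second = defaultdict(list)
    logins = []
    for parsed in filter(None, map(parse_line, text.splitlines())):
        proc, f = parsed
        second = f.get("UTCTime", "")[:19]  # drop the ",mmm" suffix
        if f.get("Module", "").startswith("pam_"):
            pam_by_second[second].append(f.get("Detail", ""))
        elif proc == "web" and f.get("Event") == "Admin Session Login Failure":
            logins.append((second, f))
    report = []
    for second, f in logins:
        details = pam_by_second.get(second, [])
        if any(mk in d for d in details for mk in LOOKUP_MARKERS):
            cause = "account-lookup"  # user name was not resolved
        elif details:
            cause = "credentials-or-policy"
        else:
            cause = "no-pam-detail"
        report.append({"user": f.get("User"), "src": f.get("Src-ip"),
                       "cause": cause, "pam": details})
    return report


if __name__ == "__main__":
    print(explain_failures(SAMPLE))
```

Correlating on the UTCTime second is an assumption that suits a quiet admin interface; on a busy system the Pid field or a narrower time window would be needed.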
05-23-2012 04:20 PM
I resolved the issue. It turns out if the "Password Never Expires" option is not checked in AD the VCS will not authenticate the account. Once you check this option it works fine.
05-24-2012 12:44 AM
Martin,
using a VCS running X7.1 and a 2008 R2 domain controller, I can successfully authenticate VCS admin users towards AD both when the user's 'Password never expires' flag is set and unset.
- Andreas