Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2122
Views
0
Helpful
5
Replies

VCS 7.1 won't authenticate to AD

Martin.Jefferson_2
Level 1
Level 1

‎05-18-2012 02:51 PM - edited ‎03-17-2019 11:11 PM

I just upgraded to 7.1 from 7.0 and now my AD Administration Authentication won't work.  It worked before the upgrade perfectly.  I get this error in the Event log of the VCS:

May 18 17:37:55web: User="mjefferson" Event="Admin Session Login Failure" Src-ip="172.16.3.28" Src-port="59753" UTCTime="2012-05-18 21:37:55"
May 18 17:37:55web: Event="Authorization Failure" Detail="Failed to authenticate; User cannot be authenticated by PAM" User="mjefferson" Src-ip="172.16.3.28" Src-port="59753" Level="1" UTCTime="2012-05-18 21:37:55"

I checked the VCS LDAP configuration and the status is Available.  I'm not using TLS for LDAP lookups.  What am I missing?

Labels:
0 Helpful
5 Replies 5

Martin.Jefferson_2
Level 1
Level 1

‎05-18-2012 03:28 PM

More information.  I can see the VCS hitting the AD server but then there is a logoff event.  Nothing has changed on the AD server since the upgrade.

0 Helpful

Alok Jaiswal
Cisco Employee
Cisco Employee
In response to Martin.Jefferson_2

‎05-18-2012 05:38 PM

Hi Martin,

I remember one such incident where customer was not able to login using AD. They said nothing has been changed on AD but later they said some removed the group from AD accidentaly.

PAM is a module used for authentication purpose.

Pulling up a diagnostic log from VCS will help to perform additional torubleshooting.  Also reverify the configuration and AD setttings and check AD users groups and Base DN.

Thanks

Alok

0 Helpful

Martin.Jefferson_2
Level 1
Level 1
In response to Alok Jaiswal

‎05-22-2012 07:52 AM

I've triple checked the AD setup and it is correct.  What I am seeing in the Diag Log is:

May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,546" Module="pam_unix(taa-chkpasswd:auth)" Level="WARNING"  CodeLocation="support.c(631)" Pid="6367" Thread="0" Detail="check pass; user unknown"

May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,546" Module="pam_unix(taa-chkpasswd:auth)" Level="NOTICE"  CodeLocation="support.c(710)" Pid="6367" Thread="0" Detail="authentication failure; logname= uid=2 euid=0 tty= ruser= rhost= "

May 22 10:39:43 VCSC taa-chkpasswd: UTCTime="2012-05-22 14:39:43,557" Module="pam_unix(taa-chkpasswd:account)" Level="ALERT"  CodeLocation="pam_unix_acct.c(210)" Pid="6367" Thread="0" Detail="could not identify user (from getpwnam(marty))"

May 22 10:39:43 VCSC web: Event="Authorization Failure" Detail="Failed to authenticate; User cannot be authenticated by PAM" User="marty" Src-ip="172.22.4.75" Src-port="63790" Level="1" UTCTime="2012-05-22 14:39:43"

May 22 10:39:43 VCSC web: User="marty" Event="Admin Session Login Failure" Src-ip="172.22.4.75" Src-port="63790" UTCTime="2012-05-22 14:39:43"

I know the password is correct.

0 Helpful

Martin.Jefferson_2
Level 1
Level 1
In response to Martin.Jefferson_2

‎05-23-2012 04:20 PM

I resolved the issue.  It turns out if the "Password Never Expires" option is not checked in AD the VCS will not authenticate the account.  Once you check this option it works fine.

0 Helpful

awinter2
Level 7
Level 7
In response to Martin.Jefferson_2

‎05-24-2012 12:44 AM

Martin,

using a VCS running X7.1 and a 2008 R2 domain controller, I can successfully authenticate VCS admin users towards AD both when the user's 'Password never expires' flag is set and unset.

- Andreas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents