ZCM Agent not Passing full DN Login Fails

The Zenworks agent & CASA, all of a sudden, stopped passing the full DN LDAP name for the user source for authentication on ALL workstations. As a test of this, I try logging in with my credentials as "fname lname" and password; login to the Zenworks Agent on the workstation fails. If I put the full DN of my user from AD/User source, i.e.:

"cn=fname lname, ou=office,ou=school,dn=place,dn=ca" and my password, the agent then logs into the user source, and I am authenticated. The ATS log on Zenworks shows that the username is being sent in plain format instead of the properly translated DN LDAP format, i.e.:

ClientAddr=] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.36] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= Setting value = /etc/CASA/authtoken/svc/iaRealms.xml] [authtoksvc.SvcConfig] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.36] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= It Seems Proxy Credentials are in iaRealms file] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.61] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= Authentication for Joe Blow] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= able to parse : Joe Blow. It is not a valid LdapName ] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= Roots are configured- Below is the list] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr= DC=nlpsad,DC=ca] [authtoksvc.PwdAuthenticate] [] [] [CASA]

This seems to be where authentication falls down. Does anyone know why this started or how to fix it?
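The "It is not a valid LdapName" line in the ATS log above is the server refusing to treat a bare display name as a distinguished name. As an added illustration (not code from the thread, Zenworks or CASA; the function names parse_dn and is_valid_ldap_name are my own), here is a small RFC 4514 DN parser that makes the same distinction: it rejects "Joe Blow" and accepts the full cn=...,ou=...,dc=... form, including escaped commas and multi-valued RDNs.

```python
import re

# Attribute type: a short descriptor such as cn / ou / DC, or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def _split_unescaped(text, seps):
    """Split on separator chars that are not escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep the escape pair intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Turn RFC 4514 single-character escapes (\\, \\+ \\\\ \\=) into literals."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """Return one list per RDN, each holding (type, value) pairs; multi-valued
    RDNs ('cn=a+sn=b') give several pairs. Raises ValueError if not a DN."""
    if dn.strip() == "":
        return []                                  # the empty (root) DN
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:                     # e.g. the bare name "Joe Blow"
                raise ValueError("RDN %r has no attribute=value pair" % ava)
            attr, _, val = ava.partition("=")
            attr, val = attr.strip(), val.strip()
            if not _ATTR_TYPE.match(attr) or val == "":
                raise ValueError("bad attribute-value pair %r" % ava)
            avas.append((attr.lower(), _unescape(val)))
        rdns.append(avas)
    return rdns


def is_valid_ldap_name(name):
    """True if the string parses as a DN, which is what the ATS expects."""
    try:
        parse_dn(name)
        return True
    except ValueError:
        return False
```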




  • How are your "User Containers" defined in the User Source?

    Is it?

    If the 1st, try using Port 3269 instead of 636 (assuming you are using SSL... if using 389, try 3268 instead).


  • Verified Answer

    I'll take option 1 for $5000, Alex. Okay, this is an interesting suggestion, so I try this different port in the user source connection, correct?

  • The alternate port I suggested is the "Catalog Port". Any LDAP requests to the Catalog Port do not generate any referral requests. LDAP requests to the standard LDAP port can result in referrals, where the requester is told to send queries to additional, different LDAP servers.

    And the "server" to which the requester is redirected is not based on any high level of intelligence, but tends to just be another random AD controller. These referrals can be generated even if every single AD controller contains the entire tree... These referrals can fail, especially with SSL, because one of the AD controllers where it is sent may not even have any SSL certs configured.

    Even excluding referral issues, the Catalog Port should in theory be slightly faster.

    (In eDir, the LDAP server itself will handle the referrals rather than tell the requester to go check with different LDAP servers.)




  • Craig, you bloody genius!!!! Actually, I used a mix of your solution and my own. When you did that, you triggered me to look at my defined User container; I changed it to point at a base OU INSTEAD of the base of the AD domain, and this fixed it!!! Thank-you!!! You're the man!!!
  • Just as a side note, technically the user container used to point to:

    Now it points to base:
    Which looks like this in Zenworks:

    I hope that helps others, and what a great explanation Craig!! Thank-you!