Environment
Advanced Authentication
AA 6.4.0
GroupWise
GW 18.5
Symptoms
Users are not able to log in to GroupWise when Advanced Authentication is enabled.
Users get an error logging into GroupWise after authenticating through AA.
Users receive one of the following error messages
Problem occurs for some users but not for others
Problem began after running third party application
Cause
A third-party application changed the Active Directory DN attribute for the affected users to all UPPERCASE instead of only the first letter being uppercase.
Resolution
Change the DN back to first-letter uppercase.
Additional Information
When AA and GW are integrated, the user enters a name and password in the GW client, GW sends an authentication request to AA, AA authenticates the user against the directory, and AA returns the result to GW. In this case the logs showed that AA authenticated the problem users against the directory without fail, but the GroupWise POA log showed an error on the GW side.
The Advanced Authentication UWSGI log shows successful login attempts by the problem users, as follows:
Line 74845: 2024-04-10 13:03:38 INFO [aucore.logger.client] CEF:0|NetIQ|AA|6.4.0.0|100|User logon started|4|ep=OSP ep_addr=10.0.10.150 event=GroupWise OAUTH method_name=PASSWORD:1 session_id=xdU1iqbgdwFmiBsIg4C62qoG3NyWxUUoz tenant_id=def0def0def0def0def0def0def0def0 tenant_name=TOP user_name=SOMETHING\\someone p=22604
Line 74882: 2024-04-10 13:03:44 INFO [aucore.logger.client] CEF:0|NetIQ|AA|6.4.0.0|101|User was successfully logged on|7|chain_name=Password Only ep=OSP ep_addr=10.0.10.150 event=GroupWise OAUTH method_name=PASSWORD:1 session_id=xdU1iqbgdwFmiBsIg4C62qoG3NyWxUUoz template_owner=SOMETHING\\someone tenant_id=def0def0def0def0def0def0def0def0 tenant_name=TOP user_name=SOMETHING\\someone p=1487
The GroupWise POA log shows the error:
8:20:12 B70C *** NEW APP CONNECTION, Tbl Entry=47, Check ID=1712737238
8:20:12 B70C C/S Login Windows Net Id=someone ::GW Id=SOMEONE ::
And later
15:27:08 B65B Notifying client at: 10.2.103.209 UDP port 64649
15:27:08 C441 C/S Login Admin Service ::GW Id= SOMEONE:: ::ffff:192.168.2.15
15:27:08 C441 Validating OAuth2 token with the AA server (SOMEONE)
15:27:08 C441 Error on request to AA server: HTTP 400 (SOMEONE)
15:27:08 C441 Error: Required User Database rights not granted [D01B] User: SOMEONE (SOMEONE)
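Because the problem affects only the users whose DN was rewritten, the practical first step is to find those users before correcting anything. The following script is an added example, not part of this article or of any OpenText product: it scans an LDIF-style export of user entries, flags every entry whose leading CN value is entirely upper-case, and proposes the first-letter-uppercase form that the Resolution describes. The sample export, the attribute names beyond the standard `dn` and `sAMAccountName`, and the assumption that the original CN was exactly first-letter-uppercase are all constructed here; confirm the original values against a directory backup before writing anything back.

```python
import re

# Constructed sample LDIF export (not taken from the article); only the
# second entry has had its CN rewritten to all upper case.
SAMPLE_LDIF = """\
dn: CN=Someone,OU=Users,DC=example,DC=com
sAMAccountName: someone

dn: CN=ANOTHER USER,OU=Users,DC=example,DC=com
sAMAccountName: another.user

dn: CN=Third Person,OU=Users,DC=example,DC=com
sAMAccountName: third.person
"""


def parse_ldif(text):
    """Minimal LDIF parser: one attribute per line, entries separated by a
    blank line. It does not handle line folding or base64 ('::') values,
    which a real export may contain; extend it before using on production
    output."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(':')
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def rdn_value(dn):
    """Return the value of the leading RDN (for AD users, the CN).
    Splits on unescaped commas only, so a CN such as 'Last\\, First'
    stays intact."""
    first = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    _, _, value = first.partition('=')
    return value


def is_all_upper(value):
    """True when the value contains at least one letter and no lower-case
    letters, i.e. the shape the third-party tool left behind."""
    return any(c.isalpha() for c in value) and value == value.upper()


def propose_fix(value):
    """First letter upper-case, the rest lower-case: the form the article's
    Resolution describes. ASSUMPTION: the original value had exactly that
    form; verify against a backup before changing the directory."""
    return value[:1].upper() + value[1:].lower()


def find_uppercase_dns(entries):
    """Return the entries whose CN value is entirely upper-case, each
    annotated with the proposed corrected CN under 'proposed_cn'."""
    flagged = []
    for entry in entries:
        cn = rdn_value(entry.get('dn', ''))
        if is_all_upper(cn):
            flagged.append({**entry, 'proposed_cn': propose_fix(cn)})
    return flagged


if __name__ == '__main__':
    for hit in find_uppercase_dns(parse_ldif(SAMPLE_LDIF)):
        print(f"{hit['sAMAccountName']}: {hit['dn']} -> CN={hit['proposed_cn']}")
```

Run it against an export of the user OU to get the list of affected accounts; the output is a review list, not a change set, since LDAP itself treats DNs case-insensitively and only the original directory data can tell you what the correct spelling was.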