FishEggStew Absent Member.
Absent Member.
428 views

eDirectory "Limit Concurrent Connections"and ZENworks login

Good morning all,

I was just baffled by an issue that just popped up on several workstations. After running fine for years (several upgrades of ZCM, currently running 2017sp4) I get reports that the ZENworks login window is all of a sudden appearing and users can't log in. After two days of troubleshooting, it appears the problem is that having the eDirectory user setting "Limit Concurrent Connections" enabled and set to 1 is preventing the ZENworks client from logging in. If I disable or increase the setting to 2 the user logs in normally.

The limit has been set for years as we are a school system and had used that setting to keep students from logging in other workstations with a generic login that does not belong there. For example, in a lab the computers log in as L101 - L130 (for 30 computers in lab #1). Having that setting set limits the students from using those logins on other workstations - most of the time. 🙂

I upgraded to 2017sp4 back in February and users were able to log in successfully until Monday afternoon when it suddenly stopped. The only thing I have found that might explain the issue is TID#7001549 that says the eDir login uses one NCP connection and ZCM uses an LDAP connection. That TID is for ZCM 10.

Does anyone have any idea why this setting has suddenly become an issue?

Thanks in advance for any insights,
Aubrey

Labels (1)
0 Likes
8 Replies
Micro Focus Expert
Micro Focus Expert

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

I presume you are using DLU authentication.....
In that case, ZCM should authenticate 1st and then the OES Client...which may let this slip by with a single connection.

However, a rebind is often done on a refresh...which would fail.
Also if a user ever logged out, any attempt to rebind again would fail.
0 Likes
FishEggStew Absent Member.
Absent Member.

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

Good morning Craig,

Yes, we have a DLU policy. The OES login always works, but the ZCM does not. Users have their OES rights and mapped drives, but no bundles assigned to the user - which is correct if the user is not being logged into ZENworks. Device bundles are there and work normally.

It's weird though, on the several computers I tested this on, removing or upping the setting fixed them. Now I'm getting reports that the ZENworks login is still showing on some computers. I just tested one and even with the setting disabled, I'm still getting the ZENworks login. I'm doing more troubleshooting....

Aubrey

0 Likes
Knowledge Partner
Knowledge Partner

Re: eDirectory "Limit Concurrent Connections"and ZENworks login

On 22.04.2019 19:16, FishEggStew wrote:
>
> Good morning Craig,
>
> Yes, we have a DLU policy. The OES login always works, but the ZCM does
> not.


Which is, as Craig points out, rather odd, as ZCM logs in *first*. Aka,
the OES login should fail, not the ZCM one.

Nonetheless, with Zen in the mix (and actually, even generally with just
the OES client), retricting users to a single connection in eDir is
unfortunately not somethign that is recommend or usually without issues.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
FishEggStew Absent Member.
Absent Member.

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

Thanks guys.

I'm still at a loss with this. I was working on one computer trying to get it to work and all-of-a-sudden it started working. I don't know what changed, but here is a link to its zipped zcm-messages.log. The login for that computer is mc10 and it first shows up at line 3535. This log is for today only and I turned the full logs turned on starting about 2:30PM. When it was not working, there was lines in the log like: "[LoginService] [] [returning with empty string. Session or IZenIdentity is null or ZEN Name is empty]". When it started working, I see lines like: "[WorkSet] [] [WorkSet using session id (Name): mc10]"

I have removed the restriction on all of these users. In that room, there are 30 computers. All but about 5 are able to log in normally.

0 Likes
FishEggStew Absent Member.
Absent Member.

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

I have found some more information. This may be more of a certificate problem that the eDir setting.

Looking through some other threads here that have similar problems brought one thing to mind: I just had to move my eDirectory CA to another server due to the original server being decommissioned. I have the same AuditLogger error in post 3 of thread "Problem with agents after Certificate Remint Zenworks 20172a". But I have not reminted the CA in ZCC. It says it is valid until 2020. I have two primary servers and no satellites. The certs say they are fine in ZCC->Configuration->Certificates.

When changing the eDirectory CA, do I have to change the ZCC CA? I did update the certs in the user source page and they all have the correct information. I have three user sources set up for round-robin auth.

How can I get the workstation to update it's cert if necessary?

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

If the User Source shows as Green in the ZCC you are probably fine....would not mess with certs.....

Now in regard to your ZCM/eDir Setup....
I have 2 general recommendations...
#1 - All eDir servers used by ZCM should have a full copy of your Tree.
#2 - ZCM should point to the top of your tree and not multiple low level containers.

ZCM use search using items that are all indexed by default, so breaking down to multiple lower level OUs does not reduce overhead, but actually increases it.
Futher, if you hit on edir server that does not hold a replica...it may have to chain and may not chain as expected causing performance issues......

Round Robin may not be necessary...as ZCM eDir overhead is not that high when configured as above...but I don't know your size.....

I only raise the configuration issue because you recently moved stuff around....maybe some of your servers don't hold replicas and maybe things are not reliably chaining....

Again...take care with anything I say.....I'm operating with little direct knowledge of your setup and if anything breaks.....I'm not there to fix............




FishEggStew;2498696 wrote:
I have found some more information. This may be more of a certificate problem that the eDir setting.

Looking through some other threads here that have similar problems brought one thing to mind: I just had to move my eDirectory CA to another server due to the original server being decommissioned. I have the same AuditLogger error in post 3 of thread "Problem with agents after Certificate Remint Zenworks 20172a". But I have not reminted the CA in ZCC. It says it is valid until 2020. I have two primary servers and no satellites. The certs say they are fine in ZCC->Configuration->Certificates.

When changing the eDirectory CA, do I have to change the ZCC CA? I did update the certs in the user source page and they all have the correct information. I have three user sources set up for round-robin auth.

How can I get the workstation to update it's cert if necessary?
0 Likes
FishEggStew Absent Member.
Absent Member.

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

Thanks Craig,

Yes they all have full copies: One is the master and the other two have R/W copies.
The container I have set is at the Org level. The setting looks like "/MC_BOE/MCBOE" with MC_BOE is the tree and MCBOE is the Org.
The communication status is green and the connections of the three servers all have checkmarks by them.

I had only the master in there until this issue reared it's head and looking at other TIDs/posts I was thinking maybe an LDAP communication issue. So I added the other two to help, but it didn't. It was about that time I noticed the users that were working had the connection limit unchecked and the non-working users had it checked. I upped the connection limit to 2 and that actually fixed most of them, but not all. Per Mr. Rosen's post, I plan to go back and remove the check from all users but haven't had time yet.


I guess comparatively, our eDir is small. A rough guess is about 2500 - 3000 objects.

0 Likes
FishEggStew Absent Member.
Absent Member.

Re: eDirectory "Limit Concurrent Connections"and ZENworks lo

A bit more. These workstations are Windows 7 and they have at least DotNet 4.5. I tried reinstalling the usermanagement msi (from TID 7022478)on one and it did not help. I have not completely uninstalled the agent and reinstalled it.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.