sschaffer

Commodore
2013-03-31
03:33
2157 views
WebAccess Login Failure
Hi all.
I just finished recreating my certificate authority as its certificate had expired. I then used PKIDiag and tckeygen to renew the DNS and IP certs for webaccess and re-export the key for Tomcat. This went smoothly without any errors.
However, when I try to log in to web access, I get the following error: "Please login again. You may have typed your name or password incorrectly. Remember that passwords are case sensitive.", even though they are the correct name and password. It also does not matter which user logs in.
Webaccess logs only show "Login failure" for the user.
Where do I begin to troubleshoot this? Does webaccess have better logs somewhere? Even on verbose the logs still only seem to show Login Failure.
Thanks for any information anyone has.
Scott
Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP
17 Replies
sschaffer

Commodore
2013-04-01
20:22
Here is the dstrace from the login. I don't know how to read it but am searching for the errors in it. Any ideas about what it means or next troubleshooting steps?
--------------------------
New TLS connection 0x9e2b5000 from 192.168.100.150:17260, monitor = 0x31d, index = 3
Monitor 0x31d initiating TLS handshake on connection 0x9e2b5000
DoTLSHandshake on connection 0x9e2b5000
TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875. Error stack:
TLS handshake failed on connection 0x9e2b5000, err = -5875
Server closing connection 0x9e2b5000, socket error = -5875
Connection 0x9e2b5000 closed
New TLS connection 0x9e2b5000 from 192.168.100.150:17261, monitor = 0x31d, index = 3
Monitor 0x31d initiating TLS handshake on connection 0x9e2b5000
DoTLSHandshake on connection 0x9e2b5000
TLS accept failure 1 on connection 0x9e2b5000, setting err = -5875. Error stack:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
TLS handshake failed on connection 0x9e2b5000, err = -5875
BIO ctrl called with unknown cmd 7
Server closing connection 0x9e2b5000, socket error = -5875
Connection 0x9e2b5000 closed
Work info status: Total:3 Peak:3 Busy:0
Thread pool status: Total:7 Peak:7 Busy:3
---------------------
Thanks
Scott
Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP
>>> On April-01-13 at 10:46 AM, in message <laurabuckley.5t4nmn@no-mx.forums.novell.com>, laurabuckley <laurabuckley@no-mx.forums.novell.com> wrote:
A dstrace would probably be a very sensible thing to do - filter on LDAP
traffic and see if you can see anything.
Cheers,
--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa
http://www.itdynamics.co.za
------------------------------------------------------------------------
laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
View this thread: http://forums.novell.com/showthread.php?t=465411
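An added example, not part of the original thread: a small parser for the LDAP TLS lines of a dstrace like the one posted above, which pairs each failed handshake with its peer and the TLS alert in the OpenSSL error stack. It goes slightly beyond the posted trace by naming the other certificate-related alert numbers; the sample input is trimmed from the trace above, and the function and field names are illustrative. OpenSSL reports an alert under `SSL3_READ_BYTES` when it was received from the peer, so alert 42 here means the connecting client refused the LDAP server's certificate.

```python
import re

# Sample input trimmed from the dstrace posted in this thread.
SAMPLE = """\
New TLS connection 0x9e2b5000 from 192.168.100.150:17260, monitor = 0x31d, index = 3
TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875. Error stack:
Connection 0x9e2b5000 closed
New TLS connection 0x9e2b5000 from 192.168.100.150:17261, monitor = 0x31d, index = 3
TLS accept failure 1 on connection 0x9e2b5000, setting err = -5875. Error stack:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
Connection 0x9e2b5000 closed
"""

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

NEW = re.compile(r"New TLS connection (0x[0-9a-f]+) from ([\d.]+):(\d+)")
FAIL = re.compile(r"TLS accept failure (\d+) on connection 0x[0-9a-f]+, setting err = (-?\d+)")
ALERT = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:(\w+):.*SSL alert number (\d+)")

def parse_handshakes(text):
    """Return one dict per 'New TLS connection' line, in log order.
    The connection pointer is reused, so events are kept by position."""
    events, current = [], None
    for line in text.splitlines():
        if m := NEW.search(line):
            current = {"peer": f"{m[2]}:{m[3]}", "failure": None,
                       "err": None, "alert": None, "alert_from_peer": False}
            events.append(current)
        elif current is None:
            continue  # lines before the first connection are ignored
        elif m := FAIL.search(line):
            current["failure"], current["err"] = int(m[1]), int(m[2])
        elif m := ALERT.search(line):
            current["alert"] = int(m[2])
            current["alert_from_peer"] = "READ_BYTES" in m[1]
    return events

def diagnose(ev):
    """Turn one parsed handshake into a short finding."""
    if ev["failure"] is None:
        return "no failure logged"
    if ev["alert"] in CERT_ALERTS and ev["alert_from_peer"]:
        return f"client rejected server certificate ({CERT_ALERTS[ev['alert']]})"
    if ev["alert"] is None:
        return "handshake failed with no TLS alert logged"
    return f"TLS alert {ev['alert']}"
```
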


Knowledge Partner
2013-04-02
03:35
In article <51598A1A.DFFF.0048.3@owzw.com>, Scott Schaffer wrote:
> TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875.
Did you make sure your LDAP was refreshed with the new cert? Make sure
your LDAP server and group objects point to them in ConsoleOne.
Perhaps unload and reload nldap will also be needed.
TLS is the newer specific form of SSL, but for most of us they are the same
thing.
Andy Konecny
Knowledge Partner (voluntary SysOp)
KonecnyConsulting.ca in Toronto
----------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037
___
“i’ve sworn an oath of solitude til the blight is purged from these lands”
Andy of Konecny Consulting in Toronto
Knowledge Partner Profile
If you find a post helpful, click the Like button below. Thanks!
sschaffer

Commodore
2013-04-02
21:19
Thanks everyone for your help on this issue. I have opened an SR with Novell and they are working on it at the moment. We have traced the issue to some sort of certificate problem. Everything works fine when we turn off Secure LDap and just use port 389.
We recreated the CA and renewed all of the default certificates, then refreshed where NLDap was pointing to and reloaded it as you suggested, Andy, but that did not resolve it.
Next step is to restart the poa with Secure LDap enabled, which I cannot do until the users have gone home for the night. I will update when I know more.
Scott
Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP
>>> On April-01-13 at 8:35 PM, in message <VA.0000050e.030a968a@no-mx.forums.novell.com>, Andy Konecny <konecnya@no-mx.forums.novell.com> wrote:
In article <51598A1A.DFFF.0048.3@owzw.com>, Scott Schaffer wrote:
> TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875.
Did you make sure your LDAP was refreshed with the new cert? Make sure
your LDAP server and group objects point to them in ConsoleOne.
Perhaps unload and reload nldap will also be needed.
TLS is the newer specific form of SSL, but for most of us are the same
thing.
Andy Konecny
Knowledge Partner (voluntary SysOp)
KonecnyConsulting.ca in Toronto
----------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037
laurabuckley

Micro Focus Expert
2013-04-03
06:28
Hi Scott,
Thanks for the update - please let us know when/how this is sorted out.
Cheers,
Laura Buckley
Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
sschaffer

Commodore
2013-04-03
17:55
We have a working secure Webaccess again.
The trick seems to be to restart the POA after re-creating the CA and reminting all of the default certificates. Once I set Ldap to use the secure port and Synchronized it, then restarted the POA, everything worked great and I could see the secure ldap connection happening in the POA logs.
Also exporting the public key of one of the certificates and making sure that your Ldap is pointing to the correct location of this exported certificate is important.
During the course of this issue, I had read documentation that said to use the Public key from the CA, other documentation that said use the Public key from the SSL DNS and again another document that said to use the SSL IP cert. The Novell tech in my case used the DNS AG certificate public key. Does it make a difference which one you use?
Anyway, thanks again for all the suggestions and help.
Scott
Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP
>>> On April-02-13 at 11:36 PM, in message <laurabuckley.5t7hxz@no-mx.forums.novell.com>, laurabuckley <laurabuckley@no-mx.forums.novell.com> wrote:
Hi Scott,
Thanks for the update - please let us know when/how this is sorted
out.
Cheers,
--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa
http://www.itdynamics.co.za
------------------------------------------------------------------------
laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
View this thread: http://forums.novell.com/showthread.php?t=465411
laurabuckley

Micro Focus Expert
2013-04-04
06:30
Hi Scott,
Thank you very much for posting back and detailing the solution - much appreciated.
Cheers,
Laura Buckley
Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...