
NPUM RDPRelay is not authenticating with IDM


Hi,

According to the document at http://tinyurl.com/qzjr58j, I have deployed
PUM on a Windows 2008 R2 SP1 server and created the PUM driver in IDM via
RL. The schema is extended in IDM (4.0.2) too. I have set a privileged
authentication account in PUM and used that account in Framework User
Manager for RDPRelay authentication. My users come from AD; those are the
ones I want to manage from PUM.

I have entered my idmadmin (default IDM admin) account, LDAPS (639) and
the correct password in the PUM privileged account. I use the same account
to log in to iManager too, but for RDPRelay users the authentication shows
"invalid username or password".

There was no password policy in IDM user container where AD users are
residing.

I have collected the dstrace log below with LDAP and NMAS from IDM. Can
anyone help me with this issue?

Note: AD users are coming into IDM without a password and we are
resetting it from IDM.

Thanks and Regards

Deb

*** Novell eDirectory Trace Utility - BEGIN Logging *** Thu Sep 18
16:15:05 2014
LDAP : New TLS connection 0x14a71380 from 192.168.16.3:49891, monitor
= 0x604, index = 3
LDAP : Monitor 0x604 initiating TLS handshake on connection
0x14a71380
LDAP : (192.168.16.3:49891)(0x0000:0x00) DoTLSHandshake on connection
0x14a71380
LDAP : BIO ctrl called with unknown cmd 7
LDAP : (192.168.16.3:49891)(0x0000:0x00) Completed TLS handshake on
connection 0x14a71380
LDAP : (192.168.16.3:49891)(0x0049:0x60) DoBind on connection
0x14a71380
LDAP : (192.168.16.3:49891)(0x0049:0x60) Bind
name:cn=idmadmin,ou=sa,o=system, version:3, authentication:simple
NMAS : 262155: Create NMAS Session
NMAS : 262155: Trying local password login shortcut for
CN=idmadmin.OU=sa.O=system
NMAS : 262155: IP client network address
NMAS : 262155: ERROR: -669 NDS password hash does not match
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: ERROR: -669 Local password login shortcut failed
NMAS : 262155: Proxy client address 192 168 16 3
NMAS : 262155: NMAS Client supplied user DN
CN=idmadmin.OU=sa.O=system
NMAS : 262155: Create thread request
NMAS : 262155: Using thread 0x149ab0c0
NMAS : 262155: Server thread started
NMAS : 262155: Proxy client started local server session
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: Pool thread 0x149ab0c0 awake with new work
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: CanDo
NMAS : 262155: IP client network address
NMAS : 262155: Selected default login sequence == "NDS"
NMAS : 262155: Login Method 0x00000007
NMAS : 262155: Server Module 0x00000007 Get attribute AID: 1
NMAS : 262155: Server Module 0x00000007 Get attribute AID: 39
NMAS : 262155: Server Module 0x00000007 Get attribute AID: 12
NMAS : 262155: Begin Server Module 0x00000007
NMAS : 262155: Server Module 0x00000007 Get attribute AID: 39
NMAS : 262155: Server Module 0x00000007 Get NDS Password Hash
NMAS : 262155: Server Module 0x00000007 Write
NMAS : 262155: Server Module 0x00000007 XWrite
NMAS : 262155: Server Module 0x00000007 XRead
NMAS : 262155: Begin Client Module 0x00000007
NMAS : 262155: Client Module 0x00000007 Get attribute AID: 6
NMAS : 262155: Client Module 0x00000007 Get attribute AID: 40
NMAS : 262155: Client Module 0x00000007 Read
NMAS : 262155: Client Module 0x00000007 XRead
NMAS : 262155: Client Module 0x00000007 XWrite
NMAS : 262155: Client Module 0x00000007 XRead
NMAS : 262155: ERROR: -1642 verifyPacket2V2
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: Server Module 0x00000007 XWrite
NMAS : 262155: ERROR: -1642 Server Module 0x00000007 End
NMAS : 262155: ERROR: -1642 NDS Login Method Failed
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: Client Module 0x00000007 Finished
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: WhatNext
NMAS : 262155: Failed login delay 3 seconds
NMAS : 262155: Failed login
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: Acknowledge
NMAS : 262155: NMAS Audit with Audit PA not installed
NMAS : 262155: NMAS Audit with XDAS not installed
NMAS : 262155: Server thread exited
NMAS : 262155: Pool thread 0x149ab0c0 work complete
NMAS : 262155: Client Session Destroy Request
LDAP : (192.168.16.3:49891)(0x0049:0x60) Failed to authenticate local
on connection 0x14a71380, err = failed authentication (-669)
LDAP : (192.168.16.3:49891)(0x0049:0x60) Sending operation result
49:"":"NDS error: failed authentication (-669)" to connection
0x14a71380
*** Novell eDirectory Trace Utility - END Logging *** Thu Sep 18
16:15:21 2014


--
deb_sarkar
------------------------------------------------------------------------
deb_sarkar's Profile: https://forums.netiq.com/member.php?userid=7951
View this thread: https://forums.netiq.com/showthread.php?t=51777

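When reading a trace like the one above, the useful facts are spread over many lines: which connection the bind came in on, whether TLS was negotiated first, the bind DN and authentication method, the NMAS error codes, and the final LDAP result code. The script below is an added example written for this thread (it is not part of the post, of PUM or of eDirectory) that extracts those facts from ndstrace output and turns them into findings. The sample trace is abridged from the post above with the wrapped lines rejoined; the line patterns are matched against the shapes seen in that excerpt only, and the result-code names come from RFC 4511.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# LDAP resultCode names (RFC 4511) for the codes this parser reports on.
LDAP_RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}

# Line shapes taken from the ndstrace excerpt in the post above.
NEW_CONN_RE = re.compile(
    r"^LDAP : New (TLS )?connection (0x[0-9a-fA-F]+) from (\d+\.\d+\.\d+\.\d+:\d+)")
TLS_DONE_RE = re.compile(
    r"^LDAP : \((\S+?)\)\(\S+\) Completed TLS handshake on connection (0x[0-9a-fA-F]+)")
BIND_RE = re.compile(
    r"^LDAP : \((\S+?)\)\(\S+\) Bind name:(.*?), version:(\d+), authentication:(\w+)")
NMAS_ERR_RE = re.compile(r"^NMAS : \d+: ERROR: (-?\d+) (.*)$")
RESULT_RE = re.compile(
    r'^LDAP : \((\S+?)\)\(\S+\) Sending operation result (\d+):"(.*?)":"(.*?)"')

# Constructed sample: abridged from the posted trace, wrapped lines rejoined.
SAMPLE_TRACE = """\
LDAP : New TLS connection 0x14a71380 from 192.168.16.3:49891, monitor = 0x604, index = 3
LDAP : (192.168.16.3:49891)(0x0000:0x00) Completed TLS handshake on connection 0x14a71380
LDAP : (192.168.16.3:49891)(0x0049:0x60) Bind name:cn=idmadmin,ou=sa,o=system, version:3, authentication:simple
NMAS : 262155: Trying local password login shortcut for CN=idmadmin.OU=sa.O=system
NMAS : 262155: ERROR: -669 NDS password hash does not match
NMAS : 262155: Selected default login sequence == "NDS"
NMAS : 262155: ERROR: -1642 verifyPacket2V2
NMAS : 262155: ERROR: -1642 NDS Login Method Failed
NMAS : 262155: Failed login delay 3 seconds
LDAP : (192.168.16.3:49891)(0x0049:0x60) Failed to authenticate local on connection 0x14a71380, err = failed authentication (-669)
LDAP : (192.168.16.3:49891)(0x0049:0x60) Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x14a71380
"""


@dataclass
class BindAttempt:
    connection: str
    client: str
    tls: bool
    bind_dn: str
    ldap_version: int
    auth: str
    nmas_errors: List[Tuple[int, str]] = field(default_factory=list)
    result_code: Optional[int] = None
    result_msg: Optional[str] = None

    @property
    def succeeded(self) -> bool:
        return self.result_code == 0


def parse_trace(text: str) -> List[BindAttempt]:
    """Correlate LDAP connection, bind, NMAS error and result lines into bind attempts."""
    attempts: List[BindAttempt] = []
    conn_of_client: Dict[str, str] = {}   # client ip:port -> connection handle
    tls_conns: Set[str] = set()           # connections that negotiated TLS
    current: Optional[BindAttempt] = None  # NMAS lines carry no connection id
    for raw in text.splitlines():
        line = raw.strip()
        if m := NEW_CONN_RE.match(line):
            conn_of_client[m.group(3)] = m.group(2)
            if m.group(1):
                tls_conns.add(m.group(2))
        elif m := TLS_DONE_RE.match(line):
            tls_conns.add(m.group(2))
        elif m := BIND_RE.match(line):
            client, dn, ver, auth = m.groups()
            conn = conn_of_client.get(client, "unknown")
            current = BindAttempt(conn, client, conn in tls_conns, dn, int(ver), auth)
            attempts.append(current)
        elif (m := NMAS_ERR_RE.match(line)) and current is not None:
            current.nmas_errors.append((int(m.group(1)), m.group(2)))
        elif m := RESULT_RE.match(line):
            client, code, _matched_dn, msg = m.groups()
            # Attach the result to the newest unanswered bind from that client.
            for a in reversed(attempts):
                if a.client == client and a.result_code is None:
                    a.result_code, a.result_msg = int(code), msg
                    break
    return attempts


def findings(a: BindAttempt) -> List[str]:
    """Turn one parsed bind attempt into reviewer-style findings."""
    out = []
    if a.auth == "simple" and not a.tls:
        out.append(f"{a.bind_dn}: simple bind on {a.connection} without TLS, "
                   "the password crossed the wire in cleartext")
    if a.result_code is None:
        out.append(f"{a.bind_dn}: no bind result seen (trace truncated?)")
    elif a.succeeded:
        out.append(f"{a.bind_dn}: bind succeeded")
    else:
        name = LDAP_RESULT_NAMES.get(a.result_code, "unknown")
        out.append(f"{a.bind_dn}: bind failed with LDAP result {a.result_code} "
                   f"({name}): {a.result_msg}")
    # The first NMAS error is the root cause; the later ones follow from it.
    if a.nmas_errors:
        code, text = a.nmas_errors[0]
        out.append(f"{a.bind_dn}: first NMAS error {code}: {text}")
    return out


if __name__ == "__main__":
    for attempt in parse_trace(SAMPLE_TRACE):
        print("\n".join(findings(attempt)))
```

Run against the sample, the findings read as the reply below puts it: the bind from 192.168.16.3 was a simple bind over TLS, the very first NMAS error is -669 (password hash does not match) and the LDAP result is 49 (invalidCredentials), so the password presented for cn=idmadmin,ou=sa,o=system was rejected. The cleartext finding is only raised when a simple bind arrives on a connection that never negotiated TLS, which is what a test over port 389 would show.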

Re: NPUM RDPRelay is not authenticating with IDM

The ndstrace output is pretty clear: the password entered for the
'idmadmin' user is wrong. Why it is being sent incorrectly I cannot tell.
I suppose you could try to have the service authenticate over 389 and
then you could more easily view the credentials sent to ensure they are
what you expect them to be (not different from what you type in, assuming
what you type in is correct for this account). You could also use
Wireshark to decrypt the current traffic on the wire to see what is being
sent, though that's a little more work. Either way the password being
sent to eDirectory is wrong.

Just to rule out an eDirectory problem, try binding as this user with this
password using an LDAP tool like Apache Directory Studio. The ndstrace
output should be very similar during the authentication portion, other
than allowing you in.

--
Good luck.


Re: NPUM RDPRelay is not authenticating with IDM


Thanks for your response,

My apologies for mentioning the wrong port in my post, i.e. 639; I am
using 636, the default LDAPS port.

I downloaded Apache Directory Studio and created an LDAPS connection to
my IDM server using simple authentication, and I can access the IDM
directory using my IDM admin ID, i.e. cn=idmadmin,ou=sa,o=system, and
password.

I am 100% sure that I am typing the correct password in PUM, because I
used copy-paste for the password too.

Still, PUM RDPRelay users can't authenticate with IDM. I think there
must be some issue on the NMAS side.

Thanks and Regards

Deb


--
deb_sarkar
