IBM Support

IV66916: LOGIN OF "AMBIGUOUS" USERS AUTHENTICATED VIA ACTIVE DIRECTORY DOES NOT WORK


APAR status

  • Closed as program error.

Error description

  • Env: SCA 1.4.46 and 1.5.78 on Windows
    Users authenticated via Active Directory
    
    Problem:
    Customer has configured SCA with users authenticated via Active
    Directory. He cannot log in to the SCA interface with one of his
    users (ABCD), receiving the error:
    
    "There is no user matching the entered user name and password"
    
    even though the user's credentials are correct and the user has
    been correctly configured in SCA.
    
    Further troubleshooting with a Wireshark trace of the request
    sent to LDAP showed that SCA sends the search for user ABCD with
    the filter:
    
    (&(&(objectCategory=Person)(|(sAMAccountName=*)(userPrincipalName=*)))(sAMAccountName=*ABCD*))
    
    (note the wildcards surrounding ABCD in the sAMAccountName term:
    this is a substring match, not an exact match).
    
    The LDAP server returns a matching entry:
    "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2",
    which is a different account from ABCD.
    
    Immediately afterwards SCA sends a bind request for that DN:
    LDAPMessage bindRequest(1)
    "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2" simple
    
    and receives the bind response:
    LDAPMessage bindResponse(1) invalidCredentials (80090308:
    LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error,
    data 775, v1db1)
    
    (The AD sub-code data 775 means the tABCD account was locked out;
    a plain password mismatch reports data 52e. Either way, the bind
    was attempted against the wrong account.)
    
    After the customer removed the user tABCD, the login of user ABCD
    worked correctly.
    So login does not work properly when Active Directory contains
    two users matching the pattern (more precisely, when the name of
    the problematic user is a substring of another user's name): the
    substring search can return the other account, and SCA then binds
    as that account's DN with the entered password, which fails.
    
    

Local fix

  • Avoid defining an SCA user whose name is a substring of another
    SCA user's name (for instance, do not define ABCD if another SCA
    user tABCD is already defined).
    
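The following is an added example, not IBM's or SCA's code. It models the two lookup strategies behind the error description against a constructed in-memory directory: the substring filter seen in the trace, (sAMAccountName=*ABCD*), and an exact-match filter whose value is escaped per RFC 4515 so a user-supplied name cannot alter the filter. It also implements the check behind the local fix above, listing account names that are substrings of other account names. The entries ABCDE and svc-report, the function names, and the "refuse ambiguous lookups" policy in resolve_user_dn are assumptions for illustration; only ABCD and tABCD come from the APAR.

```python
"""Substring vs exact-match user lookup, modelled on the IV66916 trace.
Added example; not SCA code. Directory contents are constructed."""
import re

# Constructed sample entries. ABCD and tABCD are the accounts named in
# the APAR; ABCDE and svc-report are made up to show further collisions.
DIRECTORY = {
    "CN=ABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2":
        {"objectCategory": "Person", "sAMAccountName": "ABCD"},
    "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2":
        {"objectCategory": "Person", "sAMAccountName": "tABCD"},
    "CN=ABCDE,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2":
        {"objectCategory": "Person", "sAMAccountName": "ABCDE"},
    "CN=svc-report,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2":
        {"objectCategory": "Person", "sAMAccountName": "svc-report"},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515, section 3).
    Without this a name such as "*" would act as a wildcard instead of
    being matched literally."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def _unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\2a -> '*', \\28 -> '(', ...)."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def attribute_matches(actual: str, pattern: str) -> bool:
    """Evaluate one (attr=pattern) assertion the way AD does for
    sAMAccountName: case-insensitive, unescaped '*' is a wildcard."""
    # Split on unescaped '*' first, so an escaped \2a stays literal.
    pieces = [re.escape(_unescape_filter_value(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def lookup_terms(username: str, substring: bool) -> list:
    """AND-ed assertions for a user lookup. substring=True reproduces the
    filter in the APAR trace (sAMAccountName=*ABCD*); False is exact."""
    safe = escape_filter_value(username)
    pattern = "*%s*" % safe if substring else safe
    return [("objectCategory", "Person"), ("sAMAccountName", pattern)]


def render_filter(terms: list) -> str:
    """Render the assertions as the LDAP filter string that would be sent."""
    return "(&" + "".join("(%s=%s)" % t for t in terms) + ")"


def search(directory: dict, terms: list) -> list:
    """Return the DNs of all entries satisfying every assertion."""
    return sorted(dn for dn, attrs in directory.items()
                  if all(attribute_matches(attrs.get(a, ""), p)
                         for a, p in terms))


def resolve_user_dn(directory: dict, username: str,
                    substring: bool = False):
    """Return the single DN to bind as, or None when the lookup returns
    zero or several entries. Binding as whichever entry the server
    listed first (what the trace shows) ties the outcome to a result
    order the server does not guarantee; refusing ambiguity makes the
    failure explicit instead."""
    hits = search(directory, lookup_terms(username, substring))
    return hits[0] if len(hits) == 1 else None


def substring_collisions(directory: dict) -> list:
    """The check behind the local fix: pairs (short, long) where one
    account name is a case-insensitive substring of another."""
    names = sorted(attrs["sAMAccountName"] for attrs in directory.values())
    return sorted((a, b) for a in names for b in names
                  if a != b and a.lower() in b.lower())


if __name__ == "__main__":
    for mode in (True, False):
        terms = lookup_terms("ABCD", substring=mode)
        print(render_filter(terms), "->", search(DIRECTORY, terms))
    print("collisions:", substring_collisions(DIRECTORY))
```

Running the script shows the substring filter returning three entries for ABCD while the exact filter returns one; substring_collisions is the list an administrator would review before relying on the local fix.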

Problem summary

  • Problem Description:
    SCA user encounters an error when logging in and authenticating
    via Active Directory.
    Problem Summary:
    The user encounters the error message 'There is no user matching
    the entered user name and password' when trying to log in. This
    is due to a problem SCA has with handling two users in LDAP or
    Active Directory whose names overlap (one name being a substring
    of the other): the user lookup uses a substring match, so it can
    return the other account.
    

Problem conclusion

  • This issue is resolved in SCA 1.6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV66916

  • Reported component name

    TV EP MG SEC CF

  • Reported component ID

    5725C43SM

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-11-14

  • Closed date

    2015-04-30

  • Last modified date

    2015-04-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TV EP MG SEC CF

  • Fixed component ID

    5725C43SM

Applicable component levels

  • R920 PSY

       UP


Document Information

Modified date:
30 April 2015