APAR status
Closed as program error.
Error description
Env: SCA 1.4.46 and 1.5.78 on Windows. Users authenticated via Active Directory.

Problem: The customer has configured SCA with users authenticated via Active Directory. He cannot log in to the SCA interface with one of his users (ABCD), receiving the error "There is no user matching the entered user name and password" even though the user credentials are correct and the user has been correctly configured in SCA.

After additional troubleshooting with a Wireshark trace of the request sent to LDAP, we noticed that SCA sends the request for the user ABCD with the filter:

(&(&(objectCategory=Person)(|(sAMAccountName=*)(userPrincipalName=*)))(sAMAccountName=*ABCD*))

(note the wildcards for sAMAccountName surrounding ABCD).

The LDAP returns a matching user: LDAPMessage bindRequest(1) "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2", different from ABCD.

Immediately afterwards SCA sends a bind request:

LDAPMessage bindRequest(1) "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2" simple

and receives the bind response:

LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1)

The customer removed the user tABCD, and the login of the user ABCD then worked correctly. So the login does not seem to work properly when Active Directory contains two users with a matching pattern (or, better, when the name of the problematic user is a substring of the second user's name).
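The lookup behaviour described above, reproduced as an added example (not SCA code and not the fix shipped by IBM): it contrasts the substring filter with an escaped equality filter and refuses to bind unless exactly one entry matches. The directory entries are constructed, the function names are hypothetical, and it assumes the client binds as the first entry the search returns.

```python
import re

# Constructed entries; the tABCD DN is from the trace, the ABCD DN is assumed.
DIRECTORY = [
    {"dn": "CN=tABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2", "sAMAccountName": "tABCD"},
    {"dn": "CN=ABCD,OU=ORGUNIT1,OU=ORGUNIT2,DC=DOMAIN1,DC=DOMAIN2", "sAMAccountName": "ABCD"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def substring_filter(name):
    # Shape of the sAMAccountName clause seen in the trace: wildcards on both sides.
    return "(sAMAccountName=*%s*)" % escape_filter_value(name)

def equality_filter(name):
    # Exact match on the login name, no wildcards.
    return "(sAMAccountName=%s)" % escape_filter_value(name)

def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def search(filter_str):
    """Evaluate one (sAMAccountName=<pattern>) clause against DIRECTORY.

    An unescaped '*' is a wildcard; matching is case-insensitive, as it is
    for sAMAccountName in Active Directory.
    """
    pattern = filter_str[len("(sAMAccountName="):-1]
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)
    return [e["dn"] for e in DIRECTORY if rx.fullmatch(e["sAMAccountName"])]

def legacy_bind_dn(name):
    """Behaviour matching the trace: substring search, bind as the first hit."""
    hits = search(substring_filter(name))
    return hits[0] if hits else None

def resolve_bind_dn(name):
    """Exact search; an ambiguous or empty result yields no bind DN."""
    hits = search(equality_filter(name))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print("substring:", search(substring_filter("ABCD")))
    print("legacy bind DN:", legacy_bind_dn("ABCD"))
    print("exact bind DN:", resolve_bind_dn("ABCD"))
```

With the substring filter, ABCD's password is presented against tABCD's DN, which is why the directory answers invalidCredentials even though the credentials are correct.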
Local fix
Avoid defining an SCA user whose name is a substring of the name of another SCA user (for example, avoid defining ABCD if another SCA user tABCD is already defined).
Problem summary
Problem Description: An SCA user encounters an error when logging in and authenticating via Active Directory.

Problem Summary: The user encounters the following error message when trying to log in: 'There is no user matching the entered user name and password'. This is due to a problem SCA has with handling 2 users with the same name in the LDAP or Active Directory.
Problem conclusion
This issue is resolved in SCA 1.6.
Temporary fix
Comments
APAR Information
APAR number
IV66916
Reported component name
TV EP MG SEC CF
Reported component ID
5725C43SM
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-11-14
Closed date
2015-04-30
Last modified date
2015-04-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TV EP MG SEC CF
Fixed component ID
5725C43SM
Applicable component levels
R920 PSY
UP
Document Information
Modified date:
30 April 2015