IBM Support

SECJ0118E error: LDAPSYNC brings the user in successfully and the user is active, but at login time the system does not recognize it as a valid user

Troubleshooting

Problem

The LDAPSYNC cron task runs fine and brings the user into the MAXUSER table. The user is active and system security is correctly set to Application Server. Despite all configuration and settings being correct, the system does not accept the user/password as valid input on the login window.

Symptom

Application Server security is in place and a correct user/password is provided, but it is not recognized as valid. The system issues the following error message when this user tries to log in (sample):

“[03/17/13 10:05:57:886 EST] 000008af FormLoginExte E SECJ0118E: Authentication error during authentication for user <user name>”

Cause

The WebSphere wimconfig.xml file is configured to search the MS AD uid attribute for the user name entered on the login page, but the uid value is empty (null) on MS AD, so the corresponding user is never found.

The user is nevertheless synchronized correctly into Maximo with a valid login ID, because the Usermapping uses sAMAccountName rather than uid.

Environment

Maximo 7.1 and Maximo 7.5 using MS AD and LDAPSYNC and WebSphere.

Diagnosing The Problem

When checking the Application Server security settings and configuration against the IBM document “Master Document - LDAP Configurations Flow Chart”, everything seems to be set up correctly.

The user exists on MS AD in the appropriate folder, which is accessible to the PRINCIPAL user established for the connection to MS AD. No issues here either.

The Usermapping XML parameter of the running LDAPSYNC cron task instance is correct. It will likely contain the following (sample):

<column name="LOGINID" type="ALN">sAMAccountName</column>

<column name="PERSONID" type="UPPER">sAMAccountName</column>

When LDAPSYNC runs, the user appears in the logs with no issue for the synchronization operation.

The user is active in the MAXUSER table and there is a corresponding record in the PERSON table.

There is no communication problem between WebSphere and MS AD.

At login attempt the user is not recognized as valid and the following message appears in the system's log file (sample):

“[03/17/13 10:05:57:886 EST] 000008af FormLoginExte E SECJ0118E: Authentication error during authentication for user <user name>”

When checking the WebSphere wimconfig.xml file:

- In a stand-alone (non-clustered) installation, the file is at the following path:

<wsas profile root>/config/cells/cellname/wim/config/wimconfig.xml

- In a cluster environment, the file is at the path below:

<dmgr profile root>/config/cells/cellname/wim/config/wimconfig.xml

… you might see the following (sample):

</config:supportedEntityTypes>
<config:supportedEntityTypes defaultParent="CN=IBM Sample IBMTest,CN=GroupsIBM,DC=ibmcorp,DC=ibm,DC=com" name="PersonAccount">
<config:rdnProperties>uid</config:rdnProperties>
</config:supportedEntityTypes>

<config:loginProperties>uid</config:loginProperties>

<config:attributes name="userprincipalname" propertyName="kerberosId">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>

<config:attributeNames>uid</config:attributeNames>

This means the MS AD uid attribute is used to search for the user name entered on the login page.

When checking the MS AD uid attribute value, we see it is empty (null).

Resolving The Problem

In this scenario the recommended solution is to have a valid value in the MS AD uid attribute for all users on MS AD that will be synchronized to IBM MAM 7 using LDAPSYNC. The uid value MUST be unique in the MS AD database so that when WAS searches against it, only a single record is found.

If business needs do not allow the use of the MS AD uid attribute and require sAMAccountName to be used instead, the WebSphere config file can be changed to use sAMAccountName instead of uid. To do so, proceed as follows:

W1) Create a backup of your wimconfig.xml file;

W2) Open the wimconfig.xml file with a text editor that will not add any special characters to it.

W3) Change the following lines from:

<config:attributes name="userprincipalname" propertyName="kerberosId">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>

to:

<config:attributes name="sAMAccountName" propertyName="cn">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>

W4) Also add:

<config:attributes name="sAMAccountName" propertyName="uid">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>

W5) Save the file;

W6) Stop all JVMs and clear the WAS cache and log files;

W7) Restart the WebSphere server and your MAM 7 applications (JVMs).
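The following script is an added example, not IBM's code, that checks the two facts this technote turns on: which LDAP attribute WebSphere will actually search for the name typed on the login page (from wimconfig.xml), and whether that attribute matches the one LDAPSYNC's Usermapping writes into MAXUSER.LOGINID and is populated and unique in the directory. It assumes the semantics described in the W3/W4 steps above: a <config:attributes name="LDAPATTR" propertyName="PROP"> element maps the federated-repository property PROP onto the LDAP attribute LDAPATTR, and a login property with no such mapping is searched under its own name. The namespace URI, the wrapping <config:repositories> element, the Usermapping fragment and the directory entries are all constructed for the example; the "before" and "after" excerpts mirror the samples in this document.

```python
"""Consistency check for the SECJ0118E scenario described above (added example).

Assumption: in wimconfig.xml, <config:attributes name="LDAPATTR" propertyName="PROP">
maps property PROP to LDAP attribute LDAPATTR; an unmapped login property is
searched under its own name.  All XML and directory data below is constructed.
"""
import xml.etree.ElementTree as ET

# Namespace of the config: prefix (assumed; the technote's excerpt omits it).
CONFIG_NS = "http://www.ibm.com/websphere/wim/config"

# Constructed "before" excerpt: login property uid, no mapping for uid.
WIMCONFIG_BEFORE = f"""<config:repositories xmlns:config="{CONFIG_NS}">
  <config:supportedEntityTypes name="PersonAccount">
    <config:rdnProperties>uid</config:rdnProperties>
  </config:supportedEntityTypes>
  <config:loginProperties>uid</config:loginProperties>
  <config:attributes name="userprincipalname" propertyName="kerberosId">
    <config:entityTypes>PersonAccount</config:entityTypes>
  </config:attributes>
</config:repositories>"""

# Constructed "after" excerpt: steps W3 and W4 applied (uid -> sAMAccountName).
WIMCONFIG_AFTER = f"""<config:repositories xmlns:config="{CONFIG_NS}">
  <config:loginProperties>uid</config:loginProperties>
  <config:attributes name="sAMAccountName" propertyName="cn">
    <config:entityTypes>PersonAccount</config:entityTypes>
  </config:attributes>
  <config:attributes name="sAMAccountName" propertyName="uid">
    <config:entityTypes>PersonAccount</config:entityTypes>
  </config:attributes>
</config:repositories>"""

# Constructed LDAPSYNC Usermapping fragment (LOGINID from sAMAccountName).
USERMAPPING = """<user>
  <table name="MAXUSER">
    <column name="LOGINID" type="ALN">sAMAccountName</column>
    <column name="PERSONID" type="UPPER">sAMAccountName</column>
  </table>
</user>"""

# Constructed directory entries: uid is empty, as in the technote's diagnosis.
AD_ENTRIES = [
    {"dn": "CN=J Smith,OU=Users,DC=example,DC=test", "sAMAccountName": "jsmith", "uid": ""},
    {"dn": "CN=M Jones,OU=Users,DC=example,DC=test", "sAMAccountName": "mjones", "uid": ""},
]


def ldap_login_attributes(wimconfig_xml):
    """LDAP attributes WAS searches for the login name, in loginProperties order."""
    root = ET.fromstring(wimconfig_xml)
    prop_to_attr = {}
    for el in root.iter("{%s}attributes" % CONFIG_NS):
        if el.get("propertyName"):
            prop_to_attr[el.get("propertyName")] = el.get("name")
    props = [el.text.strip() for el in root.iter("{%s}loginProperties" % CONFIG_NS) if el.text]
    return [prop_to_attr.get(p, p) for p in props]


def ldapsync_loginid_attribute(usermapping_xml):
    """LDAP attribute the Usermapping writes into MAXUSER.LOGINID."""
    root = ET.fromstring(usermapping_xml)
    for col in root.iter("column"):
        if col.get("name") == "LOGINID":
            return (col.text or "").strip()
    raise ValueError("Usermapping has no LOGINID column")


def login_mapping_consistent(wimconfig_xml, usermapping_xml):
    """True when WAS searches the same attribute LDAPSYNC stored as LOGINID."""
    return ldapsync_loginid_attribute(usermapping_xml) in ldap_login_attributes(wimconfig_xml)


def login_lookup(entries, attr, login_name):
    """Emulate the WAS search: case-insensitive equality on one attribute.
    'not found' is the SECJ0118E symptom; 'ambiguous' violates the uniqueness
    requirement stated in the resolution."""
    hits = [e for e in entries if e.get(attr) and e[attr].lower() == login_name.lower()]
    if not hits:
        return "not found"
    if len(hits) > 1:
        return "ambiguous"
    return "ok"


if __name__ == "__main__":
    for label, cfg in (("before", WIMCONFIG_BEFORE), ("after", WIMCONFIG_AFTER)):
        attrs = ldap_login_attributes(cfg)
        print(label, "WAS searches:", attrs,
              "consistent with LDAPSYNC:", login_mapping_consistent(cfg, USERMAPPING),
              "lookup jsmith:", login_lookup(AD_ENTRIES, attrs[0], "jsmith"))
```

Run against a real wimconfig.xml by reading the file into ldap_login_attributes(); the directory check is a stand-in for an LDAP search filtered on the attribute it reports, which is where an empty uid, or a duplicated one, shows up before any user hits the login page.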


Document Information

Modified date:
17 June 2018

UID

swg21628873