IBM Support

QRadar: Cannot log in to QRadar with a valid Active Directory account

Troubleshooting


Problem

The following error message is displayed when a user attempts to log in to QRadar with a known valid Active Directory account: "The username and password you supplied are not valid. Please try again."

Symptom

This error message can occur when Active Directory authentication worked in the past and suddenly stopped working. The error message can also display when Active Directory authentication is initially configured for QRadar.

If you did not make changes to your Active Directory recently, you might be experiencing a time synchronization issue.

Cause

The time difference between the system time of the QRadar console and the system time of the Active Directory server is greater than 5 minutes (300 seconds).

Diagnosing The Problem

Primary troubleshooting method

 
Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. Type the following command: cat /opt/qradar/conf/login.conf
    Review the output to determine the server that is configured for Active Directory authentication.

    Example:
    LDAPServerURL=ldaps://<server>:port

    The <server> is the Active Directory Domain Controller that QRadar is authenticating to and port is the Active Directory LDAP port (389 by default).
  3. Copy the IP address displayed in the server value.
  4. Type the following command: ntpdate -q <server>
    Replace the value <server> with the IP address or server address from step 2.
  5. Review the output to determine whether the offset time is more than 300 seconds off. If the offset time is more than 300 seconds, then the time interval between the Console and the Active Directory server is the root cause of the authentication issue.

    Output example:
    server 9.24.207.12, stratum 3, offset -10774.586000, delay 0.04221
    19 Nov 13:59:16 ntpdate[22011]: step time server 9.24.207.12 offset -10774.586000 sec
  6. Then, to synchronize the QRadar console to the LDAP server, issue the following command: ntpdate <server>
  7. Check the offset again to ensure it is within 300 seconds: ntpdate -q <server>

    Important: The next step will restart the web interface, which logs off all users, stops any event exports in progress, and stops any reports being generated. If you complete the next step, you might need to manually restart some reports or wait for a maintenance window to complete this procedure.
  8. To restart tomcat from the command line of QRadar, type: systemctl restart tomcat
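
Steps 2 through 5 of the procedure above can be scripted. The following is an added example, not IBM code: the function names and the dc01.example.test host are hypothetical, and the script assumes that `ntpdate -q` reports stratum 0 for a server that did not answer.

```sh
#!/bin/sh
# Added example (not IBM code): function names are hypothetical.
MAX_SKEW=300   # tolerance in seconds, as stated on this page

# Print the host from the first LDAPServerURL=<scheme>://<host>[:port] line on stdin.
ldap_host() {
    sed -n 's|^[[:space:]]*LDAPServerURL=[a-zA-Z]*://\([^:/[:space:]]*\).*|\1|p' | head -n 1
}

# Print the signed offset (seconds) from the "server ..." line of `ntpdate -q` output.
# Lines with stratum 0 are skipped: assumed to mean no reply, so offset 0 is not trusted.
ntp_offset() {
    sed -n -e '/^server .*stratum 0,/d' \
           -e 's/^server .*offset \([-+]\{0,1\}[0-9.]*\),.*/\1/p' | head -n 1
}

# Exit 0 if |offset| > limit, 1 if within the limit, 2 if the offset is not a number.
skew_too_great() {
    awk -v o="$1" -v max="${2:-$MAX_SKEW}" 'BEGIN {
        if (o !~ /^[-+]?[0-9]+(\.[0-9]+)?$/) exit 2
        o += 0; max += 0
        if (o < 0) o = -o
        exit ((o > max) ? 0 : 1)
    }'
}

# Classify one `ntpdate -q` output ($1) and print a one-line verdict.
check_skew() {
    off=$(printf '%s\n' "$1" | ntp_offset)
    rc=0
    skew_too_great "$off" || rc=$?
    case $rc in
        0) echo "FAIL offset=${off}s exceeds ${MAX_SKEW}s; expect 'Clock skew too great'" ;;
        1) echo "OK offset=${off}s is within ${MAX_SKEW}s" ;;
        *) echo "UNKNOWN no usable offset (server unreachable or NTP blocked?)" ;;
    esac
}

# Constructed login.conf content; the ntpdate line is the output example from this page.
SAMPLE_CONF='debug=false
LDAPServerURL=ldaps://dc01.example.test:636'
SAMPLE_NTP='server 9.24.207.12, stratum 3, offset -10774.586000, delay 0.04221'

echo "domain controller: $(printf '%s\n' "$SAMPLE_CONF" | ldap_host)"
check_skew "$SAMPLE_NTP"
# On a live Console, replace the samples with:
#   check_skew "$(ntpdate -q "$(ldap_host < /opt/qradar/conf/login.conf)")"
```

An UNKNOWN verdict means the offset could not be measured at all, which is a separate problem from skew and should be resolved before adjusting the clock.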
 

Alternate troubleshooting method

 
Procedure
  1. To edit the login.conf file, type: vi /opt/qradar/conf/login.conf
  2. Locate the value debug=false in the file.
  3. To enable debug, type debug=true.
  4. Save changes to the login.conf file.
  5. Log in to the QRadar user interface with your Active Directory account.
  6. Review the log entries in /var/log/qradar.log for the failed log-on message.

    Example:
    javax.security.auth.login.FailedLoginException: LDAPReader()::connect: Login error: com.ibm.security.krb5.KrbException, status code: 37
    message: Clock skew too great


    Important: The next step will restart the web interface, which logs off all users, stops any event exports in progress, and stops any reports being generated. If you complete the next step, you might need to manually restart some reports or wait for a maintenance window to complete this procedure.
  7. To restart tomcat from the command line of QRadar, type: systemctl restart tomcat

Resolving The Problem

Administrators that use QRadar Version 7.3 can update the QRadar system time to match the Active Directory system time by adjusting the time in the QRadar User Interface (UI). If time synchronization is the cause of your authentication issues, then the administrator can configure the time server to synchronize QRadar with the Domain Controller.

Option 1: Adjusting the time manually

  1. Log in to the QRadar UI.
  2. Click the Admin page.
  3. Click License and System Management.
  4. Highlight the Console and double-click.
  5. Click the System Time tab.
  6. Scroll down to Set Time Manually.
  7. Change the time to match the time on the Domain server.
  8. Click Save.

Option 2: Add NTP Servers

  1. Go to the System Time tab, as outlined in Option 1.
  2. Click Specify NTP Servers.
  3. Click the plus to add NTP servers.

  4. When complete, click Save.

Option 3: Synchronize LDAP Time

  1. Log in to the QRadar UI.
  2. Click the Admin page.
  3. Click Authentication.
  4. From the Authentication Module list, select LDAP.
  5. Click Manage Synchronization.
  6. Click Run Synchronization Now.

Results
The time synchronization occurs and all managed hosts synchronize to the Console. This process might take some time to complete.


Historical Number

1138

Document Information

Modified date:
07 January 2021

UID

swg21622862