lsf 9.0.0 to 9.0.1 upgrade authentication issues

 22 Replies
 0 Subscribed to this topic
 27 Subscribed to this forum
Sort:
Author
Messages
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
upgraded my hpu-ux lsf 9.0.0 environment to lsf 9.0.1. no errors during upgrade process.
portal & sec admin authentication is now broke. came accross some errors in security_authen.log.
1) from startup
Security factory was unable to find class com.lawson.security.authen.ManagerFactoryLMImpl
2) from authentication
26965103: >> processLoginAction More info: none.
26965103: returning mgrFactory
26965103: returning mgrFactory
26965103: Authenticating...
26965103: returning mgrFactory
26965103: returning mgrFactory
26965103: returning mgrFactory
26965103: searchBase: 'DC=kindermorgan,DC=com'
26965103: searchFilter: '(&(sAMAccountName=tstuser)(objectclass=user))'
26965103: unknown
26965103: Exception while looping through found entries.
26965103: Invalid authentication. Sending to login page again.
EricS
Veteran Member Send Private Message
Posts: 80
Veteran Member
I upgraded my AIX environment form 9.0.0.4 to 9.0.1. Incuded in the upgrade process installing DB2 9.5, TDS 6.2. Had more problems than I could count, some of them self induced. I did find out, from the Lawson Consultant we had to hire to straighten out the mess, that installing Tivoli Directory Intgrator is incompatible with Lawson, and that using the Tiviol Migration tools is not recomended. It is better to export an LDIF file, install TDS, and import the LDIF file. If you have upgraded TDS, that might be the cause?
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
ldap is using microsoft ADAM
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
Can you login thru LID?
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
LID works fine
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
Are you on LAUA security or LS security?
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
LS
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
Have you redeployed the your Lawsec, BPM, IOS websphere modules after the upgrade? (You probably did) Just double checking.

Next:
Check your default ldap login account against your ADAM. The account should be valid admin account in ADAM. You can find the account in your %LAWDIR%\system\authen.dat in the RMCONFIG tag. (DO NOT CHANGE THiS FILE)
You should be able to use a ldap broweser and connect with this ADAM admin account. Verify the password to see if it has been changed.

Check your LDAPBIND settings, if you are binding it to AD, the account(most likely not your ADAM Admin account) should have access to browse the user tree.

Next:
Check for corrupted user entry. tstusr is a good start.
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
ears have been redeployed
i can connect to adam with the the default ldap login acct. (password has not changed)
the search user is valid
fyi....this environment worked just fine prior to the upgrade
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
Did you upgrade your portal to 9.0.1.x also? And which version of hp-ux are you running? which verison of 9.0.1.x you upgraded to? what's your websphere version?
hsuhsen
Basic Member Send Private Message
Posts: 23
Basic Member
Josh, can you get to the Portal page or to the sec admin page, or do you get the error before you get to the login screen?
Brian Allen
Veteran Member Send Private Message
Posts: 104
Veteran Member
Was there an LDIF update required for 9.0.1 (you would have been prompted to apply the update)? If so, did you apply it? Do all of the smoke tests from the install guide pass?
hsuhsen
Basic Member Send Private Message
Posts: 23
Basic Member
There is a valuable tool you can use to troubleshoot SSO log in errors. Go to LAWDIR/system/sso_tracing.properties. Set the TRACING_ON value to true. Re-start the application server for this change to be effective. Run the following smoketests:

Portal URL:
http://server:port/sso/SSOServlet
http://server:port/ssoconfig/SSOCfgInfoServlet

Lawson Insight Desktop (LID) Command Prompt:
lsconfig -l
ssosmoketest
ssoconfig -c
lase

The results will be in SSO_*.log files in LAWDIR/system. I have found these logs to be very helpful in troubleshooting errors that are specific to ldap, lawson security, and SSO problems.
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
hpux 11.23
lsf 9.0.1.5
portal 9.0.1.5
websphere 6.1.0.29 (i upgrade websphere from 6.0.0.27 to 6.1.0.29 before the lsf upgrade....lawson worked fine)
there were no ldif updates
portal login screen comes up...if i enter valid userid/password screen comes back with password blanked out in white and no message
sec admin...authentication fails
any portal smoketest that requires authentication....fails
lid...lsconfig & ssosmoketest work just fine
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
Apr 12, 2010 2:32:05 PM com.lawson.lawsec.authen.FormLoginScheme ldapBindSearch
WARNING: LDAP authentication failed for user with dn 'CN=lawson,OU=SystemAccount
s,DC=kindermorgan,DC=com'. Message: javax.naming.AuthenticationException: [LDAP
: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityConte
xt error, data 52e, vece]
Stack Trace : javax.naming.AuthenticationException: [LDAP: error code 49 - 80090
308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vec
e]

is this a websphere/bouncycastle issue since lid ssosmoketest works?
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
error 49/52e is indication of invalid credential. Did you reapply bouncycastle to the websphere 6.1.0.29 upgrade?
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
yes bouncy was reapplied.
$JAVA_HOME/bin/java -version...1.5.0.07 $WAS_HOME/java/bin/java -version...1.5.0.03
is the java version mismatch an issue?
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
I would redo your LDAPBIND, point it to a GC via port 3268, verify lawson account and password.
Brian Allen
Veteran Member Send Private Message
Posts: 104
Veteran Member
Having a different Java version between JAVA_HOME and WAS_HOME should be fine. We have different versions currently after a recent Websphere update (under 9.0.0.x).
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
ssosmoketest from lid verifies that ldap & dc are talking...correct?
houux66: >ssosmoketest -u lawson -w K1nder123!
tracing log is /lsfp1/law/system/SSO_31782850.log
......
......
Testing completed!
Jimmy Chiu
Veteran Member Send Private Message
Posts: 641
Veteran Member
Redo your LDAPBIND to one of your global catalog domain controller via 3268.

The binding account probably will need to be accountname@domain.com instead of DOMAIN\accountname. Make this account a domain admin/service account only just for testing. Ii ran into the same issue about a year ago when I did the upgrade to 9.0.1.x from 9.0.0.4 . Only portal wouldn't recognize any valid password but I was able to connect via LID.
John Hosanna
Basic Member Send Private Message
Posts: 11
Basic Member
changing the ldapbind port to 3268 WORKED!!!!!!!!!!!

why?
Bart Conger
Advanced Member Send Private Message
Posts: 18
Advanced Member
Microsoft has some good documentation regarding 389 vs 3268.
http://technet.microsoft....ers-work(WS.10).aspx