CA IDM with AD Authentication issue
Article ID: 131303


Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

By default, CA Identity Manager comes with an out-of-the-box, Default authentication module. The Default module authenticates the user against the directory that is configured for their environment. Two other authentication module choices exist: The Active Directory or a custom module.

After configuring the Active Directory module for external authentication, attempting to log in returns the following error:

Error: AD Internal Error:Check AD


Environment

CA Identity Manager 14.x
CA Identity Suite 14.x

Cause

This is caused by congestion on the LDAP port.

Resolution

Configuring IM to use the Global Catalog port (3268) rather than the default AD LDAP port (389) addresses this issue.

Additional Information

In Identity Manager 14.0 and 14.1 the "ad_auth_settings.properties" file contains the configuration settings.

The "ad_auth_settings.properties" file is located at the following path:

../iam_im.ear/config/ad_auth_settings.properties

Change
SERVERS=hostname
to
SERVERS=hostname:3268

As of 14.2, the ad_auth_settings.properties file no longer holds the Active Directory server settings. Instead, you manage the configuration in the Authentication Properties section of the Management Console, under Environment, <Environment>, User Console. The values are persisted with the environment in the CA Identity Manager object store.

Next Actions: 

Follow these steps: 

1. In the Management Console, select Environment.
2. Select the environment that you want to manage, and then click Advanced Settings.
3. The Advanced Settings page appears. Select User Console.
4. In the Authentication Properties section, select the "Active Directory" radio button.
5. Click "Module Properties" and enter a value for each of the following properties:

SERVERS: Specifies the IP address of the Active Directory server(s). Use the following format (no spaces): 
IP1:PORT,IP2:PORT 
For example: 192.168.152.152:10261,192.168.154.127:10261 

ADMINDN: Specifies the DN of the Administrator ID used to connect to Active Directory. This property is required. For example: 
cn=Administrator,cn=Users,dc=companyX,dc=com 

ADMINPWD: Specifies the Administrator Password for Active Directory. Enter and then confirm this password. This value is required. 

BASEDN: Specifies the Base DN for the user search in Active Directory. This property is required. For example: cn=Users,dc=companyX,dc=com

SSL: Determines whether to use SSL. Values are TRUE or FALSE. 

SEARCHFILTER: Specifies a valid LDAP search filter with a variable substitution for an AD user. "%s" must be part of the filter, as it is replaced with the user name during authentication. This property is required. For example, to define a filter for the default Active Directory user schema, enter SEARCHFILTER=sAMAccountName=%s

Note: When using a custom Active Directory user schema, the objectCategory and objectClass filter clauses must both be defined in the filter and must match the LDAP object classes of the custom schema. For example, enter: SEARCHFILTER=(&(objectCategory=person)(objectClass=CompanyXUser)(sAMAccountName=%s))

Once you have configured the settings, click SAVE and restart the environment.
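The following is an added example, not part of this article or of CA Identity Manager: it parses a constructed ad_auth_settings.properties file in the format described above, flags the settings a practitioner would want checked before restarting the environment (SERVERS entries in HOST:PORT form, port 389 versus the recommended 3268, a SEARCHFILTER without "%s", missing required properties), and shows the "%s" substitution with RFC 4515 escaping of the user name so that the value cannot change the filter's structure. The escaping step and the SSL-port note are my assumptions about good practice, not behaviour the article documents.

```python
# Constructed sample of an ad_auth_settings.properties file (not the article's own file).
SAMPLE = """\
SERVERS=192.168.152.152:3268,192.168.154.127:3268
ADMINDN=cn=Administrator,cn=Users,dc=companyX,dc=com
ADMINPWD=PLACEHOLDER_PASSWORD
BASEDN=cn=Users,dc=companyX,dc=com
SSL=FALSE
SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))
"""

def parse_properties(text):
    """Minimal key=value parser; only the first '=' splits, because DNs and filters contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_settings(props):
    """Return the problems found; an empty list means the settings pass these checks."""
    problems = []
    use_ssl = props.get("SSL", "FALSE").upper() == "TRUE"
    for entry in props.get("SERVERS", "").split(","):
        host, sep, port = entry.partition(":")
        if " " in entry or not sep or not port.isdigit():
            problems.append(f"SERVERS entry '{entry}' must be HOST:PORT with no spaces")
            continue
        if port == "389":
            problems.append(f"{host}: port 389 in use; the article recommends Global Catalog port 3268")
        # Assumption (general AD knowledge, not from the article): the Global Catalog
        # over SSL listens on 3269, so SSL=TRUE with 3268 is a likely misconfiguration.
        if use_ssl and port == "3268":
            problems.append(f"{host}: SSL=TRUE but 3268 is the plaintext Global Catalog port")
    if "%s" not in props.get("SEARCHFILTER", ""):
        problems.append("SEARCHFILTER must contain %s")
    for key in ("ADMINDN", "ADMINPWD", "BASEDN"):
        if not props.get(key):
            problems.append(f"{key} is required")
    return problems

def escape_filter_value(value):
    """RFC 4515 escaping of the characters that would otherwise alter an LDAP filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_search_filter(props, username):
    """Substitute the escaped user name for %s, mirroring the substitution the article describes."""
    return props["SEARCHFILTER"].replace("%s", escape_filter_value(username))
```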