The 'Test Configuration' button for IWA Direct fails for some users in AD.

Article ID: 166992

Products

ProxySG Software - SGOS

Issue/Introduction

  • You are using IWA Direct for authentication (as introduced in SGOS 6.3.1.1).
  • The 'Test Configuration' button is not working for some user accounts that you are trying to test.
  • You receive the error "Authentication Failed General error communicating with Active Directory."
  • You may also notice that the same usernames cannot log in to the ProxySG via an Admin Access Layer.
  • Browsing through the ProxySG as an authenticated user is unaffected by this problem (only 'Test Configuration' button and admin access do not work).

For example, after clicking 'Test Configuration' you see the following error:

[Screenshot: the "Authentication Failed" error dialog shown after clicking 'Test Configuration']

Resolution

This problem can occur if the user belongs to an Active Directory group that contains international characters.

In testing, the following characters are known to cause issues with the 'Test Configuration' button and any admin access layers:

á, é, í, ó, ú, £

There may be other characters that are not listed. One customer has reported that spaces (" ") also cause the issue.

For example, if you have a group named "Téstíng" and your user is in this group, the 'Test Configuration' and Admin Access layers will not work.

If the user is part of many groups, you must run an LSA Debug in order to find the group that is causing the problem:

1) Go to: https://x.x.x.x:8082/lsa/debug/debugmask (where x.x.x.x is the ProxySG management IP address).

2) Click on 'Enable All' at the top.

3) Click [Set mask] button.

4) Click 'View Debug Log'.

5) Click 'Clear Log'.

6) Reproduce the problem by clicking the 'Test Configuration' button and entering a failing username.

7) Load the debug log and look for lines similar to:

Failed to find memberships for user 'ROSS2003\téstíng' (error = 40067)
Error code: 40067 (symbol: LW_ERROR_STRING_CONV_FAILED)
Failed to group memberships of SID=S-1-5-21-3248416004-2975801735-1193386114-2158. [error code:40067]
Error code: 40067 (symbol: LW_ERROR_STRING_CONV_FAILED)
Cache entry for user's group membership for sid S-1-5-21-3248416004-2975801735-1193386114-2158 is incomplete

In the output above, the AD group "téstíng" could not be converted (error 40067, LW_ERROR_STRING_CONV_FAILED), and the SID of the affected group is also shown. If the problematic group named in the debug log does NOT itself contain international characters, check which groups that group is a 'member of' (nested group membership) and the full path of the OU it belongs to, since either can carry the offending characters.
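The following script is an added example, not code from the article or from the ProxySG product. It shows the two checks the procedure above describes: first, pulling the failing user, the error symbol and the SIDs out of LSA debug output so that the 40067 (LW_ERROR_STRING_CONV_FAILED) case is recognised automatically; second, walking a user's direct and nested group memberships and the groups' OU paths to flag the names that contain non-ASCII characters (or spaces, which one customer reported). The debug log and the membership map are constructed samples modelled on the lines quoted in the article; in a real environment you would export the membership data from AD (for example with PowerShell's Get-ADPrincipalGroupMembership) and feed it in.

```python
import re

# Constructed sample of LSA debug output, modelled on the lines quoted above.
SAMPLE_DEBUG_LOG = """\
Failed to find memberships for user 'ROSS2003\\téstíng' (error = 40067)
Error code: 40067 (symbol: LW_ERROR_STRING_CONV_FAILED)
Failed to group memberships of SID=S-1-5-21-3248416004-2975801735-1193386114-2158. [error code:40067]
Error code: 40067 (symbol: LW_ERROR_STRING_CONV_FAILED)
Cache entry for user's group membership for sid S-1-5-21-3248416004-2975801735-1193386114-2158 is incomplete
"""

LW_ERROR_STRING_CONV_FAILED = 40067  # error code shown in the article's debug output

USER_RE = re.compile(r"memberships for user '([^']+)' \(error = (\d+)\)")
SID_RE = re.compile(r"(?i)\bsid[= ](S-\d+(?:-\d+)+)")
SYMBOL_RE = re.compile(r"symbol: (LW_ERROR_\w+)")


def parse_lsa_debug(text):
    """Extract failing users, error symbols and SIDs from LSA debug log text."""
    users = [(user, int(code)) for user, code in USER_RE.findall(text)]
    sids = sorted(set(SID_RE.findall(text)))
    symbols = sorted(set(SYMBOL_RE.findall(text)))
    return {
        "users": users,
        "sids": sids,
        "symbols": symbols,
        # True when at least one membership lookup failed with the string-conversion error
        "string_conv_failed": any(code == LW_ERROR_STRING_CONV_FAILED for _, code in users),
    }


def non_ascii_chars(name):
    """Return the distinct non-ASCII characters in a name, sorted (e.g. ['é', 'í'])."""
    return sorted({c for c in name if ord(c) > 0x7F})


def nested_groups(direct_groups, member_of):
    """Walk 'member of' relationships so nested parent groups are included (depth-first)."""
    seen, stack = [], list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.append(group)
        stack.extend(member_of.get(group, []))
    return seen


def find_offending_groups(direct_groups, member_of, group_dn):
    """Map each group in the user's (nested) membership to the reasons it may break IWA Direct."""
    findings = {}
    for group in nested_groups(direct_groups, member_of):
        reasons = []
        bad_name = non_ascii_chars(group)
        if bad_name:
            reasons.append("group name contains " + ", ".join(bad_name))
        # The OU path (distinguished name) can carry the offending characters even if the name is clean.
        bad_dn = [c for c in non_ascii_chars(group_dn.get(group, "")) if c not in bad_name]
        if bad_dn:
            reasons.append("OU path contains " + ", ".join(bad_dn))
        if " " in group:
            reasons.append("group name contains a space (reported by one customer)")
        if reasons:
            findings[group] = reasons
    return findings


# Constructed membership data (hypothetical domain ross2003.local, not from the article).
SAMPLE_USER_GROUPS = ["Proxy Admins", "Staff"]          # the user's direct memberships
SAMPLE_MEMBER_OF = {"Staff": ["Téstíng"], "Téstíng": ["All-Users"]}  # nested 'member of' links
SAMPLE_GROUP_DN = {
    "Proxy Admins": "CN=Proxy Admins,OU=Admins,DC=ross2003,DC=local",
    "Staff": "CN=Staff,OU=Users,DC=ross2003,DC=local",
    "Téstíng": "CN=Téstíng,OU=Users,DC=ross2003,DC=local",
    "All-Users": "CN=All-Users,OU=Sales £,DC=ross2003,DC=local",
}

if __name__ == "__main__":
    parsed = parse_lsa_debug(SAMPLE_DEBUG_LOG)
    print("Failing users:", parsed["users"])
    print("SIDs:", parsed["sids"], "symbols:", parsed["symbols"])
    for group, reasons in find_offending_groups(SAMPLE_USER_GROUPS, SAMPLE_MEMBER_OF, SAMPLE_GROUP_DN).items():
        print(f"{group}: {'; '.join(reasons)}")
```

On the sample data the walk reaches "Téstíng" only through the nested "Staff" membership and "All-Users" only through its OU path, which is exactly the situation the paragraph above warns about: the group named in the debug log is not necessarily the one carrying the international characters.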

To resolve the issue:

1) Remove the user from the group.

or

2) Rename the group, removing any international characters.

This issue was raised internally as bug 172476.

The issue has been resolved in SGOS 6.3.2.2, whose release notes include the following entry:

Fixed the issue where IWA Authentication might fail if a username or group contained international characters. (B#172476, SR 2-432052802 2-433816302 2-434486340)
