OC authentication failure - "nimexception: code: 12" and "nimexception: code == E_LOGIN, returning null"

Article ID: 212274

Products

DX Infrastructure Management

Issue/Introduction

Hi,

 

Some Active Directory users can't log in to Operator Console, although the login works fine for other users from the same AD group. This is the error message in wasp loglevel 5 that we can see for the non-working users; the example below is for username John Kolancy (name changed to respect privacy):

 

May 18 14:00:21:631 DEBUG [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] Login from request usr e-john.kolancy
May 18 14:00:21:631 DEBUG [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] Login from request accountOverride null
May 18 14:00:21:631 DEBUG [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] Login from request accountOverride from request null
May 18 14:00:21:631 DEBUG [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] Check account override null
May 18 14:00:21:636 DEBUG [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'e-john.kolancy' trying to log in.
May 18 14:00:21:638 DEBUG [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query dRNhSELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
May 18 14:00:21:639 DEBUG [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query dRNh took: 0.001s
May 18 14:00:21:639 DEBUG [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: e-john.kolancy
May 18 14:00:21:639 INFO  [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNimbusUser: user: e-john.kolancy
May 18 14:00:21:657 INFO  [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code: 12, msg: login failed
May 18 14:00:21:657 INFO  [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] nimexception: code == E_LOGIN, returning null
May 18 14:00:21:657 ERROR [http-nio-80-exec-2, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] login() User 'e-john.kolancy' login failed
May 18 14:00:21:658 ERROR [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] Login failed for e-john.kolancy: javax.security.auth.login.FailedLoginException: login failed
May 18 14:00:21:658 DEBUG [http-nio-80-exec-2, com.firehunter.ump.auth.OCAuth] User: e-john.kolancy, NimBUS login milliseconds: 23
May 18 14:00:29:337 DEBUG [Catalina-utility-3, com.nimsoft.nimbus.probe.service.wasp.WaspLifecycleListener] Memory Status: Max Limit: 8039MB, Allocated: 8039MB, Free: 6554MB, Used: 1485MB
May 18 14:00:31:899 DBLOW [dashboard-akka.actor.default-dispatcher-121, com.nimsoft.events.client.EmsClientAlarmService] Alarm filter: {"filters":null,"origins":null,"lastUpdateTime":0,"includeClosed":false,"includeHidden":true,"returnRemovedAlarms":false}
May 18 14:00:31:899 DBLOW [dashboard-akka.actor.default-dispatcher-121, com.nimsoft.events.client.EmsClientNasAlarmDao] SQL used to query alarm data
May 18 14:00:31:899 DBLOW [dashboard-akka.actor.default-dispatcher-121, com.nimsoft.events.client.EmsClientNasAlarmDao] select a.*, d.cs_id, m.ci_metric_type, m.ci_id 

 

What do "nimexception: code: 12" and "nimexception: code == E_LOGIN, returning null" exactly represent/mean, please? And how can we fix this issue? The users were rechecked; they are part of the same AD group as the working accounts. If it was an AD-UIM integration/configuration issue, none of the users could log in.

Cause

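The DX Infrastructure Management product does not have true Unicode support. All characters are translated into ANSI using the codepage configured for the hub's LDAP server (the codepage key under the /LDAP/server section of the hub configuration).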

 

Accepted values are:

================

  • 28591* (Windows default)
  • Valid codepage number (Windows)
  • ISO-8859-1* (Linux default)
  • Text string that is passed to the iconv_open function (Linux)

* ISO 8859-1 Latin 1; Western European (ISO)

Environment

Release : 20.3

Component : UIM - HUB

Resolution

The errors "nimexception: code: 12" and "nimexception: code == E_LOGIN, returning null" are easier to interpret with the help of the hub logs.

 

We set the hub probe to loglevel 3 and logsize 50000, then replicated the issue.

 

In hub.log, we observed that for the affected users, the CN (Common Name) contains an unrecognized character (replaced with ?) in either the first name or the last name.

 

For example, when user John Koláčný (name changed to respect privacy) tries to log in, the login fails with the below error in hub.log:

May 13 14:30:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=Kolá?ný John (e-john.kolacny),OU=Externalsite,OU=MPSP,DC=AD,DC=MPSP,DC=CZ, filter:=(objectclass=*)): No Such Object

 

Likewise, when user Steven Matějek (name changed to respect privacy) tries to log in, the login fails with the below error in hub.log:

May 13 14:30:28:236 [14192] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=CN=Mat?jek Steven (e-steven.matejek),OU=Externalsite,OU=MPSP,DC=AD,DC=MPSP,DC=CZ, filter:=(objectclass=*)): No Such Object

 

Solution:

=======

We found that the local keyboard layout for the users is Czech. From the link below, we identified the code page identifier as 28592, because Czech falls under Central Europe.

 

Code Page Identifiers - Win32 apps | Microsoft Docs

 

We performed the following steps on the UIM Primary Hub Server to resolve the issue:

 

Note: These steps require a restart of the Primary Hub operating system.


Step 1:

Set the ANSI code page on the UIM Primary Hub Server to Czech by performing the following steps:

- Open Windows Control Panel
- Select Region (and Language)
- Click on the "Administrative" tab
- Under Language for non-Unicode programs section, click "Change System Locale" button
- Select the locale
- Click OK

 

 

Restart the operating system if prompted.

 

 

Step 2:

Open the hub probe on the UIM Primary Hub in Raw Configure mode and, under the /LDAP/server section, add:

key: codepage
value: 28592

 

 

After making the above changes, the users were able to log in to Operator Console successfully from their local computers.

 

Note: Step 2 may not be required. If Step 1 alone does not resolve the issue, complete Step 2 as well.
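
The character loss seen in hub.log can be reproduced offline to check which accounts a given codepage would break. The following Python sketch is an added example, not Broadcom's code: it assumes the hub's conversion behaves like a single-byte encode that substitutes "?" for unmappable characters (as the log excerpts show), and the function names and sample DNs are constructed from the article's renamed users.

```python
import re

# Windows code page identifier -> Python codec (the two values named in the article).
CODEPAGES = {28591: "iso8859_1", 28592: "iso8859_2"}

# hub.log line shape, taken from the article's excerpts.
LDAP_ERR = re.compile(
    r"\(nim_ldap_query\) ldap_search_ext_s\(base:=(?P<base>.*?), filter:=.*\): (?P<err>.+)$")

def as_single_byte(dn, codepage):
    """Assumed model of the lossy Unicode -> ANSI step: unmappable characters become '?'."""
    codec = CODEPAGES[codepage]
    return dn.encode(codec, errors="replace").decode(codec)

def lost_characters(dn, codepage):
    """Characters of the DN that the code page cannot represent."""
    return sorted({a for a, b in zip(dn, as_single_byte(dn, codepage)) if a != b})

def codepages_that_fit(dns):
    """Code pages under which every DN survives the conversion unchanged."""
    return [cp for cp in CODEPAGES if all(as_single_byte(d, cp) == d for d in dns)]

def mangled_lookups(log_lines):
    """Base DNs of LDAP searches that failed with 'No Such Object' and contain '?'."""
    hits = []
    for line in log_lines:
        m = LDAP_ERR.search(line)
        if m and m["err"].strip() == "No Such Object" and "?" in m["base"]:
            hits.append(m["base"])
    return hits

# Constructed sample: directory DNs rebuilt from the article's renamed users,
# and the two hub.log lines the article quotes.
SUFFIX = ",OU=Externalsite,OU=MPSP,DC=AD,DC=MPSP,DC=CZ"
LOG_FMT = ("May 13 14:30:28:236 [14192] 0 hub: (nim_ldap_query) "
           "ldap_search_ext_s(base:=%s, filter:=(objectclass=*)): No Such Object")
DIRECTORY_DNS = ["CN=Koláčný John (e-john.kolacny)" + SUFFIX,
                 "CN=Matějek Steven (e-steven.matejek)" + SUFFIX]
HUB_LOG = [LOG_FMT % ("CN=Kolá?ný John (e-john.kolacny)" + SUFFIX),
           LOG_FMT % ("CN=Mat?jek Steven (e-steven.matejek)" + SUFFIX)]

if __name__ == "__main__":
    for dn in DIRECTORY_DNS:
        print(dn, "-> lost under 28591:", lost_characters(dn, 28591))
    print("failed lookups with '?':", mangled_lookups(HUB_LOG))
    print("code pages that fit all DNs:", codepages_that_fit(DIRECTORY_DNS))
```

A DN that legitimately contains "?" would also be reported by mangled_lookups, so confirm each hit against the directory entry.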

 

Additional Information

For further reading:

Enable Login with LDAP (broadcom.com)