TKGI environment credentials rejected with error: "Error: Credentials were rejected, please try again"

Article ID: 429188

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

  • Credentials are rejected when you try to authenticate to a PKS/TKGI environment.
  • The failure affects LDAP users whose access to TKGI UAA is granted through a UAA group mapping.
  • The LDAP group was mapped in TKGI UAA by following the Grant Tanzu Kubernetes Grid Integrated Edition Access to an External LDAP Group documentation.
  • The uaa.log in TKGI might report errors like:

    DEBUG --- BindAuthenticator: Failed to bind with any user DNs []

Environment

TKGI environments; this may occur on any version.

Cause

This message is logged when UAA's LDAP bind authenticator cannot bind to the LDAP (Active Directory) server as the user with any resolved user DN; the empty list "[]" in the message shows that no candidate DN was found for the user. In this instance the cause was that the group had been mapped to TKGI UAA using only the group name rather than the group's full distinguished name (DN). When mapping an LDAP group to UAA, the full DN of the group, including its OU and DC components, must be used. For example, for a group named "tkgigroup" located under the OU path "admingroups.security.domain.com":

Incorrect: tkgigroup

Correct: cn=tkgigroup,ou=admingroups,ou=security,dc=domain,dc=com

Another potential cause of this failure is that the TKGI Tile > Settings > UAA section > Group Max Search Depth value is not large enough for the LDAP depth of the group in use. In the example above, the group tkgigroup.admingroups.security.domain.com sits two OU levels deep (ou=admingroups beneath ou=security), so Group Max Search Depth must be at least 2 for the user to be bound.

Resolution

  1. Use the group's full DN when mapping the group in TKGI UAA:

    uaac group map --name pks.clusters.admin.read cn=tkgigroup,ou=admingroups,ou=security,dc=domain,dc=com --origin ldap


    See Integrate UAA with an LDAP Server and Grant Tanzu Kubernetes Grid Integrated Edition Access to an External LDAP Group in the TKGI documentation for the full procedure.

  2. If the group is correctly mapped in TKGI UAA, check that the TKGI Tile > Settings > UAA section > Group Max Search Depth value is large enough to cover the depth of the group in LDAP. Examples:

    tkgigroup.admingroups.security.domain.com (cn=tkgigroup,ou=admingroups,ou=security,dc=domain,dc=com) = requires a depth of at least 2
    tkgigroup.new.admingroups.security.domain.com (cn=tkgigroup,ou=new,ou=admingroups,ou=security,dc=domain,dc=com) = requires a depth of at least 3

NOTE: When adding an LDAP group to TKGI UAA, the group must also be added to the External Groups Whitelist in the TKGI Tile.
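As an added pre-flight check (example code written for this article, not part of TKGI or uaac), the POSIX shell functions below take a candidate group value and the Group Max Search Depth configured on the tile, reject a bare group name, count the group's OU depth the way this article counts it, and print the uaac group map command for the TKGI scope. The scope pks.clusters.admin.read and the sample DNs come from the examples above; the function names and the depth rule they encode are this article's, and the functions themselves are hypothetical helpers.

```shell
#!/bin/sh
# Added example for this article (not part of TKGI or uaac): pre-flight checks
# for an LDAP group value before it is mapped into TKGI UAA. All function
# names below are hypothetical.

# is_full_dn VALUE
# Succeeds if VALUE looks like a full LDAP distinguished name, i.e. it starts
# with a cn= RDN and contains at least one dc= component after a comma.
# A bare group name such as "tkgigroup" fails this check.
is_full_dn() {
  case "$1" in
    [cC][nN]=*,*[dD][cC]=*) return 0 ;;
    *) return 1 ;;
  esac
}

# ou_depth DN
# Prints the number of ou= components in DN. This is the depth the article
# compares against the tile's Group Max Search Depth setting.
ou_depth() {
  printf '%s\n' "$1" | awk -F',' '{
    n = 0
    for (i = 1; i <= NF; i++) {
      c = $i
      sub(/^[ \t]+/, "", c)          # tolerate "cn=x, ou=y" spacing
      if (tolower(c) ~ /^ou=/) n++
    }
    print n
  }'
}

# depth_ok CONFIGURED_DEPTH DN
# Succeeds if CONFIGURED_DEPTH (the tile's Group Max Search Depth) is at
# least the OU depth of DN, per the rule given in the Cause section.
depth_ok() {
  [ "$1" -ge "$(ou_depth "$2")" ]
}

# map_cmd SCOPE DN
# Prints the uaac command that maps DN onto the UAA scope SCOPE with origin
# ldap, or prints an error and fails if DN is only a bare group name.
map_cmd() {
  _scope=$1
  _dn=$2
  if ! is_full_dn "$_dn"; then
    echo "error: '$_dn' is not a full DN; expected e.g. cn=<group>,ou=<ou>,dc=<domain>,dc=<tld>" >&2
    return 1
  fi
  printf 'uaac group map --name %s %s --origin ldap\n' "$_scope" "$_dn"
}

# Stand-alone run: check the two DNs used in this article against a tile
# configured with Group Max Search Depth = 2, then emit the mapping command.
for dn in 'cn=tkgigroup,ou=admingroups,ou=security,dc=domain,dc=com' \
          'cn=tkgigroup,ou=new,ou=admingroups,ou=security,dc=domain,dc=com'; do
  printf '%s -> OU depth %s' "$dn" "$(ou_depth "$dn")"
  if depth_ok 2 "$dn"; then
    echo ' (ok with Group Max Search Depth 2)'
  else
    echo ' (needs a larger Group Max Search Depth)'
  fi
done
map_cmd pks.clusters.admin.read 'cn=tkgigroup,ou=admingroups,ou=security,dc=domain,dc=com'
map_cmd pks.clusters.admin.read tkgigroup || true   # demonstrates the bare-name rejection
```

After running the printed command against the TKGI UAA, `uaac group mappings` lists the current external group mappings, so the DN that was actually stored can be compared with the one intended.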

Additional Information

Note that a separate KB article covers the same error message with a different resolution; if the failure persists after the steps above, refer to that KB.