This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Issue with AD authentication

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-01-06 01:38 AM

I’m facing a strange issue in which I have added AD group of my team and mapped “Analyst” role for the group in external group mapping. However not all members of the group are unable to login to SA. I have tried using 10 different users out of 6 were able to login.

 

Any suggestions to resolve this issue?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2015-01-22 12:26 PM

Hello,

 

I am the Product Manager for Security Analytics.  What would be very helpful here is some additional context on your configuration.  You mention that some users of the group can login, but some can't.

 

  • Are you using PAM or the built-in AD functionality?
  • What is different about the two users? 
  • Are the group members of different domains?  SA's built-in AD capability only supports group members who are in the same domain as the group.
  • Is the user that can't login a member of the mapped group via another group?
  • Do the users who cannot login have any special characters in their username?
  • Can you confirm whether your AD instance is using UserPrincipleName (UPN) or sAMAccountName for the username? In 10.4.0.2 and older, the built-in AD functionality uses only the UPN field to match on user ID, so if the UPN field in your AD users isn't implemented consistently across all accounts, that could possibly explain it.  In a near-future release, you will be able to choose between these two fields for username mapping.


The answers to all these questions could help determine whether this is a misconfiguration, a bug, or an unsupported configuration.


For all those having issues setting up AD, opening a case with Customer Support will help us to track your problems internally and help to improve the experience in a future release.


Thank you!

View solution in original post

0 Likes
18 REPLIES 18

Go to solution
Anonymous
Not applicable

‎2015-01-07 01:33 AM

Hello,

 

First check that the users which are not able to get the access on RSA SA, are they really able to get the access with their domains ID's on any of windows network system.

 

Regards,

Deepanshu Sood.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-01-07 07:00 AM

What version of SA are you running?

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-01-07 07:07 AM

Hi all,

 

We are using version 10.4.0.2.

 

Another strange thing i noticed today is those users who are not able to login if they try wrong password then it do show "Bad Credentials". But with correct password, it keeps showing the login page

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2015-01-07 08:17 AM

I do not have an answer for you, but I have also experienced this issue with 2 out of the 8 AD groups we have.  Hopefully someone has an answer. 

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-01-07 09:20 AM

We've never had complete success with the AD authentication integration, that's going back to 10.0.2.  Last serious attempt we made was in 10.3.2.  I hope to hear you find some resolution. 

 

Even after the AD auth, the larger problem we had was around how to limit which meta keys a particular user/group can access, you have to assign user/group permissions per meta field.  If I recall correctly... its been a while since looking into this heavily.  We just restrict access to SA to only certain authorized personnel.

0 Likes

Go to solution
Anonymous
Not applicable

‎2015-01-12 09:15 AM

Is the group name in AD has space or any special character  ? What method of integration you are using for instance are you using LDAP or PAM?

Also please run "tailf /var/lib/netwitness/uax/logs/sa.log " in SA command line and then try to login to see if it shows any error message .

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2015-01-15 03:30 PM

So I also have this same issue, only with some AD users.  We have just implemented new AD groups for SA so I was hoping the users that were having issues would have it fixed but that was not the case. 

 

Some additional info for RSA.  I turned on addtional logging to the com.rsa.netwitness.carlos.security to see additional activity.

 

 

When the user logs in we get this.

 

2015-01-15T15:21:06.929

DEBUG

Processing authentication request for user: xxxxxxx

 

But when the user uses the wrong password we get

 

Authentication for xxxxx@xxxxxxxxx failed:javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

 

 

 

Again when they use the correct password we see no additional logging and they just return to the log in screen.

0 Likes

Go to solution
AdamRasnick
Beginner
Beginner

‎2015-01-21 11:55 AM

I have seen similar errors.  However, even when I can get all the users to authenticate correctly, the roles mapped to the imported AD groups never seem to work. 

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-01-21 04:50 PM

Having the same issues with a new SA install. The only users that are able to login are ones that logged in before the Active Directory SSL option was enabled. With the SSL option now enabled any new users just get redirected to the login page with no error, original users can still log in.

 

Edit: This is the Active Directory option under Administration -> System -> Security -> Settings, External Authentication set to Active Directory and only with the SSL option set to yes. There are no spaces in the mapped group names.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.