SecureAuth IdP Version affected: All
Description: The SecureAuth IdP may intermittently return a "Bad user" error when a user tries to authenticate against any realm. Active Directory data store connections fail when the connection string uses an FQDN; if the connection string uses an IP address instead, the test connections succeed.
Cause: If the customer has multiple domain controllers in the environment and one or more of them lacks proper DNS records, Kerberos tickets may fail validation when the service account is issued a ticket by a DC that has no DNS record. This can be confirmed by running a Wireshark trace from the appliance: KRB_ERROR_5 entries appear when the appliance tries to connect to a DC with the service account in question.
Resolution: Verify that ALL domain controllers in the domain are known and have the accompanying DNS records (SRV, A, ms, etc.) published on the DNS server. Reboot the IdP appliance so that the service account requests and receives a new Kerberos ticket. Test the data store connections using FQDN connection strings and confirm that they connect successfully.
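The first resolution step can be scripted. The following PowerShell check is an added example, not SecureAuth tooling: it enumerates domain controllers from AD itself (so a DC missing its DNS records still appears) and then confirms that each one has an A record and is a target of the Kerberos/LDAP SRV records. It assumes an RSAT-equipped Windows host with the ActiveDirectory and DnsClient modules; the domain name and DNS server address are placeholders.

```powershell
# Added example: verify that every DC has the DNS records a Kerberos client needs.
# Assumes RSAT (ActiveDirectory + DnsClient modules). Values below are placeholders.
Import-Module ActiveDirectory
Import-Module DnsClient

$domain    = 'corp.example.com'   # placeholder: your AD DNS domain name
$dnsServer = '10.0.0.10'          # placeholder: the DNS server the IdP appliance uses

# Enumerate DCs from AD, not from DNS, so an unregistered DC is not silently skipped.
$dcs = Get-ADDomainController -Filter * -Server $domain

# Collect the hosts advertised as KDCs / DC LDAP servers for the domain.
$srvNames = @("_kerberos._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain")
$srvTargets = foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -Server $dnsServer -ErrorAction SilentlyContinue
    $records | Where-Object { $_.QueryType -eq 'SRV' } | ForEach-Object { $_.NameTarget }
}
$srvTargets = $srvTargets | Sort-Object -Unique

foreach ($dc in $dcs) {
    $fqdn = $dc.HostName

    # A record: the appliance must resolve the FQDN it is handed in the SRV answer.
    $aRecords = Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -ErrorAction SilentlyContinue
    $hasA = [bool]($aRecords | Where-Object { $_.QueryType -eq 'A' })

    # SRV membership: a DC absent here can still issue tickets but cannot be located by name.
    $inSrv = $srvTargets -contains $fqdn

    $status = if ($hasA -and $inSrv) { 'OK' } else { 'MISSING DNS RECORDS' }

    [pscustomobject]@{
        DomainController = $fqdn
        IPv4Address      = $dc.IPv4Address
        HasARecord       = $hasA
        InKerberosSRV    = $inSrv
        Status           = $status
    }
}
```

Any DC reported as MISSING DNS RECORDS is a candidate source of the KRB errors described above; fix its registration (or let it re-register via netlogon) before rebooting the appliance and re-testing the FQDN connection strings.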
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.