some users from same OU of Microsoft Active Directory are able to login and some are not.
Hi Team,
Background:
I am using CLM 6.0.2 with WAS+LDAP. I have made changes in AD and formed two groups:
1. OU= OU_EHS
2. OU=OU_ESS
and divided my users into the respective groups.
Problem:
When I try to log in as a user from EHS and ESS, some users are able to log in and some others are not.
I configured WAS according to new LDAP setting.
Can anyone suggest anything on this?
Best Regards.
Krunal.
Accepted answer
Hi Krunal,
Updating for the benefit of others. (Based on investigation through a Support PMR.)
JTS Log Error for Users where Login Failed:
----------
000000fc LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.auth.AuthenticationFailedException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 531, v2580 ]
000000fc LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.auth.AuthenticationFailedException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 531, v2580 ]
----------
Following this Technote we see that the error is "User is not permitted to logon at this workstation".
So we compared the users in AD (LDAP Server) that worked against the user that did not work. Using ADSI Edit we could see Users that did not work had a value set for attribute "userWorkstation" and through this the login would be permitted only from 1 workstation.
Clearing this attribute "userWorkstation" for the users whose login failed helped resolve this issue.
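As an added example (not from this thread or from IBM), a small Python helper that pulls the AD sub-error code out of SECJ0369E log lines like the ones above and flags accounts whose workstation restriction is populated. The log lines and the user export are constructed; the attribute's LDAP display name in AD is userWorkstations (written above without the trailing "s").

```python
import re

# AD sub-error codes reported as "data NNN" in an LDAP error 49 (invalidCredentials) diagnostic.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time (logonHours)",
    "531": "not permitted to logon at this workstation (userWorkstations)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches "...LDAP: error code 49 - 80090308: ... AcceptSecurityContext error, data 531, v2580"
_SUBCODE_RE = re.compile(
    r"LDAP: error code 49 - 80090308:.*?AcceptSecurityContext error, data ([0-9a-f]+)", re.I)

def classify_bind_failure(log_line):
    """Return (subcode, description) for an AD bind failure line, or None if it is not one."""
    m = _SUBCODE_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown AD sub-error")

def workstation_restricted(entries):
    """Given {sAMAccountName: {attribute: value}} from a directory export, return the
    accounts whose userWorkstations attribute is set, i.e. logon allowed only from listed hosts."""
    return sorted(user for user, attrs in entries.items() if attrs.get("userWorkstations"))

# Constructed sample log lines modelled on the SECJ0369E entries quoted in the answer.
SAMPLE_LOG = [
    "000000fc LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.auth.AuthenticationFailedException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 531, v2580 ]",
    "000000fd LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.auth.AuthenticationFailedException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580 ]",
    "000000fe WebContainer I SRVE0250I: Web Module Jazz Team Server has been bound to default_host.",
]

# Constructed directory export: one account with a workstation restriction, one without.
SAMPLE_USERS = {
    "alice": {"userWorkstations": "WS-EHS-01"},
    "bob": {},
}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_bind_failure(line))
    print(workstation_restricted(SAMPLE_USERS))
```

Run it against a copy of the JTS log and an ADSI Edit or ldifde export to see which failures are "data 531" and which of those accounts carry the restriction.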
Comments
Thank you so much for your support!
Just to add that some organizations use this particular attribute to have tight control on where a user can log on, but it sure has some undesirable effects. It is more problematic when Linux machines are involved. For example, if the CLM server is running on a Linux machine, it would appear to the AD server that the authentication comes from the Linux machine, or that the user tries to log on to the Linux machine, and the AD server would reject the authentication. We haven't found a way to put the Linux machine in the approved list yet.
One other answer
Hi Donald,
Sorry, I failed to convey my problem to you.
I will describe my problem in detail:
Background:
I am using CLM 6.0.2 with WAS+LDAP. I have made changes in Active Directory and formed two groups:
1. OU= OU_EHS
2. OU=OU_ESS
and I divided my users into the respective groups.
Initially all users were under one group only, i.e. in my Base DN.
My default groups are as they were, i.e. JazzUsers, JazzAdmin, JazzGuest, etc.
Problem:
I configured WAS according to the new LDAP setting, but
when I try to log in to CLM/RQM/DNG as a user from OU_EHS and OU_ESS, some users are able to log in and some others are not.
I do not understand why this is happening.
Comments
Donald Nong
Feb 12 '17, 6:17 p.m.
It seems that what you are trying to say is, I haven't done anything wrong, why does it not work? I haven't encountered any documents stating multi-group configuration in the CLM/WAS/LDAP integration. What exactly have you done? What document have you followed?