commvault.com commvault.com
Solved

AD account login issue to Commserve Console

Z
Rank
Userlevel 1
Badge +6

Hi,

 

We are currently running 11.24.48. After the upgrade from 11.24.29 to 11.24.34, I was unable to log in to the Commcell Console using my AD admin account.

Web Console works fine, and I can log in there without any problems.

For the time being, the only way to log in to Commcell Console is using a local admin account. Is there a parameter or a setting that prevents us using our AD credentials since 11.24.34? Upgrading to 11.24.48 hasn’t solved this issue.

Thank you,

Zoltan

icon

Best answer by Zoltan 6 June 2022, 08:44

View original

21 replies

D
Rank
Userlevel 1
Badge +5

@Zoltan check the account you used when setting up the integration with your AD

Z
Rank
Userlevel 1
Badge +6

@Dmitriy  The web-based Console continued to work after Commcell Console stopped accepting our AD credentials.

Could you point me to the documentation if there are separate settings for Commcell Console and Admin Console?

Onno van den Berg
Rank
Userlevel 7
Badge +19

@Zoltan just out of curiosity but have you tried changing your password? does it contain strange characters? reason I ask is that 11.24.41 contains a fix especially targeting this so it might be that you found another issue….

Z
Rank
Userlevel 1
Badge +6

@Onno van den Berg we must change our passwords periodically. If I remember correctly, I was denied the login using my AD credentials after patching Commvault and not after I changed my password. I did have to change it since the problem first occurred and am still unable to log in. In the meantime, Web Console continues working fine.

D
Rank
Userlevel 1
Badge +5

@Zoltan try to check this post 

https://kb.commvault.com/article/55322

 

Onno van den Berg
Rank
Userlevel 7
Badge +19

Please re-read my question….. you ran into the issue after updating to a newer MR. So it might be that your current password contains a character that causes the issue, hence my suggestion to change your password now to see if that resolves the issue for the CommCell console. Or did you already changed it afterwards and took into account to alter characters. special  If that is indeed the case then you ran into a possible bug and I would topen a TR. 

S
Rank
Userlevel 6
Badge +14

@Zoltan ,

What error/warning do you get please, can you check EvMgrS.log?

I would recommend you log a case with Commvault so we can resolve this issue asap.

Best Regards,

Sebastien

T
Badge +2

I will also suggest you restart your Tomcat services on commserve and try again.

 

or better still, raise support ticket to resolve it

Z
Rank
Userlevel 1
Badge +6

@Sebastien Merluzzi these are the corresponding logs.

The ones at 12:30 are related to an attempt through Commcell Console (I changed the IP, hostname and DOMAIN/user). The one at 12:31 are for logging in with the same user through Web Console:

14536 6844  06/01 12:27:58 ### TPool [IOCPServerPool]. Ser# [1] Tot [8], Pend [8], Comp [0], Max Par [0], Avg Work Time [0.00 s], Avg Wait Time [0.00 s]

14536 64c0  06/01 12:29:38 ### authenticateThread() - Challenge client[10.10.10.10] on socket[0x0000000000002CD0]

14536 7288  06/01 12:29:42 ### CVSimpleDB::SQLINFO() - INFO: [Operation invalid at this time] [RecNum:1, Spid:138]

14536 7288  06/01 12:29:42 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of  User [admin], id[1] failed with error [0]

14536 41fc  06/01 12:30:01 ### IsTFADisabledForUser() - TFA is disabled for user with id=[4]

14536 41fc  06/01 12:30:02 ### cvldap() - CvLdap::simpleBind(3245): -Debug-: ldap bind error. [49]

14536 41fc  06/01 12:30:04 ### cvldap() - CvLdap::simpleBind(3245): -Debug-: ldap bind error. [49]

14536 41fc  06/01 12:30:04 ### EvSecurityMgr::userLogin() - processAdUser returned [-5], "Invalid username/password. Please use valid credentials to log in."

14536 41fc  06/01 12:30:04 ### EvSecurityMgr::userLogin() - Socket [0x0000000000002CD0]: LOGIN ERROR: Invalid login/password attempt with UserName [DOMAIN\user] from [commserve], Attempt [1/3]

14536 41fc  06/01 12:30:04 ### ::sendResponse() - FAILED [Invalid username/password. Please use valid credentials to log in.]

14536 41fc  06/01 12:30:04 ### handleLoginOperations() -  Encrypted Login Failed.Browser Session Id [29]

14536 1f74  06/01 12:30:04 ### handleLoginOperations() - Socket [0x0000000000002CD0] is not found in the socketRegMap. Rejecting MSG_GET_COMM_CELLS

14536 7a50  06/01 12:30:16 ### EvAppPlan::ProcessDeletionPendingPlan() - Abandoned plan items deletion status: no abandoned entities found.

14536 6bac  06/01 12:31:58 ### authenticateThread() - Challenge client[127.0.0.1] on socket[0x000000000000371C]

14536 5adc  06/01 12:31:58 ### authenticateThread() - Challenge client[127.0.0.1] on socket[0x00000000000031C8]

14536 1f74  06/01 12:31:58 ### EvSecurityMgr::userLogin() - Detected a reinitiated or force login request from system for user:[4]. Proceeding further.

14536 1f74  06/01 12:31:58 ### onMsgEncryptedLogin() - Socket [0x000000000000371C]: Login Successful [4-DOMAIN\user]  has unrestricted visibility  Setting locale to US English by default. CVLocaleId=[0]  Updating Browser Session [30] with locale [0]  Successful login for [CLI Connection:Command Line Interface@gva-ccs-01] on port [8401]

14536 6414  06/01 12:31:59 ### EvSecurityMgr::userLogin() - Detected a reinitiated or force login request from system for user:[4]. Proceeding further.

14536 6414  06/01 12:31:59 ### onMsgEncryptedLogin() - Socket [0x00000000000031C8]: Login Successful [4-DOMAIN\user]  has unrestricted visibility  Setting locale to US English by default. CVLocaleId=[0]  Updating Browser Session [31] with locale [0]  Successful login for [CLI Connection:Command Line Interface@gva-ccs-01] on port [8401]

14536 3c1c  06/01 12:32:16 ### EvAsyncXMLRequest::AsyncXMLProcessingThread() - Clean up will be performed, Last Cleanup Time [1652365939] Current Time [1654079536].

14536 742c  06/01 12:32:40 ### LibConfigAppPlanDeferredAssociation::CleanupDeferredEntities() - No. of entities deleted= [0]. cleanupModeOn[1]

14536 742c  06/01 12:32:40 ### LibConfigAppPlanDeferredAssociation::ProcessDeferredEntities() - No. of entities processed= [0]. ignoreDeferredEntityFlag[1]

14536 7d28  06/01 12:32:57 ### pruneAuditSessions() - Commencing pruning of UMSessionAudit table stale entries

14536 7d28  06/01 12:32:57 ### CVSimpleDB::SQLINFO() - INFO: [deleting user sessions on an individual basis] [RecNum:1, LineNum:26, Spid:69]

14536 7d28  06/01 12:32:57 ### CVSimpleDB::SQLINFO() - INFO: [deleting bulk user sessions] [RecNum:2, LineNum:36, Spid:69]

14536 6844  06/01 12:32:58 ### TPool [EvMgrsSpooler]. Ser# [0] Tot [18], Pend [0], Comp [18], Max Par [1], Avg Work Time [69.15 us], Avg Wait Time [29.63 us]

Z
Rank
Userlevel 1
Badge +6

@Onno van den Berg  no such errors in the logs (see them above) and Web Console works well. No wildly special characters in my password either. I did already change the password since the login error occured.

Z
Rank
Userlevel 1
Badge +6

The Web Console adds “4-” to the domain name, even though I don’t type that in at the login prompt. Could that be causing the issue?

S
Rank
Userlevel 6
Badge +14

@Zoltan ,

There a few things you can check:

  • First increase Debug Level to 10 on EvMgrS:
  • Second check Windows System Events on DC and Commserve. 
  • Third, use ldap.exe on Commserve and check you can connect to AD using the same Domain User and 
S
Rank
Userlevel 6
Badge +14

You actually see the error “ldap bind error”, so no need to increase debug level

Please follow steps 2 and 3 and speak to the Domain Administrator if needed.

Z
Rank
Userlevel 1
Badge +6

@Sebastien Merluzzi Unfortunately, I didn’t find ldap.exe in the CommServe to verify step 3. Will check with the AD Team and let you know.

S
Rank
Userlevel 6
Badge +14

It’s a MSFT Tool. Can you check with the AD Admin.

Onno van den Berg
Rank
Userlevel 7
Badge +19

@Zoltan have you opened a TR already, because I think they already have a patch for it! I noticed an update for FR26 that was release containing the following description:

After Microsoft Windows Updates 2022, login of AD users may fail in Commcell console.

 3460

 

Z
Rank
Userlevel 1
Badge +6

Not yet, will open one now.

S
Rank
Userlevel 6
Badge +14

@Zoltan I spoke to the engineer and told him about the Diag 3460.

Z
Rank
Userlevel 1
Badge +6

Dear All,

 

Thank you for your time and effort. There is an update bundle available for 11.24, however, it requires the addition of a specific parameter:
Additional setting:
---------------------
Name: bUseServerNameForDomain
Path: CommServe
Type: Boolean
Value: true

 

We found another solution to the problem with our AD Team:

The validation worked when changing the generic AD address to one of the AD controllers. Instead of picking a single DC out of the pool to authenticate against, we chose to use the VIP address of our LB.

 

Have a wonderful day,

Zoltan

Mike Struening RETIRED
Rank
Userlevel 7
Badge +23

Thanks for sharing, @Zoltan !

https://www.linkedin.com/in/michael-struening
H
Badge

Thanks for sharing, @Zoltan !

It worked for me after trying to DR restore to other server out of domain. (version 11.25.36)

 

Reply


Terms & ConditionsCookie settings