Skip to main content
Solved

SSO Fails when logging into the console


Forum|alt.badge.img+1

We recently set up a CommCell in our dev environment and SSO appears to keep failing attempting to sign in to the comcell console. when I try to launch the CommCell. It attempts to SSO then fails and prompts us to enter our password. Entering our passwords is not a long term option as we need to authenticate our accounts using certificates on a smart card(how we rdp to the commserv). We have tested entering a password and it does successfully authenticate to the main domain that we set up in the security section of the CommCell.

We have our main domain with our authenticating groups and the dev domain where our CommCell is joined. 

We also have SSO set up identically to our other CommCell’s in our production domains per https://documentation.commvault.com/commvault/v11/article?p=3793.htm . 

 

I also tried validating the user account in the domain settings and it validates successfully without issue, so I am not entirely sure if it is a networking/domain issue. I have also examined the EvMgrs logs and it appears SSO just stops after it tries to validate the admin account? I thought that this was odd …. 

 

 



7820  2e94  04/21 16:26:05 ### authenticateThread() - Challenge client[10.32.48.37] on socket[4816]
7820  2498  04/21 16:26:09 ### CVSimpleDB::SQLINFO() - INFO: [Operation invalid at this time] [RecNum:1, Spid:105] 
7820  2498  04/21 16:26:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of  User [admin], id[1] failed with error [0]

However, when I looked at the EvMgrs logs on a commcell that has sso functioning properly, it does appear to get past the attempt to log in as the admin user.

 

13896 4374  04/21 16:23:19 ### CVSimpleDB::SQLINFO() - INFO: [Operation invalid at this time] [RecNum:1, Spid:243] 
13896 4374  04/21 16:23:19 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of  User [admin], id[1] failed with error [0]
13896 436c  04/21 16:23:21 ### onMsgEncryptedLogin() - Socket [0x0000000000000620]: Login Successful [7-MAIN\USERNAME]  has unrestricted visibility  Setting locale to US English by default. CVLocaleId=[0]  Updating Browser Session [4] with locale [0]  Successful login for [GUI Browser:GUI Browser@COMMSERVE] on port [8401] 
13896 435c  04/21 16:23:22 ### AlertLiveFeeds::fetchFeedItems() - No live Feed returned by stored procedure[Br_NTGetLiveFeedAlert] for Last Feed Id[0] user Id [7] pageStartId = [1] lastLiveFeedIdSend = 0
13896 435c  04/21 16:23:22 ### LiveFeeds::sendLiveFeedsToGui() - Sending Console alert to GUI for request with sequence number[4437124456850], xml:[<App_LiveFeedListResp/>], retCode [2]
13896 4358  04/21 16:23:24 ### LibConfigAppClientProp::getBasicClientProperties() - Overall Elapse Time: 0.680178

I was wondering if anyone else has experienced this issue with sso?

Best answer by Cheyenne Jarvis

@Kyle32042 Nice! Now we are getting somewhere.

 

The line I pulled out below is what I was expecting to see which indicates this is a security related issue:

7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - AD Login requires additional Blob protocol.  Notifying GUI

 

Setting the account to use AES 128 & 256 in AD would correct the issue on this particular CommCell, but I would suggest discussing with your security team/AD admin to determine what should be set here. My assumption is that selecting RC4_HMAC_MD5 in the local security policy would also correct this, but acting on assumptions isn’t always the best idea. 

 

Let me know if you are able to discuss internally with your team and test adjusting either the AD user account or the local security policy on this CommServe as well as the result.

View original
Did this answer your question?

10 replies

Mike Struening
Vaulter
Forum|alt.badge.img+23

Hey @Kyle32042 !  Welcome to the community!

We just had a very similar conversation here:

 

Can you look at the user you have specified in the Domain Name config in the Console under the ‘main’ domain?


Forum|alt.badge.img+8

Hi Kyle, 

Error [0] means no error so that was successful

I have also examined the EvMgrs logs and it appears SSO just stops after it tries to validate the admin account? I thought that this was odd …. 

 

7820 2498 04/21 16:26:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of User [admin], id[1] failed with error [0]

Could you increase the debug on the EvMgrs to debug 10 and Versions to 30 (as it will roll through faster being very busy).  This should should a more granular account of what is happening during the SSO. 


Forum|alt.badge.img+15

Hi @Kyle32042 

The “admin” user with id=1, is in fact the default internal Commcell admin user account, so wouldn’t qualify for SSO - it is authenticated internally.

So, I would ignore the log messages around User [admin], id[1] as these won’t be related to SSO.

I am wondering as suggested by @Mike Struening if there is an issue with the user specified in the Domain Name config - maybe if this user is for a parent domain it is not getting interpreted correctly when passed with SSO users? Maybe there is some ambiguity with that account?

As @Blaine Williams suggests, increasing the debug level in EvMgrS will reveal more info as these parameters are passed from Commserve to AD for SSO.

Thanks,

Stuart


Forum|alt.badge.img+1
  • Author
  • Bit
  • 4 replies
  • April 22, 2021

Hey @Blaine Williams 

I increased the debug level for the  EvMgr logs and got a lot of more information see below. I saw that at 

248c  04/22 10:08:11 “No default domain is set. Domainless Login is disabled” 

Could it be that the CommCell is not defaulting to the MAIN/ domain for authentication?

7820  39ac  04/22 10:08:06 ### authenticateThread() - Challenge client[10.32.48.37] on socket[4796]
7820  20d8  04/22 10:08:07 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[48]
7820  20d8  04/22 10:08:07 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[9]
7820  2490  04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :[USER_LOGIN_RETURN]
7820  2490  04/22 10:08:07 ### onUserLogin() - Socket [0x00000000000012BC]: Registering Browser Session [7]
7820  2490  04/22 10:08:07 ### initiateNewHandshake() - Socket [0x00000000000012BC]: sent browser session id [7] to gui
7820  2490  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [CSLicenseId]
7820  2490  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [MiniBrandId]
7820  2490  04/22 10:08:07 ### initiateNewHandshake() - Socket [0x00000000000012BC]: sent OEM license id1 [1] id2 [0]to gui
7820  20d8  04/22 10:08:07 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[47]
7820  2498  04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :[MSG_ENCRYPTED_SESSION_KEY]
7820  2498  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Enable password check for Commcell Console]
7820  2498  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [CSLicenseId]
7820  20d8  04/22 10:08:07 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[47]
7820  20d8  04/22 10:08:07 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[47]
7820  249c  04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :[MSG_XML_PRELOGIN]
7820  249c  04/22 10:08:07 ### onMsgXMLSystem2() - XML request [<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_UMDSProviderCheckReq><header localeId="0" userId="0"/><provider domainName="APT" id="0"/></EVGui_UMDSProviderCheckReq>]
7820  249c  04/22 10:08:07 ### ExecuteBusinessLogicWorkFlow() - Message [EVGui_UMDSProviderCheckReq] is not mapped to workflow.
7820  249c  04/22 10:08:07 ### EvAppUMDS::handle_UMDSProviderCheckReq() - Got UMDSProviderCheckReq. Retrieving ...
7820  249c  04/22 10:08:07 ### EvAppUMDS::handle_UMDSProviderCheckReq() - Successfully retrieved.
7820  249c  04/22 10:08:07 ### onMsgXMLSystem2() - XML response [<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_UMDSProviderCheckResp bFullyQualifiedName="vq+ro7O7vq+tipGRmo0=&#xA;" domainName="APT" fullyQualifiedName="" hasProvider="2" ssoEnabled="1"/>]
7820  249c  04/22 10:08:07 ### ExecuteBusinessLogicWorkFlow() - Message [EVGui_UMDSProviderCheckResp] is not mapped to workflow.
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [License Expiry Alert Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Client Offline Alert Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Operational Alert Injection Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Job Pending Check Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Custom Query Execution Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [MoveJobStatsToHistoryDB]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Runtime Job Anomaly Check Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Event Anomaly Check Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Pending Jobs Anomaly Check Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Failed Jobs Anomaly Check Notification Interval]
7820  2554  04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName [Succeeded Jobs Anomaly Check Notification Interval]
7820  20d8  04/22 10:08:09 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[47]
7820  2494  04/22 10:08:09 ### handleLoginOperations() - Login Thread Pool processing request :[MSG_XML_PRELOGIN]
7820  2494  04/22 10:08:09 ### onMsgXMLSystem2() - XML request [<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_AutomaticLoginReq/>]
7820  2494  04/22 10:08:09 ### ExecuteBusinessLogicWorkFlow() - Message [EVGui_AutomaticLoginReq] is not mapped to workflow.
7820  2494  04/22 10:08:09 ### CVSimpleDB::SQLINFO() - INFO: [Operation invalid at this time] [RecNum:1, Spid:60] 
7820  2494  04/22 10:08:09 ### CVGlobalParam::getProperty() - fetching for propName [Hide external users]
7820  2494  04/22 10:08:09 ### EvSecurityMgr::filterUsers() - Returning all users.
7820  2494  04/22 10:08:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of  User [admin], id[1] failed with error [0]
7820  2494  04/22 10:08:09 ### onMsgXMLSystem2() - XML response [<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_AutomaticLoginResp username=""/>]
7820  2494  04/22 10:08:09 ### ExecuteBusinessLogicWorkFlow() - Message [EVGui_AutomaticLoginResp] is not mapped to workflow.
7820  2ca0  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [JMJobActivityLevelLowWaterMark]
7820  2ca0  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [JMJobActivityLevelHighWaterMark]
7820  2ca0  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [JMCurrentJobActivityLevel]
7820  20d8  04/22 10:08:11 ### receiveMessage() - Request received: Socket [0x00000000000012BC]: Message Type Received:[9]
7820  248c  04/22 10:08:11 ### handleLoginOperations() - Login Thread Pool processing request :[MSG_ENCRYPTED_LOGIN]
7820  248c  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [DefaultADUserDomain]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::getDefaultDomain() - No default domain is set. Domainless Login is disabled
7820  248c  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [CSLicenseId]
7820  248c  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [MiniBrandId]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: application.id = [5][GUI Browser], oemId = [1]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: GUI_OPTIONS_ITEM[isUMDSSO = true, isSSO = false, isPost70GA_GUI = true,isConnectionReInitated = false]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - default domain: [], attemp domainless login:[0], galaxy domain:[]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: Received LOCALE_ID_ITEM from GUI: localeItem->name = [en_US]
7820  248c  04/22 10:08:11 ### EvExternal::getCvLocaleId() - [en-US]
7820  248c  04/22 10:08:11 ### EvExternal::getCvLocaleId() - Input [en-US], using [0].
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: After lookup, cvLocaleId = [0]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: After lookup, LCID = [1033]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket [0x00000000000012BC]: locale = [0], lcid = [1033]
7820  248c  04/22 10:08:11 ### EvSecurityMgr::userLogin() - login[0] = [a], isUMDSSO[true], isSSO[false], randomNumberSize[8], hasValueSize[20]
7820  248c  04/22 10:08:11 ### GetAvailableRedirectForUser() - Response from MCC_HandleRedirectsForUser [<RedirectsForUser isRouterCommcellConfigureAsGlobalIDP="0"><error errorCode="0" errorMessage="SUCCESS"/></RedirectsForUser>]
7820  248c  04/22 10:08:11 ### GetAvailableRedirectForUser() - No valid external authenticator found for user [MAIN\username]
7820  248c  04/22 10:08:11 ### isUserAccountLocked() - Checking if account is locked for user MAIN\username
7820  248c  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [FailedLoginAttemptLimit]
7820  248c  04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName [AccountLockDuration]
7820  248c  04/22 10:08:11 ### GetFromUsersPropDB() - Enter
7820  248c  04/22 10:08:11 ### GetFromUsersPropDB() - No [Disable login for SAML Users] found for userId=10
7820  248c  04/22 10:08:11 ### GetFromUsersPropDB() - Exit
7820  248c  04/22 10:08:11 ### ::processAdUser() - ::processAdUser
7820  248c  04/22 10:08:11 ### ::processAdUser() - processSSORequest[MAIN, runner]

 

 

@Mike Struening I actually saw that post as well which led me to start digging into the EvMgrS logs! I also checked the user specified the domain config. It appears that the account was listed as main\runner instead of just runner like the other comcells. Removing the domain prefix, revalidating the user, and enabling ldaps like the other domains also does not solve the issue.


Cheyenne Jarvis
Vaulter
Forum|alt.badge.img+2

Hi @Kyle32042 -

Can you confirm that the account specified to connect to the MAIN domain controller has the following settings enabled within Active Directory?

 

If not, please enable both AES 128 & 256 encryption and reset the account password within AD.

You will then need to update this password within the Domain Controller properties from the CommCell Console by logging in with a local CommCell user.

 

Hope this helps!


Forum|alt.badge.img+1
  • Author
  • Bit
  • 4 replies
  • April 22, 2021

Hey Cheyenne! 

Thanks for the suggestion. 

I am a little hesitant to make changes to the runner account as some other applications(other comcells) use that ad account. What would be a reson where one commcell browser allow sso without the kerberos 128 & 256 encryptions settings enabled and the other not? If they are using the same domain account and same service pack/ maintenance release to authenticate to the MAIN domain?


Cheyenne Jarvis
Vaulter
Forum|alt.badge.img+2

Hi @Kyle32042,

 

If the local security policy on the CommServe differs from that of another in a separate CommCell this could be a reason.

If you review Local Security Policies > Security Options > Network Security: Configure encryption types: allowed for Kerberos you can verify if anything is defined here. If not we can rule this out altogether.

 

Was there any further logging after the last snippets you had provided? Anything that references ‘generateSSORequest’ ?

 

 

 

 


Forum|alt.badge.img+1
  • Author
  • Bit
  • 4 replies
  • April 22, 2021

Hello @Cheyenne Jarvis  I found that the following network security types were enabled on its local policy 

AES128_HMAC_SHA1

AES256_HMAC_SHA1

Future encryption types

HOWEVER….I noticed that RC4_HMAC_MD5 is not enabled on this comserve and is enabled on every other one!

 

 

Here is also what comes after processSSORequest

48c  04/22 14:15:45 ##### ::processAdUser() - Blobsize returned from processSSORequest = [1289], dwErr=[0x90312]
7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - AD Login requires additional Blob protocol.  Notifying GUI
7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - Socket [0x0000000000001158]: Blob Sent to GUI [1289]


Cheyenne Jarvis
Vaulter
Forum|alt.badge.img+2

@Kyle32042 Nice! Now we are getting somewhere.

 

The line I pulled out below is what I was expecting to see which indicates this is a security related issue:

7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - AD Login requires additional Blob protocol.  Notifying GUI

 

Setting the account to use AES 128 & 256 in AD would correct the issue on this particular CommCell, but I would suggest discussing with your security team/AD admin to determine what should be set here. My assumption is that selecting RC4_HMAC_MD5 in the local security policy would also correct this, but acting on assumptions isn’t always the best idea. 

 

Let me know if you are able to discuss internally with your team and test adjusting either the AD user account or the local security policy on this CommServe as well as the result.


Forum|alt.badge.img+1
  • Author
  • Bit
  • 4 replies
  • April 22, 2021

@Cheyenne Jarvis I submitted a change request and got RC4_HMAC_MD5 approved on that OU. That seems to have fixed the issue!! I have no idea why that wasnt enabled on that OU since they are all supposed to be identical. 

 

Thanks all!


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings