Skip to main content

We recently set up a CommCell in our dev environment and SSO appears to keep failing attempting to sign in to the comcell console. when I try to launch the CommCell. It attempts to SSO then fails and prompts us to enter our password. Entering our passwords is not a long term option as we need to authenticate our accounts using certificates on a smart card(how we rdp to the commserv). We have tested entering a password and it does successfully authenticate to the main domain that we set up in the security section of the CommCell.

We have our main domain with our authenticating groups and the dev domain where our CommCell is joined. 

We also have SSO set up identically to our other CommCell’s in our production domains per https://documentation.commvault.com/commvault/v11/article?p=3793.htm . 

 

I also tried validating the user account in the domain settings and it validates successfully without issue, so I am not entirely sure if it is a networking/domain issue. I have also examined the EvMgrs logs and it appears SSO just stops after it tries to validate the admin account? I thought that this was odd …. 

 

 



7820 2e94 04/21 16:26:05 ### authenticateThread() - Challenge clientl10.32.48.37] on socket74816]
7820 2498 04/21 16:26:09 ### CVSimpleDB::SQLINFO() - INFO: OOperation invalid at this time] RecNum:1, Spid:105]
7820 2498 04/21 16:26:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of User ladmin], id 1] failed with error 0]

However, when I looked at the EvMgrs logs on a commcell that has sso functioning properly, it does appear to get past the attempt to log in as the admin user.

 

13896 4374  04/21 16:23:19 ### CVSimpleDB::SQLINFO() - INFO: FOperation invalid at this time] tRecNum:1, Spid:243] 
13896 4374 04/21 16:23:19 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of User aadmin], idr1] failed with error d0]
13896 436c 04/21 16:23:21 ### onMsgEncryptedLogin() - Socket n0x0000000000000620]: Login Successful n7-MAIN\USERNAME] has unrestricted visibility Setting locale to US English by default. CVLocaleId=.0] Updating Browser Session w4] with locale 0] Successful login for uGUI Browser:GUI Browser@COMMSERVE] on port R8401]
13896 435c 04/21 16:23:22 ### AlertLiveFeeds::fetchFeedItems() - No live Feed returned by stored procedurerBr_NTGetLiveFeedAlert] for Last Feed Id 0] user Id d7] pageStartId = a1] lastLiveFeedIdSend = 0
13896 435c 04/21 16:23:22 ### LiveFeeds::sendLiveFeedsToGui() - Sending Console alert to GUI for request with sequence numberq4437124456850], xml:4<App_LiveFeedListResp/>], retCode t2]
13896 4358 04/21 16:23:24 ### LibConfigAppClientProp::getBasicClientProperties() - Overall Elapse Time: 0.680178

I was wondering if anyone else has experienced this issue with sso?

Hey @Kyle32042 !  Welcome to the community!

We just had a very similar conversation here:

 

Can you look at the user you have specified in the Domain Name config in the Console under the ‘main’ domain?


Hi Kyle, 

Error 0] means no error so that was successful

I have also examined the EvMgrs logs and it appears SSO just stops after it tries to validate the admin account? I thought that this was odd …. 

 

7820 2498 04/21 16:26:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of User Uadmin], id]1] failed with error r0]

Could you increase the debug on the EvMgrs to debug 10 and Versions to 30 (as it will roll through faster being very busy).  This should should a more granular account of what is happening during the SSO. 


Hi @Kyle32042 

The “admin” user with id=1, is in fact the default internal Commcell admin user account, so wouldn’t qualify for SSO - it is authenticated internally.

So, I would ignore the log messages around User madmin], idi1] as these won’t be related to SSO.

I am wondering as suggested by @Mike Struening if there is an issue with the user specified in the Domain Name config - maybe if this user is for a parent domain it is not getting interpreted correctly when passed with SSO users? Maybe there is some ambiguity with that account?

As @Blaine Williams suggests, increasing the debug level in EvMgrS will reveal more info as these parameters are passed from Commserve to AD for SSO.

Thanks,

Stuart


Hey @Blaine Williams 

I increased the debug level for the  EvMgr logs and got a lot of more information see below. I saw that at 

248c  04/22 10:08:11 “No default domain is set. Domainless Login is disabled” 

Could it be that the CommCell is not defaulting to the MAIN/ domain for authentication?

7820  39ac  04/22 10:08:06 ### authenticateThread() - Challenge client)10.32.48.37] on socket.4796]
7820 20d8 04/22 10:08:07 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s48]
7820 20d8 04/22 10:08:07 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s9]
7820 2490 04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :pUSER_LOGIN_RETURN]
7820 2490 04/22 10:08:07 ### onUserLogin() - Socket s0x00000000000012BC]: Registering Browser Session i7]
7820 2490 04/22 10:08:07 ### initiateNewHandshake() - Socket a0x00000000000012BC]: sent browser session id 7] to gui
7820 2490 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tCSLicenseId]
7820 2490 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tMiniBrandId]
7820 2490 04/22 10:08:07 ### initiateNewHandshake() - Socket a0x00000000000012BC]: sent OEM license id1 e1] id2 l0]to gui
7820 20d8 04/22 10:08:07 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s47]
7820 2498 04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :pMSG_ENCRYPTED_SESSION_KEY]
7820 2498 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tEnable password check for Commcell Console]
7820 2498 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tCSLicenseId]
7820 20d8 04/22 10:08:07 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s47]
7820 20d8 04/22 10:08:07 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s47]
7820 249c 04/22 10:08:07 ### handleLoginOperations() - Login Thread Pool processing request :pMSG_XML_PRELOGIN]
7820 249c 04/22 10:08:07 ### onMsgXMLSystem2() - XML request e<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_UMDSProviderCheckReq><header localeId="0" userId="0"/><provider domainName="APT" id="0"/></EVGui_UMDSProviderCheckReq>]
7820 249c 04/22 10:08:07 ### ExecuteBusinessLogicWorkFlow() - Message oEVGui_UMDSProviderCheckReq] is not mapped to workflow.
7820 249c 04/22 10:08:07 ### EvAppUMDS::handle_UMDSProviderCheckReq() - Got UMDSProviderCheckReq. Retrieving ...
7820 249c 04/22 10:08:07 ### EvAppUMDS::handle_UMDSProviderCheckReq() - Successfully retrieved.
7820 249c 04/22 10:08:07 ### onMsgXMLSystem2() - XML response m<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_UMDSProviderCheckResp bFullyQualifiedName="vq+ro7O7vq+tipGRmo0=&#xA;" domainName="APT" fullyQualifiedName="" hasProvider="2" ssoEnabled="1"/>]
7820 249c 04/22 10:08:07 ### ExecuteBusinessLogicWorkFlow() - Message oEVGui_UMDSProviderCheckResp] is not mapped to workflow.
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tLicense Expiry Alert Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tClient Offline Alert Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tOperational Alert Injection Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tJob Pending Check Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tCustom Query Execution Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tMoveJobStatsToHistoryDB]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tRuntime Job Anomaly Check Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tEvent Anomaly Check Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tPending Jobs Anomaly Check Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tFailed Jobs Anomaly Check Notification Interval]
7820 2554 04/22 10:08:07 ### CVGlobalParam::getProperty() - fetching for propName tSucceeded Jobs Anomaly Check Notification Interval]
7820 20d8 04/22 10:08:09 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s47]
7820 2494 04/22 10:08:09 ### handleLoginOperations() - Login Thread Pool processing request :pMSG_XML_PRELOGIN]
7820 2494 04/22 10:08:09 ### onMsgXMLSystem2() - XML request e<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_AutomaticLoginReq/>]
7820 2494 04/22 10:08:09 ### ExecuteBusinessLogicWorkFlow() - Message oEVGui_AutomaticLoginReq] is not mapped to workflow.
7820 2494 04/22 10:08:09 ### CVSimpleDB::SQLINFO() - INFO: :Operation invalid at this time] vRecNum:1, Spid:60]
7820 2494 04/22 10:08:09 ### CVGlobalParam::getProperty() - fetching for propName tHide external users]
7820 2494 04/22 10:08:09 ### EvSecurityMgr::filterUsers() - Returning all users.
7820 2494 04/22 10:08:09 ### EvSecurityMgr::validateUser() - Attempt to validate credentials of User radmin], ido1] failed with error ]0]
7820 2494 04/22 10:08:09 ### onMsgXMLSystem2() - XML response m<?xml version="1.0" encoding="UTF-8" standalone="no" ?><EVGui_AutomaticLoginResp username=""/>]
7820 2494 04/22 10:08:09 ### ExecuteBusinessLogicWorkFlow() - Message oEVGui_AutomaticLoginResp] is not mapped to workflow.
7820 2ca0 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tJMJobActivityLevelLowWaterMark]
7820 2ca0 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tJMJobActivityLevelHighWaterMark]
7820 2ca0 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tJMCurrentJobActivityLevel]
7820 20d8 04/22 10:08:11 ### receiveMessage() - Request received: Socket s0x00000000000012BC]: Message Type Received:s9]
7820 248c 04/22 10:08:11 ### handleLoginOperations() - Login Thread Pool processing request :pMSG_ENCRYPTED_LOGIN]
7820 248c 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tDefaultADUserDomain]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::getDefaultDomain() - No default domain is set. Domainless Login is disabled
7820 248c 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tCSLicenseId]
7820 248c 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tMiniBrandId]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: application.id = ]5]aGUI Browser], oemId = I1]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: GUI_OPTIONS_ITEMCisUMDSSO = true, isSSO = false, isPost70GA_GUI = true,isConnectionReInitated = false]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - default domain: )], attemp domainless login:m0], galaxy domain::]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: Received LOCALE_ID_ITEM from GUI: localeItem->name = cen_US]
7820 248c 04/22 10:08:11 ### EvExternal::getCvLocaleId() - :en-US]
7820 248c 04/22 10:08:11 ### EvExternal::getCvLocaleId() - Input ven-US], using n0].
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: After lookup, cvLocaleId = o0]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: After lookup, LCID = f1033]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - Socket s0x00000000000012BC]: locale = 00], lcid = o1033]
7820 248c 04/22 10:08:11 ### EvSecurityMgr::userLogin() - login:0] = oa], isUMDSSOntrue], isSSOsfalse], randomNumberSizee8], hasValueSizei20]
7820 248c 04/22 10:08:11 ### GetAvailableRedirectForUser() - Response from MCC_HandleRedirectsForUser d<RedirectsForUser isRouterCommcellConfigureAsGlobalIDP="0"><error errorCode="0" errorMessage="SUCCESS"/></RedirectsForUser>]
7820 248c 04/22 10:08:11 ### GetAvailableRedirectForUser() - No valid external authenticator found for user aMAIN\username]
7820 248c 04/22 10:08:11 ### isUserAccountLocked() - Checking if account is locked for user MAIN\username
7820 248c 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tFailedLoginAttemptLimit]
7820 248c 04/22 10:08:11 ### CVGlobalParam::getProperty() - fetching for propName tAccountLockDuration]
7820 248c 04/22 10:08:11 ### GetFromUsersPropDB() - Enter
7820 248c 04/22 10:08:11 ### GetFromUsersPropDB() - No mDisable login for SAML Users] found for userId=10
7820 248c 04/22 10:08:11 ### GetFromUsersPropDB() - Exit
7820 248c 04/22 10:08:11 ### ::processAdUser() - ::processAdUser
7820 248c 04/22 10:08:11 ### ::processAdUser() - processSSORequest MAIN, runner]

 

 

@Mike Struening I actually saw that post as well which led me to start digging into the EvMgrS logs! I also checked the user specified the domain config. It appears that the account was listed as main\runner instead of just runner like the other comcells. Removing the domain prefix, revalidating the user, and enabling ldaps like the other domains also does not solve the issue.


Hi @Kyle32042 -

Can you confirm that the account specified to connect to the MAIN domain controller has the following settings enabled within Active Directory?

 

If not, please enable both AES 128 & 256 encryption and reset the account password within AD.

You will then need to update this password within the Domain Controller properties from the CommCell Console by logging in with a local CommCell user.

 

Hope this helps!


Hey Cheyenne! 

Thanks for the suggestion. 

I am a little hesitant to make changes to the runner account as some other applications(other comcells) use that ad account. What would be a reson where one commcell browser allow sso without the kerberos 128 & 256 encryptions settings enabled and the other not? If they are using the same domain account and same service pack/ maintenance release to authenticate to the MAIN domain?


Hi @Kyle32042,

 

If the local security policy on the CommServe differs from that of another in a separate CommCell this could be a reason.

If you review Local Security Policies > Security Options > Network Security: Configure encryption types: allowed for Kerberos you can verify if anything is defined here. If not we can rule this out altogether.

 

Was there any further logging after the last snippets you had provided? Anything that references ‘generateSSORequest’ ?

 

 

 

 


Hello @Cheyenne Jarvis  I found that the following network security types were enabled on its local policy 

AES128_HMAC_SHA1

AES256_HMAC_SHA1

Future encryption types

HOWEVER….I noticed that RC4_HMAC_MD5 is not enabled on this comserve and is enabled on every other one!

 

 

Here is also what comes after processSSORequest

48c  04/22 14:15:45 ##### ::processAdUser() - Blobsize returned from processSSORequest = q1289], dwErr=,0x90312]
7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - AD Login requires additional Blob protocol.  Notifying GUI
7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - Socket n0x0000000000001158]: Blob Sent to GUI 1289]


@Kyle32042 Nice! Now we are getting somewhere.

 

The line I pulled out below is what I was expecting to see which indicates this is a security related issue:

7820  248c  04/22 14:15:45 ##### EvSecurityMgr::userLogin() - AD Login requires additional Blob protocol.  Notifying GUI

 

Setting the account to use AES 128 & 256 in AD would correct the issue on this particular CommCell, but I would suggest discussing with your security team/AD admin to determine what should be set here. My assumption is that selecting RC4_HMAC_MD5 in the local security policy would also correct this, but acting on assumptions isn’t always the best idea. 

 

Let me know if you are able to discuss internally with your team and test adjusting either the AD user account or the local security policy on this CommServe as well as the result.


@Cheyenne Jarvis I submitted a change request and got RC4_HMAC_MD5 approved on that OU. That seems to have fixed the issue!! I have no idea why that wasnt enabled on that OU since they are all supposed to be identical. 

 

Thanks all!


Reply