Active Directory users fail ZENworks agent login after change in AD

  • 7012424
  • 16-May-2013
  • 27-Feb-2018

Environment

ZENworks Configuration Management 11 Authentication
ZENworks Configuration Management 2017 Authentication

Situation

When the sAMAccountName and the CN of an Active Directory user object differ, ZENworks login may fail after a change to the user object (for example a move or a rename).

ERROR (from ats.log with full debug enabled):

2013-02-26 15:16:49,464 DEBUG authtoksvc.PwdAuthenticate Starting Authentication for  CN=Cathy Smith,OU=Test,DC=mydomain,DC=com
2013-02-26 15:16:49,464 DEBUG authtoksvc.PwdAuthenticate User has provided a valid FullDN name
2013-02-26 15:16:49,470 WARN authtoksvc.PwdAuthenticate invoke()-NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334,
comment: AcceptSecurityContext error, data 525, vece]Exception occured while adding connector specified at [XPath: /bci:realms/bci:realm[@id='mydomain.com']]
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]Exception occured while adding connector specified at [XPath: /bci:realms/bci:realm[@id='mydomain.com']]
2013-02-26 15:16:49,471 DEBUG authtoksvc.PwdAuthenticate Search roots length 2
2013-02-26 15:16:49,471 DEBUG authtoksvc.PwdAuthenticate Search with the value Cathy Smith
2013-02-26 15:16:49,473 DEBUG authtoksvc.PwdAuthenticate Searching the root:CN=Users,DC=mydomain,DC=com
2013-02-26 15:16:49,475 DEBUG authtoksvc.PwdAuthenticate Searching the root:OU=test,DC=mydomain,DC=com
2013-02-26 15:16:49,475 WARN authtoksvc.PwdAuthenticate invoke()- Failed to resolve identity for entity CN=Cathy Smith,OU=test,DC=mydomain,DC=com
2013-02-26 15:16:49,475 DEBUG authtoksvc.PwdAuthenticate invoke()- It seemsUser has entered wrong user name / Password
2013-02-26 15:16:49,475 DEBUG authtoksvc.PwdAuthenticate invoke()- Send Invalid Credential Code
2013-02-26 15:16:49,476 WARN authtoksvc.PwdAuthenticate Autheticated IdentID:Invalid Credentials
2013-02-26 15:16:49,476 INFO authtoksvc.Authenticate invoke()- identId NOT resolved because of Invalid Credentials, Invalid Credentials


ERROR (from zmd-messages.log):

 [DEBUG] [02/26/2013 13:11:40.089] [1272] [ZenworksWindowsService] [40] [] [CommonCasa] [] [ObtainAuthToken took exception: -939589594 System.Exception: -939589594
   at Novell.Casa.Client.Auth.Authtoken.ObtainAuthToken(String sService, String sHost, WinLuid luid, String()& extraData, IntPtr micasaContext, String& AuthMech)
   at Novell.Zenworks.Zmd.Common.CasaHelper.ObtainAuthToken(String SessionID, String RealmName, String Host, String& AuthToken, String()& ExtraAttribs, IntPtr MicasaContext, String& AuthMech)] [] []


ERROR (from client casa log): C7FF0026

Example from ZCM 11.4.3:
ERROR (from ats.log; note the error and sub-error codes, which are specific to AD):
[WARN] [01/11/2016 20:41:50.282] [59343] [ATS] [192] [zenworks] [CASAServer] [] [(ClientAddr=192.168.0.17)invoke()-NamingException: (LDAP: error code 49 -80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

Resolution

To fix the problem, set the ReadCachedDN registry key.

ZCM version 11.2.4 and later (including ZCM 2017) support a new registry key:

HKLM\Software\Novell\ZCM\ZenLgn
Key (DWORD): ReadCachedDN
Value Data: 0

When the value is set to 0, the login history (the cached DN) is bypassed and the user is resolved afresh at login.


Workaround (for versions older than 11.2.4 only): delete the user entry on the managed device in the registry.
Example:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\ZenLgn\History\Cache\kszenad.com
CN=Cathy Schmidt,OU=royale,DC=kszenad,DC=com
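The two fixes above (ReadCachedDN on 11.2.4 and later, deleting the cached entry on older agents) as an added PowerShell example; this is not part of the TID and not Novell's code. It assumes ReadCachedDN is a DWORD directly under the ZenLgn key, and that on older agents the cached DN appears as the name of a value or subkey under History\Cache\<realm>; the stale check uses DirectoryEntry.Exists so only DNs that AD no longer resolves are removed.

```powershell
# Added example, not from the TID. Run in elevated PowerShell on the managed device.
# Assumptions: ReadCachedDN is a DWORD directly under ZenLgn (as the TID states); on
# pre-11.2.4 agents a cached DN is the name of a value or subkey under
# History\Cache\<realm> (the TID shows path and DN, not which one, so both are handled).
$ZenLgn = 'HKLM:\SOFTWARE\Novell\ZCM\ZenLgn'

# ZCM 11.2.4 and later (including ZCM 2017): bypass the login history so the agent
# resolves the user afresh instead of reusing a cached DN. Returns the value written.
function Set-ZcmReadCachedDn {
    param([ValidateSet(0, 1)][int]$Value = 0)   # 0 = bypass history (the TID's fix)
    if (-not (Test-Path -LiteralPath $ZenLgn)) { throw "ZENworks agent key not found: $ZenLgn" }
    New-ItemProperty -LiteralPath $ZenLgn -Name 'ReadCachedDN' -PropertyType DWord `
        -Value $Value -Force | Out-Null
    (Get-ItemProperty -LiteralPath $ZenLgn -Name 'ReadCachedDN').ReadCachedDN
}

# Older than 11.2.4: remove only cached DNs that AD can no longer resolve (the user was
# moved or renamed since the last login). Supports -WhatIf; returns the DNs removed.
function Remove-StaleZcmCachedDn {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Realm)   # e.g. kszenad.com, as in the TID example
    $cache = Join-Path $ZenLgn "History\Cache\$Realm"
    if (-not (Test-Path -LiteralPath $cache)) { Write-Verbose "No login cache for $Realm"; return }
    $key        = Get-Item -LiteralPath $cache
    $valueNames = @($key.GetValueNames())
    $entries    = ($valueNames + @($key.GetSubKeyNames())) | Where-Object { $_ -like 'CN=*' }
    foreach ($dn in $entries) {
        try { $resolves = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn") }
        catch { Write-Warning "Cannot query AD for '$dn': $($_.Exception.Message); skipping"; continue }
        if ($resolves) { Write-Verbose "Cached DN still valid: $dn"; continue }
        # Stale DN: this is the entry the ATS search fails on (see the ats.log excerpt above).
        if ($PSCmdlet.ShouldProcess("$cache : $dn", 'Remove stale cached DN')) {
            if ($valueNames -contains $dn) { Remove-ItemProperty -LiteralPath $cache -Name $dn }
            else { Remove-Item -LiteralPath (Join-Path $cache $dn) -Recurse }
            $dn
        }
    }
}

# Usage, depending on the agent version:
#   Set-ZcmReadCachedDn -Value 0
#   Remove-StaleZcmCachedDn -Realm 'kszenad.com' -WhatIf
```

Run the removal with -WhatIf first to see which cached DNs would go; a DN that AD cannot be queried for is skipped rather than deleted.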


For ZCM 11.2.3a: if it is not possible to upgrade to ZCM 11.2.4 at this time, Novell has made a Patch available for testing in the form of a Field Test File (FTF). It can be obtained at https://download.novell.com/Download?buildid=958gy6RI3i0~ as "ZCM 11.2.3a /ZCM 11.2.3a MU1 fix for Active Directory users fail ZENworks agent login after change in AD - see TID 7012424". This Patch should only be applied if the symptoms above are being experienced and are causing problems.

This Patch has had limited testing and should not be used in a production system without first being checked in a test environment. Some Patches have specific requirements for deployment, so it is very important to follow any instructions in the readme at the download site. Please report any problems encountered when using this Patch by using the feedback link on this TID.

Cause