Splunk LDAP authentication - active-directory

It seems one of the LDAP strategies has stopped working for an unknown reason. I have confirmed the password and the settings are correct. I have also checked the Map Groups field and confirmed that the user role has been added, and I am able to see all the users that should be in there under LDAP Users. I have also tried reloading the authentication configuration with no luck. Any help or suggestions would be greatly appreciated. Below is the message I am getting. Any help or tips would be greatly appreciated; not sure where else to go from here.
03-11-2020 08:30:46.318 -0500 ERROR UiAuth - user=myuser action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" clientip=123.123.123.123
03-11-2020 08:30:46.318 -0500 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="myuser" on any configured servers
(host = abc001, source = \Splunk\var\log\splunk\splunkd.log, sourcetype = splunkd)

Please double check your bindDNPassword for the LDAP service account and the LDAP password policy.
I encountered the same error when I kept the wrong password and the service account got locked.
I had to reset the password and it worked for me. Give it a try.
Thank you.

Related

Can we disable redirects selectively (On specific requests) gatling

This is my HTTP protocol, where I am setting disableFollowRedirect. However, there is one get call I am making for which I want the execution to follow redirects. Can we do that? I tried disableProtocolChecks but it isn't working.
val httpProtocol = http
  .baseUrl(brokerHost)
  .acceptHeader("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") // Here are the common headers
  .acceptEncodingHeader("gzip, deflate")
  .acceptLanguageHeader("en-US,en;q=0.5")
  .upgradeInsecureRequestsHeader("1")
  .userAgentHeader("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36")
  .disableFollowRedirect
For this request I want the execution to follow redirects:
  .exec(http("Post SAML request to IDP")
    .post("/authentication/SSOPOST/")
    .check(status.is(302))
    .check(header("Location").saveAs("redirecturl"))
  )
No, it's not currently (as of Gatling 3.4) possible, neither one way (disable globally and re-enable locally) nor the other (enable globally and disable locally). There's no control over followRedirect behavior at the request level.
Now, could you please explain why you would want to be able to do that?
Usually, people want to disable followRedirect because they think they should capture the Location response header in the redirect response so they can capture data from the landing page URL.
This is wrong. Instead, they should leave followRedirect enabled and use the currentLocation and currentLocationRegex checks.
Actually, we're considering removing the disableFollowRedirect option, unless we really have a compelling reason not to do so.
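The approach the answer recommends, as an added example that is not part of the original thread or the Gatling project: followRedirect stays enabled (the default), the 302 from the SAML POST is followed automatically, and the landing URL is asserted and mined with currentLocationRegex instead of reading the Location header. The hostnames, the /sso path and the RelayState parameter are assumptions made up for the example.

```scala
import io.gatling.core.Predef._
import io.gatling.http.Predef._

class SamlRedirectSimulation extends Simulation {

  // Hypothetical service provider host; disableFollowRedirect is NOT set,
  // so Gatling transparently follows the 302 issued by the SSO POST.
  val httpProtocol = http
    .baseUrl("https://broker.example.test")
    .acceptHeader("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
    .acceptEncodingHeader("gzip, deflate")
    .acceptLanguageHeader("en-US,en;q=0.5")

  val scn = scenario("SAML login via IdP")
    .exec(
      http("Post SAML request to IdP")
        .post("/authentication/SSOPOST/")
        // The redirect has already been followed, so the final response is the IdP page.
        .check(status.is(200))
        // Assert we landed on the expected IdP endpoint (hypothetical host).
        .check(currentLocation.transform(_.startsWith("https://idp.example.test/sso")).is(true))
        // Pull a value out of the landing URL instead of out of the Location header.
        .check(currentLocationRegex("""[?&]RelayState=([^&]+)""").saveAs("relayState"))
    )
    .exec(
      // The captured value is then usable in the next request, exactly as the
      // saved Location header would have been, minus the manual redirect handling.
      http("Continue with RelayState")
        .get("/authentication/continue")
        .queryParam("RelayState", "${relayState}")
        .check(status.in(200, 302))
    )

  setUp(scn.inject(atOnceUsers(1))).protocols(httpProtocol)
}
```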

Azure AD automatically added offline_access

For the Microsoft OAuth 2.0 auth code grant, we have encountered an issue with scopes.
When we request only the User.Read scope, our client is asked to grant us permission for "Sign you in and read your profile" and "Access your data anytime", whereas we didn't state we need the offline_access scope.
This is only happening after Microsoft switched to the new permission grant interface. Has someone else encountered the same issue, or did we do something wrong?
The response_type we pass in is code only.
I have double checked: the application we registered is under https://apps.dev.microsoft.com.
The URL we use for authorizing is the following.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
As I said earlier, the only scope we pass in through query was User.Read.
Edit 3
Request URL: (I have removed client id.)
https://login.microsoftonline.com:443/common/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A19974%2Fapi%2Fv1%2Fmicrosoft%2Foauth2%2Fsession&response_mode=form_post&scope=User.Read&state=1527572151-IIZ0D&nonce=1527572151-IIZ0D&prompt=consent&domain_hint=organizations
Response logged with Fiddler:
POST http://localhost:19974/api/v1/microsoft/oauth2/session HTTP/1.1
Host: localhost:19974
Connection: keep-alive
Content-Length: 798
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-NZ;q=0.9,zh-TW;q=0.8,zh;q=0.7,zh-CN;q=0.6
DNT: 1
code=OAQABAAIAAADX8GCi6Js6SK82TsD2Pb7rUmGhJoHUB3devvTffqTlhRhg9XZ202zgEA8B37CzgkeLNVBc4FFstw3sTjNmYhKCYLE_jcl7KeCrtYgPVFYOKUuazv_B3vHKIM8ttwIzOlV_3GL4vqxPgjvXbWUdas5Sj9Z1X9fEBB63Wa1Ig0AnisnHk6qagIimFEPApYx473RzgIve2erM3r5fnX5Q0L1-pHppSFUJoWop6MPTkUh-umPzuXQgB280rHyUds3odS6_cJP6SbI70aLNOqHV_AnaV_VUZqQ6hLfBZMVKFMYMg_r_harPOU5EE2gf2d15FIKMsmjPRTR2vryaJRyg0TblF_jr-kWyeURwpbkPzsU6r3avEqM6dfTqhhASoXB4VmeZ2zw75pZgK4v8cfcd3J_tIpFRjcEY1TqPz5E3QrYQGfFSeBEEbjwqvj2X5_4VBvve7ABdrt3OCjid8E_837mLX-Fv5t3nk_nfnV0SY6XrFQQmoPClyqSyn44FTv_WFY7Af74SfeBrWDYSSiTuwphEmVTeT6U2R4Rs4wR8G0uHW2L53U-4UbkODd-_-JZYIahAohDAF-8TaguUwb4mOK497wsFOkgpmYz-np4MX3sTweSLmn6bAOy9Y91E3o4fuERzX9m9N_HBt64cv6k8JROKJqs6cx1Gb9EoYCRLCn2ihWi_crZh2PH5LACMCLWYgH0gAA&state=1527572151-IIZ0D&session_state=1faeaab9-0f00-45cb-a776-356463a54684
Edit 4
Today, I have done a few more tests while upgrading the project to .NET Core 2.1. I have noticed that even though the interface confirms "Access your data anytime", when I use the code to exchange for an access token, the response doesn't contain a refresh token.
The other thing I have noticed is that when I pass the scope as User.Read and exchange for an access token, the scope comes back as: User.Read User.ReadBasic.All. This is a bit inconsistent, but not a big issue.
It's not currently possible to remove the offline_access scope from the initial consent screen when using the v2 endpoint with an AAD account. When requesting tokens, the offline_access scope is still explicitly requested though.
This is an issue which is in a planned state on the Azure Active Directory suggestions and feedback site.
Admin's post (Oct 2, 2018) mentions a plan to fix this "within the next 3 months".
Cause:
For the v1 endpoint, the scope is statically configured in the AAD app registration. If you have added the "Access user's data anytime" permission, you will also get the offline_access scope in your request.
Solution:
If you don't want to let the user have the offline_access permission, you can untick the "Access user's data anytime" permission in the Microsoft Graph delegated permissions.
More about offline_access:
offline_access is one of the OpenID permissions. Its name is offline_access and its display string in the v1 endpoint is "Access user's data anytime". You can see more details about this permission in this documentation.

ADFS 2.0 - SAML integration : getting exception

Activity ID: 00000000-0000-0000-4d00-0080000000c0
Error time: Wed, 27 Jul 2016 21:27:20 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
It seems it is caused by form-based authentication not being enabled for ADFS. A solution for ADFS 3.0 is available and documented by Microsoft. I could not find a working solution for ADFS 2.0 (form-based auth configuration) to resolve the above error.
The Windows event logs show:
EventID 364
Version 0
Data Saml
Data https://localhost:8443/spring-security-saml2-sample/saml/metadata
Data Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost:8443/spring-security-saml2-sample/saml/metadata' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.Validate() at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any insight will be helpful.
Based on what you outputted, it looks like ADFS 3.0. So, https://blogs.msdn.microsoft.com/samueld/2015/06/05/office-modern-auth-adfs-making-it-work/ should help you.
You should not have seen an issue on ADFS 2.0 if it is the same issue unless your ADFS environment is not using the defaults. To change local authentication type in ADFS 2.x see http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx
Thanks, Sam (#MrADFS)

Error using Active Directory in SonarQube

I've been trying to configure Sonar with Active Directory for a while with no luck so I was really excited to see the new LDAP 1.5 plug-in. Unfortunately it's still not working for me but it's so close! The lookup is successful but then something fails:
DEBUG web[w.s.NegotiateSecurityFilter] logged in user: CORP\My.UserName (S-1-5-21-1305660829-1405082133-723345943-15257)
DEBUG web[w.s.NegotiateSecurityFilter] roles: CORP\My.UserName, CORP\Domain Users, Everyone, BUILTIN\Administrators, BUILTIN\Users, NT AUTHORITY\NETWORK, NT AUTHORITY\Authenticated Users, NT AUTHORITY\This Organization, [etc.]
INFO web[w.s.NegotiateSecurityFilter] successfully logged in user: CORP\My.UserName
DEBUG web[o.s.p.l.w.s.s.SsoAuthenticationFilter] Validating authenticated user
DEBUG web[http] GET /sessions/new?return_to=%2F | time=1527ms
ERROR web[rails] Error from external users provider: exception Java::Com4j::ComException: 80040e37 (Unknown error) : A referral was returned from the server.
DEBUG web[http] GET /ldap/validate | time=1738ms
This was with the Negotiate protocol but I got the same error using the default NTLM protocol as well. Running Sonar 5.2.
The 1.5.1 update fixed this issue for me.
https://jira.sonarsource.com/browse/LDAP-49

Why is meekrodb class not working on google apps engine, but does work on local

I'm new to google-app-engine and I'm trying to migrate a PHP site that currently uses the meekrodb class for MySQL (http://www.meekro.com/) to connect to a DB stored with my webhost, with access enabled from any IP.
When I run the site on the local app-engine instance there are no issues, but when I deploy it I get a 500 error with the following log:
90.202.109.98 - - [12/Jul/2015:04:31:36 -0700] "GET / HTTP/1.1" 500 0 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36" "*.appspot.com" ms=145 cpu_ms=0 loading_request=1 exit_code=204 instance=00c61b117ce2904f41b4d706f60338b416a908e1 app_engine_release=1.9.23
The page being run was index.php and it did nothing except load up the class and DB attributes (which works fine alone), but when I add the following code:
DB::query('select * from places');
the error occurs, again only on the remote instance.
Any thoughts on why?
Figured it out, it's because my db is remotely hosted and Google doesn't allow that for free apps. I'd have to enable sockets. See https://stackoverflow.com/a/20254933/1254900