VOM Authentication with Active Directory

Created: 30 Jul 2012 • Updated: 17 Aug 2012 | 8 comments
This issue has been solved. See solution.

We've had VOM installed for a while and I thought I'd got the authentication working with AD all setup but it appears that only local administrators on the VOM server (Windows 2008 R2) are allowed to logon to VOM via the web interface.

VOM seems to be talking to AD ok as it's happy to create a new security group based on what is in AD; it just appears to ignore it when users try to log on who are not members of the local admins group.


I did see some KB article relating to this in 4.0 but we have 4.1 with all the latest hotfixes installed. It was upgraded from 4.0 though so maybe this is the problem.

Would really appreciate any help on this as we want to allocate sub-permissions to certain groups of admins and until I get this fixed we can't do it.


Thanks


Matt

8 Comments

ashirodk:

Hi,

Was the AD added as a separate LDAP server or is it configured as a domain on the MS box?


Regards,

Amit.

Nikhil Kaplingat:

What is the exact error you are seeing while trying to log in with the non-administrator account? Is it "Failed to authenticate client.Username/Password/Domain is incorrect." or "Failed to Log in. User is not Authorized." or something different?

Relevant log snippets from WebDebugLog.txt.0 and vxatd.log on the CMS host immediately after a login attempt will be helpful.

matthew_smith:

I'm getting "Failed to Log in. User is not Authorized" but I know it's talking to the domain because if I deliberately type an incorrect password I do get "Failed to authenticate client.Username/Password/Domain is incorrect."

Not sure which bits you need from the log (and some of it might be sensitive I guess) but these look relevant from the WebDebugLog.txt.0 file.

[<2012-08-01 08:40:36>:<142802246>:<SEVERE><vrts.ob.web.core.mode.PluginViewManager>:<validateUser>:<EXCEPTION message: Credential is NULL for user: 


[<2012-08-01 08:40:36>:<142802246>:<WARNING><vrts.ob.web.core.exception.XErrorWeb>:<getLocalErrorDescription>:<Error while processing user given ResourceBundle from cat directory: null>]
[<2012-08-01 08:40:36>:<142802246>:<SEVERE><vrts.ob.web.core.InitializationServlet>:<validateUser>:<EXCEPTION stacktrace: Error during authentication ><>
Error: 0xcffd0049 Facility: 0xffd Severity: 0x3 Error number: 0x49 Failed to Log in. User is not Authorized.
at vrts.ob.web.core.mode.PluginViewManager.validateUser(PluginViewManager.java:357)
at vrts.ob.web.core.InitializationServlet.validateUser(InitializationServlet.java:642)
at vrts.ob.web.core.InitializationServlet.initialize(InitializationServlet.java:488)
at vrts.ob.web.core.InitializationServlet.processRequest(InitializationServlet.java:423)
at vrts.ob.web.core.InitializationServlet.doPost(InitializationServlet.java:582)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at vrts.ob.web.core.utils.I18NFilter.doFilter(I18NFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(null:-1)
>]
 
Previous to these errors I can see that it enumerates all the groups that my account is a member of correctly, so it's talking to my AD servers fine.
 
From the vxatd.log I can only see these lines that may be relevant...
 
Aug 01 08:51:16 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) Warning! Unable to Load Unified Logging settings.
Aug 01 08:51:16 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) Check if Unified Logging configuration exists for ProductID 50826 and OriginatorID 18.
Aug 01 08:51:16 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) ####################################################################
Aug 01 08:51:16 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) New thread spawned to handle the client request.
Aug 01 08:51:17 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) Finished handling client request.Thread exiting.
Aug 01 08:51:17 2012:50826,18,0,7584,14704,debug,AT,7: (7584|14704) ######################################################################
 
Thanks for any help you can give.
 
Matt
 
Nikhil Kaplingat:

So authentication is successful, but authorization is failing, which means the issue is most likely with security groups.

Hope you have already set up the security groups as per the howto here:

http://www.symantec.com/docs/HOWTO31286

The howto describes the Unix case, but the concept applies to Windows as well.

In the logs, you mentioned that all the groups belonging to the account are enumerated. Of those, which group was used to create the security group in VOM? Did you try creating security groups for all the enumerated groups and logging in?
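As an added example (not code from this thread or from VOM), a small Python triage script that applies the authentication-versus-authorization distinction above to WebDebugLog.txt.0 lines: it tells the two failure messages apart and decodes the error code into the same fields VOM prints. The bit layout (severity in the top 2 bits, 12-bit facility, 16-bit error number) is inferred from the 0xcffd0049 decomposition quoted earlier and is an assumption; the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the WebDebugLog.txt.0 lines and UI messages
# quoted in this thread; not taken from a real CMS host.
SAMPLE_LOG = (
    "[<2012-08-01 08:40:36>:<142802246>:<SEVERE><vrts.ob.web.core.InitializationServlet>"
    ":<validateUser>:<EXCEPTION stacktrace: Error during authentication ><>\n"
    "Error: 0xcffd0049 Facility: 0xffd Severity: 0x3 Error number: 0x49 "
    "Failed to Log in. User is not Authorized.\n"
    "Failed to authenticate client.Username/Password/Domain is incorrect.\n"
    "New thread spawned to handle the client request.\n"
)

ERROR_RE = re.compile(r"Error:\s*0x([0-9a-fA-F]{8})")

# Next step for each failure stage, from a defender's point of view.
HINTS = {
    "authentication": "Broker rejected the credentials: check username, password and "
                      "domain, and confirm the domain is added and enabled in VOM.",
    "authorization": "Credentials accepted but no matching VOM security group/role: "
                     "confirm the user's AD group is the one the security group was "
                     "created from and that the group is mapped to a role.",
}


def decode_error(code: int) -> Dict[str, int]:
    """Split a 32-bit VOM error code into severity / facility / error number.
    Layout is an assumption inferred from how VOM prints 0xcffd0049."""
    return {"severity": code >> 30,
            "facility": (code >> 16) & 0xFFF,
            "number": code & 0xFFFF}


def classify(line: str) -> Optional[str]:
    """Return the login stage a log line reports a failure for, or None."""
    if "User is not Authorized" in line:
        return "authorization"
    if "Failed to authenticate client" in line:
        return "authentication"
    return None


def triage(log_text: str) -> List[Tuple[str, Optional[Dict[str, int]], str]]:
    """Walk the log and return (stage, decoded code or None, hint) per failure."""
    findings = []
    for line in log_text.splitlines():
        stage = classify(line)
        if stage is None:
            continue
        m = ERROR_RE.search(line)
        decoded = decode_error(int(m.group(1), 16)) if m else None
        findings.append((stage, decoded, HINTS[stage]))
    return findings
```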

RodP:

Matthew:


I see that you have not selected a solution to your question. The entire method to complete the configuration is detailed in a knowledge article so you can confirm you completed all the steps to allow the process to complete.

The process, simplified a bit, is to authenticate a user and validate credentials with the login authority (domain and broker), and then verify authorization within the application to content based on security group membership added to a role, with a scope based either across the domain or on defined assets grouped into a Business Entity (previously defined), and turn views access on or off.

Assuming you have completed all the steps and there is no access to the application, then ensure the desired user is in fact a member of the defined security group in VOM which matches a group definition on a broker within a domain, as these must match and pass the validity check when creating.


Your error: <SEVERE><vrts.ob.web.core.InitializationServlet>:<validateUser>:<EXCEPTION stacktrace: Error during authentication ><>

Error: 0xcffd0049 Facility: 0xffd Severity: 0x3 Error number: 0x49 Failed to Log in. User is not Authorized.

indicates this did not occur correctly.

Note: following the process in the article would also have you enable the Domain you have added which is required.


SOLUTION
matthew_smith:

I found this article previously and it did fix the problem but not in the way I had hoped.

Under VOM 3.1 I think you only had the choice of authenticating using LDAP but from VOM 4 onwards it allowed the configuration of "NT" authentication. This is what I was trying to get to work as it seemed a simpler way to achieve what I wanted.

In this case I was wrong as the "NT" style of authentication just doesn't seem to work despite it being able to detect all our domains and any groups within those domains.

In the end I configured LDAP for our domain and it works fine, but it would be a pain to set this up for a large number of domains.

Thanks for your help.

Matt

RodP:

Matt:


The NT Active Directory configuration is tricky in two parts. I configured one New Domain to the resource domain and it worked, but since users are not part of that domain none could log in to the VOM (Veritas Operations Manager) console even though I created an AD group and added them. The other issue was that I used a subdomain for my context as the users I wanted to add were in there, but then later when I desired to add other users from a higher hierarchy in the tree I was thwarted since my context was too low to allow authentication above my context.

We had an issue with this in the old version and created a patch for VOM 3.1; it was fixed later and LDAP instructions were provided for VOM 4.1. We now have a new version released and available for download (requires your serial key), with LDAP instructions also posted for the VOM 5.0 version.

Since your stated goal is to use AD authentication I suggest two actions to remedy this, and we can hopefully assist you in the configuration to gain the use of the product you desire.

First, you should download and upgrade to VOM 5.0, but there is a caveat if you use md5 encryption with PAM authentication on the Solaris 10 64-bit platform for the CMS (Central Management Server), and I can point you to some new libraries. Second, we should know the context (the parent of the user's domain) that you wish to have authenticated in the VOM console.

My suggestion in any domain is to create groups that correspond to a role you would like to use (Domain Admin, Domain Operator, Guest) in the authentication hierarchy and add users into those groups, as all group members are granted the role you allow when adding a Security Group.

If you open a support case with Symantec they can assist you via an interactive tool such as WebEx to ensure you attain the configuration you desire.


I hope the new information is useful.


Rod
