Friday, October 5, 2012

SBL-SEC-10006: The authentication system cannot find the user with the specified username.



Applies to:


Siebel Life Sciences CRM - Version: 8.0.0.5 SIA [20420] and later   [Release: V8 and later ]
Information in this document applies to any platform.



Symptoms


Customer found that they are unable to connect to the Siebel
applications using Web Client after deploying a new language pack. In
the Object Manager log, we found the following errors:
SecAdptLog
3rdpartyTrace 3 000000074cfc0d50:0 2010-12-06 02:38:02
(IDirectorySearch*)182d54->ExecuteSearch() with Filter
'(&(objectClass=user)(uid=ANON_WEBUSER))' returns 0.
SecAdptLog
3rdpartyTrace 3 000000074cfc0d50:0 2010-12-06 02:38:04
(IDirectorySearch*)182d54->GetFirstRow(1833c0) returns 5012.
..
GenericLog
GenericError 1 000000074cfc0d50:0 2010-12-06 02:38:04 (secmgr.cpp
(2538) err=4597526 sys=0) SBL-SEC-10006: The authentication system
cannot find the user with the specified username. Please check that you
have entered the username correctly or contact your system administrator
for assistance.
ObjMgrSessionLog Error 1 000000074cfc0d50:0
2010-12-06 02:38:04 (physmod.cpp (9244)) SBL-DAT-00568: The
authentication system cannot find the user with the specified username.
Please check that you have entered the username correctly or contact
your system administrator for assistance.


Cause


During the investigation, we found that the UsernameAttributeType has been set to uid in the ADSISecAdpt



Solution


As per 'Bookshelf:Siebel Security Guide > Security Adapter Authentication > Configuring LDAP/ADSI Security Adapters'
Siebel
Username Attribute: The Siebel user ID attribute used by the directory.
An example entry for an LDAP directory is uid. An example entry for
ADSI is sAMAccountName (maximum length 20 characters).
If your
directory uses a different attribute for the Siebel user ID, enter that
attribute instead. Corresponds to the UsernameAttributeType parameter.

The issue is resolved after customer change the UsernameAttributeType to sAMAccountName








Applies to:


Siebel System Software - Version: 7.7.2.6 [18372] and later   [Release: V7 and later ]
Oracle Solaris on SPARC (64-bit)

This document was previously published as Siebel SR 38-3098870703.






Symptoms


SBL-UIF-00272, SBL-DAT-00539, SBL-DAT-00700, SBL-SEC-10018, SBL-SEC-10001, SBL-SEC-10002, SBL-SEC-10006

Hello,

We are using the LDAPSecAdpt to authenticate against an
Active Directory server.  When logging in with a wrong password on the
Siebel Field Service login page, we discovered that it would kick out
users, kill their Siebel sessions and give the following error:

The
server you are trying to access is either busy or experiencing
difficulties. Please close the Web browser, open a new browser window,
and try logging in again.[16:42:21]

Normally when logging in
with the wrong password, it would display an error message stating that
your User ID or Password is incorrect and allow you to retry.

Thanks!




Solution



Message 1


For the benefit of other readers:

Customer
started getting “Server Busy” error after applying 7.7.2.6 Fix Pack on
top of 7.7.2.3 whenever users type a wrong password in the login page
while using LDAP Security Adapter on Solaris platform to authenticate
end users against Microsoft Active Directory.

The following error messages can be found in the Application Object Manager log files:

(secmgr.cpp
(2340) err=7010006 sys=0) SBL-SEC-10006: The authentication system
cannot find the user with the specified username. Please check that you
have entered the username correctly or contact your system administrator
for assistance.
Login Status: Failed
(mainlgin.cpp (1436)) SBL-UIF-00272: The user ID or password that you entered is incorrect.
Please check the spelling and try again.
ldap_result(3abd060, 3, ..., 3475fc8) returns 97.
ldap_parse_result(..,
3475fc8, 49, 3512fb0, 80090308: LdapErr: DSID-0C09030B, comment:
AcceptSecurityContext error, data 52e, v893, 0, serverctrls, 1) returns
0.


[CONT 1/3...]


Message 2


[... CONT 2/3]


We
have configured the Siebel Dedicated Web Client to use ADSI Security
Adapter, and we got the following errors in the Dedicated Client log
files:

(IADs*)1d41a0->Get('userAccountControl') returns 8000500d.
SBL-DAT-00700: Unable to check flag 'Password never expires'.
User password status is 0.
SecurityLogin() return 3.
(secmgr.cpp (2288) err=7010018 sys=127) SBL-SEC-10018: Unable to check flag 'Password never expires'.(SBL-DAT-00700)
SecurityFreeCredentials(<?INT?>)
(secmgr.cpp
(2360) err=7010001 sys=0) SBL-SEC-10001: An internal error has occurred
within the authentication subsystem for the Siebel application. Please
contact your system administrator for assistance.
(secclnt.cpp (256)
err=7010002 sys=0) SBL-SEC-10002: Cannot perform the requested operation
due to an invalid security context. If you have already logged in,
please try to log in again or contact your system administrator for
assistance.

We found that this behavior was occurring because the
Application User did not have the required permissions on the directory
specified by Base DN parameter, as described in Bookshelf Version 7.7,
Rev. A (May 2005) > Security Guide for Siebel eBusiness Applications
> Chapter 6 – Security Adapter Authentication > Section Security
Adapter Deployment Options > Item Configuring the Application User.


[CONT 2/3...]


Message 3


[... CONT 3/3]


In
order to grant the necessary permissions, please have your AD
Administrator open Active Directory Users and Computers, right-click the
container specified by BaseDN parameter, and choose Delegate Control.
Add
the Application User, check name, and delegate at least “Create,
delete, and manage user accounts”, “Reset passwords on user accounts”
and “Read all user information” tasks.
In fact, if you right-click
the container, choose Properties, go to Security tab and click Advanced,
you should see the Application User with at least “Read All
Properties”, “Write All Properties”, “Create User Objects” and “Delete
User Objects” rights applied onto “This object and all its child
objects”.
The Security tab is only shown if you enable menu View > Advanced Features.

Application
Object Manager crashes have also been observed on other customers using
Group Policies on the Active Directory Server, after applying 7.7.2.6
Fix Pack on Solaris platform.
Please note that when running Siebel on
Solaris and using the LDAP Security Adapter to authenticate against
Microsoft Active Directory, account policies such as password expiration
are not supported.
For further details, please refer to Technical
Note 596: Configuring Siebel Applications on Solaris Implementations To
Authenticate Against Microsoft Active Directory.
In this case, please ensure Password Never Expires is set for all users on ADS.

Thank you,








Applies to:


Siebel System Software - Version 7.8.2.5 [19227] and later
z*OBSOLETE: Microsoft Windows Server 2003

Product Release: V7 (Enterprise)

Version: 7.8.2.5 [19227]

Database: Oracle 10.1.0.4

Application Server OS: Microsoft Windows 2003 Server SP1

Database Server OS: Sun Solaris 9



This document was previously published as Siebel SR 38-3383724421.







Symptoms


SBL-UIF-00272, SBL-SEC-10006


Hello,



We have an Active Directory Forest with the parent domain and a child domain.

We have created all Siebel staff users on the parent domain and Siebel
service accounts on the child domain and are trying to use them to
authenticate.

Any users from the parent domain can log into the child domain.



We can display the Graphical User Interface.

However, if you attempt to log into Siebel while integrated to the child domain, you receive the following error message:



The user ID or password that you entered is incorrect. Please check the spelling and try again.

(SBL-UIF-00272)



If you check the domain controller on the child domain, it shows that same user authenticating successfully.

Why am I not able to log into Siebel?



Thanks!



Cause


Bug 10462680







Solution



Message 1


For the benefit of other readers:



The current ADSI Driver developed by Siebel was not designed to support
an ADSI multi-domain environment, which means that the Siebel Security
Adapter architecture currently does not allow multi-domain
authentication via ADSI.

This functionality is not yet incorporated within the Siebel Application.

Also, please note that the use of Global Catalogs is not supported by
Siebel Technical Support, since the ADSI Security Adapter was not
designed to work with GC, and has not been tested by Siebel Engineering,
or certified by our Quality Assurance Team to work with a Global
Catalog.



In this case, we recommend one of the following approaches, which are in
agreement with how the ADSI Security Adapter is intended to work:



1. Create all Siebel users under one single domain within Microsoft
Active Directory, by moving all Service Accounts from the child domain
to the parent domain, for example, and then pointing parameters
ServerName and BaseDN to the parent AD Server.



2. If you require to maintain Siebel users spread into two distinct
domains, you can create a new Application Object Manager for each
domain, through the use of distinct Named Subsystems for each AOM, each
one pointing to its specific domain.





[CONT 1/2...]



Message 2


[... CONT 2/2]





For further details on the use of multiple domains on ADSI, please refer to the following SupportWeb postings:



    - Multiple Activer Directory Servers (Doc ID 528364.1)

    - ADSI Authentication Using Global Catalog Port 3268 (Doc ID 517259.1)

  

Bug 10462680 was previously logged to address this Enhancement Request, but they have not been implemented yet.

The information above is still true for Siebel Version 7.8 and 8.x.














Applies to:


Siebel CRM - Version: 8.1.1.1 SIA [21211] and later   [Release: V8 and later ]
Information in this document applies to any platform.



Goal



=== ODM Question ===


When user enters credentials for non-existent user that does not
exist in the LDAP directory, following error is reported in the UI:

"SBL-UIF-00272: The user ID or password that you entered is incorrect. Please check the spelling and try again.".

In the object manager log file, you will see errors in following order:

GenericLog
GenericError 000000064ce4172c 1: 0 11.17.2010 19:04:51 (secmgr.cpp
(2731) err = 4597526 sys = 0) SBL-SEC-10006: The authentication system
cannot find the user with the username specified. Make sure you typed
the user name correctly, or contact your system administrator for
assistance.

ObjMgrLog 000000064ce4172c Error 1: 0 17.11.2010
19:04:51 (mainlgin.cpp (1695)) SBL-UIF-00272: The logon username /
password pair entered is incorrect.
Re-enter the logon parameters.


How could we show force LDAP security adapter to display first error
message SBL-SEC-10006 on the login page when non-existent user tries to
login instead of last error message SBL-UIF-00272?



Solution



=== ODM Answer ===


Currently, it is not possible to customize or force LDAP to return
the second error message to the user.  An enhancement request 12-E29NSZ
was logged requesting to customize LDAP messages, however, Siebel
Engineering had declined such request and it was recommended that
customers write custom security adapter to trap the LDAP messages and
customize it.  In the vanilla product, it is not possible to customize
messages. Siebel is showing message what comes out of LDAP and this is
correct behavior.



In conclusion, it is not possible to modify the error messages or custom configure what comes out of the LDAP security adapter.














Applies to:


Siebel Workflow - Version: 7.7.2 SIA [18325] and later   [Release: V7 and later ]
z*OBSOLETE: Microsoft Windows 2000

Product Release: V7 (Enterprise)

Version: 7.7.2 [18325] Pub Sect

Database: Oracle 9.2.0.4

Application Server OS: Microsoft Windows 2000 Advanced Server SP 2

Database Server OS: Microsoft Windows 2000 Advanced Server SP 2



””Checked for Relevance on 13-01-2012””

This document was previously published as Siebel SR 38-2424118427.



Symptoms


SBL-DAT-00192, SBL-DAT-00227, SBL-DAT-00381, SBL-DBC-00111, SBL-SEC-10006TS,

We are using the OOTB workflows to allow users to register through eService. During
self registration, address information is requested. Sometimes this address information is being
written to the DB and some times it is not. One user seems to be able to create this at will from
his machine as well as other machines. I don't think it has anything to do with a machine but I
don't think we can rule anything out.

We have also run into an issue outlined in SR
38-2292561770. The country field that is being populated on the user registration screens is not
be captured when the address is written to the DB (when the address is committed to the
DB).

The workaround to address the country field not being populated works. However, this
is an OOTB workflow and making changes to make it work shouldn't have to be done. From my
perspective, this is a product defect.

And now I'm wondering if the country field issue
has anything to do with the address not being written sometimes.

Would like your input on
how to proceed and trouble shoot this issue.






Cause


Enhancement


Solution



Message 1


For the benefit of the other users:



Scenario:



When using LDAP as a security adapter the S_ADDR_PER_U1 index is being
violated with a duplicate key on the User Registration Process (New User
link).



This is basically happening because the Anonymous user Id is being used
instead of the new user Id. Based on that two different users that are
registering themselves thru the eService application with the same
address will generate a duplicate key and the address will not be
filled.



Workaround:



The field Calculated Address Name should be changed BC "Personal
Address" . The [Id] field should be added to the calculated value in
order to avoid the duplicate key. Please see bellow:



Left([Street Address],[Street Address Len]) + [Calculated Address
Comma1] + [City] + [Calculated Address Comma2] + [State] + [Id]



Change Request:


Bug 10501346 - Duplicate key on S_ADDR_PER table when using LDAP security adapter has been logged to address this behavior








Applies to:


Siebel CRM Service - Version 8.1.1.4 SIA [21225] and later
Information in this document applies to any platform.



Symptoms


Environment:

-------------------

Product Type: Siebel CRM Service

Version: 8.1.1.4 SIA [21225]

OS platform: N/S

DB: Microsoft SQLServer

Env type: Dev



Statement of Issue:

-----------------------------

An inbound web service is called using WS-Security's UserName Token
mechanism where the username and password are specified in the SOAP
request document. This works with database authentication. The
requirement is to use LDAP authentication. The following parameters are
set on the EAI OM:



Security Adapter Mode : LDAP

Security Adapter Name : LDAPSecAdpt

User Name : A3N7MZZ



When the web service is called, the EAI OM task is failing with an error.



Error:

-------

14:13:08 (secmgr.cpp (2731) err=4597526 sys=0) SBL-SEC-10006: Das
Authentisierungssystem kann den Benutzer mit dem angegebenen
Benutzernamen nicht finden. Stellen Sie sicher, dass Sie den
Benutzernamen korrekt eingegeben haben, oder wenden Sie sich an den
Systemadministrator.

14:13:08 Login failed for Login name : SADMIN



In English:

14:13:08 (secmgr.cpp (2731) err=4597526 sys=0) SBL-SEC-10006: The
authentication system cannot find the user with the specified username.
Please check that you have entered the username correctly or contact
your system administrator for assistance.

14:13:08 Login failed for Login name : SADMIN



Business Impact:

-------------------------

This has to be resolved because the customer uses LDAP to authenticate users.



Cause


SADMIN is not set-up as an LDAP user.





Solution


LDAP authentication was working for the Call Center application
object manager. The task log showed that the task authenticated
SiebelAnonUser and then authenticated the user that was logging into the
application (A3N7MZZ):



Security Adapter Mode : LDAP

Security Adapter Name : LDAPSecAdpt

User Name : SADMIN

14:47:55 LDAP SecurityLogin8 with username=SiebelAnonUser.

14:49:13 LDAP SecurityLogin8 with username=A3N7MZZ.



SiebelAnonUser is set-up as an LDAP user.



Eapps.cfg included the following:



[/callcenter_deu]

AnonUserName = SiebelAnonUser

AnonPassword = xxxxx



AnonUserName was not specified for the subsection [/eai_anon_deu]. As a
result, it was using the AnonUserName specified in the [defaults]
section, which was SADMIN.



The inbound web service call completed correctly when AnonUserName and
AnonPassword were specified in [/eai_anon_deu] and set to a user who was
set-up in LDAP.










No comments:

Post a Comment