0 Replies Latest reply: Jan 28, 2013 12:59 PM by MaLau RSS

    EM12c: sporadic error while Microsoft Active Directory Based Authentication

    MaLau
      Hi,

      we decided to manage our Cloud Control(CC) accounts and privileges with our Active Directory(AD).
      Everything works fine (create an Authentication Provider, create AD-Groups and map them to CC-Roles etc.)

      From time to time the colleagues lament over problems with the log in and i faced them sometimes too.
      (it is no typing error - i think everybody is able to type in the right credentials after the fifth attempt!)
      Then they have to wait a minute and the problem disappears.

      When the log in fails in the described situations, the error message is really short. ("Authentication failed. If problem persists, contact your system administrator.)
      Message in + \gc_inst\user_projects/domains\GCDomain\ldap_trace.logATN:
      --------------------------------
      ldc=1757 op=7007 SearchResult {resultCode=10, errorMessage=0000202B: RefErr: DSID-0310063C, data 0, 1 access points
      ref 1: 'dc.<international_company_domain>'
      ^@, referrals=ldap://dc.<international_company_domain>/OU=01Groups,OU=CloudControl,OU=02Application,DC=dc,DC=<international_company_domain>}
      --------------------------------

      1. Any idea how to analyse it? Oracle Support told me that it is a LDAP-Error-Message so i work on the issue with our AD-administrators.

      How does the authentication really work with multiple providers(e.g. the order to find a AD-account) and many different domains?
      --> See System description at the end of the post at first.

      My own Active Directory[AD] User is also located in the international region sub-domain.

      So if i understand this right. When i try to log in with my user in CC Console with my credentials (AD-username and the corresponding pw), the principal-user will connect to a Domain-Controller of the domain a configured under host in the WebLogic Provider definition and search for my user and check if the pw is correct. (--> this is the <region>.<international_company_domain>)
      After that he will connect to a Domain Controller of the domain where the groups are located(dc.<international_company_domain>) and will check which groups i belong to, so that the privileges will be set correct.

      2. Is this understanding right?

      3. Are there other log-files with more details of the log in-process? In the ldap_trace.logATN it is difficult to find the start and the end of one login-process. Are there possibilities to increase the logging level?

      4. What happens when i configure 3 provider for different regions and the account is located in the second domain? Can someone describe the authentication-way?

      Thanks and regrads,
      Martin


      System Description:
      ------------------------------------------------------------------------------------------------------------------------------------
      EM Platform (OMS) 12.1.0.2.0
      Two OMS-Server(Oracle Enterprise-Linux 6.2) Environment with SLB-Config.

      Our Principal-User and the CC-groups which are used to map the CC-Roles to grant privileges to the Users were created in the DataCenter domain. (dc.<international_company_domain>)
      Most of the users i added to the groups are located in other international sub-domains <region>.<international_company_domain>

      Problem occurs with different internet browsers.
      ------------------------------------------------------------------------------------------------------------------------------------