
This blog introduces how to diagnose Agile PLM related issues.

  • July 28, 2014

An example to show how to use 3rd party tools to diagnose Agile PLM LDAP problem

Jie Chen
Senior Principal Technical Support Engineer

If the LDAP configuration in Agile PLM is set up correctly and the expected LDAP user accounts have been synchronized to the system, but an LDAP user is still unable to log on to Agile, the cause may be a setting on the LDAP server itself.
This article demonstrates how to use several third-party tools to diagnose such an LDAP authentication issue.

We usually get the error trace below in the Agile PLM server log, but it does not help much because the real error message (and error code) is wrapped and customized by Agile and is invisible from outside.

<2014-07-09 00:48:11,107>  Login failed for user : fg3bvj
Actual message : Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error!
14/07/09 00:48:11 Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error!
14/07/09 00:48:11 com.agile.util.exception.CMAppException: Authentication Failed. Please make sure the username and password are correct! Job was cancelled due to this error!
14/07/09 00:48:11 at com.agile.admin.ldap.DirService.getFailOverDirContext(DirService.java:300)
14/07/09 00:48:11 at com.agile.admin.ldap.DirService.checkUserAuthentication(DirService.java:1480)
14/07/09 00:48:11 at com.agile.admin.ldap.DirService.validateCredentials(DirService.java:246)

In this case we have to use Wireshark (or tcpdump on Linux) to capture the TCP packets for troubleshooting. First, we validate that Agile hands over the right LDAP user account and password to the LDAP server.

From the screenshot above we can see that it does.

Packet 7703 is the response to packet 7702 and carries the LDAP server's authentication result. It says invalidCredentials (49), which means the LDAP server rejected the bind internally.

LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1)

The error data value 531 is defined by the LDAP server vendor only. Since this server is Microsoft Active Directory, we have to consult Microsoft to decode it.
We download the Err program from http://www.microsoft.com/en-us/download/details.aspx?id=985 and get the detailed explanation of the error.

err 0x531
# for hex 0x531 / decimal 1329 :
ERROR_INVALID_WORKSTATION winerror.h
# Logon failure: user not allowed to log on to this computer.
# 1 matches found for "0x531"

The "computer" here is not the user's own working machine; it is the Agile application server machine, from which Agile communicates with the LDAP server in the back end. In this scenario the Agile server runs Linux, so the problem may be that the LDAP server does not allow the user to log on to AD from a Linux machine.
Going through the AD attributes on the Microsoft website http://msdn.microsoft.com/en-us/library/ms680868(v=vs.85).aspx, we find the attribute User-Workstations, which says:

User-Workstations attribute
Contains the NetBIOS or DNS names of the computers running Windows NT Workstation
or Windows 2000 Professional from which the user can log on.
Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.

Again we use another tool, Softerra LDAP Browser, to view the attribute values of the problematic user "fg3bvj" and get the value below.

Clearly the AD administrator has prevented this user from logging on to AD from other, unauthorized machines. The solution is to add the Linux host name of the Agile server to userWorkstations, or to remove all of its values.
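As an added example (not part of the original article or of Agile PLM), the Python helper below performs the two interpretations done by hand above: it decodes the AD "data NNN" sub-code from the bindResponse diagnostic message that Agile's log hides, and it checks a bind host against a userWorkstations value. The host names are constructed samples, and the sub-code table lists other documented AD codes beyond the 0x531 seen here.

```python
import re

# Hexadecimal sub-codes that Active Directory appends as "data NNN" to the
# diagnostic message of an invalidCredentials(49) bindResponse. 0x531 is the
# one from the capture above; the others are documented AD siblings.
AD_BIND_DATA_CODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found"),
    "52e": ("ERROR_LOGON_FAILURE", "invalid credentials (bad password)"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    "531": ("ERROR_INVALID_WORKSTATION", "user not allowed to log on to this computer"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def diagnose_bind_response(result_code, diagnostic_message):
    """Explain an LDAP bindResponse (result_code 49 = invalidCredentials)."""
    if result_code != 49:
        return {"result_code": result_code, "data": None,
                "reason": "not an invalidCredentials failure"}
    m = DATA_RE.search(diagnostic_message or "")
    if not m:
        # Non-AD servers (or AD without the comment) return bare resultCode 49.
        return {"result_code": 49, "data": None,
                "reason": "invalidCredentials, no vendor sub-code"}
    data = m.group(1).lower()
    name, meaning = AD_BIND_DATA_CODES.get(data, ("UNKNOWN", "unlisted AD sub-code"))
    return {"result_code": 49, "data": data, "winerror": name, "reason": meaning}

def host_allowed_by_user_workstations(user_workstations, bind_host):
    """Apply the userWorkstations rule: an empty value means no restriction;
    otherwise the comma-separated NetBIOS/DNS names must include the machine
    performing the bind (the Agile application server, not the end user's PC).
    Assumption: a DNS host matches by its full name or its first label."""
    if not user_workstations or not user_workstations.strip():
        return True
    allowed = {n.strip().lower() for n in user_workstations.split(",") if n.strip()}
    host = bind_host.lower()
    return host in allowed or host.split(".")[0] in allowed

# Constructed sample: the diagnostic string seen in the Wireshark capture above.
SAMPLE_DIAG = ("80090308: LdapErr: DSID-0C0903A9, comment: "
               "AcceptSecurityContext error, data 531, v1db1")
```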
