Troubleshooting
Product: ConnectXf
Version: All
Applies to: Administrators
Level: Advanced

Users unable to login via IMAP/POP or Web client when authentication is via external directory - MS ADS

The Connect Xf mail server can be configured to authenticate against an external directory, viz. MS ADS. This means that when a user connects to the server to access its services, the server in turn authenticates the user directly against the configured external directory server. Use this topic to troubleshoot situations where such users are unable to log in.

Symptoms

  • Users whose authentication is configured on the external directory, viz. MS ADS, are unable to log in via any protocol.

Diagnosis

Use the following steps to confirm that the configured connection between Connect Xf and MS ADS is working properly at all levels.

  • For the connector to work, Connect Xf stores the external directory information in the file /mithi/mcs/modules/mithi-bl/conf/server/ent/directoryservers.ini. From this file determine the following information:
ADS server ip
ADS base dn
ADS Admin dn
ADS Admin password

  • To get the information, follow these steps:
vi /mithi/mcs/modules/mithi-bl/conf/server/ent/directoryservers.ini
Locate the relevant configuration for the ADS server. The configuration block looks like the one below:
[ADSAuthServer]
ip=<ADS server ip>
basedn=<ADS base dn>
personalinfobasedn=<ADS base dn>
login=<ADS Admin dn>
password=<ADS Admin password>
...

Possible causes and solutions

Cause 1: Changes to the ADS parameters

  • Review the information above with the MS ADS administrator to confirm that none of these parameters has been changed on the MS ADS:
ADS server ip
ADS base dn
ADS Admin dn
ADS Admin password
  • Confirm that the parameters expected by MS ADS are entered correctly in this configuration file.

Cause 2: MS ADS server is not accessible

  • Confirm that the ADS server is reachable. The following command should open a TCP connection to the LDAP port (389) of the MS ADS server:
telnet <AD server IP> 389
  • If the telnet connection fails, diagnose the problem on the firewall, the network or the MS ADS server itself.

Cause 3: Wrong password entered by user

  • Using telnet, log in to the local IMAP server with the user's credentials (this in turn authenticates against the configured MS ADS server). To know more about how to log in to the IMAP server via the command line, see the corresponding topic.
  • If this does not work, reset the user's password on MS ADS and run the authentication test again. This normally happens when the user has forgotten their password.

Cause 4: Data or structure related issue

  • Do an ldapsearch from the Connect Xf server to the MS AD server IP using the command below. Here -D takes the ADS Admin dn and -w the ADS Admin password recorded in directoryservers.ini.
Syntax :
ldapsearch -vLLL -s sub -x -h <ADS IP Address> -p 389 -D "<Domain DN>" -b "<Base DN>" -w "<AD server password>" "(mail=*)" | more
For example :
ldapsearch -vLLL -s sub -x -h 10.6.0.38 -p 389 -D "cn=ad2ldap,cn=users,dc=myplanet,dc=cpx,dc=com" -b "OU=antartica,OU=world,OU=nature,OU=northpole,DC=myplanet,DC=cpx,DC=com" -w "XXXXXX" "(mail=*)"

  • If the above command succeeds, repeat it with the DN and password of the user who is unable to log in:
ldapsearch -vLLL -s sub -x -h <ADS IP address> -p 389 -D "<User DN>" -b "<Base DN>" -w "<User's password>" | more

For example :

ldapsearch -vLLL -s sub -x -h 10.6.0.38 -p 389 -D "CN=john,OU=Users,OU=antartica,OU=world,OU=nature,OU=northpole,DC=myplanet,DC=cpx,DC=com" -w "YYYY" -b "OU=antartica,OU=world,OU=nature,OU=northpole,DC=myplanet,DC=cpx,DC=com"
  • If the output is of the following type, the error lies somewhere in the MS ADS configuration:
LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece
  • Here the value after 'data' (531 in this case) gives the reason for the failure. The possible values (in hex) and their meanings are:
525     user not found
52e     invalid credentials
530     not permitted to logon at this time
531     not permitted to logon at this workstation
532     password expired
533     account disabled
701     account expired
773     user must reset password
775     user account locked
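The checks for Causes 2 and 4 and the data-code table above, combined into one script, as an added example that is not part of ConnectXf or the original page. It assumes the directoryservers.ini layout shown under Diagnosis, that nc and ldapsearch are installed on the Connect Xf server, and the helper names ads_param, ads_reason and ads_diagnose are our own.

```shell
#!/bin/sh
# Added helper (not part of ConnectXf): reads the ADS connector parameters from
# directoryservers.ini, checks the LDAP port, tries the admin bind from Cause 4
# and translates the "data NNN" code of an AD "error code 49" reply.

# ads_param FILE KEY: value of KEY inside the [ADSAuthServer] section of FILE
ads_param() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[ADSAuthServer]"); next }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# ads_reason "LDAP: error code 49 ... data 52e, vece": meaning of the data code
ads_reason() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | tr 'A-F' 'a-f')
    case "$code" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials" ;;
        530) echo "not permitted to logon at this time" ;;
        531) echo "not permitted to logon at this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "user account locked" ;;
        *)   echo "no AD data code found"; return 1 ;;
    esac
}

# ads_diagnose FILE: port check (Cause 2) followed by the admin-bind search (Cause 4)
ads_diagnose() {
    ip=$(ads_param "$1" ip); basedn=$(ads_param "$1" basedn)
    login=$(ads_param "$1" login); pw=$(ads_param "$1" password)
    nc -z -w 5 "$ip" 389 || { echo "port 389 on $ip not reachable"; return 2; }
    if out=$(ldapsearch -LLL -s sub -x -h "$ip" -p 389 -D "$login" -b "$basedn" \
                 -w "$pw" "(mail=*)" 2>&1); then
        echo "admin bind OK: $(printf '%s\n' "$out" | grep -c '^dn:') entries with mail"
    else
        echo "admin bind failed: $(ads_reason "$out" || echo "$out")"; return 3
    fi
}

# Constructed sample (not from a real server) so the helpers can run offline.
SAMPLE_INI=$(mktemp)
printf '[Other]\nip=1.2.3.4\n[ADSAuthServer]\nip=10.6.0.38\nbasedn=DC=myplanet,DC=cpx,DC=com\n' > "$SAMPLE_INI"
SAMPLE_ERR='LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece'
echo "sample ADS host: $(ads_param "$SAMPLE_INI" ip); error means: $(ads_reason "$SAMPLE_ERR")"
rm -f "$SAMPLE_INI"
# Live run: ads_diagnose /mithi/mcs/modules/mithi-bl/conf/server/ent/directoryservers.ini
```

The live run binds with the credentials from the ini file, so run it on the Connect Xf server itself and, as with the manual ldapsearch above, do not paste the output with the password into tickets.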

Getting verbose logs for web client authentication to help diagnosis

You can turn on verbose logging for the authentication module of the web client to get a detailed report on what the possible errors are during authentication.

To turn on DEBUG logging for the web client authentication module:

Open the log4j.properties file to enable the authentication debug log:
vi /mithi/mcs/components/mithi-java-utils/conf/server/log4j.properties

Add the line below and save the file:
log4j.logger.mithi.mcs.auth=DEBUG

Normally, after a few seconds, the catalina.out log starts showing DEBUG messages. Note: if this does not happen automatically, restart the tomcat service.

IMPORTANT: Don't forget to turn off DEBUG by commenting out or removing the line added in the step above once you are done diagnosing the problem. Leaving DEBUG on for the logs can severely impact performance.