Defect #1820
closed
Authentication against AD from IdM will fail, if you use both connectors for search operation
Added by Roman Kučera over 5 years ago.
Updated about 4 years ago.
Description
It needs to be tested what is causing this issue. But it seems that when you want to use WinRM and AD for search together, you can't authenticate against AD.
How to test it:
- Configure an AD system via this connector and use scripts for local Exchange, for example
- Use both connectors options for search operation
- Configure IdM so authentication will be against AD system
- Try to log in - IdM will not log you in and you will see an error in the log.
affected version: all
workaround: Use only AD for search when you want to authenticate against AD. Then it's working correctly.
- Status changed from New to In Progress
- Assignee set to Roman Kučera
- Target version changed from version 1.0.2 to version 1.0.3
- Target version changed from version 1.0.3 to version 1.0.4
- Target version changed from version 1.0.4 to version 1.0.5
- % Done changed from 0 to 60
I did some testing with IdM 10.3.0 and the connector in version 1.0.5-SNAPSHOT, which is basically 1.0.4 but with updated Jackson dependencies.
I wasn't able to simulate this error.
- Tried to return only some log message from PowerShell
- Tried to return __UID__ and __NAME__ and SamAccountName values
- Tried to return some attribute which is not AD
Every time I was able to log in to IdM correctly. I checked the log files and there were no errors there either.
I will leave this ticket open for now, because we will test this feature again on the test environment of one of our customers.
It's possible that the issue which caused this was already fixed indirectly with some other bugfix in connector or in IdM.
- % Done changed from 60 to 70
I validated this behavior on the test environment with the same result.
So authentication is working correctly when you are using both methods for search operation.
The only downside is that login to IdM takes longer because we are waiting for WinRM search execution. I'll look into whether there is some way to speed up the process.
- % Done changed from 70 to 90
Roman Kučera wrote:
> The only downside is that login to IdM takes longer because we are waiting for WinRM search execution. I'll look into whether there is some way to speed up the process.
IdM performs a get before authentication, so there is currently no way to speed this up. If you have some big logic in the WinRM search script, then the user will wait. On our test environment, when I don't have any logic in PowerShell, just contacting WinRM and getting the output took 5s from clicking on "Log in" to the redirect to the dashboard.
Login with IdM password took 1,3s on the same environment.
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
- Affected versions version 1.0.1, version 1.0.2, version 1.0.3, version 1.0.4 added