NetWorker is configured to use LDAPS external authentication.

When logging in to the NetWorker Management Console (NMC) with an AD/LDAP account, the following error appears:

    POST failed with HTTP-ERROR: 500 (Internal server error)
    POST failed with HTTP-ERROR: 404 (Could not parse server-response from JSON string)
    Verify that the authentication service on [server name] is running.

NOTE: The difference in HTTP error code depends on the NetWorker server version; however, the cause is the same.

- Local NetWorker user accounts (such as the default Administrator account) successfully log in to the NMC.
- There is no communication issue with the LDAP/AD server.
- Certificate was reimported (if configuration is over SSL).
The user account used for login was not in the LDAP user search results configured in NetWorker. As a result, NetWorker was unable to locate the user during the authentication process, causing the login attempt to fail even though the authentication service and local NetWorker accounts were functioning correctly.

To verify whether a user is visible through the configured LDAP domain, run the following command on the NetWorker server:

    authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=<tenantname> -D query-domain=<Domain name>

The affected user was not returned in the command output, confirming that the user was outside the configured LDAP search scope or was not a member of the LDAP group mapped for NetWorker authentication. The user could not be authenticated through LDAPS and was unable to log in to NMC.
1. Make sure that there is no communication issue between the NetWorker server and the LDAP/AD server.

   For Linux hosts, or Windows hosts with openssl installed:

       openssl s_client -connect <LDAP_Server>:636
       openssl s_client -connect <LDAP_Server>:389

   For Windows hosts that do not have openssl installed:

       curl.exe -kv <LDAP_Server>:636
       curl.exe -v <LDAP_Server>:389

2. Validate LDAP Domain Configuration

   Run the below from an elevated prompt on the NetWorker server:

       authc_config -u Administrator -e find-all-configs
       authc_config -u Administrator -e find-config -D config-id=CONFIG-ID-FROM-ABOVE-COMMAND

   Verify:

   - Configuration Tenant Id: Tenants can be used in environments where more than one authentication method may be used or when multiple authorities must be configured. Creating a tenant is optional. You can use the default tenant, config-tenant-id=1. When the default tenant is used, you can log in to the NMC using "domain\user". When a tenant other than the default is used, you must specify it during authentication: "tenant\domain\user".
   - Is Active Directory: If you are using a Microsoft Active Directory (AD) server: true. If you are using an LDAP server (e.g. OpenLDAP): false. If this is set incorrectly, see: NetWorker: AD over SSL (LDAPS) NetWorker Login Fails With HTTP 404 or HTTP 500
   - Configuration Domain: This is the domain name that is used for logging in to NetWorker, for example: networker.lan. This field should match the Domain Component (DC) values of the domain.
   - Configuration Server Address: The server and port used to process domain authentication requests. Port 389, not encrypted. Port 636, SSL encrypted (LDAPS).
   - Configuration User DN: Specify the full Distinguished Name (DN) of a user account that has full read access to the LDAP or AD directory, for example: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com.
   - Configuration User Search Path: This field can be left blank, in which case AUTHC can query the full domain. Permissions must be granted for NMC/NetWorker server access before these users/groups can log in to the NMC and manage the NetWorker server.
   - Configuration User ID Attribute: The user ID that is associated with the user object in the LDAP or AD hierarchy. For LDAP, this attribute is commonly uid. For AD, this attribute is commonly sAMAccountName.
   - Configuration User Object Class: The object class that identifies the users in the LDAP or AD hierarchy. For example, inetOrgPerson (LDAP); user or person (AD).
   - Configuration Group Search Path: Like the User Search Path field, this field can be left blank, in which case AUTHC is capable of querying the full domain. If a Base DN was specified in the config-server-address, specify the relative path (excluding the Base DN) to the domain.
   - Configuration Group Name Attribute: The attribute that identifies the group name. For example, cn.
   - Configuration Group Object Class: The object class that identifies groups in the LDAP or AD hierarchy. For LDAP, use groupOfUniqueNames or groupOfNames. NOTE: There are other group object classes aside from groupOfUniqueNames and groupOfNames. Use whatever object class is configured in the LDAP server. For AD, use group.
   - Configuration Group Member Attribute: The group membership of the user within a group. For LDAP: when the Group Object Class is groupOfNames, the attribute is commonly member; when the Group Object Class is groupOfUniqueNames, the attribute is commonly uniquemember. For AD, the value is commonly member.
   - Configuration User Search Filter (optional): The filter that the NetWorker Authentication Service can use to perform user searches in the LDAP or AD hierarchy. RFC 2254 defines the filter format.
   - Configuration Group Search Filter (optional): The filter that the NetWorker Authentication Service can use to perform group searches in the LDAP or AD hierarchy. RFC 2254 defines the filter format.
   - Configuration Search Subtree (optional): A true or false value that specifies if the external authority should perform subtree searches. Default value: true
   - Configuration User Group Attribute (optional): This option supports configurations that identify the group membership for a user within the properties of the user object. For example, for AD, specify the attribute memberOf.
   - Configuration Object Class (optional): The object class of the external authentication authority. RFC 4512 defines the object class. Default value: objectclass.

   NOTE: Each of the configuration parameters must be validated; however, the issue in this specific article is related to search path configurations.

3. If either User or Group Search Paths are used in the external authentication configuration, validate that the user facing issues in NetWorker is part of the User and Group Search Paths specified. This can be done from the AD/LDAP server. For example, from the AD server:

   User Path:

       Get-ADUser -Identity UserName | Select-Object DistinguishedName

   Example:

       PS C:\Users\Administrator> Get-ADUser -Identity bkupadmin | Select-Object DistinguishedName

       DistinguishedName
       -----------------
       CN=Backup Administrator,CN=Users,DC=networker,DC=lan

   Group Path:

       Get-ADUser -Identity UserName -Properties MemberOf | Select-Object -ExpandProperty MemberOf

   Example:

       PS C:\Users\Administrator> Get-ADUser -Identity bkupadmin -Properties MemberOf | Select-Object -ExpandProperty MemberOf
       CN=NetWorker_Admins,OU=DELL,DC=networker,DC=lan

   If both User and Group Search Paths are used, then the user must be part of the search path. Typically, NetWorker permissions are assigned to domain groups. The domain group used to assign permissions in NetWorker must be part of the group search path. Paths that do not reside beneath the search path specified are not visible to NetWorker AUTHC and thus result in an HTTP error when trying to authenticate the user.

   There are two options:

   - Option One: Correct the configuration in AD/LDAP so that the user and group are part of the search paths configured in NetWorker.
   - Option Two: Change the search path configuration in NetWorker so that AUTHC can see the user and group paths for the impacted users or groups.

   Using blank search path fields means that NetWorker can read the entire domain organization; however, in large or busy domain environments this can result in authentication delays or errors. Consider the options that are most appropriate for your environment.

4. After performing one of the above options, validate that the user is visible to AUTHC. From an elevated prompt on the AUTHC server run:

       authc_mgmt -u Administrator -e query-ldap-users -D query-tenant=<TenantName> -D query-domain=<DomainName>
       authc_mgmt -u Administrator -e query-ldap-groups-for-user -D query-tenant=<TenantName> -D query-domain=<DomainName> -D user-name=<UserName>

   NOTE: See command output from step 2 for correct tenant and domain values.

   If the user is still not returned in the query results, engage the AD/LDAP administrators to verify the user's location (Distinguished Name/OU path) and group membership within Active Directory. Ensure that the user's account resides within the configured LDAP search scope and is a member of the appropriate LDAP group mapped for NetWorker authentication. Once the user appears in the query-ldap-users output, reattempt the login and confirm successful authentication to the NetWorker Management Console (NMC).
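The search-path check described above can be done offline before changing anything in AD or NetWorker. The following is an added example, not Dell or NetWorker code: it compares the DNs returned by Get-ADUser with a user and group search path. It assumes the search path is relative to the Base DN (as the article states for the group search path) and models a disabled Search Subtree as a one-level search; the function names and the sample search paths are constructed for illustration.

```python
# Constructed example: check DNs against AUTHC-style search paths.
def split_rdns(dn):
    """Split a DN into lowercased (attr, value) RDNs; a backslash escapes a comma."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    parts.append(cur)
    pairs = (p.partition("=") for p in parts if p.strip())
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in pairs]

def search_base(search_path, base_dn):
    """Assumption: a blank path means the whole Base DN; else path is relative to it."""
    path, base = split_rdns(search_path), split_rdns(base_dn)
    if base and path[-len(base):] == base:   # path was already given as a full DN
        return path
    return path + base

def in_scope(entry_dn, base, subtree=True):
    """True if the entry lies beneath base (direct children only when subtree=False)."""
    entry = split_rdns(entry_dn)
    if len(entry) <= len(base) or entry[len(entry) - len(base):] != base:
        return False
    return subtree or len(entry) == len(base) + 1

def check_visibility(user_dn, member_of, base_dn, user_path="", group_path="", subtree=True):
    ubase, gbase = search_base(user_path, base_dn), search_base(group_path, base_dn)
    return {
        "user_visible": in_scope(user_dn, ubase, subtree),
        "visible_groups": [g for g in member_of if in_scope(g, gbase, subtree)],
        "hidden_groups": [g for g in member_of if not in_scope(g, gbase, subtree)],
    }

# DNs from the article's Get-ADUser output; the search paths below are constructed.
USER_DN = "CN=Backup Administrator,CN=Users,DC=networker,DC=lan"
MEMBER_OF = ["CN=NetWorker_Admins,OU=DELL,DC=networker,DC=lan"]
BASE_DN = "DC=networker,DC=lan"

if __name__ == "__main__":
    for gpath in ("OU=Groups", "OU=DELL", ""):
        result = check_visibility(USER_DN, MEMBER_OF, BASE_DN, "CN=Users", gpath)
        print(f"group search path {gpath!r}: {result}")
```

A group listed under hidden_groups is the case this article covers: the account exists and the directory is reachable, but the group that carries the NetWorker permissions sits outside the configured group search path.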