Active Directory Authentication - AcceptSecurityContext 52e

[sav2880]

Good Morning,

I'm having some trouble with Active Directory integration currently. I'm working on fixing up a previous attempt at getting this working, and currently when I attempt to login with credentials that are valid, I get the following error:

Unable to authenticate: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580

Now from reading posts from last year, I can see that this is due to invalid credentials. But, I've verified I'm using valid credentials. In looking at old posts on here, there appears to be things you can do to change debug settings to get a better idea of what's going on, but the specific files you change, I can't seem to find them in Nagios XI 5.2.1.

Is there a new place I can go to change the debug settings to better troubleshoot exactly why it's not getting correct credentials?

Thanks!

[rkennedy]

What version of the LDAP component are you running? (Admin -> Manage Components) I know that there were bugs fixed in previous versions, so upgrading might help. I believe you should be able to update this regardless of your XI version. Currently, I'm on 1.0.6.

Here's what we'll need from you for further debugging -

Add debugging:

Code: Select all

sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then, try to authenticate at the same time as you're running the following -

Code: Select all

tail -f /var/log/httpd/*error_log

Then, to turn it back off -

Code: Select all

sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

[sav2880]

Okay, we might have something here. My component is Version 1.0.4, so there's likely some room to update that. Where might I grab that up?

[rkennedy]

Navigate to Admin -> Manage Components -> Check for updates, you should see an available one for the LDAP component.

After updating, try again, and if no dice still - add the debugging and post back what you're seeing.

[sav2880]

Hmmm, no dice on that, but for an interesting reason. It has that component in there as a core function which in the page's words, "should not be removed or edited." I do have a ton of updates available though which I plan to go through, this one's just locked in the core functions.

Will a bump to 5.3.0 (might as well go as new as possible) bump this core component to 1.0.6? If so, I will start with that route tonight.

[rkennedy]

Ah, it might be a bundled component with the whole framework.

Yes, bumping things up to 5.3.0 should update this.

[sav2880]

No worries, I've already planned a time to do that here, so I'll push forward, do it tonight, and let you know how it goes.

[avandemore]

Sounds good - let us know how the upgrade goes.

[sav2880]

I think through looking at some other forum posts I've worked through the issues with upgrading, and now I've got a test server bumped up to 5.3.0, and that did update the core component to 1.0.6, so we're good there.

However now, instead of getting the error regarding AcceptSecurityContext, I'm not getting anything back at all. It just returns nothing and takes me back to the current page, this is even after entering Domain Admin credentials that should be able to return valid entries.

What error log can I look into to check into success or failure of the process? Definitely think I am getting closer.

Thanks!

[rkennedy]

What version of the LDAP component are you running? (Admin -> Manage Components) I know that there were bugs fixed in previous versions, so upgrading might help. I believe you should be able to update this regardless of your XI version. Currently, I'm on 1.0.6.

Here's what we'll need from you for further debugging -

Add debugging:

Code: Select all

sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then, try to authenticate at the same time as you're running the following -

Code: Select all

tail -f /var/log/httpd/*error_log

Then, to turn it back off -

Code: Select all

sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Please add the debugging I posted here, and then post the full result from the tail -f against your error_log. This should provide an output as to what's going on.