Unable to authenticate on LEM manager: Invalid login

Updated January 13, 2017

Overview

After configuring LDAP/SSO, the following error displays:

Unable to authenticate on manager: example.dc.com Invalid login

Logging in with an Active Directory (AD) account from Windows works fine. 

Logging in as adserver.local\username does not work, however, and the manager.log shows the following error:

Flex authentication failed: Authentication request not handled

Environment

LEM 6.3.1+

Cause 

  1. This error occurs when there is a time difference between the LEM VM and Active Directory (the LDAP server). To verify, check the watchlogs from the CMC for errors related to Kerberos auth sessions.
  2. You are trying to use LDAPS and are not using the Primary DC as the LDAP host.

Resolution

Scenario 1:

By default, all LEM deployments (VMware/Hyper-V) get their time-sync from the VM host computer.

  • If the host is VMware ESX(i), it will get its time-sync from a local or Internet NTP server.
  • If the host is Hyper-V, and the Hyper-V server is a member of Active Directory, the VM host will get its time from Active Directory.

If the Hyper-V host is not a member of the domain, the host needs to get its time from an NTP server.

If time-sync from the host VM is not possible, be sure to clear the time-sync option on the VM host, and enable LEM to get its time directly from an NTP server.


To configure NTP time-sync via CMC console:

  1. Open a vSphere console (or PuTTY session on port 32022) to LEM.
  2. Enter the "appliance" menu.
  3. Enter the "ntpconfig" command, and follow the prompts to point to a local or Internet NTP server.
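
To confirm a clock difference like the one described under Cause 1, the following added example (not SolarWinds code) measures the SNTP offset between the machine it runs on and a domain controller, and compares it with the 5-minute Kerberos tolerance that Active Directory uses by default. The host name `dc01.example.local` and the 300-second limit are assumptions (domain policy can change the limit); to judge the LEM appliance itself, compare the time it reports against the same reference.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300       # assumption: AD default tolerance of 5 minutes


def ntp_to_unix(seconds, fraction):
    """Convert a 32.32 fixed-point NTP timestamp to Unix seconds."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def parse_sntp_reply(packet, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are local send/receive times.

    A positive offset means the local clock is behind the server.
    """
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    if packet[1] == 0:
        raise ValueError("stratum 0: server is not a usable time source")
    # Receive timestamp is at bytes 32-39, transmit timestamp at 40-47.
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def within_kerberos_tolerance(offset, max_skew=KERBEROS_MAX_SKEW):
    return abs(offset) <= max_skew


def query_skew(server, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) to server:123/udp."""
    request = b"\x1b" + 47 * b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        packet, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_sntp_reply(packet, t1, t4)


if __name__ == "__main__":
    offset, delay = query_skew(sys.argv[1])  # e.g. dc01.example.local (hypothetical)
    verdict = "OK" if within_kerberos_tolerance(offset) else "EXCEEDS Kerberos tolerance"
    print(f"offset {offset:+.3f}s, round trip {delay:.3f}s: {verdict}")
```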

 

Scenario 2:

  • If scenario 1 does not apply in your case, verify the LDAP/LDAPS configuration via http://yourlem:8080/mvc/configuration
  • Verify the FQDN for the LDAP and AD server name.
  • Use the IP address instead of the host name for the LDAP server.
  • If you have Primary and Secondary Domain Controller(s) and LDAP is configured to establish trust only from the PDC, you need to use the Primary DC as the LDAP hostname.
  • The internal certificate on your DC may have been changed. Go into the LDAP settings in LEM and save them again. If a new certificate is needed, you will be prompted to accept it.

Refer to this MS KB on how to troubleshoot LDAPS issues.

Last modified
10:38, 31 Aug 2017
