
Unable to authenticate on LEM manager: Invalid login

Updated January 13, 2017

Overview

After configuring LDAP/SSO, the following error displays:

Unable to authenticate on manager: example.dc.com Invalid login

Logging in with an Active Directory (AD) account from Windows works fine. 

Logging in as adserver.local\username does not work, however, and the manager.log shows the following error:

Flex authentication failed: Authentication request not handled

Environment

LEM 6.3.1+

Cause 

  1. This error occurs when there is a time difference between the LEM VM and Active Directory (the LDAP server). To verify, check the watchlogs from the CMC for errors related to Kerberos authentication sessions.
  2. You are trying to use LDAPS and are not using the Primary DC as the LDAP host.

Resolution

Scenario 1:

By default, all LEM deployments (VMware/Hyper-V) get their time-sync from the VM host computer.

  • If the host is VMware ESX(i), it will get its time-sync from a local or Internet NTP server.
  • If the host is Hyper-V, and the Hyper-V server is a member of Active Directory, the VM host will get its time from Active Directory.

If the Hyper-V host is not a member of the domain, the host needs to get its time from an NTP server.

If time-sync from the host VM is not possible, be sure to clear the time-sync option on the VM host, and enable LEM to get its time directly from an NTP server.


To configure NTP time-sync via the CMC console:

  1. Open a vSphere console (or PuTTY session on port 32022) to LEM.
  2. Enter the "appliance" menu.
  3. Enter the "ntpconfig" command, and follow the prompts to point to a local or Internet NTP server.
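
Active Directory's default Kerberos policy tolerates at most 5 minutes of clock difference, so the NTP source given to ntpconfig (or used by the VM host) must agree with the domain controller. The script below is an added example, not SolarWinds code: it compares the time served by two hosts over SNTP, assuming both answer on UDP 123; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300        # AD default Kerberos clock tolerance: 5 minutes
# Constructed sample reply (LI 0, version 3, mode 4, stratum 2, transmit time 1000.5 Unix seconds)
SAMPLE_REPLY = bytes([0x1C, 2]) + bytes(38) + struct.pack("!II", NTP_EPOCH_OFFSET + 1000, 1 << 31)


def parse_transmit_time(packet: bytes) -> float:
    """Return the server's transmit timestamp (Unix seconds) from an SNTP reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if packet[1] == 0:
        raise ValueError("stratum 0: server is unsynchronised or refusing service")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def query_server_time(host: str, timeout: float = 3.0) -> float:
    """Send one SNTP client request (version 3, mode 3) to host:123/udp."""
    request = b"\x1b" + 47 * b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
    return parse_transmit_time(reply)


def check_skew(reference_time: float, candidate_time: float, limit: int = KERBEROS_MAX_SKEW):
    """Return (skew_seconds, within_limit); positive skew means the candidate is ahead."""
    skew = candidate_time - reference_time
    return skew, abs(skew) <= limit


if __name__ == "__main__":
    # Usage: python skew_check.py <domain-controller> <ntp-source-for-LEM>
    dc, ntp = sys.argv[1], sys.argv[2]
    skew, ok = check_skew(query_server_time(dc), query_server_time(ntp))
    print(f"{ntp} vs {dc}: {skew:+.1f}s -> {'OK' if ok else 'exceeds Kerberos tolerance'}")
    sys.exit(0 if ok else 1)
```

The two queries run back to back, so the local clock of the machine running the script cancels out of the comparison.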

 

Scenario 2:

  • If scenario 1 does not apply in your case, then verify the LDAP/LDAPS configuration via http://yourlem:8080/mvc/configuration
  • Verify the FQDN for LDAP and AD server name
  • Use the IP address instead of the host name for the LDAP server
  • If you have Primary and Secondary Domain Controller(s) and LDAP is configured to establish trust only from the PDC, then you need to use the Primary DC as the LDAP hostname.
  • Your internal certificate on your DC may have been changed. Go into the LDAP settings in LEM and save them again. If a new certificate is needed, you will be prompted to accept it.

Refer to this MS KB on how to Troubleshoot LDAPS issues

 


 

 

 
