Unable to authenticate on LEM manager: Invalid login

Updated January 13, 2017

Overview

After configuring LDAP/SSO, the following error displays:

Unable to authenticate on manager: example.dc.com Invalid login

Logging in with an Active Directory (AD) account from Windows works fine. 

Logging in as adserver.local\username does not work, however, and the manager.log shows the following error:

Flex authentication failed: Authentication request not handheld

Environment

LEM 6.3.1+

Cause 

  1. This error occurs when there is a time difference between the LEM VM and Active Directory (the LDAP server). To verify, check the watchlogs from the CMC for errors related to Kerberos auth sessions.
  2. You are trying to use LDAPS and are not using the Primary DC as the LDAP host.

Resolution

Scenario 1:

By default, all LEM deployments (VMware/Hyper-V) get their time-sync from the VM host computer.

  • If the host is VMware ESX(i), it will get its time-sync from a local or Internet NTP server.
  • If the host is Hyper-V, and the Hyper-V server is a member of Active Directory, the VM host will get its time from Active Directory.

If the Hyper-V host is not a member of the domain, the host needs to get its time from an NTP server.

If time-sync from the VM host is not possible, be sure to clear the time-sync option on the VM host, and enable LEM to get its time directly from an NTP server.


To configure NTP time-sync via the CMC console:

  1. Open a vSphere console (or PuTTY session on port 32022) to LEM.
  2. Enter the "appliance" menu.
  3. Enter the "ntpconfig" command, and follow the prompts to point to a local or Internet NTP server.
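
To check how far a time source is from the clock Kerberos will compare against, the added example below (not SolarWinds code and not part of the original article) sends one SNTP request and computes the server-minus-local offset. It assumes the queried host answers SNTP on UDP port 123 and uses the Active Directory default Kerberos clock tolerance of 5 minutes, a value this article does not state; `build_reply` produces a constructed sample packet, not captured traffic.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW_SECONDS = 300        # assumption: AD default Kerberos clock tolerance (5 minutes)

def _ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def offset_from_reply(reply, t1, t4):
    """Server-minus-local offset in seconds; t1/t4 are local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:  # not a server reply, or server is unsynchronised
        raise ValueError("unusable reply (mode=%d, stratum=%d)" % (mode, stratum))
    t2 = _ntp_to_unix(*struct.unpack("!II", reply[32:40]))  # server receive timestamp
    t3 = _ntp_to_unix(*struct.unpack("!II", reply[40:48]))  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def kerberos_skew_ok(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit

def query_offset(server, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) to server:123/udp."""
    request = b"\x1b" + 47 * b"\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)

def build_reply(server_unix_time):
    """Constructed sample server reply (version 3, mode 4, stratum 2) for offline checks."""
    secs = int(server_unix_time) + NTP_EPOCH_DELTA
    return b"\x1c\x02" + 30 * b"\0" + struct.pack("!II", secs, 0) * 2

if __name__ == "__main__":
    off = query_offset(sys.argv[1])  # pass the domain controller or NTP server address
    print("offset %.3f s, within Kerberos tolerance: %s" % (off, kerberos_skew_ok(off)))
```

Run it from one workstation against both the domain controller and the NTP server given to `ntpconfig`; the difference between the two reported offsets is the skew LEM will have relative to Active Directory.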

 

Scenario 2:

  • If scenario 1 does not apply in your case, verify the LDAP/LDAPS configuration via http://yourlem:8080/mvc/configuration
  • Verify the FQDN for the LDAP and AD server name.
  • Use the IP address instead of the host name for the LDAP server.
  • If you have Primary and Secondary Domain Controller(s) and LDAP is configured to establish trust only from the PDC, then you need to use the Primary DC as the LDAP hostname.

Refer to this MS KB on how to troubleshoot LDAPS issues.

Last modified
05:23, 13 Jun 2017
