KB-4263: Kerberos or NTLM fails sporadically

Centrify DirectControl, Centrify DirectControl Plugins

12 April,16 at 11:13 AM

Applies to:
 
Centrify DirectControl earlier than 5.1.3 on all platforms
 
Question:
 
Sporadic logon failures (Kerberos or NTLM) are observed when using the Centrify Apache/Tomcat module. The problem either goes away by itself without any action, or the workaround is to remove the custom attributes from the Apache module config.

The following lines are observed in the adclient debug log when the issue happens. What causes this?
 
Oct 29 10:24:28 localhost adclient[16705]: DEBUG <fd:28 CAPIAuthValidatePlainTextUser > base.adagent findByAttr: Found:username category:user attr=sAMAccountName
Oct 29 10:24:28 dal00puweb005 adclient[16705]: DEBUG <fd:28 CAPIAuthValidatePlainTextUser > util.except (System) : ADAttribute '_userPrincipalName' is empty (reference lrpc/adobject.cpp:73 rc: 1)
 
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > util.except (System) : ADAttribute 'sAMAccountName' is empty (reference lrpc/adobject.cpp:73 rc: 1) 
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > smb.rpc.rpcwrap Failed to find user or host 'yourdomain+username': ADAttribute 'sAMAccountName' is empty 
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > util.except (cims::RPC) : Unable to find user or host yourdomain+username: The specified user does not exist. (reference ../smb/rpcclient/rpcwrap.cpp:546 rc
 
Answer:
 
Users should *always* have a sAMAccountName attribute. The attribute gets lost because of a bug in the DirectControl local caching code. It is exacerbated by defining custom attributes for DirectControl web server plug-ins.

Customers should upgrade to DirectControl 5.1.3 or later. If they cannot upgrade and are using DirectControl web server plug-ins, custom attributes can be disabled as a workaround.
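The following script is an added example, not part of this KB article or Centrify's own tooling. It shows how an administrator can confirm the symptom described above before deciding to upgrade: it scans adclient debug output for `ADAttribute '<name>' is empty` exceptions raised inside a CAPIAuthValidate* (Kerberos or NTLM validation) context, counts them per context and attribute, and checks whether a DirectControl version string falls before the 5.1.3 fix. The line-shape regex is an assumption derived from the five log lines quoted in this article, not an official adclient log grammar, and the sample input is those same lines copied from the page, not live data.

```python
import re
from collections import Counter

# Sample adclient debug lines, copied from the KB article above (constructed sample, not live data).
SAMPLE_LOG = """\
Oct 29 10:24:28 localhost adclient[16705]: DEBUG <fd:28 CAPIAuthValidatePlainTextUser > base.adagent findByAttr: Found:username category:user attr=sAMAccountName
Oct 29 10:24:28 dal00puweb005 adclient[16705]: DEBUG <fd:28 CAPIAuthValidatePlainTextUser > util.except (System) : ADAttribute '_userPrincipalName' is empty (reference lrpc/adobject.cpp:73 rc: 1)
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > util.except (System) : ADAttribute 'sAMAccountName' is empty (reference lrpc/adobject.cpp:73 rc: 1)
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > smb.rpc.rpcwrap Failed to find user or host 'yourdomain+username': ADAttribute 'sAMAccountName' is empty
Nov 4 08:02:41 localhost adclient[3103]: DEBUG <fd:82 CAPIAuthValidateNtlmUser > util.except (cims::RPC) : Unable to find user or host yourdomain+username: The specified user does not exist. (reference ../smb/rpcclient/rpcwrap.cpp:546 rc
"""

# Assumption: this regex describes the line shape seen in the KB's sample lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) adclient\[(?P<pid>\d+)\]: "
    r"DEBUG <fd:(?P<fd>\d+) (?P<ctx>\S+) > (?P<msg>.*)$"
)
# Only the exception line carries "(reference ...)", so the later rpcwrap echo of the
# same message is not double counted.
EMPTY_ATTR_RE = re.compile(r"ADAttribute '(?P<attr>[^']+)' is empty \(reference")

# Attributes the KB says must never be missing on a user object.
KB4263_ATTRS = {"sAMAccountName", "_userPrincipalName"}
FIXED_IN = (5, 1, 3)  # DirectControl 5.1.3 or later contains the caching fix


def find_empty_attribute_events(log_text):
    """Return one dict per 'ADAttribute ... is empty' exception raised while adclient
    was validating a user (context name starts with CAPIAuthValidate)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        e = EMPTY_ATTR_RE.search(m.group("msg"))
        if e and m.group("ctx").startswith("CAPIAuthValidate"):
            events.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "pid": int(m.group("pid")),
                "ctx": m.group("ctx"),
                "attr": e.group("attr"),
            })
    return events


def summarize(events):
    """Count events per (validation context, attribute name)."""
    return Counter((ev["ctx"], ev["attr"]) for ev in events)


def matches_kb4263(events):
    """True when any auth-validation failure is caused by one of the attributes
    this KB says must always be present."""
    return any(ev["attr"] in KB4263_ATTRS for ev in events)


def affected_version(version):
    """True when a DirectControl version string (e.g. '5.1.2' or '5.0.4-387') is
    earlier than 5.1.3. Only the first three numeric components are compared."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_IN


if __name__ == "__main__":
    # Assumption: the version string is what the operator reads from the installed agent.
    installed = "5.1.2"
    evs = find_empty_attribute_events(SAMPLE_LOG)
    for (ctx, attr), n in sorted(summarize(evs).items()):
        print(f"{ctx}: ADAttribute '{attr}' empty x{n}")
    if matches_kb4263(evs) and affected_version(installed):
        print(f"Symptoms match KB-4263 and DirectControl {installed} predates 5.1.3: upgrade, "
              "or disable custom attributes in the web server plug-in as a workaround.")
```

Pointing the script at a real log instead of `SAMPLE_LOG` is a matter of reading the file into `find_empty_attribute_events`; a non-zero count for sAMAccountName or _userPrincipalName on an agent older than 5.1.3 is the combination this article describes.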
 