LDAP authentication fails on CA NFA when integrated with NPC.

Document ID : KB000008014
Last Modified Date : 14/02/2018
Issue:

You will see the following in the SingleSignOnAuditlogDate file:

Username: xyz@xyz.com

Remember Me: false

SSO version: 7.0

Error Message: Unable to authenticate user.

Environment:
NFA 9.3.7 on Windows 2012 R2 and NPC 6.2.103 on Windows 2008 R2, with NFA added as a data source in NPC.
Cause:

CA Support will raise this with engineering; it is possibly a bug. This KB article will be updated with a bug reference if CA engineering considers it a bug.

Resolution:

It was found that the issue affects user logins of the form username@domain.com in NPC.

The user is created in NPC as username and is then synced down to NFA under that bare name.

When the user then tries to log in to NFA as username@domain.com, LDAP validation succeeds, but username@domain.com cannot be looked up in NFA, because the account is stored there only as username, without the domain.

You can, however, alter the sign-in-process.jsp file so that it removes the @domain.com suffix once LDAP validation has succeeded; the NFA lookup then finds the bare username and the LDAP login to NFA works.

Code to set in the sign-in-process.jsp file:

ldapAuthenticationPassed = ldapAuthentication.authenticate(username, password, session, singleSignOnWSSoap);

if (ldapAuthenticationPassed) {
    // NFA stores the account as the bare username, so drop any "@domain.com" suffix before the NFA lookup
    int atIndex = username.indexOf("@");
    if (atIndex != -1) {
        username = username.substring(0, atIndex);
    }
    password = StringUtils.EMPTY;
}

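The following Java class is an added example, not CA's code or the contents of sign-in-process.jsp. It models the lookup path the KB describes with a constructed stand-in for the NFA user table (the NfaLoginLookup class, NFA_USERS map and resolveNfaUser method are assumptions for illustration): LDAP accepts username@domain.com, the synced NFA table holds only the bare username, and the lookup fails until the suffix is stripped. The last line of main shows a side effect worth checking before applying the change: every domain's "xyz" resolves to the same NFA account, which is only acceptable when NPC syncs users from a single domain.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not CA's code. Models the post-LDAP lookup the KB describes.
 * The user table below is constructed sample data, not a real NFA export.
 */
public class NfaLoginLookup {

    // Constructed stand-in for the NFA user table synced down from NPC (bare usernames only).
    private static final Map<String, String> NFA_USERS = new HashMap<>();
    static {
        NFA_USERS.put("xyz", "Operator");
    }

    /** Removes an "@domain" suffix, as the sign-in-process.jsp change does. */
    public static String stripDomain(String username) {
        int atIndex = username.indexOf('@');
        return atIndex == -1 ? username : username.substring(0, atIndex);
    }

    /** Stand-in for the NFA lookup that runs after LDAP has already accepted the credentials. */
    public static boolean nfaUserExists(String username) {
        return NFA_USERS.containsKey(username);
    }

    /** Full post-LDAP step: strip the domain, then look up; returns the NFA user name or null. */
    public static String resolveNfaUser(String ldapLogin) {
        String bare = stripDomain(ldapLogin);
        return nfaUserExists(bare) ? bare : null;
    }

    public static void main(String[] args) {
        String login = "xyz@xyz.com";
        // Without the change: the full login name is looked up as-is and is not found.
        System.out.println("lookup of '" + login + "' as stored: " + nfaUserExists(login));
        // With the change: the suffix is removed first and the lookup succeeds.
        System.out.println("lookup of '" + login + "' after stripping: " + resolveNfaUser(login));
        // Side effect of stripping: a constructed login from another domain maps to the same NFA user.
        System.out.println("xyz@other.example resolves to: " + resolveNfaUser("xyz@other.example"));
    }
}
```

Run it with `javac NfaLoginLookup.java && java NfaLoginLookup`. If your NPC environment syncs users from more than one LDAP domain, the collapse shown by the last line means the JSP change should not be applied without first confirming that no two domains share a bare username.
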
Additional Information:

There could be other reasons why you have an authentication failure using LDAP/SSO. If unsure of the root cause and solution then please open a support case with CA support, and perhaps reference this technical document.