IBM Security Verify

​Respected fellows,

We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

HPDIA0114E Could not acquire a client credential.

However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

Hope to hear,

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------

Hi Jahanzaib,

This behavior sounds to me as if the TCP connection to the AD timed out on a firewall. So ISAM still tries to use the old connection which is discarded on the firewall. After this request timed out ISAM will open a new connection and so subsequent requests work. Check your firewall logs and decrease the TCP keepalive intervall on ISAM via advanced tuning parameters. You can set sysctl parameters via advanced tuning parameters.
Try playing around with the following parameters:
sysctl.net.ipv4.tcp_keepalive_time
sysctl.net.ipv4.tcp_keepalive_probes
sysctl.net.ipv4.tcp_keepalive_intvl

Best regards,

------------------------------
Laurent LA Asselborn
------------------------------

Original Message:
Sent: Sun October 06, 2019 04:24 PM
From: Jahanzaib Sarwar
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

​Respected fellows,

We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

HPDIA0114E Could not acquire a client credential.

However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

Hope to hear,

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------

Try changing on your policy server ldap.conf connection-inactivity.
You may have to play a bit with the timing but this should fix your problem. I would not recommend using advanced tuning unless its directed by support via case. 

# The following parameter specifies the connection inactivity time, in seconds,
# after which an unused connection to the LDAP server will be taken down.
# A value of zero (0) indicates that inactivity will not be tracked
# and the connection will remain established (permanent).
# The default is zero (0) meaning connections are permanent.
connection-inactivity = 20

------------------------------
Robert Graham
Cloud Security Consultant
IBM
(330) 314-5946
------------------------------

Original Message:
Sent: Sun October 06, 2019 04:24 PM
From: Jahanzaib Sarwar
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

​Respected fellows,

We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

HPDIA0114E Could not acquire a client credential.

However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

Hope to hear,

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------

​Hi Laurent and Robert,

Thank you for the help.

As suggested by Robert, I changed the policy server ldap.conf connection-inactivity parameter and it solved the problem.

Thank you.

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------

Original Message:
Sent: Tue October 08, 2019 09:28 AM
From: Robert Graham
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

Try changing on your policy server ldap.conf connection-inactivity.
You may have to play a bit with the timing but this should fix your problem. I would not recommend using advanced tuning unless its directed by support via case. 

# The following parameter specifies the connection inactivity time, in seconds,
# after which an unused connection to the LDAP server will be taken down.
# A value of zero (0) indicates that inactivity will not be tracked
# and the connection will remain established (permanent).
# The default is zero (0) meaning connections are permanent.
connection-inactivity = 20

------------------------------
Robert Graham
Cloud Security Consultant
IBM
(330) 314-5946

Original Message:
Sent: Sun October 06, 2019 04:24 PM
From: Jahanzaib Sarwar
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

​Respected fellows,

We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

HPDIA0114E Could not acquire a client credential.

However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

Hope to hear,

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------

GREAT!! You are welcome!

------------------------------
Robert Graham
Cloud Security Consultant
IBM
(330) 314-5946
------------------------------

Original Message:
Sent: Wed October 09, 2019 04:02 AM
From: Jahanzaib Sarwar
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

​Hi Laurent and Robert,

Thank you for the help.

As suggested by Robert, I changed the policy server ldap.conf connection-inactivity parameter and it solved the problem.

Thank you.

Best regards,

------------------------------
Jahanzaib Sarwar

Original Message:
Sent: Tue October 08, 2019 09:28 AM
From: Robert Graham
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

Try changing on your policy server ldap.conf connection-inactivity.
You may have to play a bit with the timing but this should fix your problem. I would not recommend using advanced tuning unless its directed by support via case. 

# The following parameter specifies the connection inactivity time, in seconds,
# after which an unused connection to the LDAP server will be taken down.
# A value of zero (0) indicates that inactivity will not be tracked
# and the connection will remain established (permanent).
# The default is zero (0) meaning connections are permanent.
connection-inactivity = 20

------------------------------
Robert Graham
Cloud Security Consultant
IBM
(330) 314-5946

Original Message:
Sent: Sun October 06, 2019 04:24 PM
From: Jahanzaib Sarwar
Subject: ISAM Error: HPDIA0114E Could not acquire a client credential.

​Respected fellows,

We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

HPDIA0114E Could not acquire a client credential.

However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

Hope to hear,

Best regards,

------------------------------
Jahanzaib Sarwar
------------------------------