WebSphere Application Server & Liberty

 View Only
Expand all | Collapse all

Websphere - global security AD failover - adding new domain controller under failover - giving Authentication error

  • 1.  Websphere - global security AD failover - adding new domain controller under failover - giving Authentication error

    InnerCircle
    Posted Mon January 10, 2022 12:56 AM
    Hi All,

    we have an AD domain controller configured in Websphere standalone 8.5.5.11 under federated. now we got a new domain controller which I have  to add under failover. After adding when I am clicking ok I am getting the below error. this is throwing error for primary domain controller. I do not have bindDN password now.
    1) Now, how to add/change a new domain controller primary/failover?
    2) Any possibility to get the the password from any of the websphere files?
    3) If AD configured user authentication is failing how app logins are authenticating now, should be an issue for all applications right? they are working.



    ------------------------------
    Ram
    ------------------------------


  • 2.  RE: Websphere - global security AD failover - adding new domain controller under failover - giving Authentication error

    IBM Champion
    Posted Tue January 11, 2022 06:00 AM
    Hello Ram,
    the AuthenticationException makes me believe that the bind password is missing or nor correct. Which matches your statement "I do not have bindDN password now" but it seems that the AD DC does not accept anonymous binds. Please can you double check that?

    What exactly you you want to achieve? Should the new DC be added as a backup LDAP server? Or do you want to add the new DX as an additional user registry? If it should be configured as a backup LDAP it must be setup the same as the primary LDAP (it represents the same user population) and the bind user / pwd must be the same as well. 

    ad 2) The current bind password should be available either on security.xml or wimconfig.xml (in base64 encoded format --> you have to decode it before using it)

    ad 3) Well you still have the primary AD working - right? So I assume that this one will be used. But you can in the logs to which user registry the server is connected

    Hope this helps - Hermann


    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 3.  RE: Websphere - global security AD failover - adding new domain controller under failover - giving Authentication error

    Posted Tue January 11, 2022 08:45 AM
    Ram

    As Herman indicated your bind id/password combination is incorrect, which are required with AD since it doesn't allow for an anonymous bind. Since the problem seems to have occurred after adding in the fail-over domain controller so in addition to the steps outlined by Hermann, you should review this tech note from Microsoft cover troubleshooting the AD configuration  

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/domain-controller-not-functioning-correctly

    while the scenario may not be exactly the same as yours, the steps outlined should help insure that the AD configuration is correct, and then you can determine that your tWAS configuration is correct for AD access

    ------------------------------
    Tom Alcott
    Senior Technical Staff Member
    IBM
    ------------------------------