ZEN agent logins fail error -939589605

1. Check that you can drill into ZCC users to the user that is failing login.
2. Check that the CASA server service is running and that port 2645 is open. To test run https://server:2645/CasaAuthTokenSvc/ from a browser on the agent workstation.
3. Enable CASA server logs per KB 3418069 and look for errors after all ZENworks services are restarted.
4. Determine whether the problem is specific to SSL (port 636) or is also reproduceable in cleartext (389).
5. Ensure that the iaRealms.xml file is created.  This file is dynamically generated when the ZENworks services are started.  Sometimes a services restart will fix the issue when this file is not created.
6. If the LDAP user source sets 'Address restrictions' (ex: in the User object in eDirectory), add the ip-address of the zcm authentification server used.  The ldap requests go from the ZCM authentication server to the LDAP source.
7. If the user source has multiple user contexts explicitly set, ensure that the users trying to login are in the containers listed for the User Source context objects.
8. Ensure that the LDAP proxy user has sufficient rights to read the user attributes such as "cn".  See documentation for the explicit rights required and get dstrace or lan trace.
   Section 31.1 Prerequisites https://www.novell.com/documentation/zcm10/zcm10_system_admin/data/bamqj0p.html
   For example the following shows the zcm ldap proxy user authenticating and searching for test_user but test_user does not bind and ldapsearch.exe or other ldap tools confirm that the search returns no results for search filter cn=test_user :
   LDAP: DoBind on connection
   LDAP: Bind name:cn=zcm_proxy_user,o=novell, version:3, authentication:simple
   LDAP: Sending operation result 0:"":"" to connection
   LDAP: DoSearch on connection
   LDAP: Search request:
      base: "o=novell"
      scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
      filter: "(&(cn=test_user)(!(objectClass=aliasObject)))"
      no attributes
   LDAP: Sending operation result 0:"":"" to connection
   LDAP: DoUnbind on connection
   LDAP: Forcing abandon on operation on connection
   

Specific troubleshooting for Windows ZCM servers:

1.  Since 10.1, the Windows CASA Authentication Token server service does not use iaRealms.xml to store the LDAP proxy credential information. But as a test try adding the following to iaRealms.xml:
   <bci:env prop="java.naming.security.authentication" value="simple" />
   <bci:env prop="java.naming.security.principal" value="cn=zenProxy,o=org" />
   <bci:env prop="java.naming.security.credentials" value="password" />
   where zenproxy is the ldap proxy and password is the ldap proxy password.
2. If step 1 allows users to login then check the following:
3. In addition to the CasaAuthToken service (Casa server service) The following services must be running on the server:
   Novell ZENworks Loader
   Novell Identity Store (miCasa service)
4. For AD user source, confirm that the primary server or authentication satellite can resolve the AD domain name and controller server name forward and reverse lookup.
5. Check that the CasaAuthToken service and Novell ZENworks Loader service are set with "Log On As" set to the __z* user. The server services use the __z* user to login to the service; the client side services use local system.
   
   If the loader service or CASA Auth token server service have been changed to login as another user such as local system, then after recreating the user source, no users can log in. In this case it is necessary to change the "Log on as" user back to _z* and remove and re-add the user source. NOTE: deleting and re-adding user source will cause all user associations to be lost.
   
   For more information about resetting the __z* user see KB 3446977 https://support.microfocus.com/kb/doc.php?id=3446977
   For more information about authentication see TID 7001109 https://support.microfocus.com/kb/doc.php?id=7001109