ZEN agent logins fail error -939589605

  • 7003486
  • 09-Jun-2009
  • 18-May-2012

Environment

Novell ZENworks 10 Configuration Management with Support Pack 2 - 10.2

Situation

ERROR (from zmd-messages.log):
 
[DEBUG] [06/09/2009 12:00:44.823] [1120] [ZenworksWindowsService] [24] [] [RemotingService] [] [ZENGetAuthToken took exception: -939589605 System.Exception: -939589605
   at Novell.Casa.Client.Auth.Authtoken.ObtainAuthToken(String sService, String sHost, WinLuid luid)
   at Novell.Zenworks.Native.RemotingService.RemotingServiceImp.ZENGetAuthToken(String SessionID, String ServiceName, String Host, String& AuthToken)] [] []

Resolution

The definition of this error is (the decimal value is the signed 32-bit form of the hexadecimal status code):

CASA_STATUS_AUTHENTICATION_FAILURE -939589605 C7FF001B

Standard troubleshooting:
 
  1. In ZCC, check that you can browse the user source down to the user whose login is failing.
  2. Check that the CASA server service is running and that port 2645 is open. To test, open https://server:2645/CasaAuthTokenSvc/ in a browser on the agent workstation.
  3. Enable CASA server logs per KB 3418069 and look for errors after restarting all ZENworks services.
  4. Determine whether the problem is specific to SSL (port 636) or is also reproducible in cleartext (port 389).
  5. Ensure that the iaRealms.xml file has been created. This file is generated dynamically when the ZENworks services start, so a services restart sometimes fixes the issue when the file is missing.
  6. If the LDAP user source applies 'Address restrictions' (for example, on the User object in eDirectory), add the IP address of the ZCM authentication server that is being used. The LDAP requests go from the ZCM authentication server to the LDAP source, so it is the server's address, not the workstation's, that must be allowed.
  7. If the user source has multiple user contexts set explicitly, ensure that the users trying to log in are located in the containers listed in the User Source context objects.
  8. Ensure that the LDAP proxy user has sufficient rights to read the user attributes such as "cn". See the documentation for the explicit rights required, and capture a dstrace (eDirectory) or LAN trace.
    Section 31.1 Prerequisites https://www.novell.com/documentation/zcm10/zcm10_system_admin/data/bamqj0p.html
    For example, the following dstrace excerpt shows the ZCM LDAP proxy user binding successfully (result 0) and then searching for test_user. The search also completes with result 0 but returns no entries, so test_user never binds; ldapsearch.exe or another LDAP tool run with the same search filter, cn=test_user, confirms that the search returns no results:
    LDAP: DoBind on connection
    LDAP: Bind name:cn=zcm_proxy_user,o=novell, version:3, authentication:simple
    LDAP: Sending operation result 0:"":"" to connection
    LDAP: DoSearch on connection
    LDAP: Search request:
       base: "o=novell"
       scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
       filter: "(&(cn=test_user)(!(objectClass=aliasObject)))"
       no attributes
    LDAP: Sending operation result 0:"":"" to connection
    LDAP: DoUnbind on connection
    LDAP: Forcing abandon on operation on connection
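Steps 4 and 8 can be checked from the command line without an LDAP client library. The following Python 3 script is an added example written for this article, not a ZENworks or CASA component: it binds to the LDAP source as the proxy user over cleartext 389 and over LDAPS 636, runs the exact search the trace shows, (&(cn=<user>)(!(objectClass=aliasObject))), under the user-source base, and reports the bind result code and the number of entries returned on each port. It encodes the few LDAPv3 messages it needs by hand (BER), so only the standard library is required. The host name, proxy DN, password, base DN and user name are command-line arguments; the file name ldap_probe.py and the host ldap.example.com in the usage comment are placeholders, while cn=zcm_proxy_user,o=novell, o=novell and test_user are the values in the trace excerpt. Certificate verification on 636 is deliberately skipped (an assumption, marked in the code) so that the probe reports LDAP authentication or search failures rather than PKI errors; it is a diagnostic, not something to copy into production code.

```python
"""Stdlib-only LDAPv3 probe: bind as the ZCM proxy user, then search for one user (added example)."""
import socket
import ssl
import sys

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV, using long-form length above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A), minimal two's-complement."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_str(value: str, tag: int = 0x04) -> bytes:  # OCTET STRING, or [0] simple password (0x80)
    return ber(tag, value.encode("utf-8"))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }
    return ber(0x30, ber_int(msg_id) + ber(0x60, ber_int(3) + ber_str(dn) + ber_str(password, 0x80)))

def user_search_request(msg_id: int, base: str, cn: str) -> bytes:
    # Filter exactly as in the trace: (&(cn=<cn>)(!(objectClass=aliasObject)))
    eq_cn = ber(0xA3, ber_str("cn") + ber_str(cn))
    not_alias = ber(0xA2, ber(0xA3, ber_str("objectClass") + ber_str("aliasObject")))
    op = ber(0x63, ber_str(base)
             + ber_int(2, 0x0A)          # scope: wholeSubtree (scope:2 in the trace)
             + ber_int(0, 0x0A)          # derefAliases: neverDerefAliases
             + ber_int(0) + ber_int(0)   # sizeLimit, timeLimit: none
             + ber(0x01, b"\x00")        # typesOnly: FALSE
             + ber(0xA0, eq_cn + not_alias)
             + ber(0x30, b""))           # attributes: none requested
    return ber(0x30, ber_int(msg_id) + op)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the TLV starting at buf[pos]."""
    n, hdr = buf[pos + 1], 2
    if n >= 0x80:                        # long-form length: low 7 bits = number of length octets
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return buf[pos], buf[pos + hdr:pos + hdr + n], pos + hdr + n

def parse_message(msg: bytes):
    """Split one LDAPMessage into (messageID, protocolOp tag, protocolOp payload)."""
    _, body, _ = read_tlv(msg)
    _, id_bytes, pos = read_tlv(body)
    op_tag, op_payload, _ = read_tlv(body, pos)
    return int.from_bytes(id_bytes, "big", signed=True), op_tag, op_payload

def result_code(op_payload: bytes) -> int:
    """LDAPResult starts with resultCode ENUMERATED (0 = success, 49 = invalidCredentials)."""
    return int.from_bytes(read_tlv(op_payload)[1], "big", signed=True)

def recv_message(rfile) -> bytes:
    """Read exactly one LDAPMessage from a binary file object wrapping the socket."""
    head = rfile.read(2)
    if len(head) < 2:
        raise ConnectionError("LDAP server closed the connection")
    if head[1] >= 0x80:                  # long-form length: read the length octets too
        head += rfile.read(head[1] & 0x7F)
    n = head[1] if head[1] < 0x80 else int.from_bytes(head[2:], "big")
    return head + rfile.read(n)

def probe(host, port, proxy_dn, proxy_pw, base, cn, use_tls):
    """Bind as the proxy user and search for cn=<cn>; return (bind result code, entries found)."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        # Assumption for a diagnostic only: skip certificate checks so the result reflects
        # LDAP authentication/search rather than PKI. Never do this in production code.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rb") as rfile:
        sock.sendall(bind_request(1, proxy_dn, proxy_pw))
        _, tag, payload = parse_message(recv_message(rfile))
        rc = result_code(payload)
        if tag != 0x61 or rc != 0:       # 0x61 = BindResponse; non-zero = proxy bind failed
            return rc, 0
        sock.sendall(user_search_request(2, base, cn))
        entries = 0
        while True:
            _, tag, _ = parse_message(recv_message(rfile))
            if tag == 0x64:              # SearchResultEntry
                entries += 1
            elif tag == 0x65:            # SearchResultDone ends the result set
                return rc, entries

if __name__ == "__main__":
    # Usage: python ldap_probe.py ldap.example.com cn=zcm_proxy_user,o=novell SECRET o=novell test_user
    host, dn, pw, base, user = sys.argv[1:6]
    for port, tls in ((389, False), (636, True)):
        try:
            rc, n = probe(host, port, dn, pw, base, user, tls)
            print(f"{host}:{port} bind result {rc}, {n} entry(ies) for cn={user}")
        except OSError as exc:
            print(f"{host}:{port} failed: {exc}")
```

Run it from the ZCM authentication server itself, since that is where the LDAP requests originate (step 6). A bind result of 49 (invalidCredentials) points at the proxy user's DN or password; a bind result of 0 with zero entries reproduces the trace above and points at the proxy user's rights or at the user-source base and contexts (steps 7 and 8); a result on 636 that differs from the one on 389 isolates the problem to SSL (step 4).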

Specific troubleshooting for Windows ZCM servers:

  1. Since 10.1 the Windows CASA Authentication Token server service does not use iaRealms.xml to store the LDAP proxy credentials. As a test, however, try adding the following to iaRealms.xml:
    <bci:env prop="java.naming.security.authentication" value="simple" />
    <bci:env prop="java.naming.security.principal" value="cn=zenProxy,o=org" />
    <bci:env prop="java.naming.security.credentials" value="password" />

    where cn=zenProxy,o=org is the DN of the LDAP proxy user and password is the LDAP proxy user's password.
  2. If step 1 allows users to log in, check the following:
  3. In addition to the CasaAuthToken service (the CASA server service), the following services must be running on the server:
    Novell ZENworks Loader
    Novell Identity Store (miCasa service)
  4. For an AD user source, confirm that the primary server or authentication satellite can resolve the AD domain name and the domain controller's name, in both forward and reverse lookup.
  5. Check that the CasaAuthToken service and the Novell ZENworks Loader service have "Log On As" set to the __z* user. The server-side services log on as the __z* user; the client-side services use Local System.

    If the Loader service or the CASA Auth Token server service has been changed to log on as another user such as Local System, then after the user source is recreated no users can log in. In this case it is necessary to change the "Log on as" user back to __z* and then remove and re-add the user source. NOTE: deleting and re-adding the user source causes all user associations to be lost.

    For more information about resetting the __z* user see KB 3446977 https://support.microfocus.com/kb/doc.php?id=3446977
    For more information about authentication see TID 7001109 https://support.microfocus.com/kb/doc.php?id=7001109

 

Additional Information

Error -939589605 means CASA_STATUS_AUTHENTICATION_FAILURE.
 
In the case where only one user fails to log in, this most likely means that the password was typed incorrectly or that an account restriction applies (concurrent login limit, intruder lockout, etc.). Check dstrace logs if using eDirectory.
 
If all users get this error, the back-end CASA server service should be examined.
 
If step 1 in the Windows-specific troubleshooting resolves the problem, note that iaRealms.xml will be overwritten when the services are restarted. If it is necessary to keep an iaRealms.xml that contains the proxy user and credentials, the Novell Identity Store service must be disabled on that primary only. This prevents users from logging in to ZENworks on that primary only.