We have just installed version 8.7 successfully on Windows Server 2008 R2. We switched to LDAP authentication apparently successfully ("Test connection" reported success).
But now we can't log in using any of the clients, including Web Console and WAS Console. The error reported in these is user name or password incorrect, but we can log in to Windows using these.
In the Windows security log there is a message (Event ID 5157) advising that "The Windows Filtering Platform has blocked a connection."
Has anyone experienced this and, even more usefully, has anyone resolved this?
Thank you for your time.
Windows Filtering Platform
Can you connect from a client using an internal admin ID like isadmin?
I'm not sure, but I think you would have to do that first, like in the web console, and use it to assign Information Server security roles to your existing LDAP IDs before you're allowed to connect from a client using an LDAP ID.
Choose a job you love, and you will never have to work a day in your life. - Confucius
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
If they've converted to LDAP they've probably run DirectoryAdmin.bat -delete_users so that isadmin and wasadmin (created during installation) no longer exist. They would also have run AppServerAdmin.bat -was to specify the new initial WAS and IIS administrator user.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
On similar lines, IBM says that if the User Registry in WAS was set to Federated Repository, then you can add the isadmin and wasadmin to the local repository, and hence, be able to authenticate against both, LDAP or the local internal registry. Check the link here -
https://www-304.ibm.com/support/docview ... wg21469402
Anyways, any success with the IBM PMR? Please post the resolution once done. We have a similar issue, and will appreciate any help. Since the isadmin (and wasadmin) are deleted upon using LDAP, I can't even install the Fix Pack as it requires those 2 users and their passwords to install the FP1....ispkg.
Thanks
gateleys
With help from IBM support we worked out that we'd missed just one of the Save, Apply or OK clicks when switching WAS to use LDAP, so it was still set to "internal user registry". We used DirectoryAdmin.bat to create a user in the internal user registry, then used AppServerAdmin.bat to make that user an administrator, and were then able to go through the "switching to LDAP" process again, this time not missing any one of the critical Save, Apply or OK clicks. Support agreed that this is a very bewildering interface.
Now all is good and we're up and running, except that "they" (our admins) have created the needed Active Directory groups but have yet to put users into the groups. Doubtless this will happen soon.
Thank you again for your time.
In your above response, you've mentioned that support from IBM pointed to the fact that you were still pointing to the "Internal User Registry" due to some misses in OK/SAVE clicks. If that were the case, how is it that your isadmin and wasadmin users were deleted.... as suggested in your earlier post :-
U wrote: Ray is entirely correct. Users isadmin and wasadmin no longer exist.
Anyways, so now you are using LDAP after recreating the isadmin and wasadmin?
Thanks,
gateleys
Users can be deleted from the internal registry irrespective of which user registry is in use, and even when WAS is shut down, using the DirectoryAdmin.bat -delete_users command (or DirectoryAdmin.sh -delete_users on UNIX).
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.