Windows Filtering Platform

A forum for discussing DataStage® basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

U
Participant
Posts: 230
Joined: Tue Apr 17, 2007 8:23 pm
Location: Singapore

Windows Filtering Platform

Post by U »

We have just installed version 8.7 successfully on Windows Server 2008 R2. We switched to LDAP authentication apparently successfully ("Test connection" reported success).

But now we can't log in using any of the clients, including Web Console and WAS Console. The error reported in these is user name or password incorrect, but we can log in to Windows using these.

In the Windows security log there is a message (Event ID 5157) advising that "The Windows Filtering Platform has blocked a connection."

Has anyone experienced this and, even more usefully, has anyone resolved this?

Thank you for your time.
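
To check whether the Event ID 5157 blocks mentioned in the post above involve directory traffic at all, this added example (not part of the original thread, and not IBM or Microsoft code) filters 5157 events by destination port. The port list, the function name `Select-Wfp5157Ldap` and the sample events are assumptions constructed for illustration.

```powershell
# Destination ports treated as directory traffic. Assumption: standard LDAP,
# LDAPS and Active Directory global catalog ports; adjust to your LDAP server.
$LdapPorts = 389, 636, 3268, 3269

function Select-Wfp5157Ldap {
    param(
        [Parameter(Mandatory = $true)] [string[]] $EventXml,
        [int[]] $Ports = $LdapPorts
    )
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        # local-name() sidesteps the default namespace on <Event>.
        $id = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if ($id -ne '5157') { continue }
        # Flatten the <Data Name="..."> elements into a name/value table.
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($Ports -notcontains [int]$data['DestPort']) { continue }
        New-Object PSObject -Property @{
            Application = $data['Application']
            DestAddress = $data['DestAddress']
            DestPort    = [int]$data['DestPort']
            FilterRTID  = $data['FilterRTID']   # run-time ID of the blocking filter
        }
    }
}

# Constructed sample events (placeholder paths and documentation addresses).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID></System>
  <EventData>
    <Data Name="Application">{0}</Data>
    <Data Name="DestAddress">{1}</Data>
    <Data Name="DestPort">{2}</Data>
    <Data Name="FilterRTID">{3}</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '\device\harddiskvolume2\example\java.exe', '192.0.2.10', 389, 70001),
    ($template -f '\device\harddiskvolume2\example\other.exe', '192.0.2.20', 445, 70002)
)

# Live use, from an elevated prompt on the server:
#   $sample = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157} |
#       ForEach-Object { $_.ToXml() }
Select-Wfp5157Ldap -EventXml $sample | Format-Table -AutoSize
```

Only the constructed port 389 event is returned; an empty result on a live log means the 5157 entries are not blocked LDAP connections. The FilterRTID value identifies the filter that blocked the connection, and `netsh wfp show filters` dumps the active filters for comparison.
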
qt_ky
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Can you connect from a client using an internal admin ID like isadmin?

I'm not sure, but I think you would have to do that first, like in the web console, and use it to assign Information Server security roles to your existing LDAP IDs before you're allowed to connect from a client using an LDAP ID.
Choose a job you love, and you will never have to work a day in your life. - Confucius
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

If they've converted to LDAP they've probably run DirectoryAdmin.bat -delete_users so that isadmin and wasadmin (created during installation) no longer exist. They would also have run AppServerAdmin.bat -was to specify the new initial WAS and IIS administrator user.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
U
Participant
Posts: 230
Joined: Tue Apr 17, 2007 8:23 pm
Location: Singapore

Post by U »

Ray is entirely correct. Users isadmin and wasadmin no longer exist.

We have opened a PMR with IBM to seek assistance.

Thank you for your time.
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Welcome to the "leading edge"! :D

Please do post the resolution once you have it.
gateleys
Premium Member
Posts: 992
Joined: Mon Aug 08, 2005 5:08 pm
Location: USA

Post by gateleys »

On similar lines, IBM says that if the User Registry in WAS was set to Federated Repository, then you can add the isadmin and wasadmin to the local repository, and hence, be able to authenticate against both, LDAP or the local internal registry. Check the link here -
https://www-304.ibm.com/support/docview ... wg21469402

Anyways, any success with the IBM PMR? Please post the resolution once done. We have a similar issue, and will appreciate any help. Since the isadmin (and wasadmin) are deleted upon using LDAP, I can't even install the Fix Pack as it requires those 2 users and their passwords to install the FP1....ispkg.

Thanks
gateleys
U
Participant
Posts: 230
Joined: Tue Apr 17, 2007 8:23 pm
Location: Singapore

Post by U »

With help from IBM support we worked out that we'd missed just one of the Save, Apply or OK clicks when switching WAS to use LDAP, so it was still set to "internal user registry". We used DirectoryAdmin.bat to create a user in the internal user registry, then used AppServerAdmin.bat to make that user an administrator, and were then able to go through the "switching to LDAP" process again, this time not missing any one of the critical Save, Apply or OK clicks. Support agreed that this is a very bewildering interface.

Now all is good and we're up and running, except that "they" (our admins) have created the needed Active Directory groups but have yet to put users into the groups. Doubtless this will happen soon.

Thank you again for your time.
gateleys
Premium Member
Posts: 992
Joined: Mon Aug 08, 2005 5:08 pm
Location: USA

Post by gateleys »

In your above response, you've mentioned that support from IBM pointed to the fact that you were still pointing to the "Internal User Registry" due to some misses in OK/SAVE clicks. If that were the case, how is it that your isadmin and wasadmin users were deleted.... as suggested in your earlier post :-
U wrote: Ray is entirely correct. Users isadmin and wasadmin no longer exist.
Anyways, so now you are using LDAP after recreating the isadmin and wasadmin?

Thanks,
gateleys
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Users can be deleted from the internal registry irrespective of which user registry is in use, and even when WAS is shut down, using the DirectoryAdmin.bat -delete_users command (or DirectoryAdmin.sh -delete_users on UNIX).