I have set up WSO2 Identity Server 5.0.0 on a Windows 2012 R2 server.
I changed the primary user store to Active Directory following the instructions from the WSO2 documentation:
https://docs.wso2.com/display/IS500/Configuring+an+Active+Directory+User+Store
Since then I am not able to log in to the Identity Server Management Console.
I tried to log in with the AD admin user as well as the WSO2 admin user; neither of them works. Below are the errors from the log.
TID: [0] [IS] [2016-01-05 10:17:22,965] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'wso2\test1[-1234]' at [2016-01-05 10:17:22,965+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [0] [IS] [2016-01-05 10:17:35,420] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'test1[-1234]' at [2016-01-05 10:17:35,418+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [0] [IS] [2016-01-05 10:17:46,485] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2016-01-05 10:17:46,485+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Below is the user-mgt.xml file.
http://pastebin.com/zTJ2SJmN
Any help is greatly appreciated!
Thank you
Kbasa
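As an added example (not part of the original post or of WSO2's own code), here is a small Python detector for the CarbonAuthenticationUtil lines quoted above. It parses both the "Failed Administrator login attempt" WARN lines and the "logged in at" INFO lines, splits the principal into user-store domain (the `wso2\` prefix), username and tenant domain (the `#carbon.super` suffix), and raises an alert when several failures land inside a short window. The sample lines are constructed from the entries on this page (one success and one later failure were added for contrast); the threshold of 3 failures per minute is an assumption, not a WSO2 setting.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: the three failures quoted in the post above, plus a
# later success and an unprefixed failure line (the shape seen elsewhere on
# this page) so both formats are exercised. Not real production data.
SAMPLE_LOG = r"""
TID: [0] [IS] [2016-01-05 10:17:22,965]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'wso2\test1[-1234]' at [2016-01-05 10:17:22,965+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [0] [IS] [2016-01-05 10:17:35,420]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'test1[-1234]' at [2016-01-05 10:17:35,418+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
TID: [0] [IS] [2016-01-05 10:17:46,485]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[-1234]' at [2016-01-05 10:17:46,485+0000] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
[2016-01-05 10:20:01,100]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'admin#carbon.super [-1234]' logged in at [2016-01-05 10:20:01,100+0000]
[2016-01-05 19:49:43,848]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[-1234]' at [2016-01-05 19:49:43,848+0800]
""".strip().splitlines()

# Failure lines have no space before the tenant id ('admin[-1234]'), success
# lines do ('admin#carbon.super [-1234]'); \s* tolerates both.
FAILED_RE = re.compile(
    r"Failed Administrator login attempt '(?P<principal>[^'\[]+)\s*\[(?P<tenant>-?\d+)\]' at \[(?P<ts>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    r"'(?P<principal>[^'\[]+)\s*\[(?P<tenant>-?\d+)\]' logged in at \[(?P<ts>[^\]]+)\]"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f%z"  # e.g. 2016-01-05 10:17:22,965+0000


def parse_auth_event(line):
    """Return a structured event for a Carbon login success/failure line, else None."""
    for outcome, rx in (("failure", FAILED_RE), ("success", SUCCESS_RE)):
        m = rx.search(line)
        if not m:
            continue
        principal = m.group("principal").strip()
        # 'wso2\test1' -> user store domain 'wso2'; 'admin#carbon.super' -> tenant domain
        user_store_domain, _, rest = principal.rpartition("\\")
        username, _, tenant_domain = rest.partition("#")
        return {
            "outcome": outcome,
            "principal": principal,
            "user_store_domain": user_store_domain or None,
            "username": username,
            "tenant_domain": tenant_domain or None,
            "tenant_id": int(m.group("tenant")),
            "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
        }
    return None


def scan(lines):
    """Parse every recognisable auth event out of an iterable of log lines."""
    return [e for e in map(parse_auth_event, lines) if e is not None]


def failures_per_principal(events):
    """How many failed management-console logins each principal accumulated."""
    return Counter(e["principal"] for e in events if e["outcome"] == "failure")


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Sliding window over failures in time order; emit an alert whenever the
    number of failures inside `window` reaches `threshold`. Failures against
    different principals count together, since a spray across admin accounts
    is exactly what this log cannot show per user."""
    failures = sorted((e for e in events if e["outcome"] == "failure"),
                      key=lambda e: e["timestamp"])
    alerts, start = [], 0
    for end, ev in enumerate(failures):
        while ev["timestamp"] - failures[start]["timestamp"] > window:
            start += 1
        count = end - start + 1
        if count == threshold:  # fire once per burst, when it first crosses the line
            alerts.append({
                "window_start": failures[start]["timestamp"],
                "window_end": ev["timestamp"],
                "count": count,
                "principals": sorted({e["principal"] for e in failures[start:end + 1]}),
            })
    return alerts


if __name__ == "__main__":
    evs = scan(SAMPLE_LOG)
    print(failures_per_principal(evs))
    for alert in failed_login_bursts(evs):
        print(f"{alert['count']} failed admin logins between {alert['window_start']} "
              f"and {alert['window_end']}: {alert['principals']}")
```

The timestamps carry their offset (`+0000`, `+0800`), so the parser produces timezone-aware datetimes and the window comparison is correct even when a log mixes hosts in different zones.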
When I have a single ADFS configured as an identity server on WSO2, authentication from WSO2 fails with the below error.
ator returned: INCOMPLETE
TID: [-1234] [] [2017-02-24 06:50:04,580] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - SAMLSSOAuthenticator is redirecting
TID: [-1234] [] [2017-02-24 06:50:04,580] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - Step is not complete yet. Redirecting to outside.
TID: [-1234] [] [2017-02-24 06:50:09,958] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
TID: [-1234] [] [2017-02-24 06:50:09,959] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key is null in the request
TID: [-1234] [] [2017-02-24 06:50:09,959] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
At the same time, if there is more than one federated authenticator, say 2 ADFS servers configured on WSO2 as identity server using the advanced configuration option on the WSO2 SP, authentication from travelocity works fine.
Please guide me on what I am missing here.
This is supported out-of-the-box with Identity Server 5.1.0 M3 onwards. If you are to use this with Identity Server 5.0.0 (with SP 1) you'll need to make some modifications to the source. The details can be found at [1] & [2].
Follow document [3] for more details on setting up ADFS 3.0 as a federated authenticator in WSO2 Identity Server.
[1] - https://wso2.org/jira/browse/IDENTITY-3181
[2] - https://wso2.org/jira/browse/IDENTITY-3349
[3] - https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/
I use separate WSO2 API Manager 1.10.0 and WSO2 DAS 3.0.0 instances on AWS EC2 to gather statistics on my API usage, and I use PostgreSQL as the external RDBMS to store the summary data.
APIM configurations on Admin-Dashboard
Event Receiver Configurations :
tcp://DAS-IP:7611
Data Analyzer Configurations :
https://DAS-IP:9443
Statistics Summary Datasource :
My-postgresql-url
APIM configuration in api-manager.xml
Disable the REST client and enable the RDBMS client
DAS configuration
Set datasource WSO2AM_STATS_DB in master-datasources.xml
Scenario
Login to APIM publisher
Deploy sample API
Go to APIM store
Subscribe sample API
Go to APIM publisher
Click statistics > API usage
It only shows the example statistics page.
APIM Logs
[2016-04-22 06:12:47,787] INFO - EmbeddedRegistryService Configured Registry in 0ms
[2016-04-22 06:12:48,015] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,015+0000]
[2016-04-22 06:12:48,360] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,359+0000]
[2016-04-22 06:12:48,605] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,605+0000]
[2016-04-22 06:12:48,664] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,664+0000]
[2016-04-22 06:12:48,920] INFO - CarbonAuthenticationUtil 'admin#carbon.super [-1234]' logged in at [2016-04-22 06:12:48,920+0000]
[2016-04-22 06:12:49,296] INFO - API Initializing API: admin--CalculatorAPI:v1.0
[2016-04-22 06:13:05,384] INFO - ReceiverGroup Resending the failed published data...
DAS Logs
[2016-04-22 04:09:00,218] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:09:32,439] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:09:47,474] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:33:10,239] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 04:35:28,672] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:05:18,848] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:12:53,017] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
[2016-04-22 06:13:09,173] INFO {org.wso2.carbon.databridge.core.DataBridge} - user admin connected
DAS WSO2_STATS_DB status
From DAS dashboard > Configure > Data Sources, I've checked that the status of all DBs is active and the tested connection is healthy.
I don't know if WSO2AM_STATS_DB doesn't support PostgreSQL or if my configuration has something wrong.
Thanks
I raised a public JIRA because the APIM stats scripts folder does not have the PostgreSQL script.
APIM does not publish subscription events to the DAS. Subscription details are kept in the WSO2AM_DB database, and we use the AM_SUBSCRIBER and AM_SUBSCRIPTION tables for that purpose.
Hope you followed this documentation.
I have set up a WSO2 Identity Server 5.0.0 and I was able to log in to the Carbon management console with the user "admin". But when I try to log in to the dashboard, it fails.
I've been troubleshooting and reading the documentation and Stack Overflow for a clue but couldn't find one, and I am not sure which part of the configuration I did wrong.
Following are the things that I set for my WSO2IS:
I changed the host name from localhost to my server IP in the following files:
repository/conf/carbon.xml
repository/conf/identity.xml
repository/conf/security/sso-idp-config.xml
repository/conf/security/saml2.federation.properties
repository/conf/security/authenticators.xml
repository/conf/tomcat/catalina-server.xml
I also did the same steps indicated in this: Cannot see any option in WSO2 Identity Server dashboard
Following are the server logs produced on the server where I set up the WSO2IS:
[2015-08-10 11:47:48,530] INFO {org.wso2.carbon.core.init.CarbonServerManager} - Repository : /opt/WSO2/wso2is-5.0.0/repository/deployment/server/
[2015-08-10 11:47:49,038] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234
[2015-08-10 11:47:49,774] INFO {org.wso2.carbon.identity.application.mgt.ui.internal.ApplicationMgtUIServiceComponent} - Application Management UI bundle acticated!
[2015-08-10 11:47:49,944] INFO {org.wso2.carbon.identity.sso.saml.admin.FileBasedConfigManager} - A SSO Service Provider is registered for : wso2.my.dashboard
[2015-08-10 11:47:50,039] INFO {org.wso2.carbon.idp.mgt.internal.IdPManagementServiceComponent} - Identity Application Management Database initialization not attempted since 'setup' variable was not provided during startup
[2015-08-10 11:47:50,299] INFO {org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent} - Identity Database schema initialization check was skipped since 'setup' variable was not given during startup
[2015-08-10 11:47:51,868] INFO {org.wso2.carbon.core.transports.http.HttpsTransportListener} - HTTPS port : 9443
[2015-08-10 11:47:51,868] INFO {org.wso2.carbon.core.transports.http.HttpTransportListener} - HTTP port : 9763
[2015-08-10 11:47:53,001] INFO {org.wso2.carbon.core.init.JMXServerManager} - JMX Service URL : service:jmx:rmi://172.18.64.178:11111/jndi/rmi://172.18.64.178:9999/jmxrmi
[2015-08-10 11:47:53,001] INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - Server : WSO2 Identity Server-5.0.0
[2015-08-10 11:47:53,002] INFO {org.wso2.carbon.core.internal.StartupFinalizerServiceComponent} - WSO2 Carbon started in 109 sec
[2015-08-10 11:47:53,410] INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - Mgt Console URL : https://172.18.64.178:9443/carbon/
[2015-08-10 11:47:54,205] INFO {org.wso2.carbon.identity.entitlement.internal.EntitlementServiceComponent} - Started thrift entitlement service at port:10500
[2015-08-10 11:48:09,003] INFO {org.wso2.carbon.identity.entitlement.internal.SchemaBuilder} - XACML policy schema loaded successfully.
[2015-08-10 11:49:08,437] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'WSO2/admin#carbon.super [-1234]' logged in at [2015-08-10 11:49:08,437+0800]
[2015-08-10 11:49:24,528] INFO {JAGGERY.login:jag} - connecting to https://172.18.64.178:9443/services
[2015-08-10 11:49:43,806] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234
[2015-08-10 11:49:43,847] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. Authorization Failure.
[2015-08-10 11:49:43,848] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2015-08-10 11:49:43,848+0800]
A reason for this issue can be that the user you try to log in with does not have login permission. Therefore, can you please check that the user has login permission?
You can view roles and users from the Identity Server management console.
I created a user under a tenant. I can even see my user in LDAP.
But login fails when I am trying to log in via the IS management console.
The errors shown after enabling user logs are:
TID: [0] [IS] [2015-04-30 06:51:49,527] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating with uid=due#due.com,ou=wso2,ou=system {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager}
TID: [0] [IS] [2015-04-30 06:51:49,538] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authentication failed javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Attempt to lookup non-existant entry: uid=due#due.com,ou=wso2,ou=system:
org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: Attempt to lookup non-existant entry: uid=due#due.com,ou=wso2,ou=system
at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.lookup(DefaultPartitionNexus.java:459)
at org.apache.directory.server.core.authn.AuthenticationInterceptor.bind(AuthenticationInterceptor.java:516)
at org.apache.directory.server.core.DefaultOperationManager.bind(DefaultOperationManager.java:439)
at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handleSimpleAuth(BindRequestHandler.java:178)
at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:625)
at org.apache.directory.server.ldap.handlers.request.BindRequestHandler.handle(BindRequestHandler.java:66)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:193)
at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
at java.lang.Thread.run(Thread.java:745)
BindRequest =
MessageType : BIND_REQUEST
Message ID : 1
BindRequest
Version : '3'
Name : 'uid=due#due.com,ou=wso2,ou=system'
Simple authentication : 'Due#123/0x44 0x75 0x65 0x40 0x31 0x32 0x33 '
] {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager}
Please check the logs. It says uid=due#due.com,ou=wso2,ou=system. Normally when you create a tenant, a separate OU is created in the LDAP. Inside this OU, there must be the user. It seems that WSO2IS tries to authenticate the user with an invalid OU. Please verify how you create the tenant and user. This must be something specific to your environment. If you take a fresh WSO2IS, this would work properly. You can do some debugging by enabling user.core debug logs. Then you can get more of an idea and find out what the root cause of the issue can be.
log4j.logger.org.wso2.carbon.user.core=DEBUG
You can add the above to the log4j.properties file, restart the server and see.
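Two things about the DEBUG output quoted in this question are worth handling in code, so here is an added example (mine, not from the post or from WSO2). First, the ApacheDS BindRequest dump prints the simple-bind password in clear on the "Simple authentication" line (the question itself shows 'Due#123' followed by its hex bytes), so a log produced with org.wso2.carbon.user.core=DEBUG has to be treated as a credential and scrubbed before it is shared or shipped to a SIEM. Second, both a missing entry and a wrong password come back as LDAP result code 49, but the "Attempt to lookup non-existant entry" diagnostic in the question is the server saying the DN does not exist at all, which points at how the DN (the uid and OU chain) was built rather than at the password. The sample text is constructed from the lines in the question; the trailing plain INVALID_CREDENTIALS bind for uid=admin,ou=Users,dc=wso2,dc=org is made up for contrast.

```python
import re

# Constructed sample, modelled on the ReadOnlyLDAPUserStoreManager DEBUG output
# quoted in the question above. The last two lines are a made-up plain
# wrong-password failure for contrast; they are not from the page.
SAMPLE_DEBUG_LOG = """\
TID: [0] [IS] [2015-04-30 06:51:49,527] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating with uid=due#due.com,ou=wso2,ou=system
TID: [0] [IS] [2015-04-30 06:51:49,538] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authentication failed javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Attempt to lookup non-existant entry: uid=due#due.com,ou=wso2,ou=system:
org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException: Attempt to lookup non-existant entry: uid=due#due.com,ou=wso2,ou=system
BindRequest =
    MessageType : BIND_REQUEST
    Message ID : 1
        BindRequest
        Version : '3'
        Name : 'uid=due#due.com,ou=wso2,ou=system'
        Simple authentication : 'Due#123/0x44 0x75 0x65 0x40 0x31 0x32 0x33 '
TID: [0] [IS] [2015-04-30 06:52:09,990] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authenticating with uid=admin,ou=Users,dc=wso2,dc=org
TID: [0] [IS] [2015-04-30 06:52:10,001] DEBUG {org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager} - Authentication failed javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS]
"""

# The password (and its hex dump) is everything after the opening quote on
# this line, so replace to end of line rather than up to the next quote.
SECRET_RE = re.compile(r"^(\s*Simple authentication\s*:\s*)'.*$", re.MULTILINE)
RESULT_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<name>[A-Z_]+)")
MISSING_ENTRY_RE = re.compile(r"non-existant entry:\s*(?P<dn>[^\s:]+)")
AUTHENTICATING_RE = re.compile(r"Authenticating with (?P<dn>\S+)")


def redact_bind_secrets(text):
    """Scrub the cleartext simple-bind password from an ApacheDS BindRequest dump."""
    return SECRET_RE.sub(r"\1'[REDACTED]'", text)


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first. Enough for
    the unescaped DNs in these logs; not a full RFC 4514 parser."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify_bind_failure(line):
    """Turn one 'Authentication failed' line into a verdict. Both branches are
    result code 49, but a missing entry means the DN was never found, so the
    fix is in DN construction (user store / tenant OU), not in the password."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    verdict = {"result_code": int(m.group("code")), "result_name": m.group("name"),
               "dn": None, "reason": "other"}
    missing = MISSING_ENTRY_RE.search(line)
    if missing:
        verdict["dn"] = missing.group("dn")
        verdict["reason"] = "dn_not_found"
    elif verdict["result_code"] == 49:
        verdict["reason"] = "invalid_credentials"
    return verdict


def analyse(text):
    """Verdict per bind failure, with the DN the user store manager said it was
    binding as (from the preceding 'Authenticating with' line) for context."""
    last_dn, verdicts = None, []
    for line in text.splitlines():
        a = AUTHENTICATING_RE.search(line)
        if a:
            last_dn = a.group("dn")
            continue
        v = classify_bind_failure(line)
        if v:
            v["attempted_dn"] = v["dn"] or last_dn
            v["rdn"] = parse_dn(v["attempted_dn"])[0] if v["attempted_dn"] else None
            verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in analyse(SAMPLE_DEBUG_LOG):
        print(f"{v['result_name']} ({v['result_code']}): {v['reason']} for {v['attempted_dn']}")
    print(redact_bind_secrets(SAMPLE_DEBUG_LOG))
```

Run the redaction before the log leaves the box; the verdicts tell you whether to look at the user store configuration (dn_not_found) or at the credential itself (invalid_credentials).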
I'm using WSO2 ESB version 4.0.3 with some features installed, such as Identity Provider, Identity SAML2.0 Single Sign-on, Identity XACML, BPEL, Data Services Hosting, etc.
Following the instructions from here, I set up SSO Authentication for the ESB Management Console. The sign-in works just fine, but not the sign-out. In the log I can see the following information:
TID: [] [WSO2 ESB] [2012-06-08 18:12:59,592] INFO {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - 'admin' logged out at [2012-06-08 18:12:59,0592] {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator}
after which I get errors. Furthermore, the browser shows as if I'm still logged in.
Here are the errors I'm getting:
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,581] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2012-06-08 18:13:03,0581] from IP address : Service is RegistryAdminService {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,584] ERROR {org.apache.axis2.engine.AxisEngine} - Access Denied. Please login first. {org.apache.axis2.engine.AxisEngine}
...
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,599] ERROR {org.wso2.carbon.ui.clients.RegistryAdminServiceClient} - Error occurred while checking registry mode {org.wso2.carbon.ui.clients.RegistryAdminServiceClient}
org.apache.axis2.AxisFault: Access Denied. Please login first.
...
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,879] ERROR {org.wso2.carbon.server.admin.ui.ServerAdminClient} - Cannot get server data. Backend service may be unavailable {org.wso2.carbon.server.admin.ui.ServerAdminClient}
org.apache.axis2.AxisFault: Access Denied. Please login first.
Am I missing something in the configuration? If not, can someone please explain what is happening?
Note: The errors are repeating.
These repetitive errors mean you are logged out from the back end, and it tries to refresh a page like the Carbon home page or statistics page by invoking the corresponding BE services.
Is WSO2 IS running as a separate node, or are the necessary IdP features installed in the ESB?
Thilina