I have a new production instance of WSO2. When I add a new user through the console of the Identity Server, it is added and I can see in users list and in the SQL DB. However I am unable to log on to IS with this user name. The only err is:
TID: [0] [IS] [2015-12-28 09:39:50,292] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'txritter[-1234]' at [2015-12-28 09:39:50,291-0500] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Any ideas appreciated.
Thanks
I found the problem. When creating a new user in WSO2 console, it shows the internal/subscriber role as selected but after adding the user the role is not selected. Selecting this role and updating user allows new user to log on. We are using version 5.0.
Related
I setup IS as Key Manager for API-M. Then I tried to create new tenant
Login IS carbon console with super tenant
Create new tenant with domain and admin user
Login IS carbon console with new tenant's admin successfully
Try to login API-M carbon console with new tenant's admin.
Console of API-M shows: CarbonAuthenticationUtil Failed Administrator login attempt 'newuser[3]'
However, i can login in API Publisher with new user
What additional configuration that i should do ?
It looks like you haven't shared user store and permission DB correctly across APIM and IS. Please check user-mgt.xml in both products. If possible attache user-mgt.xml and master-datasources.xml in both products by removing sensitive information like database, LDAP passwords ...etc.
We are running WSO2 IDS, ESB, BPS in Docker containers. All components are using Identity Server and all works great, but when I'm trying to login to bpmn-explorer I'm getting "Username or password invalid!" I tried with default admin credentials, and also I have created new user directly in BPS but nothing works. Could you please tell me where can I find bpmn-explorer logs or what files I need to modify.
Had the same problem, and the solution is allowing more privileges to the admin account role on the carbon console of the BPS.
Adding more permissions on BPS to the associated admin role
And the internal exception throwed with the problem was registered on the BPS carbon.log file:
Caused by: org.wso2.carbon.user.core.UserStoreException: Invalid Permission root
path provided
Now you can enter to the bpmn-explorer console.
When I try to log into the Store with the Admin account, it displays the following message:
No Privileges to login
You do not have permission to login to this application. Please contact your administrator and request permission.
I have checked and made sure the Admin account does indeed have the permissions it needs to log into the Store. I even created a new account and gave it all permissions, and it won't allow that account to log in either.
I even went as far as to dig into the database itself through MySQL, and best I can tell the proper permissions are there.
The last time this happened to me, I ended up unzipping a fresh copy of the EMM product and creating a brand new database for it because I couldn't figure out a solution. I tried unzipping a fresh copy of the EMM product, but running on the same database, it had no change in behavior. I have a database full of data I don't want to lose now, so I'd much rather find a fix than have to wipe it all out again!
WSo2 EMM 2.0.0
Windows Server 2012 R2
MySQL 5.5
EDIT: relevant logs:
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'admin[-1234]' at [2016-03-25 05:21:19,862-0500]
TID: [-1234] [] [2016-03-25 05:21:19,862] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2016-03-25 05:21:19,0862] from IP address 10.200.201.108 while trying to authenticate access to service RemoteAuthorizationManagerService
TID: [-1234] [] [2016-03-25 05:21:19,909] WARN {JAGGERY.controllers.acs:jag} - User admin#carbon.super does not have permission to access the store application. Make sure the user has the store role.
I figured it out!
The issue is specifically triggered by changing the password on the admin account to anything but "admin". Changing it back appears to rectify the issue.
Obviously this is a bug, as the admin account should be able to have its password changed and still be able to log into the Store. To be clear, there was never any issue logging into the Publisher; just the Store. Additionally, if the admin password was changed, no accounts could log into the Store at all, regardless of their permissions level.
I tested this with a fresh EMM pack, version 2.0.0 and 2.0.1, using the H2 and MySQL 5.5. In all cases the issue occurred.
A bug report has been filed on WSo2's JIRA board here.
Is there are any configuration changes in your side.I got EMM 2.0.0 fresh pack and configure mysql 5.5.I tried to login emm store but It is working properly.
This issue is raised in once we are trying change the password from the EMM console. But We can change the admin password from the /repository/conf/user-mgt.xml
<AdminUser>
<UserName>admin</UserName>
<Password>admin</Password>
</AdminUser>
and /repository/conf/app-manager.xml admin credintials.
I have attached my Active Directory as a secondary user store and can see the list of users when i select "Users" however when accessing an APP through tomcat that is linked to SAML SSO i cannot login using an AD Account
can anyone suggest what i am missing?
the error in the system logs is
TID[-1234] [IS] [2014-02-13 13:49:02,321] DEBUG {org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator} - user authentication failed due to invalid credentials.
however my login credentials are correct...
Because i was using email address as a login that was causing the issue!
the steps i took are as follows:
IS_HOME/repository/conf/carbon.xml file.
Open carbon.xml
Locate EnableEmailUserName element and uncomment it.
Finally, it should be similar to the following
true
Now, restart IS
You should be able to login using your user name
Could you check whether you can login to WSO2 management console using above credentials. If you can not, please go to Management Console -> Configure -> Users and Roles -> Roles and you can see the internal\everyone role. And configure "login" permission for everyone role. Then please try to login...
Also, if you enable the debug logs in org.wso2.carbon.user.core, you can see more debug logs about authentication failure.
I think your configuration is not ok.same login issue already solved here.cannot login to wso2 Identity server with the ldap credentials.
Make sure UserDNPattern property is correct
I am unable to implement Multifactor Authentication .
The error i am getting is
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for wso2 Identity Server 3.2.3 . Straight out of the box. No additional configuration performed to run this instance of Identity Server.
It appears that signing in as admin , the ldap authentication is completed and then authentication with gtalk is attempted when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
<XMPPSettings>
<XMPPConfig>
<XMPPProvider>gtalk</XMPPProvider>
<XMPPServer>talk.google.com</XMPPServer>
<XMPPPort>5222</XMPPPort>
<XMPPExt>gmail.com</XMPPExt>
<XMPPUserName>multifactor1#gmail.com</XMPPUserName>
<XMPPPassword>wso2carbon</XMPPPassword>
</XMPPConfig>
</XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google talk account.
I logged out.
Logged back in via relyingparty URL with openid,
received communication over gtalk requesting pin.
I entered the pin and got logged in.
It would have been nice if wso2 had I their documentation the need to setup the settings for this configuration to get multifactor authentication to work out of the box.