Gateway Insight Displays Multiple Failed Logins with Authentication Error "User not found"
Article ID: CTX559030
Description
Gateway Insight displays multiple failed logins with authentication error "User not found".
Resolution
The error "User not found" in Gateway Insight generally means that the LDAP search could not locate the username in Active Directory. The LDAP action uses its base DN and search filter as the scope for that username search.
In this case, two LDAP policies with different priorities are bound to the first factor. Both policies point to the same LDAP server, but their search filters restrict them to different groups.
bind authentication vserver aaa_vs -policy Corp-Adv-Pol-Group-A -priority 100 -nextFactor pollabel -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy Corp-Adv-Pol-Group-B -priority 110 -nextFactor pollabel -gotoPriorityExpression NEXT
add authentication ldapAction Corp-Adv-Act-Group-A -serverIP 1.1.1.1 -serverPort 636 -authTimeout 3 -ldapBase "dc=citrixlab,dc=local" -ldapBindDn citrixadmin@citrixlab.local -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_11_09_13_09_16 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=GroupA,OU=Citrix,DC=citrixlab,DC=local" -groupAttrName memberOf -subAttributeName cn -secType SSL -svrType AD -authentication ENABLED -requireUser YES -passwdChange ENABLED -nestedGroupExtraction OFF -followReferrals OFF -referralDNSLookup A-REC -validateServerCert NO -email mail -CloudAttributes DISABLED
add authentication ldapAction Corp-Adv-Act-Group-B -serverIP 1.1.1.1 -serverPort 636 -authTimeout 3 -ldapBase "dc=citirxlab,dc=local" -ldapBindDn citrixadmin@citrixlab.local -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_11_09_13_09_16 -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=GroupB,OU=Citrix,DC=citirxlab,DC=local" -groupAttrName memberOf -subAttributeName cn -secType SSL -svrType AD -authentication ENABLED -requireUser YES -passwdChange ENABLED -nestedGroupExtraction OFF -followReferrals OFF -referralDNSLookup A-REC -validateServerCert NO -email mail -CloudAttributes DISABLED
Note: If the authentication policy fails, then the next lower priority (higher priority number) authentication policy in the same factor is evaluated.
Checking /var/log/nsvpn.log further shows that three situations will produce the authentication error "User not found" seen in Gateway Insight:
Scenario 1:
User1 does not exist in Active Directory: all the LDAP policies in the first factor fail, and the authentication error "User not found" is recorded twice in Gateway Insight.
Scenario 2:
User2 belongs to GroupA. If user2 enters an incorrect password, the first LDAP policy fails with an invalid-credential error and the second LDAP policy fails with "User not found".
Scenario 3:
User3 belongs to GroupB. When user3 logs in normally, the first LDAP policy fails with "User not found" and the second LDAP policy succeeds.
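The following Python model, added here as an illustration and not part of the original article or of any Citrix code, walks through the policy evaluation described above. It assumes a constructed directory with two users, the group DNs from the actions shown earlier, and the rule that within one factor the policy with the lowest priority number is evaluated first and evaluation stops at the first success. It shows why each scenario yields the "User not found" entries it does: the search filter is applied together with the login name, so a user outside a policy's group is simply not returned by that policy's search.

```python
# Added example (not Citrix code): a minimal model of two LDAP policies in one
# authentication factor, each restricted to a different group by its search
# filter, and of the results Gateway Insight would record per login attempt.
# Users, passwords and directory contents below are constructed for the demo.

from dataclasses import dataclass


@dataclass
class LdapUser:
    sam_account_name: str
    password: str
    member_of: list  # group DNs the user belongs to


@dataclass
class LdapAction:
    name: str
    search_filter: str  # e.g. "memberOf=CN=GroupA,OU=Citrix,DC=citrixlab,DC=local"


# Group DNs as used in the searchFilter of the two actions in the article
GROUP_A = "CN=GroupA,OU=Citrix,DC=citrixlab,DC=local"
GROUP_B = "CN=GroupB,OU=Citrix,DC=citrixlab,DC=local"

# Constructed directory under dc=citrixlab,dc=local; "user1" does not exist
DIRECTORY = {
    "user2": LdapUser("user2", "Correct-Pass-2", [GROUP_A]),
    "user3": LdapUser("user3", "Correct-Pass-3", [GROUP_B]),
}

# Policies bound to the first factor: (priority, action). Lower number first.
POLICIES = [
    (100, LdapAction("Corp-Adv-Act-Group-A", f"memberOf={GROUP_A}")),
    (110, LdapAction("Corp-Adv-Act-Group-B", f"memberOf={GROUP_B}")),
]


def ldap_search(action, username):
    """Model the user search: the login name (sAMAccountName) AND the
    configured searchFilter must both match; otherwise no entry is returned."""
    user = DIRECTORY.get(username)
    if user is None:
        return None
    attr, _, value = action.search_filter.partition("=")
    if attr != "memberOf" or value not in user.member_of:
        return None
    return user


def evaluate_action(action, username, password):
    """One LDAP policy: search first, then bind as the found user."""
    user = ldap_search(action, username)
    if user is None:
        return "User not found"
    if user.password != password:
        return "Invalid credentials"
    return "Success"


def evaluate_factor(username, password):
    """Walk the factor's policies in priority order, stopping at the first
    success. Returns [(policy name, result), ...], which is what Gateway
    Insight ends up showing for the attempt."""
    results = []
    for _, action in sorted(POLICIES, key=lambda p: p[0]):
        outcome = evaluate_action(action, username, password)
        results.append((action.name, outcome))
        if outcome == "Success":
            break
    return results


def user_not_found_count(results):
    """How many "User not found" entries one login attempt produces."""
    return sum(1 for _, r in results if r == "User not found")


if __name__ == "__main__":
    attempts = [
        ("user1", "anything"),        # Scenario 1: user does not exist
        ("user2", "wrong-password"),  # Scenario 2: GroupA user, bad password
        ("user3", "Correct-Pass-3"),  # Scenario 3: GroupB user, normal login
    ]
    for name, pw in attempts:
        res = evaluate_factor(name, pw)
        print(name, res, "-> User not found x", user_not_found_count(res))
```

Running the block prints one line per scenario. Note that only Scenario 1 represents a real failure for the user; Scenarios 2 and 3 produce "User not found" from the policy whose group the user is not a member of, so a single such entry next to an invalid-credential error or a success in the other policy is expected with this configuration rather than a sign of a missing account.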