Resolving login errors with Active Directory accounts

If you get an error when you log in to IBM® QRadar® with a valid Active Directory account, verify whether you have time synchronization issues.

About this task

When a valid Active Directory account is not synchronized with your QRadar Console, a login error similar to the following might occur:

The username and password you supplied are not valid. Please try again.

You can manually synchronize data between the QRadar server and the LDAP authentication server.

If you use authorization that is based on user attributes or groups, user information is automatically imported from the LDAP server to the QRadar console.

Each group that is configured on the LDAP server must have a matching user role or security profile that is configured on the QRadar console. For each group that matches, the users are imported and assigned permissions that are based on that user role or security profile.

By default, synchronization happens every 24 hours. The timing for synchronization is based on the last run time. For example, if you manually run the synchronization at 11:45 pm, and set the synchronization interval to 8 hours, the next synchronization will happen at 7:45 am. If the access permissions change for a user that is logged in when the synchronization occurs, the session becomes invalid. The user is redirected back to the login screen with the next request.

To resolve the issue, complete the following steps.

Procedure

  1. If your Active Directory was not recently configured, use SSH to log in to QRadar as the root user.
  2. Type the following command:

    cat /opt/qradar/conf/login.conf

  3. Verify that the server is configured for Active Directory authentication.
    For example, the output for a server that is configured for Active Directory authentication might resemble the following:

    LDAPServerURL=ldaps://<server>:<port>

    The <server> value is the Active Directory domain controller that receives the QRadar authentication requests, and <port> is the LDAP port on that controller. 389 is the default Active Directory LDAP port.

  4. Copy the Active Directory domain controller IP address.
  5. Type the following command and use the Active Directory domain controller IP address for the <server> option:

    ntpdate -q <server>

  6. Check whether the reported offset is more than +/- 300 seconds.
    The output might resemble the following example:

    server 192.0.2.0, stratum 3, offset -10774.586000, delay 0.04221
    19 Nov 13:59:16 ntpdate[22011]: step time server 192.0.2.0 offset -10774.586000 sec

    If the offset is more than +/- 300 seconds, the time difference between the QRadar Console and the Active Directory server is what causes the authentication issues.

  7. Restart the QRadar web service by typing the following command:

    service tomcat restart

    Restarting the QRadar web service logs off all users, stops exporting events, and stops generating reports. You might need to manually restart some reports or wait for a maintenance window to complete this procedure.

  8. If the QRadar Console system time and the Active Directory server system time differ by at least 5 minutes, follow these steps:
    1. Click the Admin tab.
    2. On the navigation menu, click System Configuration.
    3. Click Authentication.
    4. In the Authentication Module list, select LDAP.
    5. Click Manage Synchronization > Run Synchronization Now.
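The following shell script is an added example and is not part of the IBM QRadar documentation. It automates the check in steps 2 through 6: it extracts the domain controller host from the LDAPServerURL line of login.conf, parses the offset reported by ntpdate -q, and reports whether the skew exceeds the 300-second (5-minute) tolerance the procedure describes. The host name dc01.example.test, the port, the RUN_LIVE switch and the helper function names are assumptions made for this example; the login.conf path is the one given in the procedure, and the sample ntpdate output is constructed from the example shown in step 6.

```shell
#!/bin/sh
# Added example, not from the IBM QRadar documentation: parse the
# LDAPServerURL line from login.conf and the output of "ntpdate -q",
# then report whether the clock offset exceeds the 300-second
# (5-minute) tolerance used in the troubleshooting procedure.
# The host name, port and sample output below are constructed.

MAX_OFFSET_SECONDS=300

# Read a login.conf on stdin and print the host from the line
#   LDAPServerURL=ldaps://<server>:<port>
ldap_host_from_conf() {
    sed -n 's|^LDAPServerURL=[A-Za-z]*://\([^:/]*\).*$|\1|p' | head -n 1
}

# Read "ntpdate -q" output on stdin and print the signed offset in
# seconds taken from the "server ..., offset N, delay ..." line.
ntpdate_offset() {
    awk '/^server / {
        for (i = 1; i <= NF; i++) {
            if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
        }
    }'
}

# Exit 0 when |offset| <= MAX_OFFSET_SECONDS, 1 when the skew is too large.
offset_within_tolerance() {
    awk -v o="$1" -v max="$MAX_OFFSET_SECONDS" \
        'BEGIN { if (o < 0) o = -o; exit ((o <= max) ? 0 : 1) }'
}

# Human-readable verdict for an offset value, mirroring step 6 of the procedure.
skew_verdict() {
    if offset_within_tolerance "$1"; then
        echo "offset ${1}s is within ${MAX_OFFSET_SECONDS}s: clocks are in sync"
    else
        echo "offset ${1}s exceeds ${MAX_OFFSET_SECONDS}s: fix time sync, then restart tomcat"
    fi
}

# Constructed sample input (hypothetical host; ntpdate lines modelled on step 6).
SAMPLE_CONF='LDAPServerURL=ldaps://dc01.example.test:636'
SAMPLE_NTPDATE='server 192.0.2.0, stratum 3, offset -10774.586000, delay 0.04221
19 Nov 13:59:16 ntpdate[22011]: step time server 192.0.2.0 offset -10774.586000 sec'

sample_host()   { printf '%s\n' "$SAMPLE_CONF" | ldap_host_from_conf; }
sample_offset() { printf '%s\n' "$SAMPLE_NTPDATE" | ntpdate_offset; }

# On a real QRadar Console (as root, with RUN_LIVE=1): read the configured
# domain controller and query it with "ntpdate -q", which only reports the
# offset and does not step the clock. Otherwise run against the sample data.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    host=$(ldap_host_from_conf < /opt/qradar/conf/login.conf)
    offset=$(ntpdate -q "$host" | ntpdate_offset)
    skew_verdict "$offset"
else
    echo "sample host:   $(sample_host)"
    echo "sample offset: $(sample_offset)"
    skew_verdict "$(sample_offset)"
fi
```

Run without arguments to see the check applied to the sample data (the constructed offset of -10774.586 seconds is far outside the tolerance, so the verdict points at time synchronization); run as root on the Console with RUN_LIVE=1 to query the configured domain controller. Because ntpdate -q only queries, the script changes nothing on the system; correcting the clock and restarting tomcat (step 7) remain manual steps.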