IBM Support

Some users unable to login from Workplace XT and Content Navigator

Troubleshooting


Problem

Some users, but not all, cannot log in from either FileNet Workplace XT or Content Navigator (ICN). Workplace XT returns an "Invalid credentials entered" error. ICN returns "The user ID or password is not valid for the server."

Symptom

The following log entries were found in the ICN and p8 log files:

ICN.out


[06/26/14 23:03:04:748 PDT] 0000001a SystemOut O CIWEB Error: [vballam @ 10.65.84.109] com.ibm.ecm.struts.actions.authentication.ContainerLogonAction.doContainerLogin() javax.security.auth.login.LoginException: java.lang.SecurityException: java.lang.StackOverflowError

[06/26/14 23:15:50:405 PDT] 0000001a SystemOut O CIWEB Error: [vballam @ 10.65.84.109] com.ibm.ecm.struts.actions.p8.P8LogonAction.createP8Connection()
com.filenet.api.exception.EngineRuntimeException: FNRCE0040E: E_NOT_AUTHENTICATED: The user is not authenticated. Message was: javax.security.auth.login.LoginException: java.lang.SecurityException: User: <username>, failed to be authenticated.

p8_server_error.log


2014-06-24T09:06:35.440 6EAC6EAC WSI FNRCE0000I - INFO [WSIAuthenticatorImpl] login exception: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User <domain>\<username>javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User <domain>\<username> denied

2014-06-24T09:09:32.226 6BAB6BAB WSI FNRCE0000E - ERROR [WSIAuthenticatorImpl] login exception: javax.security.auth.login.LoginException: java.lang.SecurityException: [Security:090304]Authentication Failed: User <username>@ibm.corp.usa.com javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User <username>@ibm.corp.usa.com denied

The p8_server_trace.log file contains an INFO message that corresponds to a failed login attempt from ICN. The message shows a login exception followed by a group search that is repeated thousands of times:

2014-06-26T23:15:52.851 740A740A WSI FNRCE0000I - INFO [WSIAuthenticatorImpl] login exception: javax.security.auth.login.LoginException: java.lang.SecurityException: java.lang.StackOverflowError

Where the following line is repeated:

weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.searchGroupUnlimited(LDAPAtnLoginModuleImpl.java:567)

Cause

The repeated searchGroupUnlimited frames indicate that WebLogic may be looping through group memberships while trying to authenticate the affected users, possibly because of a problem with nested groups.

Environment

P8 CPE 5.2.0.3
Weblogic 12.1.1.0
Linux
ICN 2.0.2
WPXT 1.1.5

Resolving The Problem

Change the LDAP parameters available from the Performance page of the provider realm configuration in BEA WebLogic.

  1. In the WLS Admin Console

  2. Navigate to Security Realms [Domain Structure]

  3. <Realm>

  4. Providers [Tab]

  5. <Authenticator>

  6. Providers [Tab]

  7. <Provider>

  8. Configuration [Tab]

  9. Provider Specific [Sub-tab]:


    Change the Group Membership Searching from unlimited to limited.


    This attribute controls whether group searches are limited or unlimited in depth. This option controls how deeply to search into nested groups. For configurations that use only the first level of nested group hierarchy, this option allows improved performance during user searches by limiting the search to the first level of the group.

    If a limited search is defined, Max Group Membership Search Level must be defined.


    Set Max Group Membership Search Level = 0

    0—Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members will not be found by this search.

    Set Group Hierarchy Cache TTL to 6000 sec.

    This attribute specifies the number of seconds cached entries stay in the cache. The default is 60 seconds. A value of 6000 is recommended.
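
The failure and the effect of the limited setting, modeled in Python as an added example (not IBM or WebLogic code). It assumes the loop comes from two groups nested inside each other, which this page only suggests as a possibility; all names, functions and data are constructed.

```python
# Constructed data: principal or group -> groups it is a direct member of.
MEMBER_OF = {
    "alice": ["Finance"], "bob": ["Engineering"],
    "Finance": ["AllStaff"], "Engineering": ["Contractors"],
    "Contractors": ["Engineering"],  # assumed fault: groups nested in each other
}

def naive_unlimited(name, member_of):
    """Model of an unlimited search: recursion, no depth cap, no visited set."""
    found = set()
    for parent in member_of.get(name, []):
        found |= {parent} | naive_unlimited(parent, member_of)
    return found

def limited(name, member_of, max_level):
    """Depth-capped search; max_level=0 returns direct groups only."""
    found, frontier = set(), [name]
    for _ in range(max_level + 1):
        frontier = [p for n in frontier for p in member_of.get(n, [])
                    if p not in found]
        found.update(frontier)
    return found

def find_cycles(member_of):
    """Return each membership loop once, as a list of group names."""
    cycles, done = [], set()
    def walk(node, path):
        if node in path:
            cycles.append(path[path.index(node):])
        elif node not in done:
            for parent in member_of.get(node, []):
                walk(parent, path + [node])
            done.add(node)
    for start in sorted(member_of):
        walk(start, [])
    return cycles

def affected(member_of, principals):
    """Principals whose unlimited lookup overflows the stack."""
    bad = []
    for p in principals:
        try:
            naive_unlimited(p, member_of)
        except RecursionError:  # Python's counterpart of StackOverflowError
            bad.append(p)
    return bad

if __name__ == "__main__":
    print(find_cycles(MEMBER_OF), affected(MEMBER_OF, ["alice", "bob"]))
```

Only bob, whose group chain reaches the loop, fails in the unlimited model, which matches the "some users" symptom. With the level set to 0, alice is no longer resolved into AllStaff, so check whether any access depends on nested membership before applying the change.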


Document Information

Modified date:
17 June 2018

UID

swg21678119