AD/LDAP login loop



Hello!

I've set up the AD authentication in Prism.
Everything seems to be right with the settings. Even using the "Test" function works well and the account can be verified from our Active Directory.

For some reason, when I log out and try to log in with my AD credentials it starts some kind of loop.
I try to type the account in my.name@domain.local format at the login screen. If I try to log in with wrong credentials it warns me about it.

So it seems that the authentication from AD works, but when I type in correct credentials it starts to log in and shows the Nutanix logo, but then falls back to the login screen again.
In the Prism Web Console tasks view I can see that I've successfully logged in but immediately also logged out.

Does anyone have any clue what is happening?
Prism is using HTTPS with a certificate.
LDAP is over LDAPS and the connection is working (many other services use LDAPS from the AD server without issues).

The cluster is on the latest version.


9 replies

Do you have the recursive (I think that is what it’s called) lookup checkbox selected?

I tried with and without. No change 😟

You may want to double-check your assignments under "Role Mapping" to make sure that your AD users or groups have the correct (or any) privileges on your cluster.

Hello!

I've double checked and tested it.
In role mapping I first made a "cluster admin" role for an existing AD group. After that I made a single "cluster admin" role only for my AD account.

Both ways had the same issue. Instantly after login it logs out.
Seems like the authentication is working but something is forcing me to log out. The Prism events section is full of successful logins and logouts. No fails for user authentication.

I have seen this before if the actual Prism service is crashing on the current node and moving to a new node. Can you log in with the local admin user with no issues?

@Zumi
Are you on AOS 5.10.4? Can you open a support case so that we can check this?

Hello!

The issue was in the AD reader account. The account didn't have enough permissions to read the directory.
At least giving more permissions to the user fixed the issue.

I am having exact same issue. Any way to fix it?

I just encountered a similar issue. Make sure you have the host configuration set with hostname.domain.ext. I’ve been told that changing the ports to either 636 (ldaps), 3268 or 3269 (global catalog LDAP ports). In my case I didn’t have to do that, but I did have to specify an AD server as my LDAP host. I don’t control any of the AD, and I’ve yet to get an answer as to why I had to do that, but it did work. Maybe it will work for you as well. Good luck!

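An added pre-flight check, not code from this thread or from Nutanix, for the points raised above (FQDN host, LDAPS on 636 or the global catalog ports 3268/3269): it parses the directory URL, flags an IP or bare hostname, classifies the port, and can open a certificate-verified TLS session so a name or CA mismatch surfaces here instead of at the login screen. The `ldap(s)://host[:port]` form and the host names are assumptions/constructed.

```python
"""Sanity-check an LDAP directory URL before configuring it in Prism.

Added example, not code from this thread or from Nutanix.  Assumes the
directory is given as ldap(s)://host[:port]; host names are constructed.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Well-known AD ports: plain/LDAPS and the global catalog equivalents.
PORT_ROLES = {389: "ldap", 636: "ldaps", 3268: "gc-ldap", 3269: "gc-ldaps"}


def describe_ldap_url(url: str) -> dict:
    """Parse a directory URL and list the configuration problems found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    problems = []
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append("scheme must be ldap:// or ldaps://")
    try:
        ipaddress.ip_address(host)  # succeeds only for an IP literal
        problems.append("host is an IP address; use hostname.domain.ext "
                        "so TLS hostname verification can match the certificate")
    except ValueError:
        if "." not in host:
            problems.append("host is a bare name, not an FQDN (hostname.domain.ext)")
    if port not in PORT_ROLES:
        problems.append(f"port {port} is not a standard LDAP/global catalog port")
    elif parts.scheme == "ldap" and port in (389, 3268):
        problems.append("cleartext LDAP; prefer ldaps:// on 636 or 3269")
    elif parts.scheme == "ldaps" and port in (389, 3268):
        problems.append("ldaps:// scheme but a plaintext port; use 636 or 3269")
    return {"host": host, "port": port, "role": PORT_ROLES.get(port, "unknown"),
            "problems": problems}


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Open a certificate-verified TLS session to the directory (network required).

    Returns the peer certificate's subject CN; raises ssl.SSLCertVerificationError
    when the name does not match or the issuing CA is not trusted, which is the
    failure a bare hostname or IP address can trigger.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

`probe_ldaps` needs network access to the directory, so only `describe_ldap_url` is exercised offline.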