OAM/EBS Logins Fail the First Time for OID Users Sync'd from AD | OAM log error: OAMSSA-20023: Authentication Failure for user : <USERNAME>, for idstore <ID_STORE> with exception invalid username/password with primary error message null
(Doc ID 1903188.1)
Last updated on JANUARY 09, 2024
Applies to:
Oracle Internet Directory - Version 10.2.1.0 and later
Oracle Access Manager - Version 11.1.2.0.0 to 11.1.2.0.0 [Release 11g]
Information in this document applies to any platform.
Symptoms
Oracle Internet Directory (OID) 11g is integrated with Microsoft Active Directory (MS AD) through the External Authentication Plug-ins, and Oracle Access Manager (OAM) provides SSO for E-Business Suite (EBS).
EBS/OAM logins for users synchronized from AD to OID work consistently and quickly in one OAM/OID environment but not in another.
The first time, the login returns a message that the SSO login is not in sync with EBS and prompts to enter the EBS password.
After that, a subsequent login retry no longer prompts for the password and the login succeeds.
Most (~99%) of the time, the login works on the second try.
The oam.log shows:
oracle.security.am.engine.authn.api.exception.AuthenticationException
at oracle.security.am.engine.authn.internal.executor.AuthenticationModuleExecutor.checkAndThrowAuthenticationException(AuthenticationModuleExecutor.java:321)
at oracle.security.am.engine.authn.internal.executor.AuthenticationModuleExecutor.execute(AuthenticationModuleExecutor.java:242)
at oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor.execute(AuthenticationSchemeExecutor.java:98)
...<etc>...
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20023: Authentication Failure for user : <USERNAME>, for idstore <ID_STORE> with exception invalid username/password with primary error message null
at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.authenticateUserByName(UserProviderImpl.java:1040)
at oracle.security.am.engines.common.identity.provider.impl.IdentityProviderImpl.authenticateUserByName(IdentityProviderImpl.java:911)
at oracle.security.am.engines.common.identity.provider.impl.OracleUserIdentityProvider.authenticateUserByName(OracleUserIdentityProvider.java:461)
at oracle.security.am.engine.authn.internal.executor.AuthenticationModuleExecutor.execute(AuthenticationModuleExecutor.java:212)
... 42 more
Caused by: oracle.security.idm.AuthenticationException: invalid username/password
at oracle.security.idm.providers.oid.OIDUserManager.authenticateUser(OIDUserManager.java:369)
at oracle.security.idm.providers.oid.OIDUserManager.authenticateUser(OIDUserManager.java:92)
at oracle.security.am.engines.common.identity.provider.impl.UserProviderImpl.authenticateUserByName(UserProviderImpl.java:1028)
... 45 more
]]
The corresponding entries in the OID server log (debug level 1, matched to the OAM entry by ecid) show that the ldapcompare operation succeeds (RESULT=6, the LDAP compareTrue result code) but takes a long time (e.g., OPtime=8024000 micro sec, roughly 8 seconds):
BEGIN
ConnID:<CONN_ID> mesgID:<MESG_ID> OpID:<OP_ID> OpName:search ConnIP:::ffff: ConnDN:cn=orcladmin
orclinmemFilter:
Orig Filter(numAVAFilters=2):(&(cn=<USERNAME>)(objectclass=inetorgperson))
Removed Filter: (objectclass=inetorgperson)
New Filter(numAVAFilters=1):(cn=<USERNAME>)
2014-06-18T12:31:04 * INFO :gslfseADoSearch BASE = cn=users,dc=<COMPANY>,dc=com FILTER = (cn=<USERNAME>) #REQDATTR = 7 SCOPE = 2 REQDATTRS = mail cn description orclguid objectclass displayname cn
TIMELIMIT = 0 SIZELIMIT = 0 DEREF = 3
2014-06-18T12:31:04 * INFO:gsleswrASndResult OPtime=2867 micro sec RESULT=0 tag=101 nentries=1
END
]]
[2014-06-18T12:31:04-05:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: <PID>] [tid: <TID>] [ecid: <ECID>] ServerWorker (REG):[[
BEGIN
ConnID:<CONN_ID> mesgID:<MESG_ID> OpID:<OP_ID> OpName:compare ConnIP:::ffff: ConnDN:cn=orcladmin
gslfcmADoCompare: <IP> (::ffff:) dn (cn=<USERNAME>,ou=<OU>,cn=users,dc=<COMPANY>,dc=com) attr (userpassword) value(******)
2014-06-18T12:31:12 * INFO:gsleswrASndResult OPtime=8024000 micro sec RESULT=6 tag=111 nentries=0
END
]]
Checking further ldapcompare operations in the OID log shows that the OPtime values vary widely: most compares complete in roughly 15-17 ms, but some take over 8 seconds, for example:
2014-06-18T12:29:55 * INFO:gsleswrASndResult OPtime=8042413 micro sec RESULT=6 tag=111 nentries=0
2014-06-18T12:29:58 * INFO:gsleswrASndResult OPtime=16866 micro sec RESULT=6 tag=111 nentries=0
2014-06-18T12:30:23 * INFO:gsleswrASndResult OPtime=15188 micro sec RESULT=6 tag=111 nentries=0
2014-06-18T12:31:12 * INFO:gsleswrASndResult OPtime=8024000 micro sec RESULT=6 tag=111 nentries=0
2014-06-18T12:31:14 * INFO:gsleswrASndResult OPtime=17039 micro sec RESULT=6 tag=111 nentries=0
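Rather than reading OPtime values off the log by eye, the OID server log can be scanned for compare operations that exceed a threshold, and each slow one matched against the oam.log failure by its ecid. The following Python is an added example, not part of this Oracle note and not an Oracle tool; the 1 s threshold, the function names and the sample log (constructed from the excerpts above, with placeholder ecids, connection IDs and DNs) are this example's own assumptions.

```python
"""Scan an OID server (oidldapd) debug log for slow ldapcompare operations.

Added example, not part of the Oracle note. The 1 s threshold, the constructed
SAMPLE_LOG and the function names are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LDAP result codes that appear on the gsleswrASndResult line (RFC 4511).
LDAP_RESULT_NAMES = {0: "success", 5: "compareFalse", 6: "compareTrue",
                     49: "invalidCredentials"}

# ODL record header: carries the ecid used to correlate with oam.log entries.
_HEADER_RE = re.compile(r"\[ecid: (?P<ecid>[^\]]*)\]")
# First line inside BEGIN: connection id and operation type.
_OP_RE = re.compile(r"ConnID:(?P<conn>\S+) mesgID:\S+ OpID:\S+ OpName:(?P<name>\w+)")
# Result line: elapsed time in microseconds and the LDAP result code.
_RESULT_RE = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \* INFO\s*:"
                        r"gsleswrASndResult OPtime=(?P<optime>\d+) micro sec RESULT=(?P<result>\d+)")


@dataclass
class OidOperation:
    ecid: Optional[str]   # None when the block was captured without its ODL header
    conn_id: str
    op_name: str          # search, compare, bind, ...
    timestamp: str        # taken from the result line
    optime_us: int
    result: int

    @property
    def optime_s(self) -> float:
        return self.optime_us / 1_000_000

    @property
    def result_name(self) -> str:
        return LDAP_RESULT_NAMES.get(self.result, f"code {self.result}")


def parse_oid_log(text: str) -> List[OidOperation]:
    """Return one OidOperation per BEGIN/END block that has a result line."""
    ops: List[OidOperation] = []
    ecid = conn_id = op_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEADER_RE.search(line):
            ecid = m.group("ecid") or None
        elif m := _OP_RE.search(line):
            conn_id, op_name = m.group("conn"), m.group("name")
        elif (m := _RESULT_RE.search(line)) and op_name is not None:
            ops.append(OidOperation(ecid, conn_id, op_name, m.group("ts"),
                                    int(m.group("optime")), int(m.group("result"))))
        elif line in ("END", "]]"):  # record finished: forget per-record state
            ecid = conn_id = op_name = None
    return ops


def slow_compares(ops: List[OidOperation], threshold_s: float = 1.0) -> List[OidOperation]:
    """Compare operations that took at least threshold_s seconds, slowest first."""
    slow = [op for op in ops if op.op_name == "compare" and op.optime_s >= threshold_s]
    return sorted(slow, key=lambda op: op.optime_us, reverse=True)


# Constructed sample modelled on the note's excerpts: a fast search, a slow
# compare (8.024 s) and a fast compare. <ECID-n>, <CONN-n>, jdoe are placeholders.
SAMPLE_LOG = """\
[2014-06-18T12:31:04-05:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: <PID>] [tid: <TID>] [ecid: <ECID-1>] ServerWorker (REG):[[
BEGIN
ConnID:<CONN-1> mesgID:<MESG-1> OpID:<OP-1> OpName:search ConnIP:::ffff: ConnDN:cn=orcladmin
2014-06-18T12:31:04 * INFO :gslfseADoSearch BASE = cn=users,dc=example,dc=com FILTER = (cn=jdoe) #REQDATTR = 7 SCOPE = 2
2014-06-18T12:31:04 * INFO:gsleswrASndResult OPtime=2867 micro sec RESULT=0 tag=101 nentries=1
END
]]
[2014-06-18T12:31:04-05:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: <PID>] [tid: <TID>] [ecid: <ECID-1>] ServerWorker (REG):[[
BEGIN
ConnID:<CONN-1> mesgID:<MESG-2> OpID:<OP-2> OpName:compare ConnIP:::ffff: ConnDN:cn=orcladmin
gslfcmADoCompare: <IP> (::ffff:) dn (cn=jdoe,ou=people,cn=users,dc=example,dc=com) attr (userpassword) value(******)
2014-06-18T12:31:12 * INFO:gsleswrASndResult OPtime=8024000 micro sec RESULT=6 tag=111 nentries=0
END
]]
[2014-06-18T12:31:14-05:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: <PID>] [tid: <TID>] [ecid: <ECID-2>] ServerWorker (REG):[[
BEGIN
ConnID:<CONN-2> mesgID:<MESG-3> OpID:<OP-3> OpName:compare ConnIP:::ffff: ConnDN:cn=orcladmin
2014-06-18T12:31:14 * INFO:gsleswrASndResult OPtime=17039 micro sec RESULT=6 tag=111 nentries=0
END
]]
"""

if __name__ == "__main__":
    for op in slow_compares(parse_oid_log(SAMPLE_LOG)):
        print(f"{op.timestamp} ecid={op.ecid or '-'} conn={op.conn_id} "
              f"compare {op.optime_s:.3f}s {op.result_name}")
```

Run against a real oidldapd log, the ecid printed for each slow compare is the value to look up in oam.log: a compare that reports compareTrue yet took several seconds, on the same ecid as an OAMSSA-20023 entry, is the pattern the note describes. The search blocks are parsed too, so a lowered threshold or a different op_name filter shows whether the delay is specific to compares.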
Changes
Cause