Cisco Bug: CSCvh80768 - ISE 2.3 no patches, unable to login to sponsor portal with internal user

Last Modified

Aug 21, 2019

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.3(0.298)

Description (partial)

Symptom:
Errors observed in the GUI:
"[ 400 ] Bad Request The request is invalid due to malformed syntax or invalid data."

Errors observed in the Reports:
"NO_SPONSOR_GROUP_MEMBERSHIP"

Conditions:
- ISE 2.3 no patches
- connection to Active Directory configured
- Identity Source Sequence configured as:
	'Internal Hosts'
	'Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError"'
- internal user with the same name as in AD
- sponsor portal configured to use ISS described above

ad_agent.log clearly shows an attempt to resolve the user's identity in Active Directory,
even though the sponsor portal's identity store is configured for Internal Users only.

==> ad_agent.log <==
01/02/2018 11:23:54,DEBUG  ,140067429365504,Lsa User Manager - checking user credentials refresh list,LsaUmpCheckUsers(),lsass/server/auth-providers/ad-open-provider/lsaum_p.c:702
01/02/2018 11:23:54,DEBUG  ,140067429365504,LsaDmpIsDomainOffline: checking status of domain EXAMPLE.COM,LsaDmpIsDomainOffline(),lsass/server/auth-providers/ad-open-provider/lsadm.c:3158
01/02/2018 11:23:55,DEBUG  ,140068841023232,Permission granted for (uid = 300, gid = 300, pid = 9887) to open LsaIpcServer,LsaSrvIpcCheckPermissions(),lsass/server/api/ipc_state.c:85
01/02/2018 11:23:55,VERBOSE,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b) Accepted <local euid:300 egid:300 pid:9887>,lwmsg_peer_log_accept(),lwmsg/src/peer-log.c:230
01/02/2018 11:23:55,TRACE  ,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b >> 0) call req LSA2_Q_RESOLVE_ID: 
    {
        pszIdentity = "jakrupa"
        ppszJoinPoints = 
        {
            "example.com"
            <null>
        }
        dwSearchFlags = 1
        pszSessionId = "mgmt-srv-ise-1/306848915/13"
    },lwmsg_peer_log_message(),lwmsg/src/peer-log.c:153
	
01/02/2018 11:23:56,TRACE  ,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b >> 0) call res LSA2_R_RESOLVE_ID: 
    {
        pResolvedIdentitiesDataList = 
        {
            dwCount = 1
            ppResolvedIdentityData = 
            {
                {
                    pszResolvedIdentity = "jakrupa@example.com"
                    pszProviderInstance = "EXAMPLE.COM"
                    pszResolvedDN = "CN=jakrupa,CN=Users,DC=example,DC=com"
                    pszResolvedDNSDomain = "example.com"
                    pszResolvedNetBiosName = "EXAMPLE0"
                    pszResolvedObjectCategory = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"
                }
            }
        }
        pFGLogData = 
        {
            pMessagesListData = 
            {
                dwStringsCount = 4
                ppszStrings = 
                {
                    "1517480635501 24325 "jakrupa" AD-Log-Id=1517474440/411, 
"
                    "1517480635501 24313 "example.com" AD-Log-Id=1517474440/412, 
"
                    "1517480636057 24319 "example.com" AD-Log-Id=1517474440/415, 
"
                    "1517480636057 24323 "" AD-Log-Id=1517474440/416, 
"
                }
            }
            pAttributesListData = 
            {
                dwStringsCount = 1
                ppszStrings = 
                {
                    "AD-Log-Id=1517474440/416"
                }
            }
        }
        dwError = 0
    },lwmsg_peer_log_message(),lwmsg/src/peer-log.c:153
	
	
==> console.log <==
2018-02-01 11:23:56,198 WARN   [RMI TCP Connection(198)-127.0.0.1][] SystemConsole -::::- com.cisco.epm.exceptions.AttributeNullException: envMap value should not be null
2018-02-01 11:23:56,199 WARN   [RMI TCP Connection(198)-127.0.0.1][] SystemConsole -::::-       at com.cisco.epm.common.Assert.assertObject(Assert.java:98)

==> guest.log <==
2018-02-01 11:23:56,281 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.utils.SponsorUtil -:jakrupa:- Authenticating sponsor user belongs to the following sponsor groups: <none>
2018-02-01 11:23:56,282 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: uniqueSubjectId=878994c10060f1800d2937e03f685290944bed3b fqSubjectName=fc38f410-6d8f-11e5-978e-005056bf2f0a#jakrupa@example.com authStoreName=Internal Users normailzedUserName=jakrupa
2018-02-01 11:23:56,283 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction did not find 2.1 user, guid=fc38f410-6d8f-11e5-978e-005056bf2f0a userName=jakrupa@example.com
2018-02-01 11:23:56,283 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: userName12=jakrupa@example.com
2018-02-01 11:23:56,283 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: correct adUserResolvedId=jakrupa@example.com
2018-02-01 11:23:56,284 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: adUserResolvedId=jakrupa@example.com userName12_legacy=jakrupa
2018-02-01 11:23:56,284 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.imhandler.sponsor.SponsorUserHandler -:jakrupa:- getSponsorUserLikeName list size=0
2018-02-01 11:23:56,285 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction correct 1.3 list13 size=0
2018-02-01 11:23:56,285 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction merge dup sponsor user, update guest user table, count=0
2018-02-01 11:23:56,285 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Creating new Sponsor User jakrupa@example.com authStoreName=Internal Users
2018-02-01 11:23:56,285 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Sponsor User-jakrupa@example.com come from ISE internal Store, going to create it!
2018-02-01 11:23:56,292 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- Can not find NSF User with userName=jakrupa@example.com
2018-02-01 11:23:56,292 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.exception.GuestAuthException -:jakrupa:- Employee(jakrupa@example.com) can not be found in ISE!
2018-02-01 11:23:56,292 INFO   [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Exception :Employee(jakrupa@example.com) can not be found in ISE!
com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Employee(jakrupa@example.com) can not be found in ISE!
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.retrieveNSFUser(SponsorLogin.java:889)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.createSponsorUserFromInternalUser(SponsorLogin.java:785)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:647)

2018-02-01 11:23:56,293 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.exception.GuestAuthException -:jakrupa:- Guest Access Exception
2018-02-01 11:23:56,293 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- authenticate
com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Guest Access Exception
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:704)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.parseAuthResult(SponsorLogin.java:271)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.authenticate(SponsorLogin.java:201)

Caused by: com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Employee(jakrupa@example.com) can not be found in ISE!
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.retrieveNSFUser(SponsorLogin.java:889)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.createSponsorUserFromInternalUser(SponsorLogin.java:785)
        at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:647)
		
2018-02-01 11:23:56,294 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.flowmanager.exception.FlowProcessorException -:jakrupa:- Software Error
2018-02-01 11:23:56,294 ERROR  [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.ise.portalwebaction.controller.PortalStepController -:jakrupa:- Flow Processor Exception: Software Error

==> ise-psc.log <==
2018-02-01 11:23:56,286 WARN   [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.cpm.nsf.impl.NSFUser -:::jakrupa:- User jakrupa@example.com was not found in UPS - trying to retrieve from legacy
2018-02-01 11:23:56,292 WARN   [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.cpm.nsf.impl.NSFUser -:::jakrupa:- nsflegacy is null

==> prrt-server.log <==
ADClient,2018-02-01 11:23:56,187,WARN ,0x7f28c938d700,cntx=0000001214,sesn=mgmt-srv-ise-1/306848915/13,CPMSessionID=mgmt-srv-ise-1:userauth13,user=jakrupa,[ActiveDirectoryClient::getUserAttributes] Could not retrieve attribute 'mail' for user jakrupa,ActiveDirectoryClient.cpp:1635
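
A check for the symptom pair in the excerpts above, as an added example (not Cisco code): it flags logins for which ad_agent.log shows an LSA2_Q_RESOLVE_ID request while guest.log shows a sponsor created under authStoreName=Internal Users with a name rewritten to user@domain. The function names are hypothetical, the log layout is assumed to match the excerpts, and the "alice" line is a constructed control.

```python
import re

# Constructed samples: lines copied (abbreviated) from the excerpts above, plus
# one invented control user ("alice") that never triggers an AD lookup.
AD_AGENT_LOG = '''\
01/02/2018 11:23:55,TRACE  ,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b >> 0) call req LSA2_Q_RESOLVE_ID:
    {
        pszIdentity = "jakrupa"
        ppszJoinPoints =
        {
            "example.com"
            <null>
        }
        dwSearchFlags = 1
    },lwmsg_peer_log_message(),lwmsg/src/peer-log.c:153
'''
GUEST_LOG = '''\
2018-02-01 11:23:56,285 INFO   [exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Creating new Sponsor User jakrupa@example.com authStoreName=Internal Users
2018-02-01 11:24:10,101 INFO   [exec-8][] cpm.guestaccess.auth.authentication.SponsorLogin -:alice:- inline correction Creating new Sponsor User alice authStoreName=Internal Users
'''

RESOLVE_REQ = re.compile(r'call req LSA2_Q_RESOLVE_ID:\s*\{\s*pszIdentity = "([^"]*)"')
SPONSOR_CREATE = re.compile(
    r'-:(?P<login>[^:]+):- .*Creating new Sponsor User (?P<name>\S+) '
    r'authStoreName=Internal Users')

def ad_resolved_identities(ad_agent_text):
    """Identities that ISE asked the AD agent to resolve."""
    return set(RESOLVE_REQ.findall(ad_agent_text))

def internal_store_upn_logins(guest_text):
    """(login, name) pairs where an Internal Users sponsor was renamed to user@domain."""
    hits = []
    for line in guest_text.splitlines():
        m = SPONSOR_CREATE.search(line)
        if m and "@" in m["name"] and m["name"] != m["login"]:
            hits.append((m["login"], m["name"]))
    return hits

def find_affected(ad_agent_text, guest_text):
    """Logins showing both halves of the symptom: AD lookup and renamed internal sponsor."""
    resolved = ad_resolved_identities(ad_agent_text)
    return sorted(h for h in internal_store_upn_logins(guest_text) if h[0] in resolved)

if __name__ == "__main__":
    for login, name in find_affected(AD_AGENT_LOG, GUEST_LOG):
        print(f"{login}: Internal Users sponsor rewritten to AD identity {name}")
```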