Cisco Bug: CSCvv98015 - Group lookup in authentication 'Start Test' fails if Kerberos DNS TXT record is invalid/unreachable

Last Modified

Oct 08, 2020

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

12.0.1-334

Description (partial)

Symptom:
Running the authentication test with the CLI command testauthconfig shows the error below in the 'fetch AD group information' section:

Attempting to fetch AD group information...
Failure: Exception on query to server '<AD-Server-IP>', port 389 failed :
Exception('Inquiry timed out: (\'python2.6_10_amd64_nothr/base64.py b64decode|76\', "", \'Incorrect padding\', \'[egg/ldap_client.py setup_connection_thread|2440] [_coro.pyx coro._coro.sched.with_timeout (coro/_coro.c:11765)|1099] [egg/ldap_client.py setup_connection|2522] [egg/ldap_client.py authenticate_connection|2621] [egg/config_util.py decrypt|55] [python2.6_10_amd64_nothr/base64.py b64decode|76]\')',)

Group lookup in access or decryption policies will fail when the above error is seen in the authentication test.

Conditions:
NTLM Authentication realm configured on WSA
Kerberos DNS TXT record for the domain is incorrect or not reachable