solarwinds / OrionSDK

SDK for the SolarWinds Orion platform, including tools, documentation, and samples in PowerShell, C#, Go, Perl, and Java.
https://thwack.com/OrionSDK
Apache License 2.0

API access failing against AD after 2020.2.6 upgrade. local auth fine. #291

Open njoylif opened 3 years ago

njoylif commented 3 years ago

This issue started after upgrading to 2020.2.6. I am having problems with AD creds into API. Local auth working fine. I had initial issues in web interface too with AD, but changed security to NTLM and it worked. Negotiate and basic did not work.

2021-07-23 09:56:45,823 [189] INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Cannot logon 'eynqrr6@winrx' via Interactive/Default. System.Runtime.InteropServices.COMException: The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)
2021-07-23 09:56:45,854 [189] WARN SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Failed to retrieve WindowsIdentity for user winrx\eynqrr6: System.Security.Authentication.AuthenticationException Cannot logon 'eynqrr6@winrx' via NetworkCleartext/Default.
2021-07-23 09:56:45,854 [189] ERROR SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null) Failed to validate username and password for user 'winrx\eynqrr6'. System.Security.Authentication.AuthenticationException: Cannot logon 'eynqrr6@winrx' via NetworkCleartext/Default ---> System.Runtime.InteropServices.COMException: The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)
   --- End of inner exception stack trace ---
   at SolarWinds.Orion.Web.OrionMixedModeAuth.LogonUser(String user, String domain, String password)
   at SolarWinds.Orion.Web.OrionMixedModeAuth.GetIdentity(String username, String password)
   at SolarWinds.Data.Providers.Orion.OrionAccountValidator.CheckPassword(String username, String password, OrionMembershipUser user)
   at SolarWinds.Data.Providers.Orion.OrionAccountValidator.Validate(String username, String password)
2021-07-23 09:57:08,914 [112] INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Successfully retrieved WindowsIdentity for user winrx\eynqrr6.
2021-07-23 09:57:09,633 [112] INFO SolarWinds.Orion.Web.AuthorizationManager - (null) (null) WindowsAuthorizationManager.CheckCreateUser() failed: System.ArgumentException: The (&(|(objectClass=user)(objectClass=group))(|(objectSid=S-1-5-21-3364058761-163709542-3752576580-1220)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1424)(objectSid=S-1-5-21-3364058761-163709542-3752576580-4448)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1164)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1388)(objectSid=)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1108)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1249)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1205)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1204)(objectSid=S-1-5-21-3364058761-163709542-3752576580-4203)(objectSid=S-1-5-21-3364058761-163709542-3752576580-1306)(objectSid=S-1-5-32-545))) search filter is invalid.
   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at SolarWinds.Orion.Web.Authentication.Windows.DirectoryServices.GetDistinguishedNames(IEnumerable`1 sids)
   at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.GetDomainGroups(WindowsIdentity identity, IEnumerable`1 orionDomainGroupsSids)
   at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.CheckGroupMembership(WindowsIdentity identity)
   at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.GetUpdatedVirtualUserFromGroupMembership(WindowsIdentity identity, String errorMessage)
   at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.CheckCreateUser(WindowsIdentity identity)
   at SolarWinds.Orion.Web.AuthorizationManager.CheckCreateUser(IIdentity identity)
2021-07-23 09:57:09,633 [112] WARN SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null) Invalid username or password for user 'winrx\eynqrr6' via Windows Authentication.
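
The excerpt above holds two different failures: thread 189 is rejected at Windows logon (HRESULT 0x8007052E), while thread 112 obtains a WindowsIdentity and only fails at the directory group lookup, whose logged filter contains an empty `(objectSid=)` clause. The following Python triage of such log lines is an added example, not code from the issue or the OrionSDK project. The sample log is constructed (placeholder account and SIDs), and treating the bracketed number as a per-request thread id is an assumption.

```python
import re

# Constructed sample modelled on the excerpt above: placeholder account, shortened
# filter, made-up SIDs. Assumption: the bracketed number is a worker-thread id that
# stays the same for all entries of one login attempt.
SAMPLE_LOG = """\
2021-07-23 09:56:45,823 [189] INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Cannot logon 'jdoe@EXAMPLE' via Interactive/Default. System.Runtime.InteropServices.COMException: The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)
2021-07-23 09:56:45,854 [189] ERROR SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null) Failed to validate username and password for user 'EXAMPLE\\jdoe'.
   at SolarWinds.Orion.Web.OrionMixedModeAuth.LogonUser(String user, String domain, String password)
2021-07-23 09:57:08,914 [112] INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Successfully retrieved WindowsIdentity for user EXAMPLE\\jdoe.
2021-07-23 09:57:09,633 [112] INFO SolarWinds.Orion.Web.AuthorizationManager - (null) (null) WindowsAuthorizationManager.CheckCreateUser() failed: System.ArgumentException: The (&(|(objectClass=user)(objectClass=group))(|(objectSid=S-1-5-21-1-2-3-1001)(objectSid=)(objectSid=S-1-5-32-545))) search filter is invalid.
2021-07-23 09:57:09,633 [112] WARN SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null) Invalid username or password for user 'EXAMPLE\\jdoe' via Windows Authentication.
"""

# Zero-width split point before every timestamped entry header.
ENTRY_START = re.compile(r"(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \[\d+\] )")
HEADER = re.compile(r"\S+ \S+ \[(\d+)\] \w+\s+\S+ - ")
EMPTY_CLAUSE = re.compile(r"\((\w+)=\)")  # LDAP clause with no value, e.g. (objectSid=)

def triage(text):
    """Map each thread id to (verdict, attributes logged with an empty value)."""
    flags, empty = {}, {}
    for entry in ENTRY_START.split(text):  # works even when entries share one line
        head = HEADER.match(entry.strip())
        if not head:
            continue
        tid = head.group(1)
        seen = flags.setdefault(tid, set())
        empty.setdefault(tid, [])
        if "0x8007052E" in entry:  # ERROR_LOGON_FAILURE from the Windows logon call
            seen.add("logon_failed")
        if "Successfully retrieved WindowsIdentity" in entry:
            seen.add("logon_ok")
        if "search filter is invalid" in entry:
            seen.add("filter_invalid")
            empty[tid] += EMPTY_CLAUSE.findall(entry)
    result = {}
    for tid, seen in flags.items():
        if {"logon_ok", "filter_invalid"} <= seen:
            verdict = "authenticated-group-lookup-failed"
        elif "logon_failed" in seen:
            verdict = "credentials-rejected"
        else:
            verdict = "no-failure-seen"
        result[tid] = (verdict, empty[tid])
    return result

if __name__ == "__main__":
    for tid, (verdict, attrs) in triage(SAMPLE_LOG).items():
        print(tid, verdict, attrs)
```

A verdict of `authenticated-group-lookup-failed` marks a request where the "Invalid username or password" warning was logged after the identity had already been retrieved.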

njoylif commented 3 years ago

I've got a case open with support on this as well... 00857247. We ran through a bunch of testing, including removing the AD group and re-adding it, same with a specific AD user. Workaround is to create a local account.

mbrandon071629 commented 3 years ago

Same here. Case open with support - 00871415 - all AD auth is now failing via SWQL Studio - workaround is creating/utilizing a local account.

thefreakquency commented 1 year ago

related to https://github.com/solarwinds/OrionSDK/issues/290 ?

Mesverrum commented 1 week ago

Not sure if you all had run across this yet, but at some point a while back AD based auth stopped working on the orion server, but you could use the same credential successfully if you ran the script from a remote server.

TommyD-ITC commented 1 week ago

> Not sure if you all had run across this yet, but at some point a while back AD based auth stopped working on the orion server, but you could use the same credential successfully if you ran the script from a remote server.

Yes I remember this and still think it's the case. I work with SWIS PowerShell and find it's normally like this:

Orion Server: -certificate -username / -password -credential

Remote:

--

For PowerShell, even going back as far as 2020.2.6, I've never been able to get -trusted to work when locally running a script from a sw server.

TobywL1 commented 1 week ago

> Not sure if you all had run across this yet, but at some point a while back AD based auth stopped working on the orion server, but you could use the same credential successfully if you ran the script from a remote server.

Thanks for this tip, this did indeed work for me just now after I was having trouble. Connected from MPE to EOC server and that worked.