Test and Troubleshoot LDAP Authentication
You can test and troubleshoot the LDAP authentication process in several ways.
The Web Gateway user interface provides a tool for testing the configured authentication process with a given user name and password.
If the test shows that the process failed, carefully review your configuration. If you cannot find any errors, create a debug log using a second tool. If the log does not explain the failure either, create a tcpdump using a third tool.
Test authentication for a given user name and password
The settings for the Authentication module include a section for testing purposes. You can enter a user name and password and let Web Gateway attempt to authenticate the user.
- Select Policy | Settings.
- On the Engines branch of the settings tree, click the settings for the Authentication module (engine) that you have modified or newly created, for example, the LDAP settings.
- Under Common Authentication Parameters, deselect Use authentication cache.
Otherwise, changes in the directory on the LDAP server are not detected until the cache expiration time has elapsed.
- Expand Authentication Test and type a user name and password in the fields that are provided.
- Click Authenticate User.
The result of the authentication process is shown under Test result.
- If the process is successfully performed, an OK message appears.
The testing tool also displays any attribute values that you have configured queries for.
- If the process fails, the following message appears:
Error: Authentication failed
Create a debug log file for troubleshooting authentication
You can create a debug log file to record the authentication process and review it for troubleshooting purposes.
- Select Configuration | Appliances.
- On the appliances tree, select the appliance that you want to create a debug log file on, then click Troubleshooting.
- In the Authentication Troubleshooting section, select Log authentication events.
NOTE: We recommend that you also select Restrict tracing to one IP and specify a client IP address to prevent the log file from becoming too large.
- Reproduce the authentication process.
A debug log file is created for the process.
- Locate the debug log file:
- Select Troubleshooting.
- On the troubleshooting tree, select the appliance that you created the debug log file on, then click Log files.
- Open the debug folder and look for the mwg-core.Auth.debug.log file with the appropriate time stamp.
The log file contains log lines showing failure IDs for the authentication process. The meaning of these IDs is as follows:
0 – NoFailure: Authentication was successful
2 – UnknownUser: Cannot map user name to user DN
3 – WrongPassword: Bind with user password failed
4 – NoCredentials: Credentials are missing or have invalid format
5 – NoServerAvailable: Could not get a server connection
6 – ProxyTimeout: Request is being processed longer than the configured timeout
8 – CommunicationError: Communication with server failed, for example, due to a timeout
Create a tcpdump for troubleshooting authentication
If the reason for a failed authentication process cannot be found by reviewing a debug log file, create a tcpdump to retrieve more information.
- Select Troubleshooting.
- On the troubleshooting tree, select the appliance that you want to create a tcpdump on, then click Packet tracing.
- In the Command line parameters field, type the following:
"-s 0 -i any port 389"
NOTE: The port 389 filter captures only plain, unencrypted LDAP traffic. The bind response can be read from the trace only if Web Gateway communicates with the LDAP server without encryption (not LDAPS on port 636 or StartTLS), so for troubleshooting you might need to use the unencrypted connection temporarily. A trace of an unencrypted simple bind contains the user's password in cleartext, so restrict access to the capture file and delete it when you are done.
- Click tcpdump start.
- Reproduce the problem, then click tcpdump stop.
- Open the trace in Wireshark, then apply the ldap.bindResponse display filter to find the response from the LDAP server.
The server response usually includes LDAP, Active Directory, and other error codes. For example, in the following line from a server response:
"invalidCredentials (80090308: LdapErr: DSID-0c09030f, comment: AcceptSecurityContext error, data 773, vece)"
the data value 773 is an Active Directory error code (given in hexadecimal; it corresponds to Win32 error 1907) meaning that the user must change the password before being allowed to log on. Other data values in the same position identify other account states, such as a wrong password, an expired password, a disabled account, or a locked-out account.
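The following is an added example, not part of the original page or of the Web Gateway product. It parses the diagnostic message from an Active Directory bind response as shown above, reads the hexadecimal data value, and maps it to its meaning and to who has to act (the user, an account policy, or the directory/Web Gateway configuration). The sample messages are constructed for the example, and the code table goes beyond the single 773 case on the page by covering the other well-known AcceptSecurityContext data values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample errorMessage strings, modelled on what an Active Directory
# domain controller returns in an LDAP bindResponse. Not taken from a real capture.
SAMPLE_BIND_RESPONSES = [
    "invalidCredentials (80090308: LdapErr: DSID-0c09030f, comment: AcceptSecurityContext error, data 773, vece)",
    "invalidCredentials (80090308: LdapErr: DSID-0c09030f, comment: AcceptSecurityContext error, data 52e, vece)",
    "invalidCredentials (80090308: LdapErr: DSID-0c09030f, comment: AcceptSecurityContext error, data 775, vece)",
    "success",
]

# Well-known "data" values in AD AcceptSecurityContext errors. The value in the
# message is the Win32 error code written in hexadecimal (0x773 == 1907).
AD_DATA_CODES = {
    0x525: ("user not found", "directory/config"),
    0x52E: ("invalid credentials (wrong password)", "user"),
    0x530: ("not permitted to log on at this time", "account policy"),
    0x531: ("not permitted to log on at this workstation", "account policy"),
    0x532: ("password expired", "user"),
    0x533: ("account disabled", "account policy"),
    0x701: ("account expired", "account policy"),
    0x773: ("user must change password", "user"),
    0x775: ("account locked out", "account policy"),
}


@dataclass
class BindDiagnosis:
    ldap_result: str           # textual LDAP resultCode, e.g. "invalidCredentials"
    ad_data_hex: Optional[str] # the "data" value as it appears in the message
    win32_error: Optional[int] # the same value as a decimal Win32 error code
    meaning: str
    owner: str                 # "user", "account policy", "directory/config" or "none"


_RESULT_RE = re.compile(r"^\s*([A-Za-z]+)")
_DATA_RE = re.compile(r"AcceptSecurityContext error,\s*data\s+([0-9A-Fa-f]+)")


def parse_bind_error(error_message: str) -> BindDiagnosis:
    """Turn one bindResponse errorMessage into a structured diagnosis."""
    m = _RESULT_RE.match(error_message)
    ldap_result = m.group(1) if m else "unknown"
    if ldap_result == "success":
        return BindDiagnosis("success", None, None, "bind succeeded", "none")

    d = _DATA_RE.search(error_message)
    if d is None:
        # Non-AD server, or an AD error without the AcceptSecurityContext comment:
        # nothing to decode, so treat it as something to look at in the configuration.
        return BindDiagnosis(ldap_result, None, None,
                             "no AD data code in message", "directory/config")

    data_hex = d.group(1).lower()
    code = int(data_hex, 16)
    meaning, owner = AD_DATA_CODES.get(code, ("unknown AD data code", "directory/config"))
    return BindDiagnosis(ldap_result, data_hex, code, meaning, owner)


def triage(messages: List[str]) -> List[BindDiagnosis]:
    """Diagnose every bind response captured during a troubleshooting session."""
    return [parse_bind_error(msg) for msg in messages]


if __name__ == "__main__":
    for diag in triage(SAMPLE_BIND_RESPONSES):
        print(f"{diag.ldap_result:20} data={diag.ad_data_hex} "
              f"win32={diag.win32_error} -> {diag.meaning} [{diag.owner}]")
```

The owner field is the practical outcome: a "user" or "account policy" result means the Web Gateway LDAP settings are fine and the account itself needs attention, whereas a message with no decodable data code, or an UnknownUser failure ID in the debug log, points back at the bind DN, search base, or user-name mapping configuration.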