I have installed the Dynatrace client and I've been using if for months. After a Windows password reset I am getting this error. I have tried entering the new and old password.
Error on Login - The login failed because either the specified user name or password is incorrect, or you are not allowed to access this Dynatrace Server.
Thank you
This could be cache issues or something at the AppMon server:
If the LDAP server is down completely, LDAP users cannot log in.
However, successful user authentications are cached on the AppMon
Server for 10 minutes by default. If the same user logs in within this
time frame, no LDAP request is sent again and the user's
authentication timeout is prolonged. The user's group membership is
not verified or updated within this time frame.
You can configure the authentication timeout by changing the value of the following system property in the dtserver.ini file:
-Dcom.dynatrace.diagnostics.ldapAuthenticationTimeout=600
Reference: Dynatrace AppMon Documentation
Related
I'm using Docker to setup some services and Traefik 2 acts as a reverse proxy for these services.
So far I was using Basic Auth to protect the access to the services, but I'm trying to get rid of the user/pass prompt.
Looking at the Traefik's documentation, I found the "ForwardAuth" middleware which seems fine. I'm planning to use it to replace Basic Auth, but a full implementation example is not provided as an example, and I'm having a hard time trying to set it up.
So far, thanks to Traefik forward-auth, I'm successfully calling a specific URL on a remote server in charge of the authentication (this server is developped with Spring Boot by myself). I understand that if the authentication server answers 200, it means "authentication success" while another code means "authentication failure".
Yet, I'm currently unable to write the authentication code on the remote server as I don't know how to check if I must return 200 or something else. Especially I don't know how to communicate information between Traefik and the authentication server.
Basically, the problems I have are:
I can't ask the user for his/her username/password using Traefik
When the authentication server receives the request from Traefik, it has no way to define that the source request was a previously authenticated user
The following picture shows most of my concerns:
What I'd like to achieve is the following behavior:
The user tries to access to the Docker services without entering any username/password
Traefik determines that the user is not authenticated, thanks to forward-auth it asks the authentication server for authentication
The authentication server determines that the user is not authenticated, the user is redirected to the login page
The user enters his/her username/password on the authentication server
The user is redirected to the Docker services
Traefik determines that the user is authenticated
So far, I can successfully achieve step 1 to 5, but I don't know how to achieve step 6.
Is this the right way to use ForwardAuth?
If it is, are there some headers I must use to transfer the auth information? If not, is it possible to achieve what I want using ForwardAuth?
As far as i understand, traefik also forwards Any headers accompaning the original request. If you are not filtering Any. see docs traefik forward-auth.
I am trying to do the performance testing of a logistics application. 2 types of users are there - Internal users & External Users. For internal users the authentication process happens normally; usual database. I was successful in executing the jmx script for Internal users. But for External users, the authentication process happens with Active Directory. In this case when i tried to execute the jmx script, the user is not getting logged in to the application. But the login api doesn't gives any error, the Response Code is 200 but in Response I'm getting the message "Try again". Do we need to do any additional settings in Jmeter for Active Directory Authentication? Can anybody help me in this?
For "internal" users you might need to add HTTP Authorization Manager and configure not only username and password but also domain, realm and use appropriate mechanism for NTLM or Kerberos
See Windows Authentication with Apache JMeter article for more detailed explanation and example configurations
You may be missing out on a few key things such as HTTP Headers or some additional data that needs to be sent with the request.
To resolve this. you can analyze the request in the developer tools of your browser and then generate the same headers with the request. This will resolve the issue.
I've been following Caroline's blog to setup a multi-user composer rest server. So, I have two servers viz. Admin Server and the User Server.
As mentioned in the tutorial I:
Started the Admin Server with no authentication and single user mode. I started this server with Admin's card.
Started the User Server with JWT authentication in multi-user mode. I started this server with Admin's card as well.
Created a User participant and generated a card for user from the admin server.
Exchanged the first JWT token for this user on the User Server. So now the user has an access token.
Using this access-token I imported the user's card generated in #3 into the User Server.
Checked the Wallet status using user's access-token and was able to see the card to be set as default. i.e. default:true
This seems to have worked fine. However, now I'm trying to ping the network using User Server and User's access token. And it results in:
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:7054]
I tried setting this card to be default again but with no luck. When I list the identities issued from the admin server, I'm able to see this identity. But the status of this identity is "ISSUED". While the status of admin identity is "ACTIVATED". Is this an issue?
Or am I missing out on any of the important step here?
In my application I use web services to get required information. To actually use this services you have to login first, you get your token - encrypted password, afterwards this token is attached to SOAP requests to identify current user. The thing is, when you do not use service for 15 minutes, your token changes and when you are trying to obtain another bunch of information from the server it denies old token. As a result app do not get required information and throws a heap of errors.
How to send user (load Login.axm) to Login page when token has been changed?
Thank you, Shay Shmeltzer for your answer.
How I solved this problem:
1) First I read how does sessions work in my particular case. I used stateless session which means -
A new session is opened for an initial request and the session remains
open for subsequent requests. Relogin occurs automatically
(transparent to the user) if the session is closed. UsernameToken and
PasswordText must be included as SOAP headers in the initial request
to open a stateless session.
Stateless session management is the best method to use for high-load
Web service applications. Using Stateless mode, the application
provides the username and password only once, that is for the initial
request. A session is opened on the server and is dedicated for this
user.
In the response Siebel Business Applications return the SessionToken,
which is an encrypted string containing the information about
username, password, and timestamp. For subsequent requests the
application must use the SessionToken to reuse the session.
For security reasons SessionTokens are regenerated for each response.
The application must provide the last received SessionToken for the
next request.
The SessionToken-Siebel session map is maintained in the Siebel Web
Server Extension (SWSE); based on the SessionToken value SWSE sends
the request to the correct Siebel session (task).
Although the session is persistent, authentication happens for each
request (SWSE decrypts the UserName and Password from the
SessionToken).
the main problem was :
NOTE: Reconnecting or automatic logging in again will only happen if
the token has not timed out. If it times out, then the user must
manually log in again. Token timeout must be greater than or equal to
session timeout. For more information on session token timeout, see
Session and Session Token Timeout-Related Parameters.
in my case standard session token live time was 15 minutes.
That is why I included counter in my code and checked it before each request. If counter time > 15 minutes, I sent log in request to the server to get new session token. The reason, I did not change current page to log in page straight away after the counter exceeds 15 minutes is: place in code, where I check counter is already initiated by the bindings to get required value to render it, so if your token has expired you will get a heap of errors. That is why firstly I renew the session sending log in request, get active session token and put it into the last request which is requested by binding. After app renders page without any errors, it shows pop up message "Session has expired" and goes to log in page.
You can programmatically set the soap header being sent to your SOAP service from ADF Mobile - http://docs.oracle.com/cd/E37975_01/doc.111240/e24475/amxwebservices.htm#CHDIBIIE
I want to secure my RESTful webservice in some way, i read for past few hours about spring security and I am not sure if I can achieve what I want with it.
Here is typical scenario:
User tries to access www.address.com/rest/getSomething - he gets 401 Unauthorized and he is not redirected.
He goes to www.address.com/rest/login with username and password parameters
His credentials are checked against those in database (I'm using JPA over Hibernate)
If they are correct user receives 200 OK, and info that he's logged in is stored in session, so he does not need to send username and pass when accessing other addresses. Info that he logged in succesfully (or not) is stored in DB
If login is unsuccessful he receives 401
User uses webservice as much as he wanst (on each access, his session is checked)
After lets say 10 minutes of inactivity his session ends, and he needs to log in again
He may visit www.address.com/rest/logout to logout properly (session invalidate maybe?)
I also want to introduce some kind of password recovery, if user accesses www.address.com/rest/remindPass an email will be sent with newly generated password.
EDIT:
And i forgot, about one more thing. I also need another filter for checking if user has enough privilage to access an address.