
Error Message - Login failed. Reason: NoRoles

SOLVED
spuluka
Super Contributor

Error Message - Login failed. Reason: NoRoles

I've started getting this error message recently and now have narrowed down some parameters.

I have seen kb21808 but we are NOT getting the event id 5722 on the domain controller. There are NO event log messages from this on the domain controller. And the message is "login failed" not "sign-in rejected". The computer names in AD do still match the cluster names in the interface.

But there are other similarities. This is due to group membership. If we map a role to a user account this works. This is a Windows AD 2003 domain authentication connection.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB21808

When the failure occurs I can failover the vip to the other cluster member (active/passive) and all is working again. But the second member will also fail over time.

The problem seems to be very close to a 12 hour cycle to occur. Logins will work and role map fine for 12 hours then fail. When I push the vip to the second member this one also works for 12 hours and then fails with the same message. At that point both will fail and I have to restart services or reboot the cluster for it to work again.

The issue cropped up running 7.0 R7. I upgraded to 7.1 R4 since we were doing a Pulse 2 roll out anyway. But the issue still occurs on this release. Hardware is SA 4500. I'm not positive but I think this did not occur on the 7.0 R6 release.

Any ideas on why this would be happening or has anyone already solved this issue?

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
Accepted Solutions
Rickyrick_
Occasional Contributor

Re: Error Message - Login failed. Reason: NoRoles

Hi

I have been having a similar problem too and have found this, not sure if it's related to our problem?

I am going to try the new version of software as soon as I can get some downtime here.

Thanks

Richard

http://www.juniper.net/techpubs/software/ive/releasenotes/j-sa-sslvpn-7.1R4.1-releasenotes.pdf (see item 3 on page 2 under first section):

3. aaa-active-directory - When AD group lookup is enabled for role mapping, role mapping might fail intermittently. (696332)


6 REPLIES

spuluka
Super Contributor

Re: Error Message - Login failed. Reason: NoRoles

Thanks for this link. I had not gone back to the downloads again before posting. This is a fresh update and it does sound like my problem is fixed in this release.

I'll also be scheduling the upgrade and test and let you know the results.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
ruc_
Regular Contributor

Re: Error Message - Login failed. Reason: NoRoles

Steve/Richard,

 

The symptoms you describe (AD based Authentication works but AD based Authorization, i.e. group lookup/role mapping, fails) indicate that the Machine Account between SA and the Domain Controllers is in a state where it is not usable. Note that authentication will not require the machine account; however, authorization and password management will. That is why you see the "Login failed. Reason: NoRoles" issue, which indicates authentication worked but authorization failed.

 

The key to understanding the root cause is finding why the machine account goes into an unusable state. If you would like for JTAC to investigate the root cause before you upgrade I would recommend opening a case with the data requested in the attached pdf.

 

Please note the pdf contains instructions to enable very detailed logging for AD and may have a slight impact on the system performance. Also note that the most important window will be the phase where the device goes from working to non-working state, and it is important to capture logs close to the initial occurrences of this issue, else the logs will roll over.

 

Another helpful log will be the event logs from the Domain Controller for the SA's machine account name.
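As an added example (not part of this thread, the KB article, or Juniper's own tooling), the following PowerShell script pulls together the two things the reply above asks a poster to look at on the Domain Controller side: the state of the SA appliance's computer object in AD, and the DC event-log entries that mention that machine account during the window in which role mapping stops working. The computer account name 'SA4500-01' and the 14-hour look-back are placeholders; the event IDs are the standard Windows Security-log IDs for Kerberos and NTLM credential validation, and the script is meant to be run on the DC itself with the ActiveDirectory module (RSAT) available.

```powershell
# Added example, not from the thread: what the Domain Controller knows about the
# SA appliance's machine account. Run on a DC as an administrator.
param(
    [string]$MachineAccount = 'SA4500-01',  # placeholder: use the SA's AD computer name
    [int]$HoursBack = 14                    # a little more than the 12-hour cycle reported above
)

Import-Module ActiveDirectory

# 1. The computer object itself. A disabled account, a password reset outside the
#    appliance's knowledge, or no recent logon are all ways a machine account ends up
#    "unusable" for group lookup while plain user authentication keeps working.
$acct = Get-ADComputer -Identity $MachineAccount `
            -Properties Enabled, PasswordLastSet, LastLogonDate, DistinguishedName
[pscustomobject]@{
    Name            = $acct.Name
    Enabled         = $acct.Enabled
    PasswordLastSet = $acct.PasswordLastSet
    LastLogonDate   = $acct.LastLogonDate
    DN              = $acct.DistinguishedName
} | Format-List

# 2. Security-log events on this DC that mention the machine account (SAM name ends in '$').
#    4768/4769 = Kerberos TGT / service-ticket requests, 4776 = NTLM credential validation,
#    4771/4772/4773 = Kerberos failures. A run of failures for the SA account just before
#    the 12-hour mark is the working-to-non-working transition the reply asks to capture.
$since = (Get-Date).AddHours(-$HoursBack)
$sam   = "$MachineAccount`$"
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769, 4771, 4772, 4773, 4776
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($sam) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' } } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 3. NETLOGON and KDC messages in the System log for the same window. This is also where
#    the 5722 from KB21808 would appear if the secure-channel symptom were occurring.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON', 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($MachineAccount) } |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

Run it once while role mapping is working and again right after the failure, and diff the two outputs: the interesting change is usually in the Security-log section (failures that were not there before) rather than in the computer object, which is what makes the DC-side view complementary to the appliance-side AD debug logging the pdf describes.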

 

spuluka
Super Contributor

Re: Error Message - Login failed. Reason: NoRoles

Ruc, thanks for the information on how to collect logs for these AD related issues. I've kept that on file for future reference.

My issue is clearly a bug that has been fixed in the R4.1 release. I had been seeing the loss of role mapping at exactly 12 hour intervals very consistently. Since applying the update I've now passed four of these 12 hour intervals and have had no further issues. Thanks for the notice on the update Richard. I hope this also clears your issue.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
Rickyrick_
Occasional Contributor

Re: Error Message - Login failed. Reason: NoRoles

Thanks Steve. Good to know it fixed the issue.

Ours is down again, so I'm grabbing the logs for Juniper TAC and then I'll upgrade too, so fingers crossed!

ruc_
Regular Contributor

Re: Error Message - Login failed. Reason: NoRoles

Rickyrick, if you can wait for a couple more days then 7.1R5 is due and it will have an additional fix in the Active Directory based authentication area (does not apply to LDAP). Like I mentioned in my previous response, there could be different triggers that lead to the machine account going into an unusable state (which result in the NoRoles symptom), and 7.1R4.1 fixes a known trigger. 7.1R5 has a fix for yet another trigger that was recently discovered. If you have a JTAC case open they will be able to root cause your issue to one of those issues; however, given that 7.1R5 has both the fixes I would recommend using that for any AD role mapping issues.