BAM-00404, Authentication failed. User is marked inactive
Objective
This blog will help you determine the causes that contributed to the defect the issue that led to the users getting marked as inactive while logging in to the BAM console. From this Blog, we will determine the cause for the issue and resolution for the issue on what, how, and why this event occurred, a list of root causes will be developed. This list of root causes will help you to overcome the BAM-00404, Authentication failed issue and to prevent another similar failure.
In this Blog I will share my experience on how I resolved this issue.
Context:
We had an issue with BAM login where users were getting marked as inactive while logging in to the BAM console.
We see this error only after adding an LDAP Authentication Provider to the default WebLogic Security realm. BAM login fails with BAM-00404: AUTHENTICATION FAILED. USER IS MARKED INACTIVE error.
We receive this error when logging into the BAM console, sometimes it will log in and after 5 minutes it throws the error.
Cause:
It is a product defect. BAM uses Java Portlet Specification as security framework which does not support multi authentication. Only provider which is on top of the list will be used by JPS.
BAM will look up for the user using user or role API on regular intervals and it is not finding user in the security provider.
When the users login to BAM, they will be registered in table “SysIterUser”, the “INACTIVE” field will be set to 0, which means it is active user. There is a schedule in BAM which will synchronize the users between Authentication Provider and BAM this is scheduled to run for every 5 minutes by default. If users can not be identified in the first authentication provider, the synchronization process will fail and mark the users as inactive.
We can disable this synchronization (Part 3 in the solution will help you in disabling this).
Solution:
For resolving this issue we should add an entry in BAM config files that disables Background User Group Validation and running SQL queries in the database with BAM user which will clear the users which are already marked as inactive in DB.
I will divide the solution into 2 parts and 4 steps.
Part 1: Adding entry in BAM config files which disables Background User Group Validation
Part 2: Running sql queries in database with BAM user which will clear the users which are already marked as inactive in DB.
PART 1:
Step 1 :
Stop weblogic servers and take a backup copy of BAMServerConfig.xml located under:
(a) <MWHOME>/user_projects/domains/<DOMAINNAME>/config/fmwconfig/servers /bam_server1/applications/oracle-bam_11.1.1/config.
(b)<MWHOME>/user_projects/domains/<DOMAINNAME>/servers/bam_server1/tmp/_WL_user/oracle-bam_11.1.1/1o1igs/config.
Step 2 :
Edit BAMServerConfig.xml in the above 2 paths, and add the following line at the end of the file
<EnableBackgroundUserGroupValidation>false</EnableBackgroundUserGroupValidation>
Save the file
Step 3 :
Edit /home/oracle/Oracle/Middleware/user_projects/domains/soadomain/config/fmwconfig/jps-config.xml in the server
Search for the section <! — JPS WLS LDAP Identity Store Service Instance → and add the highlighted tags:
<serviceInstance name=”idstore.ldap” provider=”idstore.ldap.provider”>
<property name=”idstore.config.provider” value=”oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider”/>
<property name=”CONNECTION_POOL_CLASS” value=”oracle.security.idm.providers.stdldap.JNDIPool”/>
<property name=”username.attr” value=”sAMAccountName”/>
<property name=”user.login.attr” value=”sAMAccountName”/>
</serviceInstance>
PART 2:
Step 4 :
Run the below Query in the database with BAM user for e.g xxx_ORABAM.
UPDATE “SysIterUser” SET “SysIterUser”.”GUID” = NULL,”SysIterUser”.”Inactive” = NULL;
commit;
Start Weblogic and Retry the BAM login.
This should resolve your issue with BAM login.
