Users receive an "ADALOGIN_004" Error while trying to login to PingOne when ADConnect is the Identity Repository

Published: 03/13/2017
Issue Description:

When ADConnect is configured as the Identity Repository for PingOne, users may receive the error "ADALOGIN_004" after they enter their credentials in the login form. ADALOGIN_004 is a generic failure code shown to the end user for a number of different underlying causes, so checking the Event Viewer on the ADConnect server is necessary to find the specific error. The solution in this article applies only when the following exception is logged on the ADConnect server:
2017-02-24 09:18:18,923 ERROR com.pingidentity.adconnect.ad.impl.AttributeLookupImpl [(null)] - Unable to obtain claims for account: DOMAIN\USER System.Runtime.InteropServices.COMException (0x8007200A): The specified directory service attribute or value does not exist.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at com.pingidentity.adconnect.ad.impl.AttributeLookupImpl.GetClaims(String identity, String sp) in C:\hudson\workspace\PingOne\ADConnect\ADConnect 3.0\ADConnectCore\com\pingidentity\adconnect\ad\impl\AttributeLookupImpl.cs:line 152

Cause:

This error occurs when the account running the ADConnect service does not have Read permission on the domain's default Users and default Computers containers in Active Directory. ADConnect performs the lookup through a PrincipalContext that does not specify a container (the DoLDAPDirectoryInitNoContainer and ADStoreCtx.IsContainer frames in the stack trace above), so before it can search for the user it binds to the default Users and Computers containers. If the service account cannot read those containers, that bind fails with 0x8007200A and the claims lookup for the user aborts, which PingOne reports to the user as ADALOGIN_004.
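The following PowerShell script is an added diagnostic example, not ADConnect's own code: it drives the same .NET code path that appears in the stack trace (UserPrincipal.FindByIdentity on a PrincipalContext created without a container) so that the lookup can be reproduced under a chosen identity. Running it as the service identity (for LOCAL SYSTEM, for example in a shell started with psexec -s on the ADConnect server) is an assumption about how you choose to test; the function name and the sample identity 'DOMAIN\USER' are placeholders.

```powershell
# Added example (not Ping Identity's code): reproduce ADConnect's lookup path.
# AttributeLookupImpl.GetClaims calls UserPrincipal.FindByIdentity on a
# PrincipalContext without a container; .NET then binds to the domain's default
# Users and Computers containers (DoLDAPDirectoryInitNoContainer / IsContainer).
# Run this under the identity that runs the ADConnect service to test that identity.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdConnectLookup {
    param([Parameter(Mandatory)][string]$Identity)   # e.g. 'DOMAIN\USER' (placeholder)

    # No container argument: same as the failing call in the stack trace.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Identity)
        if ($null -eq $user) { return "Lookup succeeded but no account named $Identity was found" }
        return "OK: $($user.DistinguishedName)"
    } catch {
        # Unwrap PowerShell's MethodInvocationException to the underlying COMException.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        # 0x8007200A is ERROR_DS_NO_ATTRIBUTE_OR_VALUE, the code in the ADConnect log above.
        return ('{0} 0x{1:X8}: {2}' -f $ex.GetType().Name, $ex.HResult, $ex.Message)
    } finally {
        $ctx.Dispose()
    }
}

"Running as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Test-AdConnectLookup -Identity 'DOMAIN\USER'
```

A result of "COMException 0x8007200A" when run as the service identity, together with a successful result when run as a domain administrator, confirms that the problem is the service account's permissions rather than the user record or the domain itself.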


Solution:

1. Check the default Users and Computers containers for the domain. By default they are CN=Users,DC=Domain,DC=com and CN=Computers,DC=Domain,DC=com, but they may have been redirected to other OUs, so confirm them by running this command in PowerShell:
Note: This command requires the Active Directory module for PowerShell, which is installed by default on a domain controller. If you're unable to access the domain controller, refer to the Microsoft documentation for your particular operating system to install it on another computer in your environment.

Get-ADDomain | select computerscontainer,userscontainer
 
2. Check the account that's running the ADConnect Authentication Agent Service.
  • Open Computer Management
  • Expand Services and Applications, and then click Services
  • Double-click on ADConnect Authentication Agent Service, view the Log On tab, and note the account that's listed there. By default this will be LOCAL SYSTEM, however it may have been changed to a service account created by an administrator.
3. Check or grant Read permission on the containers.
Note: These steps can be performed from the domain controller, or from any computer in the network that has Active Directory Users and Computers installed, as long as the user has appropriate permissions on the domain.
  • Open Active Directory Users and Computers and find the containers that were found in step 1. For each of them, right click and choose Properties, and then view the Security tab.
  • Click Add
  • If the account that runs ADConnect is LOCAL SYSTEM, follow these steps
    • Click the Object Types button and make sure Computers is selected.
    • Enter the name of the server where ADConnect is installed and click Check Names to ensure the computer account is found.
  • If the account that runs ADConnect is another domain account, enter the account name and click Check Names to ensure the user account is found.
  • In the permissions selection box, ensure that Read is selected under the Allow column, and not under the Deny column. An explicit Deny, whether on the account itself or on a group it belongs to, overrides any Allow, so remove such an entry rather than adding an Allow beside it.
4. Confirm that users are now able to login successfully. In some situations it might be necessary to restart the ADConnect Authentication Agent Service.
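The following PowerShell script is an added example that automates steps 1 to 4 above; it is not Ping Identity's code. It assumes it is run on the ADConnect server with the ActiveDirectory module available and with rights to edit the ACLs of the two containers, and it assumes the service display name shown in step 2 (confirm it in Services before running).

```powershell
# Added example (not Ping Identity's code): automate steps 1-4 for the
# ADConnect Authentication Agent Service account.
# Assumptions: run on the ADConnect server, ActiveDirectory module present,
# caller may edit the containers' ACLs, service display name as in step 2.
Import-Module ActiveDirectory

$serviceName = 'ADConnect Authentication Agent Service'   # assumption: display name from step 2

# Step 1: the domain's default Users and Computers containers (may be redirected).
$domain = Get-ADDomain
$containers = @($domain.UsersContainer, $domain.ComputersContainer)

# Step 2: the account the service runs as. For LOCAL SYSTEM the domain sees the
# server's computer account (DOMAIN\HOST$), so that is the principal to grant.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on $env:COMPUTERNAME" }

if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    $principal = Get-ADComputer -Identity $env:COMPUTERNAME
    $sid = $principal.SID
} else {
    # StartName is DOMAIN\user, user@domain or DOMAIN\gmsa$; resolve by sAMAccountName.
    $sam = (($svc.StartName -split '\\')[-1] -split '@')[0]
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectSid
    if (-not $principal) { throw "Could not resolve service account '$($svc.StartName)' in AD" }
    $sid = $principal.objectSid
}
Write-Host "Service runs as $($svc.StartName); checking permissions for $($principal.Name) ($sid)"

# Step 3: warn on an explicit Deny, then make sure an Allow ACE covers GenericRead.
$read    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($dn in $containers) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $mine = $acl.Access | Where-Object { $_.IdentityReference.Translate($sidType) -eq $sid }

    if ($mine | Where-Object { $_.AccessControlType -eq 'Deny' -and
                               ($_.ActiveDirectoryRights -band $read) -ne 0 }) {
        Write-Warning "$dn has an explicit Deny on read for $($principal.Name); Deny overrides Allow, remove it"
    }
    if ($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ($_.ActiveDirectoryRights -band $read) -eq $read }) {
        Write-Host "$dn already grants Read to $($principal.Name)"
        continue
    }
    # Least privilege: Allow GenericRead only, nothing more.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $read, 'Allow'
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "Granted Read on $dn to $($principal.Name)"
}

# Step 4: restart the agent so the new permissions take effect, then have a user log in.
Restart-Service -DisplayName $serviceName
```

The script only looks for ACEs naming the service principal itself; a Read that the account already inherits through group membership is not detected, so in that case it adds a redundant but harmless Allow. Keep the grant to GenericRead rather than adding the service account to a broad administrative group: the service only needs to read the two containers.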
Category: ADConnect