Troubleshoot Authentication Issues

Active Directory User Cannot Authenticate with BeyondInsight or Password Safe

If an Active Directory user is a member of more than 120 Active Directory groups, the user may encounter the following error when attempting to log in to the BeyondInsight management console, Analytics & Reporting, or Password Safe, although correct credentials were supplied:

  • Authentication fails with "The username or password is incorrect. Please try again."
  • An error associated with that login attempt is logged in the frontend.txt file and includes "A local error occurred."

The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. To correct this issue, you can increase the maximum size in the registry.

  1. Start the registry editor on the BeyondInsight server.
  2. Locate and click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If the Parameters key does not exist, create it now.

  3. From the Edit menu, select New, and then select DWORD Value, or DWORD (32-bit) Value.
  4. Type MaxPacketSize, and then press Enter.
  5. Double-click MaxPacketSize, type 1 in the Value box, select Decimal, and then click OK.
  6. From the Edit menu, select New, and then click DWORD Value, or DWORD (32-bit) Value.
  7. Type MaxTokenSize, and then press Enter.
  8. Double-click MaxTokenSize, type 65535 in the Value box, select Decimal, and then click OK.
  9. Close the registry editor, and then restart the BeyondInsight server.

For more information, please see "Problems with Kerberos authentication when a user belongs to many groups."
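
A scripted equivalent of the registry steps above, as an added example that is not BeyondTrust's own tooling. The function name Set-KerberosTokenLimits is hypothetical; the key path and the two values are the ones given on this page. It reports the previous values so the change can be audited or rolled back.

```powershell
# Added example: run from an elevated PowerShell session on the BeyondInsight server.
function Set-KerberosTokenLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Defaults are the values from the procedure on this page.
        [int]$MaxPacketSize = 1,
        [int]$MaxTokenSize  = 65535
    )

    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # Create the Parameters key if it does not exist.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    $wanted = [ordered]@{ MaxPacketSize = $MaxPacketSize; MaxTokenSize = $MaxTokenSize }
    foreach ($name in $wanted.Keys) {
        # Read the current value (if any) before touching it.
        $current = $null
        if (Test-Path -Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }

        # Write only when the value is missing or different.
        $changed = $false
        if ($current -ne $wanted[$name]) {
            if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($wanted[$name])")) {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value $wanted[$name] -Force | Out-Null
                $changed = $true
            }
        }

        [pscustomobject]@{
            Name = $name; Previous = $current; Desired = $wanted[$name]; Changed = $changed
        }
    }
}

# Preview the changes first; remove -WhatIf to apply them.
Set-KerberosTokenLimits -WhatIf
```

As in the manual procedure, the new values take effect only after the BeyondInsight server is restarted.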

Authentication Errors when using SAML 2.0 Web Applications

Both Runtime Error and Internal Server Error are for on-premises Password Safe deployments only. If an error shown below occurs using Password Safe Cloud, please contact BeyondTrust Technical Support.

Screen Capture of SAML 2.0 Web Application Runtime Error

If you receive a Runtime Error, add the following to the web.config file:

Set mode to Off:

    <customErrors mode="Off" />

With custom errors turned off, the page shows the actual error instead of the generic Runtime Error message.

Screen Capture of setting Custom Error Mode to Off

An Internal Server Error (500) message usually indicates that the web.config file is not formatted correctly.

Screen Capture of IIS - Default Document Option

  1. Open IIS on the U-Series Appliance.
  2. Browse to the SAML website, and then double-click Default Document.

Screen Capture of Default Document Formatting Error

  3. If there is a formatting error in the web.config file, an error displays, indicating the line number for the error.