Troubleshoot Authentication Issues
Active Directory User Cannot Authenticate with BeyondInsight or Password Safe
If an Active Directory user is a member of more than 120 Active Directory groups, the user may encounter the following error when attempting to log in to the BeyondInsight management console, Analytics & Reporting, or Password Safe, although correct credentials were supplied:
- Authentication fails with The username or password is incorrect. Please try again.
- An error is logged in the frontend.txt file associated with that login attempt, that includes A local error occurred.
The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. To correct this issue, you can increase the maximum size in the registry.
- Start the registry editor on the BeyondInsight server.
- Locate and click the following registry subkey:
If the Parameters key does not exist, create it now.
- From the Edit menu, select New, and then select DWORD Value, or DWORD (32-bit) Value.
- Type MaxPacketSize, and then press Enter.
- Double-click MaxPacketSize, type 1 in the Value box, select Decimal, and then click OK.
- From the Edit menu, select New, and then click DWORD Value, or DWORD (32-bit) Value.
- Type MaxTokenSize, and then press Enter.
- Double-click MaxTokenSize, type 65535 in the Value box, select Decimal, and then click OK.
- Close the registry editor, and then restart the BeyondInsight server.
For more information, please see Problems with Kerberos authentication when a user belongs to many groups.
Authentication Errors when using SAML 2.0 Web Applications
Both Runtime Error and Internal Server Error are for on-premises Password Safe deployments only. If an error shown below occurs using Password Safe Cloud, please contact BeyondTrust Technical Support.
If you receive a Runtime Error, add the following to the web.config file:
Set mode to Off < customErrors mode="Off" />
This provides an actual error.
Internal Server Error (500)
An Internal Server Error (500) message usually indicates that the web.config file is not formatted correctly.
- Open IIS on the U-Series Appliance.
- Browse to the SAML website, and then double-click Default Document.
- If there is a formatting error in the web.config file, an error displays, indicating the line number for the error.