Unexpected - /api/atelier login failure

Question

Question

Scott Roth · Dec 4, 2023

#API #Authentication #LDAP #Security #System Administration #Web Gateway #Health Connect #InterSystems IRIS #InterSystems IRIS for Health #VSCode

We recently moved from using the Private Web Server, to using an Apache/Web Gateway setup and moved towards using the built in LDAP functionality within IRIS. Since then, we have 1 user that uses VSCode (/api/atelier) heavily that continues to have issues signing into IRIS through VS Code and the /api/atelier extension.

I am trying to troubleshoot two issues..

User having login failures with correct password.

ERROR #798: LDAP login failed
ERROR #971: Invalid LDAP password, error 49, Invalid credentials:80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839:ERROR_LOGON_FAILURE:Invalid password
Web Application: /api/atelier

UnknownUser trying to authenticate

ERROR #815: User not authorized for service %Service_WebGateway
Web Application: /api/atelier

When I started reviewing the login failure, I noticed that after he attempts to sign in and it fails that I am getting a warning about UnknownUser attempting to access %Service_WebGateway.

settings.json on vs code is configured..

"intersystems.servers": {

        "iristest": {

            "webServer": {

                "scheme": "https",

                "host": <server name>,

                "port": 443
            },

            "username": <user name>

        }

}

Are there additonal intersystems.server configuration settings I am missing that is possibly causing the UnknownUser and LDAP Authentication issues? I don't want to risk opening %Service_WebGateway and opening it to UnknownUser

Product version: IRIS 2022.1

Discussion (7)3

Log in or sign up to continue

Ian Minshall · Dec 11, 2023

Have you got the /api/atelier web app set to accept LDAP logins?

0 0

score 0 · Answer 1 · 2023-12-11T10:37:17-05:00

Yes...

I have no issues with VSCode, its just the one user. The issue with the user I believe is with LDAP not InterSystems as the same error happens when trying to sign into the Management Portal, periodically.

Does /api/atelier need to have unauthenticated turned on? Why am I seeing the

ERROR #815: User not authorized for service %Service_WebGateway
Web Application: /api/atelier

I don't want Unauthenticated users to access the system or be able to get through the Web Gateway at all...

score 0 · Answer 2 · 2023-12-11T11:03:32-05:00

Eduard Lebedyuk · Dec 11, 2023

Any chance user has multibyte unicode characters in the password?

0 0

score 0 · Answer 3 · 2023-12-11T11:17:45-05:00

Scott Roth · Dec 11, 2023

That I am not sure of... Why?

0 0

score 0 · Answer 4 · 2023-12-11T18:43:49-05:00

I would try a password with just a-z, A-Z, 0-9, !#$%^&*()[]{}. Maybe there's some issue with wide characters?

score 0 · Answer 5 · 2023-12-11T11:33:16-05:00

Ian Minshall · Dec 11, 2023

Does the user have the %Development resource?

0 0

score 0 · Answer 6 · 2023-12-11T11:35:37-05:00

Yes %Development resource is set as part of the Role he is assigned from the detail we get from LDAP.

The user is not really the issue I have at the moment, I am trying to track down why UnknownUser keeps trying to access the Gateway.