Unable to Authenticate User Lawson After Configuring ADFS

After configuring ADFS, if you attempt to launch LBI and receive the message "(security:3042) Unable to authenticate user", open the SystemOut.log on the LBI server to gather more information. If the error is logged there together with a reference to the username, this is a known issue with LBI and ADFS.

[7/2/19 11:58:30:986 EDT] 00000069 webapp        E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[GenericServletWrapper]: com.lawson.efs.security.GeneralAuthenticationException: (security:3042) Unable to authenticate user.

com.lawson.security.interfaces.GeneralLawsonSecurityException: Event request failed: Could not get identity for user – lawson

Stack Trace :

com.lawson.lawsec.authen.LSFSecurityAuthenException:Could not get identity for user – lawson

If your stack trace looks similar to the above, you will need to create a user in Lawson security whose SSOP matches the RMID; that is, a user whose RMID is formatted as their userPrincipalName. To do this you need a service account dedicated to that purpose. The user must also be loaded with the loadusers command, because the characters "@" and "." are not allowed when adding users through LSA.
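As an added illustration (not part of the original article), here is a small Python triage script that applies the signature described above to SystemOut.log text: it looks for the (security:3042) error together with the "Could not get identity for user" line, extracts the user name the log reports, and checks whether that name is in userPrincipalName form. The sample log lines are constructed from the excerpt above, and the function names are my own.

```python
import re

# Constructed sample lines, modelled on the SystemOut.log excerpt in the article
# (not a real log capture). The separator after "user" is a plain hyphen here.
SAMPLE_SYSTEMOUT = """\
[7/2/19 11:58:30:986 EDT] 00000069 webapp        E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[GenericServletWrapper]: com.lawson.efs.security.GeneralAuthenticationException: (security:3042) Unable to authenticate user.
com.lawson.security.interfaces.GeneralLawsonSecurityException: Event request failed: Could not get identity for user - lawson
Stack Trace :
com.lawson.lawsec.authen.LSFSecurityAuthenException:Could not get identity for user - lawson
[7/2/19 11:59:01:120 EDT] 0000006a webapp        I com.ibm.ws.webcontainer.webapp.WebApp log unrelated informational line
"""

AUTH_FAIL = re.compile(r"\(security:3042\) Unable to authenticate user")
# Copied logs render the separator as "-" or as an en dash, so accept either.
NO_IDENTITY = re.compile(r"Could not get identity for user\s*[-\u2013]\s*(\S+)")


def find_identity_failures(log_text):
    """Return (saw_3042, {user: count}) for the 3042 error and the users it names."""
    saw_3042 = False
    users = {}
    for line in log_text.splitlines():
        if AUTH_FAIL.search(line):
            saw_3042 = True
        match = NO_IDENTITY.search(line)
        if match:
            user = match.group(1)
            users[user] = users.get(user, 0) + 1
    return saw_3042, users


def diagnose(log_text):
    """Classify the log against the LBI/ADFS signature the article describes."""
    saw_3042, users = find_identity_failures(log_text)
    if not saw_3042:
        return "no (security:3042) error found"
    if not users:
        return ("(security:3042) present but no 'Could not get identity' line; "
                "not the LBI/ADFS RM-user issue")
    findings = []
    for user in sorted(users):
        if "@" not in user:
            # The RM user LBI is logging in with is not a userPrincipalName.
            findings.append(f"RM user '{user}' is not in userPrincipalName form")
        else:
            findings.append(f"user '{user}' is UPN-formatted; confirm it exists in LSA with RMID = ID")
    return "known LBI/ADFS issue: " + "; ".join(findings)


if __name__ == "__main__":
    print(diagnose(SAMPLE_SYSTEMOUT))
```

Run it against a real SystemOut.log by reading the file into `diagnose()`; the two regular expressions are the only parts tied to the log format.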

 

First, have your networking team create a service account for this purpose.  Then, create a loadusers.xml file like this:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<XML>
  <ROLEDATA>
  </ROLEDATA>
  <USERDATA ProductLine="LSAPPS">
    <USER ID="lbirmadmin@company.com" RMID="lbirmadmin@company.com" Name="lbirmadmin" FirstName="lbirmadmin" LastName="lbirmadmin" Email="lbirmadmin@company.com" CheckLS="YES" Role="SuperAdminRole"/>
  </USERDATA>
</XML>

Next, on the Lawson server, run the command loadusers -f <full path to your loadusers file>. In LSA, assign this account the LBI admins and LBI users groups that your organization uses, and verify that it has the SuperAdminRole. In the Framework Services Configuration assistant in LBI, change the RM user to lbirmadmin@company.com and set its password. The same change can also be made in the SYSCONFIG table of the EFS database.
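Because the loadusers file is usually copied from a web page, the most common way it goes wrong is smart quotes or an RMID that does not match the ID. The following Python helper is an added example, not part of the article or of Lawson's tooling: it generates a loadusers.xml for one service account with ID and RMID set to the UPN, using the same elements and attributes as the file above (it assumes loadusers accepts exactly that shape), and it checks an existing file for well-formedness and for ID/RMID mismatches. The function names and the sample UPN are my own.

```python
import xml.etree.ElementTree as ET


def build_loadusers_xml(upn, product_line="LSAPPS", role="SuperAdminRole"):
    """Return loadusers.xml text for one service account whose ID and RMID are its UPN."""
    local, sep, domain = upn.partition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"{upn!r} is not in userPrincipalName form (user@domain.tld)")
    root = ET.Element("XML")
    ET.SubElement(root, "ROLEDATA")
    userdata = ET.SubElement(root, "USERDATA", ProductLine=product_line)
    # Same attribute set as the article's example; ID and RMID are both the UPN
    # so that SSOP matches RMID, and the display names use the local part only.
    ET.SubElement(userdata, "USER", ID=upn, RMID=upn, Name=local, FirstName=local,
                  LastName=local, Email=upn, CheckLS="YES", Role=role)
    # Serialising with ElementTree guarantees straight quotes and proper escaping.
    return ET.tostring(root, encoding="ISO-8859-1", xml_declaration=True).decode("ISO-8859-1")


def check_loadusers_xml(text):
    """Return a list of problems with a loadusers file; an empty list means it looks right."""
    data = text.encode("ISO-8859-1", errors="replace") if isinstance(text, str) else text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); check for smart quotes copied from a web page"]
    problems = []
    for user in root.iter("USER"):
        uid, rmid = user.get("ID"), user.get("RMID")
        if uid != rmid:
            problems.append(f"ID {uid!r} differs from RMID {rmid!r}")
        if not rmid or "@" not in rmid:
            problems.append(f"RMID {rmid!r} is not in userPrincipalName form")
    return problems


if __name__ == "__main__":
    # Constructed sample UPN; substitute your own service account.
    xml_text = build_loadusers_xml("lbirmadmin@company.com")
    print(xml_text)
    print("problems:", check_loadusers_xml(xml_text))
```

Write the returned text to a file and pass that path to loadusers -f; run `check_loadusers_xml()` on any hand-edited file before loading it.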

 

Restart LBI WebSphere and try the connection again.