Posts

Unable to Authenticate User Lawson After Configuring ADFS

After configuring ADFS, if you attempt to launch LBI and receive the message “(security:3042) Unable to authenticate user”, open SystemOut.log on the LBI server to gather more information.  If the error is displayed there with a reference to the username, this is a known issue with LBI and ADFS.

 

[7/2/19 11:58:30:986 EDT] 00000069 webapp        E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[GenericServletWrapper]: com.lawson.efs.security.GeneralAuthenticationException: (security:3042) Unable to authenticate user.

 

com.lawson.security.interfaces.GeneralLawsonSecurityException: Event request failed: Could not get identity for user – lawson

 

Stack Trace :

 

com.lawson.lawsec.authen.LSFSecurityAuthenException:Could not get identity for user – lawson

 

If your stack trace looks similar to the above, you will need to create a user in Lawson security where SSOP matches RMID.  This means that you need a user whose RMID is formatted as their userPrincipalName.  To do this, you must have a service account that can be used for the purpose.  Also, you must load the user details with the loadusers command, as the characters “@” and “.” are not allowed when adding users in LSA.

 

First, have your networking team create a service account for this purpose.  Then, create a loadusers.xml file like this:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<XML>
  <ROLEDATA>
  </ROLEDATA>
  <USERDATA ProductLine="LSAPPS">
    <USER ID="lbirmadmin@company.com" RMID="lbirmadmin@company.com" Name="lbirmadmin" FirstName="lbirmadmin" LastName="lbirmadmin" Email="lbirmadmin@company.com" CheckLS="YES" Role="SuperAdminRole"/>
  </USERDATA>
</XML>

 

Next, on the Lawson server, run the command loadusers -f <full path to your loadusers file>.  In LSA, assign the LBI admins and LBI users groups that your organization uses to this account, and verify that the user has the SuperAdminRole.  In the Framework Services Configuration assistant in LBI, change the RM user to lbirmadmin@company.com and set the password.  This can also be done in the SYSCONFIG table of the EFS database.

 

Restart LBI WebSphere and try the connection again.

 

 

 

 

LBI 3042 error after configuring ADFS

After configuring ADFS, if you attempt to launch LBI and receive the message “(security:3042) Unable to authenticate user”, go to the SystemOut.log to gather more information.  If the error is displayed there without any reference to the user name, it is most likely that you need to update DSP on the LBI server.  To do this, download the latest DSP from the product downloads under Lawson Security.  Stop all the IBM services on the LBI server, then run the jar file and select the option to update your existing DSP.  Once DSP is updated, restart the IBM services.  You should be able to launch LBI now.

 

[12/18/21 14:16:53:783 PST] 000000ce LocalTranCoor E   WLTC0017E: Resources rolled back due to setRollbackOnly() being called.

[12/18/21 14:16:53:784 PST] 000000ce webapp        E com.ibm.ws.webcontainer.webapp.WebApp logServletError SRVE0293E: [Servlet Error]-[ServletNameNotFound]: com.lawson.efs.security.GeneralAuthenticationException: (security:3042) Unable to authenticate user.

at com.lawson.efs.security.authenticationprovider.AbstractSSOAuthenticationProvider.authenticate(AbstractSSOAuthenticationProvider.java:174)

Caused by: com.lawson.lawsec.authen.SecurityAuthenException: Failed to initialize authentication layer. Cause Connection error (inforapp.cosa.private, null). Cause: {2}.

… com.lawson.security.authen.AuthenMessages.Unable to create a connection

Stack Trace :

com.lawson.security.server.LawsonNetException: Unable to create a connection
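The two posts above separate the 3042 error by what follows it in SystemOut.log: a "Could not get identity for user" line points to the RMID/userPrincipalName fix, while a connection failure with no user name points to the DSP update. The script below is an added example, not part of the original posts or of any Lawson tooling, that applies that split to a log. The function name `triage`, the cause labels, and the host `lsf.example.internal` are assumptions made for illustration, and the sample lines are constructed from the excerpts above.

```python
import re

# Marker strings copied from the two SystemOut.log excerpts on this page.
ERR_3042 = "(security:3042) Unable to authenticate user"
IDENTITY = re.compile(r"Could not get identity for user\s*[-\u2013]\s*(\S+)")
CONNECTION = ("Failed to initialize authentication layer",
              "Unable to create a connection")
# A WebSphere entry starts with "[M/D/YY H:MM:SS:mmm TZ]"; the "[" is optional
# because pasted excerpts sometimes lose it.
ENTRY = re.compile(r"^\[?(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3} \w+)\]")


def triage(lines):
    """Return one (timestamp, cause, user) tuple per 3042 log entry."""
    lines = [ln.strip() for ln in lines]
    findings = []
    for i, line in enumerate(lines):
        entry = ENTRY.match(line)
        if not entry or ERR_3042 not in line:
            continue
        # Cause chain and stack trace lines run until the next log entry.
        detail = []
        for nxt in lines[i + 1:]:
            if ENTRY.match(nxt):
                break
            detail.append(nxt)
        text = "\n".join(detail)
        user = IDENTITY.search(text)
        if user:  # first post: create the user whose RMID is the UPN
            findings.append((entry.group(1), "identity", user.group(1)))
        elif any(marker in text for marker in CONNECTION):  # second post: DSP
            findings.append((entry.group(1), "connection", None))
        else:
            findings.append((entry.group(1), "unknown", None))
    return findings


# Constructed sample: shortened copies of the entries above, placeholder host.
SAMPLE = """\
[7/2/19 11:58:30:986 EDT] 00000069 webapp E SRVE0293E: (security:3042) Unable to authenticate user.
com.lawson.security.interfaces.GeneralLawsonSecurityException: Could not get identity for user - lawson
[12/18/21 14:16:53:783 PST] 000000ce LocalTranCoor E WLTC0017E: Resources rolled back.
[12/18/21 14:16:53:784 PST] 000000ce webapp E SRVE0293E: (security:3042) Unable to authenticate user.
Caused by: com.lawson.lawsec.authen.SecurityAuthenException: Failed to initialize authentication layer. Cause Connection error (lsf.example.internal, null).
com.lawson.security.server.LawsonNetException: Unable to create a connection
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(finding)
```

To run it against a real log, pass the open file to `triage` in place of the sample lines.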