Difference between revisions of "Authentication Failing"

From Swivel Knowledgebase

Latest revision as of 12:52, 11 May 2017



Overview

No users can authenticate


Prerequisites

PINsafe 3.x with a MySQL database (may also apply to Oracle or PostgreSQL; does not seem to affect Internal or MS-SQL).


Symptoms

All authentication for all users fails, although you are certain the credentials are correct.


Solution

Have you changed the time zone on the PINsafe server since users were imported? Or, in an HA solution, are the PINsafe servers in different time zones? There is a known issue that changing the time zone on the PINsafe server causes authentication to fail.

The reason for this is that PINsafe uses a number of unique fields to encrypt each user's credentials. One of these fields is the user creation date and time. Unfortunately, in MySQL, the interpretation of this field changes if the time zone on the server changes. This causes decryption of the credentials to fail, and so authentication fails.

Set the time zone back and restart the database, i.e. restart PINsafe for the internal database, or MySQL for appliances.

If you have a single PINsafe server, and you need to keep the time zone as it now is, you will have to reset credentials for all users individually. The preferable solution is to change the time zone back to what it was before. Be aware that if you have reset any credentials, or added any new users, since the time zone was changed, these users will have their credentials encrypted according to the new time zone, so reverting to the old one will cause their credentials to fail, and you will have to reset them again.

In an HA solution, if the servers are in different time zones, authentication may work on one server but not the other. In this case, change the time zone on the failing server to match that on the working one. If users have been imported, or credentials reset, on both servers, you will have to choose one of the servers and set the time zone on the other to match it. All users who have credentials set by the second server will have to have their credentials reset.
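
The time zone dependency described in the Solution section, as an added illustration that is not PINsafe's code: it shows why a credential bound to a locally rendered creation time stops verifying after a zone change or on an HA peer in another zone. PINsafe's real key derivation and cipher are not given on this page, so `derive_key`, the HMAC tag standing in for encryption, `login_fixed_utc` and the sample user are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real deployment).
CREATED_EPOCH = 1494507120  # creation instant as stored, independent of zone
USERNAME, PIN = "alice", "4821"


def render_created(epoch, utc_offset_hours):
    """Read the creation field back as wall-clock text in the server's zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


def derive_key(username, created_field):
    """Hypothetical per-user key bound to the username and creation field."""
    return hashlib.pbkdf2_hmac("sha256", created_field.encode(),
                               username.encode(), 10_000)


def protect(pin, key):
    """Stand-in for credential encryption: an HMAC tag under the user key."""
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


def enroll(server_offset):
    """Set the credential on a server running at the given UTC offset."""
    created = render_created(CREATED_EPOCH, server_offset)
    return protect(PIN, derive_key(USERNAME, created))


def login(stored, pin, server_offset):
    """Zone-dependent check: key rebuilt from the locally rendered field."""
    key = derive_key(USERNAME, render_created(CREATED_EPOCH, server_offset))
    return hmac.compare_digest(protect(pin, key), stored)


def login_fixed_utc(stored, pin, server_offset):
    """Same check with the field always rendered in UTC; offset is ignored."""
    key = derive_key(USERNAME, render_created(CREATED_EPOCH, 0))
    return hmac.compare_digest(protect(pin, key), stored)


if __name__ == "__main__":
    stored = enroll(0)                         # imported while server was UTC
    print(login(stored, PIN, 0))               # same zone: correct PIN accepted
    print(login(stored, PIN, 1))               # zone changed, or HA peer at UTC+1
    print(login(enroll(1), PIN, 0))            # reset after the change, then reverted
    print(login_fixed_utc(stored, PIN, 1))     # zone-independent rendering
```

The third case matches the caveat above: credentials set after the zone change fail once the zone is reverted.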