Authentication to VMware vRealize Log Insight fails with the error: DuplicateUserException: A matching user already exists (2120135)


Symptoms

  • Authenticating to VMware vRealize Log Insight 2.5 fails.

  • During login, you see one of these errors:

    • Incorrect username or password
    • Unable to Authenticate user

  • In the /storage/core/loginsight/var/runtime.log file, you see entries similar to:

    com.vmware.loginsight.commons.exceptions.AuthenticationException:
     at com.vmware.loginsight.aaa.ad.ActiveDirectoryAuthenticator.authenticate(ActiveDirectoryAuthenticator.java:225)
     at com.vmware.loginsight.aaa.ad.ActiveDirectoryAuthenticator.authenticate(ActiveDirectoryAuthenticator.java:165)
    ...
    Caused by: com.vmware.loginsight.rbac.DuplicateUserException: A matching user already exists.
     at com.vmware.loginsight.database.dao.RBACUserDAO.createUser(RBACUserDAO.java:174)
     at com.vmware.loginsight.database.dao.RBACUserDAO.createAdUser(RBACUserDAO.java:164)
     at com.vmware.loginsight.aaa.ad.ActiveDirectoryAuthenticator.authenticate(ActiveDirectoryAuthenticator.java:222)

Cause

This issue occurs when VMware vRealize Log Insight 2.5 access control is configured with an Active Directory group, and the affected user is a member of that group. When the user logs in, an explicit record is created in the users list with a group-based role. If a Log Insight administrator deletes this record from the users list but keeps the group, subsequent authentication attempts by this user fail.

Resolution

This is a known issue affecting VMware vRealize Log Insight 2.5 when using Active Directory integration and group-based user roles. When a user is deleted using the access control user interface, the user's records in the logdb.user_auth table are not removed.

This issue is resolved in VMware vRealize Log Insight 3.0, available from VMware Downloads.

To work around this issue, fully remove the affected user's records from the logdb.user_auth table using the attached shell script within the Log Insight virtual appliance.

Validation of user record

To identify whether there are affected user records in the logdb.user_auth table, use the attached kb2120135_clear_user_auth.sh script with no arguments.

  1. Determine the SAM Account Name (for example, DOMAIN\Username) and User Principal Name (UPN) (for example, Username@domain) of the affected user.

  2. Open a console or SSH connection to the Log Insight appliance and log in as the root user.

  3. Download the kb2120135_clear_user_auth.sh.zip file attached to this article and extract it. Copy the kb2120135_clear_user_auth.sh script file to the Log Insight virtual appliance.

  4. Make the shell script executable with this command:

    chmod +x ./kb2120135_clear_user_auth.sh

  5. Run the script with no arguments. No changes are made to the system. A list of all user_auth records is displayed.

    For example:

    # ./kb2120135_clear_user_auth.sh
    Usage: ./kb2120135_clear_user_auth.sh USER_NAME DOMAIN [UPN]

    If UPN is not provided, USER_NAME@DOMAIN will be used instead.

    Known user_auth records:

     user_name   | type | domain      | upn
    -------------+------+-------------+--------------------------
                 |    1 | example.com |      user@ad.example.com
            user |    1 | example.com |
                 |    1 | example.com | user_acct@ad.example.com
        USERACCT |    1 | example.com |
           admin |    0 |             |
  6. Validate that the affected user is listed.

Deleting a user record

To delete the affected user records from the logdb.user_auth table, use the attached kb2120135_clear_user_auth.sh script.

Warning: Once the user account is deleted, it cannot be recovered. A new user account can be created with the same name.

  1. Use the kb2120135_clear_user_auth.sh script to delete the affected user_auth record, specifying the Username and Domain name. For example:

    ./kb2120135_clear_user_auth.sh user@example.com

    If the UPN does not match the format username@domain, specify it explicitly. For example:

    ./kb2120135_clear_user_auth.sh user_acct@example.com user_acct@ad.example.com

  2. The script displays the list of records it will delete and asks for confirmation. Review the output.

  3. To delete the user records, type y and press Enter.

  4. Run the script with no arguments again. A list of all user_auth records is displayed. Validate that the affected user is no longer listed.

  5. If the user's Active Directory group is still permitted to authenticate, the user should be able to authenticate to Log Insight using their Domain credentials and a new user account is created.
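The two procedures above depend on reading the user_auth listing correctly and on passing the right UPN: the attached script defaults the UPN to USER_NAME@DOMAIN, so a record whose UPN lives in a different suffix (user@ad.example.com in the sample output) is only found when the UPN is given explicitly. The following Python is an added example, not VMware's attached kb2120135_clear_user_auth.sh. It parses the sample listing exactly as the article prints it and reports which records the arguments USER_NAME DOMAIN [UPN] would select; the matching rule (SAM name plus domain, or UPN, compared case-insensitively) is an assumption used for illustration, not a description of the script's internals.

```python
"""Check a user_auth listing for the records that belong to one user.

Added example; not VMware's attached kb2120135_clear_user_auth.sh.
The listing below is constructed from the article's sample output so
the check runs offline. The matching rule is an assumption.
"""
from typing import List, Optional, Tuple

# Constructed sample: the table as printed by the script with no arguments.
SAMPLE_LISTING = """\
Known user_auth records:

 user_name   | type | domain      | upn
-------------+------+-------------+--------------------------
             |    1 | example.com |      user@ad.example.com
        user |    1 | example.com |
             |    1 | example.com | user_acct@ad.example.com
    USERACCT |    1 | example.com |
       admin |    0 |             |
"""

Record = Tuple[str, int, str, str]  # (user_name, type, domain, upn)


def parse_listing(text: str) -> List[Record]:
    """Parse the psql-style table into (user_name, type, domain, upn) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        # Skip the banner, blank lines and the column header.
        if "|" not in line or line.lstrip().startswith("user_name"):
            continue
        # Skip the dashed separator row.
        if set(line.strip()) <= set("-+"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            continue
        user_name, type_, domain, upn = cells
        records.append((user_name, int(type_), domain, upn))
    return records


def matching_records(records: List[Record], user_name: str, domain: str,
                     upn: Optional[str] = None) -> List[Record]:
    """Records selected for the arguments USER_NAME DOMAIN [UPN].

    UPN defaults to USER_NAME@DOMAIN, as the script's usage text states.
    Assumed rule (hypothetical, for illustration): a record matches on
    SAM name plus domain, or on UPN; AD names are compared case-insensitively.
    """
    if upn is None:
        upn = f"{user_name}@{domain}"
    hits: List[Record] = []
    for rec in records:
        rec_name, _type, rec_domain, rec_upn = rec
        by_sam = (rec_name.lower() == user_name.lower()
                  and rec_domain.lower() == domain.lower())
        by_upn = rec_upn != "" and rec_upn.lower() == upn.lower()
        if by_sam or by_upn:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    # Default UPN (user@example.com) misses the ad.example.com record.
    print("default UPN :", matching_records(recs, "user", "example.com"))
    # Explicit UPN picks up both records that belong to the user.
    print("explicit UPN:", matching_records(recs, "user", "example.com",
                                            "user@ad.example.com"))
```

Run it before step 1 of the deletion procedure: if the explicit-UPN call returns more records than the default-UPN call, the UPN must be passed as the third argument, otherwise the orphaned UPN-only record stays in logdb.user_auth and the DuplicateUserException persists.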

Update History

10/09/2015 - Log Insight 3.0 released.
11/05/2015 - Attachment updated.
04/05/2017 - Attachment updated.
