This post is about a scenario where users were not able to authenticate on an FBA (Forms-Based Authentication) page published by ISA Server, using LDAP as the authentication repository. The error message shown to the users was:
Figure 1 – Unable to authenticate.
Although it says to double-check the domain name or password, this is a generic logon error and the credentials may not be the problem at all. We recently wrote an article at Tales from the Edge with a troubleshooting framework for LDAPS authentication on ISA; for more information see http://technet.microsoft.com/en-us/library/dd316279.aspx.
2. Logging is your Friend
The ISA Server real-time logging can be very helpful in scenarios like this. In this case the error message was the one below:
Figure 2 – Error 58.
As you can see in the figure above, the error message says that it was not possible to perform the requested operation. This is a good start, but you can get even more information by copying the whole log to the clipboard using the option shown below in the task pane:
Figure 3 – Using the Clipboard option.
After copying, paste it into a Notepad file and save it as a TXT file. The best thing to do is to open this file in Excel so that you can see all the fields and filter on them. After opening the file in Excel, I was able to see a key error:
Figure 4 – Using Excel to filter the logs.
Notice that the Authentication Server field says: dccont\No server available. This is it! Now we can conclude that:
- ISA cannot reach the DC for some reason:
  - Networking issue?
  - Name resolution issue?
  - DC not answering?
Before going crazy and investigating this any deeper, why not just try to ping the servers that are in the LDAP Server Set? This is what I did, and the result was:
Figure 5 – Unable to resolve the name.
Bingo: unable to resolve the name. After fixing the name resolution problem, the issue was gone and authentication worked.
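One way to automate the Excel filtering step and the ping check above, as an added example that is not part of the original post and not code from ISA Server: a Python script that parses a tab-separated log export of the kind copied from the logging task pane, flags the rows whose Authentication Server field reports "No server available", pulls out the affected server-set name, and then tries to resolve each member of the LDAP server set. The column names, the sample rows and the server names (dccont, dc01.example.test, dc02.example.test) are constructed for the example; a real export has many more columns. The resolver is a parameter so the check can be run offline with a fake lookup, and a failed lookup is reported rather than raised so one bad entry does not hide the result for the others.

```python
"""Filter an ISA Server log export for LDAP "No server available" errors and
check name resolution for the LDAP server set.

Added example, not code from the original post or from ISA Server. The column
names and sample rows are constructed for illustration; the server names are
placeholders.
"""
import csv
import io
import socket
from typing import Callable, Dict, List

# Constructed sample of a tab-separated log export: a header row plus three
# rows. Field names are assumed; "Authentication Server" is the field the post
# filters on, and 58 is the error number shown in the post's logging view.
SAMPLE_LOG = "\t".join([
    "Client IP", "Destination IP", "Rule", "Result Code",
    "Authentication Server", "Error Information",
]) + "\n" + "\n".join([
    "\t".join(["10.0.0.15", "192.168.1.10", "Publish OWA", "0",
               "dccont\\dc01.example.test", ""]),
    "\t".join(["10.0.0.21", "192.168.1.10", "Publish OWA", "58",
               "dccont\\No server available", ""]),
    "\t".join(["10.0.0.22", "192.168.1.10", "Publish OWA", "58",
               "dccont\\No server available", ""]),
]) + "\n"

NO_SERVER_MARKER = "No server available"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the tab-separated export into a list of row dictionaries."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def find_no_server_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows whose Authentication Server field says the LDAP server
    set had no reachable server (the key error from the post)."""
    return [r for r in rows
            if NO_SERVER_MARKER in r.get("Authentication Server", "")]


def affected_server_sets(rows: List[Dict[str, str]]) -> List[str]:
    """Extract the server-set name (the part before the backslash) from each
    flagged row, deduplicated and in first-seen order."""
    seen: List[str] = []
    for r in find_no_server_rows(rows):
        name = r["Authentication Server"].split("\\", 1)[0]
        if name not in seen:
            seen.append(name)
    return seen


def check_name_resolution(
    hosts: List[str],
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, bool]:
    """Try to resolve every host of an LDAP server set, mirroring the ping
    test in the post. socket.gethostbyname raises socket.gaierror (an OSError
    subclass) when the name does not resolve; that is reported as False."""
    results: Dict[str, bool] = {}
    for host in hosts:
        try:
            resolver(host)
            results[host] = True
        except OSError:
            results[host] = False
    return results


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    flagged = find_no_server_rows(rows)
    print(f"{len(flagged)} of {len(rows)} rows report '{NO_SERVER_MARKER}'")
    print("Affected server sets:", affected_server_sets(rows))
    # Placeholder LDAP server set; replace with the members configured on ISA.
    ldap_servers = ["dc01.example.test", "dc02.example.test"]
    for host, ok in check_name_resolution(ldap_servers).items():
        print(f"{host}: {'resolves' if ok else 'NAME RESOLUTION FAILED'}")
```

To use it on a real export, read the saved TXT file into `parse_log` instead of `SAMPLE_LOG` and replace the placeholder server list with the members of the LDAP Server Set configured on ISA; a host reported as not resolving is the same finding the ping test produced in Figure 5.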