Authentication failed with OpenID connect

Hello All,

We have integrated One Identity Manger with Forgerock AM . Once we enter the URL of the Web portal it redirects back to AM for authentication, after authentication it redirect back to the portal with the below error

The authentication process could not be completed. Contact your system administrator if the problem persists.

Failed to authenticate user.

Cannot find the requested object.

Got the below error message in the job queue

Login failed (Module: OAuth 2.0 / OpenID Connect (role based), Properties: , Identity: -, Client Machine: 10.11.46.133, Errors: [System.Security.Cryptography.CryptographicException] Cannot find the requested object.

If anybody have any idea, please let us know.

Thanks,

Pranav

Top Replies

pprathapgirija over 4 years ago in reply to pprathapgirija +1 suggested

Hello , The login issue has been resolved, Thank you for all your suuport

the config param is set to off

QBM\DebugMode\OAuth2\LogPersonalInfoOnException

and we removed all the references of certificates…

Parents

0 Troy Grandy over 4 years ago

You need to check the web portal logs
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to Troy Grandy

I found the below information in web portal logs

2020-09-21 15:24:32.0741 ERROR ( ObjectLog) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
at QER.OAuthAuthentifier.OAuth.<_GetSigningCertificatesFromServerAsync>d__17.MoveNext()
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 pprathapgirija over 4 years ago in reply to Troy Grandy

I found the below information in web portal logs

2020-09-21 15:24:32.0741 ERROR ( ObjectLog) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
at QER.OAuthAuthentifier.OAuth.<_GetSigningCertificatesFromServerAsync>d__17.MoveNext()
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 Troy Grandy over 4 years ago in reply to pprathapgirija

what version of IDM?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Troy Grandy over 4 years ago in reply to Troy Grandy

error is pointing to a certificate issue by the sound of it X509
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to Troy Grandy

8.1.3
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to Troy Grandy

just FYI We have two web servers behind the DNS, i am not sure about what kind of certificates is giving the problem
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Troy Grandy over 4 years ago in reply to pprathapgirija

It sounds as if you are using a certificate for the Identity Provider this is why the X509 log lines I would expect. I don't know if you went through the wizard manually or not but in the screen shot below is where you would have entered the certificate information
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to Troy Grandy

Yes you are correct we are using IDP cert here, We went through the wizard automatically , but we entered the cert details manually .
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Markus Weiss-Ehlers over 4 years ago in reply to pprathapgirija

The error message implies that the web portal is unable to access the cert.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to Markus Weiss-Ehlers

All the root/intermediate certs are installed on the Web servers, Is this error means web server is not able to access the IDP certs?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to pprathapgirija

Error after enabling debug mode

2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate was not found in local store.
2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate: Using certificate endpoint configured by identity client definition.
2020-09-24 07:52:29.0128 TRACE ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Getting signing certificate from URL https.........
2020-09-24 07:52:29.0909 ERROR ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 pprathapgirija over 4 years ago in reply to pprathapgirija

The IDP cert is added to the trust store of web servers, not sure what we are doing incorrect here , any suggestions?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel