
UTM End User Portal - Reason Denied

I have a single user that cannot log in to the End User Portal.

Things I have checked looking at other forum threads:

  • The user's password doesn't expire until the end of the month
  • The user's password is entered correctly
  • Security Event log on the PDC shows valid authentication
  • Definitions & Users > Auth Services > Servers > AD Server => Test authenticates properly
  • A newly created user works perfectly fine
  • I allow all users to access the portal
  • Automatic user creation is enabled
  • AD Background sync is enabled

I did notice that the user in question did not populate under the users tab, however my brand new test user did.

Here are the log entries:

2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (radius)"
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (adirectory)"
2017:10:02-15:50:19 remote aua[3489]: Use of uninitialized value $email in regexp compilation at aua.pl line 3070.
2017:10:02-15:50:22 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "USERNAME" - error "AAA_USER_EMAIL_PRIMARY""
2017:10:02-15:50:22 remote aua[17782]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="PDC-IP" host="" user="USERNAME" caller="portal" reason="DENIED"
 
I noticed the AAA_USER_EMAIL_PRIMARY error but could not find any information about it. I did notice that it appears on users that are able to login as well. We did just migrate to Office365 and had to adjust the ProxyAddresses and the UPN to reflect the email address rather than internal domain.
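As an added triage helper (not part of the original post, and not Sophos code): the aua lines above can be correlated mechanically, so that a "Authentication failed ... reason="DENIED"" event is reported together with the updateUserObject error from the same aua process and any Perl warning logged shortly before it. The sample input is the poster's own log excerpt; PDC-IP and USERNAME are the poster's placeholders. The updateUserObject message nests quotes inside its name="..." value, so a plain key="value" scanner truncates it and a dedicated pattern is used for that line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the aua log lines quoted in the post above
# (PDC-IP and USERNAME are the poster's placeholders, not real values).
SAMPLE_LOG = """\
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (radius)"
2017:10:02-15:50:18 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="Trying PDC-IP (adirectory)"
2017:10:02-15:50:19 remote aua[3489]: Use of uninitialized value $email in regexp compilation at aua.pl line 3070.
2017:10:02-15:50:22 remote aua[17782]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "USERNAME" - error "AAA_USER_EMAIL_PRIMARY""
2017:10:02-15:50:22 remote aua[17782]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="PDC-IP" host="" user="USERNAME" caller="portal" reason="DENIED"
"""

# "<timestamp> <host> aua[<pid>]: <rest>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) aua\[(?P<pid>\d+)\]: (?P<rest>.*)$')
# key="value" pairs. A value that itself contains quotes (the updateUserObject
# message) is cut short by this pattern, hence the dedicated regex below.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
UPDATE_RE = re.compile(
    r'updateUserObject: failed to set object for user "(?P<user>[^"]+)" - error "(?P<code>[^"]+)"'
)
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"


def parse_line(line):
    """Split one aua line into timestamp, pid and a dict of fields; None if it is not an aua line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["when"] = datetime.strptime(rec["ts"], TS_FORMAT)
    fields = dict(KV_RE.findall(rest))
    u = UPDATE_RE.search(rest)
    if u:
        fields["user"] = u.group("user")
        fields["object_error"] = u.group("code")
    if "uninitialized value" in rest:
        fields["perl_warning"] = rest  # unstructured Perl warning, carries no key="value" fields
    rec["fields"] = fields
    return rec


def triage_denials(log_text, warning_window=timedelta(seconds=10)):
    """One finding per 'Authentication failed' event, linked to the
    updateUserObject error from the same aua process for the same user, plus
    any Perl warning (from any process) logged within warning_window before it."""
    object_errors = defaultdict(list)   # pid -> [(user, error code)]
    warnings = []                       # [(when, text)]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if "object_error" in f:
            object_errors[rec["pid"]].append((f["user"], f["object_error"]))
        elif "perl_warning" in f:
            warnings.append((rec["when"], f["perl_warning"]))
        elif f.get("name") == "Authentication failed":
            user = f.get("user")
            related = [code for who, code in object_errors.pop(rec["pid"], []) if who == user]
            recent = [text for when, text in warnings
                      if timedelta(0) <= rec["when"] - when <= warning_window]
            findings.append({
                "ts": rec["ts"], "user": user, "caller": f.get("caller"),
                "reason": f.get("reason"), "object_errors": related,
                "recent_warnings": recent,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_denials(SAMPLE_LOG):
        print(finding)
```

Run against a longer aua log export, the output narrows the search to denials that coincide with an object-update error, which is the distinction the poster had to make by hand between the failing user and the users for whom the same error appears but login still succeeds.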


  • "I did notice that the user in question did not populate under the users tab, however my brand new test user did."

    Hmmm. Try an experiment.  At the bottom of the 'Advanced' tab in 'Definitions & Users >> Authentication Services', configure 'Prefetch Directory Users' to sync your problem user and hit [Apply]. Start the Prefetch Live Log, wait for a moment to give it time to start up and then click on [Prefetch Now].

    My guess is that the remotely-authenticated user object won't be created because there's a conflict with an email address entered for a locally-authenticated user object.  What did you see?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
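An added example of the check Bob suggests, written for offline triage and not taken from the thread or from Sophos: given the user objects already on the UTM and the users as a directory prefetch would see them, it reports which directory users would bring in a primary email address that is already held by a different object (or by a locally-authenticated object of the same name), and which have no email at all, the situation the "uninitialized value $email" warning points at. The user names and addresses are constructed; the assumption that the AD mail attribute is what the UTM takes as the primary address, and that a match against the user's own existing directory-backed object is not a conflict, is mine.

```python
# Constructed sample data; names, addresses and backends are made up.
EXISTING_USERS = [   # user objects already present on the UTM
    {"name": "jdoe",   "email": "jdoe@example.com",   "backend": "local"},
    {"name": "asmith", "email": "asmith@example.com", "backend": "adirectory"},
    {"name": "bjones", "email": "",                   "backend": "adirectory"},
]
DIRECTORY_USERS = [  # what a prefetch or portal login sees in AD after the mail/UPN change
    {"sAMAccountName": "jdoe",   "mail": "JDoe@example.com"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com"},
    {"sAMAccountName": "jdoe2",  "mail": "jdoe@example.com"},
    {"sAMAccountName": "bjones", "mail": None},
]


def normalize_email(addr):
    """Lower-case and trim an address; None for empty or missing values."""
    if not addr:
        return None
    addr = addr.strip().lower()
    return addr or None


def primary_email(entry):
    # Assumption: the AD "mail" attribute is what becomes the UTM primary email.
    return normalize_email(entry.get("mail"))


def find_email_conflicts(existing_users, directory_users):
    """For each directory user, report 'ok', 'conflict' (primary email already
    held by another object, or by a local object of the same name) or 'no_email'."""
    by_email = {}
    for u in existing_users:
        addr = normalize_email(u.get("email"))
        if addr:
            by_email.setdefault(addr, []).append(u)

    report = []
    for d in directory_users:
        sam = d["sAMAccountName"]
        addr = primary_email(d)
        if addr is None:
            report.append({"user": sam, "email": None, "status": "no_email", "conflicts_with": []})
            continue
        holders = []
        for u in by_email.get(addr, []):
            same_name = u["name"].lower() == sam.lower()
            # Assumption: the user's own existing directory-backed object is not a conflict;
            # a local object, same name or not, is.
            if same_name and u["backend"] != "local":
                continue
            holders.append((u["name"], u["backend"]))
        report.append({
            "user": sam, "email": addr,
            "status": "conflict" if holders else "ok",
            "conflicts_with": holders,
        })
    return report


if __name__ == "__main__":
    for row in find_email_conflicts(EXISTING_USERS, DIRECTORY_USERS):
        print(row)
```

Feeding it a CSV export of the Users tab and a list pulled from AD gives the same answer the Prefetch Live Log would, but for every account at once, which is useful when a directory-wide UPN change has just been made.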
  • Just jumping in to say, this thread is the only hit on Google for "AAA_USER_EMAIL_PRIMARY" and had the answer I needed. Thank you!
