Authorization failure: unable to validate user credentials for half of business

[Josh Bridgens]

Around 3 months ago, I switched us from an LDAP import to an Azure import to incorporate 2 large areas of our company, did testing on quite a few accounts that all seemed to work fine, now I find that there are a number of accounts with the correct email address etc in Hornbill however theyu receive the following when attempting to sign in with SSO.

 

 

Our SSO profile is linked to our Azure AD so I cant see that being the problem, any ideas?

 

Josh

[Victor]

@Josh Bridgens for the affected users, the value for "Name ID" attribute in the SAML response is not matching any value for "Logon ID" for any users in Hornbill. I would say to check what is being used for "Name ID" for these users in AD then check the "Logon ID" for these users in HB.

[Josh Bridgens]

Victor, seems you are correct, these appear to be users with a different SAMAccountname... but I cant update it to match?

 

it says the specified user already exists (i cant find them though)

[Victor]

Just now, Josh Bridgens said:

seems you are correct

Ehm... seems?

You should be able to update the logon ID... unless that's not the issue and I am misunderstanding?

 

[Josh Bridgens]

"seems" was a figure of speech, you are definitely 100% correct. haha


Trying to change a user to "SReynolds" but get the error message... in images...

 

Howeveres theres no accounts with that anywhere in it..

[Victor]

@Josh Bridgens aham, ok, I understand... give me a minute then

[Victor]

@Josh Bridgens try this report. When you run it it should prompt you to input a user logon ID. Then it will display all users that have this logon ID (should only be one in teh list) and this will tell you what user already has that logon ID that you are trying to set for Sam...

users-for-josh.report.txt

 

[Josh Bridgens]

 

Nobody apparently!

[Victor]

@Josh Bridgens ummm... unless something broken, that should not happen... any users with that user ID in there (thinking maybe HB is confusing login ID with user ID)

[Victor]

@Josh Bridgens ok, so I did some checks and it seems changing the login ID also checks for matches against user ID... I can somehow see why it would do that but I am not convinced is right... I'll ask development.

[Josh Bridgens]

Thanks Victor, any help is appreciated!

[Victor]

@Josh Bridgens ok so, I was advised changing the login ID will indeed check for the value against the user ID and login ID for existing users. This is required as some API calls where user ID is still used which is internally mapped to login ID. Can you try this report to see what user has that value for login ID or user ID?

users-for-josh.report_2.txt

[Josh Bridgens]

Victor, ran the report from the test user "Sam Reynolds" with Sreynolds in the fields...

 

Im even more confused now.
 

[Victor]

@Josh Bridgens ok, so there is a user with ID "sreynolds" that's why we can't change the login ID for the user with ID "Sam.Reynolds"... can you locate the user with ID "sreynolds" in the user list?

[Josh Bridgens]

Ive tried to find it over the past few days and searched for anyone with Reynolds, Sam, anything in their setup and cant locate it. 

Happy for you to have a dig around if you want?

 

[Victor]

@Josh Bridgens looks like I have to... might have been a bad import that created incomplete user records that exist in the system (almost certain based on the report result above). These "broken" user records are not visible in the UI. I'll send you a PM.

[Josh Bridgens]

Whenever you're ready