DAF Live Log
DAF version 4.0, 4.2
When enabled, the live log feature will report information on each authentication request (success or failure) as well as on all errors detected. It is very useful to troubleshoot most DAF configuration issues. There is one log per user database plus one main log which will report general information.
With some configurations the live log feature may be disabled due to an incorrect registry setting. To solve this problem, please refer to Article 62 in the knowledge base.
If the DAF Configuration Tool is running in a Terminal Services Session,
the live log window may remain empty. To solve this issue, please refer to Article
Instructions to use a user database Live Log
1. Enable the Live Log
- "Log on DAF User logged"
- "Log on DAF user NOT logged"
- "Log on IIS "Access Denied"
(NOT on the top of the DAF Configuration window)
- In the DAF Configuration window select tab "Database Type & Web Hosts"
- Press [Re-start]. While restarting, the Live Log window should display information on the user database initialization.
2. Using the Live Log to retrieve information on authentication requests
When the Live Log is enabled, each authentication request success or failure will be reported.
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <>,<> to </daf/test/>The first and second "<>" are for the DAF and mapped NT user logins. Here they are empty since the request is anonymous. "</daf/test/>" is the resource requested.
Now, if the user enters a valid DAF user login ("joe") and password, access will be granted and the following information displayed:
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#goldgrp@ (-> ) in DAF dbThe arrow ("->") points to the mapped NT user (if defined). In the sample, no NT user was mapped to DAF user "joe." "#goldgrp" means that joe is a member of DAF group "goldgrp."
192.168.1.100,80,:(BA111)(DAF LOGON FAIL.) User NOT Found : <phil> in DAF db (Forward to NT) 192.168.1.100,80,:(EA100)(DAF&NT LOGON FAIL.) Access Denied. User <phil> NOT found in DAF database. Invalid NT userThe first line reports a DAF logon failure for user "phil." However, since option "Forward unfound DAF user to NT" is Enabled, access may still be granted if "phil" is a valid NT user. With the second line we know that the access was denied because "phil" is not a valid NT user.
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : john#grp1@ (-> webuser) in DAF db 192.168.1.100,80,:(EC100)(NT LOGON FAIL.) Access Denied. User <john> found in DAF database. Mapped to Invalid NT user <webuser>The first line shows that the DAF logon is successful and that access may be granted. However, with the second line we learn that user "john" is mapped to an invalid NT user ("webuser"). This is why access is finally denied.
Example 4: Access Denied due to a DAFAUTH.INI permission
When a valid DAF user cannot access a resource due to a DAFAUTH.INI permission, the following lines are displayed:
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#grp2;grp3@ (-> ) in DAF db 192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <joe>,<> to </daf/test/>The first line shows that the login and password were found in the DAF user database and are valid. However, the second line reports that this user is not allowed to access the requested resource due to a DAFAUTH.INI setting.
3. Using the Live Log to retrieve information about ODBC errors
When enabled, the live log will also report ODBC errors when detected. The following error message will occur when an invalid column name was defined for the DAF group information:
ODBC Error : (07001) [Microsoft][ODBC Microsoft Access 97 Driver] Too few parameters. Expected 1. Failed SQL request : <select dafuser as DAFUserX318 ,dafpass as DAFPassX318 , ntuser as NTUserX318 , ntpass as NTPassX318 , 0 as DAFNOVX318 , '' as DAFLVX318 , '' as DAFExpDate318 , 0 as difdate,dafgroups2 as DAFGroupsX318 , 0 as DisabledZ318 from userdb where dafuser='phil'> Error validating user <phil> (\odbc.cpp:3218)When an ODBC error occurs while processing an authentication request, access is denied and the error "The request was aborted" is displayed in the browser. The login dialog box is NOT displayed. For all ODBC errors, the SQL query which failed is displayed. In the sample, the invalid SQL query is:
select dafuser as DAFUserX318 ,dafpass as DAFPassX318 ,ntuser as NTUserX318 , ntpass as NTPassX318 , 0 as DAFNOVX318 , '' as DAFLVX318 , '' as DAFExpDate318 , 0 as difdate,dafgroups2 as DAFGroupsX318 , 0 as DisabledZ318 from userdb where dafuser='phil'Possible reasons for this symptom are:
- invalid column name defined in the DAF Configuration Tool.
- invalid column type. For example, type "string" for an expiration date column.
- with a remote database server, the database system is stopped or cannot be reached due to a network problem.
4. Using the Live Log to retrieve information about a wrong IIS configuration
When enabled, the Live Log feature will report a login failure due to an incorrect IIS configuration. However, the message may not be explicit on the cause:
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <>, <> to </dafauth_test/denied/>This symptom will happen when IIS is configured to use "Windows NT challenge/response" authentication scheme instead of basic. DAF will work only with basic authentication scheme.
192.168.1.100,80,:(HA100)(CONFIG) Access Denied by IIS configuration (Probably Anonymous access not allowed for IIS)Here the message reported is explicit. When no mapped NT account is defined for the DAF user, IIS option "Allow Anonymous Access" MUST be enabled.
Instructions to use the Main Live Log
For DAF release 4.0 an incorrect default registry setting will disable the main live log. For newer releases the Main Live Log is enabled by default.
To enable the Main Live Log with release DAF 4.0, refer to the knowledge base article ID 62.
When enabled, to use the Main Live Log, simply:
- Launch the DAF configuration Tool
Using the Main Live Log to find against which user database is processed an incoming authentication request:
With a multi-user database configuration it can be handy to verify against which user database an incoming authentication request is processed. For this purpose, the easiest solution is to enable log option "Log all received HTTP requests":
- Launch the DAF configuration Tool
For example, in the example below the request is attached to user database "userdb1" (note the end of the line "Attached to <userdb1>"):
HTTP Request for <192.168.1.100>,<80>,<192.168.1.100> from <192.168.1.100>, <Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)> - Attached to <userdb1>In the example below the request is NOT attached to user database (note the end of the line "NOT Attached"):
HTTP Request for <192.168.1.112>,<80>,<192.168.1.112> from <192.168.1.112>, <Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)> - NOT Attached