DAF Live Log

DAF version 4.0, 4.2

Overview

When enabled, the live log feature reports information on each authentication request (success or failure) as well as on all errors detected. It is very useful for troubleshooting most DAF configuration issues. There is one log per user database, plus one main log which reports general information.

With some configurations the live log feature may be disabled due to an incorrect registry setting. To solve this problem, please refer to Article 62 in the knowledge base. 

If the DAF Configuration Tool is running in a Terminal Services Session, the live log window may remain empty. To solve this issue, please refer to Article 130.


Instructions to use a user database Live Log

1. Enable the Live Log

  • Launch the DAF Configuration Tool
  • Select a user database on the top button bar
  • Select tab "Logs" (NOT Main Log file)
  • In "Logs configuration", check:
    - "Log on DAF User logged"
    - "Log on DAF user NOT logged"
    - "Log on IIS "Access Denied""
  • Press [Live Log] on the middle left to open the Live Log window
  • Select your user database on the bottom of the Live Log window (NOT on the top of the DAF Configuration window)
  • To enable the settings, it is necessary to restart the user database:
    - In the DAF Configuration window select tab "Database Type & Web Hosts"
    - Press [Re-start]. While restarting, the Live Log window should display information on the user database initialization.

    [Figure: User Database initialization]

 

2. Using the Live Log to retrieve information on authentication requests

When the Live Log is enabled, each authentication request, whether it succeeds or fails, will be reported.

  • Example 1: Access granted with a valid DAF User
When a browser loads a protected URL, it will display the authentication dialog box. At this point the following message should be reported in the Live Log window:
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <>,<> to </daf/test/>
The first and second "<>" are for the DAF and mapped NT user logins. Here they are empty since the request is anonymous. "</daf/test/>" is the resource requested.

Now, if the user enters a valid DAF user login ("joe") and password, access will be granted and the following information displayed:

192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#goldgrp@ (-> ) in DAF db
The arrow ("->") points to the mapped NT user (if defined). In the sample, no NT user was mapped to DAF user "joe." "#goldgrp" means that joe is a member of DAF group "goldgrp."
  • Example 2: Access Denied with an invalid DAF and NT User
If the web user enters an unknown user login and password, the lines below are reported:
192.168.1.100,80,:(BA111)(DAF LOGON FAIL.) User NOT Found : <phil> in DAF db (Forward to NT)
192.168.1.100,80,:(EA100)(DAF&NT LOGON FAIL.) Access Denied. User <phil> NOT found in DAF database. 
Invalid NT user
The first line reports a DAF logon failure for user "phil." However, since option "Forward unfound DAF user to NT" is Enabled, access may still be granted if "phil" is a valid NT user. With the second line we know that the access was denied because "phil" is not a valid NT user.
  • Example 3: Access Denied with a valid DAF User and an Invalid NT User
In this sample, we assume that "john" is a valid DAF user (= defined in the DAF user database) mapped to NT user "webuser" which is an unknown NT user:
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : john#grp1@ (-> webuser) in DAF db
192.168.1.100,80,:(EC100)(NT LOGON FAIL.) Access Denied. User <john> found in DAF database. 
Mapped to Invalid NT user <webuser>
The first line shows that the DAF logon is successful and that access may be granted. However, with the second line we learn that user "john" is mapped to an invalid NT user ("webuser"). This is why access is finally denied.

Example 4: Access Denied due to a DAFAUTH.INI permission

When a valid DAF user cannot access a resource due to a DAFAUTH.INI permission, the following lines are displayed:

192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#grp2;grp3@ (-> ) in DAF db
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <joe>,<> to </daf/test/>
The first line shows that the login and password were found in the DAF user database and are valid. However, the second line reports that this user is not allowed to access the requested resource due to a DAFAUTH.INI setting.
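
The four examples above can be read mechanically. The following parser is an added example, not part of the original article or of DAF itself. It assumes each event sits on one line (the wrapped lines shown above are joined) and that a denial directly follows the logon line for the same host and user; the names parse_line and outcomes are hypothetical.

```python
import re

# Constructed sample: the example lines from this page, wrapped lines joined.
SAMPLE = """\
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#goldgrp@ (-> ) in DAF db
192.168.1.100,80,:(BA111)(DAF LOGON FAIL.) User NOT Found : <phil> in DAF db (Forward to NT)
192.168.1.100,80,:(EA100)(DAF&NT LOGON FAIL.) Access Denied. User <phil> NOT found in DAF database. Invalid NT user
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : john#grp1@ (-> webuser) in DAF db
192.168.1.100,80,:(EC100)(NT LOGON FAIL.) Access Denied. User <john> found in DAF database. Mapped to Invalid NT user <webuser>
192.168.1.100,80,:(AA100)(DAF LOGON SUCC.) User Found : joe#grp2;grp3@ (-> ) in DAF db
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <joe>,<> to </daf/test/>
"""

# host,port,:(CODE)(CATEGORY) message
LINE = re.compile(r"^(?P<host>[^,]+),(?P<port>\d+),:"
                  r"\((?P<code>[A-Z]{2}\d{3})\)\((?P<tag>[^)]*)\)\s*(?P<msg>.*)$")
# "User Found : joe#grp2;grp3@ (-> ntuser)" = login, DAF groups, mapped NT user
FOUND = re.compile(r"User Found : (?P<user>[^#@\s]+)(?:#(?P<groups>[^@]*))?@ \(-> (?P<nt>[^)]*)\)")
ANGLE = re.compile(r"<([^<>]*)>")

def parse_line(line):
    """Return a dict for one Live Log line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    found = FOUND.search(ev["msg"])
    if found:
        ev["user"] = found["user"]
        ev["groups"] = [g for g in (found["groups"] or "").split(";") if g]
        ev["nt_user"] = found["nt"].strip() or None
    else:
        fields = ANGLE.findall(ev["msg"])      # first <...> is the DAF login
        ev["user"] = (fields[0] or None) if fields else None
    return ev

def outcomes(text):
    """Fold a logon line and the denial that follows it into one verdict."""
    results = []
    for ev in filter(None, map(parse_line, text.splitlines())):
        denied = "Access Denied" in ev["msg"]
        prev = results[-1] if results else None
        if (denied and prev and not prev["denied"] and ev["user"]
                and (prev["host"], prev["user"]) == (ev["host"], ev["user"])):
            prev.update(denied=True, reason=ev["tag"])
        else:
            results.append({"host": ev["host"], "user": ev["user"],
                            "denied": denied, "reason": ev["tag"] if denied else None})
    return results
```

Calling outcomes(SAMPLE) yields one verdict per request, with the category of the denying line as the reason. An anonymous request (empty first "<>") is kept as its own entry with user None.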

3. Using the Live Log to retrieve information about ODBC errors

When enabled, the live log will also report ODBC errors when detected. The following error message is reported when an invalid column name has been defined for the DAF group information:

ODBC Error : (07001) [Microsoft][ODBC Microsoft Access 97 Driver] Too few parameters. 
Expected 1. Failed SQL request : <select dafuser as DAFUserX318 ,dafpass as DAFPassX318 ,
ntuser as NTUserX318 , ntpass as NTPassX318 , 0 as DAFNOVX318 , '' as DAFLVX318 , 
'' as DAFExpDate318 , 0 as difdate,dafgroups2 as DAFGroupsX318 , 0 as DisabledZ318 
from userdb where dafuser='phil'> Error validating user <phil> (\odbc.cpp:3218)
When an ODBC error occurs while processing an authentication request, access is denied and the error "The request was aborted" is displayed in the browser. The login dialog box is NOT displayed. For all ODBC errors, the SQL query which failed is displayed. In the sample, the invalid SQL query is:
select dafuser as DAFUserX318 ,dafpass as DAFPassX318 ,ntuser as NTUserX318 ,
ntpass as NTPassX318 , 0 as DAFNOVX318 , '' as DAFLVX318 , '' as DAFExpDate318 , 
0 as difdate,dafgroups2 as DAFGroupsX318 , 0 as DisabledZ318 from userdb where dafuser='phil'
Possible reasons for this symptom are:
- invalid column name defined in the DAF Configuration Tool.
- invalid column type. For example, type "string" for an expiration date column.
- with a remote database server, the database system is stopped or cannot be reached due to a network problem.

4. Using the Live Log to retrieve information about a wrong IIS configuration

When enabled, the Live Log feature will report a login failure due to an incorrect IIS configuration. However, the message may not be explicit on the cause:

  • Example 1: "Windows NT challenge/response" instead of "Basic"
Suppose the following message is reported after a valid DAF user and password are entered. The important symptom to note here is that the DAF user information is not displayed (first empty "<>"). It is as if the login typed by the web user did not reach the DAF filter.
192.168.1.100,80,:(FA100)(DAFAUTH.INI PERMISSION) Access Denied for user <>,
<> to </dafauth_test/denied/>
This symptom occurs when IIS is configured to use the "Windows NT challenge/response" authentication scheme instead of basic. DAF works only with the basic authentication scheme.
  • Example 2: "Windows NT challenge/response" instead of "Basic"
After entering a valid DAF user and password the following message is reported:
192.168.1.100,80,:(HA100)(CONFIG) Access Denied by IIS configuration 
(Probably Anonymous access not allowed for IIS)
Here the message reported is explicit. When no mapped NT account is defined for the DAF user, IIS option "Allow Anonymous Access" MUST be enabled.

Instructions to use the Main Live Log

For DAF release 4.0 an incorrect default registry setting will disable the main live log. For newer releases the Main Live Log is enabled by default.

Important: To enable the Main Live Log with release DAF 4.0, refer to the knowledge base article ID 62.

When enabled, to use the Main Live Log, simply:

- Launch the DAF configuration Tool
- Press button [Live Log]
- On the bottom of the Live Log window, press [Main Log]

Using the Main Live Log to find which user database an incoming authentication request is processed against:

With a multi-user database configuration it can be handy to verify against which user database an incoming authentication request is processed. For this purpose, the easiest solution is to enable log option "Log all received HTTP requests":

- Launch the DAF configuration Tool
- Select a user database (any user database will work)
- Select tab "Logs"
- Check "Log all received HTTP requests"
- Restart the user database: Select tab "Database type & Web Hosts" and press [Re-start]
- Press button [Live Log]
- On the bottom of the Live Log window, press [Main Log]
- With a browser, load a resource. A message will report against which user database the request was processed.

In the example below, the request is attached to user database "userdb1" (note the end of the line "Attached to <userdb1>"):

HTTP Request for <192.168.1.100>,<80>,<192.168.1.100> from <192.168.1.100>,
<Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)> - Attached to <userdb1>
In the example below the request is NOT attached to any user database (note the end of the line "NOT Attached"):
HTTP Request for <192.168.1.112>,<80>,<192.168.1.112> from <192.168.1.112>,
<Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)> - NOT Attached

         DAF is an OpenFuture Software, Inc. Product