
Reflection Server Cannot Connect to Authentication Server
Technical Note 1649
Last Reviewed 03-May-2007
Applies To
Reflection for the Web version 7.0 or higher
Summary

If you configure Reflection for the Web management server to use an account to access the LDAP server, and then you change the password on that account without updating the Reflection configuration, then Reflection will continue to use the old password. This can cause the account to be locked out, and can also cause Reflection for the Web authentication failures. This technical note describes how to prevent this problem from occurring, and how to resolve it if it does.

Problem

As an example, if Reflection for the Web management server is configured to use a user’s network account to access an LDAP server, and that user changes his or her password, then Reflection will continue to use the old password to access the LDAP server, and two problems can occur:

  1. The user may be locked out of the account. This happens because many network servers have automated policies that cause an account to be locked out if an incorrect password is used more than a certain number of times within a given time period. If Reflection for the Web repeatedly uses the old password to attempt to reach the LDAP server, then the network server may respond by locking the account, rendering it temporarily unusable. The user who normally uses the account to log into the network will be unable to log in.
  2. Users may not be able to access terminal sessions using Reflection for the Web. Instead, they will see the following error message:

     Authentication Timeout
     The Reflection server could not connect to your site's authentication server. Please contact your system administrator.
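The lockout mechanism described above has a recognisable signature: one host (the management server) producing a steady stream of failed binds for one account, as opposed to a person mistyping a password once or twice. The check below is an added example, not code from the technical note or from the Reflection product; the log line format, host names, account names and the threshold/window values are constructed assumptions, so adapt the parser to whatever your directory server actually logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bind-failure log (hypothetical format, not a real product log):
# "<ISO timestamp> BIND_FAIL account=<name> src=<host>"
SAMPLE_LOG = """\
2007-05-03T09:00:01 BIND_FAIL account=jsmith src=rweb-mgmt01
2007-05-03T09:00:31 BIND_FAIL account=jsmith src=rweb-mgmt01
2007-05-03T09:01:01 BIND_FAIL account=jsmith src=rweb-mgmt01
2007-05-03T09:01:31 BIND_FAIL account=jsmith src=rweb-mgmt01
2007-05-03T09:02:01 BIND_FAIL account=jsmith src=rweb-mgmt01
2007-05-03T09:03:00 BIND_FAIL account=adoe src=ws-adoe
2007-05-03T09:04:00 BIND_FAIL account=adoe src=ws-adoe
2007-05-03T09:05:00 BIND_FAIL account=jsmith src=ws-jsmith
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, source host)."""
    ts, _event, acct, src = line.split()
    return datetime.fromisoformat(ts), acct.split("=", 1)[1], src.split("=", 1)[1]


def find_stale_credential_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {account: source_host} for every account where a single source
    alone produced at least `threshold` failed binds inside `window`.

    That pattern is what a server process retrying a stale stored password
    looks like; a user's own typos come from their workstation, a few at a time.
    Flagging it early lets an administrator update the stored credential before
    the directory's own lockout policy disables the account.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if " BIND_FAIL " not in line:
            continue
        ts, acct, src = parse_line(line)
        failures[(acct, src)].append(ts)

    flagged = {}
    for (acct, src), stamps in failures.items():
        stamps.sort()
        start = 0
        # Sliding window over the sorted timestamps for this (account, source) pair.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[acct] = src
                break
    return flagged
```

On the constructed sample, only `jsmith` is flagged, with `rweb-mgmt01` as the offending source; the two failures from `adoe`'s own workstation stay below the threshold.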

Solution

If your network account gets locked, the network administrator can unlock it. On some types of networks (for example, networks run on Microsoft NT and Windows 2000 servers), you can still log into your machine locally even if you can't log into the domain because your account is locked.

You can then log into the Reflection Administrative WebStation using the Reflection administrator password, which works even if the LDAP server cannot be reached. Once you have opened the Administrative WebStation, change the password used to access the LDAP server: open the Access Control Setup utility under Tools, select Configure, and then click Next twice to open the LDAP configuration screen. In the LDAP Server section, enter the new password.

Be sure to change the password used to access the LDAP server as soon as possible after changing your account password on the network. It is best to do this when the Reflection for the Web server is not heavily loaded. You may want to suspend the account lockout policy while you change the password.

Best Practices

In a production environment, it is not good practice to use a regular user account for automated server processes that need to authenticate. Regular user accounts are more likely to have problems for a variety of reasons. For example, the password may change due to a normal password aging policy, or a person's local machine may somehow malfunction, causing the account to be locked out, thus causing the server process to also be locked out.

In a production environment, it is better practice to use a dedicated account for the server process, one that is not normally used to log in for daily business and that is not subject to an automatic password aging policy.

Related Technical Notes
9988 Reflection for the Web Technical Notes
