Need to access iiq console with Windows credentials in command prompt despite having SSO activated

Reproduction Steps: I logged into the PROD VM with my standard Windows Account. I go to the bin directory (\myComputer\c$\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin) with a command prompt, I enter iiq console and then I enter my Windows credentials.
Outcome/Errors: java.lang.IllegalStateException: Authentication Failed
But if we deactivate the SSO in IdentityIQ, then it’s working with the Active Directory passthrough. I need it to work even if the SSO is enabled.

Which IIQ version are you inquiring about? 8.3p3

Error message we receive: java.lang.IllegalStateException: Authentication Failed

Hi Patrick,

The spadmin credentials should work. I have not checked if any other accounts can authenticate with local credentials if SSO is enabled.

Regards
Arjun

Hi Arjun, yes spadmin works and my IdentityIQ local account works too (if I have reset the password). But we would like to log in to the iiq console using our Windows credentials with the Active Directory passthrough, which is working only when SSO is disabled in IdentityIQ. So is there a way to, like, bypass SSO when using iiq console in command prompt or something like that? Thanks

In your Login Settings, you need to turn on pass-thru authentication and tie it to your AD application. With this enabled, you can log in with AD credentials via the console (or via the IIQ login page if someone is able to manually navigate to it). The AD account should be correlated to the identity context you want them to log in as once authentication is successful with those AD credentials. It will always try pass-thru first once it is turned on, and if pass-thru fails, it will fall back to local IdentityIQ authentication.

Hello Patrick, the passthrough is already set up

Do you mean I must check that box: Refresh pass through account after successful login?

Thanks

No need to check that off. It should work already.

That’s what I had tried. I just tried again and I have the error: java.lang.IllegalStateException: Authentication Failed

For your information, I used as login the AD samAccountName and this AD account password.

I doubt this would have been changed, but is sAMAccountName in your list of authSearchAttributes in the Application XML?

<entry key="authSearchAttributes">
  <value>
    <List>
      <String>sAMAccountName</String>
      <String>msDS-PrincipalName</String>
      <String>mail</String>
    </List>
  </value>
</entry>

Hi, yes it’s there:

Can you check whether the identity name and the sAMAccountName value are the same?

Hi Arpitha, no it’s not the same.
For example from the Identity in the debug page:
name="814385"