Authentication Problems

Diagnose and resolve authentication failures including LDAP binding, OIDC token issues, JWT expiry, credential vault access, and SSH key rejection.

Overview

Authentication problems in NetStacks can occur at multiple layers: logging into the NetStacks web UI or Terminal application, authenticating to the Controller API, unlocking the credential vault, or authenticating to managed network devices. Each layer uses different mechanisms and has distinct failure modes.

Authentication Failure Categories

LDAP Binding Failures -- The Controller cannot connect to or authenticate against the LDAP/Active Directory server during user login.
OIDC Token Issues -- Single sign-on via OpenID Connect fails due to misconfigured providers, expired tokens, or callback URL mismatches.
JWT Expiry / Rejection -- API requests fail because the JSON Web Token has expired, is malformed, or was signed with the wrong key.
Credential Vault Access -- Users cannot retrieve stored credentials due to vault lock, permission issues, or encryption key problems.
SSH Key Rejection -- The target network device rejects the SSH key presented during device authentication.

Note

NetStacks supports local authentication, LDAP/Active Directory, and OIDC (OpenID Connect) for user login. Device authentication supports passwords, SSH keys, and certificates managed through the credential vault.

How It Works

NetStacks authentication involves a multi-stage flow from user login through to device access. Understanding each stage helps you pinpoint where failures occur.

Authentication Flow

User Login -- The user authenticates to NetStacks via local credentials, LDAP bind, or OIDC redirect. On success, the Controller issues a JWT access token and a refresh token.
JWT Session -- All subsequent API requests include the JWT in the Authorization header. The Controller validates the token signature, expiry, and permissions on every request.
Token Refresh -- When the access token expires, the client automatically uses the refresh token to obtain a new access token without re-prompting for credentials.
Credential Vault Unlock -- When a device connection is initiated, NetStacks retrieves the appropriate credential from the encrypted vault. Credentials are isolated by owner -- users can only access their own credentials or those explicitly shared with them.
Device Authentication -- The retrieved credential (password, SSH key, or certificate) is used to authenticate to the target device over SSH or Telnet.

Tip

If login succeeds but device connections fail with authentication errors, the problem is at stage 4-5 (credential vault or device auth), not at the user login stage.

Step-by-Step Guide

Use the appropriate diagnostic checklist based on which authentication method is failing.

Local Authentication

Verify the username is typed correctly (case-sensitive).
Reset the password through the admin panel if forgotten.
Check if the account has been disabled by an administrator.
Verify the Controller service is running and healthy.

LDAP / Active Directory

Verify the LDAP server is reachable from the Controller host.
Check the Bind DN and Bind Password in admin settings.
Confirm the User Search Base DN includes the target user's OU.
Verify the User Filter pattern matches the login attribute (e.g., sAMAccountName vs uid).
Test with ldapsearch from the Controller host to isolate LDAP vs NetStacks issues.
If using LDAPS (port 636), verify the TLS certificate is trusted.

OIDC / SSO

Verify the Redirect URI in the OIDC provider matches the NetStacks callback URL exactly.
Confirm the Client ID and Client Secret are correct.
Check that required scopes (openid, profile, email) are configured.
Verify the OIDC provider's discovery endpoint is accessible from the Controller.
Check system clock synchronization -- JWT validation is time-sensitive.

SSH Key Authentication (to devices)

Verify the correct credential is assigned to the device in NetStacks.
Confirm the public key is installed on the target device.
Check key file permissions (private key must be 600 or more restrictive).
Verify the key type is supported by the device (some older devices reject Ed25519).
If using a passphrase-protected key, verify the passphrase is stored correctly in the vault.

Warning

Never share SSH private keys between users. Each user should have their own key pair stored in their personal credential vault. Use credential sharing for shared service accounts only.

Code Examples

LDAP Connection Test

LDAP Debug Commandsbash

# Test LDAP bind from the Controller host
ldapsearch -x -H ldap://ldap.example.com:389 \
  -D "cn=netstack-svc,ou=ServiceAccounts,dc=example,dc=com" \
  -W \
  -b "ou=Users,dc=example,dc=com" \
  "(sAMAccountName=jdoe)" dn

# Test LDAPS (TLS) connection
ldapsearch -x -H ldaps://ldap.example.com:636 \
  -D "cn=netstack-svc,ou=ServiceAccounts,dc=example,dc=com" \
  -W \
  -b "ou=Users,dc=example,dc=com" \
  "(uid=jdoe)" dn

JWT Token Inspection

JWT Inspectionbash

# Decode a JWT token to inspect its claims (without verification)
# Split the token by '.' and base64-decode the payload (second segment)
echo "eyJhbGciOiJIUzI1NiIs..." | cut -d. -f2 | base64 -d 2>/dev/null | jq .

# Example decoded payload:
{
  "sub": "user-uuid-here",
  "username": "jdoe",
  "role": "admin",
  "iat": 1709856000,
  "exp": 1709859600
}

# Check if token is expired:
# Compare "exp" (expiry) timestamp to current time
date -d @1709859600  # Shows when the token expires

API Authentication Test

API Auth Testbash

# Test API authentication with curl
curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer <your-jwt-token>" \
  https://controller.example.com/api/v1/users/me

# 200 = authenticated successfully
# 401 = token invalid or expired
# 403 = authenticated but insufficient permissions

SSH Key Permission Check

SSH Key Permissionsbash

# Verify SSH key file permissions
ls -la ~/.ssh/
# Expected:
# drwx------  .ssh/           (700)
# -rw-------  id_ed25519      (600)
# -rw-r--r--  id_ed25519.pub  (644)
# -rw-r--r--  authorized_keys (644)

# Fix permissions if incorrect
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

# Test SSH key auth directly
ssh -i ~/.ssh/id_ed25519 -o PreferredAuthentications=publickey admin@10.0.1.1

Q&A

Q: Why does LDAP authentication fail?: A: LDAP authentication failures are usually caused by one of: incorrect Bind DN or password in the NetStacks LDAP settings, the User Search Base DN not including the user's organizational unit, the user filter not matching the correct attribute (e.g., using uid when Active Directory uses sAMAccountName), or network connectivity issues between the Controller and the LDAP server. Test with ldapsearch from the Controller host to isolate whether the issue is LDAP configuration or NetStacks configuration.
Q: How do I debug OIDC/SSO login issues?: A: Start by verifying the Redirect URI configured in your OIDC provider matches the NetStacks callback URL exactly (including protocol, host, port, and path). Check the browser developer console for error details during the redirect flow. Common issues include mismatched Client ID/Secret, missing required scopes, and the OIDC discovery endpoint being unreachable from the Controller. If using a self-signed certificate on the OIDC provider, ensure the Controller trusts it.
Q: Why is my JWT token rejected?: A: JWT tokens can be rejected for several reasons: the token has expired (check the exp claim), the system clocks are out of sync between the client and Controller (JWT validation is time-sensitive), the token was issued by a different Controller instance, or the signing key has been rotated. If tokens expire too quickly, an administrator can adjust the token lifetime in Settings. The client should automatically refresh tokens before they expire.
Q: How do I fix "Permission denied (publickey)"?: A: This error means the target device rejected the SSH key. Verify that: the correct public key is installed in the device's authorized keys configuration, the private key file has correct permissions (600), the key type is supported by the device (older Cisco IOS may not support Ed25519 -- use RSA 2048+ instead), and the credential assigned to the device in NetStacks matches the key installed on the device. Also check if the device has a maximum number of authorized keys configured.
Q: Why can't I access the credential vault?: A: Credential vault access issues can stem from: the vault being locked (requires re-authentication), insufficient permissions (you can only access your own credentials or credentials explicitly shared with you via folder grants), or the encryption key being unavailable. If the vault was recently migrated, the encryption key derivation may need to be re-initialized. Contact your administrator if you believe you should have access to a shared credential.
Q: How do I reset my credentials if locked out?: A: If you are locked out of NetStacks, an administrator can reset your password through the admin panel under User Management. If LDAP/OIDC is the only authentication method and the provider is down, an administrator can temporarily enable local authentication as a fallback. For device credentials stored in the vault, those are preserved -- only the NetStacks login needs to be recovered.
Q: Why does my session expire faster than expected?: A: Session expiry is controlled by the JWT token lifetime configured in admin settings. If the refresh token is also expired, you will be prompted to log in again. Common causes of unexpected expiry include: system clock drift between the client and Controller, the administrator reducing token lifetimes, or the browser blocking the automatic token refresh request. Check that your browser allows cookies and JavaScript for the Controller URL.

Troubleshooting

Use this error message lookup table to quickly identify the cause and fix for common authentication errors.

Error Message	Cause	Fix
`Invalid credentials`	Wrong username or password for local/LDAP auth	Verify credentials, check LDAP bind settings
`LDAP bind failed: Invalid DN Syntax`	Bind DN is malformed	Verify the full DN path (e.g., cn=user,ou=svc,dc=example,dc=com)
`OIDC callback error: state mismatch`	Browser session expired during OIDC redirect	Clear cookies and retry the login flow
`Token expired`	JWT access token past its expiry time	Re-authenticate or check auto-refresh mechanism
`Permission denied (publickey)`	SSH key not authorized on target device	Install public key on device, verify key type compatibility
`Vault locked`	Credential vault requires re-authentication	Re-enter master password or re-authenticate to unlock
`Access denied: insufficient permissions`	User role lacks required permission for the action	Request permission from admin, check role assignment
`LDAP connection refused`	LDAP server unreachable or port blocked	Verify LDAP server address, check port 389/636 accessibility
`Certificate verify failed`	TLS certificate not trusted (LDAPS or OIDC)	Install CA certificate on Controller host
`Account disabled`	Administrator has disabled the user account	Contact administrator to re-enable account

Tip

For LDAP and OIDC issues, check the Controller logs for detailed error messages. The web UI may show a generic "Authentication failed" while the logs contain the specific LDAP error code or OIDC error response.

Admin: Authentication -- Configure LDAP, OIDC, and local authentication providers
Credentials: Vault -- Manage the encrypted credential vault and access permissions
Credentials: SSH, Passwords & Keys -- Store and manage SSH keys and passwords for device authentication
Credentials: Certificates -- Certificate-based authentication and CA management
API: Authentication -- API authentication endpoints, token management, and refresh flow
Troubleshooting: Connection Issues -- If authentication succeeds but the connection itself fails