Issue
Users logging in to EBO with Windows Authentication through the Workstation client encounter the error "User account not associated with a group. Contact your administrator".
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Server - SXWSWESXX00001
- Building Operation Enterprise Central - SXWSWECXX00005
- Building Operation Workstation - SXWSWWORK00002
Cause
The "Local System account" used to run the "Building Operation Enterprise Server" service does not have sufficient permissions for EBO/Active Directory integration. When EBO tries to fetch the groups of the user logging in, one of its function calls to Active Directory fails.
Resolution
The service account used to run the "Building Operation Enterprise Server" service must be able to read the token-groups-global-and-universal (TGGAU) attribute. The IT department or the Active Directory administrator needs to grant this access explicitly by adding the service account to the built-in Active Directory group called "Windows Authorization Access Group". For more details about the TGGAU attribute, see the Microsoft Support article "Some Applications and APIs Require Access to Authorization Information".
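One way an Active Directory administrator could check and grant the membership described above, using the ActiveDirectory PowerShell module. This is an added example, not part of the original article or of EBO; the script parameters and the account name passed to them are placeholders for your environment.

```powershell
# Added example: check and grant membership in "Windows Authorization Access Group".
# Requires the ActiveDirectory module (RSAT) and rights to modify the group.
param(
    # sAMAccountName of the identity that runs the "Building Operation
    # Enterprise Server" service (placeholder, supply your own value).
    # A service running as Local System authenticates to the domain as the
    # host's computer account, whose sAMAccountName ends in '$'.
    [Parameter(Mandatory)][string]$AccountName,
    # Without -Apply the script only reports what it would change.
    [switch]$Apply
)

Import-Module ActiveDirectory
$GroupName = 'Windows Authorization Access Group'

# Resolve the account regardless of object class (user, computer, gMSA).
$account = Get-ADObject -Filter "sAMAccountName -eq '$AccountName'"
if (-not $account) { throw "Account '$AccountName' was not found in the domain." }

# Read the 'member' attribute directly instead of Get-ADGroupMember, which can
# fail on the well-known/foreign security principals this built-in group holds.
$group = Get-ADGroup -Identity $GroupName -Properties member
if ($group.member -contains $account.DistinguishedName) {
    Write-Output "'$AccountName' is already a direct member of '$GroupName'."
    return
}

# Dry run by default: -WhatIf is switched off only when -Apply is given.
Add-ADGroupMember -Identity $group -Members $account.DistinguishedName -WhatIf:(-not $Apply)

if ($Apply) {
    # Re-read the group to confirm the change was written.
    $group = Get-ADGroup -Identity $GroupName -Properties member
    if ($group.member -contains $account.DistinguishedName) {
        Write-Output "Added '$AccountName' to '$GroupName'."
    } else {
        Write-Warning "Membership change for '$AccountName' could not be confirmed."
    }
}
```

Group membership is evaluated when the account logs on, so restart the "Building Operation Enterprise Server" service (or the host, if the computer account was added) before testing the Windows Authentication login again.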