AD Authentication setup

DCIM_Support · ‎2020-07-03

I am working on using AD for authentication with DCE 7.4.1

I have configured the authentication server and selected a group that I created in AD. However, I am not realizing any benefit from this as the credentials are not accepted at login. Unless I'm unclear on what to expect.

Secondly, while the Group I've selected appears, individual users do not (2nd screenshot)

DCIM_Support · ‎2020-07-03

Hi Ed,

A good place to start is to look at k-base FA158395. This should help you with a lot of the little stuff.

If you've set up an AD group and have added it to DCE, the next thing you have to do is to give that groups permissions inside of DCE. We don't pull permissions from the server, just names, passwords, and e-mails for server level events.

If your users can't log in. please be sure they are in the same search base used to add the group. If DCE can't search for both the group AND it's included users, you won't be able to log in with those credentials. Make sure you also do not have duplicate users where they exist on the DCE server as well las the AD group as this could cause conflicts.

Finally, if you had started this incorrectly, delete the AD entry and make a new one. I have seen issues where you choose LDAP and then go all the way to the end and logins fail (even though it appears to allow you to add them) or even if you choose LDAP and go part of the way to finish, go back and change to AD, sometimes the change doesn't take and you'll still get a failure.

Thanks,

Steve

DCIM_Support · ‎2020-07-03

Ok. I change the AD group to Universal and tried removing it from DCE and adding back as the scenario you described could have happened. Still no luck.

The search base is essentially the entire directory : DC=milbank,DC=local. Perhaps I'm hitting a size limit that was mentioned in the technote but the users and the group are in different OUs below this base.

I have specified DCE permissions to the group once it has been selected.

Ed

DCIM_Support · ‎2020-07-03

Hi Ed, I just re-read your initial post. Hopefully this is just a secondary question but you mentioned: while the Group I've selected appears, individual users do not You should know that the users will not show, only the groups. Rights are then associated based on those groups. Steve

DCIM_Support · ‎2020-07-03

Back to the login issue, can you create a test group and in the same container, create a user. Make it very simple with no difference between long and short names. Add that group and give that groups rights within DCE. Can that user log in? Steve

DCIM_Support · ‎2020-07-03

If you look at the screenshot I inserted in the original post what I meant to convey was that if I chose individual users rather than a group the did not (and do not) appear under the "Users" heading.

DCIM_Support · ‎2020-07-03

Sorry, I must have misunderstood. I thought you expected to see the users once you added the group. Ok, so if you DID add individual users through the authentication server, they did not show up? Could you try the test I suggested and again, create this as a new authentication server entry? Steve

DCIM_Support · ‎2020-07-03

I've added a user in the same container as the group. Removed the group from DCE and added it back.

DCIM_Support · ‎2020-07-03

Hi Ed,

I feel there's something we're missing and doing this over the forum may not be the best way to reach a resolution. What region are you in? US, Europe? I think it may be best if we contact you directly. I can get your e-mail from the system but want to verify who to get to contact you.

Steve

DCIM_Support · ‎2020-07-03

This issue has been resolved. I followed the very useful technote but in the end I believe the ultimate resolution to enable AD authentication (after the components were configured) was a restart of the server

DCIM_Support · ‎2020-07-03

That's weird. It shouldn't be required but I'm glad it worked!

DCIM_Support · ‎2020-07-03

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.