DCO behavior with AD integration and Change module

EcoStruxure IT forum

A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.

Solved
Valentin_Kozlov (Lieutenant) wrote:

Hi Team!

I need to clarify a few points regarding DCO/ITA and Active Directory integration.

How will DCO react if we configure AD group parsing while users authenticate with AD accounts?

I mean, will it be enough if we configure only groups, with user management handled on the AD side?

Will users appear in the user list, or how will DCO/ITA work with this?

For example, we create two groups in AD, import them into DCO/ITA as "Managed by authentication server" groups and assign some rights to them.

Will AD group users be successfully authenticated by DCO/ITA (I suppose they will), and will we be able to assign a work order to a specific user? Or will it work only for the groups?

Or do we always need to add users to DCO/ITA manually to be able to assign work orders?

The goal is to leave user management on the AD side but keep the ability to distribute work orders personally.

Any info will be much appreciated; thanks in advance!


ChrisLaurentius (Lieutenant JG) replied:

Hi Valentin,

Great question!

 

I'm leaning towards your latter hypothesis, i.e.:

  1. Add individual AD users to ITA to be able to assign a specific Work Order (WO), task or change request to a specific AD user.
  2. If you add an AD group, you can only assign a WO/task to the group, not to an individual user.

Of course, the granularity of WO, task or change request assignment (whether to groups or individual users) varies from customer to customer.

Anyone with access to a test AD and ITA can help to validate this, preferably with pictures 🙂

@gsterling perhaps? It would also be a great addition to the documentation on Change Management with AD users.

 

Regards,

Chris

gsterling (Commander) replied:

Hello Valentin and Chris

 

Yes, DCO and ITA should be able to dynamically handle the members of AD-bound groups.

I work with several customers in NAM who have moved to a group-focused security format, where they have defined groups in their AD/LDAP, bound those groups in DCO/ITA and set permissions.

Then, when they add users to those groups on the AD/LDAP side, those users automatically have access to DCO/ITA using their AD credentials. Their user accounts in DCO/ITA literally appear in a dynamic manner. A user's access can also be revoked by removing the user account from the AD/LDAP group.

I might be able to show an example of this using my own sandbox domain if it's required.

One caveat to this process is that when a user is removed from the AD/LDAP group, their user account is not actually deleted from DCO/ITA. All its access is removed, so they may still be able to log on to the web client (with no access the desktop client doesn't work), but they will see nothing; the screen will be blank. There is an open feature request to actually clean up the users in this case, but that has not happened yet as far as I know (I'd have to re-test this scenario).

Regards,

Greg Sterling

Valentin_Kozlov (Lieutenant) replied:

Great news, thank you Greg!

 

Does a user have to log in to DCO/ITA to appear in the user list?

Or does it pull all accounts from the group?

I will be very grateful if you can show an example.

gsterling (Commander) replied (accepted solution):

You are welcome. With regard to your follow-up question:

DCO/ITA resyncs AD/LDAP group information under two conditions: it syncs member info in groups automatically on an hourly basis, and it checks group membership when a user authenticates in the web or desktop client.

So if you add a new user to an AD/LDAP group which is bound to DCO/ITA, you will not immediately see the user account in the web client. But if the user tries to log on, DCO/ITA will check for the user's membership in the group by querying AD/LDAP directly, and if found, authentication will succeed and the user will immediately appear in the user list, as well as in the group members, in the DCO/ITA web client.

I'll see if I can provide some sample screenshots.

Regards,

Greg Sterling

Valentin_Kozlov (Lieutenant) replied:

Hi Team!

 

I configured DCO as we discussed.

Now I have a group in DCO, but none of the users who are members of this group appear.

Also, when a user tried to log in to DCO, we got these errors in the log:

Apr 13 12:55:26 0400dcimdco-1 operations: 2020-04-13 12:55:26,233 ERROR [kqUtCv2+SsGy3kWhq2r00w] [2f183a4e6449] [com.apc.webservice.api.server.exception.mapper.APIExceptionMapper] (default task-99 kqUtCv2+SsGy3kWhq2r00w) API server error: [119002] Authentication server configuration may be wrong. - null (Status Code: 500)
Apr 13 12:55:34 0400dcimdco-1 operations: 2020-04-13 12:55:34,726 INFO [zwWWrk9nRUeitfCr/jaE8A] [2f183a4e6449] [com.apc.webservice.api.server.token.AuthenticationRestWebServiceImpl] (default task-126 zwWWrk9nRUeitfCr/jaE8A) User with anonymized name [a3ab747d76de] logged in
Apr 13 12:55:34 0400dcimdco-1 operations: 2020-04-13 12:55:34,824 WARN [e4DmKDa0SNGGXm+OL1NhCA] [a3ab747d76de] [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-48 e4DmKDa0SNGGXm+OL1NhCA) RESTEASY002142: Multiple resource methods match request "GET /users/current". Selecting one. Matching methods: [public abstract com.apc.webservice.api.users.model.UserVO com.apc.webservice.api.users.UserRestWebService.getUser(java.lang.String,java.util.List), public abstract com.apc.webservice.api.users.model.UserVO com.apc.webservice.api.users.UserRestWebService.getCurrentUser(java.util.List)]
Apr 13 12:55:34 0400dcimdco-1 operations: 2020-04-13 12:55:34,981 WARN [wxCSevoURMC0D/yeHQmLVg] [a3ab747d76de] [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-94 wxCSevoURMC0D/yeHQmLVg) RESTEASY002142: Multiple resource methods match request "GET /users/current". Selecting one. Matching methods: [public abstract com.apc.webservice.api.users.model.UserVO com.apc.webservice.api.users.UserRestWebService.getUser(java.lang.String,java.util.List), public abstract com.apc.webservice.api.users.model.UserVO com.apc.webservice.api.users.UserRestWebService.getCurrentUser(java.util.List)]
Apr 13 12:55:35 0400dcimdco-1 operations: 2020-04-13 12:55:35,617 INFO [sqMfzMwDTIyCWtOqgpnFOw] [2f183a4e6449] [com.apc.product.services.users.impl.UsersServiceImpl] (default task-63 sqMfzMwDTIyCWtOqgpnFOw) User with anonymized name f3ce642538f6 failed login: Username not found
Apr 13 12:55:35 0400dcimdco-1 operations: 2020-04-13 12:55:35,632 WARN [sqMfzMwDTIyCWtOqgpnFOw] [2f183a4e6449] [com.apc.webservice.api.server.exception.mapper.APIExceptionMapper] (default task-63 sqMfzMwDTIyCWtOqgpnFOw) API client error: [114004] The token is not valid - Login failed (Status Code: 401)
Apr 13 12:56:36 0400dcimdco-1 operations: 2020-04-13 12:56:36,615 INFO [vqftADLXRUK7V6APZ+oAyQ] [2f183a4e6449] [com.apc.product.services.users.impl.UsersServiceImpl] (default task-87 vqftADLXRUK7V6APZ+oAyQ) User with anonymized name f3ce642538f6 failed login: Username not found
Apr 13 12:56:36 0400dcimdco-1 operations: 2020-04-13 12:56:36,628 WARN [vqftADLXRUK7V6APZ+oAyQ] [2f183a4e6449] [com.apc.webservice.api.server.exception.mapper.APIExceptionMapper] (default task-87 vqftADLXRUK7V6APZ+oAyQ) API client error: [114004] The token is not valid - Login failed (Status Code: 401)
Apr 13 12:56:45 0400dcimdco-1 operations: 2020-04-13 12:56:45,626 INFO [40+4n7QiSAWhEdOmlRHlkw] [2f183a4e6449] [com.apc.product.services.users.impl.UsersServiceImpl] (default task-106 40+4n7QiSAWhEdOmlRHlkw) User with anonymized name fae3c78dbe10 failed login: Username not found
Apr 13 12:56:45 0400dcimdco-1 operations: 2020-04-13 12:56:45,627 WARN [40+4n7QiSAWhEdOmlRHlkw] [2f183a4e6449] [com.apc.webservice.api.server.token.AuthenticationRestWebServiceImpl] (default task-106 40+4n7QiSAWhEdOmlRHlkw) Login failed
Apr 13 12:56:45 0400dcimdco-1 operations: : java.security.GeneralSecurityException: Error connecting to AD server, credentials may be wrong.
Apr 13 12:56:45 0400dcimdco-1 operations: at com.apc.product.services.users.authentication.impl.ActiveDirectoryAuthenticationServerStrategy.lookupExternalUserInfo(ActiveDirectoryAuthenticationServerStrategy.java:45)
Apr 13 12:56:45 0400dcimdco-1 operations: at com.apc.product.services.users.impl.UsersServiceImpl.authenticateUser(UsersServiceImpl.java:1275)

I don't clearly understand whether DCO can't find the user in AD, or whether it can't find the user in the user list.

AD integration works; I can log in with a user added manually to the user list.

Could you advise something?

gsterling (Commander) replied:

There is definitely something wrong with the AD configuration on this DCO/ITA server, as one of the server.log entries you shared shows this message. So the actual connection from the DCO/ITA server to the AD server is not working, and thus you're not seeing users as a result.

Apr 13 12:56:45 0400dcimdco-1 operations: : java.security.GeneralSecurityException: Error connecting to AD server, credentials may be wrong.
Apr 13 12:56:45 0400dcimdco-1 operations: at com.apc.product.services.users.authentication.impl.ActiveDirectoryAuthenticationServerStrategy.lookupExternalUserInfo(ActiveDirectoryAuthenticationServerStrategy.java:45)

The above error usually means there's a problem in one of the fields below (from my demo server), usually a combination of the username, password, domain, port and encryption settings. If you are using the secured connection, also check that the "host" field has the properly named hostname as it appears in the AD server's SSL certificate. For example, if I change the below host field to the IP address of the AD server, my AD configuration will break.
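The two failure modes separated in this reply (DCO/ITA cannot reach the AD server versus AD answers but DCO/ITA does not know the account) can be told apart mechanically from server.log. The script below is an added example, not Schneider Electric's tooling: it matches the message texts quoted in this thread and runs over constructed sample lines with shortened prefixes.

```python
import re
from collections import Counter
# Regexes for the diagnostic messages quoted in this thread's server.log excerpts.
PATTERNS = [
    ("ad_connection_error", re.compile(r"GeneralSecurityException: Error connecting to AD server")),
    ("auth_server_config_error", re.compile(r"\[119002\] Authentication server configuration may be wrong")),
    ("user_not_found", re.compile(r"User with anonymized name (\S+) failed login: Username not found")),
    ("login_ok", re.compile(r"User with anonymized name \[(\w+)\] logged in")),
]

def classify(line):
    """Return (category, anonymized name or None) for one log line, or None if irrelevant."""
    for category, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return category, (m.group(1) if m.groups() else None)
    return None

def triage(lines):
    """Count each category and collect the anonymized names DCO/ITA could not find."""
    counts, missing = Counter(), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, name = hit
        counts[category] += 1
        if category == "user_not_found":
            missing.add(name)
    return counts, missing

def diagnose(counts):
    """Pick the layer to check next, following the reasoning in the reply above."""
    if counts["ad_connection_error"] or counts["auth_server_config_error"]:
        # Bind credentials, domain, port, encryption, or host name vs. certificate name.
        return "ad_connection"
    if counts["user_not_found"]:
        # AD reachable but account unknown to DCO/ITA; assumption: check User search base and bound groups.
        return "user_lookup"
    return "ok"

# Constructed sample modelled on the thread's log lines, with the prefixes shortened.
SAMPLE_LOG = """\
Apr 13 12:55:26 dco-1 operations: ... API server error: [119002] Authentication server configuration may be wrong. - null (Status Code: 500)
Apr 13 12:56:45 dco-1 operations: ... User with anonymized name fae3c78dbe10 failed login: Username not found
Apr 13 12:56:45 dco-1 operations: : java.security.GeneralSecurityException: Error connecting to AD server, credentials may be wrong.
Apr 14 14:48:22 dco-1 operations: ... User with anonymized name f3ce642538f6 failed login: Username not found
Apr 14 14:48:30 dco-1 operations: ... User with anonymized name [a3ab747d76de] logged in
""".splitlines()
```

Running `triage(SAMPLE_LOG)` reports two "Username not found" accounts alongside one AD connection error, and `diagnose` points at the AD connection first, since no user lookup can succeed until that is fixed.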

 

Valentin_Kozlov (Lieutenant) replied:

Greg, thank you very much!

 

I've checked the configuration and replaced the IP address in the "Host" field with the hostname from the AD server's certificate.

Now users from the AD group still can't log in, but there is a slightly different error in the logs:

Apr 14 14:48:22 0400dcimdco-1 operations: 2020-04-14 14:48:22,867 INFO [8eVd/7ckSOmxFim7a66lfQ] [2f183a4e6449] [com.apc.product.services.users.impl.UsersServiceImpl] (default task-104 8eVd/7ckSOmxFim7a66lfQ) User with anonymized name f3ce642538f6 failed login: Username not found
Apr 14 14:48:22 0400dcimdco-1 operations: 2020-04-14 14:48:22,887 WARN [8eVd/7ckSOmxFim7a66lfQ] [2f183a4e6449] [com.apc.webservice.api.server.exception.mapper.APIExceptionMapper] (default task-104 8eVd/7ckSOmxFim7a66lfQ) API client error: [114004] The token is not valid - Login failed (Status Code: 401)

There are no errors about the AD configuration, but DCO still can't find the username.

I suppose it can be related to the User search base field, which is filled with the "high-level" user OU in AD.

Is it necessary to point it to the exact container which contains the users?

Can you share an example of proper settings?

Our current settings are below:

image.png

Valentin_Kozlov (Lieutenant) replied:

Just to save this for the future 🙂

It works with the following settings:

Right_AD.png