Windows 2012 R2 Protected Users Group Compatibility

DCIM_Support · ‎2020-07-03

Hi,

We are running DCE 7.3.1, and are trying to use the new 'Protected Users' group in Windows 2012.

This group basically forces Kerberos, and will not allow failback to NTLM if kerberos fails.

When trying to log on to DCE using an account in this group, we receive the error "The credentials you have entered are invalid for this StruxureWare Data Center Expert server"

If we remove the account from the group, we are able to log on successfully

We plan to upgrade to 7.4.1 soon, but I cannot see anything in the release notes that addresses this issue, is anybody else using this group with DCE successfully?

Thanks

Dean

DCIM_Support · ‎2020-07-03

Hi Dean,

Are you referring to Active Directory integration for the DCE login or is this something else? If so, was this already configured in DCE and then changed in the server's background afterwards? If so, can you try recreating that AD entry?

You also noted:

If we remove the account from the group

Are you adding the group to DCE? What rights have you provided it in DCE?

When you say you removed the account from the group, did you actually remove a user from a group in AD or did you just add the user individually to DCE but leave him in his AD group?

Just an FYI, I don't think this is a tested configuration. I'm not saying with certainty that it will not work, I just don't know that it has been tested. I'm unsure I have a system to check with but I will look.

Steve

DCIM_Support · ‎2020-07-03

Hi Steve,

Yes I am referring to AD integration for the login. AD integration has been configured from the start of our installation. I added my AD user account into the 'Protected Users' group and my login for DCE stopped working. When I remove my AD user account from the 'Protected Users' group it starts working again.

I have created a new AD user account and added it into'Protected Users' and then configured it in DCE (with the same permissions as my regular account), but the issue persists. When I remove the new AD user from the 'Protected Users' group, the DCE login works correctly

When adding / removing from the AD group, I am making no changes to DCE. Hope that makes sense!

Thanks

Dean

DCIM_Support · ‎2020-07-03

Hi Dean,

I'm checking with engineers. I have 2012 but not R2 so I do not have the protected user and I'm unable to test. I'm assuming the issue is due to the restrictions on the authentication types as noted in this doc:

https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx

but I'm attempting to get specifics if I can. The final answer is likely that it simply doesn't work with our integration but if I can, I'd like to be able to tell you why.

Steve

DCIM_Support · ‎2020-07-03

Thanks Steve, much appreciated

DCIM_Support · ‎2020-07-03

Hi Dean,

I was finally able to gain access to a 2012 R2 system and I was also able to replicate your issue. I guess for the time being the only thing I can say is don't use that feature. I'm entering an enhancement request and potentially they can update that functionality but I can not promise that. They may also say it works as designed. Either way, it will potentially be some time until there is even an answer. If they do decide to update the system, it could be quite some time down the road.

Steve

DCIM_Support · ‎2020-07-03

Hi Steve,

Thanks for confirming. I will pass on to my superiors. How are we best to keep up with updates on the subject? Will it be mentioned in the release notes?

Dean

DCIM_Support · ‎2020-07-03

Hi Dean,

It should be mentioned in the release notes. I'm also going to see that this gets added into k-base FA158395 which is for active directory configuration. Hopefully we can get that updated if it gets resolved as well.

Steve

DCIM_Support · ‎2020-07-03

Ran into this today as the AD account was moved into "Protected Users" Removing it resolved the issue. I see from the original thread this is 9 months old - has there been any update to DCE that operates properly for "Protected Users" ?

DCIM_Support · ‎2020-07-03

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.