Active Directory Security, listing users and roles

We are trying to use our existing Active Directory to utilize AD users. The system is not returning the list of users in AD.

We have configured an Authorization Profile as type pure ‘Active Directory’. When we use the ‘manage users’ link for that Authorization Profile the list is blank for both users and roles. When we use ‘Verify an Authorization Profile’ the system says “Login succeeded for user …” and it then displays various AD information about the test user.

Some items of note…

  • Our current default test profile is AD_Profile_3. It has had no changes to the Advanced settings. They are all default.
  • Our AD is part of our corporate environment and has hundreds of users.
  • We have an AD test tool that lets us see our AD structure. We use the same credentials in the test tool that we use in the Ignition Authorization Profile.

The Log viewer indicates …

[profileName=AD_Profile_3] Error fetching users.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

Another log msg indicates …

ActiveDirectory

[profileName=AD_Profile_3] Unable to read group attribute “cn” from group “CN=US-#USA Civil Midwest - PCI Skanska,OU=DLs,OU=Groups & Distribution Lists,OU=Groups,OU=USA,DC=skanska,DC=org”, using distinguished name instead.

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
‘OU=DLs,OU=Groups & Distribution Lists,OU=Groups,OU=USA,DC=skanska,DC=org’
]; remaining name ‘CN=US-\#USA Civil Midwest - PCI Skanska,OU=DLs,OU=Groups & Distribution Lists,OU=Groups,OU=USA,DC=skanska,DC=org’

End of LOG msgs forum msg

[quote][profileName=AD_Profile_3] Error fetching users.
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1][/quote]

This is invalid credentials. Specifically, the username is okay, but the password is invalid.
Error code 49, data code 52e
http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0

Likely, it’s what’s causing all of your other symptoms. :slight_smile:
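As an added triage helper (my example, not code from the thread or from Ignition), the function below parses log entries in the format quoted above, maps the AD sub-code that accompanies LDAP result 49 (the 52e Jordan points at) to its meaning, and pulls the best-match DN out of the error 32 group lookup. The sub-code table is the standard Microsoft list for result 49; the Ignition log layout is assumed to be exactly as quoted in the thread.

```python
import re

# Microsoft AD sub-codes that accompany LDAP result 49 (invalidCredentials).
# 52e is the one in this thread: the bind username resolved, the password was rejected.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: username accepted, password rejected",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_PROFILE_RE = re.compile(r"\[profileName=([^\]]+)\]")
_RESULT_RE = re.compile(r"LDAP: error code (\d+)")
_DATA_RE = re.compile(r"\bdata ([0-9a-f]+)\b")
# A NO_OBJECT (32) message quotes the deepest DN the server could still find.
_BEST_MATCH_RE = re.compile(r"best match of:\s*['\u2018]([^'\u2019]+)['\u2019]")


def diagnose(log_text):
    """Turn one Ignition AD-profile log entry into a dict with a triage verdict."""
    result = _RESULT_RE.search(log_text)
    if result is None:
        return None
    code = int(result.group(1))
    profile = _PROFILE_RE.search(log_text)
    data = _DATA_RE.search(log_text)
    sub = data.group(1) if data else None
    best = _BEST_MATCH_RE.search(log_text)
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(sub, "invalid credentials: unrecognised AD sub-code")
    elif code == 32:
        meaning = "no such object: the DN does not exist below the best-match container"
    else:
        meaning = "LDAP result %d not mapped here" % code
    return {"profile": profile.group(1) if profile else None, "result_code": code,
            "sub_code": sub, "meaning": meaning, "best_match": best.group(1) if best else None}


# Sample inputs: the two log entries quoted earlier in this thread.
BIND_FAILURE_LOG = ("[profileName=AD_Profile_3] Error fetching users.\n"
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]")
GROUP_LOOKUP_LOG = ("javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "\u2018OU=DLs,OU=Groups & Distribution Lists,OU=Groups,OU=USA,DC=skanska,DC=org\u2019\n]")
```

Running `diagnose` over a gateway log tail separates "password wrong" (52e) from lockouts, expiries and disabled accounts, which otherwise all surface as the same error 49.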

Jordan, thanks for your response. It seems that way to me too. I rechecked my username and password, but no joy.

When I simply test or rather “Verify an Authorization Profile” the username and password seem to be accepted. But when I try to “Manage users” the process does not seem to accept the same username and password.

I edited the profile three times and reset the password using the same username and password.

I did see in a forum post that at one time someone was having an issue with usernames that have a period in them. Our usernames are all based on first and last name with a period in the middle.

[url]https://inductiveautomation.com/forum/viewtopic.php?f=70&t=7383&p=22408&hilit=active+directory+user+users#p22408[/url]

I wonder if this could be related?

Can you make a user with a plain username? All it really does is poll AD for users and groups.

Hi Jordan, I do not have rights to create a plain username (meaning no period included). I will be looking into that on Monday with our IT resource.

Thanks,
Ben

Today our client provided their information for the AD info and account. We were able to successfully connect and see the users using the Ignition Gateway. Since that was our end goal, we will leave it at that for now.

Thanks for everyone’s support in diagnosing the original issue where the account was not able to query LDAP.

Regards,
Ben