Service Catalog Access to new Domain Users
Hi,
Working with a customer who has acquired a new domain. Two-way trust relationship between domains. Created a new connector to bring users into Service Manager. All good. Created another AD connector to bring in 'Domain Users' from new domain. All good.
Created new Group and added to user role with Service and Request Offerings that should be scoped to these users (they are based in Germany so should only see German based offerings). Added the <NewDomain>\Domain Users group to the user role. Restarted the CacheBuilder but these users cannot see any offerings.
Querying the ServiceManagement Db, the users appear, the new Domain Users group appears but the users are not associated with any Offerings.
Anyone seen this before?
Thanks
Steve
Best Answers
Matthew_Dowst (Customer IT Monkey)
Have you checked the CacheBuilder log file? I ran into this situation previously, and ended up creating a group in the same domain as the Service Manager install that contained all the users from every domain. It seems that the CacheBuilder had difficulty querying group membership from groups in different domains, but was fine when the users were added directly.
Joe_Burrows (Cireson Devops Super IT Monkey)
Hi Steve
The cachebuilder will have an error that it can't enumerate the membership of the NEW DOMAIN\Domain Users group. You will need to implement cross domain nesting to grant role permissions (which will mean you can't nest Domain Users in your domain local group where you will grant the permissions).
See the below thread for a similar discussion:
https://community.cireson.com/discussion/comment/799#Comment_799
Cheers
Joe
Answers
Hi Joe,
The customer created a Global group in the second domain and nested this to a Domain Local group in Domain 1. This was added to the role in SCSM. They skipped the UG. Users still cannot access request offerings. Is the UG needed? Also, we imported the DL group to the CMDB. Do we also need to add the nested groups?
Cheers
Steve
- Universal groups can be nested within Domain Local groups and within other Universal groups in any domain."
The nested groups must also exist in the CMDB as it grabs the DN from here to do the AD lookup to return the group membership.
If you are still having issues, try to get the cachebuilder.log file with logging set to ALL; that should give us some more clues as to what is wrong.
Cheers
Joe
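As an added illustration of the nesting point above (example code, not from this thread or from Cireson), the following PowerShell walks the group chain that the role is bound to, querying each group from a DC in the domain that owns it, the way CacheBuilder has to, and reports where enumeration stops. It assumes the ActiveDirectory module and uses a placeholder group DN.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder DN of the Domain Local group bound to the SCSM user role.
$RoleGroupDn = 'CN=SCSM-DE-Offerings,OU=Groups,DC=domain1,DC=local'

function Get-DomainFromDn {
    param([string]$Dn)
    # Rebuild the DNS domain name from the DC= components of a DN.
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
}

function Resolve-GroupMembers {
    param([string]$GroupDn, [int]$Depth = 0)
    $indent = '  ' * $Depth
    $domain = Get-DomainFromDn $GroupDn
    try {
        # Read the group from a DC in the domain that owns it, as CacheBuilder must.
        $grp = Get-ADGroup -Identity $GroupDn -Server $domain -Properties member
    } catch {
        Write-Warning "$indent$GroupDn cannot be read from $domain : $($_.Exception.Message)"
        return
    }
    Write-Output "$indent$($grp.Name) [$($grp.GroupScope)] @ $domain"
    if ($grp.SID.Value -like '*-513') {
        # Domain Users membership comes from each user's primaryGroupID, not from
        # the member attribute, so walking 'member' finds no one here.
        Write-Warning "$indent  Domain Users: members are not listed in 'member'"
    }
    foreach ($m in $grp.member) {
        $mDomain = Get-DomainFromDn $m
        try { $obj = Get-ADObject -Identity $m -Server $mDomain }
        catch { Write-Warning "$indent  $m cannot be read from $mDomain"; continue }
        switch ($obj.ObjectClass) {
            'group' { Resolve-GroupMembers -GroupDn $m -Depth ($Depth + 1) }
            'foreignSecurityPrincipal' {
                # Members from a trusted forest appear as FSPs; resolve the SID over the trust.
                $sid = [System.Security.Principal.SecurityIdentifier]$obj.Name
                try   { $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $acct = "<unresolvable SID $($obj.Name)>" }
                Write-Output "$indent  $acct [foreign principal]"
            }
            default { Write-Output "$indent  $($obj.Name) [$($obj.ObjectClass)] @ $mDomain" }
        }
    }
}

Resolve-GroupMembers -GroupDn $RoleGroupDn
```

Run it from the Service Manager server under the CacheBuilder service account so that the warnings reflect the same reads that fail in cachebuilder.log.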