User Authentication to the Cireson Portal
Customer has a number of users who have a standard AD user account and an Admin account. Both sets of accounts are in Service Manager. Both sets of accounts are members of Domain Users. Only the standard AD account can log into the portal.
In Service Manager, the admin account only has the username attribute populated in Configuration Items, even though more attributes such as FirstName etc. are populated in AD.
The user role has Domain Users added to it so should be able to log in like the standard user account.
Anyone encountered this before?
Thanks
Steve
Best Answers
Brett_Moffett Cireson PACE Super IT Monkey ✭✭✭✭✭
Partial information in the User CI can be from the "Automatically import users who are members of groups" option for importing groups in the AD connector.
If the AD connector or the connector account does not have rights to read all attributes then it will not populate all the data.
At least that's my understanding.....
Morten_Meisler Premier Partner Advanced IT Monkey ✭✭✭
As long as the service account has read permissions (is member of Domain Users) it should be able to read all common attributes. As Brett says, I think the admin users are coming from somewhere else, e.g. from groups or Exchange connector in some cases perhaps. The admin accounts might be in another OU or the LDAP query is set up to not include these. Some people run with an LDAP query that checks if the object has an email address to verify it's a human being, but if the admin account does not have this they will be excluded.
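Added example, not part of the original thread and not Cireson or Microsoft code: Python that takes constructed directory entries and a connector scope (a base OU and an LDAP filter, both assumed values) and reports whether each account would be skipped because of its OU or because of a mail-presence filter, the two causes suggested in the answer above. It evaluates only the AND/OR/NOT, presence and equality parts of LDAP filter syntax.

```python
# Constructed sample entries (not real data): DN plus attributes as they might exist in AD.
ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=test", "objectClass": "user",
     "sAMAccountName": "jdoe", "givenName": "Jane", "mail": "jdoe@example.test"},
    {"dn": "CN=Jane Doe (Admin),OU=Admins,DC=example,DC=test", "objectClass": "user",
     "sAMAccountName": "adm-jdoe", "givenName": "Jane"},
    {"dn": "CN=Sam Roe (Admin),OU=Staff,DC=example,DC=test", "objectClass": "user",
     "sAMAccountName": "adm-sroe", "givenName": "Sam"},
]

def parse(f, i=0):
    """Parse one parenthesised LDAP filter starting at f[i]; return (node, next_index)."""
    assert f[i] == "("
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (presence and equality only)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    have = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if have is None:
        return False                      # attribute absent: presence and equality both fail
    return value == "*" or str(have).lower() == value.lower()

def triage(entries, base_dn, ldap_filter):
    """Return {sAMAccountName: reason} for an assumed connector scope (base OU + filter)."""
    tree, _ = parse(ldap_filter)
    out = {}
    for e in entries:
        if not e["dn"].lower().endswith("," + base_dn.lower()):
            out[e["sAMAccountName"]] = "outside connector OU"
        elif not matches(tree, e):
            out[e["sAMAccountName"]] = "excluded by LDAP filter"
        else:
            out[e["sAMAccountName"]] = "imported"
    return out
```

Calling `triage(ENTRIES, "OU=Staff,DC=example,DC=test", "(&(objectClass=user)(mail=*))")` separates the admin account that sits in another OU from the one that is in scope but has no mail attribute.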
Answers
I have a feeling the account chosen for the Microsoft.SystemCenter.ADWriterAccount which is used for syncing AD Connectors is not a member of Domain Admin, therefore it is unable to retrieve all information from AD to write into SCSM.
Edit: The other possibility is the AD Connector(s) being used are only targeting certain OUs or have some odd filter on them, however as you are getting partial information back I can't help but think it's a permission issue.