
How do I configure permissions for a Single Forest/Multi Domain instance of SSP

Bryan_TaylorBryan_Taylor Customer Adept IT Monkey ✭✭
edited November 2017 in Analyst Portal

We've recently setup our production environment for Service Manager and the self-service portal. Our Active Directory environment is setup as follows:

  1. Root Forest Domain (RootDomain)
  2. Domain A (DomainA)
  3. Domain B (DomainB)
  4. Domain C (DomainC)


Our SCSM servers, service accounts, and groups exist primarily within DomainA. When we configured our test instance of SCSM and SSP, we were only making it available to members of DomainA, however now that we've built the production system we need to provide access to users from DomainB and DomainC.


From within the SCSM Console I've set up a User Role named "Self-Service Portal End Users"; this role currently does not limit access to any queues, groups, config items, or forms (we've selected the "All work items can be accessed" radio button in each of these areas). The users for this group consist of the following:

  • DomainA\Domain Users
  • DomainA\SSP_EndUsers (this is a domain local group, more on that below)


After reviewing this post, we created additional groups in Domain B and Domain C. Both of these domains have the following groups:

  • SSP_EndUsers (Universal security group)
  • SSP_DomainUsers (Global security group)

SSP_DomainUsers includes all user objects for the domain, and SSP_EndUsers contains SSP_DomainUsers as its only member.


We've added the SSP_EndUsers group from both Domain B and Domain C to the SSP_EndUsers group in Domain A (which is where all of the SCSM components live), and restarted the CacheBuilder service; we see no errors in the CacheBuilder logs, but the users in Domain B and Domain C do not see the single request offering/service offering we've published.


At this point, I'm running out of ideas for things to check and options to enable. What is the best way of providing access for users in the other domains to view/submit requests?


EDIT: Just to be clear... members of Domain A are able to see and submit requests without issues; it's Domain B and Domain C that are causing trouble.

Best Answers

  • Bryan_TaylorBryan_Taylor Customer Adept IT Monkey ✭✭
    edited December 2017 Answer ✓

    Just wanted to make good on my promise and ensure I posted the final resolution here...

    Our fix was threefold

    1. Fix corrupted Cireson Licensing App DLL files (logs indicated a license problem and the Cireson Licensing App settings in the console would crash the whole console)
    2. Truncate the CI$User table (this ensured that cache builder had a clean environment to populate)
    3. Ensure that user scoping was enabled within the portal



    Once we did these three things and cycled the server, the other domain users were able to log in. There is an issue where if you've opened up the browser on the server as a user from a different domain, nothing will display, however that is a use case that should never happen anyways. If you run into a similar issue and you're trying to test on the server itself, be aware of the fact that this won't work.


    Thanks again to Matt, Joe, and Cireson support for the quick turnaround and resolution with this one!

Answers

  • Joe_BurrowsJoe_Burrows Cireson Devops Super IT Monkey ✭✭✭✭✭
    Hi Bryan

    Sounds like this is configured correctly. Which direction is the AD trust? Both ways?

    First thing to check is if the cachebuilder does pull the Domain B & C users. Set logging level to ALL - then restart cache-builder and check the logs for where it attempts to enumerate the membership for DomainA\SSP_EndUsers, you should see it pull sub group member groups and users from Domain B & C.

    Also, as a test, if you disable scope access from the admin settings (settingitems) and restart the website, do the offerings show for Domain B & C users?
  • Bryan_TaylorBryan_Taylor Customer Adept IT Monkey ✭✭
    Hi Joe:

    We actually only have the inherited transitive trust from our forest domain; we don't have an explicit trust between the domains. Is the explicit two-way trust a requirement?

    When I updated the CacheBuilder logging and restarted the service, I am left with a 0 KB log file. I see the users in the ServiceManagement database, however I don't see anything specific around CacheBuilder.

    I've also disabled scope access from the admin settings and restarted the site (and the server). The offerings still do not show for the users. They actually see nothing. There are no options on the left-hand navigation pane, the search bar has neither Service Offerings nor Knowledge Base as options, and clicking on their user names brings up no options (not even user settings).
  • Joe_BurrowsJoe_Burrows Cireson Devops Super IT Monkey ✭✭✭✭✭
    edited November 2017
    Hi Bryan

    You should be seeing more in the logs. I suspect it's not set to ALL correctly; double check you set it as per the below KB:
    https://support.cireson.com/KnowledgeBase/View/34

    Can you confirm the groups from Domain B & C are also in the CMDB and Servicemanagement DB?

    As long as the cachebuilder has permissions and can enumerate the group membership from each domain then I believe it should work. This can be checked with the below PowerShell:

    $groupName = 'Cireson_All_Analysts' # Change to whichever AD group you want to check (e.g. SSP_EndUsers).
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Bind to the current domain; FindByIdentity needs a PrincipalContext, not just the ContextType.
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct)
    $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $groupName)
    $groupMembers = $group.GetMembers()          # Direct (one-level) members of this group
    $recGroupMembers = $group.GetMembers($true)  # All members, recursing through nested groups
    ($groupMembers | Measure-Object).Count       # Direct member count
    ($recGroupMembers | Measure-Object).Count    # Recursive member count; should include the Domain B & C users


    If still an issue after confirming the above it may be better to raise in a support ticket.

    Thanks!
    Joe

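A follow-on check, added here as an example rather than code from the thread: the count above says how many members resolve, but not which domains they came from. This version enumerates the group recursively and tallies the user objects per source domain, so a domain whose users never appear shows up directly. It assumes it is run as the account the CacheBuilder service uses (the account whose permissions matter) and that the group and domain names below are replaced with real ones.

```powershell
# Added example (not from the thread): recursively enumerate an AD group and
# count the resulting user objects per source domain. Run as the CacheBuilder
# service account. Group and domain names are assumptions; replace them.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-GroupUsersByDomain {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string]$GroupDomain = $null   # domain that holds the group; default = current domain
    )
    $ctxArgs = @([System.DirectoryServices.AccountManagement.ContextType]::Domain)
    if ($GroupDomain) { $ctxArgs += $GroupDomain }
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxArgs
    $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
    if ($null -eq $group) { throw "Group '$GroupName' was not found via $($ctx.ConnectedServer)" }

    # GetMembers($true) walks nested groups, following trusts as needed. If the
    # trust or this account's permissions block a remote domain, that domain's
    # users are missing from the result (or the call throws), which is the same
    # failure the CacheBuilder would hit when it builds its cache.
    $users = $group.GetMembers($true) |
        Where-Object { $_ -is [System.DirectoryServices.AccountManagement.UserPrincipal] }

    # Derive the source domain from each user's DN (the DC= components).
    $users |
        Group-Object -Property { ($_.DistinguishedName -split ',DC=', 2)[1] -replace ',DC=', '.' } |
        Select-Object @{ Name = 'Domain'; Expression = { $_.Name } }, Count |
        Sort-Object Domain
}

# Example call: compare what actually resolves against the domains you expect.
$expected = 'domaina.example.com', 'domainb.example.com', 'domainc.example.com'  # assumed names
$result = Get-GroupUsersByDomain -GroupName 'SSP_EndUsers'
$result | Format-Table -AutoSize
$missing = $expected | Where-Object { $_ -notin $result.Domain }
if ($missing) { Write-Warning "No users resolved from: $($missing -join ', ')" }
```

If a domain is reported as missing here, the CacheBuilder running under the same account will not populate those users either, regardless of how the User Role is scoped.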

  • Matt_MedleyMatt_Medley Member Advanced IT Monkey ✭✭✭
    Hey Bryan, while digging further into this issue, I discovered this article. It may help in this situation. 

    https://blogs.technet.microsoft.com/servicemanager/2010/03/10/ad-connector-cross-forest-tricks/
  • Bryan_TaylorBryan_Taylor Customer Adept IT Monkey ✭✭
    Thanks for the insight Matt and Joe.

    I've got a ticket open now and we're going to be working on this a little more closely. I was able to validate everything that Joe posted and am still experiencing the issues. Once we reach a conclusion, I'll be sure to update this post to include it in the event that other people encounter similar issues.

    Thanks again!
  • Matt_MedleyMatt_Medley Member Advanced IT Monkey ✭✭✭
    Thank you for the follow up Bryan, I'll find your ticket in our queue and keep an eye on it as well as I'd like to know the resolution to the issue.
