Group of remote users unable to log into Service Portal

Ryan_Lane

We have a group of remote users who are unable to log into Service Portal.

They can navigate to the portal and are prompted for username and password but on entering the prompt repeatedly appears until a 401 error page is displayed.  This is reproducible for all of that particular group of remote users.  Known-working accounts that work locally have the same behavior when they attempt to use those credentials remotely.

IIS W3SVC2 log shows repeated messages like the following:

2018-01-19 17:54:38 192.168.40.56 GET / - 80 - 10.100.200.3 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 - 401 1 2148074248 406
Has anyone encountered this before?

Brian_Wiest

When they run into the issue remotely are you checking if their AD accounts are locked?
Sounds like whatever path/software you have them going thru from remote is changing their SSO profile.

Justin_Workman

@Ryan_Lane - I would make sure there's a Configuration Item for that group and its members in the SCSM console.  I would also make sure the group and/or its members are members of a Security Role(at least End User) in the SCSM Console.

Ryan_Lane

Thanks for the response.  I have confirmed that the individual users Configuration Items show up in the Console, Portal and in the CI$User db table.  Running the spCheck_UserRequestOfferingPermissions also comes up with positive results:

Request Offering: 6FE46D20-150A-2CD9-127D-F6025199F46D

 - Title: IT Server Request

 - Is Found in the Following Service Offerings: 

   - ID: 2A805BF8-8DC1-AAED-9CEB-EC8767B9E641 Title: IT

 

Found 1 user(s) matching user name: asghardurrani

User: Asghar Durrani

 - Id: E8637E8C-CF57-4024-74E0-7F423ADD7280

 - Domain\UserName: SANMAR\asghardurrani

 - DistinguishedName: CN=Asghar Durrani,OU=Jabs,OU=Information Technology,OU=Departmental Accounts,OU=SanMar,DC=corp,DC=sanmar,DC=com

 - Has Permission to Access Request Offering with ID: 6FE46D20-150A-2CD9-127D-F6025199F46D

   - Has Permission to Access Parent Service Offering with ID: 6FE46D20-150A-2CD9-127D-F6025199F46D and Title: IT

 

 I have also confirmed that the users are in Domain Users in AD and that the specific Security Group they belong to is in a User Role.

Brian_Wiest

When they run into the issue remotely are you checking if their AD accounts are locked?
Sounds like whatever path/software you have them going thru from remote is changing their SSO profile.

Ryan_Lane

Brian_Wiest said:

When they run into the issue remotely are you checking if their AD accounts are locked?
Sounds like whatever path/software you have them going thru from remote is changing their SSO profile.

Thanks for the suggestion @Brian_Wiest,
I've checked all DCs during a few attempts and ADAudit for any logon failures and I'm not seeing anything.  I think you're right on the site-to-site playing a part here.  I had one of the users remote onto a local box and attempt to login and that went through.  So, I've got a known-working account that doesn't work when used on their site-to-site and one of their non-working accounts that works when local..