Permission problems with the Remote Manage pane
When we are attempting to open the pane, nothing happens. In the developer console we get the following error:
GET http://v41eusmgmt08/platform/api/Cireson_ConfigurationManager_Portal_Core_Models_ConfigurationManager_CmResource?$filter=ResourceId eq 16781780&$select=Id 403 (Forbidden)
If we browse to this api URL, we get the following result:
{ "error":{ "code":"","message":"Authorization has been denied for this request." } }
The following error is also logged in the platform log:
Main Exception 2018-04-13T07:36:00.8746826-04:00: HResult: -2147467261, Source: Cireson.ConfigurationManager.Portal.Core, Message: Object reference not set to an instance of an object., InnerException: , StackTrace at Cireson.ConfigurationManager.Portal.Core.PortalAuthentication.PortalAuthenticationHandler.<GetUserFromCookie>d__4.MoveNext() in \a\1\s\CMP.Core\CMP.Core\PortalAuthentication\PortalAuthenticationHandler.cs:line 96, TargetSite: Void MoveNext()
Using the service account, it works from the portal server and from any remote computer and all the Remote Manage actions work (except for Log Folder and Open C$ Share).
Best Answer
F_Christiansen (Cireson Dev)
Hi Marc-Andre,
Sorry for having this question sitting here for so long.
If you have not yet reached out to us directly, if you are still evaluating, we can extend your trial period.
To help you the best, I would recommend you to upgrade to the latest version, currently 3.1.1, that also includes User Manage.
That being said, do you have any Security Groups defined in Control Center?
Go to Settings -> Security Settings -> Security Groups.
And if so, if you have multiple Roles (AD Users and Groups) defined for a Security Group, are they separated by a semicolon? If so, we recently found that only commas are supported as delimiters. That is being fixed currently.
Also, with your service account user, log in to Control Center, add a new tab and enter this:
http://<yourcontrolcenter>/platform/api/ProviderRoleToApplicationRoleMap
Let me know the result of that query. You can send it in a private message if you don't want to share with the world :-)
Also, only the service account needs to have Full Administrator permissions in ConfigMgr, but you need to give other users permissions to use Control Center by defining Security Groups and assigning Security Rights to that group.
If you want to reflect ConfigMgr security (RBAC) you can enable that.
Best regards
Flemming Appelon Christiansen