Portal not working

Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
Whenever I try to launch the Cireson portal I get prompted for a login and it tells me access denied. In the webconsole.log it says The user must be added to the SCSM DB and then synchronized to the cache via the cache builder service. I looked under Configuration items in Servicde manager and my user account is in there. I also noticed in the Cachebuilder.log that all my key groups are listed as not found. I'm not sure what is going on. Any ideas? I tried doing an AD sync with my AD connector but it says finished with errors. I don't see anything in the event logs under operations manager.


Best Answer

Answers

  • Justin_WorkmanJustin_Workman Cireson Support Ninja IT Monkey ✭✭✭✭
    If your key groups don't also have CIs, cachebuilder will fail(and thus will never successfully grant access to your user account).  If you're AD connector is not completing with success, you might doublecheck the account that you're using for the connector.  You could also simply create a new one that targets the OU where the key groups reside.
  • damon_mulligandamon_mulligan Cireson Consultant Advanced IT Monkey ✭✭✭
    1. Are the AD groups you chose during the Portal installed listed in the SCSM Console Users list?
    2. Do you have the Console and Portal mappings completed for your Support Groups?
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    If your key groups don't also have CIs, cachebuilder will fail(and thus will never successfully grant access to your user account).  If you're AD connector is not completing with success, you might doublecheck the account that you're using for the connector.  You could also simply create a new one that targets the OU where the key groups reside.
    All the Key groups are showing up under CI in Service Manager but the cachebuilder log states that they are not there still. I tried creating a new connector but I get the same status " Running with error"
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    1. Are the AD groups you chose during the Portal installed listed in the SCSM Console Users list?
    2. Do you have the Console and Portal mappings completed for your Support Groups?
    all the AD groups are listed but the cireson log states they are missing. The portal mappings are blank but I can't see any of the groups to assign
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    I have had cases where I have to run a SCSM Full AD sync to pick up the user and groups properly on SCSM.
    MS provided this to force a FULL AD sync on the connector.
    In SQL
    Use ServiceManager
    Select * from LFX.datasource
    Locate your AD connector row and take the number and replace the # with the datasource number
    exec [LFX].[ResetWatermarkForDataSource] #,'erroroutput'

    Run you AD Connector. Once complete restart your cachebuilder with the lastmodified clear. 
    HTH
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    edited May 8
    Also are you replicating your full AD structure with the AD connector or just specific OU's

    If Full DO NOT have the check box enabled for group expansion. 
    "Automatically add user of AD Groups imported by this connector"
    This is one of the biggest performance hitters.

    If your are only importing specific OU's then you will want to have group expansion on, this way it populates your SCSM users not imported by that specific OU group members.

  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    edited May 7
    I have had cases where I have to run a SCSM Full AD sync to pick up the user and groups properly on SCSM.
    MS provided this to force a FULL AD sync on the connector.
    In SQL
    Use ServiceManager
    Select * from LFX.datasource
    Locate your AD connector row and take the number and replace the # with the datasource number
    exec [LFX].[ResetWatermarkForDataSource] #,'erroroutput'

    Run you AD Connector. Once complete restart your cachebuilder with the lastmodified clear. 
    HTH
    I ran the query and tried to initiate a sync in Service Manager but it won't start a new sync it just sits there.
    My AD connector connects to a Root OU not the root of the domain and I have automatically add users of AD groups checked
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    If the connector is not kicking off check your Ops Manager event logs for errors.
    Also recommend a SCSM full Cache clear procedure. 
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Created a post on a script that can allow a full SCSM cache flush
    https://community.cireson.com/discussion/3905/full-scsm-and-cireson-cache-flush-powershell-script

  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    edited May 8
    If the connector is not kicking off check your Ops Manager event logs for errors.
    Also recommend a SCSM full Cache clear procedure. 

    I don't see any errors in the OPS Manager log and I ran the powershell script you posted ( Thank you for that) but I'm still getting the same errors.




  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Check all events on your Ops manager log
    Look for the connector kicking off and then look for another reporting it finished.


    Also make sure none of the AD groups are in the deleted items in SCSM administration.
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    I see the connector starting and ending immediately. I don't see any of my groups or users in the Deleted items.


  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Run the AD connector test in properties. Could be a locked out service account.(or incorrect password)
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    Run the AD connector test in properties. Could be a locked out service account.(or incorrect password)
    I tried that and the password is correct and the account is not locked out. I even created a new AD connector using my Admin account that has full access to everything and it still won't run. All my other connectors run fine just not the AD connector.
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Does the Test Connector return connection successful?
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    no it also fails
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Ok so you need to T/S your connection to AD. 
    Its either account related or network related. 
    If you feel the account is correct. Can you reach the DC thru the network?
    If you have ADUC installed on the management server see if it connects. 
    Perform a LDAP query from the management server ETC.
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    I have 4 DCs in the same site of my Service Manager environment. I can ping all 4 servers , I'm able to open ADUC from the Management server running cachebuilder and I'm able to run a LDAP query from the same server.
  • Brian_WiestBrian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    You want to run all the tests from you primary workflow server not the cachebuilder server. 
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    I'm sorry I'm still new with Service Manager and I'm learning as I go. Well I found the workflow server and I checked the OPS manager logs on it and I found errors.
  • Anthony_BrzozowskiAnthony_Brzozowski Customer IT Monkey ✭
    Its fixed!! Thank you so much for helping me and pointing me in the right direction.
  • Justin_WorkmanJustin_Workman Cireson Support Ninja IT Monkey ✭✭✭✭
    Nice work here @Brian_Wiest!!!
Sign In or Register to comment.