I'm trying to set up ePO 4.5 P3 so that we can provision users and permission sets by AD group membership. I have the following pieces in place:
A functioning AD LDAP registered server
A group in AD with members
A permissions set in ePO associated to the AD group.
Server setting "Active Directory User Login" set to true (according to KB67576 this should automatically create ePO user records for Active Directory users upon login)
I've asked a member of the AD group associated to the permissions set to try logging in to ePO. They receive this message: "You do not have permissions to access ePolicy Orchestrator". Referring to KB67576 again, this apparently means the person has successfully authenticated to the ePO console but had no permissions set assigned. However, when I look, no user record was created for this user, which should have happened based on the "Active Directory User Login" setting. So I feel like I'm stuck in a chicken/egg situation. How do I assign a permissions set (other than AD group association, which is already done) to a user record that doesn't exist? If it won't let them log in without a permissions set, how do you get the account created? Manually creating an account would be ridiculous and would make the "Active Directory User Login" setting completely useless.
Does anyone know what I'm missing here? My next step is to open an SR. But since the support portal is down I thought I'd ask the community first.
ePO creates the user account automatically when you allow login via AD; as you said, it wouldn't make sense to have to do this manually.
We had a similar problem and in our case it turned out that the account we used to query the AD with did not have sufficient rights to all required AD objects. To narrow down the problem we temporarily borrowed a domain admin account and then it started working as expected. Also, some AD groups don't seem to play nicely with ePO, for instance I had no luck with a permission set that mapped to Domain Users whereas a smaller group with just a handful of members worked fine.
Another issue seems to be if you have multiple LDAP servers/domains configured then ePO 4.5 sometimes sends the login to a DC in the wrong domain. Try removing any LDAP servers not being used.
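A way to test the "insufficient rights on the lookup account" diagnosis above without borrowing a domain admin account: bind to AD with the same credentials the ePO registered LDAP server uses, find the group mapped to the permission set, and check that this account can read each member's memberOf. This is an added example, not code from the thread or from McAfee; the server name, base DN and group name are placeholders.

```powershell
# Added diagnostic (not from the thread or from McAfee). Binds with the ePO lookup
# account only, never with the admin running the script, so what it can and cannot
# read is what ePO can and cannot read.
Add-Type -AssemblyName System.DirectoryServices

$server    = 'dc01.example.local'                  # placeholder: registered LDAP server
$baseDn    = 'DC=example,DC=local'                 # placeholder: search base
$groupName = 'ePO-Admins'                          # placeholder: group behind the permission set
$cred      = Get-Credential -Message 'Account configured on the ePO registered LDAP server'
$user      = $cred.UserName
$pass      = $cred.GetNetworkCredential().Password

function Open-Entry([string]$dn) {
    # One DirectoryEntry per object, always with the lookup account's credentials
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$dn", $user, $pass,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

$root = Open-Entry $baseDn
try { $null = $root.NativeObject } catch { throw "Bind as $user failed: $($_.Exception.Message)" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=$groupName))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('member')
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$groupName' not found or not readable as $user" }

$groupDn = [string]$group.Properties['distinguishedName'][0]
$members = @($group.Properties['member'])
# Membership held only through primaryGroupID (Domain Users for most accounts) is not
# stored in member/memberOf, so a group like Domain Users cannot be resolved this way.
Write-Host "Group $groupDn lists $($members.Count) direct members (nested groups not expanded)"

$unreadable = @()
foreach ($dn in $members) {
    try {
        $entry  = Open-Entry $dn
        $sam    = [string]$entry.Properties['sAMAccountName'].Value
        $groups = @($entry.Properties['memberOf'] | ForEach-Object { [string]$_ })
        if ($groups -notcontains $groupDn) { $unreadable += "$dn (memberOf not readable or incomplete)" }
        else { Write-Host "OK  $sam" }
    } catch { $unreadable += "$dn ($($_.Exception.Message))" }
}
if ($unreadable.Count) {
    Write-Warning "Lookup account $user cannot fully read these members; grant it read access on them:"
    $unreadable | ForEach-Object { Write-Warning "  $_" }
}
```

If the bind itself fails or the group is not found, the lookup account needs read rights on the group object before member-level rights matter.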
Unfortunately, that doesn't seem to be the case here. I tried a Domain Admin account and it still didn't work. I currently have both 4.5 P3 and 4.6 beta pointing to the same LDAP source and authenticating with the same account. 4.6 beta works, and 4.5 P3 does not. Our environment is a single domain.
Message was edited by: woodsjw on 9/1/10 12:26:38 PM GMT-08:00
MS Netmon 3 has quite good filters for Kerberos and LDAP so if you set ePO to not authenticate over SSL (this will capture everything, including the LDAP lookup account password so be careful) and try again it might be possible to see what is going wrong. This is how we did the troubleshooting for the insufficient rights problem of the LDAP account.