6 Replies Latest reply on Mar 27, 2012 5:03 AM by JoeBidgood

    ePO login  - Can you use an AD group ?

    Superhoop

      Hi,


      Using ePO 4.5 Patch 4.

       

      We are deploying EEPC and have 50 on site engineers who will be responsible for adding the users to the machines within ePO. We need to allow the onsite engineers to be able to login to ePO to do this.

       

      I understand we can create a permission set so these users can ONLY see the EEPC element.

       

      These 50 Onsite Engineers are all in an AD group for their role. Rather than add all 50 users individually I was hoping I could add the AD group to ePO so anyone in that group can login to ePO using their own personal credentials.

       

      Is this even possible? Struggling to see how at the moment but seems like it should be feasible.

       

      Many thanks for looking.

       

      Superhoop

        • 1. Re: ePO login  - Can you use an AD group ?
          JoeBidgood

          Hi...

           

          Check out the "Configuring Active Directory User Login" section of the ePO 4.6 Product Guide - I think it's exactly what you're after.

           

          HTH -

           

          Joe

          • 2. Re: ePO login  - Can you use an AD group ?
            Superhoop

            Thanks JB, I added it to the permissions set but when I logged in I didn't put the domain in front of the user name. Think it is working as I expected now.

             

            Will check that guide out now.

             

            Cheers

            Dan

            • 3. Re: ePO login  - Can you use an AD group ?
              Superhoop

              OK, This is really confusing now.

               

              I added the AD group to the permission set and was able to login with Domain\Username. Great. I then tried another user in the group and they couldn't. I then removed the group from the permission set and deleted the successfully logged on person's user id in the users list, saved, went back in and added it and ran a Domain sync task, and no users in that group were able to login!

               

              I then created a test permission set with random settings and added the same AD group to that so they were in two different permission sets. I could then login again.

               

              I then removed the AD group from the original permission set to see if it was that causing the problem. Deleted the successful user login, saved etc. but again was not able to login!

               

              I thought perhaps it needs to be a member of two so I added the AD group back into the original but still wasn't able to login!!!

               

              Now I am very confused to how it worked once but not again.

               

              Please help (if the above makes any sense)!!


              Superhoop

              • 4. Re: ePO login  - Can you use an AD group ?
                JoeBidgood

                Check the orion.log on the ePO server - anything related to this function will be logged there. (Attach it here if you like and we can have a look.)

                 

                Thanks -

                 

                Joe

                • 5. Re: ePO login  - Can you use an AD group ?
                  Superhoop

                  Hi Joe,

                   

                  Orion log ....

                   

                  2012-03-26 13:50:04,401 WARN  [http-8443-Processor47] server.OrionLoginModule  - User did not have any permission sets or mapped groups: an\g0790573. Rejecting login.
                  2012-03-26 13:50:04,401 WARN  [http-8443-Processor47] realm.JAASRealm  - Cannot find message associated with key jaasRealm.loginException
                  javax.security.auth.login.LoginException: com.mcafee.orion.core.auth.AuthorizationException: User has no permission sets.
                  at com.mcafee.orion.core.server.OrionLoginModule.ensureUserHasAtLeastOnePermissionSet(OrionLoginModule.java:390)
                  at com.mcafee.orion.core.server.OrionLoginModule.autoCreateUserOrFail(OrionLoginModule.java:359)
                  at com.mcafee.orion.core.server.OrionLoginModule.authenticate(OrionLoginModule.java:222)
                  at com.mcafee.orion.core.server.OrionLoginModule.login(OrionLoginModule.java:122)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                  at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:401)
                  at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:326)
                  at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
                  at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:500)
                  at com.mcafee.orion.core.server.AjaxValve.invoke(AjaxValve.java:88)
                  at com.mcafee.orion.core.server.OrionUserSetupValve.invoke(OrionUserSetupValve.java:43)
                  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
                  at com.mcafee.orion.core.server.OrionSingleSignOn.invoke(OrionSingleSignOn.java:113)
                  at com.mcafee.orion.core.server.ParameterEncodingValve.invoke(ParameterEncodingValve.java:37)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
                  at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
                  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
                  at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
                  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
                  at java.lang.Thread.run(Thread.java:619)

                  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
                  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                  at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:401)
                  at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:326)
                  at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
                  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
                  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
                  at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:500)
                  at com.mcafee.orion.core.server.AjaxValve.invoke(AjaxValve.java:88)
                  at com.mcafee.orion.core.server.OrionUserSetupValve.invoke(OrionUserSetupValve.java:43)
                  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
                  at com.mcafee.orion.core.server.OrionSingleSignOn.invoke(OrionSingleSignOn.java:113)
                  at com.mcafee.orion.core.server.ParameterEncodingValve.invoke(ParameterEncodingValve.java:37)
                  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
                  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
                  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
                  at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
                  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
                  at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
                  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
                  at java.lang.Thread.run(Thread.java:619)

                   

                  The AD group is added to a permission set ......

                   

                  Thanks

                  Dan

                  • 6. Re: ePO login  - Can you use an AD group ?
                    JoeBidgood

                    Okay, this means that ePO can't find the credentials for the user in question - which in turn usually means that it can't find a DC for that user or his domain.

                    Make sure that you have an LDAP server registered for the domain in question, and you can experiment with the global catalog and chase referral settings which govern the way ePO does AD lookups.

                    If it still doesn't work I'd open a case with Support, as troubleshooting these scenarios can be complex.

                     

                    HTH -

                     

                    Joe
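
Added example (not part of the thread, and not McAfee code): Joe's advice is to read orion.log for anything the login module writes. The snippet below parses log lines in the layout quoted in reply 5 (timestamp, level, thread, logger, message) and pulls out the "User did not have any permission sets or mapped groups: <domain>\<user>. Rejecting login." rejections from server.OrionLoginModule, so the users being turned away can be listed rather than hunted by eye. The regexes are written from the lines quoted above; the sample log is constructed for the example (the INFO line in particular is invented filler, not a message format taken from ePO), and a line with no domain prefix is included to show the parser tolerating it.

```python
import re

# Line layout as quoted in the thread:
#   2012-03-26 13:50:04,401 WARN  [http-8443-Processor47] server.OrionLoginModule  - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\]\s+"
    r"(?P<logger>\S+)\s+-\s+"
    r"(?P<msg>.*)$"
)

# Rejection message quoted in the thread; the DOMAIN\ prefix is optional so a
# bare user name (as typed without the domain in reply 2) is still captured.
REJECT_RE = re.compile(
    r"User did not have any permission sets or mapped groups: "
    r"(?:(?P<domain>[^\\\s]+)\\)?(?P<user>\S+?)\.\s+Rejecting login\."
)


def parse_orion_line(line):
    """Split one orion.log line into its fields; None for stack-trace
    continuation lines and anything else that lacks the timestamp prefix."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_rejected_logins(lines):
    """Return one dict (ts, domain, user) per login rejected because the
    account resolved to no permission set or mapped group."""
    rejected = []
    for line in lines:
        rec = parse_orion_line(line)
        if rec is None or rec["logger"] != "server.OrionLoginModule":
            continue
        rm = REJECT_RE.search(rec["msg"])
        if rm:
            rejected.append({"ts": rec["ts"],
                             "domain": rm.group("domain"),
                             "user": rm.group("user")})
    return rejected


# Constructed sample log for the example; the first four lines mirror the
# shape of what was posted, with the user id replaced, the rest are filler.
SAMPLE_LOG = [
    r"2012-03-26 13:50:04,401 WARN  [http-8443-Processor47] server.OrionLoginModule  - User did not have any permission sets or mapped groups: an\jdoe. Rejecting login.",
    r"2012-03-26 13:50:04,401 WARN  [http-8443-Processor47] realm.JAASRealm  - Cannot find message associated with key jaasRealm.loginException",
    r"javax.security.auth.login.LoginException: com.mcafee.orion.core.auth.AuthorizationException: User has no permission sets.",
    r"        at com.mcafee.orion.core.server.OrionLoginModule.login(OrionLoginModule.java:122)",
    r"2012-03-26 13:52:10,017 INFO  [http-8443-Processor12] server.OrionLoginModule  - (constructed filler line, not an ePO message)",
    r"2012-03-26 13:55:31,880 WARN  [http-8443-Processor03] server.OrionLoginModule  - User did not have any permission sets or mapped groups: localadmin. Rejecting login.",
]

if __name__ == "__main__":
    for ev in find_rejected_logins(SAMPLE_LOG):
        who = f"{ev['domain']}\\{ev['user']}" if ev["domain"] else ev["user"]
        print(f"{ev['ts']}  rejected: {who}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of orion.log (for example `find_rejected_logins(open(path, encoding="utf-8", errors="replace"))`). A rejection for a user who is in the mapped AD group points at the lookup side (registered LDAP server, global catalog and chase-referral settings) rather than at the permission set itself, which is the direction Joe takes in reply 6.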