Hey all,
Wanted to share a quick experience. I've been setting up team-based web access into SolarWinds, by delegating access via AD security groups. We had a number of groups already in place, but I wanted to add more, and hit some hitches. Sharing here in case it benefits anyone else.
First, I have to remind myself and others that delegating access isn't just a matter of adding the user or group in the Manage Accounts section. The user or group also needs "Allow log on locally" permissions to the server (secpol.msc / gpedit.msc / rsop.msc / etc. > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally). To prevent us from needing to add a new group every time, I created a master "logon" group and made all of the new groups members.
Next, I created a couple of groups, and added them in SolarWinds. I also created a test user account and added it, so I could verify the access myself.
After doing all of this, my test account could not log in to the web console. I was presented with a bad username/password error. Further investigation determined that the security log on the Orion server recorded a successful credential validation, and no other errors were apparent. I figured something had to be happening within Orion itself.
I checked some threads here, and found the location of the diagnostic logs (C:\ProgramData\Solarwinds\Logs\Orion\OrionWeb.log). There, I found the following reoccurring event.
[51] ERROR SolarWinds.Orion.Web.DAL.AccountProfileDAL - Attempted to retreive properties for nonexistent user <domain>\<userId>.
Just before those events, the following was also appearing.
[51] WARN SolarWinds.Orion.Web.AuthorizationManager - Warning: Checking Group membership; Account Group '<domain>\<groupName>' contained NULL SID.
I double-checked the group in AD and determined it was fine, so I removed the group from SolarWinds and re-added it. Problem fixed.
I'm still not sure what caused this to occur, but wanted to share in case anyone else hits the same roadblock.
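
An added example, not part of the original post: a Python script that scans OrionWeb.log for the two messages quoted above and lists each group logged with a NULL SID together with the logins that then failed. Pairing the lines by the bracketed number (treated here as a thread ID) is an assumption, and the domain, group and user names in the sample are constructed.

```python
import re
import sys
from collections import defaultdict

# Patterns mirror the two OrionWeb.log messages quoted in the post
# ("retreive" is spelled that way in the logged message).
NULL_SID = re.compile(
    r"\[(?P<tid>\d+)\]\s+WARN\s+SolarWinds\.Orion\.Web\.AuthorizationManager - "
    r"Warning: Checking Group membership; Account Group '(?P<group>[^']+)' "
    r"contained NULL SID")
NO_USER = re.compile(
    r"\[(?P<tid>\d+)\]\s+ERROR\s+SolarWinds\.Orion\.Web\.DAL\.AccountProfileDAL - "
    r"Attempted to retreive properties for nonexistent user (?P<user>.+?)\.?\s*$")

# Constructed sample lines in the shape shown in the post; all names are made up.
SAMPLE = r"""
[51] WARN SolarWinds.Orion.Web.AuthorizationManager - Warning: Checking Group membership; Account Group 'EXAMPLE\Orion-NetOps' contained NULL SID.
[51] ERROR SolarWinds.Orion.Web.DAL.AccountProfileDAL - Attempted to retreive properties for nonexistent user EXAMPLE\test.user.
[37] WARN SolarWinds.Orion.Web.AuthorizationManager - Warning: Checking Group membership; Account Group 'EXAMPLE\Orion-Helpdesk' contained NULL SID.
[51] ERROR SolarWinds.Orion.Web.DAL.AccountProfileDAL - Attempted to retreive properties for nonexistent user EXAMPLE\other.user.
""".splitlines()


def correlate(lines):
    """Map each NULL-SID group to the users whose lookup then failed.

    Assumption: the bracketed number is a thread ID, so a failure is tied
    only to NULL-SID warnings logged earlier under the same number.
    """
    pending = {}                 # thread id -> groups warned about so far
    findings = defaultdict(set)  # group -> users that failed afterwards
    for line in lines:
        m = NULL_SID.search(line)
        if m:
            pending.setdefault(m["tid"], set()).add(m["group"])
            findings[m["group"]]  # list the group even if no failure follows
            continue
        m = NO_USER.search(line)
        if m:
            # A failure with no preceding warning is left unattributed.
            for group in pending.pop(m["tid"], ()):
                findings[group].add(m["user"])
    return {g: sorted(u) for g, u in findings.items()}


if __name__ == "__main__":
    # Pass the OrionWeb.log path as the first argument; without one, use SAMPLE.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE
    for group, users in correlate(src).items():
        print(f"{group}: NULL SID logged; failed logins: {', '.join(users) or 'none seen'}")
```

Groups it lists are the candidates for the remove and re-add step described in the post.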