Does NPM 9.1 have the ability to log users in with Active Directory? Instead of creating individual or group accounts I was wondering if there was a way to use our AD environment to authenticate users?
We have NPM 9.5 and have NPM logins synched up with our AD; all works well except I am now having a problem with this one particular user. Whenever he tries to get the details of a node (any node: router, Solaris node, Windows node, etc.), he will be prompted with the AD login screen, any ideas???
No idea. If it were me, I'd open a support ticket. They can help you troubleshoot.
Quick Answer: NO.
But Orion does offer something called Windows pass-through authentication (WPTA).
It's fairly easy to set up, but the admin guide is not written properly. It includes steps that don't need to be taken, and omits steps that need to be taken.
You will still be setting up individual accounts, but users would no longer need to "login".
To set up WPTA, you need to open the IIS manager on the Orion server. (Inside Computer Management). Double click on websites, and highlight SolarWinds NetPerfMon, right click, properties.
Select the "directory security" tab along the top. Click on Edit inside the authentication portion. This will open a new window. Uncheck "enable anonymous access" and check "Integrated Windows Authentication".
OK, close.
Now you go into the admin portion of the Orion website and go into the account manager. Create new accounts for users following the "Domain\user" syntax. You will need a dummy password for the time being so go ahead and enter one. Set up the account with the same sort of view limitation, etc.
Test this with your own domain\user account. To see if WPTA is working, log out of Orion, and then take the "login" portion out of the browser address. It should now read something like "YOURORIONSERVER/Orion.aspx".
Click refresh. You should now be logged in as Domain\user. Rinse and repeat.
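The IIS part of the steps above, scripted as an added example that is not part of the original post or of SolarWinds' documentation. It assumes IIS 7 or later with the WebAdministration module and the Windows Authentication role service installed (the post itself describes the older IIS Manager dialogs), and it uses the site name given in the post.

```powershell
# Added example, not from the original thread. Run elevated on the Orion server.
# Assumes IIS 7+ with the WebAdministration module and the Windows
# Authentication role service installed.
Import-Module WebAdministration

$site = 'SolarWinds NetPerfMon'   # site name as given in the post; adjust if yours differs
$base = 'system.webServer/security/authentication'

# Report whether anonymous and Windows authentication are enabled for a site.
function Get-SiteAuthState {
    param([string]$SiteName)
    foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
        $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
            -Filter "$base/$scheme" -Name 'enabled').Value
        [pscustomobject]@{ Site = $SiteName; Scheme = $scheme; Enabled = $enabled }
    }
}

if (-not (Test-Path "IIS:\Sites\$site")) { throw "IIS site '$site' not found" }

'Before:'
Get-SiteAuthState -SiteName $site | Format-Table -AutoSize

# Same change as the two checkboxes in the post:
# anonymous access off, Integrated Windows Authentication on.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$base/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$base/windowsAuthentication" -Name 'enabled' -Value $true

'After:'
$after = Get-SiteAuthState -SiteName $site
$after | Format-Table -AutoSize

# Confirm the change actually landed before testing in the browser.
$anon = $after | Where-Object { $_.Scheme -eq 'anonymousAuthentication' }
$win  = $after | Where-Object { $_.Scheme -eq 'windowsAuthentication' }
if ($anon.Enabled -or -not $win.Enabled) {
    Write-Warning "Authentication settings for '$site' did not change as expected."
}
```

The Orion accounts in the "Domain\user" form still have to be created in the Orion account manager as the post describes; this only covers the IIS authentication settings.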
I too find this a little funny that NPM is not using AD. More so with respect that NCM does but really doesn't make sense for it.
One of the settings that is in NCM Admin is only allow users to see devices that they have access to. Well that information is not in AD and the current security that is in both NCM and NPM lacks in that regard.
I would love to see this tie in to something like MS IAS (Radius) server or Cisco ACS 4.2 or maybe even 5.0. If I could tie those pieces together I could take this in a whole different direction. In regards to security controls and auditing.
But looks like we are headed in that direction since NCM was not even incorporated into NPM a version or two back.
Full AD authentication is coming for NPM. It's a little trickier because we don't want to take away the SQL-based authentication because there are users who could not use AD.
Attn Albany NY Mike
Do you know if both WPTA and individual Orion accounts will work together?
I have some users outside my Windows Domain which use Orion but the majority are inside my Windows Domain where WPTA would be pulling from.
And if I have 40 users in my Domain using Orion - do I have to do these one at a time with the dummy password step?
Thanks.
Hi denny.lecompte
I looked into NPM 9.5 Admin guide. No trace of "Active Directory" introduction with that release? Any hint from the Labs as to when NPM will have Full AD integration.
Thank you
Can someone reply on whether you can use both WPTA and local user accounts at the same time? I have a bunch of customers who will log into the console, but I do not want to create them Active Directory accounts... but I want my team members to use WPTA
any hint from the Labs as to when NPM will have Full AD integration.
It's on the roadmap. I can't name a specific timeframe.
Look at this section of the AG.
You can have a mix of both.
If you want anyone to be able to use WPTA, you can set up a Domain\anyone account.
If there is no domain account set up in Orion, they will be prompted to login.
As long as they have a regular Orion user name and PW, all should be fine.
Our datacom crew logs into Orion using WPTA, while our DB crew, which has a limitation to only see their stuff, logs in using a generic user ID - DBUnit, PW - DBUnit.
I am surprised SW hasn't progressed with true AD authentication as they did with NCM.
There are always future releases I guess.
How would you do this on Windows 2008 Server IIS? The drop downs mentioned here don't look the same in 2008.
SpinnerRow,
Denny provided a link, above, to the section "Using Windows Pass-through Security" in chapter "Configuring Automatic Login" of the Orion NPM Administrator Guide. Is that what you are referencing? There are Windows 2008 instructions in that section. Please let us know if you encounter further difficulty.
Hi Denny,
Any idea when this will happen? I don't believe the code I'm currently running has this capability yet - 9.5 SP4.
Thanks,
Dana
It's not in 9.5, and it's not in 10.0. We are anxious to get it in, but I don't have a date for you.
Hello. I am reading this thread with interest as one of the most critical parts of the product, AAA (authentication, authorization, and accounting) is being treated as a "side show", almost an after-thought. From this thread I see that it is having difficulty even being prioritized. In our organization we employ AD authentication but are experiencing very strange issues with NPM/Orion. We have users who keep getting locked out from their AD accounts by the Orion server, by no mistake of their own (IE passes the credentials, and they work at all other sites). Then we have AD users who cannot login AT ALL, no matter how many times we delete and recreate the user, the situation does not correct itself.
There are MULTIPLE ISSUES with AD authentication, affecting not just access to the application but access to the entire domain as well (because of lockouts due to NPM). There are zero logs on Orion for this, no literature on correct configuration, it's just AD authentication a la fly-by-the-seat-of-your-pants.
I can't stress enough how this item needs to be UBER-PRIORITIZED. It just looks bad that the product claims it supports AD authentication, yet it doesn't fully work, it breaks/locks out accounts, all the while Solarwinds programmers are psyched about the new bells & whistles coming in version 10. I don't work there, but it seems to me working with security & authentication perhaps is not as much fun as adding bells & whistles.
Excuse my rant, but this issue is really frustrating us. At this time we cannot even add regular (non-AD accounts). NPM will not allow these accounts access. A simple username & password won't work, and there are several AD accounts that the application is locking out without even the user's interaction. There are zero logs for authentication and authorization, which I think is SUPER IMPORTANT. If I missed something, and you can tell me where this is logged, please accept my apologies and let me know what file has this info. We opened a case, but working with support is not very helpful, they blame the browser, blame the user, there's so many components it's easy to pass the buck (not blaming them, I understand there are a million components there). However we are professionals, we know when we make mistakes. This isn't one of them. There are legitimate issues with AD authentication, and Solarwinds needs to put this (undesirable) problem at the VERY TOP!!
Paul
Phoenix, AZ
Denny,
Pam