Solarwinds SWQL Studio - AD USERS NOT ABLE TO LOGIN

Hi all,

We have been active users of Solarwinds SWQL Studio. We normally use the AD accounts to login into it. The AD Auth stopped working recently for all users.
We are able to access Solarwinds GUI using the same AD account and it works fine. The Auth is working for local accounts in SWQL Studio which are created inside SW but not for the AD Accounts.
The authentication is also failing for python/powershell scripts using the OrionSDK with AD accounts (all of them used to work before).

There was no upgrades performed on Solarwinds, the only change I can think of is Windows OS patching.

I have also checked the Orion.Accounts and AccountSID is not NULL.
SW Product Version: 2020.2.6
Is there anything there I can do to troubleshoot the issue?
  • Point of clarity: Are you running with AD accounts of via SAML against Azure AD?

  • We dont use SAML nor Azure AD or both.

    We use on-premise Windows AD which the box sits on.

  • OK - just needed to make sure.  Are you getting any connection logs or errors?

  • Error in the GUI : Unable to connect to Information Service. Invalid Username or password

    C:\ProgramData\SolarWinds\InformationService\v3.0\Solarwinds.InformationService.log
    ====================================================================================
    2022-04-20 14:45:27,860 [295] INFO SolarWinds.Orion.Web.OrionMixedModeAuth - (null) (null) Successfully retrieved WindowsIdentity for user Domainxx\x123456a.
    2022-04-20 14:45:28,203 [295] INFO SolarWinds.Orion.Web.AuthorizationManager - (null) (null) WindowsAuthorizationManager.CheckCreateUser() failed: System.ArgumentException: The (&(|(objectClass=user)(objectClass=group))(|(objectSid=S-1-5-21-3499964120-3315823391-1593708255-811737)(objectSid=S-1-5-21-3499964120-3315823391-1593708255-1002140)(objectSid=S-1-5-21-3499964120-3315823391-1593708255-1246602)(objectSid=)(objectSid=S-1-5-21-3499964120-3315823391-1593708255-1002139)(objectSid=S-1-5-21-3499964120-3315823391-1593708255-801432)(objectSid=S-1-5-21-3499964120-3315823391-1593708255-1093599))) search filter is invalid.
    at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
    at SolarWinds.Orion.Web.Authentication.Windows.DirectoryServices.GetDistinguishedNames(IEnumerable`1 sids)
    at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.GetDomainGroups(WindowsIdentity identity, IEnumerable`1 orionDomainGroupsSids)
    at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.CheckGroupMembership(WindowsIdentity identity)
    at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.GetUpdatedVirtualUserFromGroupMembership(WindowsIdentity identity, String errorMessage)
    at SolarWinds.Orion.Web.AuthorizationManager.WindowsAuthorizationManager.CheckCreateUser(WindowsIdentity identity)
    at SolarWinds.Orion.Web.AuthorizationManager.CheckCreateUser(IIdentity identity)
    2022-04-20 14:45:28,203 [295] WARN SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null) Invalid username or password for user 'Domainxx\x123456a' via Windows Authentication.

    ========================================================

    If I try the "Orion V3 AD" login method (no need to enter password), it gives GUI error as below

    Unable to connect to Information Service. The server has rejected the client credentials.

    I could not see anything in the log file for this.

  • Just one thing to make sure, if you have the latest hotfixes for Orion you also need the latest SWQL studio - do you have the latest SWQL studio?

    Also, are your AD users added as groups or individual accounts? I see this behavior at other places with group accounts. 

  • We are on latest Orion hot fix. But not on latest SWQL. I will try upgrading after the embargo.

    We use AD groups for specifying user access. 

  • Ok, then that might be the issue. Latest HF requires the latest SWQL or you get an error on logging in looking something like that.

  • @seashore I found the same, SDK upgrades fixed it.  

  • We tested with latest version of SWQL and it still does not work. The API access via Python SDK is also not working for AD Group Users. So I guess the issue is not with SWQL but with Core or Information service API.

    We dont use individual accounts as there is few many users who need API access. Ex: Users use scripts to mute/manage multiple nodes as part of a Change 

    Also noticed, when I add a new Orion local user it has only access to the Orion scheme and not to NCM, Cirrus etc. But older local accounts can access all schemas in SWQL.

    Looks the whole authentication for API's seems to be mess for me. Is there a way to reset the stuff? like a clean slate and start again

  • Wasn't there something and users SIDs being empty in the database?