This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SWIS / SWQL Studio / API - Windows Group Authentication Issue

Hi All,

One of our SolarWinds NPM 2020.2 instances is experiencing authentication issues with SWIS and SWQL Studio connections.

SWIS and SWQL Studio connections to SolarWinds do not appear to allow authentication of active directory accounts configured for SolarWinds access via "Windows Groups".  SWQL Studio simply reports the following...

Capture.PNG

The Orion log on the primary poller reports the following when such an attempt is made:

WARN  SolarWinds.Data.Providers.Orion.OrionAccountValidator - (null) (null)  Invalid username or password for user 'DOMAIN\username' via password hash comparison.

Logins to the SolarWinds web front end/GUI authenticate via "Windows Groups" without any issues.

Connecting via SWIS/SWQL Studio using an individual account which is configured within SolarWinds (local Orion or active directory account) also works without any issues.

To rule out an issue with a specific windows group, a new group was created and configured for access within SolarWinds however the issue with SWIS/SWQL Studio connections also occurs with this new group.

We have other similar SolarWinds instances which allow "Windows Group" authentication via SWIS/SWQL Studio without any issues, so we know this authentication method should be possible.

Has anyone had similar issues?

Thanks.

Parents
  • Run sql query SELECT AccountID, AccountSID FROM [DATABASE].[dbo].[Accounts] WHERE AccountID='DOMAIN\ACCOUNT'.
    Replace DATABASE and DOMAIN\ACCOUNT with corresponding ones for you.

    If you got NULL AccountSID, just update the value with the proper SID for your account. 

    Fixed for us this exact issue. I'm curios if this helps others and amazed how this does not have an answer yet being opened since more than 1 year

  • This is the sollution to the issue. Somehow the SID's are not loaded into the Table. Thanks for sharing.
    I tried to load the SID's in the Orion.Accounts Table via a Powershell script using the SWIS module. But until now I was not successful. Probably because I can not update via SWIS. Or did I misread the Metadata.Entity table?

  • I've rechecked, don't think it's possible to update accountsid using swis. Only the properties below

    Orion.Accounts Enabled
    Orion.Accounts AllowNodeManagement
    Orion.Accounts AllowMapManagement
    Orion.Accounts AllowAdmin
    Orion.Accounts CanClearEvents
    Orion.Accounts AllowReportManagement
    Orion.Accounts AllowAlertManagement
    Orion.Accounts AllowCustomize
    Orion.Accounts AllowUnmanage
    Orion.Accounts AllowDisableAction
    Orion.Accounts AllowDisableAlert
    Orion.Accounts AllowDisableAllActions
    Orion.Accounts AccountType
    Orion.Accounts AllowViewCopCheck
    Orion.Accounts DisplayName
    Orion.Accounts Description


    Use sql...

Reply
  • I've rechecked, don't think it's possible to update accountsid using swis. Only the properties below

    Orion.Accounts Enabled
    Orion.Accounts AllowNodeManagement
    Orion.Accounts AllowMapManagement
    Orion.Accounts AllowAdmin
    Orion.Accounts CanClearEvents
    Orion.Accounts AllowReportManagement
    Orion.Accounts AllowAlertManagement
    Orion.Accounts AllowCustomize
    Orion.Accounts AllowUnmanage
    Orion.Accounts AllowDisableAction
    Orion.Accounts AllowDisableAlert
    Orion.Accounts AllowDisableAllActions
    Orion.Accounts AccountType
    Orion.Accounts AllowViewCopCheck
    Orion.Accounts DisplayName
    Orion.Accounts Description


    Use sql...

Children
  • Thanks. I Used the following PS script to create the SQL statements to add the missing SID's to the users.


    ##############################################################################
    ## Script name:         Add Missing SID to Domain Accounts                  ##
    ## Script Version:      0.1                                                 ##
    ## Org Creator:         Edwin Hoekman                                       ##
    ## Revision By:                                                             ##
    ## Date:                2021-08-24                                          ##
    ##############################################################################
    ## Purpose:                                                                 ##
    ##      Check the table Orion.Accounts if Domain accounts have a AccountSID.##
    ##      If the account has no AccountSID create a SQL command to add the    ##
    ##      SID to the user accounts via Orion DataBase Manager.                ##
    ##      Replace the following to your environment:                          ##
    ##        - <Host>  e.g. localhost or 10.10.10.10 or hostname               ## 
    ##        - <Domain> e.g DOMAIN1                                            ## 
    ##        - <user-id> e.g. DOMAIN1\EHoekman                                 ## 
    ##        - <password> e.g. Password1234                                    ## 
    ##############################################################################  ## Ver | Name        | Date     | Remarks                                   ##
    ##     |             | dd-mm-yy |                                           ##
    ##-----+-------------+----------+-------------------------------------------##
    ## 0.1 | E Hoekman   | 21-09-20 | Initial Release                           ##
    ##-----+-------------+----------+-------------------------------------------##
    ##############################################################################

    # import the SWIS module
    Import-Module SwisPowerShell

    #section with fixed variables
    $hostname = "<host>"                     # Orion Main Engine
    $domain = "<Domain>"                     # Domain to be checked

    # create a connection to SolarWinds Information Service (SWIS)
    $swis = Connect-Swis -Hostname $hostname -Trusted
    # or Use
    # $swis = Connect-Swis -Hostname $hostname -Username "<user-id>" -Password "<password>"

    # request to get all nodes and their caption an IP addresse
    $query = "
        SELECT  AccountID,
                URI
        FROM Orion.Accounts
        WHERE   AccountSID IS NULL AND
               (AccountType = 2 OR
                AccountType = 4) AND
                AccountID like '$domain\%'
    "
    # Putting all requested SWIS information into a variable called user_without_SID
    $users_without_SID = Get-SwisData -SwisConnection $swis -Query $query

    #Find the SID for the users without an SID in Orion.Accounts
    Clear-Host
    Write-Output "=================================================================================="
    Write-Output "Run the following statements in the Orion DataBase Manager App on the Main Engine."
    Write-Output "=================================================================================="

    foreach ($user_without_SID in $users_without_SID)
    {
        # Get Missing SID of user
            $Account = $user_without_SID.AccountID
            $user = New-Object System.Security.Principal.NTAccount($Account)
            $sid = $user.Translate([System.Security.Principal.SecurityIdentifier])

        # Write SID to User in Orion.Accounts
        Write-Output "Update Accounts Set accountSID = '$SID' where AccountID = '$Account'"
    }