Level 7

Windows Pass-Through Security

Not sure I am fully clear on what the interaction with the Auto Login and Windows Pass-Through Security is. Initially I created separate Orion accounts (Admin, a super-user account for our netops, and a limited account for one of our regional offices) but I saw that this would be an added pain to manage as we are trying to move to fewer application-specific accounts.

I followed the steps in the Admin Guide to remove anonymous access and select Integrated Windows authentication. However, I still have to set up separate accounts from Orion using the Domain\User structure, and I am able to give these accounts passwords that are separate from the user's Windows Domain password.

Am I missing something about the functionality here? What does this really buy me over creating local accounts? Do I still need to manage these accounts in Orion for password changes, or will the users be sync'd with their NT account?

Sorry for the dense question.

Jim

James Shepherd
Network Service Project Manager - IT

Swiss Reinsurance Company
55 East 52nd Street
New York, NY 10055
phone - direct +1 212 317 5385 - fax +1 917 368 4385
mailto:james_shepherd@swissre.com - http://www.swissre.com
12 Replies
Level 7

Any news on AD group pass-thru authentication? Will this be included in V8? I was fine with just using \Everyone group, but security wasn't, and adding individual users is a pain. I want as many people to view/use Orion as possible, and adding users to an AD group is way easier than setting up additional accounts in Orion.
Level 15

Unfortunately, I have not been able to get group authentication to work either.
Anyone else have any luck with this?

This would definitely be a huge benefit for managing accounts.



-=Cheers=-
NG
Level 10

Has anyone had any luck trying to add groups instead of individual AD accounts? In our environment it would be extremely difficult and time consuming to add everyone's individual user accounts, set up their account limitations, etc.

I would say this would be a great feature to add, if it's not already.
Level 7

I just tried doing this.. I added domain\everyone and it didn't work so I deleted that and added domain\Everyone and now it works fine. Go figure.
Level 13

quote:Originally posted by charlesdf23

We are having the same exact issue. Having to add each individual user is getting real old. Once again, documentation is wrong.


We use the domain\everyone account as described in the Admin Guide, and it works quite well for us.
Level 7

We are having the same exact issue. Having to add each individual user is getting real old. Once again, documentation is wrong.
Level 12

quote:Originally posted by rgward

Bakerd,

Instead of domain\* try domain\Everyone


I did, along with domain\users and domain\domain users. I only listed a few above, but I bet I tried 15 or 20 or so different combinations.
Anonymous
Not applicable

Bakerd,

Instead of domain\* try domain\Everyone
Level 12

quote:Originally posted by Don Yonce

Later versions of Orion also include support for \Domain\* to enable all accounts in the Domain.

Be sure to enable NT Authentication within IIS.

Another Tip:
Add the \Domain\* account to Orion and set the default permissions for this account.
Then add another account such as \Domain\DonYonce and set the permissions for this account to include Admin rights.
You can then add another account such as \Domain\DaveYonce and set the permissions on this account to not allow logins at all. So, in essence, we have created a set of default permissions for everyone in a domain except DonYonce and DaveYonce. Don gets additional admin rights and Dave is blocked from logging in altogether.


This doesn't work for us. I can do specific users and it works fine, but that is it.

domain\userid - works

Tried with no luck:

domain\*
\domain\*
domain\OU\OU\*
domain/OU/OU/*
domain\OU\OU\userid

This is in a 2003 environment including 2003 AD schema. I even tried using FQDN ie xx.yy.zzzz\*

Level 9

Later versions of Orion also include support for \Domain\* to enable all accounts in the Domain.

Be sure to enable NT Authentication within IIS.

Another Tip:
Add the \Domain\* account to Orion and set the default permissions for this account.
Then add another account such as \Domain\DonYonce and set the permissions for this account to include Admin rights.
You can then add another account such as \Domain\DaveYonce and set the permissions on this account to not allow logins at all. So, in essence, we have created a set of default permissions for everyone in a domain except DonYonce and DaveYonce. Don gets additional admin rights and Dave is blocked from logging in altogether.
0 Kudos
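The default-plus-override scheme from the tip above, modelled as an added sketch (not part of the original post and not Orion's own code). It assumes an exact \Domain\user entry takes precedence over the \Domain\* entry and that account names compare case-insensitively; the `Entry` fields, the `audit` helper and the domain name CORP are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    account: str              # "\\DOMAIN\\user" or "\\DOMAIN\\*" (leading backslash optional)
    allow_login: bool = True
    admin: bool = False


def _norm(name):
    # Drop the optional leading backslash; assumption: names are case-insensitive.
    return name.lstrip("\\").lower()


def resolve(entries, identity):
    """Return the entry that governs `identity`, or None when nothing matches."""
    table = {_norm(e.account): e for e in entries}
    ident = _norm(identity)
    domain, sep, user = ident.partition("\\")
    if not sep or not user or user == "*":
        return None           # not a DOMAIN\user identity; a literal "*" never logs in
    # A specific account overrides the domain-wide default.
    return table.get(ident) or table.get(domain + "\\*")


def audit(entries):
    """Flag wildcard entries whose default rights reach every account in the domain."""
    findings = []
    for e in entries:
        if _norm(e.account).endswith("\\*") and e.allow_login and e.admin:
            findings.append(e.account + ": wildcard grants admin to the whole domain")
    return findings


# Constructed sample mirroring the tip: a default, one admin, one blocked user.
ACCOUNTS = [
    Entry("\\CORP\\*"),
    Entry("\\CORP\\DonYonce", admin=True),
    Entry("\\CORP\\DaveYonce", allow_login=False),
]

if __name__ == "__main__":
    for who in ("CORP\\DonYonce", "corp\\daveyonce", "CORP\\jsmith", "OTHER\\jsmith"):
        print(who, "->", resolve(ACCOUNTS, who))
    print(audit(ACCOUNTS))
```

Under this model the blocked user is an exception to a domain-wide allow, so any account without its own entry inherits whatever the wildcard entry grants; that entry is the one to keep at minimum rights.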
Level 7

quote:Originally posted by jshepherd



Am I missing something about the functionality here? What does this really buy me over creating local accounts? Do I still need to manage these accounts in Orion for password changes, or will the users be sync'd with their NT account?



Enter the username in the Solar Winds administrator like this:

\windows_domain\ad_user_name

Leave the passwords blank. The first time the user logs in, it will probably ask them to authenticate with a password but after that, it will tie in with ad. That's the way we run it here and it works great. If you have any questions about the IIS portion, shoot me an email (evans.martin@nashville.gov).

Evans Martin
Level 15

Hi Jim,

As I understand the pass-thru authentication, as long as the user is authenticated & logged into the Windows AD domain, they will not be prompted to login.

If the user is not authenticated to the AD domain, then they will get the login screen & must use the password you have programmed for their account.

This assumes that your Orion server is part of the AD domain that the users are logged into.

-=Cheers=-
NG