8 Replies Latest reply on Jul 10, 2017 5:28 PM by cfizz34

    Had trouble logging new accounts and groups into web console

    jest4kicks

      Hey all,

       

      Wanted to share a quick experience.  I've been setting up team-based web access into Solarwinds, by delegating access via AD security groups.  We had a number of groups already in place, but I wanted to add more, and hit some hitches.  Sharing here in case it benefits anyone else.

       

      First, I have to remind myself and others that delegating access isn't just a matter of adding the user or group in the Manage Accounts section.  The user or group also needs "Allow log on locally" permissions to the server (secpol.msc / gpedit.msc / rsop.msc / etc > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally).  To prevent us from needing to add a new group every time, I created a master "logon" group and made all of the new groups members.

       

      Next, I created a couple groups, and added them in Solarwinds.  I also created a test user account and added it, so I could verify the access myself.

       

      After doing all of this, my test account could not login to the web console.  I was presented with a bad username/password error.  Further investigation determined that the security log on the Orion server recorded a successful credential validation, and no other errors were apparent.  I figured something had to be happening within Orion, itself.

       

      I checked some threads here, and found the location of the diagnostic logs.  (C:\ProgramData\Solarwinds\Logs\Orion\OrionWeb.log)  There, I found the following reoccurring event.

       

      [51] ERROR SolarWinds.Orion.Web.DAL.AccountProfileDAL - Attempted to retreive properties for nonexistent user <domain>\<userId>.

       

      Just before those events, the following was also appearing.

       

      [51] WARN  SolarWinds.Orion.Web.AuthorizationManager - Warning: Checking Group membership; Account Group '<domain>\<groupName>' contained NULL SID.

       

      I double-checked the group in AD and determined it was fine, so I removed the group from Solarwinds and re-added it.  Problem fixed.

       

      I'm still not sure what caused this to occur, but wanted to share in case anyone else hits the same roadblock.