34 Replies Latest reply on Aug 13, 2010 8:29 AM by bshopp

    AD Authentication

    dmcconnell

      AD authentication is working great.  One thing that I would like to see added is the "default domain" and login method.  By that I mean, on the login page, I don't want to have to enter domain\userid.  I only want to enter userid.  So, maybe you could add a dropdown box to the login page to allow the user to switch between "Orion login" and "AD login", then on the manage accounts page, you could add an option to select which you wanted to be the default.  Something like the way that Blackberry does it, see screenshot below.

      -David

        • Re: AD Authentication
          bshopp

          Good deal, glad it is working well for you.

          So do you plan to make your users manually log in to Orion and not use automatic login or the single sign-on option so it automatically logs them into Orion based on the AD account they logged into their machine with?

            • Re: AD Authentication
              dmcconnell

              Brandon,

              Are you talking about pass-through authentication that is in the product today or did I miss some automatic login/sso options in the beta?  We currently do use pass-through authentication, but it has been flakey at best.  I would much prefer that the system automatically logs the user in with the AD account they logged into their PC with, based on AD group rights setup within Orion.

              Thanks,
              David

                • Re: AD Authentication
                  bshopp

                  No, this is completely different.  With the new AD functionality in the beta, when a user logs into Orion, if this option is enabled, it will attempt to log them in with the AD credentials they logged into the machine with automatically, so true single sign-on.

                  This can be found under Admin -> Web Console Settings and Windows Account Logon.

                    • Re: AD Authentication
                      dmcconnell

                      That's odd, I looked at that yesterday, and it was already set to "Enable automatic login", but it was not behaving that way.  I was still getting the login page when accessing the Orion website.  I had already added an AD group "Orion-Admin" into account manager, and added my AD account into that group, but was still getting the login page.  This morning, I added my AD account to the individual accounts tab and it started working.  I have removed my account from the individual accounts tab and it seems to still be working.  Anyway, this is my preferred method of authenticating users if it works reliably.

                      Thanks,
                      David

                        • Re: AD Authentication
                          damienball

                          We use AD on our OS X machines.  Does this single-signon work with that as well?  Anyone tested that?

                          • Re: AD Authentication
                            bshopp

                            That's odd, I looked at that yesterday, and it was already set to "Enable automatic login", but it was not behaving that way.  I was still getting the login page when accessing the Orion website.  I had already added an AD group "Orion-Admin" into account manager, and added my AD account into that group, but was still getting the login page.  This morning, I added my AD account to the individual accounts tab and it started working.  I have removed my account from the individual accounts tab and it seems to still be working.  Anyway, this is my preferred method of authenticating users if it works reliably.

                            What browser were you trying yesterday?  Was it different than today?

                          • Re: AD Authentication
                            kweise

                            I'm getting an error while trying to add an AD account.  Every time I try to search for a user to add, I get an error message stating No domain specified.  I've tried several of our domains, because I thought the dash in my domain name might have been an issue, but it fails on all of them.  The domain my account is in is "isd-nt\" but I've tried others such as "dwd\" and "bmv\" all of which generated the same message.

                              • Re: AD Authentication
                                jonchill

                                I'm getting the same message as Kweise for adding both a single user and user group from our AD. I've tried ULH in lower and upper case and it makes no difference.

                                  • Re: AD Authentication
                                    bshopp

                                    Can you turn on web debugging with the log adjuster and then send me OrionWeb.log?  If you need assistance, please let me know.

                                      • Re: AD Authentication
                                        jonchill

                                        I've enabled debug for the website but can't find the OrionWeb.log file and have searched in both the NPM website folder and NPM program folder.

                                        • Re: AD Authentication
                                          kweise

                                          Brandon,

                                          I'm having a problem enabling web debugging using the log adjuster.  Even if I do a right click, run as and uncheck the 'Run this program with restricted access' check box, I get the same results.  I've tried this on my production Orion servers and get the same results.  Any idea what I'm doing wrong?

                                        • Re: AD Authentication
                                          damienball

                                          I was getting that "No domain specified" error, but I changed the AD Authentication account I was using and it started to work just fine.  Great job on this btw!

                                          I do agree being able to specify a default domain would be nice.  If I had to get people to log in, it would be great if they only had to put in their username and it did some kind of ordered attempt at logging in.  Maybe if I put in my username "damienball", it would try to log in by appending domain\damienball, and if that fails then try to authenticate as damienball against Orion's local account database.

                                • Re: AD Authentication
                                  sotherls

                                  I feel late to the game but I had to rebuild our server before installing NPM.

                                  I too am having an issue with adding an AD account. I get the same message reported: No domain specified.  Please enter search string in the format:  Domain\Username.

                                  I tried to use the supplied documentation but found it was lacking, maybe not current with this version?

                                  I saw one of the posts mentioned (changed the AD Authentication account) but not sure where that was.

                                  My search account is a member of Domain Admins in the domain I am searching in.

                                  What am I missing?

                                    • Re: AD Authentication
                                      bshopp

                                      For those of you who have had issues getting AD to work in your environment, I believe most of you I have already reached out to -- we have a new dll which has resolved it for everyone who has applied it thus far.  If you have not gotten it from me, send me a note.

                                        • Re: AD Authentication
                                          kweise

                                          Brandon,

                                          Should I be getting prompted for a username and password when browsing to Orion when the Windows Account Login is set to “Enable automatic login?”  Initially, I just added an AD group that I’m a member of and then I added my individual AD account.  I’m logged in with the same account that I added in Orion.  If I enter my username and password into the pop-up window, it takes me right into Orion to the home page, bypassing the Orion login page.  The way the description under the Web Console Settings page reads, I would think I would go straight to the Orion home page as long as enable automatic login is enabled and I’m logged into an AD account that has a group or individual account set up in Orion. I get the same behavior using Firefox or IE.

                                      • Re: AD Authentication
                                        KenKasmar

                                        Any idea (in a vague way of course) when this feature might be making its way to an RC or production build?  This is going to save me untold headaches in user access management and I can hardly wait to roll it out to our prod environments!