56 Replies Latest reply on Nov 23, 2011 6:31 AM by bunny

    10.1 & AD authentication

    JBall

      Greetings,

      Upgraded to 10.1 and I'm trying to get an AD account set up.  After following the procedure outlined in this post (Meet the Features – Orion NPM 10.1 – Active Directory authentication with Groups) to create the account, I am presented with the following error on the web page:

      Logon Failure:  the user has not been granted the requested logon type at this computer.

      I can't seem to find the reason for the failure.  Any ideas?

       

      Thanks,

      Jim

        • Re: 10.1 & AD authentication
          bshopp

          Make sure your account has the right AD rights.  If you go and look at the Accounts table in the database, the last column should be SID.  If that is blank, then your account does not have enough rights.  Either get someone with high rights or get your account updated, delete and try re-adding.

          • Re: 10.1 & AD authentication
            JosephRLee

            We have the same issue. Granting local login is out of the question. Although we would like to take advantage of this feature, we are unable to due to security.

              • Re: 10.1 & AD authentication
                bshopp

                Are you logging on manually (the login gateway page), and supplying domain\username credentials?

                When that happens, the Orion server validates those creds with a “Logon” on the server.  If you are using domain creds at the login page then they are considered anonymous, and so must be validated by the server.

                I’d suggest you enable Windows account login (enable automatic login)… if the machine they’re accessing Orion server on is on the same domain as the server itself then IIS takes care of the Windows Auth side of things automatically, and we use that token to login to Orion.  If not, and they log in with domain creds manually, then the server needs to validate those creds with a “logon” on the server.  In this case it looks like the server won’t allow that, hence the “Logon Failure:  the user has not been granted the requested logon type at this computer” Error.

                • Re: 10.1 & AD authentication
                  netlogix

                  I don't think the issue on this is anything that Solarwinds can fix.  It is an IIS issue.  If IIS won't authenticate the user, the NPM can't piggyback on that.  Get IIS to auth the user and you should be good to go.

                    • Re: 10.1 & AD authentication
                      Questionario

                      I think the authentication works fine (we have the same problem).

                      It seems more like the settings are either not saved or the association to the user is incorrect.

                      I heard dev might or might not ever fix this but dev will decide when or if this will be fixed, no further information can be given.

                      basically, if not enough people open a ticket for this, they're not gonna fix this anytime soon.

                  • Re: 10.1 & AD authentication

                    I had the same issue with the user not being granted the requested logon type. One workaround that may not work for some is to give authenticated users read access to the website directory.

                      • Re: 10.1 & AD authentication
                        Questionario

                        well, the user I tried to login with was myself and I definitely have read access to the server...

                        anyone got a clue on what could be the problem?

                        we're currently investigating as well, if I find the problem I will post it here too

                          • Re: 10.1 & AD authentication
                            Questionario

                            Hi,

                            the problem solved itself for us, when trying to add the group several times, it finally worked for some reason... hope it stays that way but we still don't know why it initially didn't work!

                              • Re: 10.1 & AD authentication
                                paper

                                I'm finding I'm having the same issues.

                                Upgraded and when I tried to add a DOMAIN ADMIN account, the logon works fine. But with another (lower-level) admin or regular user account, I get the same error - Logon Failure: User has not been granted the requested logon type at this computer.

                                I also had issues with domain GROUP accounts. They did not work at all. It seems to only work when I add individual full domain admin accounts. What security settings are preventing this from working properly?

                                  • Re: 10.1 & AD authentication
                                    Questionario

                                    Hi Paper,

                                     

                                    have you tried adding the group about a dozen times and checking in between if it works? ;)

                                    that's the workaround that got me going... once it's set up it will work, it just seems as if Orion cannot get a valid SID from the group (of course this will be Microsoft's fault from solarwinds's perspective because some API they are using from MS causes this behaviour)

                                      • Re: 10.1 & AD authentication
                                        paper

                                        A dozen?! Wow. I tried deleting it and readding it in a few times, but not THAT many times... O__O;

                                        It's tough right now cause now I've had to resort to adding individual accounts. it would have been SO much easier if this was actually working properly.

                                        I also updated the security policies to allow the lower level groups logon access rights and admin rights to the Solarwinds server (thinking that it might possibly be a security setting problem) but that hasn't resolved anything yet.

                                          • Re: 10.1 & AD authentication
                                            paper

                                            Also - I checked the database and the SIDs were generated for both the groups and domain accounts, if that matters.

                                              • Re: 10.1 & AD authentication
                                                timcasey

                                                I'm having the same sorts of issues with adding AD groups. Rather than just delete, add and test until it finally works with an unknown number of attempts (there doesn't seem to be any reason why one group works and another doesn't) is there a database check that can be done to determine whether an AD group add has worked or not?

                                                  • Re: 10.1 & AD authentication
                                                    JesperVestergaard

                                                    Hey

                                                    I noticed that my NCM integration, the "home drop-down list", the manage node grouping (when entering "manage nodes") is not remembering my settings anymore, after implementing AD authentication using groups.

                                                    Am I the only one, or ...??

                                                    Especially the NCM integration is killing me....

                                    • Re: 10.1 & AD authentication
                                      Denys.Pavlov

                                      Hi JBall, have you allowed the user to log on locally on the Orion server (see image)?

                                      If the AD account is not allowed to log on locally, it won't be able to log in to the Orion web site.
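
The "requested logon type" error discussed in this thread is governed by the server's user rights assignment, so the following added example (not part of the original thread and not SolarWinds code) lists which principals hold the allow and deny logon rights on the server. It assumes an elevated PowerShell session on the Orion server; the thread only names "log on locally", and the network logon rights are included for comparison.

```powershell
# Added example: audit the logon rights that decide whether an AD account may
# log on to this server. Run elevated on the server being checked.
$rights = 'SeInteractiveLogonRight',      # Allow log on locally
          'SeDenyInteractiveLogonRight',  # Deny log on locally
          'SeNetworkLogonRight',          # Access this computer from the network
          'SeDenyNetworkLogonRight'       # Deny access to this computer from the network

# Temporary file name is constructed here; secedit writes the export to it.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed (exit code $LASTEXITCODE); is the session elevated?"
    }

    $lines = Get-Content -Path $cfg
    foreach ($right in $rights) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            # Rights with no holders are omitted from the export.
            [pscustomobject]@{ Right = $right; Principal = '(not assigned)' }
            continue
        }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-5-...; resolve them to account names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value + ' (unresolved)' }
            }
            [pscustomobject]@{ Right = $right; Principal = $name }
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

A deny right overrides the matching allow right, so an account or group that appears under both will still be refused. If the values are set by Group Policy, a local change is overwritten at the next policy refresh.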