
Logon failure the user has not been granted the requested logon type at

FormerMember

Running into some issues getting AD to work with SolarWinds Orion NPM 10.1.3.

I've created multiple Windows groups in the Account Management and I am running into the error: logon failure the user has not been granted the requested logon type at

It works for the majority of the groups but not all of them. The same thing is happening with Single Windows Accounts. Any user who is part of the router team has no issues logging in, but the DNS team has issues. I've read the replies from other thwack threads but it hasn't resolved the issues.

SolarWinds is on one domain and the Server that hosts AD is on another domain.

I've checked the following:

- made sure the users are in the appropriate groups in AD

- validated that the groups have a SID by them in the Accounts field in the database

- the users who are having issues do not have bad passwords or expired accounts as they log in with these accounts daily.

- I have admin rights to the AD tree

I'm not exactly sure where to check since some groups work fine and others don't.

Waiting for our support contract to renew before I can open a support ticket.

Thanks.

  • Due to the way we authenticate AD users in Orion, we require the 'Allow Logon Locally' permission for the accounts that are used in Orion.

    The partial workaround for this is to enable automatic login using Windows Authentication (it can be set in Web Console Settings). However, this works only when IIS does the authentication; the Orion login page is skipped then. Once you get to the Orion login page (either because you log out or because of a timeout), you need to restart the browser so IIS can authenticate the account again.

    So there should be two workarounds:

    1) Add the accounts to the "Allow log on locally" policy on the Orion server. You can configure this policy in mmc - Local Computer Policy snap-in - Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

    2) Enable automatic login in Orion - this will only work if the authentication is done in IIS, and not in Orion. So it will only work in IE (but there is a browser setting that can also allow it for Firefox), and the user needs to be logged in to Windows under the same account.

  • Oh, for Firefox to work, type about:config in the URL field and add your Orion host name in "network.automatic-ntlm-auth.trusted-uris" and now you can use pass-through auth in Firefox!!!!! yea!!
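
One way to verify the first workaround (the "Allow log on locally" policy) on the Orion server, as an added example that is not part of the original replies: it exports the server's user-rights assignments with `secedit` and reports, for each group registered in Orion, whether it is listed under "Allow log on locally" or under "Deny log on locally", which overrides the allow entry. The group names are hypothetical placeholders, and only direct entries are checked; rights inherited through membership in another listed group are not expanded.

```powershell
# Added example: run from an elevated PowerShell prompt on the Orion server.

function Get-UserRightHolders {
    # Parse the [Privilege Rights] section of a secedit export into a
    # hashtable: right name -> array of entries (SIDs or account names).
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            # Entries are comma separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LocalLogonRight {
    # Report whether each account is listed directly under the allow/deny right.
    param([hashtable]$Rights, [string[]]$Accounts)
    foreach ($acct in $Accounts) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$acct).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $null }   # name could not be resolved from this server
        $ids = @($acct, $sid) | Where-Object { $_ }
        [pscustomobject]@{
            Account = $acct
            Sid     = $sid
            Allowed = [bool]($Rights['SeInteractiveLogonRight'] | Where-Object { $ids -contains $_ })
            Denied  = [bool]($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $ids -contains $_ })
        }
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-UserRightHolders -InfLines (Get-Content $inf)
Remove-Item $inf

# Hypothetical group names; replace with the groups added in Orion Account Management.
$OrionGroups = 'EXAMPLE\Router-Team', 'EXAMPLE\DNS-Team'
Test-LocalLogonRight -Rights $rights -Accounts $OrionGroups | Format-Table -AutoSize
```

A group that shows `Allowed = False` with an empty `Sid` could not be resolved from the Orion server at all, which is worth checking first when Orion and AD sit in different domains.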