02-03-2021, 12:04 AM
Hi, havent had any problems in years, maybe Im missing something, but Ive gone through some searches and forum threads and looked through the Help section, I cant find what Im missing.
Fully working setup:
version 12.0.6261.1 (Upgrade planned for end of the year) running on a SQL server DB
(I have 4 accounts to test with:
--PROD\dbwillis (non ASG admin)
--PROD\dbwillis1 (ASG admin)
--PROD-B\dbwillis1 (non ASG admin, directly added into users of SQL DB with same perms as AD groups)
--PROD-B\dbwillis2 (non ASG admin, added into PROD-B\AllUsers group)
current permissions are:
PROD\VisionAppRD - AllUsers (no user accounts in this group)
PROD\VisionApp - FolderExample1 (users are in this group, this group is a member of the above group) *dbwillis is a user/non admin
PROD\VisionAppRD - Admins (only users that are overall admins are in here, it is NOT a member of VisionAppRD - AllUsers) *dbwillis1 is an admin
We have a domain that we plan to consolidate into in the future, as a test, we want to move IT groups in first, lets call this domain PROD-B
Tools/Settings/Environment/Domain I have the PROD domain added in and I used a 'service' account to have it read AD info (lets call the account ASGRD), it is not a member of any Visionapp related group.
I added the PROD-B domain in and used the same PROD\ASGRD account, and it shows up in Tools/Settings/Environment/Domain, after a few days of troubleshooting, created a PROD-B\ASGRD-B account to use (also tried my PROD-B\dbwillis1).
In Tools/Security Groups/Users I have the PROD\VisionAppRD - AllUsers and PROD-B\ASGRemoteDesktop – AllUsers
On the SQL DB, Prod\VisionAppRD - AllUsers have permissions "db_datareader", "public" and "db_executor"
Everything is fine, we have like 60 AD groups with different permissions for different groups, all is well and have rec'd great feedback since use exploded from just 'IT' to all of the company due to COVID.
I had the SQL DBA folks add PROD-B\ASGRemoteDesktop - AllUsers with the same permissions as the PROD group has
Ive added my PROD-B\dbwillis1 account into this PROD-B\ASGRemoteDesktop - AllUsers group.
Tested initially and couldnt connect, wasnt worried, thought replication or something, so I tried it the next day and still got the error.
Built a new virtual machine on the new domain, I can log in as PROD\dbwillis and access ASG as usual, I can log in as PROD-B\dbwillis1 and can start ASG and get to the 'integrated' logon GUI, click logon and get the message "Connection to your current environment could not be established, please select another one"
I reconfirmed with the SQL DBA the permissions for the 2 domain groups are the same.
I asked them to add my PROD-B\dbwillis1 account diretly into SQL as a user, now I can access ASG under that new domain and my PROD-B\dbwillis1 account.
But I still cant access ASG while logged in as PROD-B accounts I add into the ‘All users’ group (dbwillis2), am I missing something someplace?
The only difference I can tell between the 2 groups is :
PROD\VisionAppRD - AllUsers --------------àGlobal group
PROD-B\ASGRemoteDesktop – AllUsers ---àDomain Local group
Another test I did was log onto the computer as PROD\dbwillis and then in the ASG logon gui, uncheck integrated and I can get into ASG as other PROD-B domain accounts that are in the ‘all users’ group, like dbwillis2.
Cliff notes:
Domain 1 working fine, AD groups for access to folders
Domain 2 not working, cannot pass the ‘integrated’ logon unless added directly to SQL DB as user
Fully working setup:
version 12.0.6261.1 (Upgrade planned for end of the year) running on a SQL server DB
(I have 4 accounts to test with:
--PROD\dbwillis (non ASG admin)
--PROD\dbwillis1 (ASG admin)
--PROD-B\dbwillis1 (non ASG admin, directly added into users of SQL DB with same perms as AD groups)
--PROD-B\dbwillis2 (non ASG admin, added into PROD-B\AllUsers group)
current permissions are:
PROD\VisionAppRD - AllUsers (no user accounts in this group)
PROD\VisionApp - FolderExample1 (users are in this group, this group is a member of the above group) *dbwillis is a user/non admin
PROD\VisionAppRD - Admins (only users that are overall admins are in here, it is NOT a member of VisionAppRD - AllUsers) *dbwillis1 is an admin
We have a domain that we plan to consolidate into in the future, as a test, we want to move IT groups in first, lets call this domain PROD-B
Tools/Settings/Environment/Domain I have the PROD domain added in and I used a 'service' account to have it read AD info (lets call the account ASGRD), it is not a member of any Visionapp related group.
I added the PROD-B domain in and used the same PROD\ASGRD account, and it shows up in Tools/Settings/Environment/Domain, after a few days of troubleshooting, created a PROD-B\ASGRD-B account to use (also tried my PROD-B\dbwillis1).
In Tools/Security Groups/Users I have the PROD\VisionAppRD - AllUsers and PROD-B\ASGRemoteDesktop – AllUsers
On the SQL DB, Prod\VisionAppRD - AllUsers have permissions "db_datareader", "public" and "db_executor"
Everything is fine, we have like 60 AD groups with different permissions for different groups, all is well and have rec'd great feedback since use exploded from just 'IT' to all of the company due to COVID.
I had the SQL DBA folks add PROD-B\ASGRemoteDesktop - AllUsers with the same permissions as the PROD group has
Ive added my PROD-B\dbwillis1 account into this PROD-B\ASGRemoteDesktop - AllUsers group.
Tested initially and couldnt connect, wasnt worried, thought replication or something, so I tried it the next day and still got the error.
Built a new virtual machine on the new domain, I can log in as PROD\dbwillis and access ASG as usual, I can log in as PROD-B\dbwillis1 and can start ASG and get to the 'integrated' logon GUI, click logon and get the message "Connection to your current environment could not be established, please select another one"
I reconfirmed with the SQL DBA the permissions for the 2 domain groups are the same.
I asked them to add my PROD-B\dbwillis1 account diretly into SQL as a user, now I can access ASG under that new domain and my PROD-B\dbwillis1 account.
But I still cant access ASG while logged in as PROD-B accounts I add into the ‘All users’ group (dbwillis2), am I missing something someplace?
The only difference I can tell between the 2 groups is :
PROD\VisionAppRD - AllUsers --------------àGlobal group
PROD-B\ASGRemoteDesktop – AllUsers ---àDomain Local group
Another test I did was log onto the computer as PROD\dbwillis and then in the ASG logon gui, uncheck integrated and I can get into ASG as other PROD-B domain accounts that are in the ‘all users’ group, like dbwillis2.
Cliff notes:
Domain 1 working fine, AD groups for access to folders
Domain 2 not working, cannot pass the ‘integrated’ logon unless added directly to SQL DB as user