Can't logon with users in new domain
#1
Hi, haven't had any problems in years, maybe I'm missing something, but I've gone through some searches and forum threads and looked through the Help section, I can't find what I'm missing.
 
Fully working setup:
version 12.0.6261.1 (Upgrade planned for end of the year) running on a SQL server DB
I have 4 accounts to test with:
--PROD\dbwillis (non ASG admin)
--PROD\dbwillis1 (ASG admin)
--PROD-B\dbwillis1 (non ASG admin, directly added into users of SQL DB with same perms as AD groups)
--PROD-B\dbwillis2 (non ASG admin, added into PROD-B\AllUsers group)
current permissions are:
PROD\VisionAppRD - AllUsers (no user accounts in this group)
PROD\VisionApp - FolderExample1 (users are in this group, this group is a member of the above group) *dbwillis is a user/non admin
PROD\VisionAppRD - Admins (only users that are overall admins are in here, it is NOT a member of VisionAppRD - AllUsers) *dbwillis1 is an admin
 
We have a domain that we plan to consolidate into in the future, as a test, we want to move IT groups in first, let's call this domain PROD-B
 
Tools/Settings/Environment/Domain I have the PROD domain added in and I used a 'service' account to have it read AD info (let's call the account ASGRD), it is not a member of any Visionapp related group.
I added the PROD-B domain in and used the same PROD\ASGRD account, and it shows up in Tools/Settings/Environment/Domain, after a few days of troubleshooting, created a PROD-B\ASGRD-B account to use (also tried my PROD-B\dbwillis1).
 
In Tools/Security Groups/Users I have the PROD\VisionAppRD - AllUsers and PROD-B\ASGRemoteDesktop – AllUsers
 
On the SQL DB, Prod\VisionAppRD - AllUsers have permissions "db_datareader", "public" and "db_executor"
Everything is fine, we have like 60 AD groups with different permissions for different groups, all is well and have rec'd great feedback since use exploded from just 'IT' to all of the company due to COVID.
 
I had the SQL DBA folks add PROD-B\ASGRemoteDesktop - AllUsers with the same permissions as the PROD group has
I've added my PROD-B\dbwillis1 account into this PROD-B\ASGRemoteDesktop - AllUsers group.
Tested initially and couldn't connect, wasn't worried, thought replication or something, so I tried it the next day and still got the error.
 
Built a new virtual machine on the new domain, I can log in as PROD\dbwillis and access ASG as usual, I can log in as PROD-B\dbwillis1 and can start ASG and get to the 'integrated' logon GUI, click logon and get the message "Connection to your current environment could not be established, please select another one"
I reconfirmed with the SQL DBA the permissions for the 2 domain groups are the same.
I asked them to add my PROD-B\dbwillis1 account directly into SQL as a user, now I can access ASG under that new domain and my PROD-B\dbwillis1 account.
But I still can't access ASG while logged in as PROD-B accounts I add into the ‘All users’ group (dbwillis2), am I missing something someplace?
 
The only difference I can tell between the 2 groups is :
PROD\VisionAppRD - AllUsers ---> Global group
PROD-B\ASGRemoteDesktop – AllUsers ---> Domain Local group
 
Another test I did was log onto the computer as PROD\dbwillis and then in the ASG logon gui, uncheck integrated and I can get into ASG as other PROD-B domain accounts that are in the ‘all users’ group, like dbwillis2.
 
Cliff notes:
Domain 1 working fine, AD groups for access to folders
Domain 2 not working, cannot pass the ‘integrated’ logon unless added directly to SQL DB as user
Reply
#2
There are two things - one is the permission for the SQL database access - when you configure an environment you can choose how to access the database - integrated or with SQL user - if you choose Integrated your Windows Account is used to authenticate against the database server / the database. If this fails you get a message like "Can't connect to the database (instance/server)" - you can easily test it by adding your Account to the SQL Admin group or just give the user dbowner rights!

Second is Permissions in ASGRD - but this is only checked if you are connected to the database - it then decides what you can do inside the ASGRD environment.


I think you have to check your Accounts have permission to connect to the database (server) - in online help you can find the needed permissions on SQL server - for testing it makes sense to try it first as Admin/dbowner and then switch to the minimum permission that is necessary...
Regards/Gruss
Oliver
Reply
#3
I had them recheck, perms match fully between the 2 domain groups.

On the SQL side, their logs show: Error: 18456, Severity: 14, State: 5.
Login failed for user 'PROD-B\dbwillis2'.
Reason: Could not find a login matching the name provided.

So it seems the SQL can't read members of the PROD-B domain group that dbwillis2 is in? Because I can login with dbwillis1 that they added directly into the SQL DB
Still testing things with them.....


Reply
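A diagnostic for the situation in this thread, added here as an example and not posted by either participant: error 18456 state 5 is a lookup failure at the server-login level, so these queries list which logins, permission paths and database users the instance actually holds for the PROD and PROD-B names. Account and group names are copied from post #1; `ASGRD_DB` is a placeholder for the real database name.

```sql
-- Added example. Run on the SQL Server instance with a sysadmin login.

-- 1. Server level: a Windows group only lets its members in if the group
--    itself exists as a login (type_desc = WINDOWS_GROUP) on the instance.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')
  AND (name LIKE N'PROD\%' OR name LIKE N'PROD-B\%')
ORDER BY type_desc, name;

-- 2. Permission paths the instance resolves for each test account.
--    Each returned row is one route in: a direct login or a group login.
EXEC master..xp_logininfo @acctname = N'PROD\dbwillis',    @option = 'all';
EXEC master..xp_logininfo @acctname = N'PROD-B\dbwillis1', @option = 'all';
EXEC master..xp_logininfo @acctname = N'PROD-B\dbwillis2', @option = 'all';

-- 3. Members of the new group as the SQL Server service account reads them
--    from Active Directory.
EXEC master..xp_logininfo
     @acctname = N'PROD-B\ASGRemoteDesktop - AllUsers',
     @option   = 'members';

-- 4. Database level: users, the server login each one maps to (by SID),
--    and their roles. server_login = NULL means the database user exists
--    but no matching login exists on the instance.
USE [ASGRD_DB];  -- placeholder database name
SELECT dp.name      AS db_user,
       dp.type_desc AS db_user_type,
       sp.name      AS server_login,
       r.name       AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('U', 'G')
  AND (dp.name LIKE N'PROD\%' OR dp.name LIKE N'PROD-B\%')
ORDER BY dp.name, r.name;
```

Comparing the rows for the working PROD group against the PROD-B group in steps 1 and 4 shows whether the two really are configured the same at both the server and the database level.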