Open BoPeng opened 2 weeks ago
Thanks for reporting the issue. Could you provide the following information so that we can look more into it?
<environment-name>.accounts.users DynamoDB table?
Were you able to reset the user password in the AWS Directory Service console successfully?
I was able to reset password through the AWS DS console, and through Server Management from Windows admin nodes. I can log in to the Windows admin node with the new password if I change password through the AWS DS console.
Have you set up SSO following ...
No. I am working with our institutional IT on this. Without SSO and with a non-working AD, we only have one user clusteradmin in the system.
Are there any users in the <environment-name>.accounts.users DynamoDB table?
I have three users in this table. One clusteradmin, two copied from AD. I initially could not see these two users in RES, but I figured out the problem (see https://github.com/aws/res/issues/62).
Are there any cluster-manager logs which indicate that RES has detected users and groups from AD?
I do see messages like
2024-09-18T23:00:36.346Z
[2024-09-18 23:00:36,243] [INFO] [ad-sync] Fetching RES users
but I could not find any details about failed authentication attempts. Resetting password did not either. The system says an email has been sent but no email was received.
Edit: When I failed to login, the browser console window shows:
You can only login the RES portal via AD users after SSO is enabled. Note that clusteradmin doesn't exist in AD and was created by the RES deployment in Cognito.
In the normal workflow, you should receive an email which includes the clusteradmin user credentials after installing RES. After logging in as the clusteradmin user, you can configure SSO following https://docs.aws.amazon.com/res/latest/ug/manage-users.html.
If you didn't receive emails about the clusteradmin user credentials, I would suggest checking:
no-reply@verificationemail.com) was blocked or whether the email was filtered out for some reason
To get around the problem, you can manually reset the clusteradmin password using the AWS CLI. Please check https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-reset-user-password.html
You can only login the RES portal via AD users after SSO is enabled.
Could you please elaborate why this is the case? According to RES documentation on Create a demo environment, users should be able to reset password from AD console and login. The documentation does not mention SSO integration.
I am also confused about the SSO/Cognito users and AD users. When a user logs in with SSO, an 'external user' is created under Cognito. Will this user be synced to AD? If a user logs in with AD users (which does not work for me now), will the users be synced to the Cognito user pool? If the users are present both in AD and Cognito and we change the user's password through AD, will the user still be able to login through SSO password?
Describe the bug
With a fresh installation, non-clusteradmin users cannot login. Resetting password through AWS Directory Service does not work either.
This could be the same issue as https://github.com/aws/res/issues/36
Steps to reproduce
Steps to reproduce the behavior:
Expected behavior
AD users should be able to login.
Environment (please complete the following information):
Additional context
Users can login to windows Admin node through corp\user1 with the same password. After a failed login attempt, the <env>/cluster-manager log group shows the following message but no details on why login failed.
The cognito user pool has one user clusteradmin.
It would be helpful to know where to look for more debug information.