aws / res

Research and Engineering Studio (RES) is an AWS supported open source product that enables IT administrators to provide an easy-to-use web portal for scientists and engineers to run technical computing workloads on AWS.
https://github.com/aws/res
Apache License 2.0

[BUG] - Failed to login using AD users and can login only via clusteradmin #68

Open shankar0203 opened 1 month ago

shankar0203 commented 1 month ago

Launched the RES portal and was able to log in successfully via clusteradmin. However, apart from clusteradmin, I am unable to view any of the other users that are created by default in the Windows AD launched as part of the RES setup. Tried creating a new AD user and did a sync via SQS as mentioned in the documentation. However, it's not working.

Sync between Windows AD created by RES setup and Cognito is not working.

shankar0203 commented 1 month ago

Hi Team,

Issue: AD Users Unable to Log into RES Portal

We are continuing to face problems where only the clusteradmin account is able to log into the RES (Research and Engineering Studio) portal, while Active Directory (AD) users from the Windows AD setup are not recognized.

Recent Steps:

It appears that the synchronization between Windows AD and AWS Cognito is not functioning correctly, preventing AD user logins.

xiangshn commented 1 month ago

Hi, could you please cut a ticket and provide the cluster manager logs? Thanks.

shankar0203 commented 1 month ago

> Hi, could you please cut a ticket and provide the cluster manager logs? Thanks.

Hi - I have attached the cluster manager logs for your reference. log-events-viewer-result-1.txt

Murielxun commented 1 month ago

Hi there, checked the log and found the following error message: [INVALID_PARAMS] Invalid parameters: email is required.

When adding a user in the Windows AD server, email is required to successfully sync from AD to RES. Also, SSO setup is required to log in as AD users. The instructions for setting up using the AWS Managed AD can be found here: https://docs.aws.amazon.com/res/latest/ug/sso-idc.html

Could you try filling in the email and setting up SSO, then trigger AD sync manually and retry logging in as the AD user?
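
A pre-sync check for the email requirement described in the comment above, as an added example (not part of the thread and not RES code): it scans an LDIF export of AD user objects and lists the accounts that have no non-empty `mail` value. The sample entries are constructed; it is an assumption that the export contains only user objects and that the required email corresponds to the AD `mail` attribute.

```python
import base64

# Constructed sample in the LDIF form produced by an AD export; not real accounts.
SAMPLE_LDIF = """\
dn: CN=user1,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName: user1
mail: user1@example.com

dn: CN=user2,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName: user2

dn: CN=user3,OU=Users,DC=corp,DC=example,DC=com
sAMAccountName:: dXNlcjM=
mail:

dn: CN=user4,OU=Users,DC=corp,DC=exam
 ple,DC=com
sAMAccountName: user4
mail: user4@example.com
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():                # a blank line ends the current entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, rest = line.partition(":")
        # "attr:: value" marks a base64-encoded value; "attr: value" is plain text
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest.strip())
        entry.setdefault(attr.lower(), []).append(value)
    return entries

def users_missing_email(text):
    """Return the sAMAccountName of every entry with no non-empty mail value."""
    return [e.get("samaccountname", ["?"])[0]
            for e in parse_ldif(text)
            if not any(v.strip() for v in e.get("mail", []))]
```

Accounts returned by `users_missing_email` are the ones to fix in AD before triggering the sync again.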

BoPeng commented 3 weeks ago

The first issue, namely, email field is required for AD account to be synced, was reported on #62.

The second issue, namely SSO is required for AD users to work, is discussed at #63. This is very confusing as the documentation seems to suggest otherwise.