Closed dbaars closed 10 months ago
Are the users who can log in vs not in different domains?
Have you added the AMS service account to the groups as specified in our install guide?
Hi Ryan, thanks for the reply.
Same domain - different OU.
Yes, if you mean the Access Control Assistance Operators and Windows Authorization Access Group.
In the AMS Configuration tool it also has green ticks -
Dylan
Thanks for confirming Dylan
This is most likely that the default permissions have been changed on the objects in those OUs. Try adding the AMS service account with permissions to read all user and group objects in the OU that is not working, and see if that resolves the issue.
Morning Ryan,
Well, after a lot of testing I tracked it down to 1 group (the "role" group) being in some odd state. I didn't really investigate security permissions on it; once I had narrowed it down to that group I deleted and re-created it, and now everything is working. Thanks for your help!
Dylan
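One way to look for the kind of changed object permissions suggested in this thread, as an added example that is not from the thread or from the Lithnet project: it lists user and group objects under an OU whose ACL has inheritance blocked or carries a deny ACE covering property reads. The OU path is a placeholder, and the script is a triage heuristic, not an effective-access calculation.

```powershell
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder (assumption): the OU holding the accounts that cannot sign in.
$SearchBase = 'OU=Example,DC=example,DC=com'

$readBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$deny    = [System.Security.AccessControl.AccessControlType]::Deny

Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' `
    -Properties nTSecurityDescriptor, adminCount |
  ForEach-Object {
    $sd = $_.nTSecurityDescriptor
    if ($null -eq $sd) {
        # The caller could not read the security descriptor at all.
        $blocked  = $null
        $denyRead = @()
        $note     = 'security descriptor not readable'
    } else {
        $rules    = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        # Deny ACEs whose rights include reading properties.
        $denyRead = @($rules | Where-Object {
            $_.AccessControlType -eq $deny -and
            (([int]$_.ActiveDirectoryRights) -band $readBit) -ne 0
        })
        $blocked  = $sd.AreAccessRulesProtected
        $note     = ''
    }
    [pscustomobject]@{
        Name               = $_.Name
        ObjectClass        = $_.ObjectClass
        InheritanceBlocked = $blocked
        # adminCount = 1 marks objects stamped by AdminSDHolder, which also
        # disables inheritance on them.
        AdminCount         = $_.adminCount
        DenyReadTrustees   = ($denyRead.IdentityReference.Value | Sort-Object -Unique) -join '; '
        Note               = $note
        DistinguishedName  = $_.DistinguishedName
    }
  } |
  # Keep only objects that deviate from a plain inherited ACL.
  Where-Object { $_.InheritanceBlocked -or $_.DenyReadTrustees -or $_.Note } |
  Format-Table -AutoSize -Wrap
```

Run it as an account that can read security descriptors in the OU; objects the caller cannot see at all are not returned by the query, so comparing the row count against a run as the service account shows what that account is missing.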
Describe the bug
Unable to login with certain accounts. On the user side (i.e. web login) they just get re-prompted for authentication details (user/pass). In Lithnet Access Manager Service Configuration > Authorization rules > Computers, if I use the "Effective access" button to test the user account, I receive an error
The account is a member of the group given access control to the OU where the computer object is
The account is a member of the group under App Configuration / User authentication / Sign-in restrictions
The user and computer accounts are in the same directory
To Reproduce
Steps to reproduce the behavior:
Lithnet Access Manager configuration error:
In access-manager-service log I see
User login:
In access-manager-ui log file
Expected behavior
Account can login and view LAPS passwords
Effective access check returns a result
Screenshots
Access Manager installation
Logs
See above