No Roles assigned - when browsing AD groups

SOLVED
Occasional Contributor

Hi -

I've configured my 4500 to authenticate on AD. It works except for one aspect of it. If I tell my realm to use AD and, more specifically, an AD group, it reports "no roles" when a user from that group tries to log in. If I set the realm to username is "*" and the authentication to AD, it works fine...

I've confirmed that the users are in the AD group and that the group is active. The SSL can browse the AD server and I can see all groups... but once I select the AD group it doesn't assign roles to the users...

Anyone else have this problem - any fix?

I'm running ver 6.1 R1

1 ACCEPTED SOLUTION

Accepted Solutions
Occasional Contributor

Re: No Roles assigned - when browsing AD groups

Hi Kevin

I'll look at the AD settings again - I did get an error while joining the domain, but I always seem to have this issue. Reading other threads, I was advised to ignore the error and continue with the Realms - there I could see the AD groups, so I stopped focusing on the Auth Server settings - I'll format the box again and remove the SSL computer account from the domain - try again and hopefully this time it will work.

The AD settings are so simple, but yet every time I set one up for a client I get an error joining the domain... maybe a format will help. - I'll let you know

Cheers

Andrew

13 REPLIES
Occasional Contributor

Re: No Roles assigned - when browsing AD groups

What OS are your domain controllers running? 6.4 is the only version supported for 2008 DCs.

You may find it easier to use an AD server for Authentication and LDAP for group assignment.

Occasional Contributor

Re: No Roles assigned - when browsing AD groups

Hi Gavin

We're running 2003 - I just can't figure it out - my roles are correct and I can browse the AD groups from the SSL, but when we try to log in, the SSL says "Authentication successful, but no roles defined"... this is crazy!!! Any more thoughts?

Valued Contributor

Re: No Roles assigned - when browsing AD groups

Can you do a policy trace and post (or PM) the results?
Contributor

Re: No Roles assigned - when browsing AD groups

I've had a problem similar to this, but it gets even more weird. In my case, I have two IVEs in Active/Active, load balanced by DXs. One node will properly map the user based on AD security group membership, but if the user gets sent to the other node, they will get a role mapping failure "No Roles," and cannot log in. Also, if they were previously moved out of a group, the IVE will not see the refresh even though the domain controllers are synch'd. So I opened a case with JTAC, but they have not been able to resolve it.

Get this: the IVE does cache AD group information and for some reason the trigger that tells it to refresh is broken (in certain instances). Here's the summary from JTAC regarding my case (2009-0422-0388):

On 6.0R3.1, using AD server for authentication and role mapping based on security group membership. If a user is removed from a security group and the removal, or if the group membership is exchanged with another one that corresponds to a different role mapping rule, is synched with the domain controllers, the IVE still thinks the user is a member of the previous group and maps the user to the old role.

When the same user logs into a lab unit running 6.3R2, role mapping works correctly. Wondering if this is a flaw in 6.0R3.1.

PTAC understanding of issue/issue reported by customer:

IVE unable to sync the changes made to the AD users. The changes made are reflecting on the Domain controllers but the IVE is still presenting the old roles to them.

Seems the IVE is presenting through the existing cache.

Contributor

Re: No Roles assigned - when browsing AD groups

One of our customers had a similar problem to this once. It turned out that it was to do with the Primary Group that the users had been assigned in AD. As a result, we ended up creating 2 role mapping rules for each group.

e.g.

1. group is "Sales"

2. attribute "Primary Group ID" is "1234"

(where 1234 is the AD group ID for the Sales group)

Might be worth trying.

Keith
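Why Keith's second rule is needed, as an added illustration (this is not code from the thread or from the SA/IVE product): in Active Directory a user's primary group is recorded only in the user's primaryGroupID attribute (the RID of that group), not in the group's member attribute or the user's memberOf back-link. A role-mapping rule that checks group membership by that link therefore never sees users whose primary group is the target group, and they end up with "no roles". The model below assumes two rule types, "group is X" and "attribute equals value", and all DNs, SIDs and RIDs in it are constructed.

```python
# Added example, not from the thread: a small model of how an AD
# group-membership role-mapping rule yields "no roles" for a user whose
# *primary* group is the target group, and how a second rule keyed on the
# primaryGroupID attribute (Keith's workaround) covers that user.
# All directory objects, DNs, SIDs and RIDs below are constructed.

from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


@dataclass
class ADGroup:
    dn: str
    object_sid: str                              # objectSid; trailing component is the RID
    member: list = field(default_factory=list)   # DNs held in the group's 'member' attribute


@dataclass
class ADUser:
    dn: str
    attrs: dict                                  # attributes a role-mapping rule may test


def rid_from_sid(sid: str) -> int:
    """Relative identifier: the trailing component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])


def in_member_list(user: ADUser, group: ADGroup) -> bool:
    """What a 'group is X' rule sees: the member/memberOf link only.
    AD never records a user's primary group in 'member' or 'memberOf'."""
    return user.dn in group.member


def effective_member(user: ADUser, group: ADGroup) -> bool:
    """Real membership: member link OR primaryGroupID equal to the group's RID."""
    primary_rid = int(user.attrs.get("primaryGroupID", -1))
    return in_member_list(user, group) or primary_rid == rid_from_sid(group.object_sid)


def map_roles(user: ADUser, rules: list, groups: dict) -> list:
    """Evaluate a realm's role-mapping rules of two kinds:
       {"type": "group", "group": <group DN>, "role": ...}
       {"type": "attribute", "attribute": <name>, "value": <str>, "role": ...}
    Returns the sorted list of roles assigned (empty list == 'No Roles')."""
    roles = set()
    for rule in rules:
        if rule["type"] == "group" and in_member_list(user, groups[rule["group"]]):
            roles.add(rule["role"])
        elif rule["type"] == "attribute" and \
                str(user.attrs.get(rule["attribute"])) == rule["value"]:
            roles.add(rule["role"])
    return sorted(roles)


# --- constructed directory data --------------------------------------------
SALES = ADGroup(
    dn="CN=Sales,OU=Groups,DC=example,DC=com",
    object_sid=f"{DOMAIN_SID}-1234",
    member=["CN=Alice,OU=Users,DC=example,DC=com"],  # Bob absent: Sales is his primary group
)
GROUPS = {SALES.dn: SALES}

# Alice: ordinary member of Sales; her primary group is Domain Users (RID 513).
ALICE = ADUser("CN=Alice,OU=Users,DC=example,DC=com",
               {"primaryGroupID": 513, "memberOf": [SALES.dn]})
# Bob: primary group changed to Sales, so AD dropped him from Sales' member list.
BOB = ADUser("CN=Bob,OU=Users,DC=example,DC=com",
             {"primaryGroupID": 1234, "memberOf": []})

# Rule set 1: the single group rule from the original realm configuration.
GROUP_ONLY_RULES = [{"type": "group", "group": SALES.dn, "role": "Sales"}]
# Rule set 2: the same plus Keith's attribute rule on Primary Group ID.
RULES_WITH_PRIMARY = GROUP_ONLY_RULES + [
    {"type": "attribute", "attribute": "primaryGroupID", "value": "1234", "role": "Sales"},
]

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.dn.split(",")[0],
              "| group rule only ->", map_roles(user, GROUP_ONLY_RULES, GROUPS),
              "| with primaryGroupID rule ->", map_roles(user, RULES_WITH_PRIMARY, GROUPS))
```

Running it shows Alice mapped to Sales under either rule set, while Bob gets an empty role list with the group rule alone and only picks up Sales once the primaryGroupID rule is present. The same gap applies to Domain Users, which is the default primary group and so has an almost empty member attribute even though every account belongs to it.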

Occasional Contributor

Re: No Roles assigned - when browsing AD groups

Thanks Keith, I had the same issue. I just used the attributes instead of the actual groups and it worked!!
Occasional Contributor

Re: No Roles assigned - when browsing AD groups

Hi Kevin

Attached is the output you asked for... one can see from the log that the auth is correct, but it still won't assign any roles to the user.

Let me know your thoughts

adiXion

ps - excuse the family pic - I have two screens... LOL

Valued Contributor

Re: No Roles assigned - when browsing AD groups

Cute baby :)

I don't have access to my SSL box from an admin perspective as I am traveling today, so I can't do any comparisons to my box. But a quick look at the screenshot shows that the group lookup from the SA box into the domain is failing. No groups are "found" in the domain, so the role map test fails as a result of that.

About halfway down, the SSL box tries to do a group lookup using Winbind and that fails, so no groups are returned. Then I noticed that your Winbind auth failed during the initial attempt to communicate. Winbind is used to pull the groups for your user to match against.

So you have got to solve the communication issue between the SSL and the domain. I would try this. On your AD box - delete the computer name entry for the SSL Box. Resave the Auth Server setup again and see how that goes.
