Hello
I ran into this problem today, didn't know what was the cause, but I'm guessing AD is the reason.
Client is testing in preprod using 5.0 on sql, and with windows authenication with Standard security. Using AD groups to setup NAV roles.
They moved the db to production environment and it has a different Active directory with new AD groups that we setup.
Users cannot login under the group.
Is there something special about creating groups on AD that I should watch for?
I have not spent much time with AD to know the issues.
The error they get is login and pw did not match using windows authenication. When adding the user, they can login, but they don't want to setup/maintain roles for each user.
Ahmed Rashed Amini
Independent Consultant/Developer
blog:
https://dynamicsuser.net/nav/b/ara3n0
Answers
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
http://www.mibuso.com/forum/viewtopic.php?t=23830
The problem is, that you cannot setup outside the domain... because AD is not working with names, but GUIDs (SIDs) for each object. And each time you create group/user it will have different GUID, it means what you created is not what they are using...
MVP - Dynamics NAV
My BLOG
NAVERTICA a.s.
did i not say this in the link or is this not understandable ?
Sorry, I didn't follow the link... :-#
MVP - Dynamics NAV
My BLOG
NAVERTICA a.s.
Entered them manually in the new db, and synched and still couldn't login.
The issue is that if we add the user with security roles, they can login.
When we add the group with roles, they cannot.
Standard security model.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
May be I don't understand because it is Saturday morning, but what does it mean "user with security roles" and "group with roles"? You means if you add directly the user account and assign the roles, and if you add AD group and assign the roles? Just to be sure- if you are adding AD groups, into NAV, users must be directly members of this group. Cannot be members of group which is member of this group... ;-)
I assume that both xp_ndo stored procedures exist on your SQL server ...
MVP - Dynamics NAV
My BLOG
NAVERTICA a.s.
xp_ndo is registered on the server. for both groups and userids.
It all works on the old domain.
It's the new domain that it doesn't work.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
RIS Plus, LLC
I have the script that i always copy and paste.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
In c prompt when you type NET GROUP
it will list all the groups that are available on domain.
When you type NET GROUP "GroupName" /DOMAIN
it will list all the users under the domain.
The issue was that the Group was created as local domain, and once we created the GROUP that is GLOBAL, the NET GROUP shows the group and we were able to login.
One more thing, when you copy and past roles from one group to another specifically with windows, it copies the SID as well. So do not copy and paste, but enter the roles manually.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n