Active Directory

ara3n Member Posts: 9,256
Hello

I ran into this problem today, didn't know what was the cause, but I'm guessing AD is the reason.
Client is testing in preprod using 5.0 on SQL, and with Windows authentication with Standard security. Using AD groups to set up NAV roles.

They moved the db to production environment and it has a different Active Directory with new AD groups that we set up.
Users cannot log in under the group.
Is there something special about creating groups on AD that I should watch for?
I have not spent much time with AD to know the issues.

The error they get is login and pw did not match using Windows authentication. When adding the user, they can log in, but they don't want to set up/maintain roles for each user.
Ahmed Rashed Amini
Independent Consultant/Developer


blog: https://dynamicsuser.net/nav/b/ara3n

Answers

  • ara3n Member Posts: 9,256
    Oops, in the wrong forum.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • garak Member Posts: 3,263
    Do you make it right, it works too!
  • kine Member Posts: 12,562
    ara3n wrote:
    Hello

    I ran into this problem today, didn't know what was the cause, but I'm guessing AD is the reason.
    Client is testing in preprod using 5.0 on SQL, and with Windows authentication with Standard security. Using AD groups to set up NAV roles.

    They moved the db to production environment and it has a different Active Directory with new AD groups that we set up.
    Users cannot log in under the group.
    Is there something special about creating groups on AD that I should watch for?
    I have not spent much time with AD to know the issues.

    The error they get is login and pw did not match using Windows authentication. When adding the user, they can log in, but they don't want to set up/maintain roles for each user.

    The problem is that you cannot set up outside the domain... because AD is not working with names, but with GUIDs (SIDs) for each object. And each time you create a group/user it will have a different GUID; it means what you created is not what they are using...
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • Administrator Member, Moderator, Administrator Posts: 2,499
    [Topic moved from Upcoming version NAV "6.0" (formerly NAV 5.1) to Navision forum]
  • garak Member Posts: 3,263
    Question:
    did I not say this in the link, or is this not understandable?
    Do you make it right, it works too!
  • kine Member Posts: 12,562
    garak wrote:
    Question:
    did I not say this in the link, or is this not understandable?

    Sorry, I didn't follow the link... :-#
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • ara3n Member Posts: 9,256
    We deleted all the Windows users.

    Entered them manually in the new db, and synched and still couldn't log in.

    The issue is that if we add the user with security roles, they can log in.

    When we add the group with roles, they cannot.


    Standard security model.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • kine Member Posts: 12,562
    ara3n wrote:
    We deleted all the Windows users.

    Entered them manually in the new db, and synched and still couldn't log in.

    The issue is that if we add the user with security roles, they can log in.

    When we add the group with roles, they cannot.


    Standard security model.

    Maybe I don't understand because it is Saturday morning, but what does it mean "user with security roles" and "group with roles"? You mean if you add the user account directly and assign the roles, and if you add an AD group and assign the roles? Just to be sure: if you are adding AD groups into NAV, users must be directly members of this group. They cannot be members of a group which is a member of this group... ;-)

    I assume that both xp_ndo stored procedures exist on your SQL server ...
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • ara3n Member Posts: 9,256
    Yes, if you add an AD group with roles, the users who are in that group cannot log in. If I add the user and give him roles, they can log in.


    xp_ndo is registered on the server, for both groups and userids.

    It all works on the old domain.
    It's the new domain that it doesn't work.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • DenSter Member Posts: 8,305
    I'm sure it's a typo here, but just to be sure... it's usersids, not userids. Mind the 's' in the middle there.
  • ara3n Member Posts: 9,256
    Yes, it's a typo here. I was writing from memory.

    I have the script that I always copy and paste.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • ara3n Member Posts: 9,256
    I've solved the issue.

    In c prompt when you type NET GROUP

    it will list all the groups that are available on domain.


    When you type NET GROUP "GroupName" /DOMAIN

    it will list all the users under the domain.


    The issue was that the Group was created as local domain, and once we created the GROUP that is GLOBAL, the NET GROUP shows the group and we were able to login.


    One more thing: when you copy and paste roles from one group to another, specifically with Windows, it copies the SID as well. So do not copy and paste, but enter the roles manually.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
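
The three conditions this thread ends up identifying (a Global group, direct rather than nested membership, and a SID that belongs to the current domain) can be checked together. The PowerShell below is an added example, not code from any poster; the function name `Test-NavGroupLogin`, its parameters and every sample value are hypothetical, and it assumes the SID recorded with the NAV role assignment has been looked up separately.

```powershell
# Added example: evaluates an AD group against the three causes named in the thread.
# Works on plain objects so it runs offline; all names and SIDs below are constructed.
function Test-NavGroupLogin {
    param(
        [Parameter(Mandatory)] $Group,                  # needs Name, GroupScope, SID
        [Parameter(Mandatory)] $DirectMembers,          # needs SamAccountName, objectClass
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $SidStoredInNav # assumption: read from the NAV login record
    )
    $findings = @()

    # Final post: login only worked once the group was created as Global.
    if ("$($Group.GroupScope)" -ne 'Global') {
        $findings += "Scope of '$($Group.Name)' is $($Group.GroupScope), not Global."
    }

    # kine's reply and the copy/paste note: roles are bound to a SID, not a name.
    if ("$($Group.SID)" -ne $SidStoredInNav) {
        $findings += "SID stored in NAV ($SidStoredInNav) is not this domain's SID for '$($Group.Name)'."
    }

    # kine's second reply: the user must be a direct member, not a member via a nested group.
    $direct = @($DirectMembers | Where-Object {
        $_.objectClass -eq 'user' -and $_.SamAccountName -eq $UserName })
    if ($direct.Count -eq 0) {
        $nested = @($DirectMembers | Where-Object { $_.objectClass -eq 'group' }).SamAccountName -join ', '
        $findings += "'$UserName' is not a direct member. Nested groups present: [$nested]."
    }

    if ($findings.Count -eq 0) { "OK: no issue found for '$UserName' in '$($Group.Name)'." }
    else { $findings }
}

# Constructed sample: a domain-local group, a stale SID from the old domain, a nested member.
$group = [pscustomobject]@{
    Name = 'NAV-Sales'; GroupScope = 'DomainLocal'
    SID  = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
$members = @(
    [pscustomobject]@{ SamAccountName = 'NAV-Sales-EU'; objectClass = 'group' },
    [pscustomobject]@{ SamAccountName = 'jdoe';         objectClass = 'user'  })

Test-NavGroupLogin -Group $group -DirectMembers $members -UserName 'asmith' `
    -SidStoredInNav 'S-1-5-21-9999999999-8888888888-7777777777-1105'

# Against a live domain (ActiveDirectory module), feed it real objects instead:
#   $g = Get-ADGroup -Identity 'NAV-Sales'         # GroupScope and SID are default properties
#   $m = Get-ADGroupMember -Identity 'NAV-Sales'   # direct members only unless -Recursive is given
```

With the constructed sample, all three findings are reported; a Global group whose SID matches and which lists the user directly returns the single OK line.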