Active Directory

ara3n
Member Posts: 9,258
Hello
I ran into this problem today, didn't know what was the cause, but I'm guessing AD is the reason.
Client is testing in preprod using 5.0 on SQL, and with Windows authentication with Standard security. Using AD groups to set up NAV roles.
They moved the db to production environment and it has a different Active Directory with new AD groups that we set up.
Users cannot log in under the group.
Is there something special about creating groups on AD that I should watch for?
I have not spent much time with AD to know the issues.
The error they get is login and pw did not match using Windows authentication. When adding the user, they can log in, but they don't want to set up/maintain roles for each user.
Answers
-
Oops, in the wrong forum.
-
Do you make it right, it works too!
-
ara3n wrote: Hello
I ran into this problem today, didn't know what was the cause, but I'm guessing AD is the reason.
Client is testing in preprod using 5.0 on SQL, and with Windows authentication with Standard security. Using AD groups to set up NAV roles.
They moved the db to production environment and it has a different Active Directory with new AD groups that we set up.
Users cannot log in under the group.
Is there something special about creating groups on AD that I should watch for?
I have not spent much time with AD to know the issues.
The error they get is login and pw did not match using Windows authentication. When adding the user, they can log in, but they don't want to set up/maintain roles for each user.

The problem is that you cannot set it up outside the domain... because AD is not working with names, but with GUIDs (SIDs) for each object. And each time you create a group/user it will have a different GUID, which means what you created is not what they are using...
-
[Topic moved from Upcoming version NAV "6.0" (formerly NAV 5.1) to Navision forum]
-
Question:
Did I not say this in the link, or is this not understandable?
Do you make it right, it works too!
-
garak wrote: Question:
Did I not say this in the link, or is this not understandable?

Sorry, I didn't follow the link... :-#
-
We deleted all the Windows users.
Entered them manually in the new db, and synched and still couldn't log in.
The issue is that if we add the user with security roles, they can log in.
When we add the group with roles, they cannot.
Standard security model.
-
ara3n wrote: We deleted all the Windows users.
Entered them manually in the new db, and synched and still couldn't log in.
The issue is that if we add the user with security roles, they can log in.
When we add the group with roles, they cannot.
Standard security model.

Maybe I don't understand because it is Saturday morning, but what does "user with security roles" and "group with roles" mean? You mean if you add the user account directly and assign the roles, and if you add an AD group and assign the roles? Just to be sure: if you are adding AD groups into NAV, users must be direct members of this group. They cannot be members of a group which is a member of this group... ;-)
I assume that both xp_ndo stored procedures exist on your SQL server ...
-
Yes, if you add an AD group with roles, the users who are in that group cannot log in. If I add the user and give him roles, they can log in.
xp_ndo is registered on the server, for both groups and userids.
It all works on the old domain.
It's the new domain where it doesn't work.
-
I'm sure it's a typo here, but just to be sure... it's usersids, not userids. Mind the 's' in the middle there.
-
Yes, it's a typo here. I was writing from memory.
I have the script that I always copy and paste.
-
I've solved the issue.
In the C prompt, when you type NET GROUP
it will list all the groups that are available on the domain.
When you type NET GROUP "GroupName" /DOMAIN
it will list all the users under the domain.
The issue was that the group was created as local domain, and once we created the group as GLOBAL, NET GROUP showed the group and we were able to log in.
One more thing: when you copy and paste roles from one group to another, specifically with Windows, it copies the SID as well. So do not copy and paste, but enter the roles manually.
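
The three conditions raised in this thread (group scope, the SID stored with the NAV login, and direct rather than nested membership) can be checked together before a database is moved to a new domain. The PowerShell below is an added example, not part of any post above; `Test-NavGroupLogin`, the group names and the SIDs are constructed for illustration, and the commented live-domain lines assume the ActiveDirectory module is installed.

```powershell
# Added example. Test-NavGroupLogin and all sample names/SIDs are constructed.
function Test-NavGroupLogin {
    param(
        [Parameter(Mandatory)] $Group,                  # needs Name, GroupScope, SID, Members
        [Parameter(Mandatory)] [string] $SidStoredInNav # SID saved with the group's NAV login
    )
    $findings = @()

    # 1. Scope: in the thread, login worked only once the group was created as Global.
    if ("$($Group.GroupScope)" -ne 'Global') {
        $findings += "scope is '$($Group.GroupScope)'; the working group in the thread was Global"
    }

    # 2. SID: a group recreated in another domain (or roles copied from another
    #    login) leaves NAV holding a SID that is not this group's SID.
    if ("$($Group.SID)" -ne $SidStoredInNav) {
        $findings += "NAV holds SID $SidStoredInNav but the group's SID is $($Group.SID)"
    }

    # 3. Membership: per the thread, users must be direct members of the group.
    foreach ($m in @($Group.Members | Where-Object { $_.objectClass -eq 'group' })) {
        $findings += "'$($m.Name)' is a nested group; its users are not direct members"
    }

    [pscustomobject]@{
        Group    = $Group.Name
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: a domain local group whose NAV login still holds the old SID.
$sample = [pscustomobject]@{
    Name       = 'NAV-Accounting'
    GroupScope = 'DomainLocal'
    SID        = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    Members    = @(
        [pscustomobject]@{ Name = 'jdoe';        objectClass = 'user'  },
        [pscustomobject]@{ Name = 'Finance-All'; objectClass = 'group' }
    )
}
$oldSid = 'S-1-5-21-4444444444-5555555555-6666666666-1105'   # constructed
Test-NavGroupLogin -Group $sample -SidStoredInNav $oldSid | Format-List

# Against a live domain (ActiveDirectory module), build the same shape:
#   $g  = Get-ADGroup -Identity 'NAV-Accounting'
#   $in = [pscustomobject]@{ Name = $g.Name; GroupScope = $g.GroupScope; SID = $g.SID
#                            Members = (Get-ADGroupMember -Identity $g) }
```

For the constructed sample, the result has `Ok` set to false with three findings, one per check.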