Windows AD Groups
Fisherman
Member Posts: 456
Hi all -
Got a quick question about AD Groups as Windows Logins -
I've added my own AD security group to SQL as a login, to the Navision Database as a database user, and to Navision itself through the Windows Login screen. Resynced Navision security... When I switch my authentication type to Windows, I can log in with no problems - great so far... keep in mind, that I'm a member of the Administrator group, which also has logon rights to all three levels...
Now, I added one of our Accounting Department's Security groups in the same manner and resynced. I went to a member of that group and had him try to log on using Windows Authentication - no dice. I refreshed AD from the PDC to the BDC - no dice. I added another security group to which he is a member - no dice. I had him log off and back on while I resynchronized Navision security (again), no dice...
Has anyone been able to get this to work correctly? I'd like to create our organizational hierarchy in AD, add the AD Groups to Navision, and then assign the permissions to those groups, but I'm having a hell of a time doing it. Are there any good Microsoft resources available on how to get this done?
Thanks.
Comments
With 4.x you need to assign each member of the AD group as a Windows Login in Navision along with the AD group itself. You only need to assign roles to the AD Group user.
This is documented somewhere, but I can't remember where right now.
Also, you do not need to add the AD user to SQL manually. The sync should take care of this.
There are no bugs - only undocumented features.
Ahh... the documentation that I have says pretty explicitly that you can add the AD Group, and Navision would perform authentication from there (Chapter 8 - Security... but I think it may be an older version of the docs. It's all I've been able to get from our NSC).
Did it work that way in 3.x? If so, then why in the world would they change it? I would think that would be the desired behavior?
"Also, you do not need to add the AD user to SQL manually. The sync should take care of this."
So.. add the Group as a Database Login and user, and to Navision as a Windows Login. Assign Roles and Permissions to the Group, and then I only have to add the windows login to Navision from that point?
wait a tick, though...
My Windows User Login is not set up in Navision, only the MIS and Administrator security groups.. and I'm able to log in with Windows Auth....
Yes, this did work differently in version 3. I understand that the change was to conform with the tighter Windows 2003 security model.
You should not need to add anything manually in SQL. Just create your AD groups and assign users. Then add them to Navision as Windows logins and sync. The user doing the sync must be a member of the SQL security admin role or higher.
There are no bugs - only undocumented features.
"My Windows User Login is not set up in Navision, only the MIS and Administrator security groups.. and I'm able to log in with Windows Auth"
Didn't you say you were an Administrator? This basically overrides everything.
There are no bugs - only undocumented features.
OK... so the fact that I'm a Domain Administrator somehow overrides everything in Navision?
Man.. this is just screwy. The old model of mapping organizational hierarchy through AD groups and adding those to Navision just makes more sense. I don't see how this really provides any tighter security.
Do people like this new model?
"Man.. this is just screwy"
I can't disagree with you. I used to have a 2.6 site with ~300 authorized users. With 20 to 30 user changes a month, the old model made this a breeze to manage.
There are no bugs - only undocumented features.
Stay tuned, the rumor is that it will be possible to select the "old"/"easy" way of handling security in v.4 SP3 (planned release in October / November).
It is simple. You just need to remember:
1) You can add a group into Navision and connect Navision roles to this group
2) Users must have an account for their user account in Navision (but it can be without any role)
3) Users must be direct members of the group used in Navision; it is not possible to use nested groups
(It must be NAV Role - AD Group - AD User; NAV Role - AD Group - AD Group - AD User is not allowed)
4) You need to run the synchronization process over the user ID, not over the group; sync for the group does nothing...
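An added example, not part of the thread and not Navision or Microsoft code: the four points in the reply above, written as a PowerShell check over constructed sample data. The domain, group and user names and the helper name Get-NavGroupLoginReport are hypothetical; in a live domain the member lists could be built from Get-ADGroupMember.

```powershell
# Constructed sample data (not from the thread): AD group -> direct members.
$Members = @{
    'EXAMPLE\Accounting' = @(
        @{ Name = 'EXAMPLE\alice';     Class = 'user'  },
        @{ Name = 'EXAMPLE\bob';       Class = 'user'  },
        @{ Name = 'EXAMPLE\AP-Clerks'; Class = 'group' }
    )
    'EXAMPLE\AP-Clerks'  = @(
        @{ Name = 'EXAMPLE\carol';      Class = 'user'  },
        @{ Name = 'EXAMPLE\Accounting'; Class = 'group' }   # circular nesting
    )
}
# Constructed: entries on the Navision Windows Logins screen.
$Logins = @('EXAMPLE\Accounting', 'EXAMPLE\alice', 'EXAMPLE\carol')

# Hypothetical helper: applies points 1-4 of the reply above to one group.
function Get-NavGroupLoginReport {
    param([string]$Group, [hashtable]$Members, [string[]]$Logins)

    if ($Logins -notcontains $Group) {
        Write-Warning "$Group is not a Navision Windows Login (point 1)"
    }
    $seen  = @{}; $seen[$Group] = $true     # guards against circular nesting
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Name = $Group; Depth = 0 })

    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        foreach ($m in $Members[$g.Name]) {
            if ($m.Class -eq 'group') {
                # Walk nested groups only to report who is hidden behind them.
                if (-not $seen.ContainsKey($m.Name)) {
                    $seen[$m.Name] = $true
                    $queue.Enqueue(@{ Name = $m.Name; Depth = $g.Depth + 1 })
                }
                continue
            }
            $status = if ($g.Depth -gt 0) {
                "Reached only via nested group $($g.Name): roles not applied (point 3)"
            } elseif ($Logins -notcontains $m.Name) {
                'No Windows Login of their own in Navision (point 2)'
            } else {
                'OK: synchronize this user ID, not the group (point 4)'
            }
            [pscustomobject]@{ User = $m.Name; Status = $status }
        }
    }
}

Get-NavGroupLoginReport -Group 'EXAMPLE\Accounting' -Members $Members -Logins $Logins |
    Format-Table -AutoSize
```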
Thanks guys - I'll be anxiously awaiting SP3...
"It is simple. You just need to remember..."
Thanks for the synopsis kine. It is simple... but it is simpler still to just be able to add/map the AD groups.
Fisherman:
4.0 SP2 Update 02 introduces the new option that allows you to choose between the old security model (prior to 4.0) and the new security (4.0 and above).
You should contact your NSC/Microsoft to get the update...so far, we have not encountered any issues and use the Standard security model (prior to 4.0) that allows us to make changes to table data w/o synching the users!
Scott Frappier
Vice President, Deployment Operations
Symbiant Technologies, Inc.
http://www.symbiantsolutions.com
