Forum / Devolutions Password Server - Support

Roles based on AD groups working erratically


Hi,

We're trying to secure RDM based on AD groups. This is not working as it should for most users (but works fine for others):
- Roles based on explicit membership (non-AD) work fine
- Roles based on AD membership work for some users, not for others

I have been unable to find anything special about the users that it works for or that it doesn't work for.

We've just upgraded to 5.1.1 (from 4.7.1) but that didn't help (it didn't work in either version).

For both the users that AD groups work for and the users where they don't, on successful authentication I see two debug messages in the server logs, logged by the RDMSMembershipProvider:
ProcessDomainUserInfo using userName/password - Enter
ProcessDomainUserInfo using userName/password - Exit

No more details are given and no other entries are logged.

Windows logs show nothing special. Only the security log showing a security Audit Success Logon (4648, A logon was attempted using explicit credentials) for the username signing in so that's as was expected plus of course the same message as above in the Devolutions log.

For the users that it works for, everything is working like a charm. Even nested groups (if the checkbox is set and not if it's cleared, as it should).

I've tried recycling the app pool and even rebooting the server. Results stay the same: for the same users it keeps working, for the same users it stays broken.

The only thing that changed anything is I deleted a user that it DID work for and after recreating it, it NO LONGER worked (sign in works but has no access to items secured by AD groups, items secured by non-AD groups work). Tried recreating by username and recreating by AD lookup, no difference.

I've even tried things that should matter (because for some users it works): AD access for the AD account works fine (runas -> AD Users and groups -> view group membership).

Any ideas on what to try next?

2 yrs

Hello,

For the users experiencing issues, could you have them run the File - My Data Source Information tool? In it, we will see what we are able to load from AD and in consequence, which roles have been assigned based on AD group membership.

Best regards,



Maurice Côté


2 yrs

I've sent it using the button. The interesting part is probably that under 'Active Directory groups' (Roles tab) it only shows Domain Users and not the actual groups the user is a member of. For a user that does work, all groups are listed.

Big question now is of course WHY does it resolve group membership correctly for some but not for others?

2 yrs

Ok, I think I found the problem.

The user that queries group membership has different permissions on the different accounts. It appears that users that were created in a specific time interval (I'm guessing between 2003-2010) behave differently than others. Ah, the joy of an AD that has seen too many Exchange and Lync versions.

I think I can sort it out from here! Thanks for your help!

2 yrs

All good, thanks for keeping us posted.



Maurice Côté


2 yrs

Ok, I've fixed this by delegating 'read member, memberof' on groups and 'read memberof' on users to the service account. The groups are now correctly listed under 'Active Directory groups' (Roles tab) and also as roles.

Unfortunately, the items secured by these roles are still not visible unless I remove the data source and add it back again for the user or edit the object the rights apply to. I tried using File->Refresh, closing and opening the data source, restarting RDM, recycling the application pool, flushing the server cache but none of these seems to help...

Apparently some cache is still in the way. Any idea what and how I could flush it?

2 yrs
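The symptom in this thread (the service account reading only Domain Users for some users, all groups for others) can be checked across a whole OU before touching any ACLs. The script below is an added example, not code from Devolutions or from the thread; it assumes the RSAT ActiveDirectory module, a reachable domain controller, and a service account name that are all placeholders here. It reads each user's memberOf attribute once with your own (admin) credentials and once with the service account's credentials, reports the users where the service account sees fewer groups, and flags objects whose ACL has inheritance disabled, because an OU-level delegation of "Read memberOf" never reaches those.

```powershell
# Added example (not Devolutions' code). Assumptions: RSAT ActiveDirectory module
# installed, the names below are placeholders for your environment, and the
# account running the script can read memberOf on every user in $SearchBase.
param(
    [string]$Server         = "dc01.example.local",            # placeholder DC
    [string]$SearchBase     = "OU=Staff,DC=example,DC=local",  # placeholder OU
    [string]$ServiceAccount = "EXAMPLE\svc-rdm"                # placeholder lookup account
)

Import-Module ActiveDirectory

# Credentials of the account the server uses for its AD lookups.
$svcCred = Get-Credential -UserName $ServiceAccount -Message "Password for the AD lookup service account"

# Admin view: the real content of memberOf for every user in scope.
# Note: the primary group (normally Domain Users) is never listed in memberOf;
# it comes from primaryGroupID, which is why it still showed up for broken users.
$adminView = Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * `
                -Properties memberOf, whenCreated

$report = foreach ($u in $adminView) {
    # Same object read as the service account. If the ACL on this user does not
    # grant that account 'Read memberOf', the attribute comes back empty.
    $svcView = Get-ADUser -Server $Server -Credential $svcCred `
                  -Identity $u.DistinguishedName -Properties memberOf

    # Objects with inheritance blocked do not receive a delegation made on the OU,
    # so a fix applied at OU level leaves them unchanged.
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Created              = $u.whenCreated
        GroupsAdminSees      = @($u.memberOf).Count
        GroupsSvcSees        = @($svcView.memberOf).Count
        InheritanceBlocked   = $acl.AreAccessRulesProtected
    }
}

# Only the users where the service account is missing groups, oldest first,
# so a "created between years X and Y" pattern like the one above stands out.
$report |
    Where-Object { $_.GroupsSvcSees -lt $_.GroupsAdminSees } |
    Sort-Object Created |
    Format-Table SamAccountName, Created, GroupsAdminSees, GroupsSvcSees, InheritanceBlocked -AutoSize
```

Run it before and after delegating "Read memberOf" on users and "Read member, memberOf" on groups to the service account: the list should shrink to empty, and any user still listed with InheritanceBlocked set to True needs the read permission granted on the object itself (or inheritance re-enabled) rather than on the OU.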

Hello,

Just using the File - Refresh isn't enough to refresh the local cache file. You could try with CTRL+F5 within RDM.

If that doesn't help either, you can delete the local cache file in the data source configuration (File - Data Sources): go to the Settings tab, click the Manage Cache button to open the Manage Cache dialog, then click the Delete button to delete the local cache file.



Best regards,



Érica Poirier


2 yrs

Thanks. Ctrl-F5 works like a charm!

2 yrs