Advice on troubleshooting identity provider issues (specifically AD)?

Question asked by John Goodman Employee on Feb 23, 2017
Latest reply on Feb 25, 2017 by Jon Chinitz

I seem to consistently have problems with HCI and AD. Does anybody have any pointers on troubleshooting HCI with AD?

I'm currently trying to use our lab AD (Windows Server 2016 Standard) with HCI (1.1.0.62) and can successfully add it as an Identity Provider. I've created two roles: 1) Admin, 2) User. I've also successfully created a Domain Admins group and a Domain Users group and assigned Admin and User to them respectively. When I try to log in as either a domain admin or a domain user, I get a "Not Authorized Error. Please contact your system administrator."

The only message in the catalina logs looks like this:

2017-02-23 23:41:54,756 WARN [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.security.realm.JwtRememberMeManager [JwtRememberMeManager.java:186] Principals do not contain a string and uuid: john@HFL.hds.com
2017-02-23 23:41:54,757 INFO [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.auth.oauth.AbstractOAuthServlet [AbstractOAuthServlet.java:85] Principals do not contain a string and uuid: john@HFL.hds.com

The admin and default_access logs both show:

10.76.35.29 - admin [23/Feb/2017:23:40:45 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
10.76.35.29 - admin [23/Feb/2017:23:41:54 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25

So what is the trick to get HCI to authenticate off AD?
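A small triage helper for the log excerpts posted above, added here as an example and not part of the original post or of HCI itself: it parses the catalina lines and the admin/default_access lines, then pairs each 403 on POST /auth/oauth/ with the catalina WARN/INFO messages logged within a couple of seconds of it, so you can see which principal each rejected login belonged to. It assumes the catalina timestamps are UTC (they carry no zone, while the access log does) and that a two-second window is tight enough to tie a message to a request; both are assumptions, and the sample log lines are copied from the question.

```python
"""Pair 403s on /auth/oauth/ with nearby catalina warnings (added example).

Assumptions: catalina timestamps are UTC (no zone in the line), and a catalina
message within WINDOW seconds of a 403 belongs to that same login attempt.
"""
import re
from datetime import datetime, timezone

# Sample input constructed from the log lines quoted in the question.
CATALINA = """\
2017-02-23 23:41:54,756 WARN [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.security.realm.JwtRememberMeManager [JwtRememberMeManager.java:186] Principals do not contain a string and uuid: john@HFL.hds.com
2017-02-23 23:41:54,757 INFO [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.auth.oauth.AbstractOAuthServlet [AbstractOAuthServlet.java:85] Principals do not contain a string and uuid: john@HFL.hds.com
"""
ACCESS = """\
10.76.35.29 - admin [23/Feb/2017:23:40:45 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
10.76.35.29 - admin [23/Feb/2017:23:41:54 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
"""

CATALINA_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<level>\w+) "
    r"\[[^\]]*\] \[[^\]]*\] (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$')
# The principal HCI names at the end of the "Principals do not contain" message.
PRINCIPAL_RE = re.compile(r"uuid: (?P<principal>\S+)$")


def parse_catalina(text):
    """Return one dict per parseable catalina line, timestamps assumed UTC."""
    events = []
    for line in text.splitlines():
        m = CATALINA_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        p = PRINCIPAL_RE.search(m["msg"])
        events.append({
            "ts": ts,
            "level": m["level"],
            "logger": m["logger"].rsplit(".", 1)[-1],   # short class name
            "msg": m["msg"],
            "principal": p["principal"] if p else None,
        })
    return events


def parse_access(text):
    """Return one dict per parseable access-log line (timezone taken from the line)."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        requests.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return requests


def correlate(catalina_text, access_text, path="/auth/oauth/", window=2):
    """For each failed request to `path`, collect catalina messages within `window` s."""
    events = parse_catalina(catalina_text)
    report = []
    for req in parse_access(access_text):
        if req["path"] != path or req["status"] < 400:
            continue
        near = [e for e in events
                if abs((e["ts"] - req["ts"]).total_seconds()) <= window]
        report.append({
            "ts": req["ts"].isoformat(),
            "status": req["status"],
            "principals": sorted({e["principal"] for e in near if e["principal"]}),
            "messages": [f'{e["level"]} {e["logger"]}: {e["msg"]}' for e in near],
        })
    return report


if __name__ == "__main__":
    for entry in correlate(CATALINA, ACCESS):
        who = ", ".join(entry["principals"]) or "(no catalina message nearby)"
        print(f'{entry["ts"]} {entry["status"]} {who}')
        for msg in entry["messages"]:
            print("   ", msg)
```

On the quoted lines the first 403 (23:40:45) has no catalina message near it, while the second (23:41:54) lines up with both "Principals do not contain a string and uuid" messages for john@HFL.hds.com, which at least confirms the rejection is happening after the user has been identified by UPN rather than at the AD bind.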