I seem to consistently have problems with HCI and AD. Does anybody have any pointers on troubleshooting HCI with AD?
I'm currently trying to use our lab AD (Windows Server 2016 Standard) with HCI (18.104.22.168) and can successfully add it as an Identity Provider. I've created two roles: 1) Admin, 2) User. I've also successfully created a Domain Admins and a Domain Users group and assigned Admin and User to them respectively. When I try to log in as either a domain admin or a domain user, I get a "Not Authorized Error. Please contact your system administrator."
The only message in the catalina logs looks like this:
2017-02-23 23:41:54,756 WARN [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.security.realm.JwtRememberMeManager [JwtRememberMeManager.java:186] Principals do not contain a string and uuid: john@HFL.hds.com
2017-02-23 23:41:54,757 INFO [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.auth.oauth.AbstractOAuthServlet [AbstractOAuthServlet.java:85] Principals do not contain a string and uuid: john@HFL.hds.com
The admin and default_access logs both show:
10.76.35.29 - admin [23/Feb/2017:23:40:45 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
10.76.35.29 - admin [23/Feb/2017:23:41:54 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
So what is the trick to get HCI to authenticate off AD?
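Added example (not part of the post above, and not HCI's own tooling): a small script that parses the two log shapes quoted in the post and pairs each 403 on POST /auth/oauth/ with the "Principals do not contain a string and uuid" warning logged around the same time, so you can see which principal each failed login attempt was for. The sample lines are constructed to match the post; the assumptions are that the catalina timestamps are UTC (the access log shows +0000) and that a warning within a few seconds of a 403 belongs to the same attempt.

```python
"""Correlate HCI catalina 'Principals...' warnings with /auth/oauth/ 403s.

Illustrative example added for this post; not code from the original post
or from HCI. Assumptions: catalina timestamps are UTC, and a WARN line
within `window` seconds of a 403 belongs to the same login attempt.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, shaped like the ones quoted in the post.
CATALINA_LOG = """\
2017-02-23 23:41:54,756 WARN [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.security.realm.JwtRememberMeManager [JwtRememberMeManager.java:186] Principals do not contain a string and uuid: john@HFL.hds.com
2017-02-23 23:41:54,757 INFO [runFederatedQuery] [catalina-exec-22] com.hds.ensemble.auth.oauth.AbstractOAuthServlet [AbstractOAuthServlet.java:85] Principals do not contain a string and uuid: john@HFL.hds.com
"""

ACCESS_LOG = """\
10.76.35.29 - admin [23/Feb/2017:23:40:45 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
10.76.35.29 - admin [23/Feb/2017:23:41:54 +0000] "POST /auth/oauth/ HTTP/1.1" 403 25
"""

CATALINA_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<level>\w+) .*?"
    r"Principals do not contain a string and uuid: (?P<principal>\S+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)


def parse_catalina(text):
    """Return (timestamp, level, principal) for each 'Principals...' line."""
    out = []
    for line in text.splitlines():
        m = CATALINA_RE.match(line)
        if m:
            # Assumption: catalina logs in UTC; milliseconds are dropped.
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append((ts, m["level"], m["principal"]))
    return out


def parse_access(text):
    """Return (timestamp, client ip, path, status) for each access-log line."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m["ip"], m["path"], int(m["status"])))
    return out


def failed_oauth_logins(catalina_text, access_text, window=timedelta(seconds=5)):
    """Pair each 403 on /auth/oauth/ with WARN principals logged within `window`.

    Returns one dict per 403. An empty 'principals' list means no
    'Principals...' warning was logged near that attempt, which is a
    different failure from the one the post shows and worth noting.
    """
    warnings = [
        (ts, principal)
        for ts, level, principal in parse_catalina(catalina_text)
        if level == "WARN"
    ]
    results = []
    for ts, ip, path, status in parse_access(access_text):
        if path != "/auth/oauth/" or status != 403:
            continue
        principals = sorted({p for wts, p in warnings if abs(wts - ts) <= window})
        results.append({"time": ts.isoformat(), "client": ip, "principals": principals})
    return results


if __name__ == "__main__":
    for row in failed_oauth_logins(CATALINA_LOG, ACCESS_LOG):
        print(row)
```

Run it against the real catalina and access logs by reading the files into the two text arguments. On the sample above, the 23:40:45 attempt has no matching warning and the 23:41:54 attempt is attributed to john@HFL.hds.com; over a longer log this makes it quick to see whether every 403 carries the same principal warning or only some of them.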