As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only. Moving forward, myibi is our community platform to learn, share, and collaborate. We have the same Focal Point forum categories in myibi, so you can continue to have all new conversations there. If you need access to myibi, contact us at myibi@ibi.com and provide your corporate email address, company, and name.


Windows user Moved to new Domain cannot log in to Server via MRE
Master
posted
We have embarked on an exercise to create a new domain, say newdom, which is gradually replacing olddom.

Some users using Windows authentication were moved from olddom to newdom, but our WF client and servers are remaining on olddom until the switchover is completed.

The user has an account in newdom, and his account in olddom is locked.

The problem manifests itself when the user tries to log on to MRE only (server direct is OK) using the full credentials of the new domain, e.g.

newdomain\Xxx.Xxxx

This login fails on Server authentication.


05/13/2008 16:03:57 request by cmrpip000784 to authenticate user
05/13/2008 16:03:57 rejected   cmrpip000784 u=Xxx.Xxxx (expired account)



What MRE seems to do is disregard the explicit request to log into newdomain and then

1. It tries the default domain of the wfclient and server which is still set to olddom. If this fails it then tries

2. The newdom domain, which is linked in Windows as being an associated domain and the next to try.

This process works fine unless you have previously accidentally attempted to log in to olddom via Windows machine login (e.g. at startup you accidentally enter the wrong domain). This seems to change the status of the dormant olddom account.

If you have changed the status of the olddom account then you will fail to log into MRE and the message shown above is shown in the SERVER log.

Things we have tried are:

1. Checking for all explicit mention of olddom in any of the MRE data. We can't find any.

Does anyone have any ideas? Help. Anyone out there good on Windows Active Directory and domain searching?

This message has been edited. Last edited by: hammo1j,



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
Guru
posted
hammo1j,

I'm not an Active Directory expert by any measure, but I think that the fact that the user exists in the old domain but is locked/expired probably means that the Reporting Server is running down the list of domains and checks the old domain first. I assume that the Windows API finds the user in olddom, but then fails to authenticate because it is locked. It doesn't bother to continue checking because it gets a "negative" response from olddom rather than an "I don't know them" response.

Try turning on traces on the reporting server and you will see the order it attempts to find the user. On my system it tries the local machine and, if the user doesn't exist, goes off to check any domains that are available.

Cheers

Stu


WebFOCUS 8.2.03 (8.2.06 in testing)
 
Posts: 253 | Location: Melbourne, Australia | Registered: February 07, 2007
Master
posted
Thanks Stu

That's what's happening; however, it is sporadic, which may be due to AD server replication and load balancing.

In the end we created users in MRE like newdom\userfirst.userlast and that solved the problem.

Regards

John



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
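
Added example, not part of the original posts and not WebFOCUS code: a small Python model of the lookup order discussed in this thread, showing why a "negative" answer from olddom ends the search before newdom is tried, next to a lookup that honours the domain qualifier. The domain names follow the thread; the directory contents, function names and result values are assumptions made for illustration.

```python
from enum import Enum

class Result(Enum):
    OK = "ok"
    UNKNOWN_USER = "unknown user"     # "I don't know them": search may continue
    EXPIRED = "expired account"       # definitive rejection, as in the server log

# Constructed directory state: the moved user is locked/expired in olddom and
# active in newdom; a second (hypothetical) user exists only in newdom.
DIRECTORY = {
    "olddom": {"xxx.xxxx": Result.EXPIRED},
    "newdom": {"xxx.xxxx": Result.OK, "new.user": Result.OK},
}
SEARCH_ORDER = ["olddom", "newdom"]   # default domain first, then associated domain

def check(domain, user):
    """Answer a single domain gives for a user."""
    return DIRECTORY.get(domain, {}).get(user.lower(), Result.UNKNOWN_USER)

def split_logon(logon):
    """Split 'domain\\user' into (domain, user); domain is None if unqualified."""
    domain, sep, user = logon.partition("\\")
    return (domain.lower(), user) if sep else (None, logon)

def auth_ignoring_qualifier(logon):
    """Behaviour described in the thread: qualifier dropped, domains walked in order."""
    _, user = split_logon(logon)
    for domain in SEARCH_ORDER:
        result = check(domain, user)
        if result is not Result.UNKNOWN_USER:
            return domain, result     # first definitive answer ends the search
    return None, Result.UNKNOWN_USER

def auth_honouring_qualifier(logon):
    """Ask only the named domain when one is given; otherwise fall back to the walk."""
    domain, user = split_logon(logon)
    if domain is not None:
        return domain, check(domain, user)
    return auth_ignoring_qualifier(logon)

if __name__ == "__main__":
    for logon in ("newdom\\Xxx.Xxxx", "newdom\\New.User"):
        print(logon, auth_ignoring_qualifier(logon), auth_honouring_qualifier(logon))
```
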


Copyright © 1996-2020 Information Builders