As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only. Moving forward, myibi is our community platform to learn, share, and collaborate. We have the same Focal Point forum categories in myibi, so you can continue to have all new conversations there. If you need access to myibi, contact us at firstname.lastname@example.org and provide your corporate email address, company, and name.
We have embarked on an exercise to create a new domain say newdom which is gradually replacing olddom.
Some users using windows authentication were moved from olddom to newdom, but our wf client and servers are remaining on olddom until the switch over is completed.
The user has an account in newdom, and his account in olddom is locked.
The problem manifests itself when the user tries to log on to MRE only (server direct is ok) using the full credentials of the new domain eg
This log in fails on Server authentication.
05/13/2008 16:03:57 request by cmrpip000784 to authenticate user
05/13/2008 16:03:57 rejected cmrpip000784 u=Xxx.Xxxx (expired account)
What MRE seems to do is disregard the explicit request to log into newdomain and then
1. It tries the default domain of the wfclient and server which is still set to olddom. If this fails it then tries
2. The newdom domain which is linked in windows as being an associated domain and the next to try.
This process works fine unless you have previously accidentally attempt to log in to olddom via windows machine login. (eg at startup you accidentally enter the wrong domain) This seems to change the status of the dormant olddom account.
If you have changed the status of the olddom account then you will fail to log into MRE and the message shown above is shown in the SERVER log.
Things we have tried are:
1. Checking for all explicit mention of olddom in any of the MRE data. We cant find any.
Does anyone have any ideas? Help. Anyone out there good on Windows active directory and domain searching?This message has been edited. Last edited by: hammo1j,
Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2 Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
I'm not an active directory expert by any measure, but I think that the fact that the user exists in the old domain but is locked/expired probably means that the Reporting Server is running down the list of domains and checks the old domain first. I assume that Windows API finds the user in olddom, but then fails to authenticate because it is locked. It doesn't bother to continue checking because it gets a "negative" response from olddom rather than a "I don't know them" response.
Try turning on traces on the reporting server and you will see the order it attempts to find the user. On my system it tries local machine and if the user doesn't exist goes off to check and domains that are available.
WebFOCUS 8.2.03 (8.2.06 in testing)
Posts: 253 | Location: Melbourne, Australia | Registered: February 07, 2007