lorlor
2 Posts

WAS 8.5 - Active Directory integration issue with Groups. Works with users

2013-01-21T16:31:33Z
Hi,
I have downloaded WAS 8.5 for evaluation and face an issue with AD integration.
AD integration is functional for users, but I face an issue when using Groups.
Would someone be able to propose an action plan? Details below.

WAS 8.5 integrated with AD
I have created a Federated repository with both File and AD.
If I assign the Administrator role to an AD user, it works, i.e. the AD user can connect to the WAS console.
but
If I assign the Administrator role to an AD group, the same user is denied access to the WAS console.
Within WAS, when I check Groups, the Group information confirms the AD user is part of the AD group.
Any idea how to troubleshoot this issue?
  • gas
    892 Posts

    Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

    ‏2013-01-22T09:11:05Z  
    Hi,

    Check if you are able to see the correct groups via Manage Groups in the WAS admin console. Also check if you can see the user in the group via Members, and the group in the user details via Group membership.

    Also restart the server after changes in role assignment.

    If that doesn't help, try the following trace:

    *=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
  • lorlor
    2 Posts

    Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

    ‏2013-01-24T21:16:59Z  
    Thanks Gas for looking into this. Sorry for the delay.
    Yes, AD Groups are listed through "Manage Groups".
    Yes, users are listed in Group membership.
    As a consequence, my understanding is that WAS reads information from AD without any problem.

    As I was enabling trace with the flags you proposed, I bounced the server and the Group configuration is now ... functional.

    I am new to WebSphere. For my understanding, can you confirm which log files I should look at now that your flags are activated?
    This will help me next time I face a similar issue :-)

    Thanks again for your help and time.

    Appreciated
  • bpaskin
    4278 Posts

    Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

    ‏2013-01-25T11:26:41Z  
    Hi, Please make sure the group name does not exist in both the File Repository and Active Directory. Also make sure that the group name is unique within the Active Directory.

    Regards,
    Brian