App Control: AD Logins Fail For Users With Domain Alias After Server Upgrade to 8.9+

Environment

  • App Control Server: 8.9.0 and 8.9.2

Symptoms

  • After the Server is upgraded to 8.9.0 or 8.9.2, AD user accounts cannot log in to the App Control Console.
  • Recreating the User Role Mappings with the relevant Active Directory Folder/Group does not resolve the issue.
  • AppControlAD-xxxx-xx-xx-xxxxxx.log shows:
    202X-XX-XX 00:00:00,000 [ 1] ERROR ADHelper.ADInfo.GetDirectoryEntry - Bind couldn't get the native object. ldapPath = LDAP://Domain/RootDSE - The server is not operational.
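
To confirm this symptom across a log file, the sketch below (an added example, not vendor code) matches the error signature quoted above and counts failures per domain name found in the ldapPath, for comparison with the domain shown in the affected users' logon names. The line layout is assumed from the single redacted sample; the sample lines and the name CORPALIAS are constructed.

```python
import re
from collections import Counter

# Signature taken from the log line quoted in Symptoms. The timestamp and
# thread layout are assumed from that single redacted sample.
SIGNATURE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[\s*(?P<thread>\d+)\]\s+ERROR\s+"
    r"ADHelper\.ADInfo\.GetDirectoryEntry - Bind couldn't get the native object\. "
    r"ldapPath = (?P<path>LDAP://(?P<name>[^/\s]+)/\S+) - "
    r"The server is not operational\.\s*$"
)

def find_bind_failures(lines):
    """Return (timestamp, ldap_path, domain_name) for each matching line."""
    hits = []
    for line in lines:
        m = SIGNATURE.match(line.strip())
        if m:
            hits.append((m["ts"], m["path"], m["name"]))
    return hits

def failures_by_name(lines):
    """Count failures per domain name in the LDAP path, case-insensitively."""
    return Counter(name.lower() for _, _, name in find_bind_failures(lines))

# Constructed sample lines (not from a real server); CORPALIAS is made up.
SAMPLE = """\
2023-02-20 09:14:02,118 [ 7] ERROR ADHelper.ADInfo.GetDirectoryEntry - Bind couldn't get the native object. ldapPath = LDAP://CORPALIAS/RootDSE - The server is not operational.
2023-02-20 09:14:05,640 [ 7] INFO ADHelper.ADInfo.GetDirectoryEntry - Bind ok. ldapPath = LDAP://corp.example.com/RootDSE
2023-02-20 09:15:41,007 [12] ERROR ADHelper.ADInfo.GetDirectoryEntry - Bind couldn't get the native object. ldapPath = LDAP://corpalias/RootDSE - The server is not operational.
2023-02-20 09:16:00,000 [ 3] ERROR SomeOther.Component - unrelated failure
""".splitlines()

if __name__ == "__main__":
    for name, count in failures_by_name(SAMPLE).items():
        print(f"{count} failed RootDSE bind(s) using domain name '{name}'")
```

Running the same check after the upgrade or the workaround below should return no new matches.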

Cause

A domain alias was used for the user's logon name within the Active Directory properties window.

Resolution

This issue was tracked under EP-17347 and resolved with the release of Server version 8.9.4. Upgrading to Server version 8.9.4+ should provide a permanent fix for this issue.
  • EP-17347: AD users configured with domain alias cannot login

Additional Notes

As a workaround, the Shepherd Config property AllowADScript can be used to force the "old logic" for Active Directory using VBScript:
  1. Navigate to https://AppControlServer/shepherd_config.php
  2. Select the property AllowADScript
  3. Change the value to true.
  4. Restart the App Control Server & Reporter services.
  5. Verify the AD accounts are able to log in correctly.
If AllowADScript is implemented and debugging is needed, follow the "For App Control Server version 8.8.x and lower" instructions for debugging in the related content below.

Related Content


Creation Date: 02-23-2023