06-30-2015 07:08 AM
Are there any special considerations here? It isn't working.
Scenario:
Two domains prod and test, same exact user group names and user names. Prod OnBase authenticates with prod domain, and Test OnBase authenticates with test domain. Client would now prefer to have the test environment authenticate w/ the prod domain. I updated the network security configuration in OnBase config for the test environment to point to the prod domain.
We are using interactive logon for Core, and I am no longer able to authenticate, with the error: user doesn't belong to any groups. If my user account in prod domain is slemp and slemp in the test domain, and I'm a member of the same groups, shouldn't this work? Do I need to change from AD Basic to AD Enhanced?
Thanks,
Stephen
06-30-2015 09:48 AM
Hi Stephen,
Do you have impersonation on the application server in the test environment, or an account to run your app pools on the web/app servers? That could be the problem if a test domain account is used for impersonation and it does not have access to the prod domain to authenticate the user and search for groups - one of the reasons you could be getting the 'No matching groups' error. Have you tried authenticating with the Thick Client? What do you see in the Diagnostic Console on the LDAP/NT tab?
Also keep in mind that for core clients to work across domains there has to be a two-way trust between the domains when AD Basic is used; AD Enhanced can authenticate users from non-trusted domains.
Take care,
Verica
06-30-2015 08:58 AM
Why would you do this? Test is supposed to be test and prod should be prod. You need the 2 environments to be independent. At the very minimum, this seems to ignore all generally accepted principles related to data integrity. Sometimes one has to protect the clients from themselves and you need to tell them no.
06-30-2015 10:34 AM
I hadn't considered the user running the AppPool/impersonation account. This was all very helpful information, thanks Verica!
EDIT:
Yes I've tried authenticating with OnBase client and it worked just fine.