We recently moved to Adobe Enterprise IDs with authentication by Microsoft Azure. I had AD groups created for each Adobe Product which links successfully for entitlement. I'm having trouble with Security Group provisioning within AppPortal. I created a Catalog Item that only performs the provisioning as a test. The Security Group configuration 'sees' the Adobe AD Groups and I can point to the correct title no problem. Upon testing, the log comes back with an error:
Inner exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
The AD Support Team didn't want the Service Account to have full rein in AD so they put the Adobe groups into an OU called Flexera Managed and assigned Modify rights to the Service Account for that container.
I'm not sure if the problem is with AppPortal configuration or the AD permissions of the Service Account. The AD Support Team says it's got to be AppPortal but all other aspects of the AD integration (Computers & Users, etc...) work as expected.
No, there is no config file where credentials could be stored. According to the log excerpt you provided, "integrated" credentials are being used. This means that it is the ESD Service account being used, which I assume is "FlexWeb"? I'd be very curious to know if the PowerShell command works as well. I've no idea if using AD Users and Computers behaves in the same way as calling an API.
IF NOT EXISTS (SELECT [KeyName] FROM [WD_AppSettings] WHERE [KeyName] = 'HasUntrustedDomains')
INSERT INTO [WD_AppSettings] ([KeyName], [Value]) VALUES ('HasUntrustedDomains', 'True')
ELSE UPDATE [WD_AppSettings] SET [Value] = 'True' WHERE [KeyName] = 'HasUntrustedDomains'
Once you have run the query perform an iisreset. This setting basically tells App Broker to make some different AD calls, and frequently resolves certain issues.
NOTE: To revert the behavior run the following and perform an iisreset:
update wd_appsettings set value = 'False' where keyname = 'HasUntrustedDomains'
Just got out of my meeting and no luck with the displayname attribute. I've submitted a Change Request to attempt Charles' suggestion on Monday. Fingers crossed.
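One way to check whether the delegation on the OU actually reaches the group objects, as an added example that is not part of the original posts or of App Portal itself: it lists the ACEs on one group that let the service account write the member attribute and shows whether each is inherited. The group DN, the domain and the FlexWeb account name are placeholders, and it assumes the RSAT ActiveDirectory module and that the service account is a user object.

```powershell
# Added diagnostic example. All names below are placeholders; adjust to your domain.
Import-Module ActiveDirectory

$GroupDN    = 'CN=Adobe-Acrobat,OU=Flexera Managed,DC=example,DC=com'  # constructed DN
$SamAccount = 'FlexWeb'                                                # assumed service account
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'             # schemaIDGUID of "member"
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]

# SIDs the account can match an ACE with: its own plus its direct groups.
# Nested group membership is not expanded here.
$user = Get-ADUser -Identity $SamAccount
$sids = @($user.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })

$acl  = Get-Acl -Path "AD:\$GroupDN"
$hits = foreach ($ace in $acl.Access) {
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }                      # identity could not be resolved

    if ($sids -notcontains $sid) { continue }

    # GenericAll and GenericWrite both include the WriteProperty bit.
    if (-not $ace.ActiveDirectoryRights.HasFlag($Rights::WriteProperty)) { continue }

    # Empty ObjectType means "all properties"; otherwise it must name "member".
    # ACEs scoped to a property set are not evaluated by this check.
    if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $MemberAttr) { continue }

    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType      # Allow or Deny
        Rights      = $ace.ActiveDirectoryRights
        IsInherited = $ace.IsInherited            # True = came from the OU delegation
        AppliesTo   = $ace.InheritanceType
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Warning "No ACE on '$GroupDN' lets $SamAccount write the member attribute."
}
```

An empty result, or only a Deny entry, points at the delegation (for example rights applied to the OU object only and not to descendant group objects) rather than at the App Portal configuration.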