jrobs3
Occasional contributor

Attempting to configure Security Group Provisioning of AD Groups

We recently moved to Adobe Enterprise IDs with authentication by Microsoft Azure. I had AD groups created for each Adobe Product which links successfully for entitlement. I'm having trouble with Security Group provisioning within AppPortal. I created a Catalog Item that only performs the provisioning as a test. The Security Group configuration 'sees' the Adobe AD Groups and I can point to the correct title no problem. Upon testing, the log comes back with an error: 

Inner exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 

The AD Support Team didn't want the Service Account to have full rein in AD so they put the Adobe groups into an OU called Flexera Managed and assigned Modify rights to the Service Account for that container. 

I'm not sure if the problem is with AppPortal configuration or the AD permissions of the Service Account. The AD Support Team says it's got to be AppPortal but all other aspects of the AD integration (Computers & Users, etc...) work as expected. 

0 Kudos
1 Solution

Accepted Solutions
Flexera CharlesW
Flexera

Re: Attempting to configure Security Group Provisioning of AD Groups

No, there is no config file where credentials could be stored. According to the log excerpt you provided, "integrated" credentials are being used. This means that it is the ESD Service account being used, which I assume is "FlexWeb"? I'd be very curious to know if the PowerShell command works as well. I've no idea if using AD Users and Computers behaves in the same way as calling an API.

0 Kudos
9 Replies
TeriStevenson
Intrepid explorer

Re: Attempting to configure Security Group Provisioning of AD Groups

I don’t remember what error we got when we first configured the catalog items to add the user to the security group, but we eventually found the cause was the displayname attribute didn’t have a value. App Portal uses the CN or SAMACCOUNTNAME attribute when it looks for the security group. We finally got an exception internally to have an OU specific for groups App Portal was adding to and to have the displayname attribute populated. Not sure if that is what you’re experiencing, but maybe something to check on your groups.
Flexera CharlesW
Flexera

Re: Attempting to configure Security Group Provisioning of AD Groups

If Teri's suggestion does not seem applicable to your situation, you might try running the following query against the App Portal DB, to see if this helps:

IF NOT EXISTS (SELECT [KeyName] FROM [WD_AppSettings] WHERE [KeyName] = 'HasUntrustedDomains')
INSERT INTO [WD_AppSettings] ([KeyName], [Value]) VALUES ('HasUntrustedDomains', 'True')
ELSE UPDATE [WD_AppSettings] SET [Value] = 'True' WHERE [KeyName] = 'HasUntrustedDomains'

Once you have run the query, perform an iisreset. This setting basically tells App Broker to make some different AD calls, and frequently resolves certain issues.

NOTE: To revert the behavior, run the following and perform an iisreset:
update wd_appsettings set value = 'False' where keyname = 'HasUntrustedDomains'
0 Kudos
jrobs3
Occasional contributor

Re: Attempting to configure Security Group Provisioning of AD Groups

Thank you. I'm meeting with the AD Admin this afternoon. I'll run this past him. Greatly appreciated!

0 Kudos
jrobs3
Occasional contributor

Re: Attempting to configure Security Group Provisioning of AD Groups

Just got out of my meeting and no luck with the displayname attribute. I've submitted a Change Request to attempt Charles' suggestion on Monday. Fingers crossed.

0 Kudos
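
Added example, not part of any post above and not Flexera code: a read-only PowerShell check of the two things the thread questions, namely whether the delegation on the "Flexera Managed" OU actually reaches each group as a write right on the member attribute, and whether displayName is populated. It assumes the RSAT ActiveDirectory module; the domain DN is a placeholder and "FlexWeb" is only the account name guessed in the thread.

```powershell
# Added example. $OuDn is a placeholder DN and $SvcSam is the account name guessed
# in the thread; replace both with your own values. The script only reads AD.
Import-Module ActiveDirectory

$OuDn       = 'OU=Flexera Managed,DC=example,DC=com'        # placeholder (assumption)
$SvcSam     = 'FlexWeb'                                     # assumption from the thread
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# SIDs the account presents: its own plus nested group memberships.
# tokenGroups does not list well-known SIDs such as Authenticated Users.
$svc  = Get-ADUser -Identity $SvcSam -Properties tokenGroups
$sids = @($svc.SID.Value) + @($svc.tokenGroups | ForEach-Object { $_.Value })

Get-ADGroup -SearchBase $OuDn -Filter * -Properties displayName | ForEach-Object {
    $g   = $_
    $acl = Get-Acl -Path "AD:\$($g.DistinguishedName)"

    # Explicit and inherited ACEs, identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            ($sids -contains $_.IdentityReference.Value) -and
            # GenericWrite and GenericAll both include the WriteProperty bit.
            (($_.ActiveDirectoryRights -band $WriteProp) -ne 0) -and
            # Empty GUID means all properties; otherwise it must name 'member'.
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $MemberGuid) -and
            # Skip ACEs that are inherit-only and so do not apply to this object.
            (($_.PropagationFlags -band $InheritOnly) -eq 0)
        }

    [pscustomobject]@{
        Group            = $g.SamAccountName
        DisplayNameSet   = -not [string]::IsNullOrEmpty($g.displayName)
        AllowWriteMember = [bool]($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
        DenyWriteMember  = [bool]($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    }
} | Format-Table -AutoSize
```

A group showing AllowWriteMember as False, or DenyWriteMember as True, points at the AD delegation rather than App Portal; a narrower grant of Write on member for descendant group objects is enough for membership changes.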