We recently moved to Adobe Enterprise IDs with authentication by Microsoft Azure. I had AD groups created for each Adobe Product which links successfully for entitlement. I'm having trouble with Security Group provisioning within AppPortal. I created a Catalog Item that only performs the provisioning as a test. The Security Group configuration 'sees' the Adobe AD Groups and I can point to the correct title no problem. Upon testing, the log comes back with an error:
Inner exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
The AD Support Team didn't want the Service Account to have full rein in AD so they put the Adobe groups into an OU called Flexera Managed and assigned Modify rights to the Service Account for that container.
I'm not sure if the problem is with AppPortal configuration or the AD permissions of the Service Account. The AD Support Team says it's got to be AppPortal but all other aspects of the AD integration (Computers & Users, etc.) work as expected.
Jan 16, 2020 06:19 AM
Jan 16, 2020 08:23 AM
Jan 16, 2020 09:43 AM
Just got out of my meeting and no luck with the displayname attribute. I've submitted a Change Request to attempt Charles' suggestion on Monday. Fingers crossed.
Jan 16, 2020 12:47 PM
Jan 20, 2020 03:17 PM
Charles, the AD Admin was able to add my account to the Security Group using Active Directory Users & Computers this morning logged in as the FlexWeb Service Account. Is there a config somewhere that should contain the Service Account credentials that may not currently?
Jan 21, 2020 09:26 AM
No, there is no config file where credentials could be stored. According to the log excerpt you provided, "integrated" credentials are being used. This means that it is the ESD Service account being used, which I assume is "FlexWeb"? I'd be very curious to know if the PowerShell command works as well. I've no idea if using AD Users and Computers behaves in the same way as calling an API.
Jan 21, 2020 03:07 PM
Charles, that was the issue. I assumed the process was supposed to use the FlexWeb Service Account but in fact it's using the FNMS Service Account which is set up as the local admin on the WebServer and running the ESD Service. That was the key. Thank you for clarifying. Everything works as expected now. Thanks again!
Jan 23, 2020 05:39 AM
Thank you. I'm meeting with the AD Admin this afternoon. I'll run this past him. Greatly appreciated!
Jan 16, 2020 10:16 AM
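A PowerShell check for the mismatch that resolved this thread, added here as an example (not code from the thread or from Flexera): it reports which account a Windows service logs on as and whether that account holds a write ACE on the delegated OU. The service display name, the domain part of the OU path and the account name are placeholders or constructed values, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example. All three values below are placeholders/constructed, not from the thread.
param(
    [string]$ServiceDisplayName = '<ESD service display name>',          # placeholder
    [string]$OuDn               = 'OU=Flexera Managed,DC=example,DC=com', # constructed DN
    [string]$ExpectedAccount    = 'EXAMPLE\FlexWeb'                       # constructed
)

Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# 1. Which account does the service really run as? With "integrated"
#    credentials, this is the identity Active Directory sees.
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%$ServiceDisplayName%'"
if (-not $services) { throw "No service matches '$ServiceDisplayName'." }
$services | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize

# 2. Which identities have an Allow ACE with write access on the OU?
#    WriteProperty is also a bit inside GenericWrite and GenericAll.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$writeAces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $write)
}
$writeAces |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 3. Compare. Only direct ACEs are matched; rights granted through a group
#    the account belongs to are not resolved here.
foreach ($svc in $services) {
    $runAs  = $svc.StartName
    $hasAce = [bool]($writeAces | Where-Object { $_.IdentityReference.Value -ieq $runAs })
    [pscustomobject]@{
        Service           = $svc.Name
        RunsAs            = $runAs
        MatchesExpected   = ($runAs -ieq $ExpectedAccount)
        DirectWriteAceOnOu = $hasAce
    }
}
```

A row with `MatchesExpected` false and `DirectWriteAceOnOu` false is the situation described above: the delegation was granted to one account while the service runs as another. The `InheritanceType` column shows whether the ACE on the OU also applies to the group objects inside it.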