How can we help you today? How can we help you today?

Authenticating with Active Directory

Hi,

I have configured SQL Monitor (v 5.2.3.3831) to use AD Authentication successfully based on the documentation(http://documentation.red-gate.com/displ ... +Directory).
AD users are successfully added but cannot log on.

Below error is whats been returned every time a user tries to log on:

RpcNoResultException: System.DirectoryServices.AccountManagement.PrincipalOperationException was thrown by method Authorisation on service AuthorisationService: System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to retrieve the authorization groups, an error (5) occurred. at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase) at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() at RedGate.Response.Engine.Monitoring.Core.Services.ActiveDirectory.UserPrincipalExtensions.d__0.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at System.Linq.Buffer`1..ctor(IEnumerable`1 source) at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source) at RedGate.Response.Engine.Monitoring.Core.Services.ActiveDirectory.ActiveDirectoryService.GetActiveDirectoryGroups(String userName) at RedGate.Response.Engine.Monitoring.Core.Services.ActiveDirectory.AuthorisationService.Authorisation(String userName)


Any assistance will be greatly appreciated
Nash9991
0

Comments

3 comments

Sort by
  • Alex B
    Hi Nash9991,

    I've found this SO article which links to another SO article that says:
    I assume GetAuthorizationGroups() calls in to tokenGroups in AD. To read that, your service account (or IIS machine account if Network Service) needs to be in the Windows Authorization Access group in AD.

    I believe this means that the user running the SQL Monitor Base Monitor service will need to be in the Windows Authorization Access group. This appears to have worked for another user getting the same error.

    Please let us know if this works for you!

    Kind regards,
    Alex
    Alex B
    0
  • Nash9991
    Hi Alex,

    Thanks for the assistance.

    Unfortunately this doesn't work as the service account is already part of the Windows Authorization Access Groups on AD.
    Nash9991
    0
  • Alex B
    Hi Nash9991,

    Are you using IIS or the XSP webserver to run the web UI? It may be that the IIS AppPool user needs to be in the Windows Authorization Access Groups as well - see this Stack Overflow article.

    Kind regards,
    Alex
    Alex B
    0

Add comment

Please sign in to leave a comment.