Cannot log on using Active Directory credentials - Security Center 5.11

Active Directory Integration Guide 5.11

Product
Security Center
Content type
Guides > Integration guides
Version
5.11
Language
English
Last updated
2022-10-24

If you cannot log on to Security Center using your Windows Active Directory (AD) credentials, there might be an issue with your system setup. With Active Directory integration, your connection options differ depending on where your workstation is located on the network. To help you troubleshoot the issue, learn about its possible causes and solutions.

User groups not imported

Description of cause: You might have only imported the AD security groups as cardholder groups and not as user groups in Security Center.

Solution: In the Properties tab of the Active Directory role, make sure the As user group option is selected for the security group under Synchronized groups. If the As user group option is not selected it, select it and click Synchronize.

Imported users missing Security Center privileges

Description of cause: The AD user groups are imported but the groups are not assigned any privileges in Security Center.

Solution: Assign privileges to the imported user groups in Config Tool. See Assigning privileges to users.

Server hosting the AD role not part of the domain

Description of cause: The server that is hosting the Active Directory role in Security Center is not part of the same domain as the AD server, which is a requirement to import AD security groups as users groups in Security Center. To verify if the servers are part of the same domain: Open Windows Control Panel on the Active Directory role server and click System and Security > System.

If the Workgroup option lists WORKGROUP and the Domain option is not displayed, it means that the server is not part of a domain.

Solution: Add the server to the same domain as the AD server:
  1. On the server that is hosting the Active Directory role, open the System page in Windows Control Panel.
  2. Click Change settings > Change.
  3. Select Domain, type the domain name of the AD server, and enter the credentials of a valid user on that domain.
    Tip: Use the domain administrator or a user who has enough privileges on the AD. If you unsure which user has enough privileges, you can check using the AD Exporer on the AD server. For more information about using AD Explorer, see Microsoft documentation.

If failover is configured for the Active Directory role, perform the same troubleshooting step on the secondary server.

Domain name not specified

Description of cause: You have a large AD setup with multiple domains. As a result, even if your Config Tool or Security Desk workstation is on the same domain as the AD server, you must specify the domain name when you log on to Security Center.

The domain name is also required if you log on to Security Center using VPN or from a machine that is on a remote network.

Solution: Specify the domain name with your username when logging on to Security Center, using one of the following formats:
  • User@domain.com (Fully Qualified Domain Name or FQDN)
  • User@domain
  • domain\user

Windows user does not have correct permissions

Description of cause: You selected the Use Windows credentials option in the logon dialog box, but the user that is running the Genetecâ„¢ Server service on the server hosting the Active Directory role is not part of the AD, or does not have the correct permissions to access the AD service.
IMPORTANT: You can only use the Use Windows credentials logon option if your machine is on the same domain as the AD server.

Solution: Make sure that the user running the Genetecâ„¢ Server service on the server hosting the Active Directory role has permission to access Windows Active Directory. For a list of required permissions, refer to the related Global catalog attributes.

If failover is configured for the Active Directory role, perform the same troubleshooting step on the secondary server.

No authorization agent found

Description of cause: If you receive a No authorization agent found error message when you try to log on, it means that there is an issue with your AD integration. The cause can be one of the following:
  • There is a problem with the Active Directory role.
  • The AD user does not exist in Security Center.
  • The Active Directory role user does not have permission to access to the AD service.
  • After the Active Directory role was connected to the AD server, the role was not synchronized with the AD.
Solution: Do the following:
  • Verify that the Active Directory role is online and does not have any warnings or errors. Fix any errors that are found.
  • Check if the AD user was imported in Security Center from the User management task in Config Tool. If the user is not listed, on the AD server make sure that the user is part of a security group that was imported in Security Center.
  • On the AD server, check if the Active Directory role user has permission to access to the AD service. Give that user permission on the AD service or connect the Active Directory role to the AD server using different user who has the correct permissions.
  • Manually synchronize the Active Directory role with the AD server.

Performance issues

Description of cause: If logging on is slow or a timeout occurs, it might be due to low resources on the Security Center client or server, or it might be an issue on the AD side.

Solution: Try to log on using a local Security Center user.
  • If it still takes a long time for you to log on, make sure there are enough resources to run your local Security Center system. You can check the following:
    • On the main server, open the Windows Task Manager and check the CPU and memory. High CPU or memory might indicate a resource issue on your local system.
    • Check if it takes a long time to log onto Windows.
    • Make sure that your system meets the hardware and software requirements outlined in the Security Center System Requirements.
  • If the logon is faster with a local Security Center user, the issue might be on the AD side. Have the IT department of the AD system check for network issues or shortages. Otherwise, you can open a support case by contacting the Genetecâ„¢ Technical Assistance Center (GTAC).