TrueSight Remedy Single Sign-On was integrated with a Windows Active Directory, but domain users fail to log in to TSPS with the error:
You are not authorized to use this system
The message "You are not authorized to use this system" means that RSSO could authenticate the user against Active Directory (user name and password match), but the Presentation Server could not find a group for this user which matches a group in one of its Authorization Profiles. The example below focuses on the TrueSight Presentation Server Administrator profile; the same approach applies to the other Authorization Profiles, such as Capacity Planning.

1. Log in to TSPS with the default admin user, click the burger icon in the upper left corner and go to Administration > Authorization Profiles. If you don't see Administration, you are not logged in as a Solution Administrator.
2. In front of each Authorization Profile name there is another burger icon; click it and select Edit.
3. On the new page, at the right side, there is another burger icon beside User Groups. Click it and select Edit again.
4. The Add Groups button retrieves the list of groups returned by RSSO, which you can add to the Authorization Profile. Select the relevant groups and save the changes; users in these groups can then log in to TSPS with the permissions of the Authorization Profile.

The expected groups from LDAP are not listed? First try to search for the group with a prefix, like MANY in this example. If this does not help either, a Group Filter is required. Since the user can be authenticated, it is possible that there are many groups in Active Directory and the query initiated by RSSO exceeds the result limit configured in Active Directory. The <RSSO_Install>/rsso/tomcat/logs/rsso.0.log shows this kind of error if that is the case:

ERROR: [LDAP: error code 4 - Sizelimit Exceeded]

To deal with this, log in to RSSO as the internal Admin user, open the Realm, then Authentication and the LDAP security container. Navigate to Group Support and locate the Group Filter line; there you need to filter out the groups which are not relevant.
The default group filter queries all groups, which are too many for an enterprise environment:

(objectCategory=group)

Restrict the result to the relevant groups by using group filters. A few Group Filter examples:

a) To return only the two groups with the common name (cn) attribute BMM and TSCO, change the filter from (objectCategory=group) to:

(&(objectCategory=group)(|(cn=BMM)(cn=TSCO)))

b) A filter for more groups works the same way:

(&(objectCategory=group)(|(cn=GroupA)(cn=GroupB)(cn=GroupC)(cn=GroupD)(cn=GroupN)))

c) Filtering with a wildcard keeps the filter short, for example if all groups with the prefix Group are supposed to log in to TrueSight:

(&(objectCategory=group)(cn=Group*))

This kind of group filter should reduce the LDAP query results so that the proper groups are displayed in TSPS.

- How to verify which user is in which group in the remote LDAP?

This is not possible in RSSO. While it is possible to list the groups in TSPS, the best approach is to verify this in Active Directory, either with an LDAP explorer (which is beyond the scope of this solution) or with the dsquery | dsget commands, which need to be run on a Domain Controller or on a machine with the RSAT tools installed. A Windows system administrator could assist with these commands.

1. Replace groupname with the name of the group to list the Distinguished Name of all users which are members of that group. The first line is the command, the following lines are the output; the output can become quite long if the group has many members.

dsquery group -name groupname | dsget group -members -expand
CN=user1,OU=CAP,DC=domain,DC=com
CN=user2,OU=CAP,DC=domain,DC=com

2. Another example lists all groups of a user based on the sAMAccountName of the user; replace username with the account name of the user. Again the first line is the command and the rest is the output; this list can become long if the user is a member of many groups.
dsquery user -samid username | dsget user -memberof -expand
CN=groupa,OU=TSCO,DC=domain,DC=com
CN=groupb,CN=Users,DC=domain,DC=com
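As an added illustration of the group filters in examples a) to c) above (this is not RSSO or BMC code), the following Python builds those filters from a list of group names with RFC 4515 escaping and runs them against a constructed in-memory list of 1,203 group entries under a simulated 1,000-entry size limit, showing why the default (objectCategory=group) fails with Sizelimit Exceeded while a narrowed filter succeeds. The size limit, the tiny filter evaluator and the sample group names are assumptions made for the demonstration, not values taken from RSSO or Active Directory.

```python
import re
# RFC 4515 escaping: these characters inside a value would otherwise alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
def escape_value(value):
    """Escape a group name before placing it in a filter (prevents filter injection)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_filter(names=(), prefix=None, base="(objectCategory=group)"):
    """Narrow the default RSSO group filter to exact cn matches and/or a cn prefix."""
    terms = [f"(cn={escape_value(n)})" for n in names]
    if prefix:
        terms.append(f"(cn={escape_value(prefix)}*)")
    if not terms:
        return base  # unchanged default: every group in the directory
    inner = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    return f"(&{base}{inner})"

# Minimal evaluator for (&...), (|...) and (attr=value) filters, used to simulate AD.
def _parse(f, i=0):
    if f[i + 1] in "&|":  # compound filter: collect children until the closing ')'
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)  # an escaped ')' is '\29', so this is the real terminator
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1
def _match(pattern, actual):
    """Case-insensitive match: unescaped '*' is a wildcard, '\\xx' escapes are literal."""
    unesc = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), s)
    rx = ".*".join(re.escape(unesc(p)) for p in pattern.split("*"))
    return re.fullmatch(rx, actual, re.IGNORECASE) is not None

def _eval(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_eval(k, entry) for k in node[1])
    return any(_match(node[2], v) for v in entry.get(node[1], []))

def search(directory, filt, size_limit=1000):
    """Apply filt to the entries; fail the way AD does when its size limit is exceeded."""
    hits = [e for e in directory if _eval(_parse(filt)[0], e)]
    if len(hits) > size_limit:  # 1000 assumed here as the directory's result limit
        raise RuntimeError("[LDAP: error code 4 - Sizelimit Exceeded]")
    return sorted(e["cn"][0] for e in hits)

# Constructed sample directory: 1,200 noise groups plus three groups we care about.
DIRECTORY = [{"objectcategory": ["group"], "cn": [f"Group{n:04d}"]} for n in range(1200)]
DIRECTORY += [{"objectcategory": ["group"], "cn": [c]} for c in ("BMM", "TSCO", "Ops (EU)")]
```

Note that a group name containing filter metacharacters such as "Ops (EU)" is escaped to "Ops \28EU\29" and still matches only that group, while an unescaped "*" would have turned the exact match into a wildcard.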