on 09-04-2014 7:27 PM
Hello,
I have a tenant (Afaria 7 SP4, hf3) integrated with Active Directory to manage Android devices.
The user authentication process succeeds during enrollment, but the problem is that the policies associated with the user group to which the user belongs are not applied. The "user group" I created contains the Active Directory user with which I performed the enrollment.
I've tried creating a user group which contains all users of the Active Directory and the result is the same: the policies associated with this user group aren't applied.
Does anybody know what the problem could be?
Thanks in advance.
Regards
Javier
AD user group assignments can fail for a few reasons. The basic ones are that the server can't contact the domain controller or the user isn't a member of the AD group specified in the Afaria user group. Peter's mention of the AssignmentsUserName is another. If this field is blank or if the format doesn't match the attribute specified on the Server > Configuration \ Security page then we may not be able to match it. In SP5 we have much better handling of this and are able to correct the format to match the attribute in most cases.
If your "Server Address" field on the Security config page is just a DNS or IP without a port, I would suggest trying to add the Global Catalog port (":3268") and see if the behaviour is any different. (Note: You can only use GC with the AD authentication option, not NT or LDAP.)
Otherwise, clarifying the structure of your domain would be useful.
Are you using a single domain structure or are there child domains?
Is your search root against the root domain or the children?
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
Javier,
Based on your screenshots, you're authenticating using the sAMAccountName parameter but it's possible that your user's device is storing the userPrincipalName format as the AssignmentsUserName value. I can't be sure because the UserName displayed for Android when inspecting a device is pulled from inventory data and may not match the actual AssignmentsUserName value as listed in the A_CLIENT table.
First thing I would recommend is to check the A_CLIENT table and verify the value of the AssignmentsUserName column. If the value listed there for your device is in UPN format ("user@domain.com") then that's a possible reason for the problem.
Otherwise, you could try changing your search root to the root of your domain instead of the General OU and see if that makes a difference. Note that searches against the root may require the Global Catalog port to function properly.
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
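An offline sketch of the two checks suggested in the reply above (stored name format versus the configured attribute, and whether the user and group sit under the search root), added here as an example and not part of the original thread or of Afaria. The function names, DNs and sample values are assumptions constructed for illustration.

```python
import re

def classify_username(value):
    """Return 'empty', 'downlevel', 'upn' or 'sam' for a stored user name."""
    v = (value or "").strip()
    if not v:
        return "empty"
    if "\\" in v:
        return "downlevel"                 # DOMAIN\user
    return "upn" if "@" in v else "sam"    # user@domain.com vs bare account name

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def in_search_root(entry_dn, search_root):
    """True when entry_dn is at or below search_root in the directory tree."""
    entry, root = split_dn(entry_dn), split_dn(search_root)
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root

def diagnose(stored_name, configured_attr, user_dn, group_dn, search_root):
    """List the reasons an AD group assignment could fail to match."""
    expected = {"samaccountname": "sam",
                "userprincipalname": "upn"}[configured_attr.lower()]
    findings = []
    fmt = classify_username(stored_name)
    if fmt == "empty":
        findings.append("AssignmentsUserName is blank")
    elif fmt != expected:
        findings.append(f"AssignmentsUserName is {fmt} but attribute expects {expected}")
    for label, dn in (("user", user_dn), ("group", group_dn)):
        if not in_search_root(dn, search_root):
            findings.append(f"{label} DN is outside the search root")
    return findings

# Constructed sample values (hypothetical, not taken from the thread).
SAMPLE = dict(
    stored_name="jdoe@example.com",
    configured_attr="sAMAccountName",
    user_dn="CN=J Doe,OU=Staff,DC=example,DC=com",
    group_dn="CN=Android Users,OU=Groups,DC=example,DC=com",
    search_root="OU=General,DC=example,DC=com",
)

if __name__ == "__main__":
    for finding in diagnose(**SAMPLE):
        print(finding)
```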
Hi Keith,
I'm very happy right now; I've managed to solve the problem with your last recommendations.
I've changed the search root to the root of my domain instead of the General OU and it works: the policies are applied on the device.
Thank you so much for your help, it has been very important for me.
BR
Javier
Can you confirm that the AssignmentUserName field is populated for each device?
Hi Peter,
I don't receive any error in the Afaria Log when I do an Apply Policies to a device with an AD User. The policies assigned to the static group are applied, but not the policies assigned to the AD group.
Don't worry about the question, I understand you. Yes, there are policies assigned to the AD group.
BR
Javier