Problem to apply policies with Afaria and Active Directory integration

Former Member
0 Kudos

Hello,

I have a tenant (Afaria 7 SP4, hf3) integrated with Active Directory to manage Android devices.

The user authentication process succeeds during enrollment, but the problem is that the policies associated with the user group to which the user belongs are not applied. The "user group" I created contains the Active Directory user with which I performed the enrollment.

I've tried creating a user group which contains all users of the Active Directory and the result is the same: the policies associated with this user group aren't applied.

Does anybody know what the problem could be?

Thanks in advance.

Regards

Javier

Accepted Solutions (1)

keith_nunn
Active Participant
0 Kudos

AD user group assignments can fail for a few reasons. The basic ones are that the server can't contact the domain controller or the user isn't a member of the AD group specified in the Afaria user group. Peter's mention of the AssignmentsUserName is another. If this field is blank or if the format doesn't match the attribute specified on the Server > Configuration \ Security page then we may not be able to match it. In SP5 we have much better handling of this and are able to correct the format to match the attribute in most cases.

If your "Server Address" field on the Security config page is just a DNS or IP without a port, I would suggest trying to add the Global Catalog port (":3268") and see if the behaviour is any different. (Note: You can only use GC with the AD authentication option, not NT or LDAP)

Otherwise, clarifying the structure of your domain would be useful. 

Are you using a single domain structure or are there children domains?

Is your search root against the root domain or the children?

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada

Former Member
0 Kudos

Hi Keith,

First of all, thanks for your help.

I've tried to set the "3268" port and I received the same result.

I attach several pictures to clarify the situation:

Let me know if you need more info.

Thanks

Javier

keith_nunn
Active Participant
0 Kudos

Javier,

Based on your screenshots, you're authenticating using the sAMAccountName parameter but it's possible that your user's device is storing the userPrincipalName format as the AssignmentsUserName value.  I can't be sure because the UserName displayed for Android when inspecting a device is pulled from inventory data and may not match the actual AssignmentsUserName value as listed in the A_CLIENT table. 

First thing I would recommend is to check the A_CLIENT table and verify the value of the AssignmentsUserName column.  If the value listed there for your device is in UPN format ("user@domain.com") then that's a possible reason for the problem. 

Otherwise, you could try changing your search root to the root of your domain instead of the General OU and see if that makes a difference.  Note that searches against the root may require the Global Catalog port to function properly.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada

Former Member
0 Kudos

Hi Keith,

I'm very happy right now: I've managed to solve the problem with your last recommendations.

I've changed the search root to the root of my domain instead of the General OU and it works; the policies are applied on the device.

Thank you so much for your help, it has been very important for me.

BR

Javier

Answers (1)

Former Member
0 Kudos

Can you confirm that the AssignmentUserName field is populated for each device?

Former Member
0 Kudos

Hi Peter,

Yes, I attached the screenshots:

Thanks

Javier

Former Member
0 Kudos

Can someone help me to solve this problem?

Thanks in advance.

Javier

Former Member
0 Kudos

Do you have any errors in the Afaria log when you do an Apply Policies to a device with an AD user?

Also, (sorry for saying this) but make sure you actually assign policies to the User Group.

BR

Peter

Former Member
0 Kudos

Hi Peter,

I don't receive any error in the Afaria log when I do an Apply Policies to a device with an AD user. The policies assigned to the static group are applied, but not the policies assigned to the AD group.

Don't worry about the question, I understand. Yes, there are policies assigned to the AD group.

BR

Javier