Solved

Business objects authentication against active directory/ldap question

Posted on 2011-02-15
5
2,372 Views
Last Modified: 2012-05-11
We have a new process/reporting service in development and the new server will be running business objects.  It is Windows Server 2008 running in an Active Directory 2003 domain.  I have a service account that was setup for them to schedule jobs and it has allowed them to work so far.  The new requirement is that they integrate the authentication using the LDAP option.  I just received a notice from the developers that they are receiving an error message stating "“The secLdap plugin failed to verify the server administration credentials”".  Currently the account is set on to only be able to log onto the application server where business objects is installed.  Does it also need to be granted logon rights to the domain controllers where the LDAP option is pointed to?

Thanks in advance.
0
Comment
Question by:childersj
  • 3
5 Comments
 
LVL 6

Expert Comment

by:sharjeel ashraf
Comment Utility
you will need a domain administrator account in use to allow business objects the right to query AD.

best way is to create a new account, make it  part of the domain (and maybe enterprise admins) and tell the developers to use this account.
0
 

Author Comment

by:childersj
Comment Utility
That is not correct.
0
 
LVL 100

Expert Comment

by:mlmcc
Comment Utility
Why do you feel that is not correct?

Did you try the advice?

mlmcc
0
 

Accepted Solution

by:
childersj earned 0 total points
Comment Utility
I was in a rush when I typed that, not trying to be rude.  Here is my response as to why that is not the approach that should be taken.  I did figure this out as well.

Response:  Running any service account or giving developers domain or enterprise admin rights is a bad idea.  The user account only needs read access to the directory.  I guess technically giving enterprise admin would work.... but it wouldn't be a smart or realistic way to approach the problem.  It would introduce quite a bit of risk that a mistake could be made and accidentally affect AD or the domain or if the server was compromised it could allow for the compromise of an administrative account with rights to everything.

Solution:  As the account had read access to the directory structure from the root of the domain, it was not this type of rights issue.  The problem stemed from the account attribute 'Logon to' being set to only the app and database servers, not the domain controller where it was trying to connect via LDAP and find directory objects.  I thought that only affected interactive logon; however evidently it stops LDAP queries as well.
0
 

Author Closing Comment

by:childersj
Comment Utility
I figured out the solution.  Assigning domain or enterprise admin rights is not an appropriate course of action.  Assigning the correct granular security rights maintains the integrity of the environment while allowing the application to function.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now