Brian_B

AD groups not being passed to web app

We have a custom web app that's been in place for a few years. I have a user that rarely accesses it but recently tried to and could not authenticate. My developer says the AD groups are not being passed when the user logs in. The user is a domain admin and part of other groups - and has no issue. He's logged into the app before but it's been maybe a year.

What could cause the AD groups to not be passed properly to the app? Looking at the group membership via gpresult or dumpsec shows he's in all the groups he should be. Only issue we've found, so far, is that they are not passed to this one app. We've tried from several PCs and such. Thanks.
Paul MacDonald

The idea that the AD Group membership is being passed from the web server seems like a misconception.  Surely the user's credentials are being sent to AD and AD is returning the list of groups to which the user belongs.  Does this web app work for anyone else, or is this the only user who uses it?

It also seems like your developer could run the source code in an IDE, have this user log in, and walk through the code to see what goes to and what comes back from AD.  Certainly that's where I'd start if only one user were being affected, AND I were positive the one user weren't in an AD group explicitly prohibited from using the web app.
Brian_B

ASKER

Not sure you read that right - the webserver is receiving the authentication and group information - not sending it. For all other users the groups are sent fine. For one user, no group information is sent. So my developer can see the authentication take place but access is denied because there are no groups. I don't see this being on the app since 100+ other users are working fine and have been for 2 years. So seems like something with this one user. We could delete the account and recreate but I'd prefer to know why this is happening in case it points to a larger issue.

Is the dev using LDAP? Is the user a member of the restricted user group?

Brian_B

ASKER

Yes and there are no restricted groups.  As long as you’re in one or more of the appropriate groups - you have that level of access in the app.  But doesn’t seem to matter since groups are never showing up.