Fuzzy Application Access Issue

Last Modified: 2020-06-30
Hi EE,


I have 14 users out of 151 that can't access a particular application via a Citrix v6 desktop, LDAP authentication. I have ascertained it's not a network issue, as I can log into the application from all allowed network touchpoints in the organization. I can even log into the application, using my username, via the laptops of the users that are having trouble connecting with their own username; we both have the same GPO applied as well. I have tried recreating the user's login on the application end, no fix. How do I troubleshoot this issue? Is it an OU problem? Where do I begin?

The application message states, although it is of very little use: Cannot connect to the DB please ensure your client configurations settings are correct and not being blocked by a firewall.

Any assistance is welcome.

Thank you.
ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
Start by describing your problem precisely.

Because "can't access a particular application" means they cannot read (parts of the) application and execute it. But your error message indicates that they can access it.

Depending on the kind of application and used database and drivers involved, check the common things:

- Is a local firewall on these clients blocking access? Can you, as a different, working user (non-admin), connect to the database from these machines?
- NTFS permissions to certificate files, if involved.
- NTFS permissions, if file DSN is used.
- Check user authentication on the database server, if AD/LDAP authentication is used, check whether it is user or group based. Check whether the user is authenticated or in the correct group.
Zack, General IT Goto Guy

Author

Commented:
Hi Stefan,

The error message: "Cannot connect to the DB please ensure your client configurations settings are correct and not being blocked by a firewall." This occurs when users try to launch the application; my apologies for the confusion.

- NTFS permissions to certificate files, if involved. - NA
- NTFS permissions, if file DSN is used - NA
- Check user authentication on the database server, if AD/LDAP authentication is used, check whether it is user or group-based. Check whether the user is authenticated or in the correct group. - Group-based and that group has the necessary access to the database.

Any other ideas?

Thank you. 
ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
Well, check the database side, maybe there is configuration data missing.
Zack, General IT Goto Guy

Author

Commented:
Hi Stefan,

I will get our DBA to do that in the morning.

Thank you 
Richard Faulkner, Enterprise Solutions Architect
CERTIFIED EXPERT

Commented:
When I have had issues in the past with applications not functioning, I have used Process Monitor to watch the process and see where it is failing. Is it file access, network access, or even registry access that is keeping the application from functioning? You can download it here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Run it once as a user who can execute it, then as a user who cannot. It will literally highlight in red any failures.
Zack, General IT Goto Guy

Author

Commented:
Hi EE,

Okay, at the DB layer I get the following msg for users that can't access the application:

 Logon Login failed for user 'user\mssqlsrv Reason: Failed to open the explicitly specified database. [CLIENT: <local machine>]   Error: 18456, Severity: 14, State: 38.

What I don't get is why only users that can't access the application would be appearing in the error log of the database, when they should have their identity verified at the application layer via LDAP and the application service account communicates directly with the DB. For instance, I have no access to this SQL server but can access the application without issue.

My theory is that it is possible that the application service_account is corrupted and, for some reason, the application is trying to parse the individual users' LDAP authentication in its place.

Your thoughts?

Thank you.

ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
To clarify things:

What database server?
What OS for it?
What kind of application?
Zack, General IT Goto Guy

Author

Commented:
Hi Stefan,

Db Server 2014 standard.
Windows Server 2012 R2
Application: Client distributed via Citrix which connects to App server which connects to a DB server.

Thank you
ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
Do the failing users/clients:

- Use the correct database name?
- Do they have a user in the database and a login on the server?
- Are they allowed to connect?
Zack, General IT Goto Guy

Author

Commented:
Hi Stefan

Yes, we are all using the same published app on Citrix.

I have verified all the users having issues have their LDAP credentials in the DB of the application. They don't have individual logins to the SQL server, but I don't either and I can access the application without issue.

We are all using the same AD groups and are all on the same office LAN, so they should be allowed to connect. If they are being blocked I wouldn't know where or how that is occurring.

Thank you.




ste5an, Senior Developer
CERTIFIED EXPERT

Commented:
The error itself normally means that you're trying to connect to the wrong database or the user has no rights.
Richard Faulkner, Enterprise Solutions Architect
CERTIFIED EXPERT

Commented:
A quick Google of the error shows that basically "The generic message “Login Failed for User (Microsoft SQL Server, Error: 18456)” means you entered invalid credentials when logging into SQL Server." You have verified they had DB credentials on the SQL server, but do their credentials have the proper permissions to access the databases being opened? My suspicion would be that their account does not have the right to some database that is attempting to be opened. I believe you can monitor from SQL what databases are being opened by whom, and then see what a successful login opens and what a failed login does not open. That should point you to the culprit.
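
Added example (not part of any poster's reply, and not code from the application or from Microsoft): a small parser that pairs each `Error: 18456` line with its `Login failed` line and groups failures by login and state, which shows that state 38 is a database-open failure after authentication rather than a bad password. The log sample is constructed in the usual SQL Server errorlog layout; the logins, database name and client addresses are assumptions.

```python
import re
from collections import Counter

# Meanings of a few well-known 18456 states (not an exhaustive list).
STATE_MEANING = {
    5: "login name does not exist on the server",
    8: "password mismatch",
    18: "password must be changed",
    38: "authenticated, but the explicitly specified database could not be opened",
}

# Constructed sample in SQL Server errorlog layout; logins, database name and
# client addresses are made up for illustration.
SAMPLE_LOG = """\
2020-06-29 09:14:02.13 Logon       Error: 18456, Severity: 14, State: 38.
2020-06-29 09:14:02.13 Logon       Login failed for user 'CORP\\svc_app'. Reason: Failed to open the explicitly specified database 'AppDb'. [CLIENT: 10.0.0.21]
2020-06-29 09:15:40.87 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-29 09:15:40.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.50]
2020-06-29 09:16:11.02 Logon       Error: 18456, Severity: 14, State: 38.
2020-06-29 09:16:11.02 Logon       Login failed for user 'CORP\\svc_app'. Reason: Failed to open the explicitly specified database 'AppDb'. [CLIENT: 10.0.0.21]
"""

ERR = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)\.")
MSG = re.compile(r"Login failed for user '([^']*)'\.(?: Reason: (.*?))? \[CLIENT: ([^\]]+)\]")

def parse_failed_logins(text):
    """Pair each 'Error: 18456' line with the 'Login failed' line that follows it."""
    events, state = [], None
    for line in text.splitlines():
        err = ERR.search(line)
        if err:
            state = int(err.group(1))
            continue
        msg = MSG.search(line)
        if msg and state is not None:
            login, reason, client = msg.groups()
            events.append({"login": login, "state": state, "reason": reason,
                           "client": client,
                           "meaning": STATE_MEANING.get(state, "state not in table")})
            state = None
    return events

def summarize(events):
    """Count failures per (login, state) to show which account hits which failure."""
    return Counter((e["login"], e["state"]) for e in events)

if __name__ == "__main__":
    for (login, state), n in summarize(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{n}x {login}: state {state} ({STATE_MEANING.get(state, 'unknown')})")
```
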
CERTIFIED EXPERT

Commented:
Are the accounts mapped correctly?
Zack, General IT Goto Guy

Author

Commented:
Hi Guys,

The SQL issue turned out to be a red herring, not the root cause of the issue. I recreated the accounts affected and the SQL server error resolved itself. But the underlying issue still persists: some users can't log on via LDAP, so I am using: https://docs.microsoft.com/en-us/sysinternals/downloads/adinsight

Does anyone know any good tutorials on how to use this tool so I can capture the LDAP process flow?

Thank you.
Richard Faulkner, Enterprise Solutions Architect
CERTIFIED EXPERT

Commented:
I have not used the tool. There are some good discussion pages on Microsoft's site, and I have always found the readme for the tool to be very informative.
Zack, General IT Goto Guy

Author

Commented:
Hi Experts,

We finally got to the cause of the issue. Don't quote me, as I am not a Windows administrator, but the issue was a replication issue with the domain controllers the users were authenticating against. Apparently some new users weren't able to authenticate credentials against this particular domain controller, for reasons I don't understand. Our Windows admin sorted it out; he was away on holidays. A patch resolved the issue.
Zack, General IT Goto Guy

Author

Commented:
Hi Stefan,

Thank you for pointing your previous comment out, friend, and for your assistance; it's always appreciated.