Active Directory integration failure

Hi Guys,

I have an issue with Active Directory authentication.

I got an error: https://ip/service/core/v3/identityproviders/discoverschema failed, task was cancelled.

When I open the above URL I get another error: (Authorization is denied for this request).

However, all fields have been filled in correctly and the account has domain admin privileges.

Thanks in advance.

  • Hi Mahmoud,

    A) SPP can fail to discover the AD schema if the ports below are blocked:
    - Please ensure SPP has access to TCP/389 on the DCs, and TCP/3268 on the Global Catalogs within the forest.

    B) The error (Authorization is denied for this request) is because you need to authorize access to the SPP appliance with admin credentials before navigating to the URL: ip/.../discoverschema

    1. To access the API, go to this URL first:
    IP/.../index.html

    2. Then you can click authorize to access the SPP appliance.

    3. Expand the IdentityProviders > Discover Schema to test it.

    Thanks!
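The two steps above (authorize first, then call the API) can also be done from a script instead of the Swagger page, which is a quick way to prove that the 60094 error is only the missing bearer token and not a problem with the AD provider itself. This is an added example, not code from the thread or from One Identity. It assumes the RSTS password-grant flow that the SPP API uses: a POST to /RSTS/oauth2/token returning an access_token, then a POST to /service/core/v3/Token/LoginResponse exchanging it for a UserToken that goes in the Authorization header. Those two paths, the scope value and the fake appliance responses used for the offline demo are assumptions; verify the paths against your own appliance's index.html (Swagger) page before relying on them.

```python
"""Log in to an SPP appliance via RSTS and call the core API with the resulting token.

Added example (not from the forum thread or One Identity). Endpoint paths and the
scope value are assumptions based on the documented RSTS flow; check them against
the appliance's own Swagger page.
"""
import json
import ssl
import urllib.error
import urllib.request

RSTS_TOKEN_PATH = "/RSTS/oauth2/token"                       # assumption: RSTS password grant
LOGIN_RESPONSE_PATH = "/service/core/v3/Token/LoginResponse"  # assumption: STS token -> UserToken
IDENTITY_PROVIDERS_PATH = "/service/core/v3/IdentityProviders"
LOCAL_PROVIDER_SCOPE = "rsts:sts:primaryproviderid:local"     # assumption: selects the local admin provider


def urllib_transport(method, url, headers, body, verify_tls=True):
    """Real transport: one HTTPS request, returns (status, parsed JSON or raw text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab appliance still on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        status, text = err.code, err.read().decode()
    try:
        return status, json.loads(text)
    except ValueError:
        return status, text


class SppClient:
    """Minimal client: login() does what the Swagger 'Authorize' button does, get() uses the token."""

    def __init__(self, appliance, transport=urllib_transport):
        self.base = appliance.rstrip("/")
        self.transport = transport
        self.user_token = None

    def login(self, username, password, scope=LOCAL_PROVIDER_SCOPE):
        json_headers = {"Content-Type": "application/json", "Accept": "application/json"}
        # Step 1: password grant against RSTS yields a short-lived STS access token.
        status, rsts = self.transport("POST", self.base + RSTS_TOKEN_PATH, json_headers,
                                      {"grant_type": "password", "username": username,
                                       "password": password, "scope": scope})
        if status != 200 or not isinstance(rsts, dict) or "access_token" not in rsts:
            raise RuntimeError(f"RSTS login failed: HTTP {status} {rsts}")
        # Step 2: exchange the STS token for the core-service user token.
        status, login = self.transport("POST", self.base + LOGIN_RESPONSE_PATH, json_headers,
                                       {"StsAccessToken": rsts["access_token"]})
        if status != 200 or not isinstance(login, dict) or "UserToken" not in login:
            raise RuntimeError(f"Token exchange failed: HTTP {status} {login}")
        self.user_token = login["UserToken"]
        return self.user_token

    def get(self, path):
        headers = {"Accept": "application/json"}
        if self.user_token:
            headers["Authorization"] = "Bearer " + self.user_token
        return self.transport("GET", self.base + path, headers, None)


def fake_appliance_transport(method, url, headers, body, verify_tls=True):
    """Constructed stand-in for an appliance (not captured traffic): any core call without the
    expected bearer token is refused with the same body the thread shows (Code 60094)."""
    if url.endswith(RSTS_TOKEN_PATH):
        return 200, {"access_token": "sts-token-123", "token_type": "Bearer"}
    if url.endswith(LOGIN_RESPONSE_PATH):
        return 200, {"UserToken": "user-token-456", "Status": "Success"}
    if headers.get("Authorization") != "Bearer user-token-456":
        return 401, {"Code": 60094, "Message": "Authorization is denied for this request.",
                     "InnerError": None}
    return 200, [{"Id": 1, "Name": "Local"}]


def demo():
    """Offline walk-through: the same GET fails before login and succeeds after it."""
    client = SppClient("https://ip", transport=fake_appliance_transport)
    before = client.get(IDENTITY_PROVIDERS_PATH)   # like browsing straight to the URL
    client.login("admin", "hypothetical-password")
    after = client.get(IDENTITY_PROVIDERS_PATH)
    return before, after


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) == 3:  # usage: script.py https://<appliance> <admin-user>
        real = SppClient(sys.argv[1])
        real.login(sys.argv[2], getpass.getpass("SPP password: "))
        print(json.dumps(real.get(IDENTITY_PROVIDERS_PATH)[1], indent=2))
    else:
        print(demo())
```

Against a real appliance the same client, once logged in, can be pointed at the discoverschema path from the thread; the request body for that call is provider-specific and is not shown here, so take it from the Swagger page rather than guessing it.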

  • Dear Tawfik,

    I have followed the above points:

    1- All ports are open and the issue still exists.

    2- I can't log in to service/core; although I am logged in with an admin user, I get the error below:

    {"Code":60094,"Message":"Authorization is denied for this request.","InnerError":null}

    Restarting the machine didn't affect the behavior.

  • Hi Mahmoud,

    Please upgrade to SPP version 6.8 if running an older version and try specifying a particular domain controller (a new feature added in 6.8).

    Under Identity and Authentication > select the AD domain provider > Edit > expand the Advanced drop-down > enable the Specify Domain Controller check box to add the domain controller for the domains required.

    ----------

    Information on this feature from the Admin guide states the following:

    Domain Controllers (for Active Directory)

    Instead of having Safeguard for Privileged Passwords automatically find domain controllers from a DNS and CLDAP ping, you can specify domain controllers.

    In the desktop client, select Specify domain controllers. In the text box, enter the network addresses, which may be DNS names or IP addresses, separated by spaces, commas, or semicolons. If you have multiple domains, you must provide a domain controller for every domain. Do not enter the domain itself.

    The domain controllers are used in the order entered. During the test connection from the Connection tab, if SPP does not find a domain controller in the list, the test connection fails and an error is returned.

    Adding a read-only domain controller will be limited in functionality. For example, login will work but password or SSH key check and change will not work.

    During a process, if one domain controller does not respond, the processes continue with the next domain controller. The non-responsive domain controller is blocked for about 5 minutes.

    ----------

    If the issue persists, please open a service request via the support portal at: support.oneidentity.com/create-service-request

    Thanks!
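Before opening a service request it is worth checking, from outside the appliance, that each domain controller you intend to list is actually reachable on the ports named earlier in the thread (TCP/389 for DCs, TCP/3268 for Global Catalogs), and that the list itself follows the rules quoted from the admin guide: entries separated by spaces, commas or semicolons, tried in the order entered, no bare domain names, and a non-responsive DC skipped for about 5 minutes before it is tried again. The following is an added example, not SPP's own code and not from the thread: it parses a "Specify domain controllers" value the way the guide describes, probes the ports, and models the ordered try-next-and-block-for-5-minutes behaviour so the effect of a dead first entry is visible. The host names in the demo scenario are constructed, and the block duration is taken from the guide's "about 5 minutes".

```python
"""Check a 'Specify domain controllers' list the way the SPP admin guide describes it.

Added example, not One Identity code. Parsing and the failover model follow the guide text
quoted in the thread; the host names in the demo are constructed placeholders.
"""
import re
import socket
import time

LDAP_PORT = 389         # DCs
GC_PORT = 3268          # Global Catalogs
BLOCK_SECONDS = 5 * 60  # guide: a non-responsive DC is blocked for about 5 minutes


def parse_dc_list(text):
    """Split the text-box value on spaces, commas or semicolons; order is preserved."""
    return [entry for entry in re.split(r"[\s,;]+", text.strip()) if entry]


def bare_domain_entries(entries, domains):
    """Return entries that are a domain name itself, which the guide says not to enter."""
    known = {d.lower().rstrip(".") for d in domains}
    return [e for e in entries if e.lower().rstrip(".") in known]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class DcSelector:
    """Ordered selection with a block window, modelling the behaviour the guide describes:
    try entries in order, skip blocked ones, block a non-responder for BLOCK_SECONDS."""

    def __init__(self, dcs, probe=tcp_reachable, clock=time.monotonic, block_seconds=BLOCK_SECONDS):
        self.dcs = list(dcs)
        self.probe = probe
        self.clock = clock
        self.block_seconds = block_seconds
        self.blocked_until = {}

    def next_dc(self, port=LDAP_PORT):
        now = self.clock()
        for dc in self.dcs:
            if self.blocked_until.get(dc, 0) > now:
                continue                      # still inside its block window
            if self.probe(dc, port):
                return dc
            self.blocked_until[dc] = now + self.block_seconds
        return None                           # guide: no usable DC means the connection test fails


def simulate_failover():
    """Constructed scenario (no real traffic): dc1 is down at first, dc2 is up.
    Returns the DC chosen at t=0, t=100s (dc1 recovered but still blocked) and t=301s."""
    fake_now = [0.0]
    up = {"dc2.corp.example"}
    selector = DcSelector(["dc1.corp.example", "dc2.corp.example"],
                          probe=lambda host, port: host in up,
                          clock=lambda: fake_now[0])
    first = selector.next_dc()               # dc1 fails and is blocked, dc2 answers
    up.add("dc1.corp.example")               # dc1 comes back
    fake_now[0] = 100.0
    second = selector.next_dc()              # dc1 still blocked, dc2 again
    fake_now[0] = 301.0
    third = selector.next_dc()               # block expired, dc1 is first in order again
    return first, second, third


def port_report(text, domains, gc_hosts=(), timeout=3.0):
    """Live check for a real list: reachability of each entry on 389, GCs also on 3268."""
    entries = parse_dc_list(text)
    bad = bare_domain_entries(entries, domains)
    report = {"bare_domains": bad, "results": []}
    for host in entries:
        row = {"host": host, "ldap_389": tcp_reachable(host, LDAP_PORT, timeout)}
        if host in gc_hosts:
            row["gc_3268"] = tcp_reachable(host, GC_PORT, timeout)
        report["results"].append(row)
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: script.py "<dc list>" <domain> [gc-host ...]
        print(port_report(sys.argv[1], [sys.argv[2]], gc_hosts=sys.argv[3:]))
    else:
        print(simulate_failover())
```

If port_report shows a host listed as a Global Catalog failing on 3268 while 389 works, or any entry listed under bare_domains, fix that before re-running the Test Connection on the Connection tab; the failover model also makes clear why a dead first entry costs a probe timeout on every call until its block window starts, so put the healthiest DC first.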