
Support Tip: Which user credentials can be used for GUI authentication?


Let's start by noting that this support tip is not about RBAC or LDAP. I may write other support tips specific to those subjects.

Now, the short answer to the question in the title is: the GUI logon requires a user that is configured in the cell (the Keycloak on the Cell Server), and this user must be configured with a password.

Several scenarios are possible. For each of them, keep in mind that a configured user is defined not only by its account name, but also by its domain or group and its client system (short name versus FQDN!). All 3 items need to match!

When the user that is starting the GUI is configured in the cell with a password set, the GUI will authenticate automatically. The password is used internally and does not even need to be known by the operator. Because this user is configured in the cell, anyone who is allowed to log on to the client as that user is trusted and can start the GUI. Depending on the DP user class this user belongs to, different rights may be granted. In this scenario, no popup window prompts for credentials. It also means that once this user is configured, there is no other choice when starting the GUI from this specific client system while logged on as this specific user. So this is a handy way to grant certain rights to this user by configuring it in a specific Data Protector user class.

When the user that is starting the GUI is NOT configured in the cell, a popup for credentials will be seen. At that moment, any configured user can be used. Please note that it is the configured Data Protector web user with corresponding password that needs to be entered, not an operating system user. This user name is in the format "Name|GroupOrDomain|Client".

When the user that is starting the GUI is configured but without a password, an error will be seen.

The way to get around this is obviously to set the password, either in another GUI or with the omniusers command. Alternatively, if the user is removed, a popup for credentials will be seen again and another user can be used.

Key points to remember:

  1. When prompted, always use a configured DP web user name, not an OS user
  2. When seeing the error about the missing password, set the password
  3. When entering credentials is not desired, make sure the specific user on the specific client is configured with a password
