Absent Member.

Users cannot log into Zenworks when AD restrictions are set

Hello,

Perhaps an unusual situation.

We have several training accounts that are restricted in Active Directory to only be able to log into certain PCs.

It appears that, although the users can log into the PCs, the Zenworks agent does not "see" these AD accounts.

Of course, we can get round this by assigning bundles to the workstations, but would rather it works as intended.

Any ideas?

Don
Absent Member.

Forgot to mention the versions!

Asset Management 11.2.3.18534
Bundle Management 11.2.3.21005
Inventory Management 11.2.3.18534
Policy Management 11.2.3.18534

On Win7 Workstations.
Absent Member.

Just a thought, maybe try adding the ZCM sats and primaries as machines they can log onto and see if that works. It's possible that AD sees the ZCM authentication request as coming from the primary / sat server rather than the actual workstation?

Micro Focus Expert


That is exactly it.
The ZCM Authentication Servers need to be included as a valid Logon Source.

On 3/20/2014 7:16 PM, gleach1 wrote:
>
> just a thought, maybe try adding the ZCM sats and primaries as machines
> they can log onto and see if that works, it's possible that AD sees the
> ZCM authentication request as coming from the primary / sat server
> rather than the actual workstation?
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Absent Member.

Thanks, I'll give this a bash today and report back.

Don
Absent Member.

I've tried adding our three Zenworks servers as login sources, but no joy so far.

The user can happily log into the PC (an AD login), but unhappily, Zenworks does not seem to "see" the user.

I did notice that the "Processing user sources" message appeared (I have a feeling it didn't before adding the Zen servers, or was very quick).

Removing the workstation restrictions definitely lets the user log in to Zenworks, adding the restrictions back makes the login fail.

Anything else I should be putting in, or is this a bug in this version of Zenworks?

Don
Micro Focus Expert

What happens is that the user's Authentication Server will actually attempt an LDAP Bind as that user to verify the user's authentication.
You need to make sure that whichever servers are defined as Auth Servers can do an LDAP Bind as that user.

The ZCM authentication for that user does not actually take place on the user's desktop.
Absent Member.

So in practice, this would mean domain controllers?
Absent Member.

Adding domain controllers, Zenworks servers, etc, makes no difference to this problem.
Should I raise an SR?
Absent Member.

That would be the best way to get assistance.

On 4/9/2014 6:46 AM, Donaldr wrote:
>
> Adding domain controllers, Zenworks servers, etc, makes no difference to
> this problem.
> Should I raise an SR?
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer
Absent Member.

But the key will be the ability to authenticate to LDAP from the
Authentication Server over LDAP using one of your restricted accounts.

I would also suggest getting that working first using a 3rd Party LDAP
Browser. (I always say that because some MS "LDAP" Tools actually don't
use the LDAP protocol, but rather std MS Networking and just present the
results in an LDAP type of view....)


On 4/9/2014 7:27 AM, CRAIGDWILSON wrote:
> That would be the best way to get assistance.
>
> On 4/9/2014 6:46 AM, Donaldr wrote:
>>
>> Adding domain controllers, Zenworks servers, etc, makes no difference to
>> this problem.
>> Should I raise an SR?
>>
>>

>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer
Absent Member.

Late answer but possibly a help for others:

I solved the problem when users were only allowed to log in to specific workstations by adding the Domain Controllers to the list of allowed workstations - in fact it needs to be the machine where the LDAP process is running to which ZENworks sends its LDAP packets - which in most cases are the Domain Controllers themselves.

Klaus
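
The check discussed in this thread (can the restricted account complete an LDAP bind, and does its allowed-workstation list cover the machines that handle that bind), sketched as an added example that is not part of any post above and is not ZENworks code. The diagnostic string and host names are constructed; the `data` sub-codes are the Win32 logon error values Active Directory returns in a failed bind, and `userWorkstations` is the AD attribute behind the "Log On To" restriction.

```python
import re

# Win32 sub-codes AD places in the "data" field of a failed LDAP bind (result 49).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic):
    """Return (subcode, meaning) from an AD bind diagnostic message, or None."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def missing_logon_sources(user_workstations, bind_targets):
    """List the hosts in bind_targets that a userWorkstations value omits.

    userWorkstations is a comma-separated list of computer names; an empty
    value means the account has no workstation restriction.
    """
    allowed = {h.strip().upper() for h in user_workstations.split(",") if h.strip()}
    if not allowed:
        return []
    return [h for h in bind_targets if h.upper() not in allowed]


if __name__ == "__main__":
    # Constructed diagnostic message of the kind an LDAP client shows on bind failure.
    sample = ("80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 531, v1db1")
    print(classify_bind_failure(sample))
    # Hypothetical names: two training PCs allowed, two domain controllers checked.
    print(missing_logon_sources("TRAINPC01,TRAINPC02", ["DC01", "DC02"]))
```

A `531` result from a bind test with the restricted account points at the workstation restriction rather than the password, and the second function shows which hosts would still need to be added to the account's list.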