Trusted Contributor.

Re: ZCM user login

Hi Craig,
Thanks. Should there be a link to page 30? If not where do I find this page?

Regards,

David

Micro Focus Expert

Re: ZCM user login

Sorry....See here...

https://www.novell.com/documentation/zenworks-2020/zen_sys_user_sources/data/bkykfkq.html#bmik7x3

Note: The docs state Kerberos does not support multiple domains.  Where it has been useful in multiple domain setups is when the customer in question was only using one for ZCM.  (They were part of a huge AD setup with many companies....)

One thing to try that is simpler....What about Catalog Ports?  See if it helps....

I'm thinking no......But since I worked on this rare issue......I've started moving all of my customers over to the catalog ports for other reasons.....  3268 and 3269.

 

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!

Trusted Contributor.

Re: ZCM user login

Hi Craig,

Thanks for the link and advice.

I am still confused with the process of adding the Kerberos service principal account. One thing the Novell documentation doesn't say is that according to Microsoft a user that is used as Kerberos service principal account must have a unique name.

The thing that really confuses me is that our users have a userPrincipalName looking like this <first letter first name>.<last name>@ssoe.nl (more domains available) and that our domain name for our AD is ssoe.int.

We want to be able to log in to ZENworks with the userPrincipalName instead of User logon name (pre-Windows 2000) which we use now, because we would like to use Single Sign-on everywhere and that's based on our e-mail address i.e. the userPrincipalName. Our servers are all Windows 2012 R2.

How does Catalog Ports help? I can't find any documentation on it.

 

Regards,


David

 

Micro Focus Expert

Re: ZCM user login

Ignore Catalog ports for now...I don't think that would help in this case.

In your ZENworks Zone, do you have users from Multiple Domains?  If your Zone only covers users from one Domain in your AD Tree, then Kerberos will help.  If your Zone covers multiple domains in your AD Tree it will not.

Look for Alias towards the bottom here...

https://www.novell.com/documentation/zenworks-2017-update-4/zen_sys_user_sources/data/bbtsocd.html#t48zlpb3kfka

In short, if your users are in one domain....then go for Kerberos.  The reason it helps is then ZCM does not do any form of authentication.  So format does not matter.  Rather ZCM reads who you are logged into Windows as and uses that. 

However, KEYTAB files are Domain Specific and we have not added support for multiple keytab files.  As for using the Domain Alias with UserID and Password, it will fail when there are multiple domain aliases in your tree.

There is an enhancement open with development to add further support in multi-domain setup for UPN.  The entry number is 1129648.  However, progress is unlikely w/o further customer requests.  I would recommend opening an SR if possible and referencing that if nothing above helps.

 

 

Trusted Contributor.

Re: ZCM user login

Hi Craig,

Thanks for the help. It seems that Kerberos would do the trick. Now I have to try it out on my home system as we do not have a test system at work.

I will let you know the outcome.

Regards,

David

Frequent Contributor.

Re: ZCM user login

Hi,

 

Do you know if that works with name.firstname@ADdomain.local? It seems that ZCM doesn't like the dot.
