You are able to log into the NMC with a LDAP AD user but cannot view NMC Roles or NMC Users. The error message "Unable to get user information from authentication service [Access is Denied]" appears.
Issue 1:
1) Log into the NMC as the default NetWorker Administrator account.
2) Go to Setup-->Users and Roles-->NMC Roles.
3) Open the properties of the Console Security Administrator and Console Application Administrator roles.
4) In the External Roles field, specify the Distinguished Name (DN) of the AD group(s) for NetWorker administrators.
Note: If you are uncertain of the DN to specify, see the Notes field for steps to collect this information. The AD group DNs should also be added to the corresponding NetWorker server's User Groups' External Roles fields: connect to the NetWorker server from the NMC as the default NetWorker Administrator account and go to Server-->User Groups. Without this you will be able to log into the NMC as an AD user but not connect to the NetWorker server.
Example:
5) Once the DN of your NetWorker administrators' AD group(s) has been added to both roles, log into the NMC as an AD user belonging to the newly added group and confirm that you can see the NMC Users and NMC Roles configurations.
Issue 2:
1) Check your existing configuration using your configuration ID:
authc_config -u Administrator -p password -e find-all-configs
authc_config -u Administrator -p password -e find-config -D config-id=#
Note: The account being specified is the NetWorker Administrator account/password. Replace # with the config id collected in the first command.
Example:
authc_config -u Administrator -e find-config -D config-id=1
Enter password:
Config Id : 1
Config Tenant Id : 1
Config Name : lab
Config Domain : emclab
Config Server Address : ldap://winsrvr2k16.emclab.local:389/DC=emclab,DC=local
Config User DN : CN=Administrator,CN=Users,DC=emclab,DC=local
Config User Group Attribute :
...
...
In this instance the "Config User Group Attribute" is blank. For AD-based authentication this field should be set to memberOf. If this field is blank or has some other value, complete the following:
2) To update this value via command run the following:
authc_config -u Administrator -p password -e update-config -D config-id=# -D config-user-group-attr=memberOf
Note: On some systems you will not be able to update individual values. If you receive an error with the above command, use the script templates found under:
Linux: /opt/nsr/authc-server/bin
Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\bin
Note: the above Windows path assumes the default NetWorker installation path was used.
If the script is being used, change "-e add-config" to "-e update-config" and populate the rest of the fields as per your environment. In the script template the Config User Group Attribute is set with -D "config-user-group-attr=memberOf" (this is the default). Once the configuration has been updated, confirm the change with: authc_config -u Administrator -p password -e find-config -D config-id=#
Example:
authc_config -u Administrator -e find-config -D config-id=1
Enter password:
Config Id : 1
Config Tenant Id : 1
Config Name : lab
Config Domain : emclab
Config Server Address : ldap://winsrvr2k16.emclab.local:389/DC=emclab,DC=local
Config User DN : CN=Administrator,CN=Users,DC=emclab,DC=local
Config User Group Attribute : memberOf
...
...
3) Log out of the NMC and log back in with your AD user.
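As an added example (not part of this article or of the NetWorker product), the POSIX shell script below parses the find-config output from step 1, reports whether Config User Group Attribute is memberOf, and prints the update-config command with the correct config id when it is not. The embedded output is a constructed sample based on the article's example; on a server you would pipe the live authc_config output into check_group_attr instead.

```shell
#!/bin/sh
# Added example: validate "Config User Group Attribute" in
# `authc_config -e find-config` output. Not code from the article.
# Live use (assumed invocation, password prompted for):
#   authc_config -u Administrator -e find-config -D config-id=1 | check_group_attr

# Constructed sample of find-config output with the field left blank.
SAMPLE_OUTPUT='Config Id : 1
Config Tenant Id : 1
Config Name : lab
Config Domain : emclab
Config Server Address : ldap://winsrvr2k16.emclab.local:389/DC=emclab,DC=local
Config User DN : CN=Administrator,CN=Users,DC=emclab,DC=local
Config User Group Attribute :'

# config_field KEY: print the value of the "KEY : value" line read on stdin
# (empty string when the value is blank, as in the sample above).
config_field() {
    awk -v key="$1" '
        index($0, key " :") == 1 {
            v = substr($0, length(key) + 3)   # text after "KEY :"
            gsub(/^[ \t]+|[ \t]+$/, "", v)    # trim surrounding whitespace
            print v
            exit
        }'
}

# check_group_attr: read find-config output on stdin; return 0 when the
# group attribute is memberOf, otherwise print the fix command and return 1.
check_group_attr() {
    out="$(cat)"
    attr="$(printf '%s\n' "$out" | config_field 'Config User Group Attribute')"
    id="$(printf '%s\n' "$out" | config_field 'Config Id')"
    if [ "$attr" = "memberOf" ]; then
        echo "config-id=$id: Config User Group Attribute is memberOf (OK)"
        return 0
    fi
    echo "config-id=$id: Config User Group Attribute is '${attr:-<blank>}', expected memberOf"
    echo "Fix: authc_config -u Administrator -e update-config -D config-id=$id -D config-user-group-attr=memberOf"
    return 1
}

# Demonstration on the constructed sample: the blank field is reported.
printf '%s\n' "$SAMPLE_OUTPUT" | check_group_attr || true
```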
Issue 3:
In some instances, even after adding the AD group DN(s) to the External Roles fields of Console Security Administrator and Console Application Administrator, you will still get the "Access Denied" error. In that case FULL_CONTROL permissions can be added to the NetWorker administrators' AD group(s).
1) Open an elevated command prompt on the NetWorker server
2) Confirm which AD groups have FULL_CONTROL permissions set:
authc_config -u Administrator -p password -e find-all-permissions
Note: The account being specified is the NetWorker Administrator account/password.
3) If the DN of the NetWorker administrators group is not specified run the following command:
authc_config -u Administrator -p password -e add-permission -D "permission-name=FULL_CONTROL" -D "permission-group-dn=cn=group-name,ou=ou-name,dc=domain,dc=domain"
Note: The permission-group-dn should contain the full DN of the group you want to add the permissions to. If you are uncertain of the group DN see the Notes field for collecting this information.
Example:
authc_config -u Administrator -e add-permission -D "permission-name=FULL_CONTROL" -D "permission-group-dn=cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local"
Enter password:
Permission FULL_CONTROL is created successfully.
4) Once the permission has been added, confirm the change by running the find-all-permissions command from step 2.
5) Log into the NMC with an AD user belonging to the group you just added permissions to and confirm if you are able to see the NMC Roles or NMC Users settings.
The above procedures require knowing the Distinguished Name (DN) of an AD group that the AD users belong to. This can be confirmed by your AD Administrator, but can also be collected using the authc_config and authc_mgmt commands on the NetWorker server. To collect this information you will also need to know the tenant and domain that were configured for your LDAP AD external authentication:
1) Log into the NetWorker server and open an elevated command prompt.
2) Confirm if a tenant was configured (in most cases default is used):
authc_config -u Administrator -p password -e find-all-tenants
Note: The account being specified is the NetWorker Administrator account/password.
Example:
C:\>authc_config -u Administrator -e find-all-tenants
Enter password:
The query returns 3 records.
Tenant Id Tenant Name
1 default
7 emc
8 test
3) Once you have the tenant name you can run the following command to query LDAP AD groups for a specific AD user:
authc_mgmt -u Administrator -p password -e query-ldap-groups-for-user -D "query-tenant=tenant-name" -D "query-domain=domain-name" -D "user-name=ad-user"
Note: Specify the tenant name collected from the command in step 2. The domain-name needs to match how it was specified when configuring LDAP AD external authentication, not necessarily the domain as it would appear in a DNS query; specify the domain name as you would when logging into the NMC. Specify an AD user for the user-name.
Example:
C:\>authc_mgmt -u Administrator -e query-ldap-groups-for-user -D "query-tenant=default" -D "query-domain=emclab" -D "user-name=bkupadmin"
Enter password:
The query returns 1 records.
Group Name Full Dn Name
NetWorker_Admins cn=NetWorker_Admins,cn=Users,dc=emclab,dc=local
From this output you now have the full DN of the AD group you want to add permissions to. This can be copied and pasted into the External Roles fields in the NMC Roles and in the NetWorker server's User Groups. It can also be used in the FULL_CONTROL permissions command.
authc_config and authc_mgmt are very useful commands for testing/configuring external authentication. To see all of the available options run the commands on their own with no flags/switches.