App Control: Active Directory Integration Failure in Multiple Domains
Article ID: 286243

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

After adding multiple trusted domains, the Active Directory role mappings fail.

Environment

  • App Control Server: All Supported Versions
  • Multiple Forests/Domains

Cause

One of the domains in the list belongs to a different Root Domain than the others.

Resolution

To identify the affected domain, the following steps can help:
  1. Go to the shepherd_config.php page: https://YourServer/shepherd_config.php
  2. Copy the value of the property AdBrowseDomainList
  3. Run the following command, replacing <Value of shepherd config AdBrowseDomainList> with the value collected from the shepherd config:
    cscript /U /nologo "C:\Program Files (x86)\Bit9\Parity Server\scripts\QueryAD.vbs" -base "toplevel" -list <Value of shepherd config AdBrowseDomainList> -debug 6 > "C:\temp\QueryAD-debug.txt"
  4. In the output file, identify the domain that logs the error "Did not get object insecurely either (-2147016661 : )", as in this excerpt:
    DEBUG: 3: Domain: domain.com
    DEBUG: 6: QueryAD GetObjectTrySecure: Initiating insecure connection to LDAP://domain.com/RootDSE
    DEBUG: 6: QueryAD GetObjectTrySecure: Got object insecurely. Terminated connection to LDAP://domain.com/RootDSE
    DEBUG: 6: QueryAD GetObjectTrySecure: Initiating insecure connection to LDAP://domain.com/CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM
    DEBUG: 6: QueryAD GetObjectTrySecure: Got object insecurely. Terminated connection to LDAP://domain.com/CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM
    DEBUG: 3: Domain: domain.com Context: CN=Configuration,DC=DOMAIN,DC=COM Root: DOMAIN.COM
    DEBUG: 3: Partition: CN=DOMAIN,CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM
    DEBUG: 6: QueryAD GetObjectTrySecure: Initiating insecure connection to LDAP://CN=DOMAIN,CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM
    DEBUG: 6: QueryAD GetObjectTrySecure: Did not get object insecurely either (-2147016661 : ). Terminated connection to LDAP://CN=DOMAIN,CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM
  5. Remove the domain in question and test again
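The following PowerShell script is an added example and is not part of this article or of the App Control product. It automates steps 2 to 4: one function parses the QueryAD-debug.txt file and reports which domain hit the -2147016661 error together with the Root shown for it (that HRESULT is 0x8007202B, Win32 error 8235 ERROR_DS_REFERRAL, meaning the server referred the query elsewhere rather than answering it, which is what happens when the partition lives in another forest); a second function queries RootDSE for each domain in AdBrowseDomainList and flags the one whose forest root differs from the rest, which is also the root domain that the Additional Information section suggests substituting. Assumptions: the log layout matches the sample above, AdBrowseDomainList is a comma- or semicolon-separated list of DNS domain names, and the sample log embedded at the end is constructed, not real output.

```powershell
# Added example, not part of the Carbon Black article or the App Control product.
# Assumptions: the debug file layout matches the article's sample, and the value of
# AdBrowseDomainList is a comma- or semicolon-separated list of DNS domain names.

function Get-QueryAdFailure {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $currentDomain = $null
    $currentRoot   = $null
    $failures      = @()

    foreach ($line in $LogLines) {
        # "DEBUG: 3: Domain: <name> ... Root: <root>" marks the domain being processed;
        # the first occurrence for a domain has no Root, the second one does.
        if ($line -match '^\s*DEBUG: 3: Domain: (?<d>\S+)') {
            if ($Matches['d'] -ne $currentDomain) { $currentRoot = $null }
            $currentDomain = $Matches['d']
            if ($line -match '\bRoot: (?<r>\S+)') { $currentRoot = $Matches['r'] }
            continue
        }
        # The signature from step 4. -2147016661 is HRESULT 0x8007202B, i.e. Win32
        # error 8235 ERROR_DS_REFERRAL: the DC returned a referral instead of the object.
        if ($line -match 'Did not get object insecurely either \((?<code>-?\d+)') {
            $failures += [pscustomobject]@{
                Domain  = $currentDomain
                Root    = $currentRoot
                HResult = ('0x{0:X8}' -f ([int32]$Matches['code'] -band 0xFFFFFFFF))
                Target  = ($line -replace '.*Terminated connection to ', '')
            }
        }
    }
    return $failures
}

function Test-AdBrowseDomainRoot {
    param([Parameter(Mandatory)][string]$AdBrowseDomainList)

    $domains = $AdBrowseDomainList -split '[,;]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $results = foreach ($domain in $domains) {
        try {
            # RootDSE exposes the forest root naming context of the domain's forest.
            $rootDse = [ADSI]"LDAP://$domain/RootDSE"
            [pscustomobject]@{
                Domain    = $domain
                DefaultNC = [string]$rootDse.defaultNamingContext
                RootNC    = [string]$rootDse.rootDomainNamingContext
                Error     = $null
            }
        } catch {
            [pscustomobject]@{ Domain = $domain; DefaultNC = $null; RootNC = $null; Error = $_.Exception.Message }
        }
    }
    # Treat the most common forest root as the expected one; anything else is the outlier
    # that step 5 says to remove (or that Additional Information says to replace by its root).
    $expectedRoot = ($results | Where-Object RootNC | Group-Object RootNC |
                     Sort-Object Count -Descending | Select-Object -First 1).Name
    foreach ($r in $results) {
        $r | Add-Member -NotePropertyName ExpectedRoot -NotePropertyValue $expectedRoot
        $r | Add-Member -NotePropertyName OtherForest  -NotePropertyValue ([bool]($r.RootNC -and $r.RootNC -ne $expectedRoot))
    }
    return $results
}

# Constructed sample in the shape of the article's step-4 output (not real log data).
$sampleLog = @'
DEBUG: 3: Domain: corp.example.com
DEBUG: 6: QueryAD GetObjectTrySecure: Got object insecurely. Terminated connection to LDAP://corp.example.com/RootDSE
DEBUG: 3: Domain: corp.example.com Context: CN=Configuration,DC=CORP,DC=EXAMPLE,DC=COM Root: CORP.EXAMPLE.COM
DEBUG: 3: Domain: partner.test
DEBUG: 3: Domain: partner.test Context: CN=Configuration,DC=PARTNER,DC=TEST Root: PARTNER.TEST
DEBUG: 3: Partition: CN=PARTNER,CN=Partitions,CN=Configuration,DC=PARTNER,DC=TEST
DEBUG: 6: QueryAD GetObjectTrySecure: Did not get object insecurely either (-2147016661 : ). Terminated connection to LDAP://CN=PARTNER,CN=Partitions,CN=Configuration,DC=PARTNER,DC=TEST
'@ -split "`r?`n"

# Offline triage of the file produced in step 3 (here: the constructed sample above)
Get-QueryAdFailure -LogLines $sampleLog | Format-List

# Live check against the value copied in step 2; requires LDAP reachability to every domain
# Test-AdBrowseDomainRoot -AdBrowseDomainList 'corp.example.com,partner.test' | Format-Table
```

For the real file, read it with `Get-Content -Path 'C:\temp\QueryAD-debug.txt'` (the command in step 3 uses `cscript /U`, so the file is UTF-16 and Get-Content handles it) and pass the lines to Get-QueryAdFailure; the Root value it reports for the failing domain is the Root Domain referred to in the Additional Information section.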

Additional Information

If removing the domain is not an option, replace the affected domain with its Root Domain. Before implementing this change, it is recommended to discuss it with the responsible team or the AD team and agree on the solution.