Active Directory Logins Fail When OUs Contain Special Characters

Article ID: 288701

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • After a Server upgrade to 8.9.x, AD user accounts cannot log in to the App Control Console.
  • Recreating the User Role Mappings with the relevant Active Directory Folder/Group does not resolve the issue.
  • AppControlAD-TIMESTAMP.log shows the EscapeFilter entry including the hex code for a special character, such as a slash:
    EscapeFilter - EscapeFilter(CN=User\5c, Name....

Environment

  • App Control Server: 8.9.0 - 8.9.6
  • Microsoft Active Directory: All Supported Versions

Cause

Active Directory Organizational Units contain one or more of the following characters:

\/:*?<>|~:!@#$%^&'(){}
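
A pre-upgrade check, added here as an example and not part of the vendor's article or product: it takes OU distinguished names exported from the directory, decodes RFC 4514 escapes (including hex pairs such as `\5c`), and reports the OUs that contain a character from the list above. The function names and sample DNs are constructed for illustration.

```python
import re

# Characters from the Cause list (the colon it repeats is included once).
SPECIAL_CHARS = set("\\/:*?<>|~!@#$%^&'(){}")

# One RDN: a run of escape pairs (\x) or characters that are neither ',' nor '\'.
RDN_RE = re.compile(r"(?:\\.|[^,\\])+")
# An RFC 4514 escape: backslash + two hex digits, or backslash + one character.
ESCAPE_RE = re.compile(r"\\(?:([0-9A-Fa-f]{2})|(.))")


def unescape(value):
    """Decode DN escapes; ASCII hex pairs are enough for the listed characters."""
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), value)


def flag_ous(dns, attr_types=("OU",)):
    """Map each DN to [(decoded OU name, listed characters found)], hits only."""
    findings = {}
    for dn in dns:
        for rdn in RDN_RE.findall(dn):
            attr, _, raw = rdn.lstrip().partition("=")
            if attr.strip().upper() not in attr_types:
                continue
            name = unescape(raw)
            hits = sorted(SPECIAL_CHARS & set(name))
            if hits:
                findings.setdefault(dn, []).append((name, hits))
    return findings


# Constructed sample DNs (not taken from the article or any real directory).
SAMPLE_DNS = [
    r"CN=Alice,OU=Staff,DC=example,DC=com",
    r"CN=Bob,OU=R&D,DC=example,DC=com",
    r"CN=Carol,OU=Ops\5cTier1,DC=example,DC=com",        # hex-escaped backslash
    r"CN=Dan,OU=Sales\, EMEA (North),DC=example,DC=com",  # escaped comma stays in the RDN
]

if __name__ == "__main__":
    for dn, hits in flag_ous(SAMPLE_DNS).items():
        print(dn, "->", hits)
```

Accounts under any reported OU are the ones to test after applying the workaround or the upgrade.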

Resolution

Upgrade to Server 8.10+, where this issue has been resolved (EP-17684\EA-22686).

Additional Information

  • When AllowADScript is set to true, Active Directory logging will be included in ServerLog-TIMESTAMP.bt9 and the EscapeFilter will log the special characters similar to:
    EscapeFilter - EscapeFilter(CN=User\, Name....
  • As a workaround, the Shepherd Config property AllowADScript can be used to force the "old logic" for Active Directory using VBScript. This should be reverted after upgrading to 8.10.

    1. Navigate to https://AppControlServer/shepherd_config.php
      1. Select the Property: AllowADScript
      2. Change the Value to true.
    2. Restart the App Control Server & Reporter services.
    3. Verify the AD accounts are able to log in correctly.