App Control: AD Logins Fail When Active Directory OUs Have Special Characters

Article ID: 288701

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • After the Server upgrade to 8.9.x, AD user accounts cannot log in to the App Control Console.
  • Recreating the User Role Mappings with the relevant Active Directory Folder/Group does not resolve the issue.
  • AppControlAD-TIMESTAMP.log results show the EscapeFilter including the hex code for a special character, such as a slash:
    EscapeFilter - EscapeFilter(CN=User\5c, Name....
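
One way to triage AppControlAD-TIMESTAMP.log for this symptom, as an added example that is not part of the original article or the product: it finds EscapeFilter entries that contain hex escapes and decodes them back to the characters listed under Cause. The log layout beyond the `EscapeFilter(` text shown above, the function name and the sample lines are assumptions.

```python
import re

# Characters the article lists under Cause.
SPECIAL_CHARS = set("\\/:*?<>|~:!@#$%^&'(){}")

# A hex escape inside a filter: backslash followed by two hex digits (e.g. \5c).
HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
# Assumption: the filter text follows the literal "EscapeFilter(" on the log line.
FILTER_CALL = re.compile(r"EscapeFilter\((.*)")


def find_escaped_filters(log_text):
    """Return [(line_no, [decoded chars])] for EscapeFilter lines with hex escapes."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = FILTER_CALL.search(line)
        if not match:
            continue
        # Decode every \XX pair, then keep only the characters from the Cause list.
        decoded = [chr(int(h, 16)) for h in HEX_ESCAPE.findall(match.group(1))]
        flagged = [c for c in decoded if c in SPECIAL_CHARS]
        if flagged:
            hits.append((line_no, flagged))
    return hits


# Constructed sample lines (not real server output); timestamps and names are made up.
SAMPLE_LOG = r"""
2024-01-01 10:00:00 EscapeFilter - EscapeFilter(CN=User\5c, Name,OU=Sales)
2024-01-01 10:00:01 Bind succeeded for service account
2024-01-01 10:00:02 EscapeFilter - EscapeFilter(CN=Jane Doe,OU=Ops \28EU\29)
2024-01-01 10:00:03 EscapeFilter - EscapeFilter(CN=Plain User,OU=Staff)
""".strip()

if __name__ == "__main__":
    for line_no, chars in find_escaped_filters(SAMPLE_LOG):
        print(f"line {line_no}: hex-escaped special characters {chars}")
```
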

Environment

  • App Control Server: 8.9.x
  • Microsoft Active Directory: All Supported Versions

Cause

Active Directory Organizational Units have one or more of the following characters:
\/:*?<>|~:!@#$%^&'(){}

Resolution

Upgrade to 8.10, where this issue has been resolved (EP-17684\EA-22686).

As a workaround, the Shepherd Config property AllowADScript can be used to force the "old logic" for Active Directory using VBScript. This should be reverted after upgrading to 8.10.
  1. Navigate to https://AppControlServer/shepherd_config.php
  2. Select the property AllowADScript
  3. Change the value to true.
  4. Restart the App Control Server & Reporter services.
  5. Verify the AD accounts are able to log in correctly.

Additional Information

  • When AllowADScript is set to true, Active Directory logging will be included in ServerLog-TIMESTAMP.bt9 and the EscapeFilter will log the special characters similar to:
    EscapeFilter - EscapeFilter(CN=User\, Name....