App Control: AD Logins Fail For Users With Domain Alias After Server Upgrade to 8.9+

Article ID: 291734


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • After a Server upgrade to 8.9.0 or 8.9.2, AD user accounts cannot log in to the App Control Console.
  • Recreating the User Role Mappings with the relevant Active Directory Folder/Group does not resolve the issue.
  • AppControlAD-xxxx-xx-xx-xxxxxx.log shows:
    202X-XX-XX 00:00:00,000 [ 1] ERROR ADHelper.ADInfo.GetDirectoryEntry - Bind couldn't get the native object. ldapPath = LDAP://Domain/RootDSE - The server is not operational.

Environment

  • App Control Server: 8.9.0 and 8.9.2

Cause

A domain alias was used for the user's logon name within the Active Directory properties window.

Resolution

This issue was tracked under EP-17347 and resolved with the release of Server version 8.9.4. Upgrading to Server version 8.9.4+ should provide a permanent fix for this issue.
  • EP-17347: AD users configured with domain alias cannot login

Additional Information

As a workaround, the Shepherd Config property AllowADScript can be used to force the "old logic" for Active Directory using VBScript:
  1. Navigate to https://<app_control_servername>/shepherd_config.php
  2. Select the property AllowADScript
  3. Change the value to true.
  4. Restart the App Control Server & Reporter services.
  5. Verify the AD accounts are able to log in correctly.
If AllowADScript is implemented and debugging is needed, follow the "For App Control Server version 8.8.x and lower" instructions for debugging in the related content below.