Active Directory Log In Fails for Users Associated With the AD Group Protected Users

Article ID: 375438

Updated On: 07-09-2025

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • The user's Console role is mapped to the Active Directory group "Protected Users", and members of that group cannot log in to the Console.
  • The Active Directory troubleshooting logs show entries similar to the following:
    • ServerLog-TIMESTAMP.bt9 shows an empty canonical name for the user, followed by a failed login (successful = 0):
      (10388 Admin Thread 1)UserStorage::LoginUserAD: Calling ValidateLogin DOMAIN\USER
      (10388 Admin Thread 1)UserStorage::LoginUserAD: Check if canonical name '' exists
      (10388 Admin Thread 1)ReportLogin called username = DOMAIN\USER, successful = 0
    • AppControlAD-TIMESTAMP.bt9 binds successfully and does find the DOMAIN\USER account, so the AD lookup itself is not failing:
      DEBUG ADHelper.ADInfo.GetDirectoryEntry - Bind successful with ldap path = LDAP://DOMAIN.TLD/CN=Protected User,CN=Users,DC=DOMAIN,DC=TLD
      DEBUG ADHelper.ADInfo.GetADUserList - Found adUser for userName = DOMAIN\USER
      DEBUG ADHelper.ADHandler.ParityServerADMapping - Computer = , Users = DOMAIN\USER, Ruleset = 2
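The following triage script is an added example and is not part of this article or of the App Control product. It scans ServerLog-style lines for the signature above (a ValidateLogin call, an empty canonical name, then ReportLogin with successful = 0 on the same thread) and reports which users hit it, and it checks whether a server version string falls in the affected range. The sample log lines, thread id, user names and domain are constructed for the example; the match patterns are taken from the excerpt in this article and may need adjusting if your log format differs.

```python
"""Added example (not from the KB article): find AD logins that failed with an
empty canonical name in an App Control ServerLog, and flag affected versions."""
import re
from typing import Dict, List, Optional, Tuple

# Patterns modelled on the log excerpt in the article.
THREAD_RE = re.compile(r"^\((?P<thread>\d+ [^)]+)\)(?P<msg>.*)$")
VALIDATE_RE = re.compile(r"LoginUserAD: Calling ValidateLogin (?P<user>\S+)")
CANON_RE = re.compile(r"LoginUserAD: Check if canonical name '(?P<cn>[^']*)' exists")
REPORT_RE = re.compile(
    r"ReportLogin called username = (?P<user>[^,]+), successful = (?P<ok>[01])"
)

# Constructed sample: alice shows the failure signature, bob logs in normally.
SAMPLE_SERVERLOG = """\
(10388 Admin Thread 1)UserStorage::LoginUserAD: Calling ValidateLogin CORP\\alice
(10388 Admin Thread 1)UserStorage::LoginUserAD: Check if canonical name '' exists
(10388 Admin Thread 1)ReportLogin called username = CORP\\alice, successful = 0
(10388 Admin Thread 1)UserStorage::LoginUserAD: Calling ValidateLogin CORP\\bob
(10388 Admin Thread 1)UserStorage::LoginUserAD: Check if canonical name 'corp.example/Users/bob' exists
(10388 Admin Thread 1)ReportLogin called username = CORP\\bob, successful = 1
"""


def find_empty_canonical_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one record per login that failed right after an empty
    canonical-name check. State is tracked per thread id, because the three
    lines of one login attempt share a thread prefix while other threads may
    interleave their own lines."""
    pending: Dict[str, Dict[str, Optional[str]]] = {}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = THREAD_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")

        v = VALIDATE_RE.search(msg)
        if v:
            # A new login attempt on this thread resets any earlier state.
            pending[thread] = {"user": v.group("user"), "canonical": None}
            continue

        c = CANON_RE.search(msg)
        if c and thread in pending:
            pending[thread]["canonical"] = c.group("cn")
            continue

        r = REPORT_RE.search(msg)
        if r:
            state = pending.pop(thread, None)
            if state and r.group("ok") == "0" and state["canonical"] == "":
                hits.append({"thread": thread, "user": state["user"] or r.group("user")})
    return hits


# Affected range and fix version as stated in the article.
AFFECTED_MIN: Tuple[int, ...] = (8, 9, 0)
AFFECTED_MAX: Tuple[int, ...] = (8, 10, 4)
FIXED: Tuple[int, ...] = (8, 11, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare on the first three numeric components only, so a build suffix
    such as 8.10.4.123 is still treated as 8.10.4."""
    return tuple(int(p) for p in version.split(".")[:3])


def server_is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


if __name__ == "__main__":
    for hit in find_empty_canonical_failures(SAMPLE_SERVERLOG):
        print(f"empty canonical name -> failed login: {hit['user']} ({hit['thread']})")
    for ver in ("8.9.0", "8.10.4", "8.10.4.123", "8.11.0"):
        print(ver, "affected" if server_is_affected(ver) else "not affected")
```

Run it against a real ServerLog by reading the file into `find_empty_canonical_failures`; if it reports users and `server_is_affected` is true for the installed version, this article applies and the upgrade or workaround below is the fix.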

Environment

  • App Control Server: 8.9.0-8.10.4

Cause

This issue was tracked under EPCB-21147 and resolved with the release of Server 8.11.0.

Resolution

Upgrading to Server 8.11.0+ will resolve this issue.

Additional Information

Until the server can be upgraded, the following temporary workaround forces the legacy VBScript-based Active Directory logic. Revert the setting (set AllowADScript back to its original value) after upgrading to 8.11.0 or later.

  1. Navigate to https://AppControlServer/shepherd_config.php
    1. Select the Property: AllowADScript
    2. Change the Value to true.
  2. Restart the App Control Server & Reporter services.
  3. Verify the AD accounts are able to log in correctly.