Cannot AD Authenticate after upgrade to 9.9.7 - VisualCron - Forum

NicholasDawson
2022-04-21T13:55:01Z
SSPI Authentication failed

Connecting with an internal user works fine.

Any ideas?
Michael Fjellström
2022-04-29T15:26:29Z
Originally Posted by: NicholasDawson 

SSPI Authentication failed

Connecting with an internal user works fine.

Any ideas?



Does it work if you try this version? https://www.visualcron.c...aspx?g=Posts&t=10582 
NicholasDawson
2022-05-09T08:13:08Z
Yes, it appears to work in this version.
Thanks
Nick Hilder
2022-05-22T10:05:10Z
Hi,

I upgraded to Visual Cron 9.9.8.

The AD users can no longer log in. I have a non-AD user set up to be able to check and update the settings. However, we have staff set up as AD users that need access too.

I checked Settings > Users/Logon. The SPN and UPN fields appear to be new. The software prompts me to add port :636 to the AD hostname. I tried doing this but then the test fails. So I just have the domain name as the AD hostname.

I checked the Client settings. The AD logon option appears to have a new Identity Type option : DNS Identity, Windows Default, UPN Identity and SPN Identity. I tried UPN Identity and then type my full user@domain for the Principal name.

When I save these settings and then click the Connect button, I am prompted for a Password. I type my AD password. There is no error message but the dialog clears and then re-presents itself to me, with the Password input text highlighted. So the login did not work.

I checked the log file and the entry says "ConnectionError: Failed to connect to server."

Can you give us some more information about setting up the AD user authentication in the Client settings and the Server settings?

Thank you


Michael Fjellström
2022-05-23T11:14:30Z
Originally Posted by: Nick Hilder 

Hi,

I upgraded to Visual Cron 9.9.8.

The AD users can no longer log in. I have a non-AD user set up to be able to check and update the settings. However, we have staff set up as AD users that need access too.

I checked Settings > Users/Logon. The SPN and UPN fields appear to be new. The software prompts me to add port :636 to the AD hostname. I tried doing this but then the test fails. So I just have the domain name as the AD hostname.

I checked the Client settings. The AD logon option appears to have a new Identity Type option : DNS Identity, Windows Default, UPN Identity and SPN Identity. I tried UPN Identity and then type my full user@domain for the Principal name.

When I save these settings and then click the Connect button, I am prompted for a Password. I type my AD password. There is no error message but the dialog clears and then re-presents itself to me, with the Password input text highlighted. So the login did not work.

I checked the log file and the entry says "ConnectionError: Failed to connect to server."

Can you give us some more information about setting up the AD user authentication in the Client settings and the Server settings?

Thank you




Hi,
How is the VisualCron service started on the machine? Is it running as LocalSystem or as the AD user/some other credential?
NicholasDawson
2022-05-23T14:28:35Z
Ours is using a domain account with run-as-a-service permissions, and I am seeing the same issues in 9.9.8 too.
serverteam
2022-05-23T14:33:06Z
Hello
I've got a similar issue.

AD authentication from the console on the VisualCron server itself is OK,
but from a remote console, it's not working.
- I received a popup about a trial version ??? The server is fully licensed.

I tried multiple methods:
DNS identity : "You need to allow Active Directory logon..."
Windows default:
Connection failed to 'SERVERFQDN:16444'. Connection failed with error:
'The requested upgrade is not supported by 'net.tcp://SERVERFQDN:16444/'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).'

Tried with the VisualCron service running as Local System and with an AD account.

Any help is welcome
Rupert Holden
2022-05-23T14:42:35Z
Same issue here, now having to use local authentication from clients
Gregg
2022-05-24T11:37:42Z
I was having the same issue with AD logon with version 9.9.8 and stumbled on this solution by trial and error. In Credentials section of the connection, in Use Active Directory logon, select "SPN identity" for Identity type and enter a Principal name of: HOST/xxxx where xxxx is your computer name. I don't know why it works, but it does. There is nothing in the Help documentation about the new Identity options.
Rupert Holden
2022-05-24T13:12:59Z
Originally Posted by: Gregg 

I was having the same issue with AD logon with version 9.9.8 and stumbled on this solution by trial and error. In Credentials section of the connection, in Use Active Directory logon, select "SPN identity" for Identity type and enter a Principal name of: HOST/xxxx where xxxx is your computer name. I don't know why it works, but it does. There is nothing in the Help documentation about the new Identity options.



This worked, thank you!
IT Purchases
2022-05-24T18:08:41Z
We had the same with our remote clients not being able to connect after upgrading to 9.9.8. The recommendation to switch to SPN fixed it for us as well. Maybe this 9.9.8 feature was responsible: [FEATURE] Client/Server: Authentication->Increased security for AD auth (VC-2587,VC-2539)
serverteam
2022-05-25T05:52:23Z
Hello, for me, it's not working in 9.9.8.

Connection failed to 'fqdnserver:16444'. Connection failed with error:
'The following remote identity failed verification: 'HOST/fqdnserver'.'

I confirm the SPN exists in AD.

Any idea where I could investigate?
Thx
Michael Fjellström
2022-05-31T09:56:16Z
Unfortunately the documentation got overwritten, but we have it available and it will be available shortly as well. I believe it is available in the online documentation.

Here are screenshots from the documentation related to the new AD auth system and how to properly set up your clients with it.

[Attached screenshots: 2022-05-24_10-26-14.png, 2022-05-24_10-26-05.png]
serverteam
2022-06-01T17:30:27Z
Hello,
Finally a correct configuration has been found and it's working in v9.9.8

In the server:
Allow AD logon : enabled
AD server : ldap dns record

In the client console,
server: servername.domain
type: SPN identity
Principal name : servername.domain (and NOT HOST/servername.domain)

No idea why it's different for me but it's working.

Rgds
Jonathan
Michael Fjellström
2022-06-09T15:23:56Z
Originally Posted by: serverteam 

Hello,
Finally a correct configuration has been found and it's working in v9.9.8

In the server:
Allow AD logon : enabled
AD server : ldap dns record

In the client console,
server: servername.domain
type: SPN identity
Principal name : servername.domain (and NOT HOST/servername.domain)

No idea why it's different for me but it's working.

Rgds
Jonathan



That's very interesting! Could you please go to CMD and type: setspn -l SERVERNAME
And show the results?
MRomer
2022-06-22T17:09:32Z
Originally Posted by: Michael Fjellström 

Originally Posted by: serverteam 

Hello,
Finally a correct configuration has been found and it's working in v9.9.8

In the server:
Allow AD logon : enabled
AD server : ldap dns record

In the client console,
server: servername.domain
type: SPN identity
Principal name : servername.domain (and NOT HOST/servername.domain)

No idea why it's different for me but it's working.

Rgds
Jonathan



That's very interesting! Could you please go to CMD and type: setspn -l SERVERNAME
And show the results?



This configuration worked for me, too. On my client PC, I set:
Server: SERVER1
type: SPN identity
Principal name: server1.domain.tld.

Setting the principal name to HOST/server1.domain.tld did not work.

Here's the output of setspn -l SERVER1
Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=Domain,DC=tld:
WSMAN/SERVER1
WSMAN/SERVER1.Domain.tld
TERMSRV/SERVER1
TERMSRV/SERVER1.Domain.tld
RestrictedKrbHost/SERVER1
RestrictedKrbHost/SERVER1.Domain.tld
MSSQLSvc/server1.domain.tld:1132
HOST/SERVER1
HOST/server1.Domain.tld
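
Editor's added example (not part of any post in this thread, and not VisualCron code): a PowerShell check that parses `setspn -l` output and reports whether each principal name tried in the client is actually a registered SPN. The function names `Get-RegisteredSpn` and `Test-PrincipalName` are hypothetical, and the sample input is the output quoted in the post above.

```powershell
# Constructed sample: the `setspn -l SERVER1` output quoted in the post above.
# On a domain-joined machine use instead: $raw = setspn -l SERVER1
$raw = @'
Registered ServicePrincipalNames for CN=SERVER1,OU=Servers,DC=Domain,DC=tld:
WSMAN/SERVER1
WSMAN/SERVER1.Domain.tld
TERMSRV/SERVER1
TERMSRV/SERVER1.Domain.tld
RestrictedKrbHost/SERVER1
RestrictedKrbHost/SERVER1.Domain.tld
MSSQLSvc/server1.domain.tld:1132
HOST/SERVER1
HOST/server1.Domain.tld
'@ -split "`r?`n"

# Parse lines of the form serviceclass/host[:port]; the header line is skipped
# because it contains spaces and so cannot match the pattern.
function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    foreach ($line in $SetSpnOutput) {
        $t = $line.Trim()
        if ($t -match '^(?<class>[^/\s:]+)/(?<host>[^/:\s]+)(?::(?<port>\d+))?$') {
            [pscustomobject]@{ Spn = $t; Class = $Matches['class']; Host = $Matches['host'] }
        }
    }
}

# Compare a candidate principal name with the registered SPNs.
# PowerShell's -eq is case-insensitive for strings, as SPN comparison is.
function Test-PrincipalName {
    param([string]$Candidate, [object[]]$Registered)
    $exact    = $Registered | Where-Object { $_.Spn  -eq $Candidate }
    $sameHost = $Registered | Where-Object { $_.Host -eq $Candidate }
    [pscustomobject]@{
        Candidate       = $Candidate
        HasServiceClass = $Candidate.Contains('/')
        RegisteredMatch = [bool]$exact
        SpnsForThatHost = ($sameHost | ForEach-Object Spn) -join ', '
    }
}

$spns = Get-RegisteredSpn -SetSpnOutput $raw
'HOST/server1.domain.tld', 'server1.domain.tld', 'HOST/SERVER1' |
    ForEach-Object { Test-PrincipalName -Candidate $_ -Registered $spns } |
    Format-Table -AutoSize
```

On this sample, `HOST/server1.domain.tld` is an exact registered match, while `server1.domain.tld` has no service class and matches no registered SPN, only the host part of several. That is the value reported as working in the posts above, which the thread does not explain.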
Sean Smith
2022-06-22T19:56:53Z
Sorry... I didn't read the entire thread... I had the same issue but resolved it. Check out this thread:
https://www.visualcron.c...aspx?g=Posts&t=10625 