
How to Add AD/LDAP Security Group to ESM

Step 1:

Log in to ESM and navigate to the Domain settings page. If you haven’t yet configured this, you will need to add your domain settings. You must have the proper Base DN, Binding DN, and credentials for the account you will use to connect to Active Directory/LDAP. If you do not know these, contact your Active Directory/Network Admin. You will also need to know the IP address/hostname and port number of that server.

Step 2:

After connecting to AD/LDAP, you need to add a group to ESM. A group named Root will exist by default. Any new groups will be nested under the Root group. In ESM, groups contain both servers and users.

Once the group is added you will see it on the Group List page. Click the group name to go to the group settings page.

Step 3:

In the section titled Domain Associations, click on the pencil-shaped Edit button.

The Domain group drop-down menu will be populated with a list of AD/LDAP security groups. This will only show groups nested under your Base DN. If you do not see your group listed here, make sure you are using the correct Base DN.

You may choose to provide users in this group with the ability to log in to ESM, the exacqVision server, or both. If you provide them with server login privileges, those privileges will be pushed out to all the servers inside that ESM group.

Once you’ve chosen which privileges to provide, click the Associate button to finalize.


Troubleshooting Active Directory Error Messages

Error: “Client Side Kerberos Authentication Failed”

Cause: The setspn command was not run on all Active Directory Servers, or there is a duplicate SPN.

Solution: On the DC, run the setspn command as directed in the appropriate ExacqVision Active Directory setup guide, or run setspn -X to check for duplicates. If a duplicate is found, remove the SPN attribute from all but one of the accounts.


Error: “User not authenticated in LDAP”

Cause: Windows 2000 or earlier Active Directory Domain Functional Level.

Solution: Upgrade the Functional Level of your Domain to Windows 2003 or higher.
See How to raise Active Directory domain and forest functional levels for details.

Alternate Solution:

  • If you are using ExacqVision 4.8 or newer, you can edit the StreamPI.xml file. Change the value of EnableActiveDirectoryUserDisabling from 1 to 0.
  • If you are using an ExacqVision version earlier than 4.8, contact support@exacq.com to obtain an updated DLL.

Error: The connection to the server always shows “Disconnected” in the ExacqVision Client.

Cause: The Binding DN is incorrect.

Solution: Complete the following procedure:

  1. Download Softerra LDAP Browser. (Be sure to click the tab for Browser, NOT Administrator.)
  2. Install and Run LDAP Browser.
  3. Click File and then New Profile.
  4. Enter a name for your new profile and click Next.
  5. Enter the hostname of your AD server in the Host field (or click the Lookup Servers button if you don’t know the host).
  6. Click Next.
  7. Select Currently Logged On User.
  8. Click Finish.
  9. Highlight the new profile you just created in the left panel.
  10. In the Find What box at the top of the right panel, enter the username used to connect to Active Directory in the ExacqVision software.
  11. Press Enter.
  12. After the search completes, find the correct user account.
  13. Right-click the user account and select Properties.
  14. Copy the string in the top portion of the Properties Panel (it should start with CN=).
  15. Paste this string into the Binding DN section of your ExacqVision Client and click Apply.

Error: “Connected, SPN not found”

While there are other possible causes, a ‘Binding DN’ is commonly a long string that is easy to mistype. For instance, the following Distinguished Name will work, but must be typed exactly:

CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local

Any incorrect spacing or punctuation will prevent the SPN from being set properly, and you will see the following entry in the Server log:

StreamPI Warning LDAP: Bind DN was not found. Unable to create SPN.

You can also try the Username instead. In this instance, the username (UPN) for that account is:

exacqSVC@exacqts.local
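
The following offline lint for the Binding DN typos described above is an added example, not exacq code; the function names and the expected attribute-type set are assumptions. It flags stray whitespace and punctuation in a DN before it is pasted into the client, and checks that the DC= components agree with the UPN suffix.

```python
import re

# Attribute types this lint expects in an AD bind DN (an assumption, not a vendor list).
EXPECTED_TYPES = {"CN", "OU", "DC"}

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        escaped = ch == "\\" and not escaped
    parts.append(buf)
    return parts

def dn_domain(dn):
    """Join the DC= values into a DNS name, for comparison with the UPN suffix."""
    pairs = (rdn.partition("=") for rdn in split_rdns(dn))
    return ".".join(v.strip() for a, _, v in pairs if a.strip().upper() == "DC").lower()

def lint_bind_dn(dn, upn=None):
    """Return a list of suspected typos; an empty list means none were detected."""
    problems = []
    for n, rdn in enumerate(split_rdns(dn), 1):
        attr, eq, value = rdn.partition("=")
        if not rdn.strip():
            problems.append(f"RDN {n}: empty (doubled or trailing comma)")
        elif not eq:
            problems.append(f"RDN {n}: missing '=' in {rdn!r}")
        elif attr != attr.strip() or value != value.strip():
            problems.append(f"RDN {n}: whitespace next to ',' or '=' in {rdn!r}")
        elif attr.upper() not in EXPECTED_TYPES:
            problems.append(f"RDN {n}: unexpected attribute type {attr!r}")
        elif not value or re.search(r"(?<!\\)=", value):
            problems.append(f"RDN {n}: empty value or stray '=' in {rdn!r}")
    if upn and dn_domain(dn) != upn.rpartition("@")[2].lower():
        problems.append(f"DC components spell {dn_domain(dn)!r}, not the UPN suffix")
    return problems

GOOD = "CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local"
UPN = "exacqSVC@exacqts.local"
# Constructed mistyped variants of the page's DN:
BAD_SPACE = GOOD.replace(",OU=Indiana", ", OU=Indiana")   # space after a comma
BAD_PUNCT = GOOD.replace(",DC=local", ".DC=local")        # period instead of comma
```

A clean result only means the string is well formed; whether the account exists at that DN still has to be confirmed against the directory, as in the LDAP Browser procedure above.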
