VMware Workspace ONE Community
Seb1180
Enthusiast

The user could not be authenticated

Hi to everyone,

I've been scratching my head over this issue and really hope someone will have a hint on this one.

I am currently building a POC with Horizon View & Workspace (Mirage is for later). I managed to deploy everything fine until the end with certs, AD & View integration, and thanks by the way to the contributors of this forum who helped me solve quite a few of the issues I have faced.

The remaining issue I am facing is pretty strange actually. I am able to log in to Horizon Workspace using the account that was used during the setup (let's call it horizonsvc) but I am unable to log in with any other account.

In the connector under Directory Sync I have the OU where that horizonsvc user is and added another OU to look into. I can sync and import 65 users, and also added a group, but none of them can log in. If I move my personal account into the OU where the horizonsvc account is then I am able to log in; otherwise I am receiving "the user could not be authenticated".

I am running the latest version with a trial license but I doubt there could be a limitation on this.

Has anyone faced this issue?

Cheers

Seb

kpelt
Contributor

Change your Bind DN to the whole domain.  If the service account you are using is not with all of your users it will not be able to find the users outside that OU.  I have seen this documented incorrectly around the interwebs by some.

kpelt
Contributor

I possibly could be mistaken on the "whole domain" as I am seeing it supposedly will not work with that setup.  I have not had issues with this setup but I did change my bind DN to an OU that had my users and horizon admin account within that so it could search the entire OU.

Seb1180
Enthusiast

Thanks Kpelt for your answer.

Indeed you can't change to the whole domain, and I was afraid of getting this answer that the account had to be alongside the users. That leaves me with a problem, as we have 3 top-level OUs, one for each of our sites, and of course redesigning the AD is out of consideration and would bring way too many problems.

However, I don't understand why there is an option to search different OUs if the users can't be authenticated afterwards ... Lucky for me this is just a POC, but for sure the first thing I'll do as soon as I have bought the license is open an SR with support.

Cheers

Seb

sravuri
VMware Employee

Sorry to jump in a little late here. Can you please explain your AD structure a bit?

Is this correct? You have 3 top level OUs - something like OU=Engineering,DC=company,DC=com and OU=Sales,DC=company,DC=com etc. Then, can you set the bindDN to be DC=company,DC=com? As long as the Administrator user can query users in other OUs, it should work, I think.

Please clarify your AD structure a bit.

Seb1180
Enthusiast

Hi Sravuri,

No worries. Any input is valuable for anyone who would face the same issue.

To clarify the structure a bit: our company is made of three entities, each with its own OU under which there are sub-OUs like computers, servers, users ... We had to structure it that way because different policies are applied per entity. So it would be a bit like this:

OU=Company1,DC=my,DC=corp,DC=com

     OU=Users,OU=Company1,DC=my,DC=corp,DC=com

     OU=Servers,OU=Company1,DC=my,DC=corp,DC=com

     ...

OU=Company2,DC=my,DC=corp,DC=com

     OU=Users,OU=Company2,DC=my,DC=corp,DC=com

     OU=Servers,OU=Company2,DC=my,DC=corp,DC=com

     ...

OU=Company3,DC=my,DC=corp,DC=com

     OU=Users,OU=Company3,DC=my,DC=corp,DC=com

     OU=Servers,OU=Company3,DC=my,DC=corp,DC=com

     ...

Aside from this there is another OU for service accounts OU=Service Accounts,DC=my,DC=corp,DC=com in which I had put the Horizonsvc account.

As Kpelt mentioned, if I move my horizon account into the Users OU of Company1, for example, then I can authenticate with every user in that OU. Horizon also sees the other users, as I have added them in the search, but none of them can authenticate. Of course every site will be using Workspace.

Hope this clarifies a bit.

Cheers

Seb

Seb1180
Enthusiast

Just managed to solve it. Thanks to both of you who led me in the right direction.

All users have been imported and can authenticate.

In the connector admin page, under Directory, the base DN has been set to: DC=my,DC=corp,DC=com
In the connector admin page, under Directory, the bind DN has been set to: CN=Horizon Service Account,OU=Service Accounts,DC=my,DC=corp,DC=com

In the connector admin page, under Directory Sync, I have set the OUs like below and excluded what needed to be excluded:

     OU=Users,OU=Company1,DC=my,DC=corp,DC=com

     OU=Users,OU=Company2,DC=my,DC=corp,DC=com

     OU=Users,OU=Company3,DC=my,DC=corp,DC=com

     OU=Service Accounts,DC=my,DC=corp,DC=com

Whoop whoop, that's a great way to start the day. Now I can move on with the config of the apps and so on.

As usual this forum has been of great value. Thanks guys, and let's hope this post might be helpful for someone and save him from scratching his head like I did.

Cheers

Seb

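An added offline check of the connector settings Seb ended up with (example code written for this thread, not VMware's own): it assumes the connector only authenticates users whose OU, like the bind account itself, sits beneath the configured base DN, which is why narrowing the base DN to the service-account OU reproduced the "user could not be authenticated" symptom while the sync still imported the users.

```python
"""Constructed sanity check for a Workspace connector directory configuration.

Assumption (not VMware documentation): the bind DN and every Directory Sync OU
must lie under the base DN, otherwise users in those OUs sync but cannot
authenticate. DN values are taken from the thread above.
"""


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, normalized for comparison.
    Assumes no escaped commas inside values, as in the DNs in this thread."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True if `dn` equals `base` or lies beneath it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_config(base_dn, bind_dn, sync_ous):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not is_under(bind_dn, base_dn):
        problems.append("bind DN %s is outside base DN %s" % (bind_dn, base_dn))
    for ou in sync_ous:
        if not is_under(ou, base_dn):
            problems.append("sync OU %s is outside base DN %s: users sync but "
                            "cannot authenticate" % (ou, base_dn))
    return problems


# Values from the working configuration in the thread.
BASE_DN = "DC=my,DC=corp,DC=com"
BIND_DN = "CN=Horizon Service Account,OU=Service Accounts,DC=my,DC=corp,DC=com"
SYNC_OUS = [
    "OU=Users,OU=Company1,DC=my,DC=corp,DC=com",
    "OU=Users,OU=Company2,DC=my,DC=corp,DC=com",
    "OU=Users,OU=Company3,DC=my,DC=corp,DC=com",
    "OU=Service Accounts,DC=my,DC=corp,DC=com",
]

if __name__ == "__main__":
    print(check_config(BASE_DN, BIND_DN, SYNC_OUS))  # []
    # The original symptom: base DN narrowed to the service-account OU.
    print(check_config("OU=Service Accounts,DC=my,DC=corp,DC=com", BIND_DN, SYNC_OUS))
```

Running it with the narrowed base DN reports the three Company OUs as unreachable, which matches the behaviour Seb saw before the fix.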
sravuri
VMware Employee

Yes, you got it. Thanks for the update. Yes, in my post earlier I mistyped: I meant to say BaseDN instead of BindDN. Good that you figured it out anyway.
