Active IQ Unified Manager Discussions

Has Anyone got AD groups into WFA

lopaka
20,309 Views

So I have a AD group I added it to WFA operators. But the only way I can get it to work is making the user login. Then I have to added them to the right categories ect. If someone knows how to pull AD group into WFA that would be great. I have tried to code it but I still get nothing. Any help on this would be great. Thanks

1 ACCEPTED SOLUTION

sinhaa
20,222 Views

 

Hi lopaka,

    I couldn't find my old dar file. So I made a new solution and I think I've done it better than what I had last time.

 

Let's see how it works.

 

Assigning Category access for Active Directory "WFA Operators Groups" is not available in WFA. Its only the individual operator users that can be done. And another problem that domain users in WFA are only created when they login. This is a  problem that the Admin needs to wait for operators users to login into WFA. 

 

This solution I'm providing is a workflow. A workflow which when executed will pull out all Users in the WFA Operators Groups for every LDAP server mentioned and get them into WFA as operators. Now you can assign Categories to them as you wish. You need not wait for them to login into WFA before assigning categories to them.

 

When the operators login using their respective Domain credentials, they will get access to categories just as you wanted them to be.

 

Prerequisites:

 

  1. You need Powershell 3.0 or above on your WFA server. Windows2012 by default has this. 
  2. Have the WFA Configurations defined for LDAP and Wfa Operators Users groups decided as you wish.
  3. Add credentials of a WFA ‘Admin’ user for ‘localhosthost

Match: Exact

Type: Other

Name/IP: localhost

Username: <WFA Admin Username>

Password: <User Password>

 

Credentials_localhost.png

 

 

 4. Add credentials for the Active Directory server. We need it to query the AD server for users in groups.

 

Match: Exact

Type: Other

Name/IP: <Active Directory Server IP>

Username: <Username>

Password: <Password>

 

AD.png

 

 

Now just import the attached WFA2_2_sinhaa__Workflow_Get_WFA_Ldap_Operator_Users.dar into your WFA server and Execute the workflow. It needs NO user inputs, just execute it.

 

Have fun.

 

sinhaa

 

 

 

 

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

15 REPLIES 15

sinhaa
20,186 Views

This has been a problem since the beginning. WFA may address this in future. But till then we need to find a way to work it out. wory not, I have solution which fits exactly into your requirement.

 

I have a workflow that when executed pulls out all the Users in the AD Group that is mentioned as "WFA operators groups" and create users with in WFA. Now you can assign Categories to those Operator users. You don't need to wait for them to login into WFA.

 

When the operators login using their respective AD credentials, they will get access to the right WFA categories. All problems resolved.

 

But there is a bad news that I'm not able to find the workflow right now Man Sad , Not sure where I kept the dar.

 

I'll search for it and try to post it by tomorrow. Wait for my post.

 

sinhaa

 

 

 

 

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

sinhaa
20,223 Views

 

Hi lopaka,

    I couldn't find my old dar file. So I made a new solution and I think I've done it better than what I had last time.

 

Let's see how it works.

 

Assigning Category access for Active Directory "WFA Operators Groups" is not available in WFA. Its only the individual operator users that can be done. And another problem that domain users in WFA are only created when they login. This is a  problem that the Admin needs to wait for operators users to login into WFA. 

 

This solution I'm providing is a workflow. A workflow which when executed will pull out all Users in the WFA Operators Groups for every LDAP server mentioned and get them into WFA as operators. Now you can assign Categories to them as you wish. You need not wait for them to login into WFA before assigning categories to them.

 

When the operators login using their respective Domain credentials, they will get access to categories just as you wanted them to be.

 

Prerequisites:

 

  1. You need Powershell 3.0 or above on your WFA server. Windows2012 by default has this. 
  2. Have the WFA Configurations defined for LDAP and Wfa Operators Users groups decided as you wish.
  3. Add credentials of a WFA ‘Admin’ user for ‘localhosthost

Match: Exact

Type: Other

Name/IP: localhost

Username: <WFA Admin Username>

Password: <User Password>

 

Credentials_localhost.png

 

 

 4. Add credentials for the Active Directory server. We need it to query the AD server for users in groups.

 

Match: Exact

Type: Other

Name/IP: <Active Directory Server IP>

Username: <Username>

Password: <Password>

 

AD.png

 

 

Now just import the attached WFA2_2_sinhaa__Workflow_Get_WFA_Ldap_Operator_Users.dar into your WFA server and Execute the workflow. It needs NO user inputs, just execute it.

 

Have fun.

 

sinhaa

 

 

 

 

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

JoelEdstrom
19,803 Views

Hi Sinhaa,

 

I ran this today on our test WFA instance and while it did add all the usernames in, it didn't add them with the domain\ prefix or set them up as LDAP users.  Is there any way to have these users created as LDAP users instead by any chance?

 

sinhaa
19,783 Views

Hi Joel,

 

@JoelEdstrom while it did add all the usernames in, it didn't add them with the domain\ prefix

 

----

I don't think you need this Domain\Username format for domain users login to WFA. Using just the Username  completely works. However if you do login into WFA using Domain\Username, that too works but the thing is in MS Active Director there is no such attribute of a domain user which I can obtain.

 

Also this Domain\Username is the old NT login mechanism. Why don't you use the new username@domain login format. WFA totally supports it. All you need to do is

 

WFA->Configuration->Authentication

 

change the user name Attribute from sAMAccountName to userPrincipalName . That's All!!

 

As the image below.

 

WFA_Ldap.png

 

 

WFA_login.png

 

 

 

 

@JoelEdstrom .  Is there any way to have these users created as LDAP users instead by any chance?

 

-------

 

Did you notice that when you are creating a new user, WFA doesn't ask you if this is going to be a domain user or local user? All users in WFA by default are created local. As soon as the same user i.e. with same username succeeds login using the Domain authentication, the same same users get modified to domain users i.e. column "is ldap" will become true for them.

 

Every login attempt in WFA is first looked for local authentication, if local fail and LDAP is enabled the the same login is attempted using the Domains provided for domain authentication. If local fails but the domain succeeds, then the WFA user is allowed access and he/she is marked as a  Doamin user i.e. column "is ldap" becomes true for him. 

 

This is the very  magic-logic behind the solution I provided Man Happy . I get all the Domain users in from the Groups as mentioned in Your WFA LDAP configurations. I created local users with them. Now when real domain users actually attempt login into WFA, their local authentication will fail, it has to. But their Domain authentication will pass (assuming they give right username/password etc.). This upgrades the user to LDAP user.  Now this will allow the user the access into WFA with the correct roles and category access as assigned by the Admin. 

 

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

JoelEdstrom
19,768 Views

Thank you for the detailed reply (and this *awesome* workflow) Sinhaa!

 

Good to know on the old NT vs new domain login format.  I'll have to test this out.

 

I'll have to do some more testing on the last bit where WFA is supposed to upgrade or pass the failed local credentials through to AD.  It's quite possible the other users I was testing with weren't inputting credentials in the correct format.  Good to know this is how it's supposed to work though!

 

Thanks again and have a great day.

 

moep
19,009 Views

Hi sinhaa,

 

Could you make this Workflow available for WFA 4.0?

sinhaa
18,998 Views

@moep

 

I can, but you see that I have posted the command code in .txt format too, its here.

 

All you need to do is in your WFA4.0:

 

1. Create a new command in WFA.

2. Choose language "Powershell".

3. Paste the code, do discover Parameters. Though this command has no parameters.

4. Provide any String representation within double quotes. ex: "My command"

5. Thats all.

 

You would need to save the credentials of localhost as provided in the steps.

 

 

 

BWT: This Active directory for Groups is being provided as a feature in next WFA release. The RC1 is right on the corner. So you would now not need this solution after that. 

 

warm regards,

sinhaa

 

 

 

 

 

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

moep
18,968 Views

Thanks for the info regarding the RC.

Axis
18,837 Views

Hi,

 

We have been looking for this feature for quite some time, and according to the release notes of WFA 4.1RC1 it seems that the feature is included.

 

Has anyone maybe already tried this feature out on the specific version?

 

 

 

moep
17,011 Views

I can confirm it is working in 4.1RC1. But the RC has a bug and cannot be connected to OCUM 7.0. I would suggest to wait for 4.1 GA.

sinhaa
17,002 Views

@moep

 

The bug that you are refering to ( Bug ID 1058468) is NOT a wfa 4.1RC1 bug, its an OCUM bug in their pairing feature. OCUM 7.0 or later can be acquired by WFA. So NO error in WFA

 

You can go ahead and use WFA4.1RC1

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

moep
16,992 Views

Well as a customer I am blocked from viewing the bug details. Anyway the issue stays the same. You can't pair OCUM 7 with WFA 4.1RC1.

Richard
16,787 Views

We have used 4.1 for a while and delegation of a workflow category to an Active Directory group works just fine. However, this requires that the AD group is assigned to the role Operator and is thereby free to execute to ALL workflows, including the built-in. So if I create a custom workflow to resize home directory quotas and delegate this to AD\HelpDesk, this means that the HelpDesk users happily can delete volumes, break SnapMirrors etc - unless I have explicitly "un-delegated" the built-in workflows. Correct me if I am wrong...

 

The workaround we have done is to create a dummy user with the Operator role and restricted all built-in workflows to this user. Sad thing about this is that the category structure must be carefully reviewed every time WFA is upgraded. There is also a couple of built-in workflows under "No category" and these can apparently not be "un-delegated" unless they are moved in to one of the categories.

 

Another caveat is that the Active Directory name appears to be case sensitive. Adding the group AD\Helpdesk in WFA did not work as the group name was spelled HelpDesk in AD. Everything worked fine when I added the group with identical spelling. Is this by design?

 

 

Best regards

Richard

 

dkorns
16,755 Views

Richard ... I think there is an easier way to mask the builtin workflows from operators. In the 4.1 verson of WFA, under Administration -> WFA Configuration -> Advanced tab, uncheck packs which hold all the built-in workflows you don't want them seeing (probably all of them). 

 

show-wfs.png

 

WFA starts out assuming you want to see all the builtins in the portal but when you go into production I think everyone would want to hide the provided examples. If WFA 4.x, the examples are formally part of Packs hence the ability to pick which packs you want to present or not.

 

In earlier versions of WFA a similar function was under the Other tab and called 'Show example workflows in portal', 

 

 

Richard
16,744 Views

Ok. I noticed that the "Show example workflows" was removed in later versions. Thanks for pointing this out Smiley Happy

Public