Has Anyone got AD groups into WFA

So I have an AD group; I added it to WFA operators. But the only way I can get it to work is making the user log in. Then I have to add them to the right categories etc. If someone knows how to pull an AD group into WFA, that would be great. I have tried to code it, but I still get nothing. Any help on this would be great. Thanks

Re: Has Anyone got AD groups into WFA

This has been a problem since the beginning. WFA may address this in the future. But till then we need to find a way to work it out. Worry not, I have a solution which fits exactly into your requirement.
I have a workflow that, when executed, pulls out all the users in the AD group that is mentioned as "WFA operators groups" and creates users within WFA. Now you can assign categories to those operator users. You don't need to wait for them to log in to WFA.
When the operators log in using their respective AD credentials, they will get access to the right WFA categories. All problems resolved.
But there is bad news: I'm not able to find the workflow right now. Not sure where I kept the dar.
I'll search for it and try to post it by tomorrow. Wait for my post.

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Has Anyone got AD groups into WFA

Hi lopaka,

I couldn't find my old .dar file. So I made a new solution, and I think I've done it better than what I had last time.
Let's see how it works.

 

Assigning category access for Active Directory "WFA Operators Groups" is not available in WFA. It's only the individual operator users for whom that can be done. And another problem is that domain users in WFA are only created when they log in. This is a problem: the admin needs to wait for operator users to log in to WFA.
The solution I'm providing is a workflow. A workflow which, when executed, will pull out all users in the WFA Operators Groups for every LDAP server mentioned and get them into WFA as operators. Now you can assign categories to them as you wish. You need not wait for them to log in to WFA before assigning categories to them.
When the operators log in using their respective domain credentials, they will get access to categories just as you wanted them to.
Prerequisites:

  1. You need PowerShell 3.0 or above on your WFA server. Windows 2012 has this by default.
  2. Have the WFA configurations defined for LDAP and the WFA Operators Users groups decided as you wish.
  3. Add credentials of a WFA 'Admin' user for 'localhost':

Match: Exact

Type: Other

Name/IP: localhost

Username: <WFA Admin Username>

Password: <User Password>

 

[Screenshot: Credentials_localhost.png]

 4. Add credentials for the Active Directory server. We need them to query the AD server for users in groups.

 

Match: Exact

Type: Other

Name/IP: <Active Directory Server IP>

Username: <Username>

Password: <Password>

 

[Screenshot: AD.png]

Now just import the attached WFA2_2_sinhaa__Workflow_Get_WFA_Ldap_Operator_Users.dar into your WFA server and execute the workflow. It needs NO user inputs; just execute it.

 

Have fun.

 

sinhaa
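The attached .dar and command .txt are sinhaa's; the script below is an added example, not code from this thread, showing the AD side of the procedure above: querying the Active Directory server from prerequisite 4 for every enabled user in a WFA Operators group, nested groups included. The server address, the credential, the group name, and the `Get-AdGroupOperators` function name are assumptions; the WFA user-creation step itself is left to the posted command. It returns both sAMAccountName and userPrincipalName so the admin can use whichever matches the user name attribute chosen under WFA->Configuration->Authentication.

```powershell
<#
  Added example (not sinhaa's .dar or command code): enumerate the members of an
  AD group over LDAP with System.DirectoryServices, which is what a WFA PowerShell
  command must do before it can create the matching WFA operator users.
#>
param(
    [string]$AdServer  = "<Active Directory Server IP>",   # placeholder, see prerequisite 4
    [string]$GroupName = "WFA Operators",                  # assumption: group named in the WFA LDAP config
    [pscredential]$Credential = (Get-Credential -Message "AD account (read access is enough)")
)

Add-Type -AssemblyName System.DirectoryServices

$ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit set on disabled accounts

# Escape a value for use inside an LDAP filter (RFC 4515); backslash must go first.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Read a single-valued attribute from a SearchResult, or $null if it is absent.
function Get-AttrValue($Result, [string]$Name) {
    $v = $Result.Properties[$Name]
    if ($v -and $v.Count -gt 0) { return $v[0] }
    return $null
}

function Get-AdGroupOperators {
    param([string]$Server, [string]$Group, [pscredential]$Cred)

    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server", $Cred.UserName, $Cred.GetNetworkCredential().Password)

    # 1. Resolve the group's distinguishedName.
    $gs = New-Object System.DirectoryServices.DirectorySearcher($root)
    $gs.Filter = "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $Group)))"
    [void]$gs.PropertiesToLoad.Add("distinguishedName")
    $g = $gs.FindOne()
    if (-not $g) { throw "Group '$Group' not found on $Server" }
    $groupDn = [string](Get-AttrValue $g "distinguishedname")

    # 2. Users whose membership chain reaches the group, nested groups included
    #    (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
    $us = New-Object System.DirectoryServices.DirectorySearcher($root)
    $us.Filter = "(&(objectCategory=person)(objectClass=user)" +
                 "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"
    $us.PageSize = 500   # paged results, so large groups are not cut off at the server size limit
    foreach ($attr in "sAMAccountName", "userPrincipalName", "userAccountControl") {
        [void]$us.PropertiesToLoad.Add($attr)
    }

    $seen = @{}
    foreach ($r in $us.FindAll()) {
        $sam = [string](Get-AttrValue $r "samaccountname")
        $uac = [int](Get-AttrValue $r "useraccountcontrol")
        # Disabled AD accounts must not get a WFA operator account.
        if ($uac -band $ADS_UF_ACCOUNTDISABLE) { Write-Verbose "skipping disabled account $sam"; continue }
        # De-duplicate: a user can reach the group through several nested groups.
        if ($seen.ContainsKey($sam.ToLower())) { continue }
        $seen[$sam.ToLower()] = $true
        [pscustomobject]@{
            sAMAccountName    = $sam
            userPrincipalName = [string](Get-AttrValue $r "userprincipalname")
        }
    }
}

$operators = @(Get-AdGroupOperators -Server $AdServer -Group $GroupName -Cred $Credential)
Write-Output ("{0} enabled members of '{1}' on {2}" -f $operators.Count, $GroupName, $AdServer)
$operators | Format-Table -AutoSize
```

Run it once per LDAP server configured in WFA; the credential only needs read access to the directory, which is all the "Type: Other" AD credential from prerequisite 4 should be given. The group name and DN are escaped before being placed in the filter, and disabled accounts are dropped, so a stale or locked AD account never turns into a pre-created WFA operator.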

Re: Has Anyone got AD groups into WFA

Hi Sinhaa,

 

I ran this today on our test WFA instance, and while it did add all the usernames in, it didn't add them with the domain\ prefix or set them up as LDAP users. Is there any way to have these users created as LDAP users instead, by any chance?

 

Re: Has Anyone got AD groups into WFA


Hi Joel,

 

@JoelEdstrom while it did add all the usernames in, it didn't add them with the domain\ prefix

 

----

I don't think you need this Domain\Username format for domain users to log in to WFA. Using just the username works completely. However, if you do log in to WFA using Domain\Username, that too works, but the thing is that in MS Active Directory there is no such attribute of a domain user which I can obtain.

 

Also, this Domain\Username is the old NT login mechanism. Why don't you use the new username@domain login format? WFA totally supports it. All you need to do is

 

WFA->Configuration->Authentication

 

change the user name attribute from sAMAccountName to userPrincipalName. That's all!

 

As in the images below.

[Screenshot: WFA_Ldap.png]

[Screenshot: WFA_login.png]

 

 

 

 

@JoelEdstrom: Is there any way to have these users created as LDAP users instead by any chance?

 

-------

 

Did you notice that when you are creating a new user, WFA doesn't ask you if this is going to be a domain user or a local user? All users in WFA are created local by default. As soon as the same user, i.e. with the same username, succeeds in logging in using the domain authentication, that user gets modified to a domain user, i.e. the column "is ldap" becomes true for them.

 

Every login attempt in WFA first goes through local authentication; if local fails and LDAP is enabled, the same login is attempted using the domains provided for domain authentication. If local fails but the domain succeeds, then the WFA user is allowed access and he/she is marked as a domain user, i.e. the column "is ldap" becomes true for him.

 

This is the very magic-logic behind the solution I provided. I get all the domain users in from the groups as mentioned in your WFA LDAP configuration. I create local users with them. Now when real domain users actually attempt to log in to WFA, their local authentication will fail; it has to. But their domain authentication will pass (assuming they give the right username/password etc.). This upgrades the user to an LDAP user. Now this allows the user access into WFA with the correct roles and category access as assigned by the admin.

 

 

sinhaa

Re: Has Anyone got AD groups into WFA

Thank you for the detailed reply (and this *awesome* workflow) Sinhaa!

 

Good to know on the old NT vs new domain login format. I'll have to test this out.

 

I'll have to do some more testing on the last bit where WFA is supposed to upgrade or pass the failed local credentials through to AD. It's quite possible the other users I was testing with weren't inputting credentials in the correct format. Good to know this is how it's supposed to work though!

 

Thanks again and have a great day.

 

Re: Has Anyone got AD groups into WFA

Hi sinhaa,

 

Could you make this Workflow available for WFA 4.0?

Re: Has Anyone got AD groups into WFA

@moep

 

I can, but you see that I have posted the command code in .txt format too; it's here.

 

All you need to do is in your WFA4.0:

 

1. Create a new command in WFA.

2. Choose language "Powershell".

3. Paste the code and do "Discover Parameters", though this command has no parameters.

4. Provide any string representation within double quotes, e.g. "My command".

5. That's all.

 

You would need to save the credentials of localhost as provided in the steps.

 

 

 

BTW: this Active Directory for Groups is being provided as a feature in the next WFA release. The RC1 is right around the corner. So you would not need this solution after that.

 

warm regards,

sinhaa

Re: Has Anyone got AD groups into WFA

Thanks for the info regarding the RC.

Re: Has Anyone got AD groups into WFA

Hi,

 

We have been looking for this feature for quite some time, and according to the release notes of WFA 4.1RC1 it seems that the feature is included.

 

Has anyone maybe already tried this feature out on the specific version?