Active IQ Unified Manager Discussions

Email notification for domain users

JOHNGARRETT

It looks like I can't enable email notification for domain users. When I check the "notify on:" checkboxes on the Edit User dialogue, the Save button turns blue, but remains grayed out. Am I missing something or is this a bug? Oddly enough, it works just fine with local users.

Before and after screenshots below for your viewing pleasure


hland

I see the same issue in my lab. Note that the username field is displayed with a red frame. My guess is that WFA tries to validate the input somehow and stumbles upon the \ character that separates domain and username. That's why it doesn't allow you to save it. Likely a bug.

..- Hendrik

JOHNGARRETT

I agree, hland. Seems like a bug. Anyone know how to formally submit a bug report?

sinhaa

Hello John and Hendrik,

The problem is the '\' character used in the username, which is an invalid character for a username. You may try to log in without providing the domain name and only use the username.

Domainname: MYDOM

Username: user1

Don't use MYDOM\user1 to log in. Instead use only: user1. You will be able to log in successfully and enable the email notifications as well.

WFA is identifying 'MYDOM\user1' and 'user1' as separate users.

warm regards,

Abhishek

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

niels

Hi sinhaa,

"WFA is identifying 'MYDOM\user1' and 'user1' as separate users."

This behavior makes your suggested workaround obsolete. The whole idea of using domain accounts is the fact to not maintain separate local users for WFA.

And I have to confirm this "bug". I'm unable to enable email notification on all my domain users - be it via "Users - Edit" for all users or "account Settings" of an individual user.

I highly recommend filing a BURT and getting this fixed.

Kind regards, Niels

sinhaa

Hello Niels,

@ The whole idea of using domain accounts is the fact to not maintain separate local users for WFA.

---------------------------------------------------------------------------------------

My user 'user1' is not a local user. It's a domain user itself. I'm just saying not to provide the domain-name when trying to log in. You'll be able to log in, and if you access the "Users" page you'll see the column LDAP will be set to true for this user, indicating it's a Domain user and not a local user.

Domain-name: MYDOM

username: user1

In the login page don't use: 'MYDOM\user1'. Just use 'user1' and provide password.


sinhaa

See the image below:

Both users (other than admin) are actually the same. In the 2nd one I've provided 'Domain-name\username'. In the last one I've just used the username and am still able to log in. If you use this way, you won't face the problem mentioned in the original post.

There is a bug filed not to create users named in the 'Domain-Name\username' way. '\' is an invalid character for a username in WFA.


niels

Hi sinhaa,

What build are you using?

My WFA system:

Version:   2.0.0.391.2

Build:    11275

If I omit the domain name, I get "The user name or password is incorrect". For me that indicates WFA cannot resolve an LDAP user in case you don't specify the domain.

regards, Niels

sinhaa

I'm using a newer internal build but I believe that is not the problem. We tried to reproduce the problem and have found a case where it can happen. I think it's in the User Logon user names you have created in your domain controller. You have created users with Logon names as: 'DOMAIN\user1' instead of only 'user1'. So it looks like your username itself is 'DOMAIN\user1' instead of user1, and that's why when you are not providing DOMAIN\, it's unable to find a username.

See below. Do your Logon usernames in your domain controller appear like this with 'DOMAIN\user'?

Create users in domain controller with Logon names like : 'user1' etc. and try.

If you create user Logon names like 'user1' then you'll be able to login to WFA server both as 'DOMAIN\user1' and only 'user1'.


niels

I checked and all users are correctly configured.

Can you send me your LDAP settings of your WFA instance? I suspect the error may be buried there.

Could be the "Distinguished Name Attribute".

Mine:

But I chose "distinguishedName" on purpose, as it could easily be that a single user name exists in two (or more) trusted domains and the LDAP server requires the domain attribute to resolve the user name to a single user.

regards, Niels

JOHNGARRETT

niels, my configuration is the same as yours. I also must qualify users with "MYDOMAIN\" when logging in to WFA.

Can someone with "working" LDAP post the configuration?

sinhaa

My WFA LDAP configuration is the following. It looks the same as yours.


hland

This works for me, I can log in with just the username (omitting the domain part) and the user then gets created without the domain part. This didn't work in previous WFA versions that required the domain part. LDAP settings are left at the default (as posted by Niels above).

However, I still can't enable the notification. The username still shows up in red and I can't save:

It works fine in WFA 1.1.1 (with the domain part included), so I would consider this a regression bug.

..- Hendrik

sinhaa

Hendrik,

This particular error is because your Domain user name [ hland-operator ] has a '-' (hyphen) in between. Hyphen is another illegal character for a username. If you try to add a new local user you can see the tool-tip which tells "User name can only contain letter, digits, underscores, at signs (@) and dots".

Try to log in as a domain user which has its name with only valid characters. Then this should work fine.



hland

I see

Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

Thanks

Hendrik

sinhaa

Hendrik,

   

@ Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

-------------------------------------

I don't know why this limitation on characters was added. I agree with your point about not having many limitations when integrating with third-party applications. The WFA decision makers must already be reading through this thread. Perhaps a bug can be filed and corrected in future releases. Let's see how that goes.

@ Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

-----------------------------------------

I'm trying to understand your point. I'm thinking how such a situation can arise. WFA 2.0 can only work with one Domain name, which is given in the LDAP configurations. And we can't have multiple users with the same user name in the same domain name. Hierarchies aren't supported in WFA 2.0, I believe.


JOHNGARRETT

Ok, so I'm still a bit fuzzy on why some folks have to qualify usernames with the domain name while some don't. Sinhaa, do you have any ideas? If I could get that working I think it would solve my email problem because I won't be using illegal characters anymore.

pitrakou

I am also seeing similar issues with sending emails for Domain users. Like John and Niels I cannot log into WFA with just the user name, I need to use DOMAIN\username.

What's the fix here, if any?

Thanks

bdave

Curious: Can you log in with <user>@<domain> (johndoe@acme.com)? (assuming you're running Windows 2000 + domain, not NT4-mode)

Thanks,

Dave

olson

Yes, you must change the user name attributes: from sAMAccountName to the userPrincipalName. I have tested this and it works correctly.

Regards,

John
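
The logon-name forms discussed in this thread, checked against the character rule from the tool-tip quoted above. This is an added example, not part of any post and not WFA code. The ASCII-only reading of "letter" and the helper names are assumptions, and the last sample name is constructed.

```python
import re

# Character set from the tool-tip quoted in the thread: letters, digits,
# underscores, at signs (@) and dots. ASCII-only letters are an assumption;
# WFA's real validation code is not shown on the page.
ALLOWED = re.compile(r"[A-Za-z0-9_@.]")


def classify(name):
    """Return the logon-name form: 'down-level', 'upn' or 'bare'."""
    if "\\" in name:
        return "down-level"  # DOMAIN\user
    if "@" in name:
        return "upn"         # user@domain, as in userPrincipalName
    return "bare"            # plain name, as in sAMAccountName


def offending_chars(name):
    """Characters the tool-tip rule rejects, in first-seen order."""
    seen = []
    for ch in name:
        if not ALLOWED.fullmatch(ch) and ch not in seen:
            seen.append(ch)
    return seen


def check(name):
    """Summarise one logon name against the tool-tip rule."""
    bad = offending_chars(name)
    return {"name": name, "form": classify(name),
            "valid": bool(name) and not bad, "rejects": bad}


# Names taken from the thread, plus one constructed UPN with a hyphen.
SAMPLES = [
    "MYDOM\\user1",
    "user1",
    "hland-operator",
    "johndoe@acme.com",
    "hland-operator@acme.com",  # constructed: UPN form does not rescue '-'
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = check(s)
        verdict = "ok" if r["valid"] else "rejected: " + " ".join(r["rejects"])
        print(f"{r['name']:<26} {r['form']:<11} {verdict}")
```

Under this rule a user@domain name passes while DOMAIN\user does not, and a hyphen in the account name is rejected in either form.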


sinhaa

Thanks John for the workaround solution.

5 stars.
