Effective December 3, NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources.
For accounts that did not pre-register (prior to Dec 3), access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

Active IQ Unified Manager Discussions

Email notification for domain users

JOHNGARRETT

It looks like I can't enable email notification for domain users. When I check the "notify on:" checkboxes on the Edit User dialogue, the Save button turns blue, but remains grayed out. Am I missing something or is this a bug? Oddly enough, it works just fine with local users.

Before and after screenshots below for your viewing pleasure

23 REPLIES 23

hland

I see the same issue in my lab. Note that the username field is displayed with a red frame. My guess is that WFA tries to validate the input somehow and stumbles upon the \ character that separates domain and username. That's why it doesn't allow you to save it. Likely a bug.

..- Hendrik

JOHNGARRETT

I agree, hland. Seems like a bug. Anyone know how to formally submit a bug report?

sinhaa

Hello John and Hendrik,

         The problem is the '\' character used in the username which is an invalid character for a username. You may try to login without providing the domain name and only use the username.

Domainname: MYDOM

Username: user1

don't user MYDOM\user1 to login. instead only user : user1. You will be able to login successfully and enable the email notifications as well.

WFA is identifying 'MYDOM\user1' and 'user1' as separate users.

warm regards,

Abhishek

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

niels

Hi sinhaa,

"WFA is identifying 'MYDOM\user1' and 'user1' as separate users."

This behavior makes your suggested workaround obsolete. The whole idea of using domain accounts is the fact to not maintain separate local users for WFA.

And I have to confirm this "bug". I'm unable to enable email notification on all my domain users - be it via "Users - Edit" for all users or "account Settings" of an individual user.

I highly recommend filing a BURT and get this fixed.

Kind regards, Niels

sinhaa

See the image below:

Both users (other than admin) are actually the same. When in the 2nd one I've provided 'Domain-name\username'. In the last one I've just used the username and still able to login. If you use this way, you won't face the problem mentioned in the original post.

There is a bug filed not to create users named in the  'Domian-Name\username way. '\' is an invalid character for a username in WFA.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

hland

This works for me, I can login with just the username (omitting the domain part) and the user then gets created without the domain part. This didn't work in previous WFA versions that required the domain part. LDAP-settings are left at the default (as posted by Niels above).

However, I still can't enable the notification. The username still shows up in red and I can't save:

It works fine in WFA1.1.1 (with the domain part included) so I would consider this a regression bug

..- Hendrik

sinhaa

Hendrik,

      This particular error is because your Domain user name [ hland-operator ] has a  '-' (hyphen) in between. Hyphen is another illegal character for a username. If you try to add a new local user you can see the tool-tip which tells "User name can only contain letter, digits, underscores, at signs (@) and dots"

Try to login as a domain user which has its name with only valid characters. Then this should work fine.


If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

olson

Sinhaa,

               This limitation is invalid for LDAP authentication models. Users will have a \ in the name and the authentication portion works fine. However, it is important to allow for enabling of alert actions enabled actions.

sinhaa

I agree. This problem has been identified and perhaps a solution may be available in WFA's future release. Let's see.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

hland

I see

Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

Thanks

Hendrik

sinhaa

Hendrik,

   

@ Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

-------------------------------------

I don't know why was this limitation on characters added. I agree with your point about not having many limitation when integrating with third-party applications. The WFA decisions makers must already be reading through this thread. Perhaps a bug can be filed and corrected in future releases. Lets see how that goes.

@ Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

-----------------------------------------

I'm trying to understand your point. I'm thinking how such a situation can arrive. WFA 2.0 can only work with one Domain name which is given in the LDAP configurations. And we can't have multiple users with the same user name in the same domain name. Hierarchies aren't supported in WFA 2.0 I believe.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

pitrakou

Thanks Guys. So changing the user name attribute to userPrincipalName I can now log in using <user>@domain.com and I can then add the email notifications to the account. Only down side is that the userPrincipalName used @ my client is horrible...... Oh well at least it works

JOHNGARRETT

Ok, so I'm still a bit fuzzy on why some folks have to qualify usernames with the domain name while some don't. Sinhaa, do you have any ideas? If I could get that working I think it would solve my email problem because I won't be using illegal characters anymore.

pitrakou

I am also seeing similar issues with sending emails for Domain users. Like John and Niels I cannot log into WFA with just the user name, I need to use DOMAIN\username.

What's the fix here, if any?

Thanks

bdave

Curious: Can you log in with <user>@<domain> (johndoe@acme.com)?  (assuming you're running Windows 2000 + domain, not NT4-mode)

Thanks,

Dave

olson

Yes you must change the user name attributes: from  sAMAccountName to the userPrincipalName. I have tested this and it works correctly.

Regards,

John


sinhaa

Thanks John for the workaround solution.

5 stars.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

niels

Hi sinhaa,

what build are you using?

My WFA system:

Version:   2.0.0.391.2

Build:    11275

If I omit the domain name, I get "The user name or password is incorrect". For me that indicates WFA cannot resolve an LDAP user in case you don't specify the domain.

regards, Niels

sinhaa

I'm using a newer internal build but I believe that is not the problem. We tried to reproduce the problem and have found a case where it can happen. I think its in the User Logon user names you have created in your domain controller. You have created users with Logon names as: 'DOMAIN\user1' instead of only 'user1' . So looks like your username itself is 'DOMAIN\user1' instead of user1 and thats why when you are not providing DOMAIN\, its unable to find a username.

See below. Does your Logon usernames in your domain controller appear like this with 'DOMAIN\user'?

Create users in domain controller with Logon names like : 'user1' etc. and try.

If you create user Logon names like 'user1' then you'll be able to login to WFA server both as 'DOMAIN\user1' and only 'user1'.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

niels

I checked and all users are correctly configured.

Can you send me your LDAP settings of your WFA instance? I suspect the error may be buried there.

Could be the "Destinguished Name Attribute".

Mine:

But I chose "distinguishedName" on purpose as it could easily be a single user name exists in two (or more) trusted domains and the LDAP server requires the domain attribute to resolve the user name to a single user.

regards, Niels

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public