I see the same issue in my lab. Note that the username field is displayed with a red frame. My guess is that WFA tries to validate the input somehow and stumbles upon the \ character that separates domain and username. That's why it doesn't allow you to save it. Likely a bug.

..- Hendrik

I agree, hland. Seems like a bug. Anyone know how to formally submit a bug report?

Hello John and Hendrik,

         The problem is the '\' character used in the username which is an invalid character for a username. You may try to login without providing the domain name and only use the username.

Domainname: MYDOM

Username: user1

don't user MYDOM\user1 to login. instead only user : user1. You will be able to login successfully and enable the email notifications as well.

WFA is identifying 'MYDOM\user1' and 'user1' as separate users.

warm regards,

Abhishek

Hi sinhaa,

"WFA is identifying 'MYDOM\user1' and 'user1' as separate users."

This behavior makes your suggested workaround obsolete. The whole idea of using domain accounts is the fact to not maintain separate local users for WFA.

And I have to confirm this "bug". I'm unable to enable email notification on all my domain users - be it via "Users - Edit" for all users or "account Settings" of an individual user.

I highly recommend filing a BURT and get this fixed.

Kind regards, Niels

Hello Niels,

@ The whole idea of using domain accounts is the fact to not maintain separate local users for WFA.

---------------------------------------------------------------------------------------

My user 'user1' is not a local user. Its a domain user itself. I'm just saying not to provide the domain-name when trying to login. You'll be able to login and if you access the "users' page you'll see the column LDAP will be set to true for this user indicating its a Domain user and not a local user.

Domain-name: MYDOM

username: user1

In the login page don't use: 'MYDOM\user1'. Just use 'user1' and provide password.

See the image below:

Both users (other than admin) are actually the same. When in the 2nd one I've provided 'Domain-name\username'. In the last one I've just used the username and still able to login. If you use this way, you won't face the problem mentioned in the original post.

There is a bug filed not to create users named in the  'Domian-Name\username way. '\' is an invalid character for a username in WFA.

Hi sinhaa,

what build are you using?

My WFA system:

Version:   2.0.0.391.2

Build:    11275

If I omit the domain name, I get "The user name or password is incorrect". For me that indicates WFA cannot resolve an LDAP user in case you don't specify the domain.

regards, Niels

I'm using a newer internal build but I believe that is not the problem. We tried to reproduce the problem and have found a case where it can happen. I think its in the User Logon user names you have created in your domain controller. You have created users with Logon names as: 'DOMAIN\user1' instead of only 'user1' . So looks like your username itself is 'DOMAIN\user1' instead of user1 and thats why when you are not providing DOMAIN\, its unable to find a username.

See below. Does your Logon usernames in your domain controller appear like this with 'DOMAIN\user'?

Create users in domain controller with Logon names like : 'user1' etc. and try.

If you create user Logon names like 'user1' then you'll be able to login to WFA server both as 'DOMAIN\user1' and only 'user1'.

I checked and all users are correctly configured.

Can you send me your LDAP settings of your WFA instance? I suspect the error may be buried there.

Could be the "Destinguished Name Attribute".

Mine:

But I chose "distinguishedName" on purpose as it could easily be a single user name exists in two (or more) trusted domains and the LDAP server requires the domain attribute to resolve the user name to a single user.

regards, Niels

niels, my configuration is the same as yours. I also must qualify users with "MYDOMAIN\" when logging in to WFA.

Can someone with "working" LDAP post the configuration?

This works for me, I can login with just the username (omitting the domain part) and the user then gets created without the domain part. This didn't work in previous WFA versions that required the domain part. LDAP-settings are left at the default (as posted by Niels above).

However, I still can't enable the notification. The username still shows up in red and I can't save:

It works fine in WFA1.1.1 (with the domain part included) so I would consider this a regression bug

..- Hendrik

Hendrik,

      This particular error is because your Domain user name [ hland-operator ] has a  '-' (hyphen) in between. Hyphen is another illegal character for a username. If you try to add a new local user you can see the tool-tip which tells "User name can only contain letter, digits, underscores, at signs (@) and dots"

Try to login as a domain user which has its name with only valid characters. Then this should work fine.

My WFA LDAP configuration is the following. It looks same as yours.

I see

Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

Thanks

Hendrik

Hendrik,

@ Is there any reason for this limitation? It's a perfectly valid LDAP/Active Directory username and if we integrate with such third-party applications we should try to not have any unnecessary limitations. Such usernames exist in customer environments.

-------------------------------------

I don't know why was this limitation on characters added. I agree with your point about not having many limitation when integrating with third-party applications. The WFA decisions makers must already be reading through this thread. Perhaps a bug can be filed and corrected in future releases. Lets see how that goes.

@ Also, I'd prefer to have the domain part included in the username. Larger customers tend to have several sub-domains (with trust relationships) and it would be nice if we could tell to which sub-domain a user belongs.

-----------------------------------------

I'm trying to understand your point. I'm thinking how such a situation can arrive. WFA 2.0 can only work with one Domain name which is given in the LDAP configurations. And we can't have multiple users with the same user name in the same domain name. Hierarchies aren't supported in WFA 2.0 I believe.