
We can authenticate if we log in to the machine hosting the service, but if I have the client installed on my desktop, I can't authenticate with any of the services when my account is in the "Protected Users" group.

This is what my list of services looks like: image.png

More information on the group: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group


Hello Mark,

For troubleshooting purposes, please specify the following:

  • Do you face any errors when trying to connect to the Adaxes service on a remote computer while logged in using credentials of the account that is a member of the Protected Users group? If you do, please post here or send us at support@adaxes.com screenshots of the errors.
  • Can you connect to the Adaxes service on a remote computer when logged in using credentials of the account that is not a member of the Protected Users group?

Any additional details would be much appreciated.

  • If I log into the server that is hosting the Adaxes service, I can log in to the service just fine.
  • If I try to remotely connect to the service using the client, it fails.

The error we get when trying to connect to the service is below. image.png

1 Answer

Best answer

Hello Mark,

Thank you for specifying. The issue occurs because, by default, NTLM is used for the connection between the Administration console and the Adaxes service, while NTLM is prohibited for members of the Protected Users group and Kerberos must be used. To remedy the issue, you can try to do the following:

  1. On the computer where Adaxes Administration Console is installed, navigate to folder C:\Users\All Users\Softerra\Adaxes 3.
  2. Open the Softerra.Adaxes.Adsi.dll.config file with a text editor.
  3. Locate the application/channels/channel XML element.
  4. Set the servicePrincipalName parameter to the username of the Adaxes service account (specified during Adaxes installation) in the username@company.com format. For example:
        <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@company.com">
  5. Save the file.
  6. Close the Adaxes Administration console.
  7. Sign out the currently logged on user and then sign back in.
  8. Launch the Adaxes Administration console.

IMPORTANT: the approach will work only for the Adaxes services that are installed using the credentials of the account whose username is specified in the servicePrincipalName parameter.


Worked! Thank you!
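
The configuration change from the answer above, scripted in PowerShell so it can be repeated on several admin workstations. This is an added example, not part of the original thread and not Softerra's code; the file path and element path come from the answer, while the parameter names, the `.bak` backup and the choice to update every matching channel element are assumptions of this example.

```powershell
# Added example (not Softerra's code). Save as a .ps1 file; run elevated if the folder is not writable.
param(
    # Folder and file name as given in the answer.
    [string]$ConfigPath = 'C:\Users\All Users\Softerra\Adaxes 3\Softerra.Adaxes.Adsi.dll.config',
    # Adaxes service account in the username@company.com format.
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccountUpn
)

$ErrorActionPreference = 'Stop'

if ($ServiceAccountUpn -notmatch '^[^@\s]+@[^@\s]+$') {
    throw "Expected username@company.com format, got '$ServiceAccountUpn'."
}

# Parse as XML instead of editing text, so a malformed file fails before anything is written.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($ConfigPath)

# The application/channels/channel element(s). Assumption: every match gets the same value.
$channels = $xml.SelectNodes('//application/channels/channel')
if ($channels.Count -eq 0) {
    throw "No application/channels/channel element found in $ConfigPath."
}

$changed = $false
foreach ($channel in $channels) {
    $current = $channel.GetAttribute('servicePrincipalName')   # empty string when absent
    if ($current -ne $ServiceAccountUpn) {
        Write-Host "channel ref=$($channel.GetAttribute('ref')): '$current' -> '$ServiceAccountUpn'"
        $channel.SetAttribute('servicePrincipalName', $ServiceAccountUpn)
        $changed = $true
    }
}

if ($changed) {
    # Keep the previous file so the change can be rolled back.
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    $xml.Save($ConfigPath)
    Write-Host 'Saved. Close the console, sign out and back in, then relaunch it.'
} else {
    Write-Host 'servicePrincipalName already set; nothing written.'
}
```

The script is idempotent: a second run with the same account name writes nothing and leaves the backup untouched.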
