
We're having an issue where removing groups from a user object gets executed in AD and is also reflected when browsing to the user object through the Adaxes Administration Console, but the groups are still shown when viewing the user object through the Web Interface.

Are we doing anything wrong? I cleared my browser cache, but that didn't make a difference. Does anybody experience this issue, too?


Hello,

Could you specify how many instances of Adaxes service you have installed? If there are several, could you check the user's memberships on each of them through the Administration Console?

Also, on how many computers do you have the Web Interface installed?

How many Domain Controllers do you have?


Hello,

Thank you for your fast reply. I didn't see it because I missed the "Notify me" checkbox.

We have one production machine that hosts the Adaxes Service and the Web Interface. In the Adaxes Administration Console I'm connected to this production instance, but it shows that there are other services available and lists the machine that was used for evaluation. I'm not sure where to look for which Adaxes Service the Web Interface is talking to; I thought it's using the production host.

We have two domains connected, because we're in the middle of a domain migration. Each domain has 6 domain controllers.

Today there was a case where a user was removed from two groups at the same time. In the Web Interface, looking at the groups doesn't show the user anymore; looking at the user, it still shows one of the groups.


Hello,

Could you check the value of adaxesConfigurationSetId attribute specified for the Web Interface? To do so:

  1. On the computer where Web Interface is installed, navigate to C:\Program Files\Softerra\Adaxes 3\Web Interface\<Web Interface type>\.
  2. Open Web.config file with a text editor.
  3. Navigate to softerra.adaxes\web.ui XML element and check the value of adaxesConfigurationSetId attribute. It should be 00000000-0000-0000-0000-000000000000 to connect to Adaxes Service installed on the same computer. If the attribute has a different value, replace it with 00000000-0000-0000-0000-000000000000 and save the file.

Web.config contains:

  <web.ui doNotShowExecutionLogForSucceededOperation="true" adaxesConfigurationSetId="00000000-0000-0000-0000-000000000000"
    useMyPropertiesPageAsDefault="true" allowedForRedirectionHosts="*"
    allowIFrameEmbedding="true">

I found out a little more via trial and error; the root cause could be quite complicated. It's not only an issue in the Web Interface but also in the Administration Console. First I was only looking at the detail pane of the console, and this one is correct. But when right-clicking the user to look at his properties and opening the Member Of panel, it shows a different (incorrect) number of groups than the detail pane of the console.

This is the environment:

  • Adaxes talks to domain A and domain B
  • users and groups were in domain A
  • all users and most groups (but not all) were migrated via Microsoft's ADMT from A to B
  • user (in domain B) is in some global and some universal groups of domain B (depending on nested groups of domain A) and some universal groups of domain A directly
  • both groups that were removed from the user were groups of domain B
  • the one that is removed from member-of is universal and the one that is still shown is global
  • I removed management of domain A from Adaxes => member-of was correct!
  • I reconfigured Adaxes to manage Domain A => member-of showing the group again, which the user is not member of
  • I made the global group universal => member-of was correct
  • I made the universal group global again => member-of still correct!

I'm not sure if making it universal and global again did it or if the group just needed to be updated somehow.


Hello,

First I was only looking at the detail pane of the console - this one is correct. But when right-clicking the user to look at his properties and opening the member-of panel it shows a different (incorrect) number of groups than the detail pane of the console.

This is by design, as the detail pane does not show the primary group and cross-domain group memberships.

In Active Directory, it is always the Member attribute of the group that is modified when managing group memberships. Member Of is just a backlink managed automatically by Active Directory. There can be a delay before the attribute is updated; thus, if you check a user's group memberships right after removing them from a group, that group can still be present in the Member Of list.

The issue can be caused by replication delays. For information on how to check whether replication is successful, see the following article: https://technet.microsoft.com/en-us/lib ... 10%29.aspx.
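The distinction drawn above, that member on the group is the attribute that is written and memberOf on the user is only a backlink, is what a practitioner would want to check directly on the domain controllers, outside of Adaxes. The following script is an added example and is not part of this thread or of Adaxes; it assumes the ActiveDirectory RSAT module, and the user name, naming contexts and DC host names in it are hypothetical. It reads the user's memberOf and then verifies it in both directions against the member attribute of the groups, pinning every query to one chosen DC per domain with -Server so that a second run against a different DC isolates replication lag from a genuinely stale backlink.

```powershell
# Added example, not from Adaxes or this thread: cross-check a user's memberOf
# backlink against the member attribute of each group, which is the attribute
# actually written when memberships change. Queries are pinned to one DC per
# domain with -Server so that two DCs can be compared for replication lag.
# Assumes the ActiveDirectory RSAT module; the user name, naming contexts and
# DC host names below are hypothetical.
Import-Module ActiveDirectory

$User = 'jdoe'
$DomainDCs = @{
    'DC=domainA,DC=example,DC=com' = 'dc01.domainA.example.com'   # old domain (assumed)
    'DC=domainB,DC=example,DC=com' = 'dc01.domainB.example.com'   # new domain (assumed)
}

# Everything from the first DC= component of a DN is the domain naming context.
function Get-DomainNC([string]$Dn) { $Dn.Substring($Dn.IndexOf('DC=')) }

# Pinned DC for the domain that holds a given DN.
function Get-DCForDn([string]$Dn) {
    $nc = Get-DomainNC $Dn
    if (-not $DomainDCs.ContainsKey($nc)) { throw "No DC configured for $nc" }
    $DomainDCs[$nc]
}

# Escape a DN for use inside an LDAP filter (RFC 4515 special characters).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Locate the user in whichever configured domain holds the account.
$u = $null
foreach ($dc in $DomainDCs.Values) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$User'" -Server $dc -Properties memberOf, primaryGroupID
    if ($u) { break }
}
if (-not $u) { throw "User '$User' not found in any configured domain" }

# Direction 1: every group in memberOf must list the user's DN in its member attribute.
# A hit here is a backlink that the forward link no longer supports.
$staleBacklinks = foreach ($gDn in $u.memberOf) {
    $g = Get-ADGroup -Identity $gDn -Server (Get-DCForDn $gDn) -Properties member, groupScope
    if ($g.member -notcontains $u.DistinguishedName) {
        [pscustomobject]@{ Group = $gDn; Scope = $g.groupScope; Problem = 'in memberOf, not in member' }
    }
}

# Direction 2: in each domain, find groups whose member attribute names the user;
# any of them absent from memberOf is a forward link the backlink has not caught up with
# (or a cross-domain group that this DC does not hold; see the note below).
$escapedDn = ConvertTo-LdapFilterValue $u.DistinguishedName
$forward = foreach ($kv in $DomainDCs.GetEnumerator()) {
    Get-ADGroup -LDAPFilter "(member=$escapedDn)" -SearchBase $kv.Key -Server $kv.Value -Properties groupScope
}
$missingBacklinks = foreach ($g in $forward) {
    if ($u.memberOf -notcontains $g.DistinguishedName) {
        [pscustomobject]@{ Group = $g.DistinguishedName; Scope = $g.groupScope; Problem = 'in member, not in memberOf' }
    }
}

# Empty output means the backlink agrees with the forward links on the pinned DCs.
@($staleBacklinks) + @($missingBacklinks) | Format-Table -AutoSize
```

Two caveats when reading the output. The memberOf backlink on a DC only covers groups whose member attribute that DC stores, so on a DC that is not a global catalog it omits groups from the other domain; querying the user against a GC (append :3268 to the -Server value) additionally surfaces universal groups from the other domain, while domain-local groups of the other domain never appear in memberOf at all. Second, if the same discrepancy shows up on every DC of the domain after `repadmin /showrepl` reports clean replication, it is not replication lag.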


OK, thanks for the clarification that the difference is by design because of the cross-domain check.

As long as this affects groups that still belong to the old domain, I understand that. Unfortunately the issue happens with users and groups of the same (new) domain. I don't think it's an issue with replication delay because the original problem case is still there (from 10 days ago). Looking at the domain controllers, they don't show the user as a member of the removed groups. Looking at Adaxes, they are still there, but not if I remove the old domain from management (which stops cross-checking this domain), even though the groups are from the new domain.


Hello,

Sorry for the delayed reply.

For further troubleshooting, could you do the following:

  1. Send us a screenshot of Member attribute of the group in Administration Console. We need something like the following:

  2. Send us a screenshot of the user properties in Administration Console. We need something like the following:

  3. Do you still have the group in both domains (meaning that during migration it was copied, not moved)? If you do, could you check the SID and GUID of the group in both domains? To do so:

    • Launch Adaxes Administration Console.
    • Navigate to the group in the Console tree.
    • Right-click the group and click Properties.
    • Click Advanced on the General tab.
    • Copy SID and GUID of the group to a text file and repeat the steps for the group in the second domain.
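The third item above, establishing whether a group still exists in both domains and how the two copies relate, can be done from the DCs rather than by copying values out of the Console by hand. The following script is an added example and is not part of this thread or of Adaxes; it assumes the ActiveDirectory RSAT module, and the group name, user DN, naming contexts and DC host names are hypothetical. It pulls the group with the same sAMAccountName from each domain, reports SID, GUID, sIDHistory and whether the user is still listed in member, and classifies the pair: identical objectGUIDs mean one object that was moved, a domain B sIDHistory entry equal to the domain A SID means an ADMT copy, and anything else is two unrelated objects sharing a name.

```powershell
# Added example, not from Adaxes or this thread: compare the identity of a group
# that exists in both domains after an ADMT migration. A copied group has its own
# objectGUID and objectSid in the new domain; when SID history migration is
# enabled, ADMT records the old domain's SID in sIDHistory on the copy.
# Assumes the ActiveDirectory RSAT module; names and DNs below are hypothetical.
Import-Module ActiveDirectory

$GroupName = 'App-Admins'
$UserDn    = 'CN=jdoe,OU=Users,DC=domainB,DC=example,DC=com'
$DomainDCs = @{
    'DC=domainA,DC=example,DC=com' = 'dc01.domainA.example.com'   # old domain (assumed)
    'DC=domainB,DC=example,DC=com' = 'dc01.domainB.example.com'   # new domain (assumed)
}

# One row per domain in which a group with this sAMAccountName exists.
$copies = foreach ($kv in $DomainDCs.GetEnumerator()) {
    $g = Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'" -SearchBase $kv.Key -Server $kv.Value `
         -Properties objectSid, objectGUID, sIDHistory, groupScope, member, whenChanged
    if ($g) {
        [pscustomobject]@{
            Domain       = $kv.Key
            DN           = $g.DistinguishedName
            Scope        = $g.groupScope
            SID          = $g.SID.Value
            GUID         = $g.objectGUID
            SIDHistory   = @($g.sIDHistory | ForEach-Object { $_.ToString() }) -join ';'
            Members      = @($g.member).Count
            UserIsMember = [bool]($g.member -contains $UserDn)   # forward link, the authoritative one
            WhenChanged  = $g.whenChanged
        }
    }
}
$copies | Format-List

# Relate the two copies. Across forests objectGUIDs can never match, so equal GUIDs
# only occur for an intra-forest move; a matching sIDHistory identifies an ADMT copy.
if (@($copies).Count -eq 2) {
    $a = $copies | Where-Object Domain -like 'DC=domainA,*'
    $b = $copies | Where-Object Domain -like 'DC=domainB,*'
    if ($a.GUID -eq $b.GUID) {
        'Same object in both domains (moved intra-forest, not copied).'
    } elseif (($b.SIDHistory -split ';') -contains $a.SID) {
        'Domain B group is an ADMT copy carrying the domain A SID in sIDHistory.'
    } else {
        'Two unrelated objects with the same name.'
    }
} elseif (@($copies).Count -eq 1) {
    "Group '$GroupName' exists only in $($copies.Domain)."
}
```

The UserIsMember column is the value to compare against what the Console and the Web Interface display: it is read from member, the attribute that is actually written, on a specific DC. If the old-domain copy still lists the user while the new-domain copy does not, that is the situation the questions above are probing for, and it is the pair of SIDs (objectSid and sIDHistory) printed here that support would need to relate the two objects.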
