AD Group Restriction not working

Think you've found a bug? Post a description here.

Moderator: Serin

Post Reply
cody@fox
New User
Posts: 8
Joined: Thu May 05, 2016 10:58 am

AD Group Restriction not working

Post by cody@fox » Thu May 05, 2016 2:51 pm

I am trying to limit users by AD group. I have added the user directly into the group and made sure it replicated but I get the following error:

Could not authenticate AD user 'johndoe' on domain 'domain.com' : AD user 'johndoe' is not a direct member of required security group 'FTP_Users'

If I remove the group membership requirement AD authentication works normally.

User avatar
Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States
Contact:

Re: AD Group Restriction not working

Post by Serin » Fri May 06, 2016 9:06 am

If you turn on DEBUG mode in the screen logging from the Log page of the Server Manager do you see the expected groups for the AD user listed when you try to login?

cody@fox
New User
Posts: 8
Joined: Thu May 05, 2016 10:58 am

Re: AD Group Restriction not working

Post by cody@fox » Fri May 06, 2016 10:32 am

I turned on debugging and the log shows the user is only part of 1 group. The user is part of at least 10 groups.

User avatar
Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States
Contact:

Re: AD Group Restriction not working

Post by Serin » Fri May 06, 2016 11:24 am

Turn on "Try Alternate AD group check" on the Advanced page of the Server Manager and try again.

How about after making that change?

cody@fox
New User
Posts: 8
Joined: Thu May 05, 2016 10:58 am

Re: AD Group Restriction not working

Post by cody@fox » Fri May 06, 2016 11:30 am

I was just able to resolve the issue by having the server run as a domain account instead of local service.

User avatar
Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States
Contact:

Re: AD Group Restriction not working

Post by Serin » Fri May 06, 2016 12:07 pm

Great, that's another option.

Post Reply