Policies, Access Templates, and Roles applied to Groups do not get applied when signing into the Web Interface, but work properly in the Active Roles Console (4339131)

Policies, Access Templates, and Roles applied to Groups do not get applied when signing into the Web Interface, but work properly in the Active Roles Console

All Users of Active Roles Server note that Access Templates and Roles (such as, for example, the Active Roles Admin Role) which are applied to Groups resolve to members of those Groups and function properly in the Active Roles Console, but not in the Web Interface. Policies and Roles which are explicitly applied to the User object resolve properly in the Active Roles Console and the Web Interface.

CAUSE 1

The Kerberos server which is handling the authentication for IIS in this environment is running a non-Windows operating system.

IIS has Windows Authentication enabled by default, which should be sending User credentials as well as Group membership. It has been noted that some Kerberos servers running on a non-Windows operating system will properly process the User credentials, but ignore/fail-to-process Group Membership. The end result of this is that the User is allowed to log into the Web Interface successfully, but all Access Templates and Roles which are not explicitly applied to the User do not get applied.

It may also be possible to reconfigure the Kerberos server running on the non-Windows operating system so that it processes Windows Authentication properly. For assistance with this option, please contact the vendor of your Kerberos solution or consult their documentation.

CAUSE 2

If the Kerberos server which is handling authentication for IIS in this environment is running a Windows operating system, it is not passing a complete group membership list in the Kerberos authentication token.

Consult Microsoft resources or contact Microsoft for assistance with this issue.

WORKAROUND

In IIS, disable the default Windows Authentication and enable Basic Authentication.

1. Open the Internet Information Services (IIS) Manager
2. Expand the Server Name | Sites | Default Web Site and click on the Web Interface site (for example, ARWebAdmin).
3. Double-click on Authentication.
4. Right-click on Windows Authentication and click Disable.
5. Right-click on Basic Authentication and click Enable.
6. Repeat for any other Active Roles Web Interface Sites.
7. In an elevated command prompt, execute iisreset to restart IIS.

NOTE: User credentials in the credential prompt in the Web Interface must now be entered in the format domain\username

Basic Authentication should not be used over HTTP. Basic Authentication should only be used over SSL, and over when absolutely necessary. Using Basic Authentication over HTTP will result in the transmission of passwords via plain-text.