-
Titel
Unable to login and access policy denial incorrectly on Windows Server 2012 -
Beschreibung
Joined directly to Windows 2012 domain controller
/opt/quest/bin/vastool user checkaccess user201 returns the following:
ALLOWED [user=user201] [service=login]
Access Rule = [Allow Group - DOMAIN\access-group (users.allow)]
However /opt/quest/bin/vastool user checklogin user201 shows
Access policy denial. User is not authorized to access this host.
DENIED (access denied) [user=user201] [service=login]
Access Rule = [Only Allow rules defined, user does not match any allow rule]
The below command shows that the group is not in the pac
/opt/quest/bin/vastool -u user201 auth -ps groups
-
Ursache
* vasd: Support for Windows 2012 SID compression added in 4.0.3.218
-
Lösung
STATUS:
Support for SID compression was added in Authentication Services 4.0.3.218
WORKAROUND 1:
Turn off SID Compression in 2012. Please refer to Microsoft for information about this.
WORKAROUND2:
Join specify to Windoes 2008 or 2003 domain controllers only.
Please refer to the following KBs on how to accomplish this:
https://support.quest.com/authentication-services/kb/34121
https://support.quest.com/authentication-services/kb/127565
RESOLUTION:
Upgrade to Authentication Services 4.1 Maintenance Release.
-
Änderungsanforderung
309866 -
Weitere Informationen
2012 domain controller support server login fails