Policies and Memberships applied to Groups do not get applied when signing into the Web Interface, but work properly in the MMC (155118)

Policies and Memberships applied to Groups do not get applied when signing into the Web Interface, but work properly in the MMC

All Users of Active Roles Server note that Policies and Roles (such as, for example, the Active Roles Administrator Role) which are applied to Groups resolve to members of those Groups and function properly in the MMC, but not in the Web Interface. Policies and Roles which are explicitly applied to the User object resolve properly in the MMC and the Web Interface.

The Kerberos server which is handling the authentication for IIS in this environment is running a non-Windows operating system.

IIS has Windows Authentication enabled by default, which sends User credentials as well as Group membership. It has been noted that some Kerberos servers running on a non-Windows operating system will properly process the User credentials, but ignore/fail-to-process Group Membership. The end result of this is that the User is allowed to log into the Web Interface successfully, but all Policies and Roles which are not explicitly applied to the User do not get applied.

WORKAROUND

In IIS, disable the default Windows Authentication and enable Basic Authentication.

1. Open the Internet Information Services (IIS) Manager
2. Expand the Server Name | Sites | Default Web Site and click on the Web Interface site (for example, ARServerAdmin).
3. Double-click on Authentication.
4. Right-click on Windows Authentication and click Disable.
5. Right-click on Basic Authentication and click Enable.
6. Repeat for any other Active Roles Web Interface Sites.
7. In an elevated command prompt, execute iisreset to restart IIS.

NOTE: User credentials in the credential prompt in the Web Interface must now be entered in the format domain\username

It may also be possible to reconfigure the Kerberos server running on the non-Windows operating system so that it processes Windows Authentication properly. For assistance with this option, please contact the vendor of your Kerberos solution or consult their documentation.