Posted on 08-30-2016 03:26 PM
So I'm having an issue with authentication for admins at offices other than my own. Here are the details -
Members of the Admins group in Boise can access the JSS web portal, but when they try to log in the page "refreshes" with no error message. This is for multiple users with multiple platforms and various browsers. This should rule out end user issues.
So I move on to LDAP / authentication issues. Initially, I associated the JSS with only the SFO-AD1 server, figuring the Admins group would be available over LDAP. I'm guessing that it was not, so I added in the BOI-AD1 server. This resolved nothing. So then I authenticated to the domain, still no change. Here's the weird part - testing their user names in the LDAP Servers section of the JSS loads their information normally. The Search Base for BOI-AD1 appears to be pointed at the correct OU where the accounts reside.
The issue is getting a little embarrassing at this point, if anyone could point me in the right direction I'd sincerely appreciate it.
EDIT - I'm on v9.93.
Posted on 08-30-2016 05:39 PM
@chovrud We have been having a similar issue if not the same for about six months. JAMF support have tried all number of things to resolve it, but nothing has fixed it. In our case the authentication drop outs are really random, but like you only affect techs associated with AD groups. local techs in the JSS have no issues or drop outs.
If your TAM wants to check this is the support ticket number: ref:_00D80cOw4._5001A16EyQ8:ref
If we run the LDAP test for user and group membership and the tech could then login, no other changes were made.
Posted on 08-31-2016 06:55 AM
One more thing - members of the Admins group here in San Francisco can log in normally.
Posted on 09-01-2016 11:56 AM
Thanks for the response, glad I'm not the only one. Still feel like a goober in front of the rest of my admin team, unable to facilitate such basic access.
Posted on 09-01-2016 01:23 PM
The AD authentication happens between the application server (JSS in SFO ?) and a domain controller (SFO-AD1 ?), so I can't think of a reason it would matter where the user is that is logging in to the JSS. Are there multiple application servers?
If you think it is authentication I'd put it back to just doing the lookup from the one local domain controller (local to where the JSS is) for simplicity and performance.
A few things I would follow up on...just throwing out ideas...most probably won't help but maybe one will!:
- Did it work for these BOI users in the past?
- Any changes with the AD service account?
- Screen share and have a BOI user try to login from your browser....and vice versa. This should help narrow it down to a location or user issue.
- You mentioned the test AD lookup works in the JSS....does it show they are member of the Admin group as well? Are the BOI users in a different OU in AD that the service account can't access?
- Is there anything in the web app logs that shows the authentication attempts? Or the SFO-AD1 logs to see that authentication is happening/attempted?
- Is the login page redirecting them to a port that is blocked by a firewall at the remote site?