Common Data Centre Security & UMC - AD login failure
In this article, I will cover how to troubleshoot a very common error that occurs when enabling Active Directory within DCS. It's not always obvious from the UMC logs that this is the issue you're encountering.
In this case, the issue is a missing or mismatched UserPrincipalName on the user's AD record. Without this value, DCS integration with AD will not work and the user will not be able to log in.
One of the main concerns with this issue is that, once you enable AD integration in UMC, the dcsadmin account is disabled. You may therefore have lost access to your DCS estate entirely, which is a major concern, especially when active agents are on the ground.
This article takes it from the point where you have enabled AD login, created a number of AD users within the DCS UMC console, but you cannot log in to the UMC console.
Missing or mismatched User Principal Name
Under ..\umc\logs\umc.logs you may see entries such as "looking for UPN" or "retrieving token for userA", but you're still not able to log in.
- Navigate to Active Directory Users and Computers
- Select View and Advanced Features (if not already enabled)
- Search for one of the AD users you've added to UMC
- Open the user's AD Properties
- Select the Attribute Editor tab
- Scroll down the fields in the Attribute Editor and find "userPrincipalName"
- If the value is blank, it will need populating with the user's "User logon name" @ domain, e.g. firstname.lastname@example.org
  - Tip: On the Account tab of the properties, combine the "User logon name" and the domain field to the right of it to make the UPN.
  - Note that it is the full domain and not the alias, i.e. abc123.local, not abc.
- If the value is different, then you have two choices
  - Update the UPN value so that it matches the expected value
  - Inform the user of their UPN value and use this as the login value for DCS
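The check above can be done for every UMC user at once instead of clicking through each account in Attribute Editor. The following PowerShell is an added example written for this article, not a script shipped with DCS or UMC. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read user objects, and that the domain's DNS root (as returned by Get-ADDomain) is the UPN suffix UMC expects; the list of sAMAccountNames is a constructed sample to replace with the users you created in the UMC console.

```powershell
# Added example (not from the original article): audit the userPrincipalName
# of the AD accounts added to UMC and report blank or mismatched values.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Constructed sample: replace with the sAMAccountNames you added in UMC.
$umcUsers = @('jdoe', 'asmith', 'bwong')

# UMC expects "User logon name" @ the full DNS domain (abc123.local), not the
# NetBIOS alias (abc). Assumption: no alternative UPN suffixes are in use.
$expectedSuffix = (Get-ADDomain).DNSRoot

$report = foreach ($sam in $umcUsers) {
    $user = Get-ADUser -Identity $sam -Properties userPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ User = $sam; Status = 'NOT FOUND'; Stored = ''; Expected = '' }
        continue
    }

    $expectedUpn = "$($user.SamAccountName)@$expectedSuffix"

    if ([string]::IsNullOrEmpty($user.UserPrincipalName)) {
        # Blank UPN: this is the case the article describes; AD login to UMC will fail.
        $status = 'BLANK'
    }
    elseif ($user.UserPrincipalName -ne $expectedUpn) {
        # Mismatch: either fix the attribute or tell the user to log in with the stored value.
        $status = 'MISMATCH'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        User     = $sam
        Status   = $status
        Stored   = $user.UserPrincipalName
        Expected = $expectedUpn
    }
}

$report | Format-Table -AutoSize

# Optional remediation for BLANK accounts only. Runs with -WhatIf so nothing is
# changed until you remove it; review the table above first.
foreach ($row in $report | Where-Object Status -eq 'BLANK') {
    Set-ADUser -Identity $row.User -UserPrincipalName $row.Expected -WhatIf
}
```

Accounts flagged MISMATCH are deliberately left alone: the stored UPN may be correct for that user (for example an alternative UPN suffix), in which case the second option from the list above applies and the user simply needs to log in to DCS with the value shown in the Stored column.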