

Description

This procedure describes how to add domain users so that they can be used to log in to the Automation Engine Pilot.

Procedure

1. Steps to do on the domain controller

  • The Automation Engine Server must be added to Active Directory.
  • On the domain controller (Active Directory), the BGSYSTEM user, with the password of the Automation Engine Server, must be present as a normal user.

For domain users to work in the Pilot, the BGSYSTEM user must be able to retrieve the following information about the Pilot users from the domain controller:

  • Does the account exist?
  • Is the password correct?
  • Is it a member of a certain group?

2. On the Automation Engine Server

If Windows domain users are to be granted access to Automation Engine Pilot functionality, they must be added to the BGUSERS or BGADMIN (administrator for the Pilot) Windows group.

To add a Windows domain user to the BGUSERS group, perform the following steps:

  1. Log in as User Administrator.
  2. Right-click the My Computer icon on the desktop and click Manage.
  3. In the Computer Management window open the Computer Management (Local) > System Tools > Local Users and Groups items.
  4. Right-click the item Groups, select the BGUSERS group in the right pane and click Add to Group.
  5. In the BGUSERS Properties window, all the users belonging to the BGUSERS group will be displayed. Click Add….
      
  6. Click the Locations (1) button.
  7. Select the domain name (2) from this location.

  8. Type the user initials.
  9. Click the Check Names button.

    You will see the complete user name (username@domain).
  10. Click OK.
  11. Click Apply. You will see the new user.

You cannot add domain groups to the BGUSERS and BGADMIN groups.

3. Test the new domain user

  1. Open the Pilot and test the new user.
  2. Login: user@domain. No DNS suffix is required.

Before Automation Engine 12.1, if you log in with a domain suffix, you can connect but will not have access rights. Checking the Users panel shows that the user is not logged in.

Since Automation Engine 12.1, you can log in with a domain suffix.

If there are users from a different domain than the Automation Engine:

  1. The second domain must be added in Advanced TCP/IP settings > DNS tab > Append these DNS suffixes.

  2. The Firewall must be open to the domain trust:

    135/TCP/UDP  RPC Endpoint Mapper
    136/TCP/UDP
    137/TCP/UDP
    138/TCP/UDP
    139/TCP/UDP
    389/TCP/UDP  LDAP
    636/TCP      LDAP SSL
    53/TCP/UDP   DNS
    88/TCP/UDP   Kerberos
    445/TCP      SMB
  3. The Domain trust must be set between the two domains.

4. Problems

4.1 Local users are working but domain users aren't

If you enable debugging on LogonServer and then log in, you get a message that the user is not in the BGUSERS or BGADMIN group.

On the Active Directory Server:

  • In Active Directory Users and Computers, go to View and enable the Advanced Features option.
  • In the user settings, under the security settings, Authenticated Users must have Read access.
  • Read General Information and Read Group Membership must be set to Allow.

It is also possible that some domain users work and others do not because they have different security settings.

It is better to put the domain users that must be used for the Automation Engine Pilot in one group and change the security settings for this group.

4.2 It's working with domain users and after a while no users can connect!

  • The only user that can log in is the domain user BGSYSTEM.
  • The bgmd log file has the message:

    LogonServer[6168] 22 Nov 11:30:44.423 - Logon:failed SetCurrentUser (Exception of class BG_EThreadLogonTypeNotGranted
  • Running Activate Server is only a temporary solution.

Reason: The domain controller resets the local policies after some time.

  • Activate Server adds the correct settings to the local policy under User Rights Assignment:
    Log on as batch job

The following users must be present:

  • “Administrators” - needed for the domain users.
  • “BGADMIN” for the local admin user.
  • “BGUSERS” for the local users, digi.
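
To notice when a domain policy refresh has removed these entries again, the effective assignment can be checked on the Automation Engine server. The script below is an added example, not part of the Esko article or product; it assumes an elevated PowerShell session, and the temporary file name and the `Resolve-Sid` helper are illustrative.

```powershell
# Added example: audit "Log on as a batch job" (SeBatchLogonRight) on the
# Automation Engine server. Run elevated; secedit /export needs admin rights.
$required = 'Administrators', 'BGADMIN', 'BGUSERS'   # principals listed in this article

function Resolve-Sid([string]$Name) {
    # Translate an account or group name to its SID string; $null if unresolvable.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'ae-user-rights.inf'       # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are comma separated: "*S-1-5-..." for SIDs, bare account names otherwise.
$granted = @()
if ($line) {
    $granted = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.TrimStart('*') } else { Resolve-Sid $entry }
    } | Where-Object { $_ })
}

# Compare by SID so that name formatting (DOMAIN\name vs. name) does not matter.
$missing = @(foreach ($name in $required) {
    $sid = Resolve-Sid $name
    if (-not $sid) { "$name (cannot be resolved on this machine)" }
    elseif ($granted -notcontains $sid) { $name }
})

if ($missing.Count -gt 0) {
    Write-Warning "Missing from 'Log on as a batch job': $($missing -join ', ')"
} else {
    Write-Output "All required principals hold 'Log on as a batch job'."
}
```

Scheduling this check makes the policy reset visible before Pilot logins start failing with BG_EThreadLogonTypeNotGranted.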

Article information

Applies to: Automation Engine
Created: 01-Apr-14
Last revised: 10-Jun-20
Author: HG