RTC + Active Directory with Global Catalog
Hi guys,
We've already set some RTC servers with AD (Active Directory) before, but now we are having problems with the AD Global Catalog.
Active Directory Global Catalog reference:
http://technet.microsoft.com/en-us/library/cc728188%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work%28WS.10%29.aspx
http://www.brunobraga.com.br/img/jazz/ad_global_catalog.png
Config Details:
- We are connecting RTC in domain A, which has under it the domain B, C and D.
- The users and groups are in domain B, C and D, ok?
- The RTC configuration including the setup / test was done without problems.
So, we can add Active Directory users, like that:
http://www.brunobraga.com.br/img/jazz/rtc_user_groups.png
But RTC failed to read groups / permissions, and when he tries to log in:
http://www.brunobraga.com.br/img/jazz/rtc_user_login.png
He has to be an admin.
Ok, you could tell me that this is a problem of "web.xml". This is usually caused by lack of mapping of the groups (AD x Jazz) in web.xml or teamserver.properties.
But apparently the settings are ok and if you want I can send these files by email for review.
I believe the problem comes when RTC tries to read the groups from the Global Catalog. There is some consideration about that?
We have some debug / log for this?
One answer
We changed the Group Scope from Global to Universal and that fixed the problem.
Group Scopes: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
So, to use AD with a Global Catalog (multiple domains) it is necessary to have groups with Universal scope.
Can this solution / requirement be documented?
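As an added example (not code from the original post or from RTC itself): a small Python helper that decodes the Active Directory `groupType` attribute so an administrator can list which Jazz groups are still Global scope and therefore will not have their membership replicated to the Global Catalog. The group entries below are constructed sample data; in practice the `groupType` values would come from an LDAP query for `(objectClass=group)` against the Global Catalog port (3268).

```python
# Bit flags of the AD groupType attribute (stored as a signed 32-bit integer,
# so security groups show up as negative numbers in LDAP results).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL        = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL  = 0x00000004
GROUP_TYPE_UNIVERSAL     = 0x00000008
GROUP_TYPE_SECURITY      = 0x80000000

_SCOPE_NAMES = [
    (GROUP_TYPE_UNIVERSAL, "Universal"),
    (GROUP_TYPE_GLOBAL, "Global"),
    (GROUP_TYPE_DOMAIN_LOCAL, "DomainLocal"),
    (GROUP_TYPE_BUILTIN_LOCAL, "BuiltinLocal"),
]


def decode_group_type(group_type):
    """Return {'scope': ..., 'security': bool} for a raw groupType value."""
    value = group_type & 0xFFFFFFFF          # normalise the signed LDAP integer
    scope = next((name for bit, name in _SCOPE_NAMES if value & bit), "Unknown")
    return {"scope": scope, "security": bool(value & GROUP_TYPE_SECURITY)}


def find_non_universal(groups):
    """Names of groups whose membership the Global Catalog does not carry.

    Only Universal groups have their member list replicated to every GC, so a
    multi-domain lookup through port 3268 returns empty membership for Global
    and Domain Local groups, which is the symptom described in the question.
    """
    return [name for name, gt in groups.items()
            if decode_group_type(gt)["scope"] != "Universal"]


# Constructed sample: what a GC search for the Jazz groups might return.
# -2147483646 == 0x80000002 (security, Global); -2147483640 == 0x80000008
# (security, Universal); 2 is a plain Global distribution group.
SAMPLE_GROUPS = {
    "DomainB\\JazzUsers": -2147483646,
    "DomainB\\JazzAdmins": -2147483640,
    "DomainC\\JazzProjectAdmins": 2,
}

if __name__ == "__main__":
    for name in find_non_universal(SAMPLE_GROUPS):
        print(f"{name}: scope {decode_group_type(SAMPLE_GROUPS[name])['scope']}, "
              "change to Universal for Global Catalog lookups")
```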
Comments
Based on the documentation from Microsoft, it would appear that in a scenario with two domains you would need to create 12 AD groups (JazzUsers, JazzProjectAdmins, JazzDWAdmins, JazzAdmins)?
Universal Groups - JazzUsers, JazzProjectAdmins, JazzDWAdmins, JazzAdmins
Then DomainA Groups - JazzUsers, JazzProjectAdmins, JazzDWAdmins, JazzAdmins
Then DomainB Groups - JazzUsers, JazzProjectAdmins, JazzDWAdmins, JazzAdmins
Then assign the group membership like:
- Universal\JazzUsers
---- DomainA\JazzUsers
---- DomainB\JazzUsers
- Universal\JazzAdmins
---- DomainA\JazzAdmins
---- DomainB\JazzAdmins
etc.?