Atrium Single Sign On integration into Active Directory for TrueSight 10.x

Version 18

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 10.x
    Capacity Optimization 10.x
    Atrium SSO 9.00.2
    TrueSight Operations Management 10.x
    TrueSight Integration Management 10.x
    TrueSight Presentation Server 10.x



    DETAILS:

     

    Atrium SSO integration with TrueSight 10.x supports an external user store only through the LDAP protocol with Active Directory. Other authentication mechanisms such as SAML or Kerberos are not supported.

      

    For detailed information, open the attached document, which contains all the required information.

      
    If you want to migrate LDAP settings from TrueSight Capacity Optimization to ASSO, only a few settings can be reused:

    LDAP Provider URL - The protocol URL of the host or domain hosting LDAP; you can use the hostname without the protocol prefix.

    LDAP Context - The DN of the domain, also called the Base DN, for example: DC=bmmsup,DC=xy

    Search Account - The account used for the initial bind. This account must be given in distinguished name format, for example:

      

    CN=ServiceUser,OU=ServiceAccounts,DC=bmmsup,DC=xy

      


    The chapters of the document and the most important key points are listed in this solution.

    The attached PDF document contains the following chapters.

      

    1. Prerequisites and Overview
    Brief overview of the prerequisites required before the installation

      

    2. Find the right Base and Search DN and Server Name
    Command output examples that help to evaluate the best DN

      

    3. Command examples
    Various dsquery | dsget and PowerShell command examples to produce the output shown in chapter 2.
    Generic troubleshooting commands for network connection issues.

    4. Login to ASSO and configure the integration
    Explains all settings required for the integration and how to set them, including the User and Group Filters.

      

    5. Common GUI Errors, Logs and Troubleshooting
    The most commonly seen errors displayed in the GUI and in the logs for server connection issues.

      

    6. Assistance required by Support?
    Brief information about what Support needs in order to understand the issue and the environment.

      


    1. Troubleshooting

      

    Troubleshooting should start with the following key questions; details and screenshots are covered in the attached document.

    1. Is this an existing installation that was working before, or is it a new installation?
    2. Are some users able to log in but others not? Or is no user able to log in?

    Existing installation, worked before - no user login possible.

    Is the ASSO service running, is login to the ASSO console possible, and can you telnet to the ASSO hostname and port from the TrueSight product?


    Log in to ASSO and open the Realm (by default the BMC Realm), then open the configured Realm Authentication, not the Internal LDAP.
    Click Save in the LDAP/Active Directory editor; if ASSO is not able to communicate with Active Directory, you get error messages.
    For details about the most common error messages and their causes, see the solution below or open the attached document.

    If there is no error on save, ASSO can connect to Active Directory.

    Login to ASSO is possible and there is no error when you click Save.
    Do you see some of the Active Directory users and groups in the ASSO Users and Groups tab?

    Note that some groups and users exist in the internal user store; for example, apiuser is an internal user, and the same applies to the Capacity_Administration and Capacity View groups.

    Possible causes are a Search DN and Base DN in the ASSO configuration that are incorrect or do not match, an LDAP attribute other than sAMAccountName being used, or an invalid or incorrectly prepared Group Filter. Review chapters 2 and 3 of the attached document to evaluate these settings.

    Existing installation, worked before - login not possible for some new users.
    The user is not listed in the Users tab in ASSO.


    A possible cause is that the user or group cannot be found under the Search DN and Base DN configured in ASSO.
    Capture the Base and Search DN configuration in ASSO and get the output of the dsquery|dsget or PowerShell commands to verify the information from the Active Directory side. Review chapters 2 and 3 of the attached document to evaluate these settings.

    Another possible cause is that the user is not in an Active Directory group for which the Group and User Filters are set up. If the filters are set up for only some groups, only users who are members of those groups are listed in ASSO. Review chapters 2 and 3 of the attached document to evaluate these settings.

    The user is listed in ASSO on the Users tab but cannot log in to TrueSight.
    If no Group and User Filters are set, it is likely that the user is not in a group that is authorized to use TrueSight.
    Verify the group membership: is the user in any group that is configured in TrueSight?

    For example, for TrueSight Capacity Optimization the user must be in an Active Directory group whose name matches the External Name of a Role or Access Group. Without a matching Active Directory group and External Name, the user can be authenticated by ASSO but is not authorized to use TrueSight Capacity Optimization.
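    The two checks described above (is the user's DN actually under the Search/Base DN that ASSO is configured with, and does one of the user's groups match an External Name) can be done offline on the DN strings that dsquery|dsget or Get-ADUser print. The following Python script is an added example and is not code from this article or from BMC; the domain bmmsup.xy, the DNs, the group names and the External Names in it are constructed sample data, and it assumes the External Name must match the group name exactly.

```python
"""Offline checks for two ASSO / Active Directory troubleshooting questions.

Added example; this is not code from the BMC article or from BMC.  It works on
the DN strings printed by `dsquery ... | dsget ... -dn` / `-memberof` or by
Get-ADUser / Get-ADGroup, and answers:
  1. Is the user's (or group's) DN under the Base DN / Search DN configured in
     ASSO?  If not, ASSO cannot list the user at all.
  2. Which of the user's AD groups match the External Names configured for
     TrueSight Capacity Optimization roles and access groups?
All DNs, group names and External Names below are constructed sample data.
"""
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")
_UNESCAPE = re.compile(r"\\(.)")


def parse_dn(dn):
    """Parse a DN into [(attribute, value), ...], most specific RDN first.

    Surrounding double quotes (as printed by dsget) are removed, attribute
    types are lower-cased and backslash escapes in values are resolved, so
    'OU=Sales\\, EMEA' yields ('ou', 'Sales, EMEA').
    """
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] == '"':
        dn = dn[1:-1]
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.strip().lower(), _UNESCAPE.sub(r"\1", value.strip())))
    return parts


def _normalized(parts):
    # Active Directory compares DN values case-insensitively.
    return [(attr, value.casefold()) for attr, value in parts]


def is_under(dn, base_dn):
    """True if `dn` is `base_dn` itself or lies anywhere beneath it."""
    parts = _normalized(parse_dn(dn))
    base = _normalized(parse_dn(base_dn))
    return len(base) <= len(parts) and parts[len(parts) - len(base):] == base


def group_name(dn):
    """The group's name, i.e. the value of the leading CN= RDN."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    raise ValueError(f"no CN in {dn!r}")


def check_external_names(memberof_output, external_names):
    """Compare a user's group DNs (one per line) with TSCO External Names.

    Returns (matched, case_only): External Names that match a group name
    exactly, and (external_name, group_name) pairs that differ only in
    case, which deserve a second look because the article says the group
    name must match the External Name.
    """
    groups = [group_name(line) for line in memberof_output.splitlines() if line.strip()]
    matched = [name for name in external_names if name in groups]
    by_fold = {g.casefold(): g for g in groups}
    case_only = [(name, by_fold[name.casefold()]) for name in external_names
                 if name not in groups and name.casefold() in by_fold]
    return matched, case_only


# --- constructed sample data (hypothetical domain bmmsup.xy) -----------------
DOMAIN_ROOT = "DC=bmmsup,DC=xy"
SEARCH_DN = "OU=Users,OU=EMEA,DC=bmmsup,DC=xy"                      # what ASSO is configured with
USER_DN = 'CN=Jane Doe,OU=Sales\\, EMEA,OU=EMEA,DC=bmmsup,DC=xy'    # where the user really is
MEMBEROF_OUTPUT = '''"CN=TSCO_Viewers,OU=Groups,DC=bmmsup,DC=xy"
"CN=capacity_administration,OU=Groups,DC=bmmsup,DC=xy"
"CN=Domain Users,CN=Users,DC=bmmsup,DC=xy"
'''
EXTERNAL_NAMES = ["Capacity_Administration", "TSCO_Viewers"]

if __name__ == "__main__":
    print("under configured Search DN:", is_under(USER_DN, SEARCH_DN))    # False
    print("under domain root:         ", is_under(USER_DN, DOMAIN_ROOT))  # True
    print(check_external_names(MEMBEROF_OUTPUT, EXTERNAL_NAMES))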

    Timeouts on login for some users
    The dsquery|dsget output that shows the user can reveal more: a possible cause is that the users are located in a different domain, or that Universal Groups are used.
    You can verify this with the command outputs, but it is worth attempting to connect to the Global Catalog ports (LDAP port 3268 and LDAPS port 3269) instead of the ordinary LDAP/LDAPS ports; this can shorten the LDAP query if the domain controller you connect to does not hold the user information locally.

    New installations

    There are too many possible issues to list; review the attached document for the details of the integration to understand what is required.
    When you create a Realm Authentication and save it, you typically get well-known error messages if ASSO cannot connect to Active Directory.
    It is important to use only sAMAccountName for the LDAP attribute mapping and no other attributes. It is important to set the correct Search DN and Base DN; without them no users and groups are found. When doing the integration it may make more sense to first use the root of the domain as the Base and Search DN, verify that the required users and groups are listed, and then determine whether a DN further down the Active Directory structure can be used and whether Group and User Filters can restrict the listing to the required groups.

      


    2. Error messages and their meaning

      
    BMCSSG1827W - Unable to bind to LDAP Server
    Most likely there is a problem with the settings for the search user account: wrong password or wrong DN.
    If you just changed the server name, you might need to re-import the SSL certificate referenced in the LDAP editor and restart Atrium SSO to apply the change; see https://docs.bmc.com/docs/sso90/enabling-ldap-to-authenticate-users-with-ssl-553327585.html

    BMCSSG1822W - Could not connect to remote server on specific port.
    Check the port configured in the settings: is it the correct LDAP port (389) or LDAPS port (636), or the Global Catalog port (LDAP 3268 / LDAPS 3269)?

    BMCSSG1832W - Invalid Hostname specified.
    Check the hostname: it cannot be resolved by DNS, or it is the wrong hostname.

    The Port specified is the standard non SSL port, are you sure it is correct for SSL Usage.
    The Use SSL box is selected but you connect to port 389 (LDAP) instead of LDAPS port 636, or the other way around.
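    The three connection-level messages above (hostname not resolvable, port not reachable, Use SSL ticked for a plain port or vice versa) and the Global Catalog advice from the timeout section can be checked from the ASSO host before saving the Realm Authentication. The following Python script is an added example, not code from this article or from BMC; it checks DNS resolution, TCP reachability and the port/SSL combination only, so a bind failure (BMCSSG1827W) is outside what it can detect. The host name and the local listener used in its self-test are constructed stand-ins for a domain controller.

```python
"""Pre-flight check of the host, port and Use SSL values entered in the ASSO
LDAP/Active Directory editor.

Added example; not code from the BMC article or from BMC.  It reproduces the
reasoning behind three of the article's messages without touching ASSO:
  - BMCSSG1832W: the hostname does not resolve in DNS,
  - BMCSSG1822W: nothing accepts a TCP connection on the port,
  - "The Port specified is the standard non SSL port": Use SSL is ticked but
    a plain LDAP port is given, or the reverse,
and it names the Global Catalog port when a plain LDAP/LDAPS port is used.
It only checks TCP reachability; a bind failure (BMCSSG1827W) needs a real
LDAP client.  Hosts and ports used in the self-test are constructed.
"""
import socket

# port -> (description, is a TLS port)
LDAP_PORTS = {
    389: ("LDAP", False),
    636: ("LDAPS", True),
    3268: ("Global Catalog LDAP", False),
    3269: ("Global Catalog LDAPS", True),
}
GLOBAL_CATALOG_FOR = {389: 3268, 636: 3269}


def ssl_port_warning(port, use_ssl):
    """Warning text for an inconsistent port / Use SSL combination, else None."""
    if port not in LDAP_PORTS:
        return f"port {port} is not a standard LDAP port; confirm it with the AD team"
    name, tls_port = LDAP_PORTS[port]
    if use_ssl and not tls_port:
        return f"Use SSL is selected but {port} is the plain {name} port (use 636 or 3269)"
    if tls_port and not use_ssl:
        return f"{port} is the {name} port but Use SSL is not selected (use 389 or 3268)"
    return None


def global_catalog_port(port):
    """Global Catalog equivalent of a plain LDAP/LDAPS port, or None."""
    return GLOBAL_CATALOG_FOR.get(port)


def resolve_host(hostname):
    """IP address for `hostname`, or None when DNS cannot resolve it (BMCSSG1832W)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP connection to host:port succeeds (BMCSSG1822W otherwise)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname, port, use_ssl):
    """Run all checks and return a report dict with a list of notes."""
    report = {"host": hostname, "port": port, "use_ssl": use_ssl, "notes": []}
    warning = ssl_port_warning(port, use_ssl)
    if warning:
        report["notes"].append(warning)
    gc_port = global_catalog_port(port)
    if gc_port:
        report["notes"].append(
            f"users in other domains or Universal Groups: consider Global Catalog port {gc_port}")
    report["ip"] = resolve_host(hostname)
    if report["ip"] is None:
        report["reachable"] = False
        report["notes"].append("hostname does not resolve in DNS (BMCSSG1832W)")
        return report
    report["reachable"] = tcp_reachable(report["ip"], port)
    if not report["reachable"]:
        report["notes"].append(f"no TCP connection to {report['ip']}:{port} (BMCSSG1822W)")
    return report


def local_listener():
    """Listening socket on 127.0.0.1 with an ephemeral port, standing in for a DC."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = local_listener()
    port = srv.getsockname()[1]
    print(preflight("127.0.0.1", port, use_ssl=False))   # reachable
    srv.close()
    print(preflight("127.0.0.1", port, use_ssl=False))   # BMCSSG1822W condition
    print(ssl_port_warning(389, use_ssl=True))           # the SSL/port mismatch
```

    Run `preflight()` with the exact hostname and port from the ASSO editor; a note in the result corresponds to one of the messages listed above, and an empty note list with `reachable` true means the remaining suspects are the bind account and its DN.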
       

    3. dsquery | dsget and PowerShell command examples

      
    The PowerShell command examples work only if the related cmdlets are installed; dsquery|dsget are only available on domain controllers or on servers with the RSAT tools installed. The dsquery|dsget commands have been available since Windows 2000; the PowerShell cmdlets typically work on Windows 2012 and newer.

    For output examples, please open the attached document. 


    - Get all members of a group in DN format; replace groupname with the name of the group.

    PowerShell
    Get-ADGroupMember groupname | Format-Table -Property distinguishedName,name,SamAccountName -AutoSize | Out-String -Width 4096

    dsquery | dsget
    dsquery group -name groupname | dsget group -members -expand

    - Get details of a group, with the DN of the group and additional group properties; replace groupname with the name of the group.

    PowerShell
    Get-ADGroup groupname | Format-Table -Property DistinguishedName,SamAccountName,GroupCategory,GroupScope -AutoSize

    dsquery | dsget
    dsquery group -name groupname | dsget group -dn -samid -scope

    - Get details of a single user; replace username with the name of the user.

    PowerShell
    Get-ADUser username -Properties * | Select-Object -Property Description,Name,DistinguishedName,DisplayName,Enabled,SamAccountName,LockedOut

    dsquery | dsget
    dsquery user -samid username | dsget user -dn -samid -disabled
      

    Article Number:

    000139411


    Article Type:

    Product/Service Description


