
Hurdles with Windows AD Authentication Configuration

former_member211289
Participant
0 Kudos

Dear Team,
Please be informed that when we try to configure Windows AD Authentication, we are facing difficulties with various errors.
Kindly check and do the needful.

Process I followed:
1. Enabled WinAD Authentication
2. Gave AD Administration name and Default Domain name
3. Click update
4. Got "Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577)"
5. Click cancel
6. Gave SPN and other details
7. Click update
8. Got "The Active Directory Authentication plugin does require valid global administration credentials in order to access Active Directory. Please specify administration credentials and try again."

Errors:
1. Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577) ?
We don't have any group named with (S-1-5-21-3132330154-158638298-2079404797-18577), verified in Query Builder.

2. The Active Directory Authentication plugin does require valid global administration credentials in order to access Active Directory. Please specify administration credentials and try again ?

We got to know that AD authentication will not continue if the AD account used to read the AD directory (service account\AD Administration Name) doesn't have read permissions on the Domain Controller.

Thanks
Ram

BasicTek
Product and Topic Expert
0 Kudos

Just remove the group from the AD plugin. If you are unsure which group, you can pull a list in query_builder with https://apps.support.sap.com/sap/support/knowledge/preview/en/2546772 and then Ctrl+F the SID.

-Tim

former_member211289
Participant
0 Kudos

Dear Tim,

Thank you.

We have only one AD group, and that group had already been removed from the AD plug-in, but no luck.

charles_weber
Member
0 Kudos

I am having the same issue as the poster. I have removed all groups and still get the error:

Invalid group name, cannot find group (S-1-5-21-1152703029-3547880430-2289592226-512), (S-1-5-21-1152703029-3547880430-2289592226-513), (S-1-5-21-1152703029-3547880430-2289592226-1620).

Is there a solution to this issue?

BasicTek
Product and Topic Expert
0 Kudos

If you removed all the groups there shouldn't be an issue. If you run this in Query Builder:

select si_name, si_aliases, si_rel_group_members, si_id from ci_systemobjects where si_aliases like '%secwinad%' and si_kind='usergroup'

are you still seeing groups (specifically the ones in the error)?

If you go to CMC > Authentication > Windows AD and the group list is empty but Query Builder is still showing groups, there is something corrupt in the CMS; you may need to open a ticket to clear it out.

-Tim
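
Added example, not part of any post in this thread and not SAP code: a small Python helper for the check described above. It pulls every SID out of the "Invalid group name" error, splits off the RID, labels standard Windows well-known RIDs, and reports which SIDs still appear in pasted Query Builder output. `QB_SAMPLE` is constructed and its layout is an assumption (the script only searches for SID strings); the function names are hypothetical.

```python
import re

# Domain SID layout: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"S-1-5-21-(\d+-\d+-\d+)-(\d+)")

# Well-known RIDs: these values are the same in every Windows domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers",
                   516: "Domain Controllers"}

# Error text as quoted in the thread.
ERROR = ("Invalid group name, cannot find group "
         "(S-1-5-21-1152703029-3547880430-2289592226-512), "
         "(S-1-5-21-1152703029-3547880430-2289592226-513), "
         "(S-1-5-21-1152703029-3547880430-2289592226-1620).")

# Constructed stand-in for pasted Query Builder results (layout is assumed).
QB_SAMPLE = """
SI_ID 4711  SI_NAME constructed-group
SI_ALIASES S-1-5-21-1152703029-3547880430-2289592226-1620
"""

def sids_in(text):
    """Return the distinct domain SIDs in text, in order of appearance."""
    return list(dict.fromkeys(m.group(0) for m in SID_RE.finditer(text)))

def triage(error_text, query_builder_text):
    """Describe each SID from the error and whether the CMS output still has it."""
    # Whole-SID comparison: a plain text search for ...-51 would also hit ...-512.
    present = set(sids_in(query_builder_text))
    report = []
    for sid in sids_in(error_text):
        domain, rid = SID_RE.fullmatch(sid).groups()
        report.append({"sid": sid, "domain": domain, "rid": int(rid),
                       "well_known": WELL_KNOWN_RIDS.get(int(rid)),
                       "still_in_cms": sid in present})
    return report

if __name__ == "__main__":
    for row in triage(ERROR, QB_SAMPLE):
        print(row)
```

A SID reported with `still_in_cms` true while the CMC group list is empty matches the mismatch Tim describes between the CMC and Query Builder.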