
Hurdles with Windows AD Authentication Configuration

former_member211289
Participant
0 Kudos

Dear Team,
Please be informed that when we try to configure Windows AD Authentication, we are facing difficulties with various errors.
Kindly check and do the needful.

Process I followed:
Enabled WinAD Authentication
Gave AD Administration name and Default Domain name
Click update
Got Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577)
Click cancel
Gave SPN and other details
Click update
Got The Active Directory Authentication plugin does require valid global administration credentials in order to access Active Directory. Please specify administration credentials and try again.

Errors:
1. Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577) ?
We don't have any group named with (S-1-5-21-3132330154-158638298-2079404797-18577), verified in Query Builder.

2. The Active Directory Authentication plugin does require valid global administration credentials in order to access Active Directory. Please specify administration credentials and try again ?

We got to know that AD authentication will not continue if the AD account used to read the AD directory (service account\AD Administration Name) doesn't have read permissions on the Domain Controller.

Thanks
Ram

Accepted Solutions (0)

Answers (2)

BasicTek
Product and Topic Expert
0 Kudos

Just remove the group from the AD plugin. If you are unsure which group, you can pull a list in query_builder with https://apps.support.sap.com/sap/support/knowledge/preview/en/2546772 and then Ctrl+F the SID.

-Tim

former_member211289
Participant
0 Kudos

Dear Tim,

Thank you.

We have only one AD group, and that group had already been removed from the AD plug-in, but no luck.

charles_weber
Member
0 Kudos

I am having the same issue as the poster. I have removed all groups and still get the error:

Invalid group name, cannot find group (S-1-5-21-1152703029-3547880430-2289592226-512), (S-1-5-21-1152703029-3547880430-2289592226-513), (S-1-5-21-1152703029-3547880430-2289592226-1620).

Is there a solution to this issue?

BasicTek
Product and Topic Expert
0 Kudos

If you removed all the groups there shouldn't be an issue. If you run this in Query Builder:

select si_name, si_aliases, si_rel_group_members, si_id from ci_systemobjects where si_aliases like '%secwinad%' and si_kind='usergroup'

are you still seeing groups (specifically the ones in the error)?

If you go to CMC > Authentication > Windows AD and the group list is empty but Query Builder is still showing groups, there is something corrupt in the CMS; you may need to open a ticket to clear it out.

-Tim
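
An added example (not part of any post in this thread, and not SAP code) that automates the "search the Query Builder output for the SID" check suggested above: it extracts the SIDs from the error text, splits each into domain identifier and RID, and reports which ones still appear in a saved copy of the query output. The export text, its layout and the group names are constructed; the table of well-known RIDs goes beyond what the thread covers.

```python
import re

# Domain SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(
    r"(?<![\w-])S-1-5-21-(\d{1,10})-(\d{1,10})-(\d{1,10})-(\d{1,10})(?!\d)")

# RIDs Windows reserves for default groups present in every AD domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

# Error text quoted in the thread.
ERROR_TEXT = ("Invalid group name, cannot find group "
              "(S-1-5-21-1152703029-3547880430-2289592226-512), "
              "(S-1-5-21-1152703029-3547880430-2289592226-513), "
              "(S-1-5-21-1152703029-3547880430-2289592226-1620).")

# Constructed stand-in for saved Query Builder output; the real layout differs,
# only the SID substrings matter here. Group names are made up.
EXPORT_TEXT = """\
row 1: EXAMPLE\\BO_Report_Users  S-1-5-21-1152703029-3547880430-2289592226-1620
row 2: EXAMPLE\\BO_Archive       S-1-5-21-1152703029-3547880430-2289592226-5120
"""

def parse_sids(text):
    """Return unique domain SIDs found in text, in order of appearance."""
    found = {}
    for m in SID_RE.finditer(text):
        parts = [int(p) for p in m.groups()]
        if any(p > 0xFFFFFFFF for p in parts):
            continue  # sub-authorities are 32-bit; skip malformed values
        found.setdefault(m.group(0), {
            "sid": m.group(0),
            "domain": "S-1-5-21-" + "-".join(m.groups()[:3]),
            "rid": parts[3]})
    return list(found.values())

def triage(error_text, export_text):
    """Mark each SID from the error as still present in the export or not."""
    export = export_text.lower()
    report = []
    for entry in parse_sids(error_text):
        # Bounded match so a SID ending in -512 does not hit one ending in -5120.
        bounded = re.compile(re.escape(entry["sid"].lower()) + r"(?!\d)")
        entry["still_mapped"] = bool(bounded.search(export))
        entry["builtin"] = WELL_KNOWN_RIDS.get(entry["rid"])
        report.append(entry)
    return report

if __name__ == "__main__":
    for row in triage(ERROR_TEXT, EXPORT_TEXT):
        print(row["sid"], "still mapped" if row["still_mapped"] else "not in export",
              row["builtin"] or "")
```

A SID that the export still contains while the CMC group list is empty is the mismatch described in the post above.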

BasicTek
Product and Topic Expert
0 Kudos

The AD administration account requires read and query rights to AD; furthermore, if you are dealing with multiple forests, the proper forest trust must be in place.

When your group error occurs with an invalid sid, that would indicate you tried to add a group that no longer exists in AD.

former_member211289
Participant
0 Kudos

Dear Tim,

We haven't tried to add a group that no longer exists in AD.

Below is the process we followed and the error we are getting.

Process I followed:
Enabled WinAD Authentication
Gave AD Administration name and Default Domain name
Click update
Got Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577)

Thanks

former_member211289
Participant
0 Kudos

Also, the group below doesn't exist in the BO system and AD, so how can we handle this issue? Does some SI_ID entry exist in the CMS DB?

Invalid group name, cannot find group (S-1-5-21-3132330154-158638298-2079404797-18577).