I have a standalone webreports instance running on Windows 2012. Today I was unable to log in to the WebReports WebUI with my AD credentials. When I logged in with a local account > Administration > User Management > Active Directory Permissions, I get this error:
“Unable to update data table: Failed to open the Active Directory global catalog”
With this being a standalone WR instance on a server that has no running BES Root services, where is WR configured to point to a DC for authentication? I can’t find the setting anywhere and I’d like to find that to help troubleshoot this issue.
Issue resolved after reboot, but still looking for where WR knows which AD server to use for authentication.
FYI
Either the Windows Server where you are running the Web Reports service is itself joined to the AD Domain, or you use a Service Account from the Domain to run the Web Reports service.
From the documentation:
If the permissions on Active Directory are set so that only some users are able to read the Active Directory data or if the Web Reports server does not belong to the Active Directory domain, you must configure your Web Reports Server service to run as a domain user with permissions to query Active Directory. This user does not need to be a domain administrator or have any permissions to make changes to Active Directory.
Right, so the Windows server is joined to the domain that we use for authentication. I was just under the assumption that WebReports had a way to define which LDAP server to use like the BES Console LDAP login does. But I guess not.
I could RDP onto the Windows server with the same AD creds I use for webreports so I know there wasn’t an issue with the server communicating with AD. Are there any WR logs that would give more information for this specific communication failure?
There’s no front end configuration, as you’ve noticed, for Active Directory integration using this embedded approach. It inherits what the Server and/or Service receives from AD.
However, you can add an LDAP Directory, either Generic or Active Directory, to the BigFix Console, and specify a particular AD server. This will also make LDAP available to Web Reports, where you can assign Web Reports roles to LDAP users or groups.
Have you looked at the Event Viewer on the Web Reports server?
Logging is covered in the documentation here: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Web_Reports/c_logging_web_reports.html
If logging was previously enabled, the path to the log files will be configured in the registry.
There were a couple of Windows event log records talking about failure to communicate with the AD DCs so that does point to a sign of an issue. It is just strange though that Windows allowed me to log on but WebReports failed. But now I know where to look. Thanks.
Cached credentials in the local machine can hide potential AD communication issues, since it will authenticate you without needing a DC. WebReports needs to run the credentials past the DC every time.
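The checks the replies above point to (domain membership, cached logons, global catalog reachability, recent Netlogon events), collected as an added PowerShell example that is not from the thread or the BigFix documentation. The function name `Test-GlobalCatalogAccess` and its parameters are hypothetical; it assumes it is run on the Web Reports server as a domain account, ideally the one the Web Reports service runs as.

```powershell
# Added example: read-only checks, nothing on the server or in AD is changed.
function Test-GlobalCatalogAccess {
    param([int]$TimeoutMs = 3000, [int]$LookbackHours = 24)

    $report = [ordered]@{}

    # Is the machine domain-joined, and to which domain?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $report.DomainJoined = $cs.PartOfDomain
    $report.Domain       = $cs.Domain

    # A non-zero value means interactive logons can succeed from cache with no DC reachable.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $report.CachedLogonsCount = (Get-ItemProperty -Path $winlogon).CachedLogonsCount

    try {
        # Ask the DC locator for a global catalog in the current forest.
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $gc = $forest.FindGlobalCatalog()
        $report.GlobalCatalog = $gc.Name

        # TCP reachability of the global catalog LDAP port (3268).
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $tcp.BeginConnect($gc.Name, 3268, $null, $null)
            $report.Port3268Open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $tcp.Connected
        } finally { $tcp.Close() }

        # Force an LDAP bind to the GC with the current credentials.
        $entry = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)")
        $null = $entry.NativeObject
        $report.GcBind = 'OK'
    } catch {
        # Locator, connection or bind failure: keep the message for the report.
        $report.GcError = $_.Exception.Message
    }

    # Recent Netlogon errors (level 2) and warnings (level 3) in the System log.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $report.NetlogonEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object -First 5 TimeCreated, Id, Message)

    [pscustomobject]$report
}

Test-GlobalCatalogAccess | Format-List
```

A populated `GcError` alongside a working interactive logon is the pattern described in the last reply: the logon was served from cache while the global catalog was unreachable.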