CommVault Forums

Solving Forward - Solving Together
Welcome to CommVault Forums Sign in | Join | Help
in

Domain User account add

Last post 07-26-2013, 4:58 PM by GhengisKhan. 8 replies.
Sort Posts: Previous Next
  • Domain User account add
    Posted: 07-25-2013, 4:16 PM

    CommServe = Win2k8 Simpana 10 SP3

    ...related to my 'Job User Name' post....   When I first installed and set up the CommCell, I was able to add AD users to CommCell Users, thus allowing single sign-on.  Either it has broken since then, or I have destroyed that brain cell, because I do not seem to be able to do that anymore.  I can still add AD Groups to Security -> Name Servers -> [Domain NetBIOS name] -> External Groups.  I can add CommCell Users but am unable to associate them to the domain.  What am I forgetting?!?!


    All your base are belong to us....

    G.K.
  • Re: Domain User account add
    Posted: 07-25-2013, 10:52 PM

    You may have to give more details on what you are trying to accomplish.  You dont add AD users to commcell users, or commcell users to AD groups.  You can only map commcell users to commcell groups and AD Groups to commcell groups. 

    You can read up on SSO and Name Servers here

    http://documentation.commvault.com/commvault/release_9_0_0/books_online_1/english_us/features/user_admin/user_admin.htm#Single_Sign_On


    If all our national holidays were observed on Wednesdays, we could wind up with nine-day weekends
    -- George Carlin
  • Re: Domain User account add
    Posted: 07-26-2013, 12:05 AM

    Greetings Ghengis, could you please clarify the following "I can add CommCell Users but am unable to associate them to the domain", do you mean within some user capabilities or else?

  • Re: Domain User account add
    Posted: 07-26-2013, 1:08 PM

    With the initial release of v10, SSO did not work.  When accessing the console, one had to cancel when the login screen came up and remove the <domain> portion.  Correspondingly, CommCell Users usernames appeared under Security -> CommCell Users without the <domain> portion. When SP2 came out, I was able to set up CommCell Users such that when a user logged on, it used their AD credentials, and their User Name under Security -> CommCell Users appeared as <domain>\<username>.  SSO was working.

    I can no longer set up users such that when they accessed the console, it uses their AD creds. And what is really wierd => I thought I had it figured out this morning.  I had a user enter their AD password in the New User Properties.  When I clicked on OK, it then asked me for MY password (AD), and boom, the user was showing up under Security -> CommCell Users in the <domain>\<username> format, and they were able to SSO to the console. This is where it gets wierd.  I then tried it on a different user, and it did not work => it did not ask me for MY password again, and they appeared in Security -> CommCell Users without the <domain>.

    So, I think I am going to have to open a support case... 


    All your base are belong to us....

    G.K.
  • Re: Domain User account add
    Posted: 07-26-2013, 1:13 PM

    adding a new user from Security -> Commcell Users would never add an AD account. are you sure the domain\user wasn't there previously ?

    The prompting for password thing is probably because you were editing an existing password for that user, so it is a security check (to prompt for your password) to make sure you have rights to change it. 

    If you right click on a domain user in the users list, you dont get an option to change the password, since the password isn't stored in our database and we dont have the ability to change the user's password inA D. 


    If all our national holidays were observed on Wednesdays, we could wind up with nine-day weekends
    -- George Carlin
  • Re: Domain User account add
    Posted: 07-26-2013, 4:01 PM

    Alright, I was doing it wrong.  The following procedure is not tacitly in the BOL doc that I could find, and although the pieces are there, it is not intuitively obvious (to me, anyway) that this is what you need to do.  I do not know if this is the only way to do it, but it worked for me.  If there is an easier way, I would like to know it.  I realize that this does not cover all the options, but it will create a <domain>.<username>. There are a few minor steps I did not include which I am assuming that if you are computer-savvy enough to be using enterprise-class software that you don't need to be told what to do to move forward:

    Pre-reqs:
    * you have admin priveleges in the commserve console
    * JRE 1.6.x or better is installed on the user's compueter
    * A Nameserver has been properly configured in the CommServe console

    1) Add non-AD username to CommCell Users.  This username should be the exact same username which the user uses when logging onto their computer.  Supply any ol' password.

    2) On a computer which the user is logged onto using AD credentials, using the username from step 1, go to the following URL in a web browser:
    http://[CommServe Hostname]:81/console

    3) After the software downloads, a console login screen will appear => when this happens, press the ESC key. Remove the default username and supply a username and password with admin priveleges in the CommServer console => this should be a domain un/pw.

    4) Once in the console, go to Security -> CommCell Users and verify that the user is now <domain>.<username>.  Delete the non-AD user.

    5) Go to Security -> CommCell User Groups. For each group to which you want this user to belong, right click and go to Properties and select the Users tab, then add the user to the Member Users.

    6) Exit the console.

    7) Go the web browser and refresh the page with http://[CommServe Hostname]:81/console in the address bar.  The user should now be able to SSO.


    All your base are belong to us....

    G.K.
  • Re: Domain User account add
    Posted: 07-26-2013, 4:09 PM

    You shouldn't have to do anything nearly this complicated. 

    If i am a user called "jsmith" in a domain "company.com", then i would go into Name Servers and add the external domain for "company.com". 

    On the name server properties i would enable the checkbox for SSO

    Under the name server i would right click on External Groups and select Add new External Group

    I would then find an active directory group that i am a member of (for the sake of argument, i will use Domain Admins).  I will then associate this external group to a commcell group (for the sake of argument i will use 'master' group here)

    Now if i am logged into a Windows machine as "company\jsmith", i can load the console at http://commserve/console and it should automatically log me in using my credentials. 

    Anyone else who is in that domain admin Active Directory group should be able to as well. You can extend this to other AD groups as well by associating them to the commcell groups with the requisite capabilities and associations. 


    If all our national holidays were observed on Wednesdays, we could wind up with nine-day weekends
    -- George Carlin
  • Re: Domain User account add
    Posted: 07-26-2013, 4:40 PM

    I could not agree more.  I was aware of that, and would really, really, really have rather done it that way.  In the interest of trying to avoid negativity, lets just say that I can't in several cases.  


    All your base are belong to us....

    G.K.
  • Re: Domain User account add
    Posted: 07-26-2013, 4:58 PM

    FYI to anyone attempting to derive value/get perspective from this thread, my last post was a reference to my environment, not the Simpana product. The use of external AD groups in Simpana works fine.


    All your base are belong to us....

    G.K.
The content of the forums, threads and posts reflects the thoughts and opinions of each author, and does not represent the thoughts, opinions, plans or strategies of CommVault Systems, Inc. ("CommVault") and CommVault undertakes no obligation to update, correct or modify any statements made in this forum. Any and all third party links, statements, comments, or feedback posted to, or otherwise provided by this forum, thread or post are not affiliated with, nor endorsed by, CommVault.
CommVault, CommVault and logo, the “CV” logo, CommVault Systems, Solving Forward, SIM, Singular Information Management, Simpana, CommVault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, SnapProtect, ROMS, and CommValue, are trademarks or registered trademarks of CommVault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
Close
Copyright © 2014 CommVault | All Rights Reserved. | Legal | Privacy Policy