LDAP MS Active Directory Group Authentication

Solved Locked
Dmitry
ABG Russia

Hello,

I made the setup for the LDAP server and created a special group in Active Directory. I added this group through the Manage Users, MobiControl Security User/Group tab and granted it the MobiControlAdministrators permission. I added several users to this group through the AD snap-in. However, when I try to log in to SOTI with an AD account, I get the following error:

*********************************************************************
* Exception: Authorization Server Host: Failed to authenticate user *
*********************************************************************
[BusinessLogicException: Parameter username has invalid value ruuxxxxxx.]
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByNameDomainLdap(String name, String domain, String ldapConnectionName)
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByName(String name)
   at Soti.MobiControl.ManagementService.AuthorizationService.Authenticate(LogOnRequest request, Boolean& isAdUser)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialUserSession(LogOnRequest request)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithUserCredentials(String userName, String password, String source)
   at Soti.MobiControl.Security.AuthorizationServer.Controllers.AccountController.<LogOn>d__5.MoveNext()

*********************************************************************

Should I make some additional setup?

Edited 5 years ago
SOTI MobiControl
ANSWERS
GMod@SOTI
7 years ago

Hi Dmitry,

Can you confirm if LDAP Integration is enabled?
It is under Global Settings > Console Security Settings > Console Security > LDAP Integration.

Please check Enable LDAP Integration and check the group(s) that the users belong to if they haven't been checked already:



Please let me know if the above works.

Regards, 
~G

Solution
Raymond Chan Diamond Contributor
7 years ago (edited 7 years ago)

I assume you want MDM administrators to log in to the web console with AD/LDAP credentials. If so, just do the following:

1. In the "All-Platforms->Security" tab, click on the "Add" button and select "User Directory User/Group", and then input the "user/group name" associated with your integrated LDAP server.

2. Enable the required Global permission(s) and save. A new item should appear under the "User Directory Security User/Group" category rather than the usual "MobiControl Security User/Group" category.

3. Add required Device Group permissions for the created account.

If your AD/LDAP server has not been properly integrated and configured, you won't be able to complete step (1).

Dmitry
7 years ago (edited 7 years ago)

LDAP and the group setting in SOTI are configured correctly. It seems that SOTI somehow doesn't know that the user belongs to the required AD group.

Screenshot: https://ibb.co/fxS6Od

I see the following error in the log:

*********************************************************************
* Exception: Authorization Server Host: Failed to authenticate user *
*********************************************************************
[BusinessLogicException: Parameter username has invalid value ruu071lp.]
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByNameDomainLdap(String name, String domain, String ldapConnectionName)
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByName(String name)
   at Soti.MobiControl.ManagementService.AuthorizationService.Authenticate(LogOnRequest request, Boolean& isAdUser)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialUserSession(LogOnRequest request)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithUserCredentials(String userName, String password, String source)
   at Soti.MobiControl.Security.AuthorizationServer.Controllers.AccountController.<LogOn>d__5.MoveNext()

Raymond Chan Diamond Contributor
7 years ago

I can't see your screenshot even when enlarged. Do you have special characters in your AD user name?

Dmitry
7 years ago (edited 7 years ago)

Here is the link to the image

Nothing special in the name. I tried different names. Maybe there is a way to troubleshoot (debug mode or something)?

Raymond Chan Diamond Contributor
7 years ago

Have you tried adding just an AD user "ruu071lp" rather than an AD group?

Dmitry
7 years ago

Just tried to do that:

And got the following error:


*********************************************************************
* Exception: Authorization Server Host: Failed to authenticate user *
*********************************************************************
[SecurityException: Authentication Failed. Username or password is incorrect. Use Domain\Username for AD login.]
   at Soti.MobiControl.ManagementService.AuthorizationService.Authenticate(LogOnRequest request, Boolean& isAdUser)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialUserSession(LogOnRequest request)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithUserCredentials(String userName, String password, String source)
   at Soti.MobiControl.Security.AuthorizationServer.Controllers.AccountController.<LogOn>d__5.MoveNext()

*********************************************************************

[2018-07-19 15:02:05.870] INFO  [Scheduler] [62c8a525-bd44-470b-a9e8-43ab1b0dac5f] (32): MobiControl logon failed. User "NA\RUU071LP" not found in database.
[2018-07-19 15:02:05.870] ERROR [Scheduler] [62c8a525-bd44-470b-a9e8-43ab1b0dac5f] (32):

Dmitry
7 years ago (edited 7 years ago)

Yes, this solved the issue for the user! Thanks a lot for your great help. But this only works when I add users directly; with an AD group it is not working... Any ideas? In the log:

[2018-07-23 09:08:10.394] INFO  [ISecurityService.SearchADPrincipals] [99bb1333-9664-4507-a478-ed10d8b046de] (73): LDAP: GetGroupSid: attribute: objectSid
[2018-07-23 09:08:10.394] INFO  [ISecurityService.SearchADPrincipals] [99bb1333-9664-4507-a478-ed10d8b046de] (73): LDAP: GetGroupSid: attribute value: [
   1,
   5,
   0,
   0,
   0,
   0,
   0,
   5,
   21,
   0,
   0,
   0,
   125,
   197,
   74,
   127,
   215,
   208,
   200,
   87,
   25,
   27,
   229,
   75,
   217,
   190,
   13,
   0
]
[2018-07-23 09:08:35.628] INFO  [ISystemService.GetRcConMsg] [3331d444-11c8-4b44-a7f7-d91291e87bf8] (85): TimeNow: 07/23/2018 09:08:35 Access rights retrieved from cache: True.
[2018-07-23 09:08:35.832] INFO  [ISystemService.GetAccessControlState] [d8931e2d-cfbc-48df-b47d-a49b61f8cebe] (94): TimeNow: 07/23/2018 09:08:35 Access rights retrieved from cache: True.
[2018-07-23 09:08:40.675] INFO  [ISystemService.GetAccessControlState] [d8931e2d-cfbc-48df-b47d-a49b61f8cebe] (94): TimeNow: 07/23/2018 09:08:40 Access rights retrieved from cache: True.
[2018-07-23 09:08:40.972] INFO  [ISecurityService.CreatePrincipal] [4c8c6914-1f8a-4e66-a4eb-11b9c07c877d] (94): TimeNow: 07/23/2018 09:08:40 Access rights retrieved from cache: True.
[2018-07-23 09:08:48.722] INFO  [ISecurityService.CreatePrincipal] [4c8c6914-1f8a-4e66-a4eb-11b9c07c877d] (94): TimeNow: 07/23/2018 09:08:48 Access rights retrieved from cache: True.
[2018-07-23 09:09:11.707] INFO  [IDeviceGroupService.GetChildren] [31d17cb9-bd66-4ca5-9bce-69ebe919e830] (73): TimeNow: 07/23/2018 09:09:11 Access rights retrieved from cache: True.
[2018-07-23 09:09:13.207] INFO  [IConsoleService.RequestContent] [bca19449-6283-4426-b4bc-0d03561cc073] (73): TimeNow: 07/23/2018 09:09:13 Access rights retrieved from cache: True.
[2018-07-23 09:09:23.442] INFO  [IEventsService.Clear] [ab49d220-734f-4398-8cdc-40671d350cb4] (73): TimeNow: 07/23/2018 09:09:23 Access rights retrieved from cache: True.
[2018-07-23 09:09:23.489] INFO  [IEventsService.Clear] [ab49d220-734f-4398-8cdc-40671d350cb4] (73): TimeNow: 07/23/2018 09:09:23 Access rights retrieved from cache: True.
[2018-07-23 09:09:23.582] INFO  [IConsoleService.RequestLogOff] [a40a6934-de84-4106-85b0-4fa367e66f60] (73): TimeNow: 07/23/2018 09:09:23 Access rights retrieved from cache: True.
[2018-07-23 09:09:23.676] INFO  [Scheduler] [62c8a525-bd44-470b-a9e8-43ab1b0dac5f] (73): Authorization Server Host: Attempt to authorize with McSessionIn failed: Session user does not exist
[2018-07-23 09:09:24.176] DEBUG [Scheduler] [62c8a525-bd44-470b-a9e8-43ab1b0dac5f] (73): No SSO entity found with ID , request issuer : https://ruisv02.na.intranet.msd/oauth.
[2018-07-23 09:09:38.129] ERROR [Scheduler] [62c8a525-bd44-470b-a9e8-43ab1b0dac5f] (73):

*********************************************************************
* Exception: Authorization Server Host: Failed to authenticate user *
*********************************************************************
[BusinessLogicException: Parameter username has invalid value admdsini.]
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByNameDomainLdap(String name, String domain, String ldapConnectionName)
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByName(String name)
   at Soti.MobiControl.ManagementService.AuthorizationService.Authenticate(LogOnRequest request, Boolean& isAdUser)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialUserSession(LogOnRequest request)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithUserCredentials(String userName, String password, String source)
   at Soti.MobiControl.Security.AuthorizationServer.Controllers.AccountController.<LogOn>d__5.MoveNext()

Regards, Dmitry
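The GetGroupSid lines in the log above show MobiControl reading the group's objectSid as a raw byte array. As an added example (not from the thread or from SOTI), the following decodes that array into the usual S-1-5-21-... string and splits off the RID, so the group SID the server resolved can be compared against the group that was actually granted console rights. The byte values are the ones logged above; the function names are mine.

```python
import struct

# objectSid bytes exactly as MobiControl logged them in the thread above
# (GetGroupSid: attribute value: [...]).
LOGGED_OBJECT_SID = bytes([
    1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0,
    125, 197, 74, 127, 215, 208, 200, 87,
    25, 27, 229, 75, 217, 190, 13, 0,
])


def decode_sid(raw: bytes) -> str:
    """Convert a binary Windows SID (AD objectSid) to S-R-I-S... form,
    validating revision, sub-authority count and total length."""
    if len(raw) < 8:
        raise ValueError("SID too short: need revision, count and authority")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError(f"length {len(raw)} does not fit {sub_count} sub-authorities")
    # 48-bit identifier authority is big-endian; sub-authorities are
    # 32-bit little-endian.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_domain_sid(sid: str) -> tuple:
    """Split a domain SID (S-1-5-21-...-RID) into (domain SID, RID) so a
    group logged by the server can be matched to the intended group."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) < 6:
        raise ValueError("not a domain-scoped SID")
    return "-".join(parts[:-1]), int(parts[-1])


if __name__ == "__main__":
    sid = decode_sid(LOGGED_OBJECT_SID)
    domain_sid, rid = split_domain_sid(sid)
    print(f"group SID {sid}\ndomain SID {domain_sid}\nRID {rid}")
```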

GMod@SOTI
7 years ago

Hi Dmitry,

It's good to hear that enabling LDAP Integration allows you to log in as an LDAP user now.
I have tried it on my instance and I was able to log in as an LDAP user as long as it belonged to the group I specified in User Directory Security User/Group.

Can you confirm again that the user exists under the group you added to the security console, and also check LDAP Integration to make sure the group itself is also checked? Every group (or user, if you added by user) has to be checked individually in order to log in using LDAP.

Regards, 
~G

Dmitry
7 years ago

Hello,

Just checked all the settings and tried one more time; it seems to be OK.

Same error in the log:

*********************************************************************
* Exception: Authorization Server Host: Failed to authenticate user *
*********************************************************************
[BusinessLogicException: Parameter username has invalid value admdsini.]
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByNameDomainLdap(String name, String domain, String ldapConnectionName)
   at Soti.MobiControl.Providers.Ado.Legacy.SecurityPrincipalProvider.GetByName(String name)
   at Soti.MobiControl.ManagementService.AuthorizationService.Authenticate(LogOnRequest request, Boolean& isAdUser)
   at Soti.MobiControl.ManagementService.AuthorizationService.InitialUserSession(LogOnRequest request)
   at Soti.MobiControl.ManagementService.Security.AuthorizationManager.AuthorizeWithUserCredentials(String userName, String password, String source)
   at Soti.MobiControl.Security.AuthorizationServer.Controllers.AccountController.<LogOn>d__5.MoveNext()

Can you share your settings under Groups/User Attributes (LDAP connection dialog)? Maybe I am missing something.

Marko Mäenpää
5 years ago (edited 5 years ago)

Error: MobiControl access denied. User does not have access right to web console.

Just in case someone else gets this same issue and finds this discussion. My solution was: delete the group and recreate it. Logins worked with single accounts, but with an AD group and MobiControl Administrators as member it did not work. I had just updated from 13 to 14 and then this issue occurred. Changing different roles did not help. I even just added all of them and then I got the error "MobiControl access denied. User belongs to group(s) that deny access to web console: "MobiControl BYOD Users"" as expected, so strangely it worked partly. I unchecked and rechecked LDAP integration and resaved the AD configuration, but in the end just deleting and recreating the group fixed it.