Active Directory and IUM Login issues

Issue:  
  • Users may not get popups on their IUM Client. The error log will contain entries such as:
    <TIMESTAMP> Could not authorize user with local automatic authorization.
    <TIMESTAMP> Unable to authorize: 1, The account information you entered is invalid.
  • When logging into the IUM webpage, they may get an error "Login name or password is not valid"
  • When logging into the IUM webpage, they may get an error "Unable to create a user entry for this network name.  No associated directory entry found."
Cause:
The IUM server installation creates at least two Application Pools in IIS. These AppPools are set to run under the built-in "NetworkService" account. In most cases the built-in NetworkService account has the privileges IUM needs to authenticate against Active Directory. Where it does not, the errors above occur.


Solution:
  • Update IUM to 7.2.12 or later.
  • If the issue(s) still persist, set the AppPool identity to an Active Directory user with Active Directory permissions to read users' passwords and any lockout policies that may be in place, i.e. Log On To... This may be an existing AD account or a dedicated user with minimal rights.

Set the identity of the AppPool to a Custom account:

  1. Open Internet Information Services (IIS) Manager.
  2. Under "Connections" locate "Application Pools".
  3. Highlight the Application Pool "PAInfinite".
  4. Under Actions --> Edit Application Pool, click on "Advanced Settings...".
  5. Under Process Model, select the field "Identity" and click the button.
  6. Select "Custom account" and click Set...
  7. Add the user name and password for the custom user.
  8. Under Actions --> Application Pool Tasks, restart the AppPool by clicking "Stop" and then "Start".
  9. Repeat the process for the "PAInfiniteApi" AppPool.
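
The same change can be scripted for both pools. This is an added example, not vendor-supplied code; it assumes an elevated PowerShell session on the IIS server with the WebAdministration module available, and it prompts for the AD account rather than embedding a password.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Pool names come from the steps above; the account is the dedicated AD user you enter.
$pools = 'PAInfinite', 'PAInfiniteApi'
$cred  = Get-Credential -Message 'AD account for the IUM application pools (DOMAIN\user)'

foreach ($pool in $pools) {
    $path = "IIS:\AppPools\$pool"
    if (-not (Test-Path $path)) {
        Write-Warning "Application pool '$pool' not found; skipping."
        continue
    }

    # Record the current identity so the change can be reverted if needed.
    $before = Get-ItemProperty $path -Name processModel
    Write-Host "$pool was running as $($before.identityType) $($before.userName)"

    # identityType 3 = SpecificUser ("Custom account" in IIS Manager).
    Set-ItemProperty $path -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }

    # Stop, wait for the pool to report Stopped, then start (step 8).
    if ((Get-WebAppPoolState -Name $pool).Value -ne 'Stopped') {
        Stop-WebAppPool -Name $pool
    }
    $deadline = (Get-Date).AddSeconds(30)
    while ((Get-WebAppPoolState -Name $pool).Value -ne 'Stopped' -and
           (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
    Start-WebAppPool -Name $pool

    # Confirm the new identity and that the pool came back up.
    $after = Get-ItemProperty $path -Name processModel
    $state = (Get-WebAppPoolState -Name $pool).Value
    Write-Host "$pool now runs as $($after.userName), state: $state"
}
```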
