UM Login failure with Active Directory (AD) Network Type


One or more of the following issues can occur when using the Active Directory (AD) network type in User Management (UM):
1) Some or all users cannot log in to the UM website at all.
2) Some or all users get "Could not verify user" error dialogs from the UM Client when printing.
Both issues have the same root cause: the UM website and web services do not have the permissions required to retrieve user information from Active Directory.


When UM is installed it creates two application pools in IIS, one for the main website and one for the Client Web Services. Both app pools are set to run as the built-in Windows "NetworkService" account. When NetworkService accesses resources on the network, it authenticates as the computer's domain account, so the app pools have the same permissions as any other authenticated user on the domain.
So when a user logs in to the website with their AD credentials, or the web services look up AD information about a user, the query is made against AD as an "authenticated user".
By default, in a Windows AD domain, "Authenticated Users" have permission to query the directory and read user information. On installations where the lookup fails, the default Active Directory query permissions have been removed or changed, so standard "Authenticated Users" can no longer query Active Directory and the AD lookup fails.
Things to Check/Workaround:

The machine running the User Management web services must be joined to the Active Directory domain for AD lookups to succeed. A workgroup machine, or one whose computer account is broken, cannot query the directory as NetworkService.
If the default "NetworkService" account (that is, the computer account) has been restricted from performing AD lookups, create a managed service account that is permitted to read user objects in the directory and set the PAIinfinteApi and PAInfinite application pools to use that account as their identity in Internet Information Services (IIS) Manager. This setting is found under Application Pools --> Advanced Settings --> Identity. Recycle both application pools after changing the identity.

(Screenshot: APIdentity.jpg, the application pool Identity setting in IIS Manager)
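The following PowerShell script is an added example, not part of the original article or of the UM product, that walks through the checks above from an elevated prompt on the UM web server: it confirms domain membership, performs the same kind of AD user lookup the web services make so you can see the exact error, lists what the domain root ACL grants to Authenticated Users, and finally points the two application pools at a managed service account. The app pool names PAInfinite and PAIinfinteApi are taken from the article; the group managed service account name CORP\umsvc$ and the test user jdoe are placeholders you must replace. The ACL and gMSA checks assume the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not the article's or the product's own script).
# Run in an elevated Windows PowerShell session on the UM web server.
# Placeholders: CORP\umsvc$ (your gMSA), jdoe (any real AD user to test with).

$AppPools   = 'PAInfinite', 'PAIinfinteApi'   # names as given in the article
$Gmsa       = 'CORP\umsvc$'                   # placeholder managed service account
$TestUser   = 'jdoe'                          # placeholder sAMAccountName

# --- 1. The server must be joined to the AD domain. ---------------------------
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This machine is not domain-joined (workgroup '$($cs.Domain)'); AD lookups cannot succeed."
}
"Domain-joined: $($cs.Domain) as $env:COMPUTERNAME`$"

# --- 2. Reproduce the lookup the web services perform. ------------------------
# Run this script as NetworkService to test what the app pools actually see,
# e.g. with Sysinternals PsExec:
#   psexec -u "NT AUTHORITY\NETWORK SERVICE" powershell.exe -File .\Test-UmAd.ps1
# or as the candidate gMSA once it is installed on this host.
function Test-AdUserLookup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    "Querying AD as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    try {
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
        $searcher.PropertiesToLoad.AddRange(@('sAMAccountName','displayName','mail','memberOf'))
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            Write-Warning "Bind succeeded but '$SamAccountName' was not returned: read permission on user objects is probably missing."
            return $false
        }
        "Found $($result.Properties['displayname']) <$($result.Properties['mail'])>, $($result.Properties['memberof'].Count) group(s)"
        return $true
    } catch {
        # Typical failures: 'The specified domain either does not exist or could not be contacted'
        # (not domain-joined / DNS) or an access-denied COM error (permissions removed).
        Write-Warning "AD lookup failed: $($_.Exception.Message)"
        return $false
    }
}
$lookupOk = Test-AdUserLookup -SamAccountName $TestUser

# --- 3. Show what the domain root ACL grants Authenticated Users. --------------
# Requires the RSAT ActiveDirectory module (Install-WindowsFeature RSAT-AD-PowerShell).
if (Get-Module -ListAvailable ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    "Domain root ACEs for Authenticated Users (default installs grant read rights here):"
    $acl.Access |
        Where-Object { $_.IdentityReference -like '*Authenticated Users*' } |
        Format-Table AccessControlType, ActiveDirectoryRights, InheritanceType -AutoSize
} else {
    Write-Warning 'ActiveDirectory module not installed; skipping ACL check.'
}

# --- 4. Workaround: run both app pools as a managed service account. ----------
# Only do this if step 2 fails as NetworkService but succeeds as the gMSA.
if (-not $lookupOk) {
    Import-Module WebAdministration
    $gmsaShort = ($Gmsa -split '\\')[-1].TrimEnd('$')
    if (Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue) {
        if (-not (Test-ADServiceAccount -Identity $gmsaShort)) {
            # The host must be allowed to retrieve the gMSA password and have it installed.
            Install-ADServiceAccount -Identity $gmsaShort
        }
    }
    foreach ($pool in $AppPools) {
        # A gMSA uses identityType SpecificUser with the account name ending in '$' and an empty password.
        Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel -Value @{
            identityType = 'SpecificUser'
            userName     = $Gmsa
            password     = ''
        }
        Restart-WebAppPool -Name $pool
        "Set identity of app pool '$pool' to $Gmsa and recycled it."
    }
}
```

Use step 2 to confirm the diagnosis before changing anything: if the lookup succeeds as your interactive domain account but fails when the script runs as NetworkService, the computer account (and therefore Authenticated Users) has lost read access to user objects, which is exactly the case the article describes. A managed service account sidesteps that because you grant the read permission to the service account directly rather than relying on the domain default.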
