topic Re: Admin Users can't log into Certificate Provisioning Portal in Network Access Control

Admin Users can't log into Certificate Provisioning Portal

GQ — Fri, 18 Aug 2017 17:18:58 GMT

trying to login to the the Cert Provisioning Portal as the Admin users... because those are the only ones powerful enough to bulk create certificates with different CNs. Only get invalid user. Any additional superadmin users have the same problem. Internal users can log in to the portal but not the Admin users.

Maybe a misconfig but I can't see what. Is this working for anyone else? (didn't in my home or in the dcloud environment)

Re: Admin Users can't log into Certificate Provisioning Portal

Craig Hyps — Fri, 18 Aug 2017 21:34:50 GMT

Typically the case of validating the Identity Sequence for the portal. I suspect Internal Users are in current sequence, but admin users are separate class of user. Try creating new internal user (or use existing) and then add internal user as super admin user.

Re: Admin Users can't log into Certificate Provisioning Portal

hslai — Fri, 18 Aug 2017 21:49:13 GMT

Craig is correct. The admin users need first be created as internal users and then added into admin users by selecting from network access users with either Super Admin or ERS Admin group. Else, we may use external admin users in an AD group mapped either of those two admin groups.

Re: Admin Users can't log into Certificate Provisioning Portal

GQ — Fri, 18 Aug 2017 22:35:36 GMT

nice. Sorry if that was documented somewhere and I didn't see it.

Re: Admin Users can't log into Certificate Provisioning Portal

hslai — Fri, 18 Aug 2017 22:51:46 GMT

The info is somewhat buried in Create a Certificate Provisioning Portal

...

There are two types of users who can access the Certificate Provisioning portal:

Internal or external users with administrative privileges—Can generate certificate(s) for themselves as well as for others.

All other users—Can generate certificate(s) only for themselves.

Users (network access users) who are assigned the Super Admin or ERS Admin role have access to this portal and can request certificates for others. However, if you create a new internal admin user and assign the Super Admin or ERS Admin role, the internal admin user will not have access to this portal. You must first create a network access user and then add the user to the Super Admin or ERS Admin group. Any existing network access users who are added to the Super Admin or ERS Admin group will have access to this portal. To create an administrator account to access the Certificate Provisioning portal:

Add an internal user (Administration > Identity Management > Identities > Users > Add).

Add the user to the Super Admin or ERS Admin group (Administration > Admin Access > Administrators > Admin Users > Add > Select from existing network access user). The user is now both an internal network access user and a Super Admin or ERS Admin user.

...

Re: Admin Users can't log into Certificate Provisioning Portal

GQ — Sun, 20 Aug 2017 15:31:15 GMT

That explains that. I never created a provisioning portal only used the default one, so I wouldn't have looked at that particular documentation.