Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2767
Views
0
Helpful
5
Replies

Admin Users can't log into Certificate Provisioning Portal

Go to solution
GQ
Cisco Employee
Cisco Employee

‎08-18-2017 10:18 AM

trying to login to the the Cert Provisioning Portal as the Admin users...  because those are the only ones powerful enough to bulk create certificates with different CNs.  Only get invalid user.  Any additional superadmin users have the same problem.  Internal users can log in to the portal but not the Admin users.

Maybe a misconfig but I can't see what.  Is this working for anyone else?  (didn't in my home or in the dcloud environment)

Screen Shot 2017-08-18 at 10.17.45 AM.png

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-18-2017 02:49 PM

Craig is correct. The admin users need first be created as internal users and then added into admin users by selecting from network access users with either Super Admin or ERS Admin group. Else, we may use external admin users in an AD group mapped either of those two admin groups.

Screen Shot 2017-08-18 at 2.45.31 PM.png

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Craig Hyps
Level 10
Level 10

‎08-18-2017 02:34 PM

Typically the case of validating the Identity Sequence for the portal.  I suspect Internal Users are in current sequence, but admin users are separate class of user.  Try creating new internal user (or use existing) and then add internal user as super admin user.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-18-2017 02:49 PM

Craig is correct. The admin users need first be created as internal users and then added into admin users by selecting from network access users with either Super Admin or ERS Admin group. Else, we may use external admin users in an AD group mapped either of those two admin groups.

Screen Shot 2017-08-18 at 2.45.31 PM.png

0 Helpful

Go to solution
GQ
Cisco Employee
Cisco Employee
In response to hslai

‎08-18-2017 03:35 PM

nice.  Sorry if that was documented somewhere and I didn't see it.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to GQ

‎08-18-2017 03:51 PM

The info is somewhat buried in Create a Certificate Provisioning Portal

...

There are two types of users who can access the Certificate Provisioning portal:

  • Internal or external users with administrative privileges—Can generate certificate(s) for themselves as well as for others.
  • All other users—Can generate certificate(s) only for themselves.

Users (network access users) who are assigned the Super Admin or ERS Admin role have access to this portal and can request certificates for others. However, if you create a new internal admin user and assign the Super Admin or ERS Admin role, the internal admin user will not have access to this portal. You must first create a network access user and then add the user to the Super Admin or ERS Admin group. Any existing network access users who are added to the Super Admin or ERS Admin group will have access to this portal. To create an administrator account to access the Certificate Provisioning portal:

  1. Add an internal user (Administration > Identity Management > Identities > Users > Add).
  2. Add the user to the Super Admin or ERS Admin group (Administration > Admin Access > Administrators > Admin Users > Add > Select from existing network access user). The user is now both an internal network access user and a Super Admin or ERS Admin user.

...

0 Helpful

Go to solution
GQ
Cisco Employee
Cisco Employee
In response to hslai

‎08-20-2017 08:31 AM

That explains that.  I never created a provisioning portal only used the default one, so I wouldn't have looked at that particular documentation.

0 Helpful
Customers Also Viewed These Support Documents