User states within CSA 5.1.0.108

I have been trying for the life of me to figure out why CSA will not allow a group, that I create in AD, to have write access to a wwwroot directory. I can make user accounts work, I can make the built-in accounts in AD (Domain Admins) work. However if I make a group called Domain Admins2, I get no lovin from the MC.

The rule is as follows:

Deny All apps, but not "www services", read/write/create dir.

The user state var is as follows: user <all>, <none>; groups <all>, "Domain Admins2"

I have also tried reversing the rule and doing an allow with the "Domain Admins2" in the first box of the user state.

Other than updating to 5.2, has anyone run into this issue?


jan.nielsen

You should run the CSA diagnostics from the CSA MC; this will tell you exactly what groups CSA is seeing on your machine. Also remember that it is the credential used to execute a certain function that is used in user states, not the logged-in user, so you might see some things not getting hit with a user state if it is executed by, e.g., SYSTEM.

I don't see any options for a diagnostics on the MC. Is it called something else?

In the Event Log on the deny that is logged, I can click on details and see that it is being seen as Domain Admins2.

Also I have read that CSA should allow you on if you are a part of any group, not just one that has to be set primary in Active Directory. I can see this being a Windows AD issue though.

It's on the host detail page under Host Status > Detailed status and diagnostics.

That takes you to another screen where you can run the diags.

Tom

Could it be that you have created the Deny rule as a Priority Deny, which overrides Priority Allow rules? Maybe post the actual event here on the forum?

The rule will be a priority deny, that allows the specified group.

I did get this to work; the host diagnostic link gave me the info I needed. Granted, I still can't get the name to work; however, the SID for the group works just fine and meets the needs of the web admin.
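Two checks come out of this thread: the group's SID is what CSA matched on when the name would not, and the user state is evaluated against the credential the process actually runs under, not the logged-on user. The script below is an added example, not code from the thread or from Cisco, that performs both checks with standard .NET and CIM calls: it resolves a group name to its SID (the value to enter in the user-state group field), round-trips the SID back to a name so a SID seen in a deny event can be confirmed, lists the groups in the current process token, and shows the owner account of the IIS worker processes. The domain name `EXAMPLE` is a placeholder; `Domain Admins2` is the group from the thread.

```powershell
# Added example (not from the thread or from Cisco): verify what a CSA user state
# would see. Assumes domain NetBIOS name 'EXAMPLE' (placeholder) and the group
# 'Domain Admins2' from the thread; adjust both for your environment.
param(
    [string]$Domain    = 'EXAMPLE',        # placeholder domain name
    [string]$GroupName = 'Domain Admins2'  # group discussed in the thread
)

# Name -> SID. If this fails, the name itself is the problem (typo, trailing
# space, unreachable DC), which is a likely reason the name form did not match.
function Resolve-GroupSid {
    param([string]$Domain, [string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Could not map '$Domain\$Name' to a SID"
        return $null
    }
}

# SID -> name. Use this on the SID shown in the CSA deny event's details to
# confirm it really is the group you expect.
function Resolve-SidName {
    param([string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

# Groups carried by the current process token. Run this in the same security
# context as the application the rule applies to; your interactive logon's
# token is not what CSA evaluates for a service running as SYSTEM.
function Get-TokenGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $identity.Groups) {
        $name = '<unresolved>'
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }
}

# Owner of each IIS worker process: the credential that actually performs the
# write to wwwroot, and therefore the one the user state is matched against.
function Get-IisWorkerOwners {
    Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        }
    }
}

$sid = Resolve-GroupSid -Domain $Domain -Name $GroupName
if ($sid) {
    "Group $Domain\$GroupName -> $sid"
    "Round trip: $(Resolve-SidName -Sid $sid)"
}
"Groups in the current process token:"
Get-TokenGroups | Format-Table -AutoSize
"IIS worker process owners:"
Get-IisWorkerOwners | Format-Table -AutoSize
```

Run it once from an elevated prompt to resolve the SID, then once more in the context of the process being denied (for example via the service account or a scheduled task running as that identity) to see the token CSA actually evaluates; if `Get-IisWorkerOwners` shows a different account than the one you put in the user state, the rule will not match regardless of how the group is spelled.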
