Adaxes

Can't authenticate with servers if the user is in the built-in group "Protected Users"

0 votes

We can authenticate if we login to the machine hosting the service but if I have the client installed on my desktop, I can't authenticate with any of the services when my account is in the "Protected Users" group.

This is what my list of services look like: image.png

More information on the group: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

by (2.3k points)
0

Hello Mark,

For troubleshooting purposes, please, specify the following:

  • Do you face any errors when trying to connect to the Adaxes service on a remote computer while logged in using credentials of the account that is a member of the Protected Users group? If you do, please, post here or send us at support@adaxes.com screenshots of the errors.
  • Can you connect to the Adaxes service on a remote computer when logged in using credentials of the account that is not a member of the Protected Users group?

Any additional details would be much appreciated.

by (14.1k points)
0
  • If I log into the server that is hosting the adaxes service, I can login to the service just fine.
  • If I try to remotely connect to the service using the client, it fails.

The error we get when trying to connect to the service is below. image.png

by (2.3k points)

1 Answer

0 votes
by (14.1k points)
selected by
Best answer

Hello Mark,

Thank you for specifying. The issue occurs because by default NTLM is used for connection between the Administration console and the Adaxes service while NTLM is prohibited for members of the Protected Users group and Kerberos must be used. To remedy the issue, you can try to do the following:

  1. On the computer where Adaxes Administration Console is installed, navigate to folder C:\Users\All Users\Softerra\Adaxes 3.
  2. Open the Softerra.Adaxes.Adsi.dll.config file with a text editor.
  3. Locate the application/channels/channel XML element.
  4. Set the servicePrincipalName parameter to the username of the Adaxes service account (specified during Adaxes installation) in the username@company.com format. For example:
<application>
    <channels>
        <channel ref="tcp" priority="2" secure="true" servicePrincipalName="username@company.com">
            ...
        </channel>
    </channels>
</application>
  1. Save the file.
  2. Close the Adaxes Administration console.
  3. Sign out the currently logged on user and then sign back in.
  4. Launch the Adaxes Administration console.

IMPORTANT: the approach will work only for the Adaxes services that are installed using the credentials of the account whose username is specified in the servicePrincipalName parameter.

0

Worked! Thank you!

by (2.3k points)

Related questions

0 votes
1 answer
What is the most current way of checking if a user has MFA enabled in Azure?

We used to use a script to check if an AD user's MFA was set in Azure (Hybrid AD/AAD set up). I do not think it is relevant any longer. Is there another script that handles this or some other functionality in order to check a user's Azure MFA status?

asked Aug 23 by msheppard (470 points)
0 votes
1 answer
For the built-in Management history report, is there a way to exclude objects that have no recent modifications?

For example, if the scope is a specified OU, running the report will list management history for every object in the OU even if it has had no management operations ... so objects that have not had any recent modifications are excluded from the report results?

asked Aug 13, 2021 by ryan741 (120 points)
0 votes
1 answer
On the built in Create User, how can I get the ability for the user to choose a different domain in the username field?

Using this built in function: There is no option to change the domain on the user account, however this is not the domain we use for UPN. However after creating a user, you can change it but trying to avoid going back into the object.

asked Apr 14, 2023 by mightycabal (1.0k points)
0 votes
1 answer
I cant see where I can allow multi selection of user objects to then edit in the web interface.

I would like to change department without a script just yet if possible on multiple accounts. If I cant do this then I will entertain custom script Thanks :)

asked Nov 23, 2021 by will17 (350 points)
0 votes
0 answers
What is the proper way to change multiple users manager field if a management position changes

Say you have Manager A that has 30 users under them. Manager A leaves and Manager B takes the position. What is the best way to update all 30 users so their new manager is Manager B.

asked Jun 7, 2021 by Jmbrown04 (60 points)
3,547 questions
3,238 answers
8,232 comments
547,810 users