KBI 311600 Insufficient Privileges Error When Accessing Argent Commander Or Argent Reports With User From Trusted Domain
Version
Argent Commander 5.0A-1707-A or below
Argent Reports 7.0A-1710-E or below
Date
Wednesday, 20 December 2017
Summary
Customers may see ‘Insufficient Privilege’ error messages while logging into Argent Commander or Argent Reports with a user from a Trusted Domain (e.g. a trusted domain that differs from the domain that Argent Commander is installed in)
Similarly, when customers use Argent Commander or Argent Reports’ Security page to search for Active Directory users or group in a Trusted Domain, the page may return no results
Technical Background
The issue stems from two areas of the code:
-
The internal LDAP queries that are responsible for getting a list of Active Directory users and groups
Typically, LDAP queries are made against LDAP:// — however, in order to cater for all forms of Trusted Domains, the Global Catalog should be targeted instead (GC://)
The Global Catalog caches information from both the local domain and Trusted Domains, which makes it the best place to make queries against
-
The code responsible for determining the ‘Distinguished Name’ of an Active Directory user (e.g. CN=john.doe,OU=Administrators Group,DN=argsoft,DN=internal,DN=corp)
The ‘Distinguished Name’ of the user is required to query Active Directory to find out what Security Groups a particular user is a member of.
The existing code was unable to translate users from certain types of Trusted Domains into the ‘Distinguished Name’.
Resolution
This issue has been formally addressed in Argent Commander 5.0A-1801-A and Argent Reports 7.0A-1801-A