
MARC can identify the wrong user in a multi domain environment

Versions / Builds Affected

Any

Status

Open

Problem Summary

MARC can identify the wrong user in a multi domain environment

TT / JIRAID

1979

How to Identify

The customer has a multi domain forest with a few (child) domains, e.g.:

DNS name / NETBIOS name / description
gfi.com / GFI / root domain
malta.gfi.com / MALTA / child domain
uk.gfi.com / UK / child domain
us.gfi.com / US / child domain
...

In each domain he has an account with the same name, e.g. Administrator. Let's say the MARC server is joined to the domain gfi.com (GFI). This is what can happen:

1. The user logged into Windows as GFI\Administrator.
2. He opened the MARC web page.
3. ADA does a query against a global catalog for: (objectCategory=User)(sAMAccountName=Administrator)
4. The GC returns all Administrator accounts from all domains.
5. ADA probably continues to work with the account returned at the top of the list.
6. In this case that is MALTA\Administrator.

The underlying cause is that sAMAccountName is only unique within a domain, not across the forest, so a GC query keyed on the account name alone is ambiguous; only the domain part of the Windows identity (GFI\...) or the account's SID identifies the object uniquely. Note also that the roles and permissions ADA applies are those of whichever account the GC happened to return first: here that meant fewer rights, but the same mix-up can equally hand a user the role assignments of a same-named account in another domain.

ASPNET/UI/WebLoader.log

2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","STARTING direct security test"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","Not Forms Authentication"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","SecurityTest"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","Windows Authentication Detected"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","SV User Found: GFI\Administrator"

Core/Debuglogs/AdaAuthenticationM.log

2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: MALTA\Administrator >>"
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Identity type is AdaWindows"
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User located: ec3ce2d8897ec14e9f817dc38cbd59f7"
2014-02-25,12:12:29,027,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover roles - RBAC"
2014-02-25,12:12:29,059,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Roles discovery finished"
2014-02-25,12:12:29,059,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover missing admin role - RBAC"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","ResolveMissingAdmin: No administrator role assignment found"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover missing admin role - RBAC"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover subordinates for user"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Subordinates discovery"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","User manages: 0 groups"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Resolving redirects"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Subordinates discovery finished"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [User] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ConnectThruIMAP] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveEmailsToOwnMailbox] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveEmailsToMailboxWithAccess] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveFiles] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [DeleteEmailsFromOwnMailbox] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [DeleteEmailsFromMailboxWithAccess] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [CreateOrAssignLabelsToEmails] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Principal is ready. Identity:MALTA\Administrator roles: 8 subordinates: 0 rights: NoAccess"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticated [MALTA\Administrator]. <<"

There is no error shown above, but the two logs show the mix-up: WebLoader sees GFI\Administrator, while ADA authenticates MALTA\Administrator.

Symptoms for the customer:
- He cannot enter the license key (gets an ASP.NET error).
- He cannot make changes to the config in general (as the users got mixed up and MALTA\Administrator did not have the proper "roles and permissions" set).
- There are probably more.
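The following is an added example, not GFI's or ADA's code. It reproduces the lookup ambiguity described above with a constructed global-catalog result set (one Administrator per domain of the example forest, in an arbitrary order), shows a domain-scoped lookup that resolves DOMAIN\user to exactly one object, and runs a mismatch check over the WebLoader and AdaAuthenticationM lines quoted above. The NetBIOS-name-to-naming-context table is constructed for the example; in a real forest it comes from the crossRef objects under CN=Partitions,CN=Configuration, and the scoped lookup is one way to fix the ambiguity, not a description of how ADA actually resolves users.

```python
"""Added example (not GFI/ADA code): reproduce the GC lookup ambiguity,
resolve it by domain scope, and detect the identity mix-up in MARC logs."""
import csv
import io
import re

# Constructed GC result for (objectCategory=User)(sAMAccountName=Administrator).
# One account per domain; the order is deliberately not the caller's domain
# first, because the GC makes no promise about ordering.
GC_RESULTS = [
    {"sAMAccountName": "Administrator",
     "distinguishedName": "CN=Administrator,CN=Users,DC=malta,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator",
     "distinguishedName": "CN=Administrator,CN=Users,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator",
     "distinguishedName": "CN=Administrator,CN=Users,DC=uk,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator",
     "distinguishedName": "CN=Administrator,CN=Users,DC=us,DC=gfi,DC=com"},
]

# Constructed NetBIOS name -> domain naming context table (assumption: in AD
# this is read from crossRef objects under CN=Partitions,CN=Configuration,...).
NETBIOS_TO_NC = {
    "GFI": "DC=gfi,DC=com",
    "MALTA": "DC=malta,DC=gfi,DC=com",
    "UK": "DC=uk,DC=gfi,DC=com",
    "US": "DC=us,DC=gfi,DC=com",
}


def naming_context(dn):
    """Return the DC=... tail of a DN, i.e. the domain the object lives in."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC="))


def lookup_first_match(sam, gc_results):
    """The behaviour the article describes: forest-wide match on
    sAMAccountName alone, first hit wins. sAMAccountName is only unique
    per domain, so this picks an arbitrary account when names collide."""
    for entry in gc_results:
        if entry["sAMAccountName"].lower() == sam.lower():
            return entry["distinguishedName"]
    return None


def lookup_scoped(windows_identity, gc_results, netbios_to_nc):
    """Resolve DOMAIN\\user by restricting the match to DOMAIN's naming
    context. Raises unless exactly one object matches."""
    netbios, _, sam = windows_identity.partition("\\")
    nc = netbios_to_nc.get(netbios.upper())
    if nc is None:
        raise LookupError(f"unknown NetBIOS domain in {windows_identity!r}")
    hits = [e["distinguishedName"] for e in gc_results
            if e["sAMAccountName"].lower() == sam.lower()
            and naming_context(e["distinguishedName"]).lower() == nc.lower()]
    if len(hits) != 1:
        raise LookupError(f"{windows_identity}: expected 1 match, got {len(hits)}")
    return hits[0]


# Log lines taken from the article's excerpt (MARC's comma-separated format).
WEBLOADER_LOG = """\
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","Windows Authentication Detected"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","SV User Found: GFI\\Administrator"
"""
ADA_LOG = """\
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: MALTA\\Administrator >>"
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Identity type is AdaWindows"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticated [MALTA\\Administrator]. <<"
"""


def log_messages(text):
    """Yield the last (message) column of each comma-separated log line."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            yield row[-1]


def find_identity_mixup(webloader_log, ada_log):
    """Pair the Windows identity WebLoader saw with the one ADA authenticated.
    Returns (windows_identity, ada_identity, mismatch)."""
    win = ada = None
    for msg in log_messages(webloader_log):
        m = re.match(r"SV User Found: (\S+)", msg)
        if m:
            win = m.group(1)
    for msg in log_messages(ada_log):
        m = re.match(r"Authenticate: (\S+) >>", msg)
        if m:
            ada = m.group(1)
    mismatch = win is not None and ada is not None and win.lower() != ada.lower()
    return win, ada, mismatch


if __name__ == "__main__":
    print("first hit :", lookup_first_match("Administrator", GC_RESULTS))
    print("scoped    :", lookup_scoped("GFI\\Administrator", GC_RESULTS, NETBIOS_TO_NC))
    print("log check :", find_identity_mixup(WEBLOADER_LOG, ADA_LOG))
```

Run against real logs, the check only needs the two files named above: a `SV User Found:` line whose DOMAIN\user differs from the `Authenticate: ... >>` line for the same request is the signature of this issue.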

Workaround / Fix Details

MARC was not designed with complex or multi domain forests in mind. There is currently no fix which fully addresses the situation.

For an environment in which there is no need for MailArchiver to handle objects outside of the local domain to which the server is joined (e.g. if all user objects live in one particular subdomain), MARC can be configured to query a local domain controller rather than a global catalog server. A domain controller only returns objects from its own domain, so the sAMAccountName lookup can no longer match same-named accounts in other domains. This can be used as a workaround, but only where that restriction holds; users in other domains will not be found at all. To apply it, add the following key to the product.config file of each of the services and restart the services:

Required Actions

Escalate
Posted by Priyanka Bhotika
