Author Topic: Login in issues using windows log in. (Read 12591 times)

Fefceac · « **on:** January 07, 2022, 07:47:49 pm »

Hi guys,

I encounter a problem and I do not posses the knowledge to surpass it. We are using EA with Pro Cloud Server and two repositories one older on Oracle SQL and a new one on PostgreSql. We use Windows authentication on both repos but on the new one some users cannot login using the domain credentials. They get a pop up requiring user and password and after introducing the domain user and password a incorrect user/password massage is shown. the users are added in users and have assigned groups, also they can log in in the old repo. Also the system output panel displays an additionl login message "login: Windows user xxxx\john.doe is not a member of the model."

I've removed the users from EA, they get deleted from t_secuser and try adding them manually or whit import from AD with no success.

Can you help me get out of this?

Modesto Vega · « **Reply #1 on:** January 07, 2022, 08:27:02 pm »

Have you enabled model security and assign AD users the relevant permissions?

Fefceac · « **Reply #2 on:** January 07, 2022, 08:30:14 pm »

Hi,

Enable security is done as it is mandatory in order do define groups and add users.
Can you provide more details on the part with the AD permission?

Modesto Vega · « **Reply #3 on:** January 07, 2022, 08:40:17 pm »

You need to import the AD users and/or user groups and assign them permissions to perform different operations on the model.

Please see https://sparxsystems.com/enterprise_architect_user_guide/15.2/modeling/managingusers.html and https://sparxsystems.com/enterprise_architect_user_guide/15.2/modeling/managinggroups.html.

We used AD groups with some success.

Edit: I forgot to say that the out-of-the-box Sparx groups are linked to AD groups.

Fefceac · « **Reply #4 on:** January 07, 2022, 08:49:26 pm »

I believe that I've performed this steps correctly. I've created groups in EA without AD link and then in users I've used import to get AD users for each group. The problem is that some users in the same group can log in and others can not. The users were imported at the same time. I'm stuck.

Modesto Vega · « **Reply #5 on:** January 07, 2022, 08:59:59 pm »

Have you compared the actual AD group membership against what Sparx "thinks" is the group membership? I think that Sparx does not automatically synchronises the group synchronising requires pressing the Sync button in the Security Groups window.

If this is not the problem, I understand from your last post that you are using multiple groups. Have you checked if all users in a single group can login? Have you isolated if there is a problem with a specific group or it affects all groups.

Fefceac · « **Reply #6 on:** January 07, 2022, 09:04:09 pm »

Groups are not link to AD (the check box is not checked in groups) only the users are imported and have Accept windows login enabled. In some cases some but not all user groups can log in, for some other groups all users can log in.

Fefceac · « **Reply #7 on:** January 07, 2022, 09:06:24 pm »

The same config with groups defined in EA and users imported from AD is on both repos all user can log in on one, and some cannot on the second.

Geert Bellekens · « **Reply #8 on:** January 07, 2022, 10:33:20 pm »

Quote from: Fefceac on January 07, 2022, 09:06:24 pm

The same config with groups defined in EA and users imported from AD is on both repos all user can log in on one, and some cannot on the second.

What error are you getting? There's a good chance they don't have access to the actual database (on the database level)
In those cases EA will present you with "Enter password" box (without user)

Geert

Fefceac · « **Reply #9 on:** January 07, 2022, 10:41:07 pm »

Thank you Geert, can you take the time and guide me on where to check this permissions. I suspected this might be the case due to the error about user not having access to the model.

Geert Bellekens · « **Reply #10 on:** January 07, 2022, 11:35:28 pm »

Quote from: Fefceac on January 07, 2022, 10:41:07 pm

Thank you Geert, can you take the time and guide me on where to check this permissions. I suspected this might be the case due to the error about user not having access to the model.

Ask your database people
I'm not sure if that is the case though, since you still haven't told us exactly what is happening.

Geert

Modesto Vega · « **Reply #11 on:** January 08, 2022, 01:36:21 am »

If the connection between Sparx EA - i.e., the desktop client - is via ProCloud Server, my understanding is that the service account running the ProCloud Server windows server needs to have permissions on the database.

If the connection between Sparx EA is direct to the database, each windows user must have permissions on the database. Your DBAs should be able to tell you who has permissions to the database.

Having said this you need to start from basics, are your users connecting to a database or the ProCloud Server endpoint? A ProCloud Server endpoint looks like http://[servername], https://[servername].[domain name] with or without a port.

Fefceac · « **Reply #12 on:** January 08, 2022, 01:41:00 am »

Hi,

Users connect through Pro Cloud (pro cloud is connected with technical user to the DB).

the error in system output is: "login: Windows user xxxx\john.doe is not a member of the model." followed by the login window

Geert Bellekens · « **Reply #13 on:** January 08, 2022, 02:33:45 am »

So it's not a database permissions issue.

Have you updated the schema on both databases to the latest version?
In a previous version there was an issue when user names got too long. (max 32 characters I believe)
So it didn't work for users with long names

So if one database is still using the old schema, you might have the issue there, where the other one doesn't.

EA also has changed the userID it uses to connect to the database.
In the more recent versions it's [email protected] and no longer MyCompany\John.Doe
This change made the problem with the limited usernames a bit worse, since something like jan.hendrik-willem.vandercruisen-versteeg@mycompanyWithaLongName.com is easily longer than 32 characters.

Geert

Modesto Vega · « **Reply #14 on:** January 08, 2022, 03:22:05 am »

In addition, I suggest you do the following: change the logging level of ProCloud Server to TRACE, restart the service, and look for any errors in the ProCloud Server logs that may shed further information on the problem.

Quote from: Geert Bellekens on January 08, 2022, 02:33:45 am

[SNIP]
EA also has changed the userID it uses to connect to the database.
In the more recent versions it's [email protected] and no longer MyCompany\John.Doe
This change made the problem with the limited usernames a bit worse, since something like jan.hendrik-willem.vandercruisen-versteeg@mycompanyWithaLongName.com is easily longer than 32 characters.

I am not sure how well ProCloud Server adheres to this. Our logs show plenty of successful uses of user names with the e-mail format but were also seeing quite a few failed attempts to use the old format [Domain]\[User Name]. We cannot trace where the failed attempts to use the old format are coming from, we have an unresolved support case regarding this very same issue.

Sparx Systems Forum

News: