Having an issue on a Single Domain with RIO Directory Server Windows Named User Authentication Failing when the Service Account is not granted Domain Admin privileges but only has Local Admin on the Laserfiche Server granted to the Domain Service Account. (Single Server environment with DS / LFS on one machine)
I understand DS uses the S4U method of Authentication.
DS was upgraded to 10.0.0.270
UPN validation does not seem to be the concern.
Laserfiche actually provided a test utility (independent of Laserfiche DS / LFS) which validates the account works using LogonUser (License Manager Method), but S4U fails until the Service Account is granted Domain Admin.
Below are the circumstances:
1. Customer granted Service Account as Domain Admin and Service Account can now authenticate using Windows Authentication. Both Service Account and USERS CAN authenticate.
2. We then removed the Domain Admin privilege from the svc_lf01 Service Account. After removing the Domain Admin privilege the Service Account can now successfully authenticate using Windows Authentication. However USERS CANNOT.
At this stage the suggestion is the issue may be related to the environment.
Has anyone in the Laserfiche Community experienced something similar, or can anyone share experience with what privileges may be required, as the customer is not comfortable with the Laserfiche Service Account being granted Domain Admin?
I assume there may be Kerberos-related privileges which are required, given S4U is related to using a Kerberos token. We tried some Kerberos-related privileges but this did not resolve the issue.
https://msdn.microsoft.com/en-us/library/ff649317.aspx#paght000024_step2
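
As an added example (not part of the original post, and not the Laserfiche test utility it mentions), the S4U path can be exercised independently of DS from Windows PowerShell: the .NET `WindowsIdentity` constructor that takes only a UPN performs a Kerberos S4U logon without the user's password. The UPN below is a constructed placeholder and `Test-S4ULogon` is a hypothetical helper name; run it in a session started as the service account, once with and once without the elevated group membership, and compare the results.

```powershell
# Added diagnostic sketch, not Laserfiche code.
# Constructed placeholder UPN(s): replace with real named users from the domain.
$upns = @('testuser@example.com')

function Test-S4ULogon {
    param([Parameter(Mandatory)][string]$Upn)

    $result = [ordered]@{
        Caller  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Upn     = $Upn
        Success = $false
        Level   = $null   # impersonation level of the S4U token, if one is issued
        Groups  = $null   # number of group SIDs in the token
        Error   = $null
    }
    $identity = $null
    try {
        # UPN-only constructor: no password is supplied, the logon is done via S4U.
        $identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
        $result.Success = $true
        $result.Level   = $identity.ImpersonationLevel
        $result.Groups  = @($identity.Groups).Count
    }
    catch {
        # Report the innermost exception, which carries the underlying logon error.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Error = '{0}: {1}' -f $ex.GetType().Name, $ex.Message
    }
    finally {
        if ($identity) { $identity.Dispose() }
    }
    [pscustomobject]$result
}

$upns | ForEach-Object { Test-S4ULogon -Upn $_ } | Format-List
```

A failure here for ordinary users, alongside a success for the service account's own UPN, reproduces the symptom described in the post outside of Laserfiche.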