S4U - Directory Server Windows Authentication Fails without Domain Admin Service Account

asked on January 16, 2017

We are having an issue on a single domain with Rio Directory Server Windows named-user authentication failing when the service account is not granted Domain Admin privileges but only has Local Admin on the Laserfiche server granted to the domain service account. (Single-server environment with DS / LFS on one machine.)

I understand DS uses the S4U method of Authentication.

DS was upgraded to

UPN validation does not seem to be the concern.

Laserfiche actually provided a test utility (independent of Laserfiche DS / LFS) which validates that the account works using LogonUser (the License Manager method), but S4U fails until the service account is granted Domain Admin.


Below are the circumstances:

1. The customer granted the service account Domain Admin, and the service account can now authenticate using Windows Authentication. Both the service account and USERS CAN authenticate.

2. We then removed the Domain Admin privilege from the svc_lf01 service account. After removing the Domain Admin privilege the service account can still successfully authenticate using Windows Authentication. However, USERS CANNOT.

At this stage the suggestion is the issue may be related to the environment.

Has anyone in the Laserfiche Community experienced something similar, or can anyone share what privileges may be required? The customer is not comfortable with the Laserfiche service account being granted Domain Admin.

I assume there may be Kerberos-related privileges which are required, given that S4U relies on a Kerberos token; we tried some Kerberos-related privileges but that did not resolve it.
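As an added diagnostic (not the Laserfiche test utility and not Laserfiche code), the PowerShell below reproduces the S4U step the post describes: from the service account's context it requests an S4U logon for a UPN with no password and reports what kind of token comes back, along with whether the caller holds SeTcbPrivilege or SeImpersonatePrivilege, which affect S4U2Self results. Run it as the service account on the DS/LFS server; the UPN passed in is an assumed sample value.

```powershell
# Added diagnostic, not part of Laserfiche DS/LFS. Run as the service account.
param(
    # Assumed sample: pass a real user's UPN, e.g. 'jane.doe@corp.example'
    [Parameter(Mandatory)][string]$UserPrincipalName
)

function Test-S4ULogon {
    param([string]$Upn)
    try {
        # The UPN-only constructor asks LSA for a Kerberos S4U2Self logon: no password
        # is involved, so the result depends on the calling account's privileges, not
        # the user's credentials. An Identification-level token proves who the user is
        # but cannot be used to impersonate; Impersonation level is only returned when
        # the caller is sufficiently privileged (e.g. holds SeTcbPrivilege).
        $identity = [System.Security.Principal.WindowsIdentity]::new($Upn)
        [pscustomobject]@{
            Upn                = $Upn
            Succeeded          = $true
            Sid                = $identity.User.Value
            ImpersonationLevel = $identity.ImpersonationLevel
            GroupCount         = @($identity.Groups).Count
            Error              = $null
        }
    }
    catch {
        # Surface the underlying Win32/LSA error rather than the .NET wrapper message
        $inner = if ($_.Exception.InnerException) { $_.Exception.InnerException } else { $_.Exception }
        [pscustomobject]@{
            Upn = $Upn; Succeeded = $false; Sid = $null
            ImpersonationLevel = $null; GroupCount = 0
            Error = ('0x{0:X8} {1}' -f $inner.HResult, $inner.Message)
        }
    }
}

function Get-CallerContext {
    # Record which account is calling and whether it holds the privileges that change
    # S4U2Self behaviour, so a Domain Admin vs. Local Admin run can be compared.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $priv = whoami /priv /fo csv | ConvertFrom-Csv
    [pscustomobject]@{
        RunningAs              = $me.Name
        SeTcbPrivilege         = [bool]($priv | Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' })
        SeImpersonatePrivilege = [bool]($priv | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' })
    }
}

Get-CallerContext | Format-List
Test-S4ULogon -Upn $UserPrincipalName | Format-List
```

Running it once with the service account in Domain Admins and once without, and comparing the Error and ImpersonationLevel fields, pins down whether the failure is in the S4U2Self request itself or in what the resulting token can do.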

replied on January 30, 2017

It sounds like the service user needs more permissions in active directory. We have tested with users that are not domain admins. Opening a support case to troubleshoot might be a good idea.

replied on January 31, 2017

Ok thanks Brianna. We will move forward with opening a case!

replied on January 17, 2017

I too am having a similar issue with this. Mine has to do with Laserfiche Mobile though. None of our users can use the mobile app because of "account locked" 9011. I only have two choices: either give the mobile user Domain Admin rights or make them a "User" instead of a "domain user", which Laserfiche recommends doing. Any answers greatly appreciated!!

replied on January 30, 2017

Any thoughts from Laserfiche on what this may be?

