Hey everyone:
I am looking to troubleshoot issues we’re having with switching our user base over to Single Sign-On.
I have tried doing this in a test environment, and there are a number of problems that have come up (and have made me hesitant to implement this in Production):
1) None of the groups that we have set up on our Directory Server are synchronizing down to Laserfiche Forms.
To this point, I have created groups in Active Directory that effectively mirror the user groups we have created in one of our repositories. We have also created groups in Directory Server with similar names, and we have matched/associated these with the appropriate user group in Active Directory.
When it comes to actual Named Users, users appear to become active once they have logged into our Laserfiche Forms test environment successfully. Using this logic, I created a Laserfiche group that contained only users that had logged in successfully (thinking the group would become active once each user within the group had logged in successfully), but this doesn’t look to be the case.
2) Only a couple of the 90+ Participant Licences convert over to Windows (Active Directory) Users.
When I go into Laserfiche Forms Administration in our test environment, and I go into the Forms Administration Console, I am prompted with a message that says a number of Participant Licences have been found, and to click to migrate all of them over. Despite doing this, I am presented with a message in the Event Log that says the user already exists. With this in mind, as an experiment, I intentionally removed a user from Active Directory, and tried running this again, however the same error occurs.
There does appear to be some Participant users that are migrating over, but it does not appear to be happening in a repeatable/predictable pattern, as there are occasionally users that migrate over that are only Laserfiche repository users, but never an actual Participant Licence/user.
I would love to hear any suggestions people may have about possible things to try here. As mentioned, I’m leery about trying this in the Production environment until such time that I have it working (or at least understanding why it’s not working properly) in our test environment.
Thanks in advance to anyone that can assist, and if you have any questions regarding information I may have left out (hopefully not), please let me know, and I will work to clarify what I’ve done to this point as best as I can.
Marty Gaffney – Network Technician
Town of Okotoks
Question
Question
Issues migrating Participant users after changing to Single Sign-On
Replies
Marty,
Regarding the issue of the AD groups not filtering down in Forms, what version of Forms are you utilizing? There is a bug with certain forms versions where this is a known issue.
Hi Marty,
1) Did you add the groups you created to Forms whitelist? They need to be either added to whitelist explicitly or added to a group that has been whitelisted.
2) The prompt for migration you saw is for Forms participant user previously created in Forms. The user would be considered as already existed if a user with same name already exists in the LFDS. Also note that the migration tool does not cover Laserfiche repository users/AD users, all you need to check is the Forms paticipant under "Participant" tab in the System Security page.
Hi Rui:
1) When I attempted to migrate participant licences over to Active Directory Named Users, I specified a group that is currently listed under "Allow the following groups to sign in to Laserfiche Forms".
2) Most users that were set up as participants would not have a user that already existed in LFDS, however initially there was a group that was set up for all of the participant users in Active Directory (which would have referenced everyone's AD account), but nothing beyond this, which is why I thought it was strange I was being prompted with a message that said these users already existed.
Please let me know if you would like more information on this, and I'll try to assist however I can.
1) The question was for the issue "None of the groups that we have set up on our Directory Server are synchronizing down to Laserfiche Forms", so I asked on those groups, not the one for participant. Did you mean that even the group for participant was not synchronized? Has any group ever been synchronized? None?
2) Since you said "AD", you got me confused: Forms participant could never be linked to an AD account, how did you do the reference? Did you created accounts in Forms with same name/password and considered that as "reference"? I don't expect this because to do that you need to know password for every AD account, which seems to be strange.
So can you open a support case and provide more information? We would like to see the detailed user list in Forms/LFDS to further inspect on the issue. Thanks.