Question

Request LF makes to AD when calling GetEffectiveRights

asked on December 11, 2015

What requests does Laserfiche make to Active Directory to evaluate whether a Windows user has access to a document when we call the GetEffectiveRights function? Or does LF make any call to AD to check if that user still exists in AD before checking its Effective Rights in Laserfiche?

Also we have a scenario where we have two domains.

ProdDomain and TestDomain.

TestDomain trusts ProdDomain but ProdDomain doesn't trust TestDomain.

If the LF Repo is in TestDomain and the user in ProdDomain tries to access a document in TestDomain or vice versa, then what kind of network setup between the domains is required in order to ensure that the request to GetEffectiveRights will work correctly?

Please ask me if anything above is unclear.

Thanks in advance.

0 0

Replies

replied on December 18, 2015

The call to GetEffectiveRights looks up the user's group membership to do the rights calculation, so it makes a request to AD.  It sounds like the LF server doesn't have access to perform this lookup on the production domain, although I am not familiar enough with AD to say why.

1 0
replied on December 21, 2015

Thanks Robert.

Would this be the user account that the Laserfiche service is running under? The code that we are using to perform this call is as follows:

var account = new AccountReference(userName, session);
EntryRights rights = Entry.GetEffectiveRights(documentId, account, session);

Where username is a string with ProdDomain\MyAccount

Session is the Laserfiche session object.

0 0
replied on December 21, 2015

Yes, the LF server performs the AD lookup for the target account. Try doing an AD lookup on the target user from a command prompt running as the same user as the LFS service. One way to do this is with PsExec:

psexec -i -u "nt authority\network service" cmd.exe

This opens a command prompt running as the network service user (change that to whatever LFS is running as). Run whoami from there to verify it is running as the correct user. Then run gpresult for the user you are trying to get effective rights on:

gpresult /user TESTDOMAIN\TargetUser /v

This should export the group information and group policies for the target user.

2 0
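
An added example, not part of the reply above and not Laserfiche code: a PowerShell check to run from the prompt opened as the LFS service account, which reports separately whether that account can translate the target user's name to a SID and read its group membership. The thread does not say which AD calls the server makes, so the standard .NET lookups here are an assumed stand-in, and TESTDOMAIN\TargetUser is the placeholder from the reply.

```powershell
# Added example: run as the account the Laserfiche Server service uses.
# $Target defaults to the placeholder from the reply; pass the real trustee.
param([string]$Target = 'TESTDOMAIN\TargetUser')

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domain, $sam = $Target -split '\\', 2

# Run one lookup and record success or the exception text, so a failure
# in one step does not hide the result of the others.
function Test-Step([string]$Name, [scriptblock]$Action) {
    try {
        $value = & $Action
        [pscustomobject]@{ Step = $Name; Ok = $true; Detail = ($value -join '; ') }
    } catch {
        [pscustomobject]@{ Step = $Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

$results = @(
    # Same purpose as running whoami: confirm the identity doing the lookup.
    Test-Step 'Running as' {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    # Name resolution across the trust: fails if the account cannot be resolved.
    Test-Step 'Name to SID' {
        $nt = New-Object System.Security.Principal.NTAccount($Target)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    # Group membership lookup: fails if the caller cannot bind to or read
    # the target user's domain.
    Test-Step 'Group membership' {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $sam)
        if (-not $user) { throw "User $sam not found in $domain" }
        $user.GetAuthorizationGroups() | ForEach-Object { $_.Name }
    }
)
$results | Format-Table -AutoSize -Wrap
```

A row with Ok = False shows which lookup the service account cannot perform, along with the exception message returned for it.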
replied on December 18, 2015

19 views so far and not even a single reply :(

Anything from Laserfiche Engineers? Have I asked a very tough question or does the question not make sense?

To add further details, when a user in Test Domain tries to call the GetEffectiveRights function to get the EffectiveRights of a Prod Domain User at Repository/Folder (repository is in Test Domain as well) level, he gets an error "Error Code: 6000 Error Message: Unspecified Error [6000:0x80004005] (Unspecified error)" (screenshot attached). What can we do to make this work?

I am after the back-end communication between LF Server and AD, to figure out what kind of requests are made from LF Server to AD when we call an EffectiveRights function.

GetEffectiveRights7.png
0 0
replied on May 14, 2020

Hi,

Is there any update on this error message? We are getting a similar error for a prod domain user who is trying to perform the same action from a test domain repository, and we get the following error whether it is done from the Laserfiche client or from the Laserfiche SDK:

Error Code: 6000
Error Message: Unspecified error [6000:0x80004005] (Unspecified error)

------------ Technical Details: ------------

LFSO:
    Call Stack: (Exception)
        ILFEntryListImpl::get_EffectiveRightsByName
    Additional Details:
        HRESULT: 0x80004005 (LFSession::ProcessResponse, LFSession.cpp:3861)
        (LFSO/9.1.1.589)
LF.exe (9.1.1.486):
    Call Stack: (Current)
        CEffectiveRightsTab::OnBnClickedBtnChooseTrustee
    Additional Details:
        Exception: 0x80004005 [6000] (Unspecified error) (CEffectiveRightsTab::OnBnClickedBtnChooseTrustee at EffectiveRightsTab.cpp:196)
    Call History:
        CChooseTrusteeDialog::OnInitDialog
        CChooseTrusteeDialog::OnBnClickedOk
        CEffectiveRightsTab::OnBnClickedBtnChooseTrustee
        CEffectiveRightsTab::UpdateDisplay
        CTrusteeListCtrl::FillList
        CChooseTrusteeDialog::OnInitDialog
        CChooseTrusteeDialog::OnBnClickedOk
        CEffectiveRightsTab::OnBnClickedBtnChooseTrustee

0 0
replied on May 14, 2020

Have you run through the trouble-shooting steps Robert posted above? They seem to apply to your situation also.

0 0
replied on May 15, 2020

Hi Brian,

We are trying to get results; in the meantime, can I check if there is any resolution to this issue?

0 0
replied on May 15, 2020

It's a symptom of a configuration problem in your system, so there isn't a simple resolution that can be applied to all systems. Maybe you need to change the user your Laserfiche server runs as, maybe you need to change firewall settings, maybe you need to change AD permissions.

1 0
replied on May 15, 2020

Hi Brian - We did further analysis and changing user for running LFS service fixed the problem, thanks.

0 0