I have set up Domino assistance to use AD login with group authentication. In the ACL of a database, I have entered the AD group name, and users can log in fine using their AD credentials, except for one single user.

I do not use AD sync and the users are not stored in Domino Directory.

I have set LDAPDebug=3 (also tried 15) and I do see some LDAP queries in the Domino console, but they do not seem to be related to that user trying to log in.

When I look in domlog.nsf I can see that the user gets an error trying to log in: 401 UNAUTHORIZED (The client is not authorized to access data).

I have verified with the other users in the same AD group and the users are set up the same; I also checked the distinguished name, mail and sn fields in AD.

How can I troubleshoot this further? I would like Domino to report in the console what values or requests are being made to AD, but I only get that for the users that are stored in the Domino Directory.

The user does not have any strange characters in the name.

Domino v11

Thanks

Thomas

Thomas Adrian

1 Answer


Just from a pure AD perspective, is the affected user a member of a large number of Active Directory groups?

If they are in more than 1010 groups, direct or transitive, the LSA access token for the account may fail to be created, and therefore they can't logon to the target system. This can affect Kerberos and NTLM auth.

More commonly - and this depends on operating system versions - for Kerberos auth, the MaxTokenSize for the ticket can be exceeded by the user being in too many groups. In the second instance, it's not about a fixed number of groups - it can include group memberships inside and outside the domain, and "sidHistory" if accounts have been migrated between domains. But this is normally combined with a large number of group memberships as well.

If it involves Win 7/Server 2008 R2 or older systems, MaxTokenSize is a third of the size it is in more recent OSes (unless it was customised to be larger). But even the larger size can be exceeded in environments where there are large groups with a lot of nesting/transitive memberships.

In any case, the first thing to check is the number of groups the account is a member of, recursively. If it's getting into the 100s, MaxTokenSize should be reviewed.

LeeM
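A way to do the check the answer recommends, as an added example that is not part of the question or the answer above: it counts the account's direct and transitive AD group memberships with one server-side LDAP_MATCHING_RULE_IN_CHAIN query, applies Microsoft's published token-size estimate (KB 327825: 1200 + 40d + 8s), and compares the result with the default MaxTokenSize of the two OS generations the answer mentions (12000 bytes on Windows 7/Server 2008 R2 and older, 48000 bytes on Windows 8/Server 2012 and later). It assumes the RSAT ActiveDirectory module is installed; the user name and the registry lookup target are placeholders.

```powershell
# Added example, not from the question or answer. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TokenGroupReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName   # placeholder: the affected account
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties sidHistory, distinguishedName
    $userDomainSid = $user.SID.AccountDomainSid.Value

    # OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC expand nested
    # membership, so one query returns both direct and transitive groups. Note: without
    # -Server pointing at a global catalog this only searches the current domain, and the
    # primary group (usually Domain Users) is not in the member attribute, so it is not listed.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    # KB 327825 estimate: d = domain-local groups + universal groups from other domains
    # + sidHistory entries; s = global groups + universal groups from the user's own domain.
    $d = 0
    $s = 0
    foreach ($g in $groups) {
        $sameDomain = $g.SID.AccountDomainSid.Value -eq $userDomainSid
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    $sidHistoryCount = @($user.sidHistory).Count
    $d += $sidHistoryCount
    $estimate = 1200 + (40 * $d) + (8 * $s)

    [pscustomobject]@{
        User                  = $user.SamAccountName
        RecursiveGroups       = $groups.Count
        DomainLocalOrForeign  = $d
        GlobalOrOwnUniversal  = $s
        SidHistoryEntries     = $sidHistoryCount
        EstimatedTokenBytes   = $estimate
        ExceedsLegacyDefault  = ($estimate -gt 12000)   # Win 7 / 2008 R2 default MaxTokenSize
        ExceedsModernDefault  = ($estimate -gt 48000)   # Win 8 / 2012 and later default
    }
}

function Get-ConfiguredMaxTokenSize {
    # Reads the local override, if any; absent value means the OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default)' }
    return $item.MaxTokenSize
}

# Usage (placeholder account name):
Get-TokenGroupReport -SamAccountName 'affected.user' | Format-List
"Configured MaxTokenSize on this host: $(Get-ConfiguredMaxTokenSize)"
```

Run the report for the failing user and for one of the working users in the same Domino ACL group; a large gap in RecursiveGroups or EstimatedTokenBytes between the two is the signal the answer describes, while near-identical numbers point the investigation back to the account's attributes or the Domino side rather than token size.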