Login for members of Active Directory group "Protected users"

Hi all,
we are currently trying to set up additional user accounts synced from Active Directory to Check_MK.
Some of these users are members of the "Protected Users" AD security group.
These users cannot log in due to authentication protocol restrictions of the "Protected Users" group.
The users can log in without any problem when they are not members of this group.

web.log:
{'info': u'80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580', 'desc': u'Invalid credentials'}

I researched error code 52f; it means:
"Account Restrictions are preventing this user from signing in."

Our users are synced from Active Directory via LDAP and are currently using the "basic" authentication of Check_MK (which should be LDAP authentication).

Is there any experience within the Check_MK community on how to solve this problem without using separate users dedicated for monitoring (as mentioned in "Login with Protected Users")?

Thanks in advance!
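As an added example (not from the original post and not Check_MK's own code), a small Python triage script that parses the AcceptSecurityContext diagnostic out of web.log lines like the one above and maps the AD "data" sub-code to its documented meaning, flagging 52f as the account-restriction case to check against "Protected Users" membership. The sample log lines are constructed; only the first reproduces the diagnostic from the post, and the `triage_log`/`count_by_data_code` helper names are this example's own.

```python
import re

# Well-known "data" sub-codes AD returns with LDAP result 49 (invalidCredentials)
# in the AcceptSecurityContext diagnostic message. 52f is the one from the post.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "52f": "account restrictions prevent sign-in (e.g. Protected Users, logon hours)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the diagnostic string as it appears inside the web.log dict literal;
# the surrounding {'info': u'...'} wrapper and quoting style are ignored.
DIAG_RE = re.compile(
    r"(?P<status>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,']+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_diagnostic(line):
    """Return the parsed AD diagnostic fields from one web.log line, or None."""
    m = DIAG_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "status": m.group("status").lower(),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_DATA_CODES.get(data, "unknown data code"),
        # 52f with a correct password is what a Protected Users member (or any
        # other account restriction) produces on a failed simple bind.
        "protected_users_suspect": data == "52f",
    }


def triage_log(lines):
    """Parse every line; keep only the ones carrying an AD bind diagnostic."""
    results = []
    for line in lines:
        parsed = parse_ad_diagnostic(line)
        if parsed:
            results.append(parsed)
    return results


def count_by_data_code(lines):
    """Histogram of data sub-codes, handy for spotting a burst of 52f after a sync."""
    counts = {}
    for entry in triage_log(lines):
        counts[entry["data"]] = counts.get(entry["data"], 0) + 1
    return counts


# Constructed sample: the first line is the diagnostic quoted in the post, the
# next two are made up in the same format for other codes, the last is unrelated.
SAMPLE_WEB_LOG = [
    "{'info': u'80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52f, v2580', 'desc': u'Invalid credentials'}",
    "{'info': u'80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': u'Invalid credentials'}",
    "{'info': u'80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 533, v2580', 'desc': u'Invalid credentials'}",
    "2019-05-13 10:01:02 [INFO] LDAP sync finished",
]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_WEB_LOG):
        flag = "  <-- check Protected Users membership" if entry["protected_users_suspect"] else ""
        print("data %s: %s%s" % (entry["data"], entry["meaning"], flag))
    print(count_by_data_code(SAMPLE_WEB_LOG))
```

Run it against a real web.log with `triage_log(open("web.log").read().splitlines())`; a 52f for a user whose password is known to be correct is the signal to look at group membership rather than at the credentials.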

You have 2 choices in this instance: remove the users in question from the "Protected Users" group, or use another account for those users to access Check_MK. When accounts are added to "Protected Users" you cannot delegate authentication for those members, which is what occurs when they sign in to Check_MK, as the authentication request is "proxied" via the "Bind DN". Furthermore, if you review the logs on the AD server itself, you'll likely see that those auth requests are using NTLM, which is also disabled when a user is a member of "Protected Users".


Hi darin,
thanks for the reply.
Do you know if Check_MK provides a possibility to change NTLM authentication for AD users (e.g. to Kerberos authentication, as this should be supported for Protected Users), or if Check_MK supports syncing users from Azure AD instead of on-premises AD?
Thanks!

Switching the authentication protocol to Kerberos will not matter in this instance as authentication is still being “delegated” via the “Bind DN” account. Authentication via SAML is supported via mod_auth_mellon, so any IdP should work, however I’ve never set it up but it is fairly well documented.
