Versions / Builds Affected
Any
Status
Open
Problem Summary
MARC can identify the wrong user in a multi domain environment
TT / JIRAID
1979
How to Identify
The customer has a multi domain forest with a few (child) domains. E.g.:
DNS name / NETBIOS name / description
gfi.com / GFI / root domain
malta.gfi.com / MALTA / child domain
uk.gfi.com / UK / child domain
us.gfi.com / US / child domain
...
In each domain he has accounts with the same name, e.g. Administrator.
Let's say the MARC server is joined to the domain gfi.com (GFI).
This is what can happen:
1. User logged into Windows as GFI\Administrator
2. He opened the MARC web page
3. ADA does a query against a global catalog for: (objectCategory=User)(sAMAccountName=Administrator)
4. The GC returns all Administrator accounts from all domains
5. ADA probably continues to work with the account returned at the top of the list
6. In this case MALTA\Administrator
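To show why step 5 above goes wrong and how the lookup should be scoped instead, here is an added Python example (not MailArchiver code): the directory entries are constructed sample data, and the NetBIOS-to-naming-context map stands in for the forest's crossRef objects.

```python
# Constructed sample data standing in for the forest's configuration partition
# (crossRef objects: nETBIOSName -> nCName) and for a global catalog result set.
CROSS_REFS = {
    "GFI": "DC=gfi,DC=com",
    "MALTA": "DC=malta,DC=gfi,DC=com",
    "UK": "DC=uk,DC=gfi,DC=com",
    "US": "DC=us,DC=gfi,DC=com",
}
# What the GC hands back for sAMAccountName=Administrator; MALTA listed first, as on the page.
GC_RESULTS = [
    {"sAMAccountName": "Administrator", "distinguishedName": "CN=Administrator,CN=Users,DC=malta,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator", "distinguishedName": "CN=Administrator,CN=Users,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator", "distinguishedName": "CN=Administrator,CN=Users,DC=uk,DC=gfi,DC=com"},
    {"sAMAccountName": "Administrator", "distinguishedName": "CN=Administrator,CN=Users,DC=us,DC=gfi,DC=com"},
]

def gc_search(sam):
    """Stand-in for the GC query: every account in the forest with this sAMAccountName."""
    return [e for e in GC_RESULTS if e["sAMAccountName"].lower() == sam.lower()]

def is_ambiguous(sam):
    """Check worth logging: more than one forest account shares the name, so the domain must decide."""
    return len(gc_search(sam)) > 1

def domain_of(dn):
    """Naming context of a DN: its trailing run of DC= components (no escaped-comma handling)."""
    dcs = []
    for rdn in reversed([p.strip() for p in dn.split(",")]):
        if not rdn.lower().startswith("dc="):
            break
        dcs.append(rdn.lower())
    return ",".join(reversed(dcs))

def resolve_first_hit(identity):
    """The behaviour described on the page: drop the domain part and take the top GC hit."""
    _, sam = identity.split("\\", 1)
    return gc_search(sam)[0]["distinguishedName"]

def resolve_by_domain(identity):
    """Keep the NetBIOS domain from the Windows identity and accept only the account in that domain."""
    netbios, sam = identity.split("\\", 1)
    nc = CROSS_REFS.get(netbios.upper())
    if nc is None:
        raise LookupError(f"unknown NetBIOS domain {netbios!r}")
    hits = [e for e in gc_search(sam) if domain_of(e["distinguishedName"]) == nc.lower()]
    if len(hits) != 1:  # refuse to guess rather than build a principal for the wrong account
        raise LookupError(f"{len(hits)} accounts named {sam!r} in {nc}")
    return hits[0]["distinguishedName"]
```

Comparing a DN's naming context exactly, rather than with a suffix test, matters here: every child-domain DN also ends in DC=gfi,DC=com, so a plain suffix check would still mix MALTA into a GFI lookup.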
ASPNET/UI/WebLoader.log
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","STARTING direct security test"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","Not Forms Authentication"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","SecurityTest"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","Windows Authentication Detected"
2014-02-25,12:12:27,090,1,"#00000A90","#00000008","info ","WebLoader","SV User Found: GFI\Administrator"
Core/Debuglogs/AdaAuthenticationM.log
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: MALTA\Administrator >>"
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Identity type is AdaWindows"
2014-02-25,12:12:28,855,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User located: ec3ce2d8897ec14e9f817dc38cbd59f7"
2014-02-25,12:12:29,027,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover roles - RBAC"
2014-02-25,12:12:29,059,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Roles discovery finished"
2014-02-25,12:12:29,059,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover missing admin role - RBAC"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","ResolveMissingAdmin: No administrator role assignment found"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover missing admin role - RBAC"
2014-02-25,12:12:29,074,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Discover subordinates for user"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Subordinates discovery"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","User manages: 0 groups"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Resolving redirects"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Subordinates discovery finished"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [User] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ConnectThruIMAP] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveEmailsToOwnMailbox] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveEmailsToMailboxWithAccess] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [ManuallyArchiveFiles] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [DeleteEmailsFromOwnMailbox] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [DeleteEmailsFromMailboxWithAccess] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: User has [CreateOrAssignLabelsToEmails] permission"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticate: Principal is ready. Identity:MALTA\Administrator roles: 8 subordinates: 0 rights: NoAccess"
2014-02-25,12:12:29,090,1,"#00000B74","#0000001A","info ","AdaAuthenticationM","Authenticated [MALTA\Administrator]. <"
Workaround / Fix Details
MARC was not designed with complex or multi domain forests in mind. There is currently no fix which fully addresses the situation.
----
For an environment in which MailArchiver does not need to handle objects outside the local domain to which the server is joined (e.g. if all user objects live in one particular subdomain), MARC can be configured to query a local domain controller instead of a global catalog server. This can be used as a workaround:
To achieve this, add the following key to the product.config file of each of the services and restart the services:
Required Actions
Escalate