New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


LDAP authentication over trust

Votes:

0

Your Vote:

Up

Down

We have configured PRTG in our environment to use LDAP authentication. The problem we are running into is that LDAP accounts from other domains that we have trust with don't work in our PRTG installation. Is there a way to get this to work? From what I can tell PRTG is using the ADsOpenObject function to bind the credentials but it seems to be hard coded to use the domain that the PRTG server belongs to.

accounts ldap trust

Created on May 9, 2012 8:43:24 PM by  gortiz (0) 1



8 Replies

Votes:

0

Your Vote:

Up

Down

Are you using V9 or V12. V9 doesn't use the LDAP provider and is somewhat limited in certain aspects. V12 is intended to work in the scenario you describes but there is acually an issue. The code uses the RootDSE Object at some places but this always returns the (default) naming context of the computer domain and not the domain which is given in the LDAP conection string. This is going to be fixed soon.

Best regards

Created on May 10, 2012 5:16:32 PM by  Roland Grau [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Yes, I am using version 12.3.3.2855 at the moment and this does not seem to be fix in this version. Looking at the logs I see the following:

ADsLogin1(LDAP:domain.example.com|Trustdomain\username)

It looks like the computer domain is automatically getting appended to the ldap connection string and when a user from another domain enters his domain then you have a connection string with two domains as a prefix. This was probably done under the assumption that all PRTG users for an enterprise will be part of the same domain. In my case we have a two way transitive trusts with four different domains and creating local accounts in PRTG for people that are not in our domain is getting out of control in terms of management. Is this somethings that is being worked on?

Created on Sep 20, 2012 3:46:52 PM by  gortiz (0) 1



Votes:

0

Your Vote:

Up

Down

Hi!

Yes, currently we don't support trusted domain relationships because the domain name entered in the system setup page (for active directory logins) in prtg is used as prefix for the login name and so you can only login to this domain. We are going to change this in the near future so that you can optionally prefix you login with another domain name and only if you omit the domain part, we would put the default there. Not sure if this is enough for your environment, but at least worth trying. As we have no trusted domain setup here, maybe you'd like to try it as soon as its done?

best regards

Created on Sep 20, 2012 7:14:37 PM by  Torsten Lindner [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I removed the domain name from the settings and then went ahead and tried it. It doesn't work. This is what I am getting from looking at the logs:

Webserver: ADsLogin1(LDAP:|domain/username): 80005000: An invalid Active Directory pathname was passed

You guys have '|' pipe character that normally separates the domain from the username. When I removed the domain from the settings in the PRTG options the '|' character is no longer separating the domain from the username but instead it is at the beginning

"LDAP:|domain/username"

When the domain name is included in the settings of PRTG the query that it sends looks like the one below:

Webserver: ADsLogin1(LDAP:domain|username)

Are you guys using the '|' character as a delimiter to break the string into the domain and username portions?

Created on Sep 20, 2012 8:32:24 PM by  gortiz (0) 1



Votes:

0

Your Vote:

Up

Down

I'm afraid that's just a misunderstanding. The pipe char "|" is only used in the logs to separate the 2 parts, AD path and credentials, for a better readability. It's not used within PRTGs AD-requests.

Created on Sep 24, 2012 2:33:32 PM by  Torsten Lindner [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hi

We currently have the same problem about login in over a domain trust with prepending another domain. Is there any update since 2012?

Thanks!

Regards Patrick

Created on Feb 11, 2016 3:15:00 PM by  renygma (50) 2 1



Votes:

0

Your Vote:

Up

Down

Patrick, I'm very much afraid trusted domains are not supported for the AD-Integration in PRTG.

Created on Feb 12, 2016 6:54:13 AM by  Torsten Lindner [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hi, is this going to be addressed anytime? It was stated that it would be addressed back in 2012. Is this not the case? You really need to include this info in your documentation around AD integration and not some knowledge base query. Bad form.

Created on Jun 21, 2017 11:44:32 AM by  shanemoran (0) 1



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.