Applies to:
All 6.x versions
Symptom:
Upon successful login, the trees I browse are showing zero data. Moving from tree to tree shows all other trees exhibiting the same symptom.
Troubleshooting steps taken:
NOTE: None of the steps listed below solved the issue.
- Restarting the backend database (in this case, an MS-SQL database).
- Restarting the Windows server.
- Restarting the Venafi Encryption Director services: Venafi Encryption Director, Venafi Log server, Venafi Agent.
- Logging in and out with the same Active Directory (AD) username.
Here's what the policy screen looks like. Note the username used is in the bottom left of the screen.
- Using the same username as above (AD+TAD:admin) resulted in this blank screen on the credential tree.
Cause:
Logging in with the local:Admin account displays all the data in each screen. Here's an example:
Resolution:
The username Local:admin had administrative rights to the tree, while the AD user did not have any rights to the tree. We were, however, able to log in to the Windows Admin user interface successfully with both user IDs. Once your LDAP connectivity with AD has been established, Director will allow you to log in with any AD username, but it will not automatically grant that user rights.
NOTE: A similar symptom can be observed if you log in with the admin user ID using the Winadmin tool and the Web UI. If your Active Directory database has a user ID called admin, and it has not been assigned rights to your VED trees, you will be able to log in but will not see any data in the trees. To diagnose this issue, note whether the user is local by checking the status area at the bottom left of the Winadmin user interface; see the above graphic for an example of a local admin. There is no way to tell whether the user is local in the Web admin user interface.
To add rights to any AD user, follow these steps:
- Log in to the Web Admin interface using your configured AD master account. (This is the AD account you used when you first ran the Active Directory Provider Wizard.)
- Navigate to the Identity tree, where you will see a folder called AD-<name of your tree>. The example screenshot below uses the name "TAD".
- Click this folder to search your AD tree for the users you'd like to grant rights to the Director data.
- Once you have typed in the name of the user and pressed the Apply button, the matching users appear below the folder name, as in the screenshot below.
- Select the user you want to grant rights to.
- Clicking the "Master Admin" button grants this user full rights to the entire Director database.
- You can grant more granular rights to each AD user by navigating to the base of any tree, clicking on the General tab > rights, and pressing the green add button.
Comments
Troubleshooting steps taken:
Here's a screenshot of the Policy tree while in the fault condition. Note the username used is in the bottom right corner of the screen: