For today’s article, I thought I would touch on as many topics that I could think of that involved setting up users for SmartConnect Security as well as related topics that we get frequent questions on in support.
One of the first things that trip users up is setting up their users in SmartConnect Security.
The SmartConnect client will be installed on a users’ machine and when they launch and try to log in, they will get the error: Your login failed. Please contact your system administrator.
Figure 1: Your login failed. Please contact your system administrator.
The reason for this specific error is because the current user Windows credentials are not set up in SmartConnect Security.
When I talk about “Windows credentials” there is always the question of how does SmartConnect authenticate the current user credentials in Active Directory?
The answer is: It doesn’t – it only pulls the current login credential name.Instead of using the Windows credentials for login/authentication to SQL, SmartConnect uses a common identity in SQL for connectivity to the SQL database – typically the SmartConnect SQL user. To determine if the current user can use SmartConnect and what rights they have, SmartConnect pulls the current user credentials and then queries the SmartConnect..[User] table for verification.
To see the current user login as SmartConnect sees it, you can go to the CMD prompt in windows and run the command ‘whoami’
Figure 2: Results of whoami to get current windows credentials
In the example above, the logged in Windows credentials user as SmartConnect would see the user is “eonedemo\joe”.
To add Joe into Security as a SmartConnect administrator – eonedemo\eone – we open SmartConnect Security by going to Setup | Security
Figure 3: SmartConnect Security window showing current set up users.
By default, the only user that is set up in SmartConnect Security is the user that initially installed SmartConnect – they will be set up as an Admin user.
Notice that “joe” isn’t set up in SmartConnect Security which is why that user gets the “Your login failed” message we saw previously.
To add the new user, we go to User Maintenance | Add User
Figure 4: Only the current machine domain shows in lookup
From the Select Users window pressing the Locations button, we can see that SmartConnect is going to pull from the “current” domain (only).
From what I can tell, SmartConnect will always only pull from the domain that the current machine is joined to. In the case of my test system here is “demo.eonedemo.com”.
At this point, you might say “What if I need to add a user from a different domain – how can I do that since it isn’t displayed?”. I’ll defer that question and circle back to it at the end.
After selecting my domain (or letting default), I then find my “joe” user and select them to add to SmartConnect Security.
Figure 5: After selecting Joe in the AD User Lookup
After adding Joe to the list of SmartConnect Security users – we would then expect that user to be able to log in successfully to SmartConnect.
However, we might be surprised to hear that they still get the same “Your login failed.” message they received initially. Do you see why?
If you recall, the “whoami” results for Joe was “eonedemo\joe” and not “demo\joe”. While those credentials might work in Active Directory to log into this machine – remember that SmartConnect only uses the ADUserName to query the SmartConnect user table for verification.
Why did the name come in “wrong” then? When SmartConnect calls the Windows API to display a list of AD objects (Users in our case) the return value is a long string with the “decorated” name of the selected object. To get the AD Username that we want to use, it must parse it out from that list. The result isn’t always what we need to use in SmartConnect so we need to fix this AD Username in SmartConnect before Joe can log in.
This is very easy to do in SmartConnect via the UI.
Figure 6: Click the AD User field to directly edit the value
It isn’t easy to tell, but if you click into the grid into the AD User column, the icon on the left will turn into a pencil/edit icon. The cursor will turn into an edit cursor | and now we can directly edit the field in the UI by using the arrow & delete keys and change it directly.
What if we wanted to fix the AD User Name by capitalizing “joe” properly and then adding the last name “Smith”?
Unfortunately, that field isn’t directly editable but it can be done without resorting to changing it directly in SQL (which would also work).
Go to Setup | Setup and then the Web tab in SmartConnect Setup.
Figure 7: Enable SmartConnect Web marked
Mark the checkbox for “Enable SmartConnect Web” (even if you didn’t install it) and close this SmartConnect Setup window.
Go back to the SmartConnect Security Window and select the Web tab (which will be enabled from above)
Figure 8: Web tab reveals First & Last Name fields
We notice that there is a First Name & Last Name field that we can enter (and will be defaulted empty).
We can unmark the Enable Web Login if desired (since we are just using this for the AD User Name display) and If we edit the First & Last Name fields and go back to the “Users” tab again:
Figure 9: Which then changes the AD User Name
We can see that the AD User Name has now changed to what we wanted it to be (regardless of how it originally defaulted).
Now that we know we can use SmartConnect to change the AD User or the AD User Name fields in the application, lets circle back to the question about adding users on different domains.
As we found, SmartConnect only displays the “current machine” domain. If I needed to add the user “differentdomain\patrick” to SmartConnect I cannot do that directly.
However, what I can do is select ANY user of the eonedemo domain and add that user to SmartConnect.
Then I would use the above methods to change the AD User & AD User Name fields to the desired “differentdomain\patrick” user credentials.
Figure 10: Add random user to Security and then edit as needed
As we can see above, I’ve added myself into the Security with the “differentdomain” credentials and if I could log into that machine with those credentials I would be able to successfully get into SmartConnect.
To recap, this article covered several topics that support sees quite often:
- Your login failed. Please contact your system administrator.
- Changing the AD User domain
- Changing the AD User Name in SmartConnect
- How to work around the “only current domain user can be selected” limitation
Until next time,