MOPS2007 user authentication issue

  • Question

  • A user account was mistakenly deleted in AD then recreated.  Now she cannot login to PWA, she gets the access denied page instead.  I cannot delete her account and recreate it because she is active in several projects.  We are not using AD sync so she has no AD_GUID in project.    Any thoughts on how to fix this?

    Thursday, June 2, 2011 2:46 PM

Answers

  • I forgot to update this posting with the solution.  This solved my issue

    stsadm -o migrateuser -oldlogin domain\username -newlogin domain\username -ignoresidhistory

    • Marked as answer by JennPenn07 Wednesday, June 29, 2011 3:29 PM
    Wednesday, June 29, 2011 3:29 PM
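
    Added example, not part of the original thread: a recreated AD account receives a new SID even when the login name is unchanged, so this PowerShell check compares the SID that AD currently resolves for the login with the SID the SharePoint site collection has recorded for it. The site URL and login are placeholders, and it assumes it is run on the SharePoint 2007 server by a farm administrator with PWA at the root of its site collection.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
# $SiteUrl and $Login are placeholder assumptions; replace them with real values.
param(
    [string]$SiteUrl = "http://server/pwa",
    [string]$Login   = "DOMAIN\username"
)

# SharePoint 2007 ships no PowerShell cmdlets, so load the object model directly.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# SID that Active Directory maps to this login name today.
function Get-CurrentAdSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# SID the site collection recorded when the login was first added to it.
function Get-StoredSharePointSid([string]$Url, [string]$Account) {
    $stored = $null
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    foreach ($user in $site.RootWeb.SiteUsers) {
        if ($user.LoginName -ieq $Account) { $stored = $user.Sid }
    }
    $site.Dispose()   # releases the site collection and its root web
    return $stored
}

$adSid = Get-CurrentAdSid $Login
$spSid = Get-StoredSharePointSid $SiteUrl $Login

if ($null -eq $spSid) {
    Write-Output "$Login is not in the user list of $SiteUrl"
}
elseif ($spSid -ne $adSid) {
    # Same name, different SID: SharePoint still points at the deleted account.
    Write-Output "MISMATCH for $Login"
    Write-Output "  SharePoint has: $spSid"
    Write-Output "  AD resolves to: $adSid"
}
else {
    Write-Output "SIDs match for ${Login}: $adSid"
}
```

    A mismatch before running the migrateuser command above, and a match afterwards, confirms that the stale SID was what produced the access denied page.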

All replies

  • Make sure the account was recreated with the same NT Login name as before, then go check the user in Project Server to make sure everything is ok (i.e. the user is active, the NT login is correct), then make a change to the user in Project Server, that should trigger a site permissions sync for that user in case that got dropped while the account was deleted
    Thursday, June 2, 2011 3:23 PM
  • The account was indeed recreated with the same NT login.  I've edited the user account in PWA and pasted the login name from AD just to be certain.  I've also set the account to Forms temporarily in order for her to submit her time for last week then changed it back to windows when she was finished.

    I am waiting to have the user test whether she can access the dev site.  If she has the same issue there, I will deactivate then reactivate the account to see if that fixes it.

    Thursday, June 2, 2011 3:35 PM
  • Deactivating the account in PWA and then reactivating it only fixed the issue on our dev PWA site.  Figures...

     

    Thursday, June 2, 2011 5:47 PM
  • I would double check that Windows Authentication, using the Windows account is checked in their Resource Details, and that they are in the correct security group that allows PWA log in. In a worst case scenario, if you delete an Enterprise Resource, they become local resources in their active projects. You could use the Replace feature in Build Team From Enterprise for each project they are active in to replace the local with the newly created Enterprise resource. If they are active in several projects, this could be a daunting task, but if the project count is low, it is manageable. As always, test this first so you are familiar with the behavior before performing in Prod.

    Micah

    Thursday, June 2, 2011 6:25 PM
  • I've double checked that the resource is in the correct security groups.  I went ahead and deleted the account, recreated the account, and the user is still getting an access denied error.  Not sure what I am missing here.
    Friday, June 3, 2011 4:23 PM
  • If other members of the security group can log in, it is safe to say your groups are good. If they cannot as well, the spot to give access for the group is under Server Setting -> Manage Groups, under Global Permissions and General sub tab, Log On should be checked. If the user, or the category they are in, has deny checked, it will override any allow checks in the group. All denies should be empty as best practice.

    Problems with the user: Server Setting -> Manage Users. Clicking their name goes to edit users. Under User Authentication, Windows Authentication should be toggled, and their User Login Account should be filled in. This should be [Company Domain]\[User ID], where the user id matches what they enter to log into windows. Below under Global permissions is where you should look for any denies for Log On.

    If all these conditions are good and they still cannot log onto PWA, my knowledge is exhausted.

    Micah

    Friday, June 3, 2011 5:35 PM
  • Yes I have verified everything that you've mentioned, thanks eMicah for your reply. 

    I can however, switch the user from windows to forms auth and they are able to successfully login.  This tells me that the pwa security groups are fine.  When she is set to windows authentication, she gets an access denied page.  Earlier in this thread, I mentioned that the windows account for this user was mistakenly deleted.  It was recreated in AD, but she then could not login to PWA.  It seems like PWA is associating the login with the old AD login that was deleted (same login name different AD uid). I am unable to verify this as I don't see where an Active Directory uid is stored in project for the user.

    This is craziness. :(

    Friday, June 3, 2011 6:13 PM