"Sorry this site hasn't been shared with you" / AD Sync

  • Question

  • Hi Forum,

    The problem I am having (on a newly created Test Server / PWA instance) is when a named user (in AD) is logging into the PWA site and getting this message "Sorry this hasn't been shared with you". A few things which I have already checked:

    - As per Microsoft best practice: Enterprise Pool (PSERP) and Groups added to AD and Synchronized with PWA

    - AD Groups have been mapped to the PWA Groups (e.g. PortfolioViewers = PSPortfolioViewers (AD Group))

    - Individual users have been added to their respective AD Groups and show up in Manage Users

    Logging in as farm administrator works fine...

    I have seen that if I go into "Manage Groups", select a Group and, under the section "Users", select a user from "Available Users" and move them to the right, then that user can access PWA. This approach seems to defeat the purpose of adding people into the AD groups...

    I'm just wondering if I have missed something in the PWA setup - which essentially gives every user in the Domain (or at least in the Main PS Enterprise Pool Group) a "basic level of access to the PWA site" and then the AD Group will work according to the group mappings, etc...

    Many Thanks for your guidance.

    Regards

    Mark

    Tuesday, March 31, 2015 7:40 AM

Answers

  • Guillaume is correct on the timer jobs. You could do this manually, as you mentioned; however, I also suspect that you have done the enterprise resource pool synchronization, and not the Security group synchronization.

    Please try this.

    1) Navigate to Server Settings >> Manage Groups

    2) Click on AD Sync Group Options as shown

    Select the options and sync.

    3)


    Cheers,

    Prasanna Adavi, Project MVP

    • Marked as answer by MarkS_LE Tuesday, March 31, 2015 7:46 PM
    Tuesday, March 31, 2015 5:29 PM
    Moderator

All replies

  • Mark,

    The AD Sync job is generally scheduled to run once a day, between 1 AM and 3 AM, unless you change it. You can do a manual synchronization.

    So my question is, in addition to mapping the security groups with the AD groups, have you at least run one synchronization?


    Cheers,

    Prasanna Adavi, Project MVP

    Tuesday, March 31, 2015 8:40 AM
    Moderator
  • Hi Prasanna,

    Thanks for the reply.

    Yes, when I added the AD Group, I can select "Save and Synchronise". So I can validate that all AD Groups and users are loaded into the PWA (Manage Groups and Manage Users Screen).

    As mentioned: if I select the user (in Add/Edit Group) - if I put the user into the "Selected" column, then they can access PWA.  If I remove the individual - then they get the "Sorry..." message again.

    This approach seems a bit unwieldy - and I wanted to see if everyone can get basic access to PWA, without needing to set each group with selected users?

    (My understanding is that setting the AD Group should be sufficient to allow them to login).

    Regards

    Mark


    • Edited by MarkS_LE Tuesday, March 31, 2015 9:08 AM
    Tuesday, March 31, 2015 8:58 AM
  • Hi Mark,

    Note that the timer jobs to execute the Resource Pool synchronization should come first and THEN the Group synchronization. Be careful, if you have the Enable Scheduled Synchronization set, this will RESET your Project Web App: Synchronization of AD with security groups timer job to the default time, which might cause trouble. This new setting may cause some issues as the group synchronization may start before the resource synchronization.


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, P-Seller

    Tuesday, March 31, 2015 2:05 PM
    Moderator
  • Thanks very much for your reply.

    The Group Sync gave access to the PWA site: Site Settings | Site Permissions, all groups are showing.

    Kind Regards

    Mark

    Tuesday, March 31, 2015 7:50 PM