Only some accounts can be impersonated, Problem, Suggestion – Google Search Appliance Enabling Windows Integrated Authentication version 6.8 User Manual

Google Search Appliance: Enabling Windows Integrated Authentication

The security for the Login.aspx file was incorrectly set up.

Your Internet Explorer browser is using enhanced security settings, and the host of SAML Bridge is
not recognized as an Intranet site.

If you enter credentials but are not granted access, the Kerberos configuration may be incorrect and
might have duplicate SPNs configured. Contact Microsoft Support.

Only Some Accounts Can Be Impersonated

Problem

In the step in which you test impersonation (see “Verifying the Configuration of the SAML Bridge”), some
users can be impersonated but others cannot.

Suggestion

There are many ways in which user security can be inconsistent. This is one technique for resolving this
problem:

1. Select a couple of users from the group that can be impersonated and a couple of users from the group that can’t be impersonated.

2. Open the Active Directory Users and Computers console.

3. Click View > Advanced.

4. Select a user account that cannot be impersonated and double click to display the Properties window.

5. Select the Security Window.

6. By default, the permission for Authenticated Users is Read.

7. If this user does not have Read access, grant Read access to the user.

8. Click Apply and then click OK.
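
The comparison in steps 1 through 7 can also be made from PowerShell. The following is an added example, not part of the Google manual: it assumes the ActiveDirectory module (RSAT) is installed, the account names are hypothetical placeholders, and it only reads ACLs without changing them.

```powershell
# Added example: read-only comparison of the Authenticated Users ACEs on
# accounts that can and cannot be impersonated. Assumes the ActiveDirectory
# module (RSAT) is installed; the account names below are hypothetical.
Import-Module ActiveDirectory

$accounts = [ordered]@{
    'alice.ok'  = 'can be impersonated'
    'bob.ok'    = 'can be impersonated'
    'carol.bad' = 'cannot be impersonated'
    'dave.bad'  = 'cannot be impersonated'
}
$sidType     = [System.Security.Principal.SecurityIdentifier]
$authUsers   = 'S-1-5-11'   # well-known SID of Authenticated Users
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AuthenticatedUsersAccess {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Group)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Explicit and inherited ACEs, returned with SID identities so the match
    # does not depend on the localized group name. Inherit-only ACEs apply
    # to child objects, not to the user object itself, so they are skipped.
    $aces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and
        [int]($_.PropagationFlags -band $inheritOnly) -eq 0 })
    $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    # Read on the whole object: an Allow ACE that is not scoped to a single
    # attribute or property set and carries every GenericRead bit.
    $fullRead = @($allow | Where-Object {
        $_.ObjectType -eq [Guid]::Empty -and
        ($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead
    }).Count -gt 0

    [pscustomobject]@{
        Account            = $SamAccountName
        Group              = $Group
        ReadOnWholeObject  = $fullRead
        AllowRights        = ($allow.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        DenyRights         = ($deny.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}
$accounts.GetEnumerator() | ForEach-Object {
    Get-AuthenticatedUsersAccess -SamAccountName $_.Key -Group $_.Value
} | Format-Table -AutoSize -Wrap
```

Differences between the two groups in the Allow, Deny or inheritance columns identify the accounts whose Security settings need the review described in steps 4 through 8.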

Authorization Testing Results in Indeterminate Status

Problem

In the step in which you run an authorization test (see “Running a Test” on page 20), the permit code
“Indeterminate” appears, and the following messages appear in the ac.log file.

3/13/2007 5:17:59 PM, GetPermission: after WindowsIdentity
3/13/2007 5:17:59 PM, GetPermission: AuthImpl::caught exception
3/13/2007 5:17:59 PM, GetPermission: Either a required impersonation level was not provided, or the provided impersonation level is invalid.