iOS Enrollment Fails For Users with MANY Groups

Created: 30 Aug 2012 • Updated: 10 Dec 2012 | 10 comments
This issue has been solved. See solution.

So, we've got Authentication Check working, but it's failing for users with over ~100 domain groups assigned to them.  It's pretty repeatable.

There are no errors logged anywhere, no failures on our domain controllers, or anything.  The only message we get is the "Unauthorized User Detected" on the iOS device about 8 seconds after trying to enroll.

We've been able to duplicate this by adding an empty user to the enrollment group, and then adding groups and eventually it fails.

Has anyone else seen this?  Support says that their test environment isn't large enough to replicate this.

Oh, to make it REALLY weird, if we add Domain Users to our enrollment group, enrollment succeeds for the users who were added discretely to the group and were failing.

Thanks!

10 Comments

HighTower:

Also, we thought it was the Kerberos MaxTokenSize issue and we applied the fix for that but it didn't affect the failure.

Also, no failures show on domain controllers.  Nothing in iOS logs other than "Unauthorized User Detected".  Nothing in MMS server logs other than "Unauthorized User Detected". 

We can't figure out where this is failing.

Ashuter:

We haven't had this problem ourselves, but I'm curious if you could try a couple of things:

What happens if you change the user's primary group to the enrollment group?

What happens if you change the enrollment group so that alphabetically it's the first group in the member of list?

HighTower:

"What happens if you change the enrollment group so that alphabetically it's the first group in the member of list?"

No change.

"What happens if you change the user's primary group to the enrollment group?"

BINGO!  After changing the primary group to match the enrollment group AND taking Domain Users out of the enrollment group, the enrollment succeeds.  Changing the primary group back to Domain Users (but not adding it back into the enrollment group) causes enrollment to fail.

So, what does this point to?  A code problem?  Something else?

Ashuter:

I know there's an AD limitation on groups, but that's more like 1000. My AD account is in 50 groups, if I get time today I'll add a bunch more and see if mine fails too.

The primary group gets looked up first, that's why that worked, but I don't see that being a viable solution long term as you can get various inconsistencies when the primary group is anything but Domain Users.

What happens if you make your enrollment group a part of the domain users group? Also, is your enrollment group a universal group? I'm not sure if that makes a difference.

I'm hoping I can replicate the problem so I can look into it. We would probably have a few users with 100+ groups ourselves.

HighTower:

Making the enrollment group part of the domain users group had no effect.

Enrollment group was a global group and changing it to a universal group had no effect.

Development is leaning towards this being a timeout while waiting for the domain query to complete.  They gave me a tool to run and I returned the results so we'll see what they can dig up.

Thanks!
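The thread narrows the failure down to three things a practitioner can measure directly: how many groups the account's token actually carries (the ~100 threshold), whether the enrollment group happens to be the account's primary group (the "BINGO" result above), and how long the directory lookup takes (the timeout hypothesis from development). The script below is an added example, not code from the thread or from Symantec Mobile Management; it uses only System.DirectoryServices, so it runs on any domain-joined Windows host without RSAT. The function name, parameter names and the usage account/group names are placeholders.

```powershell
# Added example, not code from the thread or from the product.
# For one account: count direct and effective (token) group memberships,
# check whether the enrollment group is the primary group, report the
# enrollment group's scope, and time the directory lookups.
# Function and parameter names are assumptions.
function Test-EnrollmentLookup {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$EnrollmentGroup
    )

    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.Properties['defaultNamingContext'].Value)

    # One LDAP search against the domain root, returning only the requested attributes
    function Find-Object([string]$Filter, [string[]]$Props) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $Filter)
        foreach ($p in $Props) { [void]$searcher.PropertiesToLoad.Add($p) }
        $searcher.FindOne()
    }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()

    $user = Find-Object "(&(objectClass=user)(sAMAccountName=$SamAccountName))" `
                        @('distinguishedName', 'primaryGroupID', 'memberOf')
    if (-not $user) { throw "User '$SamAccountName' not found" }
    $directCount = $user.Properties['memberOf'].Count      # direct memberships only
    $primaryRid  = [int]$user.Properties['primaryGroupID'][0]
    $msMemberOf  = $sw.ElapsedMilliseconds

    # tokenGroups is a constructed attribute: nested groups expanded plus the
    # primary group, i.e. what the account's Kerberos/NTLM token really carries.
    $entry = $user.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $tokenSids = @()
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $tokenSids += New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
    $msTokenGroups = $sw.ElapsedMilliseconds - $msMemberOf

    $group = Find-Object "(&(objectClass=group)(sAMAccountName=$EnrollmentGroup))" `
                         @('objectSid', 'groupType')
    if (-not $group) { throw "Group '$EnrollmentGroup' not found" }
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier($group.Properties['objectSid'][0], 0)
    $groupRid  = [int]$groupSid.Value.Split('-')[-1]       # primaryGroupID stores the RID, the last SID component
    $groupType = [int]$group.Properties['groupType'][0]
    $scope = switch ($true) {                               # groupType scope flags
        { $groupType -band 0x2 } { 'Global'; break }
        { $groupType -band 0x4 } { 'DomainLocal'; break }
        { $groupType -band 0x8 } { 'Universal'; break }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        User                 = $SamAccountName
        DirectMemberOf       = $directCount
        TokenGroups          = $tokenSids.Count
        PrimaryGroupID       = $primaryRid
        EnrollmentGroupRID   = $groupRid
        EnrollmentGroupScope = $scope
        EnrollmentIsPrimary  = ($primaryRid -eq $groupRid)
        EnrollmentInToken    = ($tokenSids -contains $groupSid)
        MemberOfLookupMs     = $msMemberOf
        TokenGroupsLookupMs  = $msTokenGroups
    }
}

# Usage (placeholder account and group names):
# Test-EnrollmentLookup -SamAccountName 'jdoe' -EnrollmentGroup 'MMS-Enrollment' | Format-List
```

Run it once for an account that fails enrollment and once for one that works, and compare TokenGroups (rather than DirectMemberOf, since nested groups also end up in the token) and the two lookup timings. EnrollmentIsPrimary reproduces the primary-group workaround from the thread, and EnrollmentInToken confirms the group really reaches the token after the MaxTokenSize change.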

CPHkenped:

Hi HT

Did Symantec Support get back to you and if so - what was the solution ?

Thanks

Kind Regards
Kenneth Pedersen
Copenhagen Airports

HighTower:

Yeah, but we're still working through this.

Two things:

1.  Our AD lookup takes too long but we're on track to upgrade our AD from 2003 to 2008R2 here in the next few weeks.  This alone might fix it.

2.  We'll be upgrading from 7.2MR1 to 7.2SP1.  Allegedly there is some LDAP lookup behavior optimization in place that may also fix the issue.

Do you have the same issue?

CPHkenped:

Thanks for your reply.

Yes - we are facing the same problem and we are running 2008R2.

Ok - maybe the upgrade will fix it. We haven't updated the solution as it went wrong the first time, and we are facing iPhone enrollment (workflow solution) in just a few weeks and are not allowed to make any more changes ;o)

I will make a case to the symantec support regarding this problem - If we solve the problem I will post it as a reply to your comment - hope you will do the same - if any luck ;o)

Again - thanks for replying and have a great day.

Kind Regards
Kenneth Pedersen
Copenhagen Airports

HighTower:

So far it appears that 7.2SP1 has resolved this issue.

SOLUTION
HighTower:

A month later it's still good.  I'm calling this as resolved.