Hello, I have been having sporadic but increased problems with whole sets of applications disappearing from users' desktops. Initially, this appeared to happen on a very inconsistent basis, but after some troubleshooting, I think I have narrowed down what requirements are needed to have the problem present itself. It appears that all users who experience this problem are using published applications where access control is being filtered by Group. As an example: Two users, A and B. One Group A, of which User A is a member. App A has access controlled by Group only, for Group A. App B has access by User only, for User A and User B. Normally, when User A logs in, he can see App A and App B. When User B logs in, he can see App B. When the problem occurs, App A will disappear from User A's desktop, but he will still be able to see App B as an available application. Any other published applications that are using Group access control will also disappear from other users who are members of those groups as well. But User B never loses access to App B, because access control there is by user, not group. I know that nested groups are not supported at this point, but these are just straight AD groups. As far as getting the apps back, they just reappear at random, whenever whatever issue it is that is preventing the group info from showing up is resolved. This can take anywhere from a few minutes to a few hours to clear up. Any thoughts on why group enumeration would periodically not work? Thanks, Kevin
The three things I would check would be:

- Active Directory controller fault
- replication issues within Active Directory
- DNS issues within Active Directory
I've run all the diagnostics for the above and all come up clean (should have mentioned that originally). All indicators point to AD, except that I have no problems with other areas that are using AD for access control (for example, certain areas of the file system that are using the exact same groups for access control). And initial login to Terminal Services is controlled by AD, and when the group access is going crazy, the initial login is still working fine. I'd think I'd see problems with that initial login if I had overall AD problems. In the Filtering tab, I am wondering what the significance of having User Only, User and Group, or Group Only is? Regardless of what I choose, I'm able to add any combination of Users or Groups and access control (when it works) behaves the same, whether I have chosen User and Groups, User Only, or Group Only. Also, one other tidbit - most of my accounts are of the inetOrgPerson type. Could that have anything to do with it? I have switched everything over to filtering by IP address only, for the moment, which mostly works for me, since access to the applications is highly geographically related. Haven't seen access disappear since doing that, but that of course takes AD mostly out of the mix.
I think I have uncovered some more issues related to this issue, hence the bump. Using User and Groups filtering, we attempted to add another user to a published desktop, which is filtered by individual users. No matter what combination of Default Object Type of User Only, Group Only, User & Group, and whether Use LDAP mode is used or not, the published desktop does not show up for the newly added user. We tested with one server we have that is version 6.2, and on a test server that was on version 7.1 and then upgraded to 7.3. We used clients 6.2, 7.1, and 7.3 (sorry, don't have the builds handy). We are using "inetorgPerson" as our objectclass for users, although I have a few accounts from a long time ago that are set up with the "user" objectclass. I created a new user using the "user" objectclass, and the published desktop now appears for that account. I have turned on debug logging and for every login attempt of the "inetorgPerson" objectclass, the message that is logged states "Desktop #3esktop name is filtered for test.user2@ourdomain...". When a "user" objectclass account is used, then the message changes to say that the desktop is available. In summary, it seems that direct enumeration of inetorgPerson accounts does not work if filtering is done by specific user accounts. However, if those accounts are members of groups, then those accounts can log on to a published app that is filtered by that group. Also, if instead of adding individual users to the filter, I instead add a group, then the members of that group are able to access the desktop, whether they are inetorgPerson or user objectclasses. Is there a reason that inetorgPerson accounts are not able to be used? We are using Windows 2003R2, Enterprise Edition, and they are supported in that AD schema. Thanks, Kevin
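An added diagnostic (not from this thread or the product's own tooling) that shows which accounts in the domain were created with the inetOrgPerson structural class and which groups they belong to, so an admin can see up front which accounts will only work in a group-based filter rather than a per-user filter, as the post above describes. It assumes it is run on a domain-joined machine with read access to the directory; it uses the plain DirectorySearcher accelerator so it does not depend on the newer ActiveDirectory module.

```powershell
# Added example: inventory user accounts by structural objectClass and list their group
# memberships. Accounts whose structural class is inetOrgPerson are the ones the thread
# reports as invisible to per-user filtering of published apps/desktops.
# Assumes: domain-joined host, current user may read the directory (default for domain users).

# Match both classes; objectCategory=person keeps computers and contacts out of the result.
$searcher = [adsisearcher]'(&(objectCategory=person)(|(objectClass=user)(objectClass=inetOrgPerson)))'
$searcher.PageSize = 1000   # paged search so large domains are fully enumerated
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'objectClass', 'memberOf'))

function First($collection) { @($collection)[0] }   # first value or $null for an empty attribute

$accounts = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties   # keys are returned in lowercase
    # objectClass is multi-valued (top, person, organizationalPerson, user[, inetOrgPerson]);
    # the last value is the structural class the account was created with.
    $structuralClass = @($p['objectclass'])[-1]
    # Reduce each memberOf DN to its CN so the group list is readable.
    $groups = (@($p['memberof']) -replace '^CN=([^,]+),.*$', '$1') -join '; '
    [pscustomobject]@{
        Account     = [string](First $p['samaccountname'])
        UPN         = [string](First $p['userprincipalname'])
        ObjectClass = [string]$structuralClass
        Groups      = $groups
    }
}

# Accounts that, per the behaviour described above, need a group in the filter rather than a user entry.
$accounts | Where-Object { $_.ObjectClass -eq 'inetOrgPerson' } |
    Sort-Object Account | Format-Table Account, UPN, Groups -AutoSize

# Summary count per structural class for the whole domain.
$accounts | Group-Object ObjectClass | Select-Object Name, Count
```

Any inetOrgPerson account listed with an empty Groups column has no group that could be used in the filter and will need one created for it.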
Any luck on resolving this? I am having a similar if not the same issue, but only for new users added to the group. All previous users have no trouble.