New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connect-vRAServer - Usecase issue where UPN used as Username #233
Comments
After some thought, introducing a Domain parameter and supplying a LoginType with a default value of "Simple" and an optional value of "Advanced" may be a cleaner approach |
Maybe even getting more granular in the login type: Simple, DomainUser, UPN, etc. Approach it as someone who's never looked at the code and won't know what "Advanced" means. |
One last thought, there is one scenario I forgot to test and that is when the user is set to the SAMAccountName and the username in the payload includes the domain. If that doesn't check out it's back to the drawing board but unfortunately I have some personal errands for the rest of tonight until I can get back at it. |
After further investigation this morning, I found that if the IDM is set to use SAM instead of UPN, it does require a specific syntax to login, so I will continue with my pull request. |
About to link a pull request. Kept this simple and just added a parameter called UserAttribute, which takes (UPN,SAM,sAMAccountName, or userPrincipalName) as values, and defaults to SAM. For more information please take a look at the pull request that is incoming. |
@Stevio54 Nice work on this one, appreciate the thorough effort to test the different scenarios. |
The recent update to the Connect-vRAServer commandlet to add advanced authentication login functionality helped me locate a new issue.
If an environment sets the UPN (userPrincipalName) as the userName for vRealize Automation, they will not be able to authenticate. This is because the UPN often takes the form of a domain login (e.g. scarnes@my.local) and so the advanced login is used, by splitting this into its two parts (username = scarnes, and domain = my.local).
However, in that case, the login will fail as the server is expecting it to come through as such: (username=scarnes@my.local, and domain = my.local).
We need to address this login use-case, and my proposal is to add a $Domain parameter to the login, and infer an advanced login when this is provided, or simply use the simple login process.
As an alternative, I also suggest in addition to this to also provide a flag such as "-Advanced" in order to force the use of the advanced login as well. (and in this case, it can infer the domain from the username supplied)
The text was updated successfully, but these errors were encountered: