Integrated authentication fails to work after upgrade from ASP to .NET - Error = Unknown user name / disabled user


SYMPTOMS

After upgrading MailEnable and choosing to upgrade ASP web mail to ASP.NET web mail, users can no longer authenticate via web mail when integrated Active Directory authentication is in use. The error returned is "unknown user name / disabled user". This affects all users logging in from a browser, on both remote machines and the local machine.

CAUSE

Server security policies are preventing the IME_ADMIN account from authenticating the web mail or web administration instance. This is the result of either the server's effective policies or the IME_ADMIN account not having been assigned the user rights outlined in the resolution section below.

RESOLUTION

The IME_ADMIN account requires the following user rights. The account also has to be a member of the domain.

- Log on as a batch job: enables IME_ADMIN to run COM under this user account.
- Log on as a service: enables users to set the IME_ADMIN service to log on using the configured account.
- Shut down the system: allows IME_ADMIN to restart the server if configured to do so when recovery of a service fails.
- Debug programs: enables IME_ADMIN to contact secured processes, such as ASP and IIS applications.
- Increase quotas: required for the operating system CreateProcessAsUser call.
- Act as part of the operating system: required for the operating system LogonUser call.
- Bypass traverse checking: required for the operating system LogonUser call.
- Replace a process level token: required for the operating system LogonUser call.
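To check which of the eight rights above are assigned to the account before changing policy, the following PowerShell script (an added example, not part of the MailEnable article or product) exports the local security database with secedit.exe and reports the rights that are not granted directly to the account. It assumes an elevated prompt on the web mail server and uses "DOMAIN\IME_ADMIN" as a placeholder for the real account name.

```powershell
# Added example (not from the MailEnable article): report which of the user
# rights listed above are missing for an account in the local security database.
# Assumes a Windows host with secedit.exe, run from an elevated PowerShell prompt.
param([string]$Account = "DOMAIN\IME_ADMIN")   # placeholder: use your real domain\account

# Friendly policy name -> constant written by secedit under [Privilege Rights].
# "Increase quotas" appears in newer Windows as "Adjust memory quotas for a process".
$required = [ordered]@{
    "Log on as a batch job"               = "SeBatchLogonRight"
    "Log on as a service"                 = "SeServiceLogonRight"
    "Shut down the system"                = "SeShutdownPrivilege"
    "Debug programs"                      = "SeDebugPrivilege"
    "Increase quotas"                     = "SeIncreaseQuotaPrivilege"
    "Act as part of the operating system" = "SeTcbPrivilege"
    "Bypass traverse checking"            = "SeChangeNotifyPrivilege"
    "Replace a process level token"       = "SeAssignPrimaryTokenPrivilege"
}

# secedit lists principals as *SID, so resolve the account name to its SID first
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP "secpol-export.inf"
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

$missing = @()
foreach ($entry in $required.GetEnumerator()) {
    # Each right is one line: SeXxx = *S-1-5-32-544,*S-1-5-21-...,DOMAIN\name
    $line = $lines | Where-Object { $_ -match ("^" + $entry.Value + "\s*=") }
    $holders = @()
    if ($line) { $holders = ($line -split "=", 2)[1] -split "," | ForEach-Object { $_.Trim() } }
    if ($holders -notcontains "*$sid" -and $holders -notcontains $Account) {
        $missing += $entry.Key
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($missing.Count -eq 0) {
    "All eight rights are assigned directly to $Account."
} else {
    "Rights not assigned directly to $Account:"
    $missing | ForEach-Object { " - $_" }
}
```

A right granted only through a group the account belongs to is reported as missing by this script, so check group membership and any domain GPO that overrides the local setting before adding rights.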

If the above policy changes do not work, the following may help diagnose the problem further. The problem could be that the IME_ADMIN account used to run web mail does not have permission to update the account information. To test this, add the IME_ADMIN account to the Administrators group for the domain. If the test is successful, you can then look into restricting the access so that it only allows access to Active Directory.

It is possible to test this and prove that the IME_ADMIN account does not have the correct permissions by completing the following:

1.  Create a domain account called "mailenable". Log on to web mail using this new domain account. This should fail to log in, stating that the user is unknown.
2.  Log in using the "mailenable" account via POP. This authentication method should work, as the services run under the system account, which will most likely have the required permissions. This proves that the authentication failure is due to permission deficiencies for the IME_ADMIN account, as it only occurs for the web mail service, which runs using the IME_ADMIN account.

While diagnosing these permission errors, the Event Logs will contain further information on why authentication is failing.

MORE INFORMATION

Unable to login to web mail: Article ME020255



Product: MailEnable (ME-2.X)
Category: Other
Article: ME020464
Module: General
Keywords: integrated, authentication, ad, .net, fail, login, error, unknown
Class: BUG: Product Defect/Bug
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable