A user was locked out of their Solve and DEX portals due to a permissions issue. After being granted all necessary permissions, they still couldn’t access Solve from the console. It was established that the user needed the "Use Solve" right in their security policy. The user then tried a few solutions, including the add-cuuser cmdlet (https://support.controlup.com/docs/add-cuuser-create-new-solve-users#), but still could not access the portal. A restart of the monitor did not help however, so the issue is still unresolved.
Read the entire ‘Locked Out of Solve Portal Despite Permissions’ thread below:
Not sure who can help here, but I am locked out of my Solve and DEX portals. Basically its saying I don’t have access even though I have given all necessary permissions in security policy, (and then some). I cannot access Solve directly from the realtime console, nor can I access app.controlup.com. Is there a way to reset my SSO instance and start over?
you need to reach out to support
yeah I have had this open since Monday, and no resolution yet
i did the same they sorted me out
hoping for some escalated support here
was it all done on the ControlUp support side? or was there anything you could do?
that’s unusual but yeah guys from Controlup can touch base with support
no was all on support side they were able to reset my SSO from the back end
ok got it. thanks. that helps. I have been trying to reset things on my side with no success. I will push on them. Thanks!
what u think ofthe new apps portal? u an MSP or sigle tenant
Im an MSP
just got the advanced auth going with certificate based auth and multi-tenant monitors
but I haven’t been able to get into solve or dex after making those changes
I do like the new web portal
i never went that went on the cert base auth
I didn’t want to have to switch orgs to view other customers
i love the chage organizations on the new portal
oh yeah? it seemed to take a long time to switch between for me
is us the azur login
mich better at times
ok good to know
Does the solve button in the console work? It uses a passthrough auth.
it does not. tried running the console as 3 different users, all the same result
The user in question needs the Use Solve right in the security policy.
yes, i granted all organization members just to make sure. but I know those permissions are right
Do you have access to a monitor? I’m not near a computer. But try the add-cuuser cmdlet.
https://support.controlup.com/docs/add-cuuser-create-new-solve-users#
UPN = “whoami /upn”
Samaccountname = the same as your AD user object SAMAccountName attribute value
User dns domain = the user dns domain environment variable. Easiest to see it is to run CMD > set. Among the variables listed you should see user dns domain
Do note that this should be the values for the user who runs controlupconsole.exe. In case you run that as a different user.
ill give it a shot
Thats should be needed if you launch it from the console. The console would have created the shadow account.
You and worked on an MSP environment where it was needed 😉
You and I*
You would still need to "Sign Up" in msp mode.
A few more notes:
• there should be a get-cuuser or get-cuuserlist or something to that effect. I can’t find it on my phone. I assume when you run that, you won’t see anything (before running add-cuuser)
• Make sure the monitor cluster has a domain identity for what your user dns domain ends up being.
hmm seems the module isnt importing or something
not able to run the cmdlet
actually I think I got it
U running on the monitor I think
Add -verbose -debug
same result when trying to add-cuuser
@member can you run that cmdlet in your lab?
DEBUG: Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: An unknown issue occurred while executing the request. (Fault Detail is equal to An ExceptionDetail, likely created by
IncludeExceptionDetailInFaults=true, whose value is:
System.InvalidOperationException: An unknown issue occurred while executing the request. —-> ControlUp.Client.Base.BaseProtobufClientException: Response handling error —-> System.Net.Http.HttpRequestException: Response status
code does not indicate success: 404 (Not Found).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at ControlUp.Client.Base.BaseProtobufClient.ca353e7c6327faad8166e9bbc28fd2973`1.MoveNext()
— End of inner ExceptionDetail stack trace —
at ControlUp.Client.Base.BaseProtobufClient.ca353e7c6327faad8166e9bbc28fd2973`1.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at ControlUp.Client.Base.BaseProtobufClient.c4217b7e0bb535b0f23a150d94ade2238`2.MoveNext…).
get-cuuserslist : An unknown issue occurred while executing the request.
At line:1 char:1
- get-cuuserslist -verbose -debug
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- CategoryInfo : InvalidArgument: (:) [Get-CUUsersList], FaultException`1
- FullyQualifiedErrorId : General,ControlUp.PowerShell.User.Cmdlets.UmShadowAccounts.GetUsersList
@member pretty sure this 404 is our front end > our backend. But just in case, can you verify that all of this is in place? https://support.controlup.com/docs/communication-ports-used-by-controlup-hybrid-cloud-1
Seems like a FE server cannot get to some BE server
Have you restarted the monitors? I have had a few customers that were getting a permissions issue message. Since the monitors are the part that is validating the permissions, the refreshed monitors helped resolve the issue.
yeah Ill try that now
I’m offline though for the next 10ish hours 🙁
Is this a Friday the 13th thing, Dennis?!?
reboot of the monitor didnt help unfortunately
Let me follow up with the logs Landon shared and see if there is something going on with that error message
cool thanks
Continue reading and comment on the thread ‘Locked Out of ControlUp Solve Portal Despite Permissions’. Not a member? Join Here!
Categories: All Archives, ControlUp for VDI, ControlUp One Platform