3 Replies Latest reply on Sep 25, 2017 12:28 PM by Jeff Strauss

    Unable to add users from AD group that is different from Tableau Server domain

    Sreenath Jampani

      I have Tableau Server 10.3 installed on one domain - domain1. I have no issues adding AD groups with users from the same domain. When I try to add AD Group from a domain (domain2) that's different from the Tableau Server (domain1), no users are getting added. There is a one way trust established between server and user domains. There are no firewall issues either.

       

      Server domain  is on - domain1.

      AD Group 1 - domain1 - no issues adding users.

      AD Group 2 - domain2 - Group is recognized and added but users are skipped..

      Summary of import of group 'domain1\AD_Group':

      Users added to group: 0

      Users added to site: 0

      Users with insufficient licenses: 0

      Users in Active Directory group: 0

      Users processed: 0

      Users skipped: 3

      Users with information updated: 0

      Users with site role updated: 0

      Users removed from group: 0

      Users unlicensed: 0

       

      Here is the actual log when I tried adding AD group:

      Group “TableauAdmins_GRP1” submitted to be added. See Background Tasks for more info.

      Completed adding group “TableauAdmins_GRP1” on domain “domain1”.

      0 users were added to the group.

      An error occurred while adding Active Directory group “TableauAdmins_GRP1” on domain “domain1”. Try again.

      0 users were skipped. Try again or see the logs for more details.

       

      Where can we find error logs related to AD groups? Could you please help me resolve these issues.

        • 1. Re: Unable to add users from AD group that is different from Tableau Server domain
          Jeff Strauss

          Was this working with earlier releases of TS?  I would start looking within the vizportal.log.  Also, if nothing shows here that is useful, then can you run a tabcmd syncgroup and see what shows there?

          • 2. Re: Unable to add users from AD group that is different from Tableau Server domain
            Sreenath Jampani

            Thanks Jeff for your reply.

             

            This is the first onsite Tableau server installation for us. I ran the  tabcmd and it showed that 3 users are skipped (this AD group has only 3 users) with these errors:

            Errors:

              CN=S-1-5-21-507921405-448539723-682003330-36087,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=###: Can't resolve SID: CN=S-1-5-21-507921405-448539723-682003330-36087,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=### (1332): No mapping between account names and security IDs was done.

            (errorCode=101007)

              CN=S-1-5-21-507921405-448539723-682003330-17064,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=###: Can't resolve SID: CN=S-1-5-21-507921405-448539723-682003330-17064,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=### (1332): No mapping between account names and security IDs was done.

            (errorCode=101007)

              CN=S-1-5-21-507921405-448539723-682003330-14090,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=###: Can't resolve SID: CN=S-1-5-21-507921405-448539723-682003330-14090,CN=ForeignSecurityPrincipals,DC=###,DC=ad,DC=### (1332): No mapping between account names and security IDs was done.

            (errorCode=101007)

             

            Is it something to do with AD group mapping?

            • 3. Re: Unable to add users from AD group that is different from Tableau Server domain
              Jeff Strauss

              I'm not sure.  I know through experience that 1-way trusts can be tricky as you have to get the direction of the 1-way trust correct, and the AD needs to have the proper relationships.  Work with your AD security guys to work it out.