Alteryx Server Discussions

Integrated Windows Authentication across Multi Forest AD Domain

ShrikantPatil
7 - Meteor

Hello All,

In our org, we have an Alteryx Server Sandbox and a Production Server. A business group is moving from Domain 1 to Domain 2. Domain 1 and Domain 2 are part of different forests. This group is currently using Alteryx Gallery and wants to continue accessing it after migrating over to Domain 2. The problem we are having is that they are not able to access the Gallery in the current setup, which is using Integrated Windows Authentication. When we checked with the Alteryx support team, we were told that multi-forest domain access is not supported; however, Domain 2 users are able to access the Alteryx Sandbox server.
A two-way trust is set up between the two domains, and both Galleries run under two different service accounts which appear to have the same privileges in terms of querying users.
Is there any way I can see how authentication is happening in Sandbox and where it's breaking in the PROD server?
Thanks,

Shrikant

miguelm
Alteryx

Hi ShrikantPatil, 
From the Alteryx side you can look at the service logs and Gallery logs for deeper activity of authentication. 

Default locations of these logs:

- Service Logs: C:\ProgramData\Alteryx\Service
- Gallery Logs: C:\ProgramData\Alteryx\Gallery\Logs
Cheers

sean_bolte_dup_544
8 - Asteroid

@ShrikantPatil were you able to obtain any further insights into your situation?

NicoleJohnson
ACE Emeritus

@ShrikantPatil 
You might have resolved this issue already, but thought I'd leave some of my notes here as we faced a similar problem that we were able to resolve.
We had similar multi-forest domain issues using Integrated Authentication, but there is a change in the way user authentication is done in version 2020.1 and beyond (something about looking globally at the domains first, rather than specific domain that the server is on, I think?), so we found we were able to upgrade to 2020.1 and then users were able to access the Gallery from either domain. 
There are some nuances to how you add users from the other domain to collections etc. that might be a bit different than your current setup, since I think the collections still look at users on the specific domain first... but overall, it should be possible for them to access if you add their studio instead, or perhaps if you use domain local AD groups or something to add your users to actual collections? Likely need to play around with it a bit.
Couple things to verify as well:

1. We had to make sure SSL was enabled on the server, so it uses https:// instead of http://, and that the firewalls were opened up on the server side to the users from the "other" domain

2. Bi-directional trust had to be set up (which it sounds like you might already have in place)
@asmith was INCREDIBLY helpful while we were troubleshooting our multi-domain Gallery issues, for anyone looking to find a Gallery domain superstar in the future... 🙂
Hope that helps!
Cheers,

NJ

ShrikantPatil
7 - Meteor

@wrang Yes, we were able to resolve the issue. As I mentioned in my post, we already had a two-way trust set up between the two AD forests; however, our Alteryx Server and AD are in different DMZs. I had to work with the Networking team and found out a couple of firewall ports needed to be opened. Initially we thought port 389 for the AD connection was enough, but we noticed Kerberos port 88 was blocked and needed to be opened too.
I used PowerShell AD cmdlets to query the user from the other forest, which allowed us to trace all of this.
We faced another hurdle after opening the port: I could not query the user from Alteryx Gallery. The workaround was to give the Gallery link to users from the second forest. They were able to log in to the Gallery. Once they logged in, I could see their username and then manage the rest of the permissions and access on the Gallery. Hope this helps.
Shrikant

sean_bolte_dup_544
8 - Asteroid

Thanks much for the reply back. I'm at the point with moving to IWA (this has been a looooong start/stop process, me throwing in the towel a few times through frustration) where I think the main issues are:

1) ensuring I have a service account set up that has the permissions to query (CN) Users / Computers, and that is my "Run-As" ID. I was also questioning whether going through the System Settings process takes care of having to set up Alteryx in services.msc with that "Log-in" as well, or whether I would just leave that running from the default local account? From a security group permissions POV, I need to be able to validate what can/can't be done with the existing ID I'm using as my run-as, as I'm fairly sure a specific service account is needed to do this.

2) working with my global AD team so we can hopefully get these trust relationships setup correctly.
A very basic question: if the FQDN of, say, the environment DC (in a firewalled datacenter) of my server where group policy information is being obtained is server.us.prod.companyA.com, and when on the corporate LAN the DC I'm hitting is something like dom.users.companyA.com, is the fact that these share a root (companyA.com) indicative of them being in the same forest?
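The two diagnostics raised in this thread (ShrikantPatil's PowerShell AD cmdlet checks and the Kerberos 88 / LDAP 389 firewall findings, and the question above about whether a shared DNS suffix implies one forest) can be combined into one script run from the Alteryx Server host. This is an added example, not code from the thread or from Alteryx; it needs the RSAT ActiveDirectory module, and the DC name, user name and port list are assumptions to replace with your own. Forest membership is read from AD itself (the Forest property of Get-ADDomain) rather than inferred from the DNS name, because a DNS suffix is not authoritative for forest membership.

```powershell
# Added example (not from the thread): check cross-forest IWA prerequisites
# from the Alteryx Server host. Requires the RSAT ActiveDirectory module.
# dc1.domain2.example and jdoe are placeholder assumptions; replace them.
Import-Module ActiveDirectory

# 1. Which forest does this server's domain belong to? Read it from AD
#    rather than guessing from the DNS suffix.
$local = Get-ADDomain
'Local domain {0} is in forest {1}' -f $local.DNSRoot, $local.Forest

# 2. Enumerate trusts seen from this domain, with direction and type.
#    Direction should be BiDirectional for the forest the users are moving to.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType |
    Format-Table -AutoSize

# 3. TCP reachability from this host to a DC in the trusted forest.
#    88 = Kerberos, 389 = LDAP, 636 = LDAPS, 3268 = Global Catalog.
#    Test-NetConnection only exercises TCP; Kerberos also uses UDP 88.
$remoteDc = 'dc1.domain2.example'   # assumption: a DC in the other forest
foreach ($port in 88, 389, 636, 3268) {
    $r = Test-NetConnection -ComputerName $remoteDc -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-30} TCP {1,-5} {2}' -f $remoteDc, $port, $state
}

# 4. Resolve a user in the other forest by pointing explicitly at its DC.
#    Runs as the current identity; add -Credential (Get-Credential) to test
#    the Gallery service account instead of the logged-on admin.
try {
    Get-ADUser -Identity 'jdoe' -Server $remoteDc -Properties UserPrincipalName, Enabled |
        Select-Object SamAccountName, UserPrincipalName, Enabled, DistinguishedName
} catch {
    'Cross-forest lookup failed: {0}' -f $_.Exception.Message
}
```

Run it first as yourself and then under the Gallery service account: a lookup that works for you but fails for the service account points at the account's permissions, while a failure in step 3 points at the firewall, which is the case the thread describes.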

EdP
Alteryx

@NicoleJohnson 

2021.3 Server changes this a bit.  Users from both domains can still log in to Server.  But you can no longer add a Private Studio to a Collection.  The list of Users you can add to a Collection comes from the first domain only when the domains are in different forests.  Technically:
NTLM is used for authentication (which can check both trusted domains).  LDAP is used to get the list of users to add to the Collection (or a Group) and it only pulls from the one domain when they are in different forests.
Ed Phelps
Sr CSE
Alteryx
NicoleJohnson
ACE Emeritus

@EdP - thank you for the update. Unfortunately, this feels like a significant step in the wrong direction when it comes to Gallery & multi-forest AD domains. This means the only way for users to be added from other domains is now limited to manually adding them to the MongoDB, which is clearly not ideal.
I'd like to understand more about why this still isn't on the roadmap to allow users from multiple domains to access the same Gallery. If it is meant to be a collaborative environment, seems like a pretty big roadblock to prevent users from 1/2 a company from accessing it the same way, particularly when "some" of the areas of Gallery accept them as users (i.e. assigning roles) while others don't ("adding to collections"). I'm concerned about the implications for other areas as well - does this mean we can't provision Gallery data connections to them too? Can we get around this by adding AD Groups as users that have members from multiple domains? 
NJ

EdP
Alteryx

Hi @NicoleJohnson --

I don't know the roadmap for multi-forest Active Directory domains; however, a thoughtful exchange about the move away from Private Studio appears here: https://community.alteryx.com/t5/Inspire-Buzz/Removing-Studios-from-the-Gallery-your-opinion-concern...

The discussion includes the Product Manager for Server, John Pelletier, and would be a great place to ask about how Server will manage multi-forest domains in the future and express your use case and how you've worked around the issue so far.
EdP

Ed Phelps
Sr CSE
Alteryx