Version from Intel EMA = 1.14.3.0
Installation = OnPrem
Database = MS SQL Server
After creating a tenant, I created two groups under "AD Groups":
Intel-EMA_GlobalAdmin
Intel-EMA_TenantAdmin
If I now try to log in with a user who is in one of the two groups, it unfortunately doesn't work (unless I add the user under "Users").
I find the following information in the log:
2025-07-11 07:44:45.7313 [ERROR], Message: Can not find a match between AD Groups in EMA database & Active Directory
Can anyone help me figure out why logging in via a group isn't working?
Thanks,
Stefan
Hi Stef37,
We see that you are facing the issue with users in AD groups unable to log in to Intel EMA unless they are also added as individual users. The key error, "Can not find a match between AD Groups in EMA database & Active Directory," suggests a mismatch or misconfiguration in how EMA is mapping and recognizing AD groups.
Common Causes and Solutions
1. Distinguished Name (DN) Mismatch
When adding AD groups in Intel EMA, you must use the exact distinguished name (DN) of the group from Active Directory. If there is any typo or if the DN format is incorrect, EMA will not match the group and authentication will fail.
2. AD Group Not Properly Synchronized
Ensure that the group exists in both Active Directory and the EMA database. If the group was renamed, moved, or deleted and recreated, the DN may have changed. Remove and re-add the group in EMA using the current DN.
3. Group Membership Propagation Delay
After adding a user to an AD group, there might be a delay before the change is recognized by both AD and EMA. Make sure the user’s group membership has fully propagated.
4. API Permissions (for Azure AD)
If you are using Azure AD groups (not traditional Windows AD), you may need to grant additional API permissions for group membership lookup in your Azure App Registration. Without these permissions, EMA cannot query group membership.
5. Logging and Troubleshooting
Enable detailed logging in EMA to see which domain controller is queried and what errors are returned. This can help identify if the issue is with AD connectivity or group lookup logic.
Steps to Resolve
Double-check the DN: In Active Directory Users and Computers, right-click the group > Properties > Attribute Editor > copy the "distinguishedName" value and use this in EMA.
Remove and re-add the group in EMA using the correct DN.
Verify user membership in the group and ensure there are no replication delays.
If using Azure AD, review your app registration and ensure it has permissions to read group memberships.
Restart the EMA services after making changes to force a refresh.
In summary:
The most likely cause is an incorrect DN or a synchronization issue between EMA and AD. Carefully verify the group DN and ensure proper permissions.
Thanks & Regards
Arun
Intel Customer Support Technician
intel.com/vPro
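The DN and membership checks from the steps above can be scripted. This is an added example, not part of the original posts and not Intel tooling; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the OU path, domain components and the user name `jdoe` are placeholders to replace with your own values.

```powershell
# Added example: compares the DN strings entered in EMA with what AD reports
# and checks how the failing user is a member of each group.
Import-Module ActiveDirectory

# Placeholders: DN strings exactly as typed under "AD Groups" in EMA,
# and the sAMAccountName of the user whose login fails.
$EmaGroupDns = @(
    'CN=Intel-EMA_GlobalAdmin,OU=Groups,DC=example,DC=com',
    'CN=Intel-EMA_TenantAdmin,OU=Groups,DC=example,DC=com'
)
$UserSam = 'jdoe'

$user = Get-ADUser -Identity $UserSam -Properties MemberOf

foreach ($dn in $EmaGroupDns) {
    # Look the group up by name, so a wrong OU path in the configured DN
    # still finds the group and shows the difference.
    $cn = ($dn -split ',', 2)[0] -replace '^CN=', ''
    $groups = @(Get-ADGroup -Filter "Name -eq '$cn'")
    if ($groups.Count -eq 0) {
        Write-Warning "No AD group named '$cn' was found."
        continue
    }
    foreach ($g in $groups) {
        # Direct membership: the group DN appears in the user's memberOf attribute
        # (the user's primary group is not listed there).
        $direct = $user.MemberOf -contains $g.DistinguishedName
        # Effective membership, including membership through nested groups.
        $effective = [bool](Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })

        [pscustomobject]@{
            ConfiguredDn = $dn
            ActualDn     = $g.DistinguishedName
            # The thread does not say how EMA compares DNs, so report both
            # the case-sensitive and the case-insensitive result.
            DnExactMatch = $g.DistinguishedName -ceq $dn
            DnMatchNoCase = $g.DistinguishedName -eq $dn
            DirectMember = $direct
            NestedOnly   = (-not $direct) -and $effective
        }
    }
}
```

A row with `DnExactMatch` false shows the configured string differs from the directory's `distinguishedName`; `NestedOnly` true means the user reaches the group only through another group.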
Hello Arun
Thank you very much for your reply.
I have stored the two groups in the Distinguished Name format under AD Groups. I retrieved the path from Active Directory as you described. This means I can rule this out as an error.
What I don't quite understand is this sentence:
Ensure that the group exists in both Active Directory and the EMA database.
Do I also need to create a group with the same name under "User Groups"?
Regards
Stefan
Hi Arun
Now create a group with the same name under "User Groups". Now the application closes.
You should note, however, that Group in Group does not work unfortunately.
Thanks for the support.
Regards
Stephen
Hi Stef37,
Make sure that the group exists in both Active Directory and in the Intel EMA Database, which means that we have to ensure that the group is there in both AD and the sub DB which is created by Intel EMA.
Please feel free to revert for any further query!
Thanks & Regards
Arun
Intel Customer Support Technician
Hello Stef37,
Thank you for reaching out to Intel. Feel free to revert for any further query!
Thanks & Regards
Arun
Intel Customer Support Technician
