Kofax

Challenges Encountered when using AD Groups for eFLOW Windows Authentication

Article # 3049941

Issue

AD Groups were configured in DomainSecurity.xml, but the eFlow station fails to launch or takes too long to launch (performance concern).

Cause

Some known causes of failure: clients and server are not in the same domain; the LDAP server is not reachable from the eFlow server; multiple domains are involved and have not been made "virtually the same domain" (e.g. trusted, etc); the inputs are incorrect (e.g. the AD group does not exist, or the user is not actually a member of the group), etc.

For the authentication performance concern, the time taken in this part is outside eFlow's scope (eFlow has no control over it).  This is environmental.  The tool (refer to Solution) can be used to gauge the time taken, followed by e.g. a Wireshark trace or whatever is deemed suitable.  The IT team of the environment then needs to analyze the slowness in this area and resolve it - this is transparent to eFlow.

Solution

The baseline for eFlow has never changed.  NT Authenticated users for eFLOW need to be in the same domain (clients and servers).  Where they are not in the same domain (different, parent-child or sub-domain), the environment IT team is responsible for making them the "same domain", e.g. virtually the same (e.g. trusted, etc), and for ensuring nothing blocks eFlow from reaching the AD (LDAP) server, etc.  This is out of eFlow scope.  Similarly, for the authentication performance concern, eFlow has no control over it.  This is environmental.

Nevertheless, the product team has provided a testing tool that gives some insights, which may help the environment IT team identify or zoom in on suspected areas.

With the tool,

  • you can verify whether the group can be found (mostly in the same way eFlow tries to find it).

  • if it can be found, you can check the performance (the time taken will be shown) - this info may give the IT team some insights.

If any error is encountered, then most likely it would not work for eFlow either.  Take note of the error info from the tool, which may provide some clues about what is wrong (e.g. The LDAP server is unavailable).

Please download the testing tool: Test Time Taken for Finding your AD Group at Domain - DomainWithSpecificGroup.zip

Here is a quick guide on how to use the tool.

1. After you download the zip file, copy it to the machine to be tested (for simplicity, you can test on the eFlow server).

2. Unzip it to a folder.  You can also test it without eFlow installed but you should have at least .NET framework 4.7.2 in the environment.

3. Run the exe file as Administrator.

4. Enter the mail ID and the AD Group this ID belongs to.

  • If you are not sure which AD Group(s) your ID belongs to, use CMD or PowerShell to check.  E.g. in CMD (run as administrator), input "whoami /groups"
  • Usually the mail ID used in the organization is your domain account (same as your email).
  • If it is a closed environment where email is not linked to your domain account, then input <userID>@<domain>.
  • The screenshot example (no email account, just a domain account) shows a non-member and a member: eFLOW ADGroup at Domain Test Tool - Test Sample Result.png
  • If there is a failure, you will see an exception and may get to see the error message.  The same issue will most likely occur in eFlow as well.
  • If there is no failure and you are found in the AD group, this will probably work in eFlow.
  • The time taken can give the IT team insight for further investigation if it is considered slow, so that they can run other analysis tools or traces (e.g. Wireshark) to identify potential bottlenecks, etc.
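
For environments where the IT team wants to repeat the same kind of check from a script, the following is an added example, not the Kofax tool and not eFlow's own lookup code. It assumes Windows PowerShell 5.1 on a domain-joined machine; the function name `Test-AdGroupLookup`, its parameters and the sample values are hypothetical, and checking nested security groups is an assumption about what is useful to measure, not a statement of how eFlow resolves membership.

```powershell
# Added example: time each stage of an AD group check so slow stages stand out.
# Uses the standard .NET System.DirectoryServices.AccountManagement API.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdGroupLookup {
    param(
        [Parameter(Mandatory)][string]$UserId,     # <userID>@<domain>
        [Parameter(Mandatory)][string]$GroupName   # AD group expected for that ID
    )
    $domain = ($UserId -split '@', 2)[1]
    $r = [ordered]@{ User = $UserId; Group = $GroupName; UserMs = $null
                     GroupMs = $null; MemberMs = $null; IsMember = $null; Error = $null }
    $ctx = $null
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Stage 1: context creation plus user lookup, so any connection cost is included.
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::UserPrincipalName, $UserId)
        $r.UserMs = $sw.ElapsedMilliseconds; $sw.Restart()
        if (-not $user) { throw "User '$UserId' was not found in domain '$domain'." }

        # Stage 2: find the group (fails for a misspelled or non-existent group).
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
        $r.GroupMs = $sw.ElapsedMilliseconds; $sw.Restart()
        if (-not $group) { throw "Group '$GroupName' was not found in domain '$domain'." }

        # Stage 3: membership through direct or nested security groups, compared by SID.
        # This expansion is usually the slowest stage in large or multi-domain forests.
        $sids = $user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value }
        $r.IsMember = [bool]($sids -contains $group.Sid.Value)
        $r.MemberMs = $sw.ElapsedMilliseconds
    }
    catch {
        # Keep the innermost message (e.g. an unreachable LDAP server) for the IT team.
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally { if ($ctx) { $ctx.Dispose() } }
    [pscustomobject]$r
}

# Placeholder values; replace with a real <userID>@<domain> and AD group.
Test-AdGroupLookup -UserId 'jdoe@example.test' -GroupName 'eFlowOperators'
```

A populated `Error` field with empty timings points at connectivity or input problems, while a large `MemberMs` with no error points at slow group expansion in the directory.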

Level of Complexity 

Moderate

 

Applies to  

Product: eFlow
Version: 6.0.2, 6.0.2.1, 6.0.3 or higher
Build: 6.0.2.72, 6.0.2.93, 6.0.3.73 or higher
Environment: Windows, .NET Framework 4.7.2 (minimum as verified)
Hardware: (none listed)

References

N.A.
