Access Denied to Server Spaces

We are experiencing an issue with a single user who is receiving Access Denied errors when trying to connect to a space. The space has security and access is limited to an Active Directory group that the user is a member of, and the user has been added to the space as well. But still access is denied, not only to that space but to all spaces on the server. He can connect with no issues to our production server that has the exact same settings.

Any ideas? Running EM Desktop 5.1.2.1

@rrodrigues

Could it be that the user’s domain/account in the space’s access list has a typo? Can you please remove and re-add the user?

Access is governed by an Active Directory group (the user is in the group) and we have added the user directly, but still receive the access denied message. From my experience, you cannot add a user name that is incorrectly spelled. Thinking that the software somehow checks the user as it is being added to make sure it is a valid user?

But again, the space security configuration is exactly the same on our production server and he has no issues accessing the spaces on that server. Same domain, different subnet.

@ckononenko any ideas on the issue?

Hi

Yes, you're right, the server checks and finds name/sid/etc when adding a user/group to a space. For this, LDAP is used.

EasyMorph Desktop should transparently pass the user's Identity using NTLM|Negotiate.

Can a user access a password-protected space with EasyMorphDesktop on the same server?
Are the user's computer and the dev Windows Server included into the same domain (both are AD joined)?
Is the problem only with one specific computer?
Are you using any proxy to access the dev/prod environment?

You can reply directly to support email.

@ckononenko @dgudkov

I answered your questions below, but think I may have the answer. We access the Morphs Spaces folder structure through Windows Explorer and create new sub-directories using that method as opposed to using the EM Server interface. Example:

Using File Explorer, access \\servername\Users\Public\Public Documents\Morphs\Space Name and then create a new directory: Beta Version as an example.

Also, we have created a hidden share for our users to access directly as well: \\servername\Morphs$

I wonder if either of those causes issues? We reapplied permissions recursively and that solved the issue for this user.

Thanks.

Can a user access a password-protected space with EasyMorphDesktop on the same server? YES
Are the user’s computer and the dev Windows Server included into the same domain (both are AD joined)? YES
Is the problem only with one specific computer? YES
Are you using any proxy to access the dev/prod environment? NO

Hi @jcaseyadams

This is a very interesting observation. Thank you for sharing.

Error Access to space…forbidden is particular. This error occurs only at the user’s AD authentication stage when the passed Windows Identity or user group is not bound to the specified space. It has nothing to do with file system permissions in the PublicFolder, nor with the repository.

Considering that the error disappeared just after the file system access rights were updated and that the error occurred only on one computer, this indicates possible problems with the synchronization/updating of AD entities in the easymorphserver computer - AD controller - desktop chain, or some misconfiguration. Perhaps there are still some nuances.

So I spoke incorrectly earlier. The network folder issue was resolved, but the server link issue remains. I have uploaded a screenshot that should give you a clear idea. Again, our production server, which is in the same domain but on a different subnet, is configured exactly the same and we have no issues there.

We have deleted the server link and recreated it and upgraded EM to the latest version, but still the issue exists. Would the access denied be captured in the server logs? I could check there tomorrow for clues.

Thanks again for the help!

So, only one user (user A) cannot access the second server (dev). Can you and other users access the server (dev)? And are you on the same subnet as user A?

Since you mentioned that the second server is on a different subnet, please look at the DNS settings, including on user A’s computer and on the second server (dev). Is there anything strange there? Make sure everything is set up correctly, including name, IP address, and reverse DNS lookup.

Let’s check some more scenarios in the web browser for user A.

Scenario A.

  1. Enable integrated NTLM/Windows Authentication in Firefox

  2. Open Firefox and open the config page by typing about:config

  3. Search for network.automatic-ntlm-auth.trusted-uris and press Enter.

  4. Set the value network.automatic-ntlm-auth.trusted-uris as the path to the server like http(s)://youremserver:6330

  5. Perform login to AD space. Firefox should pass credentials automatically and not ask for the user’s login/password.

  6. Disable integrated NTLM/Windows Authentication.

Scenario B.

  1. Open Firefox in private mode
  2. Sign in to AD space. Firefox will ask for the username/password.
  3. Enter username/password.
  4. Sign in to AD space

Were both scenarios successful?

Here was our fix that has successfully resolved the issue:

Go to and click on Windows Credentials

Delete all records related to the server with issue:

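The fix above, scripted with the built-in `cmdkey` tool (an added example, not part of the original posts): it lists the stored Windows credentials whose target names the affected server and deletes them. The host name `emdev01` and the sample listing are constructed, and the `Target:` label assumed here is the one printed by English-language Windows.

```powershell
# Added example. 'emdev01' and the sample listing below are constructed values.
function Get-StoredCredentialTarget {
    param(
        [Parameter(Mandatory)] [string] $Server,
        # Lines of `cmdkey /list` output; read from the live store if omitted.
        [string[]] $CmdkeyOutput = (cmdkey /list)
    )
    # Host name must be a whole token: 'emdev01' must not match 'emdev011'.
    $hostPattern = '(^|[=:/\\])' + [regex]::Escape($Server) + '([.:/\\]|$)'
    foreach ($line in $CmdkeyOutput) {
        # English output: "    Target: Domain:target=emdev01"
        if ($line -match '^\s*Target:\s*(?:\w+:target=)?(?<name>.+?)\s*$') {
            $name = $Matches['name']
            if ($name -match $hostPattern) { $name }
        }
    }
}

function Remove-StoredCredentialForServer {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Server)
    foreach ($name in Get-StoredCredentialTarget -Server $Server) {
        # -WhatIf previews; without it the entry is deleted from the store.
        if ($PSCmdlet.ShouldProcess($name, 'cmdkey /delete')) {
            cmdkey "/delete:$name" | Out-Null
        }
    }
}

# Constructed sample of `cmdkey /list` output, used to show the filtering offline.
$sample = @(
    'Currently stored credentials:', '',
    '    Target: Domain:target=emdev01',
    '    Type: Domain Password',
    '    User: CORP\old.account', '',
    '    Target: LegacyGeneric:target=emdev011:6330',
    '    Type: Generic',
    '    User: someone', '',
    '    Target: Domain:target=emdev01.corp.example',
    '    Type: Domain Password',
    '    User: CORP\old.account'
)
Get-StoredCredentialTarget -Server 'emdev01' -CmdkeyOutput $sample

# On the affected workstation, preview first:
# Remove-StoredCredentialForServer -Server 'emdev01' -WhatIf
```

The `User:` line of each matching entry shows which account the workstation has saved for the server, which is worth recording before deleting the entry.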