Has anyone successfully joined their k1000 to a domain and enabled SSO, then moved the kbox computer and user objects to a different OU?

I have successfully joined our K1000 running 5.5 to AD, but SSO is not working. I'm an admin at a lower OU, so I had to get temp rights from the domain admin to create the kbox user account in the computers OU. After that, I moved the objects to one of my OUs within the same domain per kb115345, but SSO is not working. If anyone has gotten this to work, are there any undocumented steps to try? I followed the troubleshooting steps in 111863, but still no luck. I also imported the new user object into the K1000. I'm wondering if I need to make the new user object my LDAP user.

I have a ticket open, but the tech had to kick it up to tier 3 support. I thought I'd check to see if anyone here could suggest anything.

Thanks.

Answers

So you enabled SSO and THEN moved the kbox?

Have you tried rejoining the kbox to the domain after the move? As far as I am aware, where in the OU tree the kbox resides doesn't matter (again, from experience, not speaking in definites).

Are you using full admin credentials to join the kbox? Is it possible you joined the kbox using your temporary credentials and when they were pulled, so was the kbox access to the domain as it can't use those credentials any longer?

Answered 05/02/2014 by: Wildwolfay

  • Correct, I enabled SSO, then moved the object. I was granted temp rights to create user accounts in the default computers container, so I joined and enabled SSO. I then moved the kbox computer and user account to my own OU per the Dell KB. The documentation is pretty sparse, so there isn't anything more about what to do after moving the objects. I could try disabling SSO and then re-enabling it, but that may put me back at square one, which means I'd have to ask the domain admin for rights again.
    • Well, if you're joining it through the Kace UI (right??) then you just need an admin login to join it to the domain. You should be doing that with a domain admin account, not temporary rights, as far as I know/would think.

      Once the device is joined I see no harm in moving the OU, which is probably why the article says you can.
      I've had another problem solved by unjoining the device from my domain and rejoining, so it never hurts. Maybe have them use admin credentials on the device?
      • Yes, through UI. I'm a dept admin on a campus with 30,000 people, so I'm the admin with full rights for our dept OU, not the whole domain. The kbox can sort of be joined to a specific OU, but the kbox user account can only be created in the default computers OU, so that's why admin rights are needed in the default computers OU. The KB I referenced specifically states that the objects can be moved, but clearly there are other necessary steps that are not documented yet.