Clarity and Active Directory Logins
If you opt to use Active Directory for logging into Clarity, there are a few things to review so you understand how this is set up and what we are looking for when we check against the user's Active Directory credentials.
When logging into the Web Portal, you will not use your email address; you will use your Active Directory credentials.
We cannot reset your password, so that link on this login page will not work with this type of login.
There are two places Active Directory integration is configured: one to add/update users to the web portal and one to log them in.
Active Directory Synch - Syncs Users Between AD & Clarity
One is in the Active Directory Synch tool located on the desktop of the Clarity host server.
There are several tabs that you need to configure; please refer to the help link below. The AD server should match what you configure in the Clarity Web Portal.

This tool is used to add/update and, depending on settings, potentially remove users from Clarity when it synchronizes.
This runs in Services and only synchronizes users between Active Directory and Clarity.
This service has nothing to do with logging users into the Web Portal.

LOGIN ISSUE NOTE:
If a user is having issues logging in and was previously able to log in, the quick solution is to remove the user from the Clarity Users tab and run the Sync to add them again.
If the issue is more global, it is likely a different issue and we will need the Clarity Host logs from the Server tab, Logs page to figure out the cause.
To force an Active Directory sync:
Browse to C:\Program Files\IMAGINiT Technologies\Clarity Active Directory Sync
and run the ClarityADSynchService.exe application.
It should bring up a UI. Click Analyze and then Update to force the sync.
Diagnostics
C:\ProgramData\IMAGINiT Technologies\Clarity Active Directory Synch\Logs
Active Directory Authentication - Clarity Asks the AD Server to Verify Clarity User
The setting for logging users in is controlled in the Clarity Web Portal: Server tab, Authentication.
Here you will enter the AD Server Name and AD Domain Query location (see Notes below).

Notes:
- If you use the Active Directory Global Catalog, you can specify only GC: for the server (and leave the Domain Query blank). This will query the Global Catalog instead. For more information on this, see the Active Directory deployment guide.
- For a simpler failover, it is also possible to list multiple Active Directory Servers, separated by commas. The system will try each server in the provided sequence.
- When working with the Connect module, the Server/Authentication page also enables you to set several options for identifying users and determining access rights. For more information on this, see the Authentication Options, under the Clarity Security Overview.
Clarity AD Login Requirements
Basic Requirement:
- The user must exist in Clarity
- Their account must have the Active Directory checkbox selected
What We Are Checking For
Clarity AD Synch looks for 4 attributes to exist to be able to create a user:
- First Name
- Last Name
- Sam Account Name
- Email
In AD we must have the following fields, shown in green below, on the General tab and the login name (Pre-Windows 2000) on the Account tab.
When a user attempts to log in:
- We ask the AD Server (this information is seen in the Clarity web portal, Server tab, Authentication):
  - Is this a valid username/password combination?
  - If so, what is the user's email? (We then match it in the Clarity user database.)
- If we can't find a match for any one of those things, there will be an error.
The error will show up in the AdminConsole log and looks similar to this:
INFO 2023-10-26 14:23:33,942 UserService - Unable to find the Active Directory user: LOGINNAME
INFO 2023-10-26 14:23:33,942 etoryAuthenticatedUser - Unable to login user: LOGINNAME
INFO 2023-10-26 14:23:33,942 HomeController - Unsuccessful login attempt for LOGINNAME: Unable to find the selected user account.
INFO 2023-10-26 14:29:36,280 UserService - GetDirectorySearchResult(ADSERVERNAME, DC=DOMAIN,DC=LOCAL, Secure): Error retreiving Search result
System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect.
…
at AdministratorConsole.Core.Services.UserService.GetDirectorySearchResult(String ldapServer, String userId, String password, String ldapDomain, String ldapAuthType)
The user name or password is incorrect.
This is a generic error and does not necessarily mean exactly that. Sometimes the real issue is that the user doesn't have an email address in AD; this can happen if the user was added manually rather than with the sync tool.
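The following Python script is an added example, not part of Clarity or of the original article. It reads AdminConsole log text in the layout shown above, attaches each exception and stack line to the entry it follows, and summarises failed logins per login name and directory errors per AD server. The embedded log is a constructed sample; jdoe, ADSERVER01 and EXAMPLE are made-up values.

```python
import re
from collections import Counter

# Entry layout copied from the AdminConsole sample on this page:
#   LEVEL YYYY-MM-DD HH:MM:SS,mmm Logger - Message
ENTRY = re.compile(r"^([A-Z]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(\S+) - (.*)$")
NOT_FOUND = re.compile(r"Unable to find the Active Directory user: (\S+)")
FAILED = re.compile(r"Unsuccessful login attempt for ([^:]+): ")
SEARCH = re.compile(r"GetDirectorySearchResult\(([^,]+),")
HRESULT = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

# Constructed sample (jdoe, ADSERVER01 and EXAMPLE are made-up values).
SAMPLE_LOG = """\
INFO 2023-10-26 14:23:33,942 UserService - Unable to find the Active Directory user: jdoe
INFO 2023-10-26 14:23:33,942 HomeController - Unsuccessful login attempt for jdoe: Unable to find the selected user account.
INFO 2023-10-26 14:29:36,280 UserService - GetDirectorySearchResult(ADSERVER01, DC=EXAMPLE,DC=LOCAL, Secure): Error retreiving Search result
System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect.
   at AdministratorConsole.Core.Services.UserService.GetDirectorySearchResult(String ldapServer, String userId, String password, String ldapDomain, String ldapAuthType)
INFO 2023-10-26 14:31:02,115 HomeController - Unsuccessful login attempt for jdoe: Unable to find the selected user account.
"""

def parse_entries(text):
    """Group each log entry with the exception/stack lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"ts": m.group(2), "logger": m.group(3),
                            "msg": m.group(4), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())  # continuation line
    return entries

def triage(text):
    """Summarise failed logins and directory errors for review."""
    failed, not_in_ad, dir_errors = Counter(), set(), []
    for e in parse_entries(text):
        if (m := NOT_FOUND.search(e["msg"])):
            not_in_ad.add(m.group(1))
        if (m := FAILED.search(e["msg"])):
            failed[m.group(1)] += 1
        if (m := SEARCH.search(e["msg"])):
            code = HRESULT.search(" ".join(e["extra"]))
            dir_errors.append((e["ts"], m.group(1), code.group(1) if code else None))
    return {"failed": dict(failed), "not_in_ad": sorted(not_in_ad),
            "dir_errors": dir_errors}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A login name listed under not_in_ad is a candidate for the missing-email check described above, and each dir_errors entry carries the error code from the exception line that followed it.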
