Microsoft KB Archive/324035

= FIX: User cannot log on when in nested groups or cross-domain nested groups =

Article ID: 324035

Article Last Modified on 12/15/2005

-

APPLIES TO


 * Microsoft Content Management Server 2001 Service Pack 1

-



This article was previously published under Q324035



SYMPTOMS
A user cannot log on to the Site Builder for Microsoft Content Management Server (MCMS) 2001 or to the Web Browser Client for MCMS although the user belongs to a Microsoft Windows NT nested user group on the same domain or a foreign domain that has been granted user rights in MCMS with a valid user role.



CAUSE
When a user logs on to MCMS, the server enumerates all of the user groups that the user is a direct member of. Additionally, only the user groups on the domain that the user belongs to are enumerated in the logon process. As a result, if the groups are from a foreign domain, or if the user is added to the group through nested user groups assignments (for example, User A is added to Group1, Group1 is added to Group2, and Group2 is added to an MCMS user role) and assigned to an MCMS 2001 user rights role, the user cannot log on to MCMS by using either the Site Builder or the Web Browser Client.



Service pack information
To resolve this problem, obtain the latest service pack for Content Management Server 2002. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

906142 How to obtain the latest Content Management Server 2002 service pack

Security update information
To resolve this problem, apply Microsoft Content Management Server 2001 security update MS03-002. For more information, and to obtain this update, click the following article number to view the article in the Microsoft Knowledge Base:

810487 MS03-002: Cumulative patch for Microsoft Content Management Server

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time      Version         Size  File name --  23-May-2002  17:12:04  4.1.942.200   140 KB  AESecurityService.exe 23-May-2002 17:10:12  4.1.942.200  1.04 MB  AEServerObject.dll 23-May-2002 17:14:48  4.1.942.200   132 KB  AEUsrMgr.dll 04-Jun-2002 13:35:24  4.1.942.200  71.5 KB  Enummembership.dll Note Because of file dependencies, this update requires Content Management Server 2001 Service Pack 1.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section. This problem was corrected in Content Management Server 2002 Service Pack 1.



Steps to reproduce the problem

 * 1) Create four items across two domains: Domain1\User1, Domain1\User2, Domain1\Group1, and Domain2\Group2.
 * 2) Make Domain1\User1 a member of Domain1\Group1.
 * 3) Make Domain1\User2 a member of Domain2\Group2.
 * 4) Add both Domain1\Group1 and Domain2\Group2 to a CMS role.
 * 5) Log on with both users.

You can log on by using Domain1\User1 because MCMS only queries the domain that the user came from for membership.

The fix permits cross-domain authentication that follows Active Directory rules, similar to file system access control lists (ACLs).

Because the fix more closely adheres to Active Directory, users who are added to a domain local group on a domain that is foreign to the CMS server cannot log on. This configuration works before you apply this fix, but it is no longer supported.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbbug kbfix kbcontentmgtserv2001sp1fix kbqfe kbcontentmgtserv2001presp2fix kbhotfixserver KB324035

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.