Troubleshooting - Active Directory user is denied login to FotoWeb
Note: Active Directory integration via LDAP in FotoWeb is set to End of Life from January 1st, 2024, and will be removed from our software in a future version. We strongly recommend switching your identity provider as soon as possible.
Fotoware currently supports a variety of other identity providers, such as Microsoft Entra ID (formerly Azure Active Directory), ADFS + SAML, or any other SAML 2.0 compatible provider, such as Okta, OneLogin, and many more.
Contact Fotoware Support or your Fotoware Partner if you need assistance migrating to a new identity provider.
Symptom
Users in an AD group that have been imported into FotoWeb cannot log in correctly.
The log message reads: "User <username> is denied login (not a member of any imported groups)"
Possible cause
The account that makes LDAP requests for the FotoWeb AD integration (i.e., the "admin user" you select under "Directory settings" in the FotoWeb Site Configuration) must have the "Read Member Of" permission on the domain object, applied to the user objects beneath it.
This permission may be missing if the Active Directory domain was upgraded from Windows Server 2003 or earlier.
Solution
- Open the properties of the domain object in the Active Directory management console. You may have to right-click the domain object and choose View - Advanced Features to get access to the features you need.
- Now right-click on the domain object and choose Properties. Go to the Security tab and select Advanced to modify advanced permissions for the domain object.
- Finally, add the user that will be used for LDAP lookups in FotoWeb and make sure Read Member Of is selected for that user. Also, at the dropdown list at the top of the screen, select Apply to: Descendant user objects.
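The following PowerShell script is an added example and not a Fotoware script: it checks whether the LDAP bind account already holds a "Read Member Of" (ReadProperty on the memberOf attribute) allow entry on the domain object that is inherited by user objects, and, with -Grant, adds that entry in the same way the console steps above do. It assumes the ActiveDirectory module is installed, that you run it with rights to read (and, for -Grant, modify) the domain object's ACL, and that $BindAccount is the account configured in FotoWeb's Directory settings (the 'CONTOSO\svc-fotoweb' value in the comment is a placeholder).

```powershell
# Added example, not part of the Fotoware documentation or product.
# Verifies (and optionally grants) "Read Member Of" for the FotoWeb LDAP bind account
# on the domain object, applied to descendant user objects.
param(
    [Parameter(Mandatory)] [string]$BindAccount,   # e.g. 'CONTOSO\svc-fotoweb' (placeholder)
    [switch]$Grant                                  # add the missing ACE instead of only reporting
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaDN = $rootDse.schemaNamingContext

# Resolve schemaIDGUIDs from the schema partition instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaDN -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$memberOfGuid  = Get-SchemaGuid 'memberOf'   # attribute behind "Read Member Of"
$userClassGuid = Get-SchemaGuid 'user'       # "Descendant User objects" in the console

# Normalise the account name so it can be compared with IdentityReference values in the ACL.
$sid       = (New-Object System.Security.Principal.NTAccount($BindAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value

$acl = Get-Acl -Path "AD:\$domainDN"

# An ACE satisfies the requirement if it allows ReadProperty on memberOf (or on all properties,
# ObjectType = empty GUID) for this account and is inherited by objects below the domain.
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ntAccount -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
    ($_.ObjectType -eq $memberOfGuid -or $_.ObjectType -eq [guid]::Empty) -and
    $_.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
}

if ($existing) {
    Write-Output "OK: $ntAccount already has an inheritable Read memberOf entry on $domainDN"
    $existing | Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}
elseif ($Grant) {
    # Equivalent of: Allow / Read Member Of / Apply to: Descendant user objects
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberOfGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    Write-Output "Granted Read memberOf (descendant user objects) to $ntAccount on $domainDN"
}
else {
    Write-Warning "MISSING: $ntAccount has no inheritable Read memberOf entry on $domainDN; re-run with -Grant to add it"
}
```

Run it first without -Grant to confirm the diagnosis before changing the ACL. The check only looks at entries that name the bind account directly; a permission the account receives through group membership will not be reported, so a "MISSING" result with working logins is not a contradiction. After granting, retry the FotoWeb login and confirm the "not a member of any imported groups" message no longer appears in the log.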