Cannot log in using Active Directory user


Not Ranked
6 Posts
nana posted on 24 Jan 2011 6:21 PM

Hi,

Since we replaced the Domain Controller (DC) with a new one, we cannot log in using an Active Directory user. When we log in to Websense Manager, we always get an error like the one below:

"You do not have permission to access websense manager"

We have already done the steps below:

1. Add new DC and delete old DC on Server --> Setting --> Active Directory Service

2. Add user from new DC as Super administrator on Administration --> Super Administrator

3. Edit Program Files\Websense\bin\dc_config.txt by replacing old DC with new DC

4. Edit Program Files\Websense\bin\config.xml by replacing old DC with new DC

5. Edit Program Files\Websense\config.xml by replacing old DC with new DC

6. Restart all Websense services

Please help me.

Note:

We use Websense Manager 6.3.

Currently, we can only log in using WebsenseAdministrator.

 

Thanks,

nana

|

Verified Answer

Not Ranked
6 Posts
Verified by Samantha

Sorry Samantha, and thanks for your help; I am only replying to the email now. Actually, the problem was already solved 4 days ago by keeping only one DC on Directory Service as per your reference, then re-adding the user.

To set up failover, I followed the steps below:

1. Keep one DC on Directory services (ex. 10.1.1.6)

2. Add User (ex. LDAP://10.1.1.6  CN=Users,DC=contoh,DC=com/Domain Admins)

3. Add other DC (ex. 10.1.1.7)

4. Delete old DC (10.1.1.6)

5. Add Same User (ex. LDAP://10.1.1.7  CN=Users,DC=contoh,DC=com/Domain Admins)

Now Administration has 2 user entries:

LDAP://10.1.1.6  CN=Users,DC=contoh,DC=com/Domain Admins

LDAP://10.1.1.7  CN=Users,DC=contoh,DC=com/Domain Admins

6. Re-add old DC (10.1.1.6).

Now Directory Service has 2 DCs: 10.1.1.6 and 10.1.1.7

Is it possible for Websense to call LDAP by the script below:

LDAP://CN=Domain Admins,CN=Users,DC=contoh,DC=com.

So, whatever the IP address or server name, it's no problem as long as the domain name is the same.

For detail to solve this problem, please visit my blog (Indonesia Version) http://errorguide.wordpress.com/2011/02/01/you-do-not-have-permission-to-access-websense-manager/

Regards,

Nana

|
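Each administrator entry quoted in the answer above names one DC host (`LDAP://10.1.1.6 ...`, `LDAP://10.1.1.7 ...`). The following added example, which is not from the thread or from Websense, audits such entries against the directory server list; it assumes the entries have been copied out of the Administration page as text lines, and `parse_entry` and `audit_admin_bindings` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Entry format as shown in the post: "LDAP://<host>  <container DN>/<name>"
ENTRY_RE = re.compile(r"^LDAP://(?P<host>[^\s/]+)\s+(?P<container>[^/]+)/(?P<name>.+)$")


def parse_entry(line):
    """Split one administrator entry into (host, container DN, object name)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised administrator entry: {line!r}")
    return m["host"].lower(), m["container"].strip(), m["name"].strip()


def audit_admin_bindings(entries, directory_servers):
    """Return (orphaned, gaps).

    orphaned: entries bound to a host that is not a configured directory server.
    gaps: {(container, name): [configured servers with no entry for that object]}.
    """
    servers = [s.lower() for s in directory_servers]
    hosts_by_object = defaultdict(set)
    orphaned = []
    for line in entries:
        host, container, name = parse_entry(line)
        hosts_by_object[(container, name)].add(host)
        if host not in servers:
            orphaned.append(line.strip())
    gaps = {}
    for obj, hosts in hosts_by_object.items():
        missing = [s for s in servers if s not in hosts]
        if missing:
            gaps[obj] = missing
    return orphaned, gaps


# Constructed sample: the only admin entry still names a DC that has been
# removed from the directory server list (addresses reuse the post's examples).
ENTRIES = ["LDAP://10.1.1.6  CN=Users,DC=contoh,DC=com/Domain Admins"]
SERVERS = ["10.1.1.7"]

if __name__ == "__main__":
    orphaned, gaps = audit_admin_bindings(ENTRIES, SERVERS)
    print("orphaned entries:", orphaned)
    print("servers without an entry:", gaps)
```

An empty result for both values corresponds to the end state described in the answer: one entry per configured DC for the same group.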

All Replies

Top 10 Contributor
1,744 Posts
Moderator

Can you go to the server that is running the DC Agent service (probably on the Policy Server) and go to your websense\bin folder to verify the following:

open the file named dc_config.txt
you should see the old domain controller
change from =on to =off

It will take an hour for the map to refresh, or you can stop the dc agent service in the same folder, rename the xiddcagent.bak to xiddcagent.bak.old
then start dc agent service
restart the filtering service

It should no longer reference that DC.

Best regards

|
Not Ranked
6 Posts

Dear Yuting,

Before I sent the email to this forum, I had cleared the old DC from the list in dc_config.txt. Now I have followed your advice by adding the old DCs and setting them to off. Then I stopped the DC Agent service, renamed xiddcagent.bak, started the DC Agent and Filtering services, and waited an hour. But the problem still occurred.

FYI, I have 5 DCs; 3 DCs are Global Catalog (GC). Following the old configuration, I added 2 GCs (NewDC_GC1 and DC_GC3) to dc_config.txt like below:

[OTHERDOMAIN]
Serv1=on
[MYDOMAIN]
NewDC_GC1=on
NewDC2=on
DC_GC3=on
DC4=on
DC_GC5=on
OldDC_GC01=off
OldDC_GC02=off
OldDC06=off

[OTHERDOMAIN2]
Serv01=on
Serv02on

What should I do?

Thanks,

nana

 

|
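A way to check a dc_config.txt laid out like the one in the post above, as an added example that is not from the thread or from Websense: it lists the hosts set to `on` per domain and reports lines that are not in `host=on` / `host=off` form (such as the `Serv02on` line in the post) or that leave a retired DC switched on. The function name `check_dc_config` and the `retired` list are assumptions.

```python
import re

# One entry per line: <host>=on or <host>=off, as in the posted file.
LINE_RE = re.compile(r"^(?P<host>[^=\s]+)\s*=\s*(?P<state>on|off)$", re.IGNORECASE)


def check_dc_config(text, retired=()):
    """Parse dc_config.txt-style text.

    Returns (enabled, problems): enabled maps domain -> hosts set to on;
    problems lists (line_number, message) for lines needing attention.
    """
    retired = {h.lower() for h in retired}
    enabled, problems, domain = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            domain = line[1:-1]
            enabled.setdefault(domain, [])
            continue
        m = LINE_RE.match(line)
        if m is None:
            problems.append((n, f"not in host=on/off form: {line!r}"))
        elif domain is None:
            problems.append((n, f"entry before any [DOMAIN] header: {line!r}"))
        elif m["state"].lower() == "on":
            enabled[domain].append(m["host"])
            if m["host"].lower() in retired:
                problems.append((n, f"retired DC still set to on: {m['host']}"))
    return enabled, problems


# Constructed sample modelled on the layout of the posted file.
SAMPLE = """[MYDOMAIN]
NewDC_GC1=on
OldDC_GC01=on
OldDC06=off
[OTHERDOMAIN2]
Serv01=on
Serv02on
"""

if __name__ == "__main__":
    enabled, problems = check_dc_config(SAMPLE, retired=["OldDC_GC01", "OldDC06"])
    print(enabled)
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
```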
Top 10 Contributor
453 Posts
Moderator

Could you please delete and re-add those delegated domain admin accounts in Websense Manager to see if it helps or not?

|
Not Ranked
6 Posts

Dear Samantha,

I already deleted and re-added Domain Admins using the steps below, but the problem still occurred.

1. Administration --> Super Administrator --> Edit Managed Administrator --> select Domain admins --> Delete --> OK

2. Administration --> Super Administrator --> Edit Managed Administrator --> find and select Domain admins on Directory object --> Add --> OK

LDAP://dc_gc_ipaddress CN=Users,DC=contoh,DC=com/Domain Admins

dc_gc_ipaddress = IP address of Global Catalog and FSMO holder

3. Restart DC Agent, Filtering, Policy Server, Network Agent and User Service

Thanks,

nana

 

 

|
Top 10 Contributor
453 Posts
Moderator

Hi nana,
Then we need to troubleshoot this issue. Please refer to these KB articles:

http://www.websense.com/support/article/t-kbarticle/v7-Why-can-t-I-log-on-to-Websense-Manager-1258048451152

http://www.websense.com/support/article/kbarticle/Troubleshooting-Delegated-Administration-Logon-Issues
---Use domain admin account to restart Apache2websense service and ApacheTomcatWebsense.
---Use domain admin account to run user service and dc agent.
---For DC Agent you can refer to this KB article: http://www.websense.com/support/article/t-kbarticle/v7-DC-Agent-does-not-see-some-or-all-users-1258048446442

|
Not Ranked
6 Posts

Dear Samantha,

I didn't find Policy Broker and testAuth on my Websense; how do I enable them?

Thanks,

nana

|
Top 10 Contributor
453 Posts
Moderator

 

Dear nana,

Sorry, here are the troubleshooting steps for you.

Windows
Use the following steps to gather troubleshooting information for the Websense Policy Broker service:

1. On the Policy Broker machine, right click My Computer and select Properties.
2. Select the Advanced tab, and then click Environment Variables.
3. Under System Variables, click New.
4. In the New System Variable dialog box, enter the following information:
   Variable name: WBSN_BROKER_LOGGER
   Variable value: DEBUG
   When you are finished, click OK, then click OK again to close the Environment Variables dialog box.
5. Use the Windows Services dialog box (Start > Programs > Administrative Tools > Services) to stop the Websense Policy Broker service.
6. Browse to the BrokerLogs directory (by default, C:\Program Files\Websense\bin\BrokerLogs), and then rename the BrokerService_PolicyBroker.log file to BrokerService_PolicyBroker.old.
7. Use the Windows Services dialog box to start the Websense Policy Broker service.
8. Attempt to log on to Websense Manager using a network account. The logon should fail.
9. Log on to Websense Manager using the WebsenseAdministrator account. The logon should succeed.
10. Review the newly generated BrokerService_PolicyBroker.log file. What errors do you see for the failed login attempt? This should help to identify the problem.

Do not forget to remove the debugging environment variable when you are finished troubleshooting the problem!
This can be accomplished with the following command:
   unset -f WBSN_BROKER_LOGGER
 
 
Documentation: Websense Manager Help
 
Notes & Warnings  Do not forget to remove the debugging environment variables when you have finished troubleshooting the problem!
 

|
Not Ranked
6 Posts

Before I do the steps you referred to, I should inform you that there is no Websense Policy Broker service on our Websense server. Below are all the Websense services on the server:

Websense DC Client

Websense Filtering Services

Websense Network Agent

Websense Policy Server

Websense Real-Time Analyzer

Websense Usage Monitor

Websense User Services

Is it possible to perform your steps without the Websense Policy Broker service?

Thanks,

nana

 

|
Top 10 Contributor
453 Posts
Moderator

I neglected that you are using v6.3; 6.3 does not have Policy Broker. Policy Broker troubleshooting is for v7.
Confirmed with another tech just now, there are two things we need to verify now.
---You need to use TestLogServer to see if the delegated admin can be identified. If you cannot see the user name in TestLogServer, please troubleshoot your DC Agent.
http://www.websense.com/support/article/t-kbarticle/v7-DC-Agent-does-not-see-some-or-all-users-1258048446442
---If you can see the user name in TestLogServer, then we need to troubleshoot the delegated admin account (for version 6.3, 7.0 and 7.1).
http://www.websense.com/support/article/kbarticle/Cannot-log-into-Manager-after-entering-new-Global-Catalog-server

Thank you for your patience, nana. If the above cannot resolve your issue, I suggest you raise a case with technical support.

|
Top 10 Contributor
453 Posts
Moderator

Sorry for my wrong v7 troubleshooting steps the first time, and thank you for sharing with us.
I am very glad to hear that your problem has been resolved. Thank you, nana.

|