Help troubleshooting Active Directory "Unauthorized" error in Rancher Server


I’m trying to set up Active Directory access control on my Rancher Server. I’ve entered all the details and all are correct to my knowledge. However, when I try to authorize my AD account all I get is the message “Unauthorized” and nothing else.

Obviously I’ve entered something wrong but I can’t see how to troubleshoot / debug this. Weirdly nothing is thrown in the server container’s logs (viewing via the docker logs command).

What’s the best way to get more info about the error?

Many Thanks,

Does this help?

@Ryuzaki probably means actual Active Directory, not Azure “let’s-make-an-identity-web-service-that-has-nothing-to-do-with-LDAP-and-call-it-Active-Directory-anyway-just-to-confuse-everyone”.

It is generally intentional that you don’t get any info back from an identity provider about why authenticating didn’t work. There are several steps involved in enabling Rancher access control though and we could be more helpful in telling you which part failed…

What is likely happening is the host/port/protocol are correct (or you would get a different message about communicating with LDAP), but the service account user/pass or the test user/pass at the bottom are wrong. First guess would be that there is an issue where the “default login domain” isn’t used for the service account, so you have to specify it, i.e. “Default Login Domain: MYCOMPANY”, “Service Account Username: MYCOMPANY\someaccount”.
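Because Rancher only reports “Unauthorized”, the quickest way to find out which of the two binds (service account or test user) is failing, and why, is to perform the same LDAP simple bind yourself against the domain controller. The script below is an added example, not Rancher code or anything from this thread: it hand-encodes an LDAPv3 BindRequest with the standard library only, sends it, and decodes the BindResponse. Active Directory answers every credential problem with resultCode 49 (invalidCredentials) but puts the real reason in the diagnosticMessage as a hex “data NNN” subcode, which the script translates. The host, port, DSID value and account names are placeholders/assumptions; the sample response bytes are constructed for offline testing.

```python
"""Minimal LDAPv3 simple-bind tester (stdlib only).

Added example, not Rancher's code. Use it to test the exact username form
(MYCOMPANY\\user, user@mycompany.local, or a full DN) and password that you
typed into Rancher's AD settings, and to see the DC's real error message.
"""
import re
import socket
import ssl


# ---- BER / LDAP encoding helpers (RFC 4511) ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _len(len(payload)) + payload


def _int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def build_bind_request(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    bind = _tlv(0x60, _int(3) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(msg_id) + bind)


def build_bind_response(msg_id, result_code, diag):
    """Constructed sample of what a DC returns; used only for offline testing of the parser."""
    resp = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode()))
    return _tlv(0x30, _int(msg_id) + resp)


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Extract (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, _, pos = _read_tlv(body, 0)            # messageID
    tag, resp, _ = _read_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = _read_tlv(resp, 0)         # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)          # matchedDN
    _, diag, _ = _read_tlv(resp, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


# AD-specific subcodes carried in "AcceptSecurityContext error, data NNN".
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or username in a form the DC does not accept)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def explain(result_code, diag):
    """Turn (resultCode, diagnosticMessage) into a one-line human explanation."""
    if result_code == 0:
        return "bind OK"
    m = re.search(r"data ([0-9a-f]+)", diag)
    if result_code == 49 and m:
        return "invalidCredentials: " + AD_SUBCODES.get(m.group(1), "unknown AD subcode " + m.group(1))
    return f"resultCode {result_code}: {diag or '(no diagnostic message)'}"


def try_bind(host, port, name, password, use_tls=False, timeout=5):
    """Open one connection, send one simple bind, return (resultCode, diagnosticMessage)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # LDAPS on 636; StartTLS on 389 is not implemented here
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_bind_request(1, name, password))
        data = b""
        while True:  # read until the outer LDAPMessage TLV is complete
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed connection before sending a BindResponse")
            data += chunk
            if len(data) >= 2 and _read_tlv(data, 0)[2] <= len(data):
                return parse_bind_response(data)


# Constructed sample (DSID/version values are made up) of an AD reply for a wrong password.
SAMPLE_AD_FAILURE = build_bind_response(
    1, 49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1")


if __name__ == "__main__":
    import sys  # usage: python bindtest.py dc.mycompany.local 389 'MYCOMPANY\someaccount' 'secret'
    host, port, name, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print(explain(*try_bind(host, port, name, pw, use_tls=(port == 636))))
```

Run it once with the service account and once with the test user, trying the `MYCOMPANY\account`, `account@mycompany.local` and full-DN forms in turn; a `data 52e` for one form and `bind OK` for another tells you exactly which username format the DC wants, which is the detail Rancher’s “Unauthorized” hides.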

Thanks for the reply Vincent. Indeed this is a local Active Directory and not Azure.

I’ve played about a bit more and I’m sadly not getting any further. The details work on other systems but without some logging I’m flying blind. I appreciate that this area is sensitive logging-wise though.

I am having the same issue and tried what @vincent was suggesting but still nothing.

@Ryuzaki did you ever make it work?


Same here :(

Tested with the latest Rancher version, but I can’t find any way to make it work.

PS: the configuration tested works perfectly in other tools, Portus for example.

Any clues perhaps ?


I finally solved this issue by setting:
Default Domain: empty

The login of the user needs to be like:

Hope this helps.


The proposed solution does solve the non-TLS configuration problem.

I’m having an issue with the TLS configuration and I did follow the steps provided in the link below.

I’ve also successfully configured gitlab to use the same AD.


I am trying to set up AD using a non-standard port. It does the initial validation of a test account, but when the information is saved the port is switched back to the standard “389” port instead of the specified value, and future authentications fail.
I am using the GA v.2.0.0 (rancher/rancher) release.

Is there a config file I can exec into the container and change so it picks up the correct default value, or some other workaround?

Posting under this thread as the error message is the same.