We recently had to turn a couple of demo boxes into a two-client development environment for an overly aggressive PPS-P deadline. Both demo boxes were connected to the network and both were PPS-P Servers. We wanted to nominate a specific box as the PPS-P server for the build.
Typically, the one we nominated would not, for some reason, allow us to add domain users to the Users tab of the PAC, whereas the other one would.
We received the following (not particularly helpful) error message when attempting to add a domain-level user through PAC:
The following items cannot be saved
The total number of errors during submission is 1.
An unknown server error occurred when submitting User –
In our environment, both boxes were using LOCAL (but different) accounts as the Application Pool identity and the Planning Service Account Identity. When we changed the local identity accounts over to DOMAIN level accounts, we could add users on both boxes. It appears that the PPS-P web service needs access to the domain controller to check whether the user entered actually exists. In fact, it does a little more than that, as it also retrieves the user SID to store in the Planning database.
Note: In addition to changing the user to a domain account we had to ensure that account existed in the local IIS_WPG (IIS Worker Process Group) also.
But why, when using local accounts, would one server allow the addition of domain users and the other not? The answer was pass-through authentication! The server that worked under the local account was using an account and password combination that matched an account and password combination on the domain!
Nick Barclay posted about connection problems with PPS M&A a good while back and gave a great write-up of how to overcome the issues encountered. Now that's worth a read if you are not familiar with IIS Application pools and identity accounts, as the issues we encountered were related.
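The checks described above can be scripted. The following PowerShell is an added example, not code from the original post or from PerformancePoint: run as the identity under test, it reports whether that identity is a local account, whether it is in IIS_WPG, and whether it can resolve a domain user to a SID. It assumes the IIS 6 WMI provider is installed, and the account `EXAMPLEDOM\some.user` is a constructed placeholder.

```powershell
# Added diagnostic sketch; run it as the identity under test (for example via runas).
# $TestDomainUser is a constructed placeholder, not a value from the post.
param([string]$TestDomainUser = 'EXAMPLEDOM\some.user')

function Test-IsLocalAccount([string]$Account) {
    # Bare names, .\name and MACHINE\name are treated as local to this box.
    $parts = $Account -split '\\', 2
    if ($parts.Count -lt 2) { return $true }
    return ($parts[0] -eq '.' -or $parts[0] -ieq $env:COMPUTERNAME)
}

function Test-InLocalGroup([string]$Account, [string]$Group) {
    # WinNT provider: member ADsPaths end in DOMAIN/name or MACHINE/name.
    $suffix = '/' + (($Account -replace '^\.\\', "$env:COMPUTERNAME\") -replace '\\', '/')
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($path.ToLower().EndsWith($suffix.ToLower())) { return $true }
    }
    return $false
}

function Resolve-AccountSid([string]$Account) {
    # Name-to-SID lookup for a domain user has to reach the domain from this identity.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Running as        : $me"
"Local account     : $(Test-IsLocalAccount $me)"
"Member of IIS_WPG : $(Test-InLocalGroup $me 'IIS_WPG')"

$sid = Resolve-AccountSid $TestDomainUser
if ($sid) { "Resolved $TestDomainUser to $sid" }
else      { "Could not resolve $TestDomainUser from this identity" }

# IIS 6 application pool identities (AppPoolIdentityType 3 = configured user in WAMUserName).
Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting |
    Select-Object Name, AppPoolIdentityType, WAMUserName
```

A local account that still resolves the domain user is the pass-through case: its name and password match an account on the domain, which is worth flagging as a credential-reuse finding as well as a source of inconsistent behaviour between servers.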