[IAG] DingTalk authentication failed – Failed to obtain the user’s group – Export IP does not match
Problem Description
DingTalk authentication is configured, and only users in the customer's DingTalk organizational structure are allowed to authenticate. "Automatically obtain the user's group" is checked, and the authentication error is as follows:
413915d5570aa72ff6.png (544.27 KB)
Process——
-
Uncheck "Automatically obtain the user's group", the user's DingTalk authentication is normal, and the DingTalk authentication connection parameter configuration is normal;
-
Compare the parameters in the DingTalk program and determine that the parameter configuration of "Automatically obtain the user's group" is also normal;
-
The customer environment has multiple public network addresses, and the IP address of the IAG to access the external network is not fixed;
Root cause
After checking "Automatically obtain the user's group", you need to add the export IP address (the public network address used by IAG to access the DingTalk program) to the "Server export IP" of the DingTalk developer program;
solution
In the "Server Egress IP" of the DingTalk developer program, fill in all the egress IP addresses of the customer environment.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=7069&isOpen=true