Attempting to authenticate to domain

We've been working on integrating the Macs into our Active Directory at a largely PC company, and one of our admins complained recently that the Macs attempt repeatedly to authenticate to the domain and fail, even though a user may be logged in and working just fine. He says this doesn't happen with the PCs running Windows and would like to make it stop.
I haven't the slightest idea what would be causing it but we've searched through the settings in Directory Access and cannot find anywhere to change this. Any pointers would be appreciated.
On a side note, I've noticed that LDAPv3 is on by default. Is that potentially the culprit here?

Is this page of any help? Or maybe this one?

Similar Messages

  • Windows Server 2008 R2: Server unable to authenticate with Domain Controller

    Hello, I was wondering what could be the reason for this error if it is certain that there was no other computer on the network using the same name:
    This computer could not authenticate with <Domain-controller>, a Windows domain controller for domain <Domain-name>, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized.
    What would cause the machine account pw to be 'not recognized'?

    You can track changes in AD by enabling AD Auditing: https://technet.microsoft.com/en-us/library/cc731764%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    As reading the logs is usually a complicated and time-consuming task, it is recommended to use a third-party tool for auditing. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • ZTIDomainJoin has attempted to join to domain [Domain.LOCAL] too many times. Count = 4_ZTIDomainJoin_25-6-2013 13:06:20_0 (0x0000)

    Hello,
    In my environment the domain join isn't working well.
    In the log : ZTIDomainJoin has attempted to join to domain [Domain.LOCAL] too many times. Count = 4 ZTIDomainJoin 25-6-2013 13:06:20 0 (0x0000)
    What can I do to fix this issue permanently?
    Thx

    The log you actually want to look at is %SystemRoot%\Debug\NetSetup.log. As Keith said, this file will tell you why a Domain Join is failing and should point you in the right direction to understand what's wrong. There's a good (but old) primer on debugging the issues here: http://technet.microsoft.com/en-us/library/cc961817.aspx
    David Coulter | http://DCtheGeek.blogspot.com |
    @DCtheGeek

  • Stuck on 'attempting to authenticate' connection i...

    I'm not quite sure what I've done, but would appreciate any support! I was trying to change my wireless key password to something more memorable, and thought I had done so successfully. I used my laptop to do this; I'm on Windows 8. However, what appears to have happened is that my laptop will not now connect to my Home Hub 5 and is stuck on 'attempting to authenticate'. All our other devices, iPads, iPhones etc. have remained connected with no problem at all. I cannot find a way to move past this point on my laptop and would appreciate any support people could offer to resolve this issue! Thanks!!

    Delete any existing connections on your laptop for the home hub, then rescan again, and connect with the new password, as Windows 8 is storing the old password in its settings, and trying to use that.

  • ISW 6.0 - repeated attempts to authenticate as "guest"

    I have a deployment of ISW 6.0. In my isw-broker log.txt file I repeatedly see the following:
    [14/Aug/2009:02:11:50 PDT] WARNING [B2130]: Login Failed:
    com.sun.messaging.jmq.auth.api.FailedLoginException: [B4068]: DN not found for user guest in repository ldap
    [14/Aug/2009:02:11:50 PDT] [B1066]: Closing: [email protected]:0->jms:0 because "java.io.IOException: Stream closed". Count: service=0 broker=6
    The corresponding searches for "guest" appear in my Directory Server access log as:
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=-1 msgId=-1 - fd=257 slot=257 LDAP connection from 172.16.1.188:45183 to 172.16.1.188
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000320 dn="cn=directory manager"
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=1 msgId=2 - SRCH base="ou=messagequeuecredentials,ou=globalconfig,ou=1.1,ou=identitysynchronization,ou=services,dc=xyz,dc=com" scope=2 filter="(cn=guest)" attrs="1.1"
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0.000320
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=2 msgId=3 - UNBIND
    [14/Aug/2009:02:11:50 -0700] conn=9686 op=2 msgId=-1 - closing from 172.16.1.188:45183 - U1 - Connection closed by unbind client -
    These are occurring about 1 every second. I can't seem to find where "guest" is configured. Any ideas on this?

    Are you sure you are using a Java 1.6 environment? If not, do so, since you may have unwanted side effects like display problems or keyboard input problems. So please uninstall and retry if you don't have a 1.6 Java JRE.
    Then, if you still get the same error, check your configuration directory. It should be started, so if you don't see any access (from the installation wizard) in the configuration directory access logs, it probably means that either your config. DS was not started when the wizard ran, or the wizard doesn't connect to the right host/port. Maybe the system cannot resolve your config. DS hostname (s0007), for example.
    If you see something in the (config. DS) access logs, please post it.
    If you're not sure which is your config. DS, you can identify it by its suffix (or at least one of them), which must be o=netscaperoot. So, just grep all your dse.ldif files for each DS instance you may have. One of them (and only one!) should have that suffix defined.
    I hope this helps.
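
Added example, not part of the original thread and not code from ISW or Directory Server: a Python script that correlates access-log lines in the format quoted in the question by `conn=`, so each repeated zero-result search is attributed to its client address and bind DN. It generalizes beyond the `(cn=guest)` case to any repeated empty search; the function names, the second client address and the `uid=` entries in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns follow the access-log layout quoted in the post above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$")
CONNECT_RE = re.compile(r"connection from (?P<ip>\S+):\d+ to ")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<flt>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=\d+ tag=(?P<tag>\d+) nentries=(?P<n>\d+)")


def empty_searches(log_text):
    """Map (client_ip, bind_dn, base, filter) -> timestamps of searches with nentries=0."""
    client, bind_dn, pending = {}, {}, {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if (c := CONNECT_RE.search(rest)):
            client[conn] = c["ip"]
        elif (b := BIND_RE.match(rest)):
            bind_dn[conn] = b["dn"].lower() or "(anonymous)"
        elif (s := SRCH_RE.match(rest)):
            pending[(conn, op)] = (s["base"], s["flt"])
        elif (r := RESULT_RE.match(rest)):
            # tag=101 is SearchResultDone; the BIND result (tag=97) also logs
            # nentries=0 and must not be counted as an empty search.
            srch = pending.pop((conn, op), None)
            if srch and r["tag"] == "101" and r["n"] == "0":
                ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
                key = (client.get(conn, "?"), bind_dn.get(conn, "(no bind)"), *srch)
                hits[key].append(ts)
    return dict(hits)


def summarize(hits, min_count=3):
    """Return one row per repeated empty search, most frequent first."""
    rows = []
    for (ip, dn, base, flt), stamps in hits.items():
        if len(stamps) < min_count:
            continue
        span = (max(stamps) - min(stamps)).total_seconds()
        rows.append({
            "client": ip, "bind_dn": dn, "base": base, "filter": flt,
            "count": len(stamps),
            "mean_interval_s": span / (len(stamps) - 1) if len(stamps) > 1 else None,
        })
    return sorted(rows, key=lambda row: -row["count"])


def conn_lines(conn, ts, ip, bind, base, flt, nentries):
    """Build one connect/BIND/SRCH/RESULT/UNBIND sequence in the quoted format."""
    p = f"[{ts}] conn={conn}"
    return [
        f"{p} op=-1 msgId=-1 - fd=257 slot=257 LDAP connection from {ip}:45183 to 172.16.1.188",
        f'{p} op=0 msgId=1 - BIND dn="{bind}" method=128 version=3',
        f'{p} op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000320 dn="{bind.lower()}"',
        f'{p} op=1 msgId=2 - SRCH base="{base}" scope=2 filter="{flt}" attrs="1.1"',
        f"{p} op=1 msgId=2 - RESULT err=0 tag=101 nentries={nentries} etime=0.000320",
        f"{p} op=2 msgId=3 - UNBIND",
    ]


# Constructed sample: three one-per-second "guest" lookups as in the post, plus
# one successful search and one isolated miss from a constructed second client.
MQ_BASE = ("ou=messagequeuecredentials,ou=globalconfig,ou=1.1,"
           "ou=identitysynchronization,ou=services,dc=xyz,dc=com")
PEOPLE = "ou=people,dc=xyz,dc=com"
SAMPLE_LOG = "\n".join(
    conn_lines(9686, "14/Aug/2009:02:11:50 -0700", "172.16.1.188",
               "cn=Directory Manager", MQ_BASE, "(cn=guest)", 0)
    + conn_lines(9687, "14/Aug/2009:02:11:51 -0700", "172.16.1.188",
                 "cn=Directory Manager", MQ_BASE, "(cn=guest)", 0)
    + conn_lines(9688, "14/Aug/2009:02:11:52 -0700", "172.16.1.188",
                 "cn=Directory Manager", MQ_BASE, "(cn=guest)", 0)
    + conn_lines(9689, "14/Aug/2009:02:11:52 -0700", "172.16.1.20",
                 "uid=app," + PEOPLE, PEOPLE, "(uid=jdoe)", 1)
    + conn_lines(9690, "14/Aug/2009:02:11:53 -0700", "172.16.1.20",
                 "uid=app," + PEOPLE, PEOPLE, "(uid=nobody)", 0)
)

if __name__ == "__main__":
    for row in summarize(empty_searches(SAMPLE_LOG)):
        print(row)
```

The client address and bind DN in each row show which host and which service identity issue the lookup, which narrows down where the queried name is configured.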

  • 7210 doesn't authenticate to secondary domain controller

    We've been testing a 7210 configured to authenticate to a domain controller's MS Active Directory. Our testing indicates that when our primary domain controller is offline, the 7210 does not attempt to authenticate to the secondary domain controller. I would have expected it to behave like any other device set to authenticate on our domain and to use the secondary controller if the primary domain controller becomes unavailable.
    Has anyone else noticed this behaviour and more importantly is there a way to configure the 7210 to ensure it will use the secondary if need be?
    Cheers.

    For others who may come across this we ended up putting a support call in to Sun. The answer from Sun is:
    "... have been informed that this is by design to occur like this. Many people don't believe it should so there is an RFE raised and development is occurring to resolve this under an internal bug."
    regards
    Stephen Meatheringham

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

  • Messages (Jabber) Refuses to Authenticate AD Users after 10.9.2/Server 3.0.3 update

    Once again, an update appears to have broken Messages/Jabber's ability to authenticate AD users after the 10.9.2/Server 3.0.3 update even though it was working well before. Hoping someone here has some ideas for how to help!
    I can log in just fine as a local user (e.g. [email protected]), but no luck with AD users (e.g. [email protected]). As always, it fails with no intelligible error message whatsoever:
    Mar  1 09:46:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] connect
    Mar  1 09:46:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] disconnect jid=unbound, packets: 0
    Mar  1 09:48:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] connect
    Mar  1 09:48:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] disconnect jid=unbound, packets: 0
    I reset the jabber server configuration as described here to no avail: https://discussions.apple.com/thread/5354428
    The DNS configuration looks good:
    changeip -checkhostname
    Primary address     = 10.0.17.15
    Current HostName    = comet.ADdomain.private
    DNS HostName        = comet.ADdomain.private
    The names match. There is nothing to change.
    dirserv:success = "success"
    The Jabber status from jabber:
    serveradmin fullstatus jabber
    jabber:state = "RUNNING"
    jabber:roomsState = "RUNNING"
    jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
    jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
    jabber:logPaths:JABBER_LOG = "/var/log/system.log"
    jabber:proxyState = "RUNNING"
    jabber:currentConnections = "0"
    jabber:currentConnectionsPort1 = "0"
    jabber:currentConnectionsPort2 = "0"
    jabber:pluginVersion = "10.8.211"
    jabber:servicePortsAreRestricted = "NO"
    jabber:servicePortsRestrictionInfo = _empty_array
    jabber:hostsCommaDelimitedString = "comet.ADdomain.private"
    jabber:hosts:_array_index:0 = "comet.ADdomain.private"
    jabber:setStateVersion = 1
    jabber:startedTime = "2014-03-01 17:39:06 +0000"
    jabber:readWriteSettingsVersion = 1
    Full jabber server startup log:
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: waiting for jabberd to finish startup...
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: loaded user table (1 users)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: couldn't open filter file /etc/jabberd/router-filter.xml: No such file or directory
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: jabberd service startup completed.
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/s2s[1787]: starting up (interval=60, queue=60, keepalive=0, idle=86400)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: initialized auth module 'apple_od'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: initialised storage driver 'sqlite'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'sess-end' (order 0 index 0 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-sess' (order 0 index 1 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-sess' (order 1 index 2 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'in-sess' (order 2 index 3 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=5347] listening for incoming connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [comet.ADdomain.private] configured; realm=comet.ADdomain.private, registration disabled, using PEM:/etc/certificates/mail.ADdomainbio.com.E41BBC081993E348B26181D9CB334A28137A8D8D.concat.pem
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [c2s] online (bound to 127.0.0.1, port 49353)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5222] listening for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5223] listening for SSL connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'in-sess' (order 3 index 4 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'in-sess' (order 4 index 5 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] set as default route
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] online (bound to 127.0.0.1, port 49354)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'in-sess' (order 5 index 6 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'in-sess' (order 6 index 7 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Starting up...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Loading persistent rooms from disk...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Finished loading rooms from disk
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Connecting to XMPP server at 'comet.ADdomain.private' as 'rooms.comet.ADdomain.private'...
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'in-sess' (order 7 index 8 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'in-sess' (order 8 index 9 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'in-sess' (order 9 index 10 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'in-sess' (order 10 index 11 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-sess' (order 11 index 12 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'in-sess' (order 12 index 13 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'in-router' (order 0 index 14 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-router' (order 1 index 1 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-router' (order 2 index 12 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-router' (order 3 index 2 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'out-router' (order 0 index 2 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-sm' (order 0 index 0 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'pkt-sm' (order 1 index 6 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-time' added to chain 'pkt-sm' (order 2 index 15 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'pkt-sm' (order 3 index 16 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-sm' (order 4 index 9 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-sm' (order 5 index 8 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'pkt-sm' (order 6 index 11 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'pkt-sm' (order 7 index 17 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'echo' added to chain 'pkt-sm' (order 8 index 18 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-sm' (order 9 index 12 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'pkt-user' (order 0 index 3 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-user' (order 1 index 12 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'pkt-user' (order 2 index 5 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-user' (order 3 index 9 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'pkt-user' (order 4 index 13 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'pkt-user' (order 5 index 4 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'pkt-user' (order 6 index 10 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-user' (order 7 index 0 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'pkt-router' (order 0 index 14 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-router' (order 1 index 8 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-load' (order 0 index 19 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'autobuddy' added to chain 'user-load' (order 1 index 20 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-load' (order 2 index 3 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster-publish' added to chain 'user-load' (order 3 index 21 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-load' (order 4 index 2 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-load' (order 5 index 4 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-create' (order 0 index 19 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'template-roster' added to chain 'user-create' (order 1 index 22 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-delete' (order 0 index 19 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'user-delete' (order 1 index 11 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'user-delete' (order 2 index 10 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-delete' (order 3 index 2 seq 4)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-delete' (order 4 index 3 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-delete' (order 5 index 4 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'user-delete' (order 6 index 0 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'user-delete' (order 7 index 7 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'user-delete' (order 8 index 5 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'disco-extend' (order 0 index 16 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'disco-extend' (order 1 index 17 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: version: jabberd sm 2.2.17-409
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: [comet.ADdomain.private] configured
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [sm] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: sm ready for sessions
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [comet.ADdomain.private] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] connect
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] authenticated as proxy65.comet.ADdomain.private
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [proxy65.comet.ADdomain.private] online (bound to 127.0.0.1, port 49356)
    Mar  1 09:52:23 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] connect
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] authenticated as rooms.comet.ADdomain.private
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [rooms.comet.ADdomain.private] online (bound to 127.0.0.1, port 49357)
    Mar  1 09:52:24 comet.ADdomain.private Rooms[1792]: Successfully connected to XMPP server, ready for activity
    I am not sure if it's attempting to authenticate to AD or not, and if so, why it might be failing. Any suggestions would be greatly appreciated!

    uscadvit wrote:
    Here is the output without the name of our AD:
    Advanced Options - User Experience
      Create mobile account at login = Disabled
         Require confirmation        = Enabled
      Force home to startup disk     = Enabled
         Mount home as sharepoint    = Enabled
      Use Windows UNC path for home  = Enabled
         Network protocol to be used = smb
      Default user Shell             = /bin/bash
    Advanced Options - Mappings
      Mapping UID to attribute       = not set
      Mapping user GID to attribute  = not set
      Mapping group GID to attribute = not set
      Generate Kerberos authority    = Enabled
    Advanced Options - Administrative
      Preferred Domain controller    = not set
      Allowed admin groups           = not set
      Authentication from any domain = Enabled
      Packet signing                 = allow
      Packet encryption              = allow
      Password change interval       = 14
      Restrict Dynamic DNS updates   = not set
      Namespace mode                 = domain
    That looks correct. Let's collect a few more config items.
    Copy / paste the output of this command when run against c2s.xml:
    sudo grep '<id require-starttls="true" pemfile="' /Library/Server/Messages/Config/jabberd/c2s.xml
    Ours looks like this:
    <id require-starttls="true" pemfile="/etc/certificates/chat.example.com.1234567890.concat.pem" private-key-password="12345678-1234-1234-12345678" cachain="/etc/certificates/chat.example.com.1234567890.chain.pem" realm="example.com">example.com</id>
    Copy / paste the output of this command when run against sm.xml. To give us context, it will display the 6 lines above and below the text:
    sudo grep -C 6 'If not set, the SM id is used. -->' /Library/Server/Messages/Config/jabberd/sm.xml
    Ours looks like this:
    <!-- Local network configuration -->
    <local>
        <!-- Who we identify ourselves as.
             Users will have this as the domain part of their JID.
             If you want your server to be accessible from other
             Jabber servers, this IDs must be FQDN resolvable by DNSes.
             If not set, the SM id is used. -->
        <id>example.com</id>
        <!--
        <id>vhost1.localdomain</id>
        <id>vhost2.localdomain</id>
        -->
    </local>
    Copy / paste the output of this command:
    sudo serveradmin settings jabber
    Ours looks like this:
    jabber:dataLocation = "/Library/Server/Messages"
    jabber:s2sRestrictDomains = no
    jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
    jabber:sslCAFile = "/etc/certificates/chat.example.com.1234567890.chain.pem"
    jabber:jabberdClientPortTLS = 5222
    jabber:sslKeyFile = "/etc/certificates/chat.example.com.1234567890.concat.pem"
    jabber:initialized = yes
    jabber:enableXMPP = no
    jabber:savedChatsArchiveInterval = 7
    jabber:authLevel = "STANDARD"
    jabber:hostsCommaDelimitedString = "example.com"
    jabber:jabberdClientPortSSL = 5223
    jabber:requireSecureS2S = no
    jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
    jabber:enableSavedChats = no
    jabber:enableAutoBuddy = yes
    jabber:s2sAllowedDomains = _empty_array
    jabber:logLevel = "ALL"
    jabber:hosts:_array_index:0 = "example.com"
    jabber:eventLogArchiveInterval = 7
    jabber:jabberdS2SPort = 0
    Also, while you're troubleshooting, I found Adium's debug window to be invaluable for showing errors during logon (even if you plan to use Messages).
    You can open it in debug mode by holding option + click Adium.app, select "start in debug mode". Then in Adium menu > Debug window.

  • Why is Domain required for an identity in the FIM Service?

    I have a scenario where FIM is managing identity, but not all identities have an Active Directory account. I have a flag in the FIM Portal (Service) that indicates if a particular
    user is entitled to an AD account or not. My provisioning setup adds or removes the AD account as appropriate. To support FIM Portal activities for those that do have AD accounts, I populate AccountName, Domain, and ObjectSID in the FIM Service from their
    corresponding attributes in AD.
    What I have noticed is that it does not seem possible to null out or delete the Domain attribute for a user in the FIM Service. I can delete the attributes for both AccountName
    and ObjectSID without issues.
    When attempting to remove the Domain attribute for a user I get the following in the event logs:
    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Procedure or function 'GetDomainConfigurationIdentifiersFromDomain'
    expects parameter '@domainName', which was not supplied.
    I assume that something internal to the FIM Service is trying to do some magic with validating the domain name and the domain configuration. I did find a post saying, “Yeah,
    you have to populate Domain”:
    http://social.technet.microsoft.com/Forums/en-US/f207caa9-3a6f-4f2d-8461-a83777280803/fim-service-ma-export-failedmodificationviawebservices-error?forum=ilm2
    My question is why is Domain required for a user? It is obviously needed for users that have AD accounts and must authenticate with the Portal, but in the case where a user
    does not have an account (and therefore does not have a domain), it feels odd to store the incorrect data for the user. It also looks weird when you bring up list of users in the portal and see domain values for users that do not have accounts. In this particular
    case, the client has many domains and does have the Domain and AccountName attributes displayed on the user search results page.

    Hi Henry,
    Using another domain attribute and workflow to maintain the actual Domain and DomainConfiguration is a good suggestion, thanks.
    My original question still stands however... Why is Domain required in the FIM Service?
    It is sounding like the answer is "It is not really required on its own, but there is an internal process that requires it if there is a value for DomainContext set (and there is some magic that sets DomainContext, so you have to manually clear it.)"
    Since DomainContext is automatically set when a client writes a value to Domain. I would suggest that it is a bug that DomainContext is not automatically cleared when Domain is cleared.
    I poked around a bit and the bug can be fixed by changing the stored procedure definition to allow null parameters. In the FIM Service database the stored procedure [fim].[GetDomainConfigurationIdentifiersFromDomain] has a parameter declaration of "@domainName NVARCHAR(448)".
    If this is changed to "@domainName NVARCHAR(448) = null" the problem appears to be solved.
    Making this change would of course be totally unsupported, but perhaps it can be included in a future product update.
    For now I will use Henry's workaround, or just live with potential out of date Domain data.
     Thanks

  • Same username and password in different domain cannot be auth.

    I created 2 domains with a user created into each domain. The users have same username and password, like below
    Domain1: user1 (password)
    Domain2: user1 (password)
    Then I create 2 policy sets
    PolicySet1 with Domain1 and add a policy (called Policy1)  with user1 from Domain1 and proper permissions
    PolicySet2 with Domain2 and add a policy (called Policy2) with user1 from Domain2 and proper permissions
    Now I apply policy1 to a document to form a secured document called SecuredDoc1.pdf
    Then I apply policy2 to a document to form a secured document called SecuredDoc2.pdf
    I open SecuredDoc1.pdf, and try to authenticate with user1 (password), I can successfully open the document
    I open SecuredDoc2.pdf, and try to authenticate with user1 (password), I can NOT open the document.
    Is this a bug? Does RightManagement authenticated with domain id?
    Thanks

    Although LiveCycle will allow you to create two users with the same user ID (each in different domains) it is not recommended for the reason you are experiencing.  The domain is not used in the authentication, LiveCycle attempts to authenticate with the first user id it locates that matches the supplied user id.
    In your example, The first instance of "user1" that LiveCycle is finding happens to be part of "Domain1", this is why SecuredDoc1.pdf can be opened and SecuredDoc2.pdf can't be opened (the user1 that is a member of the policy applied to the second document is not the user that has been authenticated).
    You need to keep all user ids unique.
    Regards
    Steve

  • ISE and 3850 3.2.2SE - Authenticating Wrong Domain and More

    Hi everyone,
    Have been forced in to accepting the new session aware networking commands and I am running in to a few issues. I finally have a service policy that is authenticating dot1x and MAB (we use EAP-TLS for the desktop and MAB for the phone), however I am experiencing two major issues:
    When attempting to authenticate both devices, the port has a port-security issue and moves to an err-disabled state.
    When attempting to authenticate just the phone with the service-policy, the phone is authenticated in to the data domain. However, if I use a service-policy that authenticates just MAB the phone will be correctly authenticated in to the voice domain.
    Can anyone give me some pointers in the right direction? Attached is the interface configuration and service-policy I'm using.
    Thanks,
    Mark

    Hi salodh,
    Please find attached the following:
    1-Device.txt = The output when only authenticating MAB and one device. As you can see it starts unauthorized and once authorized remains on the data domain despite receiving the correct service template I have configured that allows voice domain access.
    2-Devices.txt = This is what occurs when authenticating both dot1x and mab in a sequential manner for two devices. Once the second device is authenticated there is no access session for it, as you can see the port is put in to an err-disabled state.
    Thanks,
    Mark

  • Block Based replication of Domain Controllers to DR site

    I have to bring up a business critical application at a DR site using the same hostname and IP address as in production site. For this purpose, I plan to use a block replication software to replicate data from production servers to a SAN at the DR site.
    For DR invocation or testing, I am planning to take a snapshot from the SAN, create virtual disks and attach them to newly created VM's at the DR site.
    This application depends on Active Directory and hence I need to have a domain controller at the DR site. If I create a new domain controller for the DR site, as it will be in a separate IP subnet, it will have to be in a separate AD site and the application
    servers will not be able to use this domain controllers, as they will look for domain controllers in their AD site (which is from the production site). If I put the domain controller in the same IP subnet as the application servers, the same IP subnet has
    user workstations and hence user authentication requests from production site will start coming to the DR site across the WAN.
    In this scenario, I am proposing to replicate the domain controllers also from the production site to the DR site, like the application servers. But I am not sure if block replication of production DC's to DR site and then when required for testing/invocation,
    can we create a new VM and attaching virtual hard disks with the replicated data, will bring these VM's up as domain controllers in the DR site or will they have any negative effects ? Would this be a supported solution ? Any response will be highly appreciated.
    Thanks in advance.

    You don't want to run any type of duplicated software to clone the DC, that is a bad idea.  You could end up with lingering objects and/or Directory Service corruption. 
    If you want the DC's to exist in the same subnet then you are in a quandary.  You can start to modify srv records so the DC won't authenticate clients (but you will have to manually change that at DR time).
    I have a Blog that talks about lag site replication that blocks clients from ever attempting to authenticate to the DC, you should be able to use this same logic.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2013/05/14/how-to-build-an-ad-replication-delay-lag-site.aspx
    You will want to create yourself a group policy that prevents the DC in the DR site from registering records that will advertise itself as an authenticating DC.  If you need to use the DR site, you will need to remove the gpo and either reboot the DC
    or run a gpupdate and restart NetLogon on the DC so it will register the records so the clients can then use this DC.
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Network Policy Server: No Domain Controller Available

    When attempting to configure our domain controller as a Network Policy Server, I am receiving an error message stating that there is no domain controller available for domain K12.TX.US (which is the NETBIOS name of our domain).
    The Full DNS Name of our Domain is : nederland.k12.tx.us
    Log Name:      System
    Source:        NPS
    Date:          3/7/2014 12:55:51 PM
    Event ID:      4402
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ADMIN-PDC.nederland.k12.tx.us
    Description:
    There is no domain controller available for domain K12.TX.US.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NPS" />
        <EventID Qualifiers="49152">4402</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-07T18:55:51.000000000Z" />
        <EventRecordID>84518</EventRecordID>
        <Channel>System</Channel>
        <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
        <Security />
      </System>
      <EventData>
        <Data>K12.TX.US</Data>
      </EventData>
    </Event>
    Please help, as I believe that this is causing the following error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/7/2014 12:55:51 PM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ADMIN-PDC.nederland.k12.tx.us
    Description:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: NULL SID
    Account Name: abusby
    Account Domain: K12.TX.US
    Fully Qualified Account Name: K12.TX.US\abusby
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 00-19-92-0C-E4-E9:NISD_Testing
    Calling Station Identifier: B8-E8-56-A8-D4-D9
    NAS:
    NAS IPv4 Address: 10.250.1.15
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 0
    RADIUS Client:
    Client Friendly Name: Testing Access Point
    Client IP Address: 10.250.1.15
    Authentication Details:
    Connection Request Policy Name: BlueSocket Wireless Connections
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: ADMIN-PDC.nederland.k12.tx.us
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 7
    Reason: The specified domain does not exist.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-07T18:55:51.061488000Z" />
        <EventRecordID>3106129068</EventRecordID>
        <Correlation />
        <Execution ProcessID="584" ThreadID="4712" />
        <Channel>Security</Channel>
        <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">abusby</Data>
        <Data Name="SubjectDomainName">K12.TX.US</Data>
        <Data Name="FullyQualifiedSubjectUserName">K12.TX.US\abusby</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">00-19-92-0C-E4-E9:NISD_Testing</Data>
        <Data Name="CallingStationID">B8-E8-56-A8-D4-D9</Data>
        <Data Name="NASIPv4Address">10.250.1.15</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">Testing Access Point</Data>
        <Data Name="ClientIPAddress">10.250.1.15</Data>
        <Data Name="ProxyPolicyName">BlueSocket Wireless Connections</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">ADMIN-PDC.nederland.k12.tx.us</Data>
        <Data Name="AuthenticationType">PEAP</Data>
        <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">7</Data>
        <Data Name="Reason">The specified domain does not exist.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    Yes I did see that article, and there are plenty of logs from another device that authenticates via RADIUS. Requests from our 802.1x wireless network are giving the "the specified domain does not exist" error. I can enter the username as username, username@domain, or domain\username and neither method fixes the error.
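For triaging the 6273 denials posted in this thread, the sketch below is an added example (not part of the original posts and not Microsoft tooling). It parses the Event XML form of the record, pulls out the fields that matter for a realm problem, and compares the domain the client supplied with the DNS domain of the NPS host. The function names and the `domain_relation` labels are hypothetical, and the comparison is only a heuristic for spotting mismatched realms.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of the 6273 event posted above.
SAMPLE_6273 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2014-03-07T18:55:51.061488000Z" />
    <Computer>ADMIN-PDC.nederland.k12.tx.us</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">abusby</Data>
    <Data Name="SubjectDomainName">K12.TX.US</Data>
    <Data Name="CallingStationID">B8-E8-56-A8-D4-D9</Data>
    <Data Name="ClientName">Testing Access Point</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="ReasonCode">7</Data>
    <Data Name="Reason">The specified domain does not exist.</Data>
  </EventData>
</Event>"""


def parse_nps_denial(event_xml):
    """Return triage fields for one 6273 event, or None for any other event ID."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6273":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    created = root.find("e:System/e:TimeCreated", NS)
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    # DNS domain of the NPS host: everything after the first label of its FQDN.
    server_domain = computer.partition(".")[2].lower()
    supplied = data.get("SubjectDomainName", "").lower()
    if supplied == server_domain:
        relation = "match"
    elif supplied and server_domain.endswith("." + supplied):
        relation = "parent-suffix"   # e.g. k12.tx.us vs nederland.k12.tx.us
    else:
        relation = "unrelated"       # NetBIOS name, other realm, or empty
    return {
        "time": created.get("SystemTime", "") if created is not None else "",
        "user": data.get("SubjectUserName", ""),
        "supplied_domain": supplied,
        "server_domain": server_domain,
        "domain_relation": relation,
        "client": data.get("ClientName", ""),
        "auth_type": data.get("AuthenticationType", ""),
        "reason_code": int(data.get("ReasonCode") or -1),
        "reason": data.get("Reason", ""),
    }


def summarize(events_xml):
    """Count denials per (reason code, supplied domain, RADIUS client)."""
    counts = Counter()
    for xml_text in events_xml:
        rec = parse_nps_denial(xml_text)
        if rec is not None:
            counts[(rec["reason_code"], rec["supplied_domain"], rec["client"])] += 1
    return dict(counts)
```

Feeding it the exported Event XML of several denials shows at a glance whether every reason-code-7 rejection carries the same supplied domain and comes from the same RADIUS client.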

  • Joining Windows 2012 Server to SBS 2011 Domain

    Hi All,
    I have been trying to get a new Windows 2012 Server to join a SBS 2011 domain. The error message I am getting is:
    The following error occurred attempting to join the domain: xxxx. The specified domain does not exist or could not be contacted.
    I have a bunch of other Windows 7/XP workstations that have joined successfully. I have also tried disabling TCP/IP v6 on the 2012 server and joining the domain with the netdom command. The SBS 2011 server is listed as the primary DNS server on the 2012
    server.
    What else can I try here?
    Thanks,
    DR.

    I am having the same issue as the OP. I have my DNS settings pointing to the sbs server that hosts the domain and DNS. I am receiving the same error.
    Server 2012 R2 Standard
    SBS 2011 Essentials
    Jerry T

  • Can't Authenticate in LDAP directory after upgrade from 10.4.11 to 10.5.1

    Hi, all
    Yesterday I tried to upgrade my Xserve Intel from 10.4.11 Tiger to 10.5.1 Leopard Server.
    On my server there are these services:
    -AFP
    -DNS
    -SMB
    -Open Directory Master
    - XSAN Primary MDC
    All works fine, but when I try to access the LDAP directory with Workgroup Manager I can't authenticate with "diradmin". This happens on the local machine and with a remote Workgroup Manager connected to the server.
    I have tried with the "root" user and I was able to authenticate for some time (5-15 min.); after that it's impossible to access with any user.
    The clients still authenticate with user and password on all computers, with 10.5.1 and 10.4.11 workstations, but now I want to add some new users and I can't do that!!!!!
    So for now I have restored my old 10.4.11 Server Tiger, but I wish to know if someone has tried the new 10.5.2 server upgrade and maybe there is some kind of fix for this problem.
    Thanks in advance

    After posting on numerous message boards, and no one having an exact answer, but several making plenty of great suggestions, I think I've finally figured out the cause of this issue or at least part of the cause.
    Within 'Server Admin', select "Open Directory",
    under: Settings > Policy > Binding
    there are six check boxes under "Security"... for testing kerberos, I have been checking the first four boxes, which are:
    1. disable clear text passwords
    2. digitally sign all packets (requires Kerberos)
    3. encrypt all packets (requires ssl or kerberos)
    4. block man-in-the-middle attacks (requires kerberos)
    through troubleshooting this myself, and doing each change, followed by a server reboot, then immediately attempting to authenticate to /LDAPv3/127.0.0.1/, it seems that enabling some, or some combination of these Security settings triggers Workgroup Manager to not accept the diradmin password.
    referring to the numbers above (1 through 4)...
    2 or 4 by themselves fails
    1 and 3 together fails
    I haven't gone beyond that for testing and don't know what other combinations work or fail.
    I don't know if there is something beyond this that is specific to my configuration or environment that plays a part in this failing. All I know is that turning off all Security checkboxes in this section fixes the problem.
    I wonder if anyone who has never seen this problem can try this on their 10.5.2 Server and see if they are still able to authenticate as their diradmin to WGM. Regardless, seems that this is a WGM bug to me, right?
    if you are having this problem, uncheck all of these boxes and then reboot before trying to authenticate.
