SAP ECC 6.0 / Active Directory Password synchronization

Similar Messages

• Active Directory password change error

  I have about 10 Macs running 10.4.11 that are bound to Active Directory (Windows 2000 Server).
  Users see the warning that their password is about to expire. However, for users who have a local account on the machine, when they attempt to change their password via System Prefs, only the local password is changed - the Active Directory password remains unchanged.
  For users who do not have a local account on the machine, this error occurs:
  "You cannot change your password to the password you entered. Your system administrator may not allow you to change your password or there was some other problem with your password."
  We have the following password requirements in place via Group Policy: complexity, length, min age (2 days), max age (90 days), history (last 4 remembered).
  Oddly, I myself am able to change my Active Directory password just fine via System Prefs. Thinking it was a permissions issue, I created an account with the same AD permissions as mine, but no dice. Oddly, I logged into a different Mac and attempted to change my password there, but received the above error. So not only am I the only one able to change their password, but I can only do this on one of the computers.
  Can anyone explain what exactly happens after you click the "change password" button, in terms of what kind of request is sent to our domain controller, and how the domain controller handles that? I'm hoping maybe that will help me to understand what is going wrong.
  Thanks.

  count me in on the issue as well. this has not always been the case for us. the console shows the directory services crashing and making a crash report. i'd really appreciate a fix for this.
  Below is the activity from the console log upon attempting to change the pass.
  12/8/08 12:19:17 PM ReportCrash[1045] Formulating crash report for process DirectoryService[857]
  12/8/08 12:19:17 PM com.apple.launchd[1] (com.apple.DirectoryServices[857]) Exited abnormally: Segmentation fault
  12/8/08 12:19:17 PM DirectoryService[1046] Launched version 5.5 (v514.23)
  12/8/08 12:19:17 PM DirectoryService[1046] Improper shutdown detected
  12/8/08 12:19:17 PM ReportCrash[1045] Saved crashreport to /Library/Logs/CrashReporter/DirectoryService2008-12-08-121916localhost.crash using uid: 0 gid: 0, euid: 0 egid: 0
  12/8/08 12:19:21 PM com.apple.DirectoryServices[1046] Enter machine password:
  12/8/08 12:19:22 PM com.apple.DirectoryServices[1046] Enter machine password:
  12/8/08 12:19:24 PM com.apple.DirectoryServices[1046] DNS update failed!
  12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] DirectoryService(1046,0xb031c000) malloc: * error for object 0x94de1a40: Non-aligned pointer being freed (2)
  12/8/08 12:19:39 PM DirectoryService[1046] DirectoryService(1046,0xb031c000) malloc: * error for object 0x94de1a40: Non-aligned pointer being freed (2)
  * set a breakpoint in mallocerrorbreak to debug
  12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] * set a breakpoint in mallocerrorbreak to debug
  12/8/08 12:19:39 PM DirectoryService[1046] Failed to changed computer password in Active Directory domain calacademy.org
  12/8/08 12:19:39 PM com.apple.DirectoryServices[1046] Enter machine password:
  12/8/08 12:19:40 PM com.apple.DirectoryServices[1046] Successfully registered hostname with DNS

• Connector for Active Directory Password Sync

  Friends,
  We have some questions about the Connector for Active Directory Password Sync:
  1. There is a need to extend the AD schema when using this connector.
  2. If I have 10 domain controllers and are not synchronized, the documentation tells us to install the dll in each domain controller. Is there any way to do this if necessary, to install this dll in a single domain controller?
  Thanks for your help.
  regards

  Definitely:
  For your Point-1 Look for the Preinstallation section in the AD Password Sync Connector Guide which talks nothing about extending AD schema which supports the validity of the statement.
  For your Point-2 Look for Metalink Article-432727.1 which confirms that the connector has to be installed on all the DC's
  Thanks
  SRS

• OSX 10.8.2 Change expired Active Directory password at logon screen doesnt work

  Hello
  My system:
  MacBook Pro 2012
  OSX 10.8.2
  I have a problem with changing e expired Active Directory password at the logon screen.
  If i type in the old and the new passwort, it appears a message with following text:
  "The password does not meet the requirements of the server"
  Even if i type in a password like Tes0t!*2013, the message appears and i can not
  change the password.
  I have already disabled the "password must meet the password complexity requierements" policy in our default domain policy.
  Does anyone know how to solve this problem?
  Thanks.
  Dani

  Safe Boot , (holding Shift key down at bootup), use Disk Utility from there to Repair Permissions, test if things work OK in Safe Mode.
  Then move these files to the Desktop...
  /Users/YourUserName/Library/Preferences/com.apple.finder.plist
  /Users/YourUserName/Library/Preferences/com.apple.systempreferences.plist
  /Users/YourUserName/Library/Preferences/com.apple.sidebarlists.plist
  /Users/YourUserName/Library/Preferences/com.apple.desktop.plist
  /Users/YourUserName/Library/Preferences/com.apple.recentitems.plist
  Reboot & test.
  PS. Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive.

• Oracle account and microsoft active directory password synchronisation

  Hi
  We are migrating our application to use windows active directory authentication. We have separate oracle account for
  each logged in user in the application, and these oracle credentials have to be the same as the windows active directory
  credentials.
  Also, a password change on windows Active directory should change the oracle account password.
  Is there a tool available to manage and synchronize the microsoft active directory and oracle account.
  We use oracle 10g and application is hosted on Windows 2008 server.
  Thanks
  Karthik

  There's an OOTB connector for Password Synch between AD -> OIM. Please use that.
  http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
  For password synch, OIM- AD/Oracle, you can use triggers.
  Enabling update for provisioned user in OIM11g

• How can I configure ECC6.0 to use LDAP (Active Directory) password

  We're setting up an integrated authentication between the ECC 6.0 and the LDAP server, in our case the Microsoft Active Directory. We have some users that can't use WebGui because some features, that only run in the SapGui. We have already configured UME in the Sap Portal accessing directly the ADS server, and Sap Logon Ticket from Portal to ECC. Everything is ok to access the WebGui and SapGui by the Portal with the Sap Logon Ticket. However it demands that all users make the authentication previously in the Sap Portal. Is there another scenario only with SAP tools, for example using Sap Logon directly to the Active Directory. Obs.: Our entire sap servers are UNIX.

  I had already read all these notes.
  In the last week, I tried to configure the UME in our PI/XI environment to access the LDAP. As the result, the ABAP stack was perform the authentication perfectly above the LDAP. However I had some problems with the Java stack and I comeback the back. I will try it, in the next week again.
  It's what I'd like to ECC environment. Anyone has already configured the UME in an ECC? Install a basic Java stack without all Java components only the UME in order to make this integration. If it’s possible I’ll very appreciate any documentation.
  Other problem is the limitation of datasource in the UME, I didn't remember exactly but I guess that is only 5 (Authorization in the ECC, BI, SolMan, PI, APO, CRM, LDAP, Portal, etc). If it's possible I'll group the environments in different UME managers. Forget this paragraph lets focus in the integrated authentication in this thread after that authorization.

• Unable to change Active Directory password on OSX

  I'm working IT in a Windows environment with Active Directory services. We have some Macs in the environment, mostly running 10.8, but all definitely running 10.6.8 or later.
  The issue lies with changing passwords. When a user attempts to change his password in the Users & Groups pane of System Prefs, it will throw an error about either complexity, systems admin permission, or some other issue. THESE PASSWORDS DO MEET ALL COMPLEXITY REQUIREMENTS AND THEY ARE ALLOWED TO CHANGE THEIR OWN PASSWORDS.
  I obviously need to look further into the user accounts but for the most part they are mobile accounts and the machine is on the domain before the specific user account is ever created. Also Keychain access is set to sync with account.
  The only solution I've been able to come up with is to reset the users password back to their old password through AD.
  I don't even know where to begin to resolve this issue, the ideal solution is that a user can change their password in OSX and have it populate across the domain just like it does on Windows.
  Help!!! 
  Thanks for your time.

  you may want to try the forums at http://www.macwindows.com

• SSO All SAP solution with windows Active directory

  Dear Experts,
  We have multiple sap solution like
  SAP ERP EHP7
  SAP BW
  SAPBO
  SAP EES/MMS
  SAP Solution Manager
  And all solutions based on Operating system AIX and database is DB2
  We want to configure SSO ( using windows 2012 active directory users ) with all above systems and it's clients.
  Kindly guide me how to achieve SSO using Windows 2013 active directory users.
  DO we need LDAP between Active directory and all servers ?
  we need additional SAP license
  please guide me
  Regards

  Hello
  You can use SAP Single Sign-on 2.0 solution by SAP to integrate all your systems with SSO. The solution contains all what is required for configuring SSO in SAP ABAP and Java Systems. To know more, you may refer:
  1. SAP NetWeaver Single Sign-On 2.0 – SAP Help Portal Page
  2. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 1/4 - YouTube
  3.Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube
  4.  Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 3/4 - YouTube
  5. Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 4/4 - YouTube
  You will have to buy license for SAP Single Sign-on 2.0.
  Regards,
  Tapan

• SAP IDM with MS Active Directory (OU names in Arabic)

  Dear Gurus,
  With SAP IDM , we need to integrate with MS Active directory such a way that SAP IDM only fetches users who have “SAP” in one of the AD field. That means do not read entire AD but only fetches users in SAP who have “SAP” tagged in one of the AD field.
  Is it possible ? We tried that in SAP LDAP connector but its not possible in LDAP connector in SAP as LDAP connector is reading through all the users in our CUA system.
  Question is it possible through SAP IDM that we use some thing (maybe  BAPI) to restrict users and do not read all users but only users having “SAP” in one of the AD field.
  Also note that our AD has some OU's name in Arabic.
  Regards,

  If you want to filter this in the ADS Initial Load job then you can modify the repository LDAP Filter:
  (&(objectclass=person)(orgUnit=SAP))
  Replace orgUnit=SAP with your your attribute and tag.
  Br,
  Chris

• LDAP bindError: Active Directory Password Filter is not working

  Hi,
  I have setup the OID Server in SSL mode by following the instruction given in OIM Admin
  Guide.
  I am able to bind the OID using ldapbind from OID server and ldapbindssl from system on which AD is install.
  but in the logs of Password Filter where AD is present following Error logs.
  "LDAP bindError"
  Server Unavailable
  OR
  Unable to connect to OID
  I am using OID 10.1.2 on which Portal is install and using Active Directory 2003.
  I also tried with Active Diectory 2000.but getting same message.
  Regards,
  RB

  Hi,
  run the AD Pwd filter installer again, and make sure you provide the correct full hostname of the OID server, and also "cn=orcladmin" as the OID user and the password.
  It happens sometimes that the installer does not write the correct values to the windows registry and so the PWD Filter does not get the correct information.
  If ldapbindssl is working then the pwd filter will work also, if the correct information is in the registry.
  The values are stored in the registry on:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\orclidmpwf
  Best regards,
  Octavian

• Active Directory & password expiry

  Hello,
  I'm testing Sun Secure Global Desktop software 4.2 with active directory login authority but Ihave some problems with the password expiry.
  Ifollowed the instructions in manual step by step, but I'm experiencing errors and the password expiry doesn't work at all.
  Here's my krb5.conf file:
  [libdefaults]
  default_realm = DMZ2.ZUCCHETTI.IT
  default_checksum = rsa-md5
  kdc_timesync = 1
  udp_preference_limit = 1
  [realms]
  DMZ2.ZUCCHETTI.IT = {
  kdc = eracle.dmz2.zucchetti.it
  kdc = eraclebk.dmz2.zucchetti.it
  admin_server = dmz2.zucchetti.it
  kpasswd_protocol = SET_CHANGE
  [domain_realm]
  .dmz2.zucchetti.it = DMZ2.ZUCCHETTI.IT
  dmz2.zucchetti.it = DMZ2.ZUCCHETTI.IT
  and my Sun Secure Global Desktop software error log:
  2006/01/20 15:09:32.822 (pid 2036) server/login/error #1137766172822
  Sun Secure Global Desktop Software (4.2) ERROR:
  Unable to change the password for user .../_service/sco/tta/ldapcache/CN=test8,OU=ASP Commercialisti,D
  C=DMZ2,DC=ZUCCHETTI,DC=IT.
  Users will be unable to change their passwords.
  Ensure that the AD connection is correctly configured ( admin_server
  setting and "kpasswd_protocol = SET_CHANGE" in krb5.conf, as appropriate),
  and that the new password passes any directory server constraints.
  In my krb5.conf file, I forced the use of TCP, instead of UDP ( line udp_preference_limit = 1) and I opened all the required TCP ports in my firewall.
  I even looked at firewall log and I've noticed that no traffic UDP is filtered.
  What's wrong with my configuration?
  Can you help me, please?
  Many Thanks

  Any news on this? We are experiencing the same issue.
  Also, when an AD passwd is expired and OS X is locked, the users are unable to logon as they get no prompt to enter a new password.
  Only options then  isto hard reset the MAC, at the logon screen, they do get a prompt to enter a new password.

• Can't change Active Directory password

  I have a PowerBook that has successfully bound to an Active Domain (the server is running Serve 2003). When I try to change my password from the Accounts preference pane it rejects my password as not following the rules for a valid password. The problem is that I am following the rules and the password should be valid. Is there something I'm missing, or is there a binding option I should or shouldn't be using?
  Thanks

  Chances are that you're actually not following the password complexity rules. Your IT folks may not have told you every little exception. I'll give you what I consider to be the common rules:
  1. Must be at least eight (8) characters long.
  2. Must contain at least one UPPER case letter.
  3. Must contain at least one lower case letter.
  4. Must contain at least one number (0-9) or a symbol created by SHIFTing a number ( Shift 0-9 = !@#$%^&*() )
  5. Must not contain any form of your user name
  6. Must be a password you've never used before.
  7. Must not contain any words in the dictionary.
  8. Must begin with a letter, not a number.
  See if you can use this password: P@55w0rd
  If you're absolutely postive that your password meets the complexity rules then try changing it on a Windows machine. A failure may display a message with the complexity requirements.
  Hope this helps!
  bill

• Unable to change Active Directory passwords

  I am trying to configure the Macs here in the building to authenticate to our 2003 domain. I am able to bind them to the domain and I can login. The problem is that on just one of the Macs the user cannot change her password. After she types in her old password and new one the computer presents an error message stating that she doesn't have permission to change her password. I went over there and logged on with my account and tried to change my password as well and encountered the same problem. If someone knows how to fix this please let me know, I've been fighting with it for a week now and am at the end of my rope.

  Never mind I just figured it out. The problem was that her clock differed from the server's clock by about 6 minutes. After setting the machine to sync its clock with our in house network time server the problem went away.

• Users can't change Active directory password on MACs

  When they change the account password thought system perferences, the changes are not being passed to the DC and federated services server.
  I have logged off and logged back in, And rebooted. If they open the login keychain it will update but is there any way a end user can change there password with out involving IT?
  Mac are runing 10.6.8 and 6.5.1 AD .

  Hi,
  One of our users has iMac, 10.6.8.
  She has not got any local account.
  She logs on to AD domain, with domain ID
  When after 40 days or so she is asked the change the password; it does not work.
  If we change it for here through AD or through another Windows PC, it works.
  Could you please let me know the best course of action for this type of users who are not administrators of iMac?
  I tested by changing my account's PAssword and it worked( I have administrative role).
  Kind regards

• Password Synchronization Connector Error in SSL secure mode (636)

  Hello friends,
  I tell them my case:
  I have an Oracle Identity Manager environment BP15 9.1.0.2 and I installed an Active Directory Password Synchronization plug. The connector works properly in unsafe mode (389), then you have configured the SSL connector in safe mode (636) the log shows the following:
  Inside *********** **************** sgslldpcopenLDAPConnection
  Debug [10/28/2011 2:21:00 PM] Inside sgsladac c-tor
  Debug [10/28/2011 2:21:00 PM] AD Host
  Debug [10/28/2011 2:21:00 PM] 192.168.1.10
  Debug [10/28/2011 2:21:00 PM]
  Debug [10/28/2011 2:21:00 PM] AD Port
  Debug [10/28/2011 2:21:00 PM] 636
  Debug [10/28/2011 2:21:00 PM]
  Debug [10/28/2011 2:21:00 PM] AD Base DN
  Debug [10/28/2011 2:21:00 PM] DC = domain1, DC = com
  Debug [10/28/2011 2:21:00 PM]
  Debug [10/28/2011 2:21:00 PM]
  Debugging the code
  Debug [10/28/2011 2:21:00 PM] Inside ConnectToADSI
  Debug [10/28/2011 2:21:00 PM]
  ldap_connect failed with
  Debug [10/28/2011 2:21:00 PM] Server Down
  Debug [10/28/2011 2:21:00 PM]
  Debug [10/28/2011 2:21:00 PM]
  Connection to AD failed
  Debug [10/28/2011 2:21:00 PM]
  Out of openLDAPConnection ********** *****************
  Debug [10/28/2011 2:21:00 PM] Inside sgsladac destroyer
  Debug [10/28/2011 2:21:01 PM] Datastore --- Connect to AD
  Debug [10/28/2011 2:21:01 PM]
  Inside *********** **************** sgslldpcopenLDAPConnection
  Any suggestions to solve this problem.
  thank you very much

  1. Check your ports, make sure they are open.
  2. For password sync you'll need to have SSL certificates configured so AD, OIM and the connector can talk securely. Make sure the proper keystore is used and certificate is present on all 3 (the connector includes the guide to install them)
  With the above I got my connector working to this point. Hope that helps.
  - JP