SGD 4.7 - Cannot enable Active Directory authentication

I've followed the steps in the Admin Guide, and have a service object created. Running tarantella service list --name service_name produces the following output (obfuscated):
Name: service_name
Enabled: 1
Url: ad://url_to_dc
Base-domain: same as above
Security-mode: kerberos
Type: ad
...all of which looks correct. I've added the recommended log filters. Directory services (server/directoryservices/*) returns the following INFO message when attempting a logn:
No Login authorities are available.
The configured service objects will not be used.
When I click the "Test" button in the service object property screen, the above log fills with what look like appropriate log messages and a Success result from the AD server, then the above message is displayed. Running the tarantella config list | grep login command produced the following output:
login-ad-base-domain: same domain as above
login-ad-default-domain: ""
login-ldap-thirdparty-ens: 1
login-lday-thirdparty-profile: 1
login-thirdparty-ens: 0
login-thirdparty-nonens: 0
login-thirdparty-superusers: sgd_trusted_user
login-web-tokenvalidity: 180
server-login: enabled
Any ideas?

Problems can be
Incorrect domain
Name resolutions fails: OSGD server must be able to resolve the global catalog server
Timeserver: OSGD server must have the same time as the AD
Wrong /etc/krb5.conf
Global Catalog Server
Check, if the domain has a global catalog server:
nslookup -query=any _gc._tcp.DOMAIN_lowercase
Example for Domain TBSOL.DE
[root@tab-ol5u7-SGD1dev-adm tmp]# nslookup -query=any _gc._tcp.tbsol.de
Server:         192.168.99.1
Address:        192.168.99.1#53
Non-authoritative answer:
_gc._tcp.tbsol.de       service = 0 100 3268 office-ad.tbsol.de.
Authoritative answers can be found from:
tbsol.de        nameserver = office-ad.tbsol.de.
office-ad.tbsol.de      internet address = 172.16.1.14
Kerberos Layer
Simple Kerberos file
[libdefaults]
default_realm = TBSOL.DE
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
   TBSOL.DE = {
     kdc = office-ad.tbsol.de
     admin_server = office-ad.tbsol.de
[domain_realm]
   .tbsol.de = TBSOL.DE
   tbsol.de = TBSOL.DE
Icon
The format (tabs and spaces) of the Kerberos file is not relevant.
(other experience: after correcting the format of the kerberos file, pwd change works !)
Use kinit to test the Kerberos file.
Tarantella needs a restart, if this file is changed.
Icon
The OSGD documentation mentions in "2.2.4.2 Active Directory Password Expiry" to set
kpasswd_protocol = SET_CHANGE
This was not needed in these tests.
Login check via kinit
kinit <userprincibalename>@DOMAIN_uppercase
Example of kinit
[root@tab-ol5u7-SGD1dev-adm tmp]# kinit [email protected]; echo $?
Password for [email protected]:
kinit(v5): Preauthentication failed while getting initial credentials
1
[root@tab-ol5u7-SGD1dev-adm tmp]# kinit [email protected]; echo $?
Password for [email protected]:
0
[root@tab-ol5u7-SGD1dev-adm tmp]#
Check password change with KPASSWD
[root@tab-ol5u7-SGD1dev-adm log]# kpasswd [email protected]
Password for [email protected]:
Enter new password:
Enter it again:
Password changed.
Check password change on AD request
Mark user, that he has to change his password on the next login in the AD.
[root@tab-ol5u7-SGD2dev-adm tmp]# kinit [email protected]
Password for [email protected]:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@tab-ol5u7-SGD2dev-adm tmp]# kinit [email protected]
C

Similar Messages

Weblogic with Active Directory Authentication provider problem: DN for user ....: null

I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyOwnADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
        <wls:host>10.20.150.4</wls:host>
        <wls:port>5000</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
        <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
        <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
        <wls:cache-enabled>false</wls:cache-enabled>
        <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.

I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>

Cannot add Active Directory Domain Services role on - DirectoryServices-DomainController . Status: -2147021879 (80070bc9)

Hi everyone,
I've been banging my head against this for a while and hope someone can help me.
Running Windows Server 2008 R2 Standard with Service Pack 1.
When I try to add the Active Directory Domain Services role to the server it gets to about 90% complete and then dies.
The ServerManager.log shows the following information, I have run the System Readiness Tool - output below - with no errors found.
At a loss on what to do next. The only other links I've found suggest rebuilding the server which I would really like to avoid...
Help appreciated,
John
ServerManager.log (extract)
==========
name : Active Directory Domain Services
state : Changed
rank : 1
sync tech: CBS
guest[1] : Active Directory Domain Controller
guest[2] : Identity Management for UNIX
ant. : empty
pred. : empty
provider : null
name : Active Directory Domain Controller
state : Changed
rank : 4
sync tech: CBS
ant. : .NET Framework 3.5.1
pred. : Active Directory Domain Services, .NET Framework 3.5.1
provider : Provider
8720: 2012-01-18 10:54:41.853 [Sync] Calling sync provider of Active Directory Domain Controller ...
8720: 2012-01-18 10:54:41.853 [Provider] Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
8720: 2012-01-18 10:54:41.853 [Provider] Begin installation of 'Active Directory Domain Controller'...
8720: 2012-01-18 10:54:41.853 [Provider] Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
8720: 2012-01-18 10:54:41.853 [Provider] Installation queued for 'Active Directory Domain Controller'.
8720: 2012-01-18 10:54:41.853 [CBS] installing 'DirectoryServices-DomainController ' ...
8720: 2012-01-18 10:54:42.399 [CBS] ...parents that will be auto-installed: 'NetFx3 '
8720: 2012-01-18 10:54:42.399 [CBS] ...default children to turn-off: 'WCF-HTTP-Activation '
8720: 2012-01-18 10:54:42.415 [CBS] ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
8720: 2012-01-18 10:54:42.415 [CBS] ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipping 'NetFx3' because it is already in the desired state.
8720: 2012-01-18 10:54:42.430 [CBS] ...current state of default child 'WCF-HTTP-Activation': p: Installed, a: Installed, s: InstallRequested
8720: 2012-01-18 10:54:42.430 [CBS] ...skipped child 'WCF-HTTP-Activation' because it is already installed
8720: 2012-01-18 10:54:42.461 [CBS] ...'DirectoryServices-DomainController' : applicability: Applicable
8720: 2012-01-18 10:54:42.461 [CBS] ...'NetFx3' : applicability: Applicable
8720: 2012-01-18 10:54:42.539 [CbsUIHandler] Initiate:
8720: 2012-01-18 10:54:42.539 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:54:42.758 [InstallationProgressPage] Installing...
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Error: -2147021879 :
8720: 2012-01-18 10:55:03.740 [CbsUIHandler] Terminate:
8720: 2012-01-18 10:55:03.787 [InstallationProgressPage] Verifying installation...
8720: 2012-01-18 10:55:03.802 [CBS] ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
8720: 2012-01-18 10:55:03.818 [Provider] Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
8720: 2012-01-18 10:55:03.818 [Provider]
[STAT] ---- CBS Session Consolidation -----
[STAT] For
'Active Directory Domain Controller'[STAT] installation(s) took '21.9535541' second(s) total.
[STAT] Configuration(s) took '0.0007754' second(s) total.
[STAT] Total time: '21.9543295' second(s).
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
8720: 2012-01-18 10:55:03.818 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Sync operation completed
8720: 2012-01-18 10:55:03.818 [InstallationProgressPage] Performing post install/uninstall discovery...
8720: 2012-01-18 10:55:03.833 [Provider] C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
8720: 2012-01-18 10:55:03.833 [CBS] IsCacheStillGood: False.
8720: 2012-01-18 10:55:04.333 [CBS] >>>GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.784 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
8720: 2012-01-18 10:55:34.784 [CBS] <<<GetUpdateInfo--------------------------------------------------
8720: 2012-01-18 10:55:34.815 [DISCOVERY] hr: -2147021879 -> reboot required.
8720: 2012-01-18 10:55:34.831 [InstallationProgressPage] About to load finish page...
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Loading finish page
8720: 2012-01-18 10:55:34.831 [InstallationFinishPage] Finish page loaded
CheckSUR.log
=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 13.0
2012-01-18 10:33
Checking Windows Servicing Packages
Checking Package Manifests and Catalogs
Checking Package Watchlist
Checking Component Watchlist
Checking Packages
Checking Component Store
Summary:
Seconds executed: 220
No errors detected

Hi John,
Thanks for posting.
Performed some research and some results say that this problem can be caused by HD Write Caching.
To disable Write Caching:
1. Go to Device Manager.
2.Click the plus sign (+) next to the Disk Drives branch to expand it.
3.Right-click the drive on which you want to enable or disable disk write caching, and then click Properties.
4.Click the Disk Properties tab.
5.Click to select or clear the Write Cache Enabled check box as appropriate.
6.Click OK.
If no luck, Please check if any erros can be found in Event log, Dcpromoui.Log and Dcpromo.log
The following articles maybe helpful to you:
Known Issues for Installing and Removing AD DS
http://technet.microsoft.com/en-us/library/cc754463(v=WS.10).aspx
You cannot install Active Directory Domain Services
http://support.microsoft.com/kb/975142
Thanks
ZHANG

Active Directory Authentication in Weblogic 8.1

Hi,
We want to do authentication from Microsoft Active Directory using weblogic 8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working. Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me know how
to proceed.
2. Is there any tool by which I can get to know the different attribute asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind. Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

Amit,
We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
and downs though.
|
|
1) First, make sure you are sending right LDAP queries to AD. To verify this,
we used free 3rd party LDAP browser from Softerra. There is also java based free
browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
Play with your LDAP settings using this and make sure AD is returning the right
data.
|
2) AD has some default settings that makes it return only the top 1000 users.
Use ntdsutil.exe to modify these default settings
|
3) AD needs to have the right set of users and groups. To configure this, refer
to WLS docs. This is very well documented in WLS docs. Also refer to this article
http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
reference
|
4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
another product AD/AM (AD in Application Mode) in combination with MIIS server.
But if you are using sp2, you shouldn't be worry about this.
|
5) In your providers, you might want to get rid of the DefaultAuthentication provider,
once you are able to establish a connection with your ActiveDirectoryAuthentication
provider. The DefaultAuthentication provider causes some problems and does not
let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
investgated the root of this prob. When we deleted DefaultAuthentication provider,
everything worked normally - so we didn't really care that much :-)
|
6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
your are able to authenticate talk to your AD.
|
These are the ones I could think of. Hope this helps..
Regards,
Anant
"Amit" <[email protected]> wrote:
>
Hi,
We want to do authentication from Microsoft Active Directory using weblogic
8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working.
Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me
know how
to proceed.
2. Is there any tool by which I can get to know the different attribute
asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there
any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind.
Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in
Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

Dear all
        In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message:
       " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
      Anyone has encountered similar issue?
   BO version: BO XI 3.1 SP5
   Authenticate: Windows AD
Thanks and Regards

Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
http://service.sap.com/sap/support/notes/1323391
http://service.sap.com/sap/support/notes/1199995
-Ambarish-

Unable to find user list in Active Directory Authenticator

Hi all,
I am using weblogic 10.3 and want to configure ActiveDirectory Authenticator for my weblogic application. We have one managed srever under admin server . I have configured a Active Directory Authenticator named "ADAuthenticator" and made following changes as per the below values:
I set the control flag to "OPTIONAL" .
Security Realms-->myrealm-->Providers-->ADAuthenticator-->Provider Specific
UserName Attribute : ServiceBEA
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(ServiceBEA=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(ServiceBEA=%u)(objectclass=user))
Static Group Name Attribute : ServiceBEA
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
These are my AD settings. After doing this i click on save and then activate changes and then restarted the admin server.
But the problem is when i login to weblogic console to check the user list under "User and Group" i am unble to find any Active Directory users.
I don't know where i made the mistake. Can some make me out of this trouble.
Any help is highly appreciated.
Thanks in advance !

Hi Sean,
Actually we have already a Active Directory with username "ServiceBEA" in our windows server. So i used this "ServiceBEA" as UserName Attribute in weblogic console while creating a Active Directory Authenticator.
You mean to say that we should go for "sAMAccountName" or what? If that is the case then i have also tested with following values, but still no luck.
UserName Attribute : sAMAccountName
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(sAMAccountName=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(sAMAccountName=%u)(objectclass=user))
Static Group Name Attribute : sAMAccountName
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
Please advise what to be place in case of User Name Attribute.
Any help is highly appreciated.
Thanks in advance !

WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
a managed server using the node manager? I can boot the server without the AD
authenticator and I can also boot the server using a script and successfully authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
configuration works fine with weblogic running on W2K, but not on Solaris (it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Solved the problem. The 'domain root' directory specified in the remote start configuration,
must contain a copy of the file 'SerializedSystemIni.dat' that was created along
with the domain, in order to boot when an AD authenticator is configured. If an
AD authenticator is not configured, no file is required. This was not a platform
specific issue; on Win2K I had configured the 'domain root' remote start parameter
to point to an existing domain root and not a new directory.
"Andrew Walker" <[email protected]> wrote:
>
Has anyone managed to setup a WLS 7.0 Active Directory authenticator
and booted
a managed server using the node manager? I can boot the server without
the AD
authenticator and I can also boot the server using a script and successfully
authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup
a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
This
configuration works fine with weblogic running on W2K, but not on Solaris
(it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
<main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException:
RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException:
Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute
method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Active Directory Authentication and permissions for user group in APEX 4.0

Hello,
I am new to oracle APEX and I have searched the forum for active directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow; in order to implement AD authentication for a user group in Oracle APEX 4.0.
These are the threads which i was looking at to get an idea like how AD authentication works but its really confusing for me.
Help with Authentication (APEX_LDAP.AUTHENTICATE)
Re: LDAP Authentication Via Groups
Thanks,
Tony

You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.

SGD cannot access Active Directory

hello everyone
I have sgd server and Active Directory server in a segment before , they worked well.
now I place my sgdservers in a DMZ segment , and place the AD server in backend segment.
there is a firewall between the two segments. now sgd cannot access the ad in the web console.
I know there are some ports which must be opened as the manual said. but even if I open all ports between the two server(SGD server and AD server) , sgd still cannot access the active directory.
SGD Server : SGD4.4.1907 Solaris10
AD Server: windows2008
it seems that there is no problem when using nslookup
# nslookup adsrv1.mydomainname
Server:         10.0.4.111
Address:        10.0.4.111#53
Name:   adsrv1.mydomainname
Address: 10.0.4.111
# nslookup 10.0.4.111
Server:         10.0.4.111
Address:        10.0.4.111#53
111.4.0.10.in-addr.arpa name = adsrv1.mydomainname.
# nslookup -querytype=any _gc._tcp.mydomainname
Server:         10.0.4.111
Address:        10.0.4.111#53
_gc._tcp.mydomainname     service = 0 100 3268 adsrv2.mydomainname.
_gc._tcp.mydomainname     service = 0 100 3268 adsrv1.mydomainname.
# nslookup -querytype=any _ldap._tcp.mydomainname
Server:         10.0.4.111
Address:        10.0.4.111#53
_ldap._tcp.mydomainname   service = 0 100 389 adsrv2.mydomainname.
_ldap._tcp.mydomainname   service = 0 100 389 adsrv1.mydomainname.Any prompt reply will be appreciated

I also use "dig" command to check DNS setting.
It is surprised that , I cannot dig with sgd server's hostname , but dig with sgd server's FQDN is successful .
# dig sgdsrv01
; <<>> DiG 9.3.4-P1 <<>> sgdsrv01
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 1361
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sgdsrv01.                      IN      A
;; Query time: 1 msec
;; SERVER: 10.0.4.111#53(10.0.4.111)
;; WHEN: Tue Jan 20 10:44:20 2009
;; MSG SIZE rcvd: 26
# dig sgdsrv01.mydomain.com
; <<>> DiG 9.3.4-P1 <<>> sgdsrv01.mydomain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *NOERROR*, id: 1613
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sgdsrv01.mydomain.com.   IN      A
;; ANSWER SECTION:
sgdsrv01.mydomain.com. 3600 IN    A       10.0.6.41
;; Query time: 1 msec
;; SERVER: 10.0.4.111#53(10.0.4.111)
;; WHEN: Tue Jan 20 10:44:37 2009
;; MSG SIZE rcvd: 61AND I also set /etc/hosts file as the following:
127.0.0.1       localhost
::1     localhost
10.0.6.41     sgdsrv01   sgdsrv01.mydomain.com telford
10.0.6.42     sgdsrv02.mydomain.com   sgdsrv02
10.0.4.111    adsrv1.mydomain.com     adsrv1
10.0.4.112    adsrv2.mydomain.com     adsrv2
10.0.4.101    apsrv01.mydomain.com    apsrv01
10.0.4.102    apsrv02.mydomain.com    apsrv02

Unable to expand Roles n policies after enabling Active directory security

I am running weblogic 10.3 on Linux and integrated console security with Microsoft AD.
Below error occurs when I tried to expand roles and policies.
Please help.
Message: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression
Stack Trace: com.bea.console.exceptions.ManagementException: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:678) at com.bea.console.actions.security.roles.RoleTableAction.expandGlobalRolesNode(RoleTableAction.java:208) at com.bea.console.actions.security.roles.RoleTableAction.expandNode(RoleTableAction.java:193) at com.bea.console.actions.security.roles.RoleTableAction.execute(RoleTableAction.java:102) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044) at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116) at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:255) at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556) at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853) at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631) at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158) at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:256) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414) at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:133) at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686) at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266) at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107) at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292) at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:54) at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(Unknown Source) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Caused by: weblogic.management.utils.NotFoundException: [Security:090311]Failed to set resource expression at com.bea.security.providers.xacml.entitlement.RoleManager.getRole(RoleManager.java:134) at weblogic.security.providers.xacml.authorization.XACMLRoleMapperImpl.getRoleExpression(XACMLRoleMapperImpl.java:499) at weblogic.security.providers.xacml.authorization.XACMLRoleMapperMBeanImpl.getRoleExpression(XACMLRoleMapperMBeanImpl.java:389) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:447) at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:445) at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:443) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10$1.run(AuthenticatedSubjectInterceptor.java:582) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor$10.run(AuthenticatedSubjectInterceptor.java:580) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.management.mbeanservers.internal.AuthenticatedSubjectInterceptor.invoke(AuthenticatedSubjectInterceptor.java:573) at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:307) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426) at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy70.getRoleExpression(Unknown Source) at com.bea.console.actions.security.roles.RoleTableAction.createRoleNode(RoleTableAction.java:671) ... 81 more

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd">
<name>ABC</name>
<domain-version>10.0.1.0</domain-version>
<security-configuration>
<name>ABC</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
<sec:name>MYSECURITY</sec:name>
<sec:control-flag>OPTIONAL</sec:control-flag>
<wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
<wls:host>ad.win.XYZ.com</wls:host>
<wls:port>3210</wls:port>
<wls:user-name-attribute>SamAccountName</wls:user-name-attribute>
<wls:principal>CN=ABC (APPLICATION),OU=Service Accounts,OU=Infrastructure Solutions,OU=USPC,DC=americas,DC=win,DC=xyz,DC=com</wls:principal>
<wls:user-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:user-base-dn>
<wls:credential-encrypted>{3DES}3gr1b24C1+ZescfrcJGfTA==</wls:credential-encrypted>
<wls:user-from-name-filter>(&(SamAccountName=%u)(objectclass=user))</wls:user-from-name-filter>
<wls:cache-size>3200</wls:cache-size>
<wls:group-base-dn>DC=americas,DC=win,DC=xyz,DC=com</wls:group-base-dn>
<wls:bind-anonymously-on-referrals>true</wls:bind-anonymously-on-referrals>
<wls:all-groups-filter>(objectclass=group)</wls:all-groups-filter>
<wls:group-membership-searching>limited</wls:group-membership-searching>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{3DES}Da9bWdtd5q7ah0l1OlmgTprs5EsrhL0siPsTNKzMDOasnQwrpgSVnAKFIdM3O/CjsXOzrq2fBACcbtup4aQCbNpjynWFUDB1</credential-encrypted>
<node-manager-username>system</node-manager-username>
<node-manager-password-encrypted>{3DES}IwjibsnAdGEU/pYi+0n1bg==</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<rotation-type>byTime</rotation-type>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25000</listen-port>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server1</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25010</listen-port>
<listen-port-enabled>true</listen-port-enabled>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
<java-compiler>javac</java-compiler>
<client-cert-proxy-enabled>false</client-cert-proxy-enabled>
</server>
<server>
<name>ABC_server2</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25020</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server4</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25040</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server5</name>
<ssl>
<enabled>false</enabled>
</ssl>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<machine xsi:nil="true"></machine>
<listen-port>25050</listen-port>
<cluster xsi:nil="true"></cluster>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
</server>
<server>
<name>ABC_server6</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25060</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server7</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25070</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server8</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25080</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server10</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25100</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server9</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25090</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<listen-address></listen-address>
</server>
<server>
<name>ABC_server3</name>
<log>
<file-name>logs/AdminServer.log</file-name>
<number-of-files-limited>true</number-of-files-limited>
<file-count>7</file-count>
<file-time-span>24</file-time-span>
<rotation-time>00:00</rotation-time>
<rotate-log-on-startup>true</rotate-log-on-startup>
<logger-severity>Info</logger-severity>
<log-file-severity>Info</log-file-severity>
<stdout-severity>Info</stdout-severity>
<domain-log-broadcast-severity>Notice</domain-log-broadcast-severity>
<memory-buffer-severity>Trace</memory-buffer-severity>
<log4j-logging-enabled>false</log4j-logging-enabled>
<redirect-stdout-to-server-log-enabled>true</redirect-stdout-to-server-log-enabled>
<domain-log-broadcaster-buffer-size>1</domain-log-broadcaster-buffer-size>
</log>
<listen-port>25030</listen-port>
<web-server>
<web-server-log>
<number-of-files-limited>false</number-of-files-limited>
</web-server-log>
</web-server>
<server-debug>
<debug-scope>
<name>default</name>
<enabled>true</enabled>
</debug-scope>
<debug-scope>
<name>weblogic</name>
<enabled>true</enabled>
</debug-scope>
</server-debug>
<listen-address></listen-address>
</server>
<embedded-ldap>
<name>ABC</name>
<credential-encrypted>{3DES}RhnPr+8XsDxhU8rgpPiikqpyeP74wxX/T2mnALX9oFI=</credential-encrypted>
</embedded-ldap>
<configuration-version>10.0.1.0</configuration-version>
<configuration-audit-type>logaudit</configuration-audit-type>
<app-deployment>
<name>ABC25090</name>
<target>ABC_server9</target>
<module-type>ear</module-type>
<source-path>/home/arajpoot/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25080</name>
<target>ABC_server8</target>
<module-type>ear</module-type>
<source-path>/home/aherleka/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25030</name>
<target>ABC_server3</target>
<module-type>ear</module-type>
<source-path>/home/rprajapa/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25060</name>
<target></target>
<module-type>ear</module-type>
<source-path>/home/xyin/working/default-app/dist/ABC.10.1.0.ear</source-path>
<sub-deployment>
<name>/</name>
<target></target>
</sub-deployment>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>ABC25010</name>
<target>ABC_server1</target>
<module-type>ear</module-type>
<source-path>/home/payadav/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC25050</name>
<target>ABC_server5</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8070</name>
<target>ABC_server7</target>
<module-type>ear</module-type>
<source-path>/home/irakshit/working/default-app/dist/ABC.10.1.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8020</name>
<target>ABC_server2</target>
<module-type>ear</module-type>
<source-path>/home/wchou/working/default-app/ABC.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8100</name>
<target>ABC_server10</target>
<module-type>ear</module-type>
<source-path>/home/amulik/working/default-app/dist/ABC.9.5.0.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<app-deployment>
<name>ABC8040</name>
<target>ABC_server4</target>
<module-type>ear</module-type>
<source-path>/home/nchanda1/working/default-app/dist/ABC.10.0.3.ear</source-path>
<security-dd-model>DDOnly</security-dd-model>
</app-deployment>
<admin-server-name>AdminServer</admin-server-name>
<jdbc-system-resource>
<name>ABCCDWDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource-2021-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCCDWDataSource_coper</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCCDWDataSource_coper-9655-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCOracleDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCOracleDS-5997-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCReportDataSource</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCReportDataSource-6033-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABC_NEON_DATASOURCE</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABC_NEON_DATASOURCE-9653-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCRDRDS</name>
<target>ABC_server9,ABC_server8,ABC_server3,ABC_server1,ABC_server5,ABC_server7,ABC_server2,ABC_server10,ABC_server4,ABC_server6</target>
<descriptor-file-name>jdbc/ABCRDRDS-5401-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCtest</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCtest-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>ABCreport</name>
<target>ABC_server6</target>
<descriptor-file-name>jdbc/ABCreport-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>

Active Directory authentication, OS X network homes on Xserve

Hi
I'm looking for a general guide/tips for our deployment of OS X in our Windows network.
Everyone in our institution has an Active Directory account.
We also have an Xserve 10.4.4 running as an OD Master with 400 accounts for people who use Macs. It shares out OS X network home folders for these accounts. This means these people have a seperate AD and OD account.
We aim to get these users authenticating with AD on the Macs and seeing a network home that will ultimately be a combination of an OS X folder (Public, Sites) and a Windows folder (My documents etc.)
We can backup the data in their existing OS X home folders for them to pull into the new homes that will be created for them through AD authentication.
We can successfully bind the Xserve and client Macs to AD. We have a group of AD users in WGM. MCX preferences are enforced at computer level.
The big questions are:
How do we tackle the mapping of a (OS X/Windows combo) home folder stored on the Xserve for new Active Directory accounts when they are created?
What could we do with AD/OD current users existing Active Directory folders when they start to use AD to authenticate on the Macs (current OS X home data will be backed up and pulled in to new OS X accounts later) ?
Do we definately need Kerberos running on the Windows server ?
What would happen to an existing AD/Windows-only user with a Windows folder mapped to an SMB/Windows server share if they authenticated to OS X for the first time - local home creation (default/forced) ?
Any advice appreciated - we have Windows/Mac people working in harmony here and we're close to what we want!
Many Thanks

Try this (on the client computer):
Login locally using a user with administrator privileges.
Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.
Open a command prompt window and type the following command to find the profile name of your wireless network: netsh
wlan show profiles
Let's say the profile to use in the example is "office-network". Open regedit and
look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Create a new String Value (REG_SZ) at that location, and name it anything you want (i.e. WIFI_Connect), and enter the following command string: %comspec%
/c netsh wlan connect name="<profile name>" where profile name in our example would be "office-network".
Reboot the laptop for this to take effect.
If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer
Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon.
These step still require the wireless network to be your domain network as Windows can only Cache 50 credentials maximum.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

Windows Active Directory Authentication

Hi Experts,
I have an enterprise application running in a clustered environment. The jars are diployed in jboss and wars in tomcat servers. The requirement is to authenticate users with thier Windows username/password with active directory itself and depending upon their roles give access to various functionalities in the application. Could someone guide on how the windows authentication should be done?
Thanks

We were able to successfully enable the Windows AD Authentication.
Section 4 would be on the SIA's or server tier. Sections 5,6,and 7 would be for the Java Web app server or web tier.
We got an error when trying to enable SSO though.
The server encountered an internal error (com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "account@domian_name" but not key type (18) + KVNO (32) in this entry: Principal: [1] account@domain_name TimeStamp: Wed Dec 31 19:00:00 COT 1969 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [......] )) that prevented it from fulfilling this request.
We disabled the SSO for the time being, but the Windows AD works fine.

Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
Additional technical information:
Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
Timestamp: 2015-04-14 12:27:20Z
AADSTS50020:
User account '[email protected]' from external
identity provider 'live.com' is not supported for application
'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
be added as an external user in the tenant. Please sign out and sign in
again with an Azure Active Directory user account.
It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

I assume you created a web application using VS2013 which uses the WS-Federation protocol.
The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
The user will need to either sign-out or use an in-private session in the browse.
If you switch to openID connect(sample at
https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

Active Directory Authentication, AFP Home Folders in the wrong place!

Hi,
I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
-Xserve G5, Mac OS X Server 10.4.7
-OD Master bound to AD for authentication
-Hosts AFP and SMB shares, all stored on Xserve RAID
On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
Going slightly mad,
Jason

Hi there,
Just wanted to share my make-due solution.
I have setup the automount sharepoint at "/Data/Home".
When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
-Desktop
-Library
The other icons related to the home dir on the Dock remain big "?" 's.
So I manually added them and assigned them the propper rights.
Now users can log in without any problems, network home folders are working.
So essentially I got thing s to work, luckily I have only a hand full of Mac Users, Imagine having a user base in the hundreds !
Thinking about this really makes me want to know how I can fix this problem, I have a make shift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
I've checked all possible locations on the server (i thought maybe it might have made local accounts on server by accident, but it didn't.)
If anyone has ANY idea, please share.
Thx!!
Have a nice day

What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory. We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides. In 10.6, this worked beautifully. Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch. In 10.8 server, this is not working. Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share. When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password. Please try again." On a 10.7 client, the window shakes.
What confuses me even more is that no local users can mount the share as well. I try as our admin account, I receive the following error message on our 10.6 clients:
Actually, as I was forumulating this post, logging in as the server administrator account is now working...???!!!
This was the error message we were receiving on 10.7 clients before it magically started working:
In any case, authenticating as an AD user is still no go. Any ideas?

I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

SGD 4.7 - Cannot enable Active Directory authentication

Similar Messages

Maybe you are looking for