T5-2 ILOM authentication via Active Directory
Hello,
We are trying to leverage AD to authenticate our ILOMs. However, I am seeing the following when I set the method to None (server authentication):
(ActDir) ServerUserAuth - Error 0, failed to validate user group access
We have a group defined and I have set it under Admin groups using the DN.
Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
TIA.
Jeff
Hello Man!
Your provided documents and links are very effective. Thank you for your help. Right now I have the problem listed below.
I have Cisco aironet 1142n access point. I have no ACS / WLC
but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
These APs are standalone. Please provide any configuration document
"How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
Thanks & Regards,
Rizwan Haider Siddiqui.
Similar Messages
-
Can I configure WS-Sec authentication via Active Directory with OSB or OWSM
Hi
I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
Regards,
Néstor Boscán
Hi.
OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
OWSM
http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
and
http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
hope this helps
best
rolando -
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed: Reject / Drop / Continue
If user not found: Reject / Drop / Continue
If process failed: Reject / Drop / Continue
And that didn't do anything either.
Any ideas? Thanks in advance.
Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
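The failure mode discussed in this thread, as an added example (not part of the original posts and not Cisco code): a Python audit of ACS step logs that flags a session where step 24437 is followed by an Access-Accept, plus a simplified first-match model of the sentinel-attribute rule suggested in the reply. The function names, the condition name `ADMachineMarker` and the second log sample are assumptions constructed for illustration.

```python
import re

# Step codes as they appear in the log quoted in the question above.
AD_LOOKUP = "24433"          # Looking up machine/host in Active Directory - <name>
MACHINE_NOT_FOUND = "24437"  # Machine not found in Active Directory
AUTHZ_PROFILE = "15016"      # Selected Authorization Profile - <name>
ACCESS_ACCEPT = "11002"      # Returned RADIUS Access-Accept

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")

# Steps copied from the question (abridged to the lines that carry a step code).
LOG_FROM_POST = """
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
12506 EAP-TLS authentication succeeded
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
"""

# Constructed sample: the same session once a deny rule on the sentinel value exists.
LOG_AFTER_RULE = """
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
12506 EAP-TLS authentication succeeded
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""

# Hypothetical policy condition name; "DEFAULTVALUE" is the sentinel from the reply.
RULES = [("ADMachineMarker", "DEFAULTVALUE", "DenyAccess")]


def parse_steps(text):
    """Return (code, message) pairs; section headers carry no code and are skipped."""
    steps = []
    for line in text.splitlines():
        match = STEP_RE.match(line)
        if match:
            steps.append((match.group(1), match.group(2)))
    return steps


def _suffix(steps, code):
    """Text after ' - ' in the first step with this code, or None."""
    for step_code, message in steps:
        if step_code == code and " - " in message:
            return message.split(" - ", 1)[1]
    return None


def audit_session(text):
    """Flag a session that was accepted although the AD machine lookup failed."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    not_found = MACHINE_NOT_FOUND in codes
    accepted = ACCESS_ACCEPT in codes
    return {
        "machine": _suffix(steps, AD_LOOKUP),
        "profile": _suffix(steps, AUTHZ_PROFILE),
        "not_found_in_ad": not_found,
        "accepted": accepted,
        "finding": not_found and accepted,
    }


def authorize(attributes, rules, default_profile="Permit Access"):
    """Simplified first-match authorization: without a matching rule the default applies."""
    for condition_name, expected, profile in rules:
        if attributes.get(condition_name) == expected:
            return profile
    return default_profile


if __name__ == "__main__":
    print(audit_session(LOG_FROM_POST))
    print(authorize({"ADMachineMarker": "DEFAULTVALUE"}, RULES))
```
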
Client Certificate Mapping authentication using Active Directory across trusted forests
Hi,
We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the users exist in the on-premises AD and the 1-way trust allows them to use their credentials to log in to a cloud domain joined server. This works fine with Windows authentication.
We are now looking at implementing 2-factor authentication using certificates. The PKI infrastructure exists in the on-premises forest. The users are able to successfully log in to on-premises servers configured with "AD Client Certificate Mapping".
However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
1. Is this possible?
2. If yes, what do we need to do to make this work.
Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory".
1. Yes!
2. Before answering this I need to know if you are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements and mapping?
/Hasain
We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
To simulate the scenario, I set up two separate forests and established a trust between them.
I then set up a Windows PKI in one of the forests and issued a client certificate to a user.
I then set up a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
I set up a test ASP page to capture the Login Info on both the servers.
With the client and the server in the same forest, I got the following results
Login Info
LOGON_USER: CORP\ASmith
AUTH_USER: CORP\ASmith
AUTH_TYPE: SSL/PCT
With the client in the domain with the PKI and the server in the other Forest, I got the following response
Login Info
LOGON_USER:
AUTH_USER:
AUTH_TYPE:
I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied -
Oracle 9i/10G DB authentication using Active Directory (with out OID)
Hello All,
We want to use a Single-Password authentication scheme using the Active
Directory as the primary source for userId/Password.
We don't want to use the Active Directory and OID bridge.
As we have many databases and would like to configure all Databases to use Active
Directory for Authentication. Our goal is to have single id/password across all
the databases and any user should be able to login from any computer using their
windows id/password, note that we don't want to use the OSAuthentication.
We have read the documents provided by oracle for authentication using Active
Directory, we were able to create Oracle Schema in Active Directory and were
also able to register a DB with Active Directory and then created user as global
user in Oracle Database and provided the DN of the user. When we tried
authenticate with all this setup it comes back and says invalid ID/Password !!!
And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
Environment:
Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
Operating System: Windows 2000/ Windows 2000 Server
Constraint: We don't want to use OID (as we don't have a license for this product!)
I have a thread started similar to your request.
OS Authentication on Windows
Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
SHOW PARAMETER OS_AUTHENT_PREFIX;
SHOW PARAMETER REMOTE_OS_AUTHENT;
CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO OPS$SOMEUSER;
For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
I really wish Oracle or somebody created a guide or book on how to do this. -
Hi,
I have a setup ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt because, for some reason, the user account got locked. I guess you should ask your AD team to check in the AD event logs why the user account got locked.
You can find it under Event Viewer.
Regards
Minakshi (Do rate the helpful posts) -
Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc
The possible causes of this error message are:
1.] If the end user entered an incorrect username.
2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
In your case, the 3rd option seems to be the closest one.
Jatin Katyal
- Do rate helpful posts - -
Authentication on Active Directory using JNDI (A Professional Approach)
I am using the following code for getting authenticated on Active Directory by user logon name.
Can anyone tell me a more professional and foolproof approach for authenticating a user on Active Directory through my web interface?
thanks in advance
/*
 * Created on Nov 10, 2004
 */
package auth;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * @author Tushar Agrawal
 * Created On Nov 10, 2004
 */
public class UserAuthentication {

    public UserAuthentication() {
        super();
    }

    public NamingEnumeration loginToActiveDirectory(
        String logonName,
        String password,
        String domain) {
        boolean success = false;
        NamingEnumeration attrs = null;
        // A simple bind with an empty password is treated as an anonymous bind,
        // so it must never count as a successful login.
        if (password == null || password.length() == 0) {
            return null;
        }
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
        env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Without SSL/TLS a simple bind sends the password in clear text.
        //env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.version", "3");
        env.put(Context.REFERRAL, "follow");
        try {
            String base = "";
            // The bind happens here; bad credentials raise AuthenticationException.
            DirContext ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(
                new String[] {
                    "sAMAccountName",
                    "userPrincipalName",
                    "displayName",
                    "memberOf",
                    "objectSid",
                    "title" });
            // Pass the logon name as a filter argument so JNDI escapes it,
            // instead of concatenating user input into the LDAP filter.
            NamingEnumeration e =
                ctx.search(base, "(sAMAccountName={0})", new Object[] { logonName }, controls);
            if (e.hasMore()) {
                SearchResult r = (SearchResult) e.next();
                attrs = r.getAttributes().getAll();
                /*while (attrs.hasMore()) {
                    System.out.println(attrs.next());
                }*/
            }
            ctx.close();
        } catch (AuthenticationException e) {
            System.err.println("Problem getting attribute: " + e);
            success = false;
        } catch (NamingException e) {
            System.err.println("Problem getting attribute: " + e);
            success = false;
        }
        return attrs;
    }
}
tushar agrawal
You'll find more info at:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
That's the right way to do it. -
Portal Authentication using Active Directory
I am trying to set up authentication using Active Directory. Can anyone provide me with instructions on what to do? I know that I have to go to System Admin -> System Configuration -> UM configuration and change the Data Source. What else do I need to do... How do I specify which domain to authenticate against? Do I have to change the XML file? Please help.
It depends on what you wanna do with the AD server. If you want to read/write on the AD then you have to first set up an SSL connection between the two boxes. Else if you just want to read from the AD server you don't require an SSL connection. Then you have to select the hierarchy type in the System Admin -> System Configuration -> UM configuration. Save.
Next thing you do is to open the config tool and modify your xml file accordingly.
And restart the server.
Hope this helps.
Regards,
Hassan -
Db10g external password authentication with Active Directory via OID
HI ALL
- i have the synchronization AD-to-OID
- i have the external authorization of AD users via SSO (external authorization plug-in)
- i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
- but i can't configure the DB10g authorization of AD-to-OID synchronized users who don't have their password in OID
error:
ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
i.e. those users are not recognized as users with external passwords.
Any ideas, please ...
Funny thing - LDAP (OID and Active Directory) defines a generic hierarchical database. Like any other generic database, you need to define the schema to define what data is to be captured.
Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
To accomplish what you want to do
1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
2) learn to configure SQLNet / Oracle Networking to use LDAP ('cause it's Oracle Networking that is responsible for the login)
3) Reverse the schema from OID and transport it to AD
Aside from that, it's a no-brainer. -
Db10g external password authentication from Active Directory via OID
HI ALL
- i have a synchronization AD-to-OID (OAS 10.1.2 (Infra)cold failover cluster, 2 nodes)
- i have external authorization of AD users via SSO (external authorization plug-in)
- i have RAC DB(10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
- but i can't configure DB authorization of AD-to-OID synchronized users who don't have their passwords in OID
error:
ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
i.e. those users are not recognized as users with external passwords.
Any ideas, please ...
I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
request from my server to the LDAP box:
LDAP: [Base Object]
LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
LDAP: [Scope]
LDAP: wholeSubtree
LDAP: Equality Match *[3]
LDAP: [Attr Descr]
LDAP: objectClass
LDAP: [Value]
LDAP: posixAccount
LDAP: *[3]
LDAP: [OctetString]
LDAP: uid
LDAP: [OctetString]
LDAP: myusername
reply from the LDAP server:
LDAP: [Error Message]
LDAP: 0000208D: NameErr: DSID-031001CD
LDAP: , problem 2001 (NO_OBJECT), data
a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)? -
Authentication of Unix or Linux Systems via Active Directory
Hi,
Is there an inbuilt solution in Windows 2012 R2 which can be used to authenticate Unix or Linux users?
I understand there are many 3rd party solutions for this, but I want to know if there is any available inbuilt in Windows Server.
Thanks
Vivek
What do you mean exactly?
You can start with these:
Mixing It Up: Windows, UNIX, And Active Directory: https://technet.microsoft.com/fr-fr/magazine/2005.01.activedirectory(en-us).aspx
How to Join UNIX / Linux to Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/25944.how-to-join-unix-linux-to-active-directory.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
SAP R/3 Authentication with Active Directory on Win2k server.
Hello list ,
We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
1) SAP GUI .
2) SAP BW
3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
Wish to implement SSO for all our users.
Some research we have done suggests
1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
"All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
I have created an OSS ticket but we are still in a queue since 5 days already.
Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
Thanks in advance.
Harsh Busa
Tim,
you are perfectly right: that Vintela product is not certified (as SNC solution).
But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see SAP note 352295, http://service.sap.com/~iron/fm/011000358700000431401997E/352295) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
I really do not want to promote any product - neither the one of Quest Software Inc., nor the one of CyberSafe Ltd (http://www.cybersafe.ltd.uk/), nor Entrust Inc. (http://www.entrust.com), nor SECUDE IT Security GmbH (http://www.secude.com/), nor ...
I do not even want to discourage anyone from implementing his own Kerberos-based solution (or any other solution which provides a GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities belong to that group ... - but it might not be appropriate for the vast majority of customers. -
ISE 1.2 Admin Access via Active Directory
Hi Experts,
Good Day!
I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
Thanks for your great help.
niks
Niks,
I just got done doing this. First of all you have to have the Active Directory setup as an external data source. Once you do that Click on Administration - - Admin Access.
For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
Then click in Administrators - - Admin Users. Click Add a user - - Create Admin User. Ensure to check the External box and you will notice the Password field goes away. Fill out the appropriate information and then assign them to an Admin Group.
Once you are done with that you can test that user by logging out of your ISE session. You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user. Change the selection to Active Directory and enter the AD user/password for the newly created account you should be good to go.
Make sure that you don't delete or disable your original admin account in this process. (Change the password if you like.) -
Can't connect to Small Business Server 2003 via Active Directory
I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac authenticate via AD? Please help!
Hi Andbrowny, thanks for your response.
Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.