10.7.2 & Active Directory

I know that Lion first two releases has issues with Active directory.. but Im using 10.7.2 now and I was able to bind my Mac to the main domain but not with the child domain..
main domain: domain.com
child domain: test.domain.com
I'm able to bind 10.5 & 10.6 with the child domain just fine.. but not 10.7, and when i try to bind 10.7.2 it goes through the process and then dsplay an error message: Authentication server failed to complete the requested operation.
Any idea ?

I was having the same issue and it seemed to stem from a mis configuration in Kerberos. I nuked the local KDC and the bind worked as expected.
Destroy Local KDC:
sudo rm -rf /var/db/krb5kdc
sudo rm -rf /etc/krb5.keytab
sudo rm -rf /Library/Preferences/edu.mit.Kerberos
Bind the Server to Active Directory.
Also - and I'm not sure if this had any effect, but in our Domain our Admin accounts are in a different forest than the computer accounts and standard user accounts, this is usually not an issue, but just to be safe, instead of allowing the AD plugin to create the computer object I created it in the correct OU first and made sure that my standard user which lives in the same forest had permission to join that object.

Similar Messages

  • SharePoint Foundation Active Directory Problem

    Hey,
    I have a problem with the Active Directory connection to SharePoint Foundation.
    My Situation looks like this:
    I'm working on a kind of project controlling plattform. Each of our customers has its own site. Also each customer has an account in our Active Directory. For the administrative part, we have a list which contains some infos of the customer, the url to its
    site and the contact person.
    I wrote an import-script which creates a site and a new item in the list. To put the contact person in the list-item, I use a code-snippet like this:
    try
    user = web.EnsureUser(loginName);
    catch (Exception ex)
    throw new Exception("LoginName " + loginName + " not found");
    Now the problem is, that the try/catch block fails too often which means: SharePoint doesn't know the loginNames of some of our customers.
    Why does SharePoint not know maybe 1/5 of all our customers? All of them have an account in our active directory, none of them ever logged in the SharePoint (at the time they even doesn't know, that they have a SharePoint site for this project).
    I searched the internet for the problem but all I found where questions related to the synchronization of ad-properties to SharePoint Foundation. But I don't want to sync the phone-number or something like that - I want SharePoint only to know all the loginNames
    of our customers, not only 1/5 of them.
    How do I achive this, what am I doing wrong?
    Thank you!

    web.EnsureUser has nothing to do with the UPS at all. This has nothing to do with synchronisation (it does have a role but it's a maintenance one and nothing to do with authentication.
    The simplest answer is that the login names are being entered wrongly. Having said that there are a few areas you can look at to try to identify the problem:
    Does it fail repeatedly for the same username? Can you add that user to the site manually using a people picker control and if so will the script work afterwards? Are there any trends in the user accounts that SharePoint cannot find?

  • Error while creating a user in Active Directory.

    Hi Guys,
    I am creating a custom connector for AD and Exchnage , I am able to create user in AD using my Java Code... but i am also getting below error, I want to finish the operation smoothly.... Please find below error logs.
    13:51:15,635 ERROR [STDERR] Data AccessException:
    13:51:15,636 ERROR [STDERR] com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_AD_CHILD_GRP_NAME from UD_AD_CHILD where UD_AD_CHILD_KEY = Description: ORA-00936: missing expression
    SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
    at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getChildTableFieldValue(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
    at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.insertResponseMilestones(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.update(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.updateSchItem(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeProcessAdapter(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeAdapter(Unknown Source)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpCREATEADUSER.implementation(adpCREATEADUSER.java:85)
    at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
    at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(Unknown Source)
    at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(Unknown Source)
    at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(Unknown Source)
    at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
    at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
    at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
    at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
    at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.setProcessFormData(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
    at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
    at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
    at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
    at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
    at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
    at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
    at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
    at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
    at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
    at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
    at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
    at org.jboss.ejb.Container.invoke(Container.java:960)
    at sun.reflect.GeneratedMethodAccessor135.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
    at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
    at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
    at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
    at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
    at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
    at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:112)
    at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
    at $Proxy758.setProcessFormData(Unknown Source)
    at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
    at $Proxy803.setProcessFormData(Unknown Source)
    at com.thortech.xl.webclient.actions.DirectProvisionUserAction.handleVerifyProcessData(Unknown Source)
    at com.thortech.xl.webclient.actions.DirectProvisionUserAction.goNext(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
    at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
    at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
    at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
    Thanks,
    Hemant

    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
    This is definitely a Custom Adapter because OOTB Adapter name is adpADCSADDUSERTOGROUP and NOT adpADDUSERTOADGROUP
    So, it is your custom code and in the code you are passing incorrect value of the Active Directory Child process form...
    The correct name is UD_ADUSRC and the Group Name column name is UD_ADUSRC_GROUPNAME.
    While you are passing UD_AD_CHILD as the child process form and UD_AD_CHILD_GRP_NAME as Group Name column name..
    Use OOTB Adapter... Correct these discrepancies... Your addition of group will work
    And since you are creating custom adapter, you need to be more careful and remain consistent throughout..
    Then if you want to use UD_AD_CHILD_GRP_NAME, use it everywhere consistently... Pass only this value in the adapter...
    And even in lookups, if any... Search everywhere... Keep things consistent... They will work... Because good news is that you are able to create user in AD via Java Code...
    And if any post is even slightly helpful, it is a good habit to mark it with helpful or correct ... And also mark the entire question as answered so that other people also are benefited.

  • OIM 9.1.0 Integration with Active Directory 2008 R2

    Hi,
    My customer is running Root/Child AD structure based on windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domains controllers which runs windows server 2003 as well.
    My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
    Am not sure if current OIM version of OIM 9.1.0 is compatible and supported by OIM v9.1.0 under active directory version 2008 / R2, and not sure if it can be integrated with such AD version.
    Any guidance is really appreciated.
    Also I was thinking of such scenario but also not sure of its support ability and if OIM will keep working on such scenario, the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
    Is this a working and supported scenario by OIM v9.1.0 ?

    I believe you question should be if the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
    -Bikash

  • Laptop (Running Windows 8.1) no longer able to print and now see message Active Directory Domain Services is not available

    Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
    or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
    this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
    admin rights) It never lets me fully connect to it.
    I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services,  etc. Its really annoying because this printer was working fine nearly 2
    weeks ago. Looking for any advice now. Thanks.
    -Chris

    Hi Chris,
    à
    I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
    I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
    if this printer still exist in registry. For more details, please refer to following KB.
    Registry entries for printing
    If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
    then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
    àand now see
    message Active Directory Domain Services is not available
    By the way, would you please let me know where/when get this
    Active Directory Domain Services is not available error message? Or provide a screenshot of it?
    (Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
    Printer
    Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
    does not guarantee the accuracy of this information.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Active Directory accounts no longer connect to Server

    I administrate a small office network.
    We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
    After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
    When attempt to connect to smb://storage (the 2003 server appliance) we get a Error code -36 -- could not be read or written.
    This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
    Also of note, the AD accounts have no problems accessing shares on the 2000 server.
    Any ideas why this is only effecting AD accounts and a solution?

    There are a couple of things you can check...
    1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
    2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
    3. Use a 3rd party software on the Windows 2003 Storace Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our MAc users. We use ExtremeZ-IP... I have nothing bu great things to say for it...

  • New Server 2012 install - Active Directory not working properly

    We recently converted from 2003 to 2012. Our 2012 R2 server seems to be running fine. We did a DCPROMO on the OLD 2003 DC just fine but now there are all sorts of odd errors (Sharepoint can't authenticate users, Can't run Exchange 2013 on another 2012 server
    because it can't find AD, etc.)
    on the DC we have a Group Policy error 1096. "Group Policy Object LDAP://CN=User,cn={2B476B3E-2749-4B1B-8EC1-F5672A66F94F},cn=policies,cn=system,DC=mydom,DC=local\\mydom.local\SysVol\mydom.local\Policies\{2B476B3E-2749-4B1B-8EC1-F5672A66F94F}\User\registry.pol"
    So far I haven't found anything on how to fix this (and the AD itself.) There are some errors in the DCDIAG log, too:
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\ISD-DC1\netlogon)
             [ISD-DC1] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
    Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
    Any suggestions how we can fix these errors are greatly appreciated!

    Hi,
    Did you migrate the Active Directory from Windows server 2003 to Windows server 2012?
    Please refer to this article:
    https://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Regards.
    Vivian Wang

  • Creation of a second Exchange 2013 server on a different site (with the roles of MBX and CAS) fails on prepare active directory and prepare schema.

    Hello everyone
    I have a network infrastructure  consisting of 3 sites, site A, site B, and site C. i have 2 domain controllers on every site, and the AD roles are on the primary domain controller on site A. On site A I have an Exchange 2013sp1 CU6.
    I want to create a second Exchange on Site B, with the roles of mailbox (the exchange on Site A will be first DAG member and the Exchange on Site B will be the second member of the DAG) and CAS.
    First question: Is my  thought correct about installaing on the same server mailbox and CAS server?
    Second question: how many DAG witnesses I need for the DAG? One per site, or one in general (for example located on site A)
    Third question: When I am trying to perform “Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms”  I receive the error
    “ Setup encountered a problem while validating the state of Active Directory:
     The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema can't be executed.  See the Exchange setup log for more information on this error. For more information, visit:
    http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx “
    I tried  to run the PrepareSchema from  the ISO of Exchange 2013 SP1 and form the extracted content of Exchange 2013SP1 CU6 archive, but still receive the same error. Any ideas?
    Thanks in advance.

    Thank you for your answer,
    I have tried to run "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms”  from
    Exchange 2013 CU6 media, but I still receive  the error:
    The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema
    can't be executed.  See the Exchange setup log for more information on this error. For more information, visit:http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx “
    any ideas?

  • How to install Small Business Server 2008 in an existing Active Directory domain

    It is shown on this page:
    http://support.microsoft.com/kb/884453, "How to install Small Business Server 2003 in an existing Active Directory domain".
    Is it possible to do this with SBS2008 ?
    If "YES", are there any published information about the procedure ?

    Yes, it is. Thank you very much.
    But there is something that confuses me - I want to migrate from Win2003Std to SBS2008. And also, I want to keep the existing Win2003Std as a second DC for a long time.
    But it is written in the shown article:
    ... After the migration is finished, you must remove the Source Server from the network within 21 days. ...
    Is this rule mandatory for the scenarios where the Source Server is Std, not SBS ? As I know, I can have more than one DC(Win2003Std/Win2008Std) together with SBS2003. But what about SBS2008 ?

  • Active Directory LDAP integration; can not see the XMLP_ groups/roles

    We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
    It is working to a certain extent:
    Users can log on to the XML Publisher using login/password as defined in AD.
    -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
    Problems/questions:
    The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
    -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
    Is there any way to monitor the login process to try and see what goes wrong?
    -Roald
    -Roald

    The problem has been solved, it was self inflicted, typo in the config file:
    <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
    (semicolon instead of comma after Users).
    It is a little surprising that this typo lead to problems with group matching, though. It took some time before this part of the config got enough attention.
    -Roald

  • Looking for Help with Active Directory Script to Remove a User from msExchDelegateListLink

    I'm struggling to put together an Active Directory Powershell script that will remove a specific user from the msExchDelegateListLink.
    It looks like Set-AdUser would do the trick. I would want to remove a user in the format of
    {CN=Wood\, Sandy,OU=Networking,OU=IT,DC=my,DC=domain,DC=com}
    Has anyone succeeded in doing this before?
    Orange County District Attorney

    I use this:
    $user = '<user name>'
    $userDN = Get-ADUser $user | select -ExpandProperty DistinguishedName
    $delegates = Get-ADUser $user -Properties msExchDelegateListBL |
    select -ExpandProperty msExchDelegateListBL
    foreach ($delegate in $delegates)
    Set-ADUser $delegate -Remove @{msExchDelegateListLink = "$UserDN"}
    Never quite got around to putting it into a function.
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

  • Cannot log into DTR with Active Directory User

    Greetings,
    I have set up and installed JDI correctly.  I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user.  I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
    500   Internal Server Error
      SAP J2EE Engine/6.40 
      Application error occurred during the request procession.
      Details:   Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!].  The ID of this error is
    Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
    This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error. 
    Any help is greatly appreciated.
    Thanks,
    Marty

    Hi Marty,
    In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
    http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
    It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
    Regards,
    Manohar

  • Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

    We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
    The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
    Additional technical information:
    Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
    Timestamp: 2015-04-14 12:27:20Z
    AADSTS50020:
    User account '[email protected]' from external
    identity provider 'live.com' is not supported for application
    'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
    be added as an external user in the tenant. Please sign out and sign in
    again with an Azure Active Directory user account.
    It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

    I assume you created a web application using VS2013 which uses the WS-Federation protocol.
    The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
    For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
    The user will need to either sign-out or use an in-private session in the browse.
    If you switch to openID connect(sample at
    https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

  • Active Directory, single sign-on and  SRM Users

    We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
    - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
    - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
    My questions are:
    1. If active directory is being used do we need to create actual users within the SRM system?
    2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
    Many Thanks

    Hi Claire,
    The Single Sign On work only if user exist on every systemes.
    For example :
    If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
    For Active Directory you can synchronize your user table to AD by using LDAP option.
    The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
    Finally use the SSO certificate between Portal ECC and SRM.
    Regards,
    Gilles SEBBAG
    Sap Technical Consultant.

  • Single sign on and microsoft active directory

    Hi,
    I have EBS 12.1.3 on linux. I know that I can implement single sign on to login to EBS. Now the question is: can I integrate this single sign on with my existing Microsoft Active Directory? Can you send me some links or documentation?

    Self-reply:
    http://blogs.oracle.com/stevenChan/2006/05/indepth_using_thirdparty_ident.html
    Thanks

  • SSO using Windows Active Directory but without EP or Java stack

    Good morning and thank you in advance for your help.
    The question is:
    our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
    I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
    Best regards
    Max

    Hi Willi,
    It won't be that easy to understand each other... as my english is not that good either
    Most of the points introduced in the SAP help link are automatically performed by sapinst.
    Almost all my customers running on MS are not using an AV, and neither get into troubles...
    but no user ever connect on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
    Internet explorer should not be used on a sever, MS itself says it should be uninstalled...
    Best regards
    SAP on SQL General Update for Customers & Partners April 2014
    10. Do Not Install SAPGUI on SAP Servers
    Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
    To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
    “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
    SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
    SAP on SQL General Update for Customers & Partners September 2013
    Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
    The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
    Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

Maybe you are looking for