AAA integration with Microsoft NPS RADIUS Active Directory

Hello all,
   We are looking to centralize administrative authentication to our switches and routers using AD domain groups, the oldest switches being 3560s. There are many great guides online on how to do this using MS NPS, but they all seem to require NPS to use PAP and SPAP as the authentication methods between the RADIUS clients (switches) and NPS, which are clear text protocols. Is this the only option to make this work? Of course the main concern would be the high level AD user account passwords being transmitted across the wire. Am I correct in thinking that AD passwords are indeed involved in the process, and NOT just the checking of the Shared Secret between the RADIUS clients and NPS, and then the AD group membership? Also, what would be a secure alternative where AD passwords would not be sent in clear text? Any clarification would be great.
Thanks, Dennis

Hello Dennis-
The password would not be sent in clear text. Instead, it is encrypted by the NAD (in your case, the switch) before it is forwarded to the RADIUS server. The "shared secret" is used in the encryption process, which is why the secret is not sent across the network. In addition, this is why the shared secret should be a complex one. For more info, check out the links below:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html
http://technet.microsoft.com/en-us/library/cc771660%28v=ws.10%29.aspx
I hope this helps!
Thank you for rating helpful posts!
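The transform the reply refers to is the RFC 2865 User-Password hiding a RADIUS client applies before the Access-Request leaves the switch. The code below is an added example, not code from the thread or from Cisco or Microsoft; the secret, password and Request Authenticator are constructed values. It shows that the hiding is keyed only by the shared secret plus a per-request random authenticator and is fully reversible by any holder of the secret, which is why the reply stresses a complex secret and why the path between switch and NPS still deserves a management network.

```python
"""RFC 2865 section 5.2 User-Password hiding, as done by a RADIUS client (NAS)
such as a switch. Added example; not code from the thread. All values below
are constructed."""
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value carried in an Access-Request.

    Pad the password with NULs to a multiple of 16 bytes, then XOR each 16-byte
    block with MD5(secret + previous ciphertext block); for the first block the
    'previous block' is the 16-byte Request Authenticator from the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += cipher_block
        prev = cipher_block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse transform, as the RADIUS server (NPS) holding the same shared
    secret performs it. Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key_block))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    """Round-trip a constructed password and show what an observer sees."""
    secret = b"example-shared-secret-not-for-production"  # constructed
    authenticator = os.urandom(16)  # the NAS picks a fresh random value per request
    password = b"P@ssw0rd-of-AD-admin"  # constructed
    on_wire = hide_user_password(password, secret, authenticator)
    return {
        "wire_len": len(on_wire),
        "wire_hex": on_wire.hex(),
        "recovered_by_server": reveal_user_password(on_wire, secret, authenticator),
        # Without the right secret the same transform yields junk, not the password.
        "recovered_with_wrong_secret": reveal_user_password(on_wire, b"wrong", authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```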

Similar Messages

  • Integrating SAP ECC 6.0 with Microsoft Windows 2003 Active Directory

    Hi Gurus,
    We are planning to integrate our SAP ECC 6.0 with Microsoft Windows 2003 Active directory.
    I have several questions on this:
    1. Can i authenticate all the users from SAP
    2. It is used only for user authentication or can it be also used for password authentication
        ie user can login using his windows password?
    3. While integration in SAP does a separate table or a field is created in database.
    4.If a employee leaves a company than in SAP is it possible to lock & deactivate the user automatically.
    Thanks in advance.
    Regards,
    Nihar

    Hi Mastek,
    You should be able to accommodate your needs with respect to integration of your AD accounts with SAP ECC ABAP. This can be done via LDAP connector configuration. The below has info on how to perform the configuration at a high level. You will have to integrate, and map certain user data. You may also want to do some LDAP Connector research:
    [http://help.sap.com/saphelp_nw70/helpdata/en/10/1a063a15c611d4b61f0000e835363f/content.htm]
    On the Java stack, you can also configure UME to integrate/authenticate with AD:
    [http://help.sap.com/saphelp_nw70ehp2/helpdata/en/12/7678123c96814bada2c8632d825443/content.htm]
    Hope this helps!

  • ECC 6.0 integration with Microsoft Dynamics CRM

    Hi All
    I am working on an ECC 6.0 integration with Microsoft Dynamics CRM. I need to send the customer master data, va01/va02, vl01n/vl02n/vf01/vf02 to the CRM system. One option I have is to send it in the form of IDOC with TRFC - TCP/IP. But it looks like this needs a middleware like BizTalk.
    Is there a way I can send this data using an Internet service in ECC 6.0? As this would cut the cost of BizTalk.
    I really appreciate your thoughts on this. We don't have XI either.
    Thanks a lot
    Van

    Hi Van Dan Jan,
    We have just implemented integration of SAP with the Microsoft stack (Microsoft CRM, SharePoint and Axapta), but in all integrations BizTalk was used as a middleware.
    There are two kinds of requirements:
    1. Whenever most of the control is at the Microsoft level, like customer creation or creation of orders, which need to be synchronous activities, we have used RFC which internally calls BAPI (so the SAP adapter is configured at BizTalk), and whenever BizTalk receives a request file from CRM or SharePoint at their location they call SAP RFCs.
    2. When data is needed from SAP to the Microsoft stack, like to synchronize missing transactions (customer pad and all).
    A scheduled job at the BizTalk end calls SAP to get the data via RFC:
    In SAP we have two things:
    1. If the data size is small (below 2 MB), like which sales contracts were created in SAP in the last hour that need to be updated in the Microsoft system, then BizTalk will trigger a job at a 1 hour interval or on demand to get the details, which we pick directly from the database or using BAPI via RFC.
    2. If the data size is large (more than 2 MB), like all transactions that happened in a day for all customers, then we write the data to the OS or application server, and that job also gets initiated from the BizTalk end by sending a parameter to SAP.
    The advantage of using BizTalk is that most of the control can be given to them, so they can run their jobs on demand.
    There is something known as a web service we could use to avoid an interfacing tool, but I don't have much idea about that,
    and please check how many interfacing points there are with SAP in your project, because if there are many interfacing points then I think it is not good to write web services for so many things.
    Do let me know if you need further information.

  • Monitoring Microsoft Windows 2008 Active Directory by a remoted Agent

    Oracle documentation (E14542-01) said that for remote Agent monitoring with default settings, Grid Control can monitor only the Active Directory associated with the primary domain controller.
    But for Microsoft Windows 2008 Active Directory primary domain doesn't exist anymore, can we use a remote Agent to monitor Microsoft Windows 2008 Active Directory ?
    Thanks
    Dominik

    Dominik wrote:
    > Oracle documentation (E14542-01) said that for remote Agent monitoring with default settings, Grid Control can monitor only the Active Directory associated with the primary domain controller.
    > But for Microsoft Windows 2008 Active Directory primary domain doesn't exist anymore, can we use a remote Agent to monitor Microsoft Windows 2008 Active Directory ?
    I think you can monitor it. Please check:
    Oracle Enterprise Manager Grid Control Certification Checker [ID 412431.1]
    How to Install the Microsoft Active Directory Plugin for Grid Control R2 [ID 359621.1]
    Regards
    Rajesh

  • SAP Workflow integrated with Microsoft Outlook

    Hello All,
    I have the following question. When a work item arrives in the SBWP inbox, as soon as the work item is executed by the user the work item disappears from the SBWP. Now my question is: if SAP Workflow is integrated with Microsoft Outlook (so that an email containing the work item as a link reaches Outlook), is there a way to make the email disappear from Outlook as soon as the SAP work item is completed?
    Can someone throw some light on the same.
    Thanks,
    Sachin

    Hi,
    Duet workflow scenario is available. SAP Application sends workitem to Duet Server and Outlook client has Duet add-in. You need Duet Server and user license.
    Also SAP MAPI Service Provider is available. You can access SAP Inbox items from your outlook client. I think SAP MAPI Service provider is free.
    Regards,
    Masa

  • DPM integration with Microsoft Azure backup queries

    Hi All,
    We have set up a test environment with the details below:
    DPM 2012 R2 on a VM (Windows 2012 R2)
    We are using a raw disk of 200 GB for disk staging.
    DPM integrated with Microsoft Azure.
    Able to take file backups and database backups from DPM and can perform the restore from disk staging as well as from Azure.
    Queries:
    Will DPM support deduplication for Exchange (2007, 2010, 2013) databases and for SQL databases (2000, 2005, 2008, 2012, 2014)?
    On-the-wire compression is enabled, but how do we verify that?
    Is it possible to mount the raw disk to some other drive except the local disk (C:\)?
    How do we do granular recovery in DPM 2012 R2 for Microsoft Exchange?

    Chris,
    Really sorry for the delay in response.
    I found lots of warning messages in the logs like below one:
    578    788    24-Apr    20:49.7    18    readeriterator.cpp(587)    [000000002435A140]    0BABF215-19DF-49F5-B8DF-7210CB336DD5    NORMAL  
     "CFileReaderIterator:GetNextFileReader -> Skipping Hardlink with Physical FilePath: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy34\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001042b_31bf3856ad364e35_6.2.9200.16384_none_f8e4c1f6d2951dd3\KBDARMW.DLL,
    Logical FilePath: \\?\Volume{bd3973d0-2f82-11e4-93f6-806e6f6e6963}\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001042b_31bf3856ad364e35_6.2.9200.16384_none_f8e4c1f6d2951dd3\KBDARMW.DLL"
    578    788    24-Apr    20:49.7    18    readeriterator.cpp(587)    [000000002435A140]    0BABF215-19DF-49F5-B8DF-7210CB336DD5    NORMAL  
     "CFileReaderIterator:GetNextFileReader -> Skipping Hardlink with Physical FilePath: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy34\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001042e_31bf3856ad364e35_6.2.9200.16384_none_fa395780d1ba2b68\KBDSOREX.DLL,
    Logical FilePath: \\?\Volume{bd3973d0-2f82-11e4-93f6-806e6f6e6963}\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001042e_31bf3856ad364e35_6.2.9200.16384_none_fa395780d1ba2b68\KBDSOREX.DLL"
    So, I'm checking with the concerned guys here about this. I'll get back to you once I receive any update from them. However, if it is very urgent and you need immediate assistance, I suggest you open a support ticket with the Azure technical support team, as they will be able to provide you a very quick solution.
    Regards,
    Manu

  • CCME integration with Microsoft Business Contact Manager

    Hi,
    Can anyone tell me if a CCME can be integrated with Microsoft BCM such that when a call comes in, details of the client pop up, should they exist in the Business Contact Manager.
    Finding exact information is like finding a needle in a haystack.
    Regards
    LN

    Hi Swinster,
    Apologies for the late reply.
    What is your current situation? As JS2010 stated, also in this KB article:
    http://support.microsoft.com/kb/2101557
    During the 'Specialize phase' of Sysprep, Sysprep.exe looks at the Last Modified Date of the ntuser.dat file for each user profile to determine which user profile to copy to the default user profile. However, the earlier cleanup functions of sysprep.exe load each Ntuser.dat file to make security ID (SID) generalizations. You cannot predetermine which user profile will be copied if more than one user profile exists.
    How about we skip the copyprofile option?
    Further, see if the following article would help to customise the user profiles settings:
    Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2
    http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx
    Or we may consider seeking help at the Office Outlook forum for the BCM deployment.
    Best regards
    Michael Shao
    TechNet Community Support

  • Groupware integration with Microsoft Exchange server

    I have a query regarding Groupware integration with Microsoft Exchange server: whether we require the IIS server and Microsoft Exchange server on the same machine for Groupware integration, or whether they can be on different machines.
    thanks,
    Pramod

    Hi,
    We actually implemented integration of SAP with Microsoft Exchange server. It is not necessary for the server and IIS to be on the same machine.
    regards,
    Ganesh.N

  • ACS Integration with Microsoft Active Directory Services

    Hello Everyone,
    I've been tasked to design the integration of ACS with MS AD. What I want to know is the below, assuming I have a software ACS or an ACS device and the protocol for authentication is RADIUS:
    - What are the criteria for the AD to integrate with the ACS software or appliance?
    - Should that AD be hosted on the domain controller or not?
    - If not, on what (Domain Controller, Tree, Forest, Branch, Flower, Fruit  ) should the AD be hosted on?
    - What will I have to do to authenticate users logging into Cisco Security Manager with ACS integrated with AD?
    - Are there any other dependencies that I will have to categorically mention in my design document?
    Thanks,
    Rishi

    In ACS v5.x, there is a screen for integrating the ACS with AD. 
         (Users and Identity Stores > External Identity Stores > Active Directory)
    Just enter the local domain name (domain.com) and a valid AD administrator account username and password, and the ACS will connect to the domain.  This allows you to use existing AD credentials to login and administer your network devices. 
    Tying the ACS to AD really only takes one screen and less than a minute, but you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to set up a search sequence (Users and Identity Stores > Identity Store Sequences) to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts.  The permissions part is still fairly quick, and it only takes me about 45 minutes to build an ACS from scratch including all AD integration and custom RADIUS attributes for some of our devices. 
    The authentication would occur like this:
    User SSH/telnet/console to device
    Device contacts ACS using TACACS or RADIUS
    User receives login prompt and enters AD credentials
    Device sends credentials to ACS
    ACS validates credentials in AD
    ACS sends authentication OK message to Device
    Device logs user in.
    Command Authorization looks something like this:
    User enters a command
    Device sends command authorization request to ACS
    ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group
    Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device
    Device allows or denies the user command.
    Criteria:  We use an ACS 5.2 virtual machine and have had it work perfectly with Server 2003 and Server 2008.
    AD is hosted on our local domain controller (Bonus:  no planting of flowers required!)
    Dependencies: 
    Issue:  The Device looks to ACS.  ACS looks to AD.  If AD fails, users cannot use their AD credentials to login.
              Device ---> ACS ---> AD
    Solution:  Configure the Device to look at ACS first, then a local table if ACS is not available.  Also, configure the ACS to look at AD first, then a local ACS account list if AD is not available.  (You can configure local user accounts on the Device and in the ACS) 
              Device ---> ACS ---> AD
              Device ---> ACS ---> AD ---> ACS local
              Device ---> ACS ---> AD ---> ACS local ---> Device local
    The new version of Cisco ACS is UNIX-based, and you can download a free trial to load up and try before you buy.  It is far FAR superior to the old ACS v3.3 that we had for years.
    I hope this helps for your design document!
    --Chris

  • Portal Integration with Microsoft Active Directory

    We are working on a project to integrate Oracle9iAS Portal with Microsoft Active Directory. I am wondering if anyone has any experience with this and hence suggestions. Particularly, I'm wondering if it's possible, and how, to use Active Directory to manage the Portal user accounts and group relationships?

    Please note that we finally got this working. For Active Directory's sake, I would suggest using userPrincipalName or sAMAccountName as the Unique Attribute. Also, note that Active Directory uses OUs for organization, not CNs, so the search base should be either just the DN of the domain or an OU in the domain. Also, be sure to specify the full DN of the Bind DN, as in CN=Administrator,CN=Users,DN=domain,DN=com

  • ODI Integration With Microsoft Active Directory to bring User id to Table

    Hi All,
    I have to bring the User Id of employees from the Microsoft Active Directory based on the Mail id of the user.
    I have a table like below:
    User_name    Mail_id
    Vishwas      [email protected]
    John         [email protected]
    Depak        [email protected]
    I need to bring the User id of those employees from Active Directory and load it into another table.
    Now the issue is, what are the things I have to perform in ODI to do this?
    I have gone through some of the blogs for the same, but everywhere I found ODI being used for external authentication.
    Can I get the User Ids in a relational table so that I can join it with the above table and load it to the target?
    Please let me know if anybody has the solution for it.
    Thanks
    Regards

    I think you can use the LDAP driver to read entries from your LDAP server. Please check the documentation at LDAP Directories - 11g Release 1 (11.1.1)

  • Issue with Reset Password from Active Directory Integration Pack

    I seem to be having some issues with a subscription in the Reset Password activity from the Active Directory Integration Pack. The "User Password" field refuses to take a value from a subscription provided earlier in a Generate Random Text activity. As you will see in the screenshot below, when the Reset Password activity runs, the User Password value is blank.
    Any idea why this might be happening? It looks like a possible bug with the Active Directory Integration Pack.

    Hi John,
    I think this is not a bug, this should be by design because the password is a secure string. If you look for the Published data for Reset User Password activity at
    http://technet.microsoft.com/en-us/library/hh553463.aspx it is not listed there as well.
    If you need the string (e.g. to send it via email) use the data from the "Generate Random Text" activity.
    Regards,
    Stefan
    www.sc-orchestrator.eu ,
    Blog sc-orchestrator.eu

  • 802.1x MAB with Microsoft NPS ieee802Device object group

    Hi,
    according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
    - Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
    - Created a new OU "ethers" in AD
    - Created a simple object by means of an ldifde.exe import:
    dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
    changetype: add
    objectClass: myieee802Device
    cn: 001b21******
    macAddress: 00:1b:21:**:**:**
    When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
    Has anybody got this running so far?
    Stefan

    Stefan,
    Many thanks for your reply. In my test environment, what I have encountered is:
    1. I created the user account and used the MAC address as account name and password, which can log in to the AD.
    2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:
    http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
    3. Created the network policy, which uses MD5 as the EAP type, and selected PAP as the authentication method.
    4. Enabled the 802.1x and MAB functions on the port of the Cisco 3750.
    In testing, 802.1x works fine, but when I try to authenticate with MAB, I get the below error in the NPS event log:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            QBBB\002622c997ff
        Account Name:            002622c997ff
        Account Domain:            QBBB
        Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        3C-DF-1E-C6-48-13
        Calling Station Identifier:        00-26-22-C9-97-FF
    NAS:
        NAS IPv4 Address:        10.197.40.2
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50219
    RADIUS Client:
        Client Friendly Name:        Wired
        Client IP Address:            10.197.40.2
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        QINGXXX1.QBBB.net
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Just for your reference, and I hope it helps you, thanks a lot!
    --Scott
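A small triage helper for NPS "denied access" events like the one above, added here as an example and not code from the thread or from Microsoft. It assumes the indented "Key: value" layout of Scott's event, splits it by section so the User and Client Machine fields do not collide, and maps reason code 65 to the fix the event's own Reason text describes; SAMPLE_EVENT is a trimmed copy of that event.

```python
"""Triage helper for NPS 'denied access' events (added example, not from the
thread). SAMPLE_EVENT is a trimmed copy of the event Scott posted."""
import re

# Hint for the one reason code the thread discusses, taken from the event's own
# Reason text; extend this map with codes you meet in your logs.
REASON_HINTS = {
    65: "AD account Dial-in permission is 'Deny access'; set it to 'Control "
        "access through NPS Network Policy' (ADUC, Dial-in tab).",
}

SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
User:
    Security ID:            QBBB\002622c997ff
    Account Name:            002622c997ff
    Account Domain:            QBBB
Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Calling Station Identifier:        00-26-22-C9-97-FF
NAS:
    NAS IPv4 Address:        10.197.40.2
    NAS Port-Type:            Ethernet
Authentication Details:
    Network Policy Name:        Connections to other access servers
    Authentication Type:        PAP
    EAP Type:            -
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""


def parse_nps_event(text: str) -> dict:
    """Return {section: {key: value}}; '-' becomes None. Unindented lines are
    section headers, so User/Account Name stays apart from Client Machine/."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip().rstrip(":")
            sections.setdefault(current, {})
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        sections.setdefault(current, {})[key.strip()] = None if value == "-" else value
    return sections


def looks_like_mab(sections: dict) -> bool:
    """MAB logs the endpoint MAC as the account name, with no EAP type."""
    account = (sections.get("User", {}).get("Account Name") or "").lower()
    calling = sections.get("Client Machine", {}).get("Calling Station Identifier") or ""
    mac = re.sub(r"[-:.]", "", calling).lower()
    no_eap = sections.get("Authentication Details", {}).get("EAP Type") is None
    return bool(mac) and account == mac and no_eap


def triage(text: str) -> dict:
    """Pull out what an operator needs from one event."""
    s = parse_nps_event(text)
    auth = s.get("Authentication Details", {})
    code = int(auth["Reason Code"]) if auth.get("Reason Code") else None
    return {
        "nas": s.get("NAS", {}).get("NAS IPv4 Address"),
        "endpoint_mac": s.get("Client Machine", {}).get("Calling Station Identifier"),
        "auth_type": auth.get("Authentication Type"),
        "reason_code": code,
        "mab": looks_like_mab(s),
        "hint": REASON_HINTS.get(code, "no hint; read the Reason text"),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_EVENT).items():
        print(f"{name}: {value}")
```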

  • OIM integration with Microsoft CRM by using webservices? (OIM: Oracle Identity Management)

    Hi Guys,
    Can you provide me with an integration document for my new project:
    OIM with Microsoft CRM, by using web services.
    Venkat
    [email protected]

    user1106726 wrote:
    > We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
    > We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
    > Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to. All AD account provisioning/de-provisioning, acct updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In other words no direct interaction with AD domain controllers from Oracle IdM, everything will go to ILM and ILM in turn applies it to AD.
    > Is this possible?
    Yes
    > Is there a custom connector that will work with ILM 2007/FIM 2010?
    Yes, if you write one you will have a custom connector.
    > Is this a simple customization or something that can be problematic and expensive?
    It won't be simple. Problematic and expensive maybe, depends on how good you are with OIM and ILM.

  • Windows client error joining with Samba 4.2 Active Directory server

    I have a basic Samba 4.2 ADC setup on CentOS 7 and I get an "RPC server not available" error whenever I attempt to join a Windows client to the domain. The smb.conf is the default one created during provisioning. All indicated pre-testing seems to work as expected. The Windows client finds the domain and recognizes whether a user is valid or not, but the last step of joining the domain ends with the error "Unable to join the Domain: RPC server not available." Does anyone have any ideas?
    Thanks, Paul
    This topic first appeared in the Spiceworks Community

    I have a scenario for you in active directory when two passwords may be valid:
    Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
    Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
    The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
    User1 decides to call the helpdesk and changes his password to "456".
    The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be valid.
    If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
    Regards,
    ~JG
    Do rate helpful posts
