ACS and Domain Level

Hello All,
Since I recently updated my MS AD domain level from 2008 to 2008 R2, my ACS AD authentication no longer works. It appears the Cisco client does not support a 2008 R2 domain level. Has anyone ever reverted backwards?
Cheers
Colin

Hi Colin,
Could you please clarify which version of ACS you are using?
For example, if this is an ACS 4.2 appliance with a remote agent installed on the Windows server, then Windows 2008 is not supported:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp308532
If this is ACS 5.2, then Windows 2008 R2 should be supported:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1248491
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • 2003 forest/domain level

    I am currently looking at upgrading our domain from 2003 to 2012. I currently have 4 domain controllers spread out and all replication is healthy. I have two 2003 domain controllers and two 2008 R2 domain controllers. I need to know what is the best practice for promoting a 2012 R2 server to a DC and would that cause log on issues?
    I've read some articles online that state all the current domain controllers should be fully updated before bringing in a 2012 domain controller. Can someone point me in the right direction? Are there articles I can read regarding this?
    Thank you

    Hi CRMNoon,
    If you want to have a 2012 forest and domain level you need to have 2012 DCs only.
    Make sure your domain is healthy. Then when promoting a Server 2012 R2 to a DC, you need to consider the current environment and which domain controllers hold the FSMO roles.
    http://community.spiceworks.com/how_to/57636-migrate-active-directory-from-server-2003-to-server-2012-r2
    Here is the link for Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2:
    http://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Known issues for upgrading domain controllers to Windows Server 2012 R2:
    https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_KnownIssues

  • Domain and User Level Security

    Dear Friends
    Tuxedo Version : 8.0
    Weblogic Server: 7.0
    Operating System : Win 2000
    I have successfully run the simpapp example with WTC as the connector between the remote domain (Tuxedo) and local domain (WLS).
    Now I want to perform authentication; the documents are not being of much help, so can anybody give me any suggestion to create domain level security and ACLs?
    Please note, I'm just using the services (import).
    As per the documents and newsgroup, I made changes to the TUXEDO ENVIRONMENT, ubbdomain, adding SECURITY and AUTHSERV parameters in it.
    I also made the respective changes in WTC, but when I run the example, it throws an exception as TPENOENT.
    Thank you in anticipation.
    Please help me!

    Hi Shamu,
    I answered similar questions in a posting with the title "Service Authentication How to". The questions were posted after your post.
    Check out the questions and my reply to see whether they are useful to you.
    Regards,
    Honghsi

  • Domain Level and Backup AD as VM?

    We're currently running Windows 2012 R2 Essentials (25 user license default) as the DC. We're thinking of having the 2008 R2 as the secondary (backup) DC. Questions are:
    1. We have the AD recycle bin enabled; would it cause any issues lowering the domain level to 2008 R2?
    2. Can 2008 R2 run as a VM on Hyper-V (the host is 2008 R2 and part of the domain, but not a DC)?
    Thank you,

    Yes you can run a VM and promote it as a domain controller, however if your domain / forest functional level is set to Windows Server 2012 then you cannot have a Windows Server 2008 R2 domain controller. For this you need to have the Windows Server 2008 R2 domain functional level.
    Domain functional level and forest functional level cannot be downgraded. If it's already set to the Server 2012 functional level then you cannot downgrade it to 2008 R2. Please go ahead and check what your forest and domain functional levels are:
    https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    https://msdn.microsoft.com/en-us/library/cc753104.aspx
    https://msdn.microsoft.com/en-us/library/cc730985.aspx
    Nirmal Madhawa Thewarathanthri
    Sorry but you are wrong.  I just lowered the levels to 2008R2.

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows domains, Domain A and B. ACS is configured on a member server in Domain B and hence Windows authentication for users in Domain B is working fine. However I'm unable to see Domain A in the Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note, there is a one way trust between Domain A and B, with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers, thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on an ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS appliances, rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess is that Remote Agents for Windows / Solaris work with appliances alone.

  • How to enable BPEL loggers at domain and system level ?

    As far as I know there are two kinds of BPEL loggers:
    - at domain level and
    - at system level
    Where EXACTLY can I enable/disable them, resp. set them to e.g. DEBUG mode?
    Peter

    Apart from the posts mentioned above, please note that log4j-config.xml is the file that has these logging entries.
    For domain level: SOA_ORACLE_HOME\bpel\domains\default\config\log4j-config.xml
    For system level: SOA_ORACLE_HOME\bpel\system\config\log4j-config.xml
    You set these loggers at domain level or system level depending on the information you are interested in seeing, so set that particular logger.

  • Upgrading Forest and Domain Functional level

    Hi Everyone,
    If I have mixed machines (Win2k3, Win2k8 and Win2k12) and I want to raise the forest and domain functional level to Win2k12, can I still have Win2k3 and Win2k8 machines as member servers? If yes, what would be the effect on the functionality of the machines?
    To give you some info, the Win2k3 machines are used for internal webservers and Win2k8 is used as a DFS server.

    Hiya,
    "Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest."
    http://technet.microsoft.com/library/understanding-active-directory-functional-levels%28v=WS.10%29.aspx
    That said, you might have some applications running on those servers which match a specific domain version: listing attributes in a certain order, expecting a certain name, etc.

  • WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

    Hi All,
    I'm implementing a solution based around a 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WLANs (SSIDs), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
    I've created the two SSIDs using 802.1X via ACS / Remote Agent and can authenticate and log on OK.
    I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
    I can have non-authenticated machines go to a specific ACS group or be blocked, but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD: allow one and block the other.
    Am I on the right path?
    Anyone done this before or have any bright ideas?
    Cheers,
    John

    With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
    1. EAP authentication
    2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
    For further description and configuration the following URL may help you:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

  • Credentials needed to raise domain and forest level from 2003 to 2012 R2.

    I migrated our environment from a single DC on Server 2003 to a single DC on Server 2012 R2. I followed the migration process that is documented by Microsoft and others.
    However, I forgot to assign my account Enterprise Admin and Schema Admin before raising the domain and forest levels from 2003 to 2012 R2. My account did have Domain Admin. The GUI interface did not complain when I raised the level of the domain and then the forest.
    So I am thinking everything is OK.
    My question is am I going to have problems down the road with the AD environment?
    Thanks for any help or opinions.

    Using snapshots for a domain controller is not recommended, as USN rollback can occur. Although in Server 2012 using snapshots for DCs has been improved and made 'safer', I wouldn't use it as a backup solution.
    But back to your problem, Beaulieu: is it a single domain/single forest design? And the issue is that you have no membership in Schema Admins and Enterprise Admins, but you do have Domain Admin?
    Best Regards,
    Jesper Vindum, Denmark
    Systems Administrator
    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

  • Built-In Domain Level Groups dont have permissions on domain they should on 2012

    Hello,
    First, this is a brand new domain environment with everything running Server 2012 Datacenter edition.
    Second, I've never seen anything like the following occur in a domain environment. What I have is what appears to be a bad 2012 AD structure; however, so far all AD tests come back good. The problem is the built-in domain level groups do NOT offer any level of access that they should. For example if I add a user to the Administrators group, they don't have any permissions that group is supposed to have. The same with every other builtin: Backup Operators, Server Operators, Account Operators and on and on. The only way a user gets that level of access is if I add them into the Domain Admins group. As you can imagine this is crazy and not a solution for my help desk crew (having them all be domain admins, that is). So while I could very well use delegation, I need to find out why my builtin groups don't function as they should. Anyone have any ideas on what to check or where to look? I'm at the point of opening a case with Microsoft on this.
    Thanks in advance

    Because those builtin groups AREN'T domain level groups in the way you're thinking. The Administrators group on the server gives users administrator permissions on the server, but that doesn't mean permissions on the entire domain.
    If you look in the user list in ADUC you'll see that while Domain Admins is a Global security group, Administrators is only a local group, i.e. local to the server (or more accurately, since they no longer have local details, to domain controllers), so it doesn't grant permissions to anything outside of the domain controller. On all non-DCs the machines have their own local Administrators group which is independent of the domain one, and can have different memberships.
    So if you only need a user to have permissions to the DC then Administrators is fine, but if you need them to have access to the entire network, e.g. other servers and workstations, then they need to be members of Domain Admins. If you only want them to have limited permissions then you need to grant those permissions either via a global/universal group, or by adding them to the relevant local group on each machine they need access to.

  • Require cert and domain credentials to authenticate?

    Is there a way to require a machine certificate AND domain credentials to authenticate to a wireless network (Cisco LWAPP, ACS, AD)?
    My objectives are:
    Permit access from corporate hardware ONLY, i.e., prevent users from logging on from a personal laptop or PDA using their domain credentials.
    Validate that an employee is logging on to the network.
    My current PEAP implementation only satisfies the second condition and from everything I have read EAP-TLS will only satisfy the first. Is there a solution?
    thanks

    PEAP or EAP-TLS with machine auth will do the first one, then the user can log in as normal with their user credentials.

  • Domain level security issue with InfoPath Form

    I have followed the article "Submitting Data from InfoPath 2007 to a SharePoint List" which can be found at http://msdn.microsoft.com/en-us/library/cc162745.aspx.
    But instead I am using SharePoint and InfoPath 2010.
    I get the following error after deploying and running the form with its security level set to Domain.
    "A query to retrieve form data cannot be completed because this action would violate cross-domain restrictions. If this form template is published to a SharePoint document library, cross-domain access for user form templates must be enabled under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection. If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint Central Administration."
    How do I get this form working on the server and client using domain level security?
    Extra note: the form works fine in SharePoint and InfoPath Designer when the security level is set to Full Trust.

    Hi, is this possible over a SharePoint "LIST"? I'm hitting brick walls and can't set the security level on my form at all. Everything that I'm reading refers to document libraries but nothing about SharePoint lists. It seems that this should work over a list, but I'm hitting brick walls all the way around. Here is a copy of the question that I posed below under Todd.Wilder's post:
    Hi,
    Following this forum question/comment I am attempting to set the security on my InfoPath form to Full Trust. But I don't have the Security and Trust option. I can set the Trusted Location through the Trust Center but I can't find anywhere to set security. I am using InfoPath 2010. What am I missing? Everything that I'm reading says that this is the problem and my error message is exactly like SomeGuy's message. One more piece to this is... this is a form over an existing SharePoint list. I've found that I can see the Security if I start InfoPath and start a New Blank Form, but by editing the form from a SharePoint list, the option to edit Security is not there. HELP!!
    I am following the instructions below that come from:
    http://msdn.microsoft.com/en-us/library/ee526352.aspx
    The InfoPath form designer automatically selects the appropriate security level (either Restricted or Domain) based on the features that you are using in the form. The security setting is always as restrictive as possible, starting at Restricted, to help ensure a greater level of protection for you and your data. Users can manually override this automated setting to select a level of security that is more appropriate for the form by following these steps:
    Click the File tab, and then click Form Options on the Info tab.
    In the Categories list, click Security and Trust.
    Uncheck the Automatically determine security level (recommended) check box.
    Select the desired security level.
    Thank you,
    ~Tina~

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question: How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the users defined on my ACS to be able to gain privilege level 15, but only after using their enable password. By default the user must be in non-privileged mode (<15).
    An SNMP alert is sent when the ASA catches a "User priv level changed" syslog message (logging customization).
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI: perfect
    My user authenticates with his network password to get EXEC access. Then he gains privileged access using the enable command and his enable password.
         On ASDM: security policy failure
    When the user connects through ASDM, he gains privilege level 15 directly.
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user.
    So OK for CLI, but NOK for ASDM.
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI: lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
         On ASDM: security policy failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM.
    Question: Why do I have more access rights with ASDM than on CLI with the same settings?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI: lose enable access (same as config 2)
         On ASDM: unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and acceptable for ASDM.
    Question: Is there no possibility to move to enable mode on ASDM?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI: acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privileged access using the enable command and the local enable password.
         On ASDM: unable to gain privilege level 15 --> acceptable (same as config 3)
    So acceptable for CLI and ASDM.
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM than on CLI with the same settings?
    3 - Is there no possibility to move to enable mode on ASDM when the user is at privilege level 7 whereas he has Maximum Privilege Level = 15?
    4 - How should I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with a password enforcement policy
         --> I'm using a CS ACS v5.1 appliance with a local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but with monitor access only at first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to the supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14; I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and use their private enable password to be granted privilege level 15.
    The ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I apply this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I removed "aaa authorization enable console TACACS" to use the local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI entering the local enable password
    At the end, I satisfy my security policy items A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks
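    The "User priv level changed" syslog that the SNMP alert in this thread keys on is also the natural place to verify policy items D and E from the log side. The following Python is an added example, not code from the thread or from Cisco; it assumes the standard layout of ASA message 502103, that an escalation made with the shared local enable password (the thread's 4th config) is reported under the user name enable_15 rather than a person, and uses constructed log lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Layout of ASA message 502103 ("User priv level changed") after a standard
# syslog timestamp and host name. Host, user names and times below are constructed.
PRIV_CHANGE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%ASA-\d-502103: User priv level changed: "
    r"Uname: (?P<user>\S+) From: (?P<old>\d+) To: (?P<new>\d+)\s*$"
)

ADMIN_LEVEL = 15  # the thread's policy: admin == privilege level 15
# Assumption: when escalation is done with the shared local enable password
# (thread's 4th config), the ASA reports the user as enable_15, not a person.
SHARED_ENABLE_USER = "enable_15"


@dataclass(frozen=True)
class PrivChange:
    timestamp: str
    host: str
    user: str
    old_level: int
    new_level: int

    @property
    def is_escalation(self) -> bool:
        """True when the change crosses into admin (level 15)."""
        return self.old_level < ADMIN_LEVEL <= self.new_level

    @property
    def is_attributable(self) -> bool:
        """Policy E: the enable step must be tied to a named user."""
        return self.user != SHARED_ENABLE_USER


def parse_priv_changes(lines: Iterable[str]) -> List[PrivChange]:
    """Extract every 502103 event; other ASA messages are ignored."""
    events = []
    for line in lines:
        m = PRIV_CHANGE_RE.match(line.strip())
        if m is None:
            continue
        events.append(PrivChange(m["ts"], m["host"], m["user"],
                                 int(m["old"]), int(m["new"])))
    return events


def escalations(events: Iterable[PrivChange]) -> List[PrivChange]:
    return [e for e in events if e.is_escalation]


def unattributed_escalations(events: Iterable[PrivChange]) -> List[PrivChange]:
    """Escalations that cannot be tied to a person (shared enable password)."""
    return [e for e in escalations(events) if not e.is_attributable]


def escalations_per_user(events: Iterable[PrivChange]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in escalations(events):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


def summarize(log_text: str) -> Dict[str, object]:
    events = parse_priv_changes(log_text.splitlines())
    return {
        "events": len(events),
        "escalations": len(escalations(events)),
        "unattributed": len(unattributed_escalations(events)),
        "per_user": escalations_per_user(events),
    }


# Constructed sample: one nominative enable (jdoe), one drop back to 7, one
# escalation through the shared local enable password; other messages are noise.
SAMPLE_LOG = """\
Mar 03 09:12:41 fw01 %ASA-6-605005: Login permitted from 10.1.1.20/51234 to inside:10.1.1.1/ssh for user "jdoe"
Mar 03 09:12:58 fw01 %ASA-5-502103: User priv level changed: Uname: jdoe From: 7 To: 15
Mar 03 09:30:02 fw01 %ASA-5-502103: User priv level changed: Uname: jdoe From: 15 To: 7
Mar 03 10:02:17 fw01 %ASA-5-502103: User priv level changed: Uname: enable_15 From: 7 To: 15
Mar 03 10:40:55 fw01 %ASA-5-111008: User 'jdoe' executed the 'configure terminal' command.
"""

if __name__ == "__main__":
    for e in unattributed_escalations(parse_priv_changes(SAMPLE_LOG.splitlines())):
        print(f"{e.timestamp} {e.host}: level {e.old_level}->{e.new_level} "
              f"via shared account {e.user!r}; not attributable to a person")
    print(summarize(SAMPLE_LOG))
```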

  • How to get the domain level values in web ui pick list

    Hi Gurus,
    I added one field through the EEWB transaction and maintained the values at domain level. Now my requirement is that I added this field in the Web UI, but I don't know how to get the values which we maintained at domain level. Please send me the solution; it is very needful for me.
    Regards,
    Bixamaiah.B

    Hi Bussa,
    Refer to the documentation on drop-down Boxes in UI here:
    CRM Web Client UI Framework [original link is broken]
    This should help you, but do get back if you face any issues in implementing the same.
    Regards,
    Padma Guda

  • OS X Server clients can't login after IP renumber and domain Name change

    I cannot seem to get the logins working again on my OS X server (10.9.4 w/ Server 3.1.2 on a 1-year-old Mac Mini) after I needed to renumber the IP and change the domain name. I destroyed the Open Directory server, recreated it and created one test account. If I log in to the client with a local account I can connect to the server (Go > Connect To Server) from the client using my newly created account, but when I try to log in to the server using the same network account login I get the "shaking head" response immediately. I have rebound the server to this client and it says that network accounts are available, but I seem to be at a loss to understand why it won't let me log in...
    The only error message I see in any of the logs is the following:
    (AFP Error Log:) Sep 15 20:21:47 isis.mydomain.com AppleFileServer[3032] <Info>: major error <1>: No credentials were supplied, or the credentials were unavailable or inaccessible.
    I'm not sure what credentials it is referring to. I created a self-signed certificate that I am using with OD, could that be the one?

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
    1. The OD master must have a static IP address on the local network, not a dynamic address.
    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
    4. Follow these instructions to rebuild the Kerberos configuration on the master.
    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
    7. Reboot the master and the clients.
    8. Don't log in to the server with a network user's account.
    9. Disable any internal firewalls in use, including third-party "security" software.
    10. If you've created any replica servers, delete them.
    11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
