ACS - LDAP TCP Keepalive (v5.2)

Reposting with a subject that includes v5.2:
Hello
I have an ACS 4.2.1.15 patch 3 and a Novell NetWare LDAP server separated by a firewall. The firewall's default TCP session timeout is 3600 seconds.
When no LDAP request is made for over one hour, the firewall drops the connection from its table. The problem is that the ACS server thinks the connection is still open. When it tries to send an LDAP query, this results in retransmissions and finally a RST... On the user side the authentication attempt fails (timeout).
I tried to enable TCP keepalives on the Windows server side, but this has no effect on the LDAP connections used by ACS.
Is there any possibility to enable keepalives in ACS?
Thanks in advance for any help!
Javier Henderson
159 posts since Mar 12, 2010
1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst
Re: ACS 4.2 - LDAP TCP Keepalive
You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.
Juergen Meier
2 posts since Sep 28, 2010
2. Jan 17, 2011 5:46 AM in response to: Javier Henderson
Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
Apparently this bug has reappeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.
It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails because the TCP connection timed out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.
Furthermore, ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.
A new ticket will be filed with TAC today.
ROB SCHIERON
5 posts since Oct 20, 2010
3. Feb 14, 2011 10:29 PM in response to: Juergen Meier
Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through an F5 load balancer to a pair of Sun directory servers.
Did you make any progress with your TAC case?
Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
# show tech-support | i ldap | i tcp
ldap            389/tcp
ldaps           636/tcp                         # LDAP over SSL
tcp        0      0 exc2-acscor-1401:53892      acs.ldapunix.co:ldap ESTABLISHED
tcp        0      0 exc2-acscor-1401:53893      acs.ldapunix.co:ldap ESTABLISHED
tcp        0      0 exc2-acscor-1401:53890      acs.ldapunix.co:ldap ESTABLISHED
tcp        0      0 exc2-acscor-1401:53891      acs.ldapunix.co:ldap ESTABLISHED
tcp        0      0 exc2-acscor-1401:53889      acs.ldapunix.co:ldap ESTABLISHED
Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:
LDAP Connection Management
ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
After the authentication process is complete, the connection manager releases the connection to the connection manager.
I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R.
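An added example, not part of the original thread and not ACS or Cisco code, of the two mechanisms the question and the admin-guide excerpt above are about: TCP keepalive probes spaced more tightly than the firewall's idle timeout, and a connection pool that will not reuse a connection idle longer than a budget (or that probes it first), so that a session silently dropped by a stateful firewall is replaced instead of reused. The only figure taken from the thread is the 3600 s firewall timeout; the firewall model, the treatment of a connection as its session id, the 1800 s idle budget and the keepalive timing are constructed for the demo. enable_tcp_keepalive uses the per-socket keepalive options that Python's socket module exposes on Linux, macOS and recent Windows.

```python
import socket
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

FIREWALL_IDLE_TIMEOUT = 3600.0   # the one-hour default quoted in the question

def enable_tcp_keepalive(sock: socket.socket, idle: int = 600,
                         interval: int = 60, count: int = 5) -> None:
    """First probe after `idle` s of silence (keep this well below every middlebox's
    idle timeout), then every `interval` s; peer declared dead after `count` misses."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):        # Linux (and recent Windows)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    elif hasattr(socket, "TCP_KEEPALIVE"):     # macOS name for the same knob
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)

def keepalive_demo_socket() -> bool:
    """Apply enable_tcp_keepalive to a fresh (unconnected) TCP socket and read it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        enable_tcp_keepalive(sock)
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

class IdleAwarePool:
    """Never reuses a connection idle longer than `max_idle`, and can run `validate`
    (e.g. a cheap directory search with a short timeout) before handing one out."""

    def __init__(self, connect: Callable[[], int], max_idle: float,
                 validate: Optional[Callable[[int], bool]] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._connect, self._max_idle, self._validate, self._clock = connect, max_idle, validate, clock
        self._idle: Deque[Tuple[int, float]] = deque()      # (conn, last_used)
        self.stats: Dict[str, int] = {"opened": 0, "reused": 0, "evicted_idle": 0, "evicted_dead": 0}

    def acquire(self) -> int:
        now = self._clock()
        while self._idle:
            conn, last_used = self._idle.popleft()
            if now - last_used > self._max_idle:             # middleboxes may have forgotten it
                self.stats["evicted_idle"] += 1
                continue
            if self._validate and not self._validate(conn):  # probe says it is dead
                self.stats["evicted_dead"] += 1
                continue
            self.stats["reused"] += 1
            return conn
        self.stats["opened"] += 1
        return self._connect()

    def release(self, conn: int) -> None:
        self._idle.append((conn, self._clock()))

    def idle_connections(self) -> List[int]:
        return [conn for conn, _ in self._idle]

class FakeFirewall:
    """Constructed stateful-firewall model: a connection is its session id; a session silent
    longer than `timeout` is forgotten and later packets on it are silently dropped."""

    def __init__(self, clock: Callable[[], float], timeout: float = FIREWALL_IDLE_TIMEOUT):
        self._clock, self._timeout, self._next_id = clock, timeout, 0
        self._last_seen: Dict[int, float] = {}

    def connect(self) -> int:                     # the TCP handshake creates the entry
        self._next_id += 1
        self._last_seen[self._next_id] = self._clock()
        return self._next_id

    def forward(self, cid: int) -> bool:          # any packet: data or keepalive probe
        seen = self._last_seen.get(cid)
        if seen is None or self._clock() - seen > self._timeout:
            self._last_seen.pop(cid, None)
            return False
        self._last_seen[cid] = self._clock()
        return True

def scenario(max_idle: float, keepalive_idle: Optional[float], validate: bool = False,
             silence: float = 2 * 3600.0) -> Dict[str, object]:
    """One query, `silence` s of no application traffic, then a second query via the pool."""
    clock = [0.0]
    fw = FakeFirewall(lambda: clock[0])
    pool = IdleAwarePool(fw.connect, max_idle, validate=fw.forward if validate else None,
                         clock=lambda: clock[0])
    conn = pool.acquire()
    first_ok = fw.forward(conn)
    pool.release(conn)
    step = keepalive_idle or silence
    while clock[0] < silence:
        clock[0] += step
        if keepalive_idle:                        # the kernel probes every idle socket
            for idle_conn in pool.idle_connections():
                fw.forward(idle_conn)
    conn = pool.acquire()
    second_ok = fw.forward(conn)
    pool.release(conn)
    return {"first_ok": first_ok, "second_ok": second_ok, **pool.stats}
```

scenario(float("inf"), None) reproduces the symptom reported above (the pool hands back a connection the firewall has forgotten and the second query fails); scenario(1800.0, None) and scenario(float("inf"), None, validate=True) show the pool replacing it, and scenario(float("inf"), 600.0) shows keepalive probes keeping the firewall entry fresh. The pool's idle budget belongs below the smallest idle timeout of any device on the path (the F5 and the IDS/IPS mentioned in this thread included) and the keepalive idle time below that again; where the client cannot enable keepalives at all, as the question reports for ACS, the idle timeout the firewall applies to the LDAP flow is the remaining knob.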

Similar Messages

  • Lack of TCP keepalive parameter in Microsoft SQL Server ODBC Driver for Linux

    Hello,
    The problem in the aforementioned driver is the lack of a TCP keepalive parameter, which results in hung threads because of connections closed on the SQL Server side but sockets not closed on the client side. This could happen due to network-related problems.
    The driver is used in a mission-critical 24/7 uptime application, and due to the hung threads the application cannot continue its work and needs to be restarted.
    This is observed in the latest version of the driver on RHEL 5.6.
    If you need clarification please ask.
    Does anybody know any workaround to this situation or a solution that I'm not aware of?
    Thank you for your help,
    luk.s

    Find the TCP socket of the ODBC connection in your process and set the keep-alive option and keep-alive timeout on it.
    You can do that by interposing socket system call.
    Or use libkeepalive: http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#libkeepalive

  • TCP keepalives sent too early and terminates connection

    I'm trying to implement a persistent TCP connection between an Android phone and a desktop server.
    I've got heartbeat threads on both ends which are sending keepalive packets on the application level successfully.
    The problem is that after a while (varies between 5-20 min) the phone starts to send TCP keepalives to the server, which the server does not seem to respond to. (I'm using Wireshark to monitor this.)
    This results in an exception on the server thread which is reading from the phone: java.net.SocketException: Connection reset
    Why is the phone sending TCP keepalives so early, even when there's constant activity on the application level? And why doesn't the desktop server respond to these keepalives?
    I've checked my Android phone's settings with "sysctl -A | grep net.ipv4" and "net.ipv4.tcp_keepalive_time" is set to 7200 (2 hours).
    Thanks.

    shuwo wrote:
    I'm holding both a wakelock and a wifilock, so that shouldn't be the problem. I also tried it without putting my phone to sleep at all. I want a persistent connection because I need live data to be transmitted over the network; is there any other method for that?
    If it isn't keepalive packets, what could it be? What causes a connection reset on the server side?
    I wouldn't rely on a persistent connection. Mobile phones and bad network conditions/lost connections are bound to happen, and can happen frequently.
    What do you mean by live data? Are you e.g. streaming data? Polling (e.g. once per minute) could otherwise be better; that is how Gmail works.
    I doubt that the battery will last more than 6-7 hours if the phone never goes down to sleep mode. You can easily test it. Create an app that just acquires a wakelock and then run it on your phone without doing anything else like accessing the network etc. Constantly using the network will also reduce the battery time even more.

  • What is tcp-keepalives-in and tcp-keepalives-out

    Can anyone help me out by explaining both of these and the difference between
    tcp-keepalives-in and tcp-keepalives-out?
    Thanks
    Irshad

    Irshad,
    If you have already not read this link...
    http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00801365f3.shtml

  • ACS LDAP authenication - restrict to only certain LDAP users?

    I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.
    I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP usernames/passwords. Command logging and authorization also appear to be working as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.
    Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I only want a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.
    Can I create an LDAP filter someplace in ACS that specifies only XXX users can
    authenticate against LDAP and to deny all other users?
    Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know.....I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.
    I'm running ACS v4.2.0.124.

    Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6
    Hope that helps.

  • ACS - LDAP or AD

    Hi PPL,
    Currently i have 4 ACS's synced with AD.
    Due to security concerns we are thinking of going to LDAP.
    I can't find exactly what i'll lose/gain on each method.
    Can someone provide more information ?
    Thanks!

    Chen,
    You lose the ability to fail over to more than two servers in your deployment. If your ACS are spread across all datacenters you do not have the ability to configure separate LDAP servers for each DC as well. ACS and AD operations rely on sites and services so that the closest DC based on this configuration is preferred.
    If password management for remote access vpn (anyconnect) is desired you need MS-CHAP to accomplish this, LDAP does not support this protocol.
    Also if you are using 802.1x, there are only a few eap authentication methods referenced here that support LDAP.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    Tarik Admani
    *Please rate helpful posts*

  • ACS LDAP Integration

    Hello Friends,
    While i am trying to integrate ACS (10.216.24.25) with the AD server (10.216.12.73), i am getting error.
    Following is the capture i got,
    The error says "bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurity"
    Can you please check it, how to fix this issue?
    I am attaching the wireshark capture also.

    Hi Rashid,
    A very quick way to sort this out could be to first test by browsing the LDAP database with a free LDAP browser such as Softerra:
    http://softerra-downloads.com/ldapadmin/ldapbrowser26.msi
    Once you'll successfully bind and browse the tree with this browser, you can apply the same settings to ACS.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Need Help With ACS LDAP setup to Query AD

    I have 2 Win 2003 ADs, one of them is configured and working under the Windows Database (using remote agent) configuration. I am trying to set up the second AD with the Generic LDAP setup. I want to know what exactly I should use in the fields UserObjectType and Class, and GroupObjectType and Class for Windows 2003 AD. All Cisco documents give examples of Netscape LDAP syntax. I was told by our server admin what to put under Admin DN: CN=myid,OU=mygroup,OU=myorg,DC=mydomain,DC=com
    I have both user & group directory subtree fields filled with DC=mydomain,DC=com.
    I am using the ip address for Primary LDAP server, and port is 389, LDAP version 3 is checked.
    Is any of these DC, OU, etc. case sensitive?
    With all entries that I have tried, when I go to map a group, I am getting error "LDAP server NOT reachable. Please check the configuration". My ACS can ping the domain controller's IP address fine.
    Please help. Thank you in advance,
    Murali

    Murali,
    These references may help...
    http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc
    http://www.microsoft.com/technet/archive/winntas/plan/dda/ddach02.mspx?mfr=true
    http://technet.microsoft.com/en-us/library/aa996205.aspx
    Regards,
    Richard

  • Authentication ACS LDAP PEAP ?

    Hello
    Could you tell me if it's possible to do 802.1X authentication with an LDAP server using PEAP MS-CHAP v2 (machine authentication)?
    In fact, with the Windows external database, it works fine.
    We use only machine authentication with VLAN assignment over PEAP.
    Another thing: we want to use MAC Authentication Bypass for printers or other laptops... but we wonder if it could work with an external Windows database or LDAP?
    Thanks for your help

    No, this isn't possible, as LDAP servers do not support MSCHAP v1 or v2.
    You'd need something that can carry a plain-text password inside the EAP tunnel, like EAP-GTC.

  • ACS Communication TCP/UDP ports

    Hi,
    I have a WEBVPN (on Cisco 2811) which will authenticate its client using ACS, ACS in turn will be integrated with AD.
    the three components (WEBVPN, ACS and AD) have a firewall in between them, I need to configure to allow the communication between the three components, I need a list the ports required for such configuration.
    Also, I have two ACS appliances working in HA mode; they will be installed in different locations with a firewall in between. What are the ports the 2 appliances communicate through to ensure full HA?

    Table 2 has this information,
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/ps7032/prod_qas0900aecd80108148_ps2086_Products_Q_and_A_Item.html
    Regards,
    ~JG
    Do rate helpful posts

  • LDAP Connectivity ACS

    Hi,
    I have a requirement to change the server that the ACS Appliance (2 x running primary/secondary) (5.2) is using as an external identity store. I previously changed the server host name under External Identity Stores\LDAP\Server Connection tab. The issue was that when I performed a test bind it was successful BUT under the Directory Groups tab I lost the group name entries, only recovering them as I exited the config without saving anything.
    So my question is, how do I change the server connection and reinstate the directory group list? There are a number of entries and I need them all back in with minimal disruption to the network. There must be an easier way than entering them all manually?
    Thanks,
    Pete

    Any changes in the server connection, like IP or credentials, would not be allowed unless you remove all the references from the ACS config, because the connection is built based on that information.
    However, you can create more than one LDAP instance in ACS 5.2. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server.
    Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP identity store instance.
    ACS 5.3 does not require that each LDAP instance correspond to a unique LDAP database. You can have more than one LDAP instance set to access the same database.
    Regards,
    Jatin

  • CSS keepalive TCP flags

    Hi. I have a problem with the way an application behaves in response to CSS tcp keepalives, I'd be grateful for any advice.
    Using standard TCP keepalives, an application logs a broken connection for every keepalive, filling up the app logs, causing the administrators to complain. If I change the tcp-close type to FIN, the application doesn't log an error, but it still logs the connection, same complaint from the admins.
    The application developers feel that it's not their problem, they're comparing the keepalives to nmap probes and indeed, it is possible to confirm that the service is up with nmap, without generating an error/connection log entry on the server.
    According to some Wireshark captures, the TCP flags of a CSS keepalive, compared to an nmap probe, are as follows;
    CSS
    CSS --> Syn --> Server
    CSS <-- Syn, Ack <-- Server
    CSS --> Ack --> Server
    CSS --> Rst, Ack --> Server
    nmap -sS
    NmapPC --> Syn --> Server
    NmapPC <-- Syn, Ack <-- Server
    NmapPC --> Rst --> Server
    So, my question is, can the tcp behaviour of CSS keepalives be modified, to dispense with the arguably superfluous 'ack'ing that's illustrated above?
    Thanks
    Andy

    Thanks for the replies.
    I've tried tcp-close fin, it stops an error being logged, but the application still logs the connection.
    I wouldn't be concerned, other than the fact it clearly is possible to both establish that the service is running on the server and not log the connection attempt, using Nmap's more abbreviated tcp behaviour.
    I am curious, though. What is the CSS acknowledging when it sends an ACK in the RST packet?
    Regards
    Andy

  • GSS - Keepalive using TCP/VIP

    Hi,
    I created content in the CSS for FTP.
    When i used Keepalive type as ICMP for GSS answer everything is working fine.
    when I configured GSS Answer using keepalive VIP/TCP the answer status is offline.
    when i do tcp dump on the GSS interface the keepalives are sending from the GSS.
    Do i have to do any configuration in CSS to respond to GSS keepalives.

    Are you doing KAL-AP ?
    Or is it TCP keepalive and the GSS is just opening a TCP port with the CSS VIP ?
    Is your content rule alive ? Check with 'show summary'
    Did you try it from a client ?
    Is there a firewall between GSS and CSS ?
    Try to capture a trace on the CSS.
    Do the real servers know how to reach the GSS?
    Gilles.

  • IOS LDAP authentication against sAMAccountName

    Hi,
    I'm running an 881 with c880data-universalk9-mz.151-3.T.bin and now I'm trying to enable LDAP authentication. This works, but it only allows me to authenticate against the full CN (like CN=Firstname Lastname). But I would like to authenticate against the sAMAccountName, since this is the same username the users are using in Windows.
    This is my config:
    ldap server dc01
    ipv4 10.10.250.111
    bind authenticate root-dn CN=LDAPReader,CN=Room,DC=customer,DC=local password 7 encrpasswordhere
    base-dn OU=Room,OU=Users,DC=customer,DC=local
    search-filter user-object-type *
    Any idea on how to do this?
    Thanks!
    Regards,
    Armand.

    Hi Anisha,
    I've just removed the search-filter user-object-type * line and added the search-filter user-object-type sAMAccountName line. Then I've performed a debug ldap all:
    001356: Apr  5 10:20:13.608 CET: LDAP: LDAP: Queuing AAA request 79 for processing
    001357: Apr  5 10:20:13.608 CET: LDAP: Received queue event, new AAA request
    001358: Apr  5 10:20:13.608 CET: LDAP: LDAP authentication request
    001359: Apr  5 10:20:13.608 CET: LDAP: Attempting first  next available LDAP server
    001360: Apr  5 10:20:13.608 CET: LDAP: Got next LDAP server :dc01
    001361: Apr  5 10:20:13.608 CET: LDAP: Server connection not up. Current state DOWN
    001362: Apr  5 10:20:13.608 CET: LDAP: No servers left in LDAP server-group. Perform method failover
    001363: Apr  5 10:20:13.608 CET: LDAP: Failed to send request. No more LDAP servers left.
    001364: Apr  5 10:20:13.608 CET: LDAP: Performing method failover
    001365: Apr  5 10:20:19.184 CET: LDAP: Received timer event
    001366: Apr  5 10:20:19.184 CET: LDAP: Connection timeout occured. Retrying
    001367: Apr  5 10:20:19.184 CET: LDAP: Opening ldap connection ( 10.10.250.111, 389 )ldap_open
    ldap_init libldap 4.5 18-FEB-2000
    open_ldap_connection
    ldap_connect_to_host: 10.10.250.111:389
    001368: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connecting to 10.10.250.111 (389)
    001369: Apr  5 10:20:19.184 CET: LDAP: socket 0 - connection in progress
    001370: Apr  5 10:20:19.184 CET: LDAP: socket 0 - local address 10.10.250.254 (51705)
    001371: Apr  5 10:20:19.184 CET: LDAP: Connection on socket 0
    001372: Apr  5 10:20:19.184 CET: LDAP: Connection to LDAP server (dc01, 10.10.250.111) attempted
    001373: Apr  5 10:20:19.184 CET: LDAP: Connection state: DOWN => CONNECTING
    001374: Apr  5 10:20:19.184 CET: LDAP: Received socket event
    001375: Apr  5 10:20:19.184 CET: LDAP: Checking the conn status
    001376: Apr  5 10:20:19.184 CET: LDAP: Socket read event socket=0
    001377: Apr  5 10:20:19.184 CET: LDAP: Found socket ctx
    001378: Apr  5 10:20:19.184 CET: LDAP: Making socket conn up
    001379: Apr  5 10:20:19.184 CET: LDAP: Notify the protocol codeldap_open successful
    Notify LDAP main if it has to initiate any bind requests
    001380: Apr  5 10:20:19.184 CET: LDAP: Protocol received transport up notication
    001381: Apr  5 10:20:19.184 CET: LDAP: Connection state: CONNECTING => UP
    001382: Apr  5 10:20:19.184 CET: LDAP: Set socket=0 to non blocking mode
    001383: Apr  5 10:20:19.184 CET: LDAP: Performing Root-Dn bind operationldap_req_encode
    Doing socket write
    001384: Apr  5 10:20:19.188 CET: LDAP: Root Bind on CN=LDAPReader,CN=Room,DC=customer,DC=local initiated.
    001385: Apr  5 10:20:19.188 CET: LDAP: Received socket event
    001386: Apr  5 10:20:19.684 CET: LDAP: Received socket event
    001387: Apr  5 10:20:19.684 CET: LDAP: Checking the conn status
    001388: Apr  5 10:20:19.684 CET: LDAP: Socket read event socket=0
    001389: Apr  5 10:20:19.684 CET: LDAP: Found socket ctx
    001390: Apr  5 10:20:19.684 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
    001391: Apr  5 10:20:19.684 CET: LDAP: Passing the client ctx=87179024ldap_result
    wait4msg (timeout 0 sec, 1 usec)
    ldap_select_fd_wait (select)
    ldap_read_activity lc 0x86A7DB08
    Doing socket read
    LDAP-TCP:Bytes read = 22
    ldap_match_request succeeded for msgid 1 h 0
    changing lr 0x85034958 to COMPLETE as no continuations
    removing request 0x85034958 from list as lm 0x8715A3F8 all 0
    ldap_msgfree
    ldap_msgfree
    001392: Apr  5 10:20:19.688 CET: LDAP: LDAP Messages to be processed: 1
    001393: Apr  5 10:20:19.688 CET: LDAP: LDAP Message type: 97
    001394: Apr  5 10:20:19.688 CET: LDAP: Got ldap transaction context from reqid 26ldap_parse_result
    001395: Apr  5 10:20:19.688 CET: LDAP: resultCode:    0     (Success)
    001396: Apr  5 10:20:19.688 CET: LDAP: Received Bind Response
    001397: Apr  5 10:20:19.688 CET: LDAP: Received Root Bind Response ldap_parse_result
    001398: Apr  5 10:20:19.688 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
    001399: Apr  5 10:20:19.688 CET: LDAP: Root DN bind Successful on :CN=LDAPReader,CN=Room,DC=Customer,DC=local
    001400: Apr  5 10:20:19.688 CET: LDAP: Transaction context removed from list [ldap reqid=26]ldap_msgfree
    ldap_result
    wait4msg (timeout 0 sec, 1 usec)
    ldap_select_fd_wait (select)
    ldap_err2string
    001401: Apr  5 10:20:19.688 CET: LDAP: Finished processing ldap msg, Result:Success
    001402: Apr  5 10:20:19.688 CET: LDAP: Received socket event
    001403: Apr  5 10:20:33.832 CET: LDAP: LDAP: Queuing AAA request 79 for processing
    001404: Apr  5 10:20:33.832 CET: LDAP: Received queue event, new AAA request
    001405: Apr  5 10:20:33.832 CET: LDAP: LDAP authentication request
    001406: Apr  5 10:20:33.832 CET: LDAP: Attempting first  next available LDAP server
    001407: Apr  5 10:20:33.832 CET: LDAP: Got next LDAP server :dc01
    001408: Apr  5 10:20:33.832 CET: LDAP: First Task: Send search req
    001409: Apr  5 10:20:33.832 CET: LDAP: Check the default map for aaa type=username
    001410: Apr  5 10:20:33.832 CET: LDAP: Ldap Search Req sent
                        ld          2266468388
                        base dn     OU=Lokaal10,OU=Room,DC=customer,DC=local
                        scope       2
                        filter      (&(objectclass=sAMAccountName)(cn=armandputs))ldap_req_encode
    put_filter "(&(objectclass=sAMAccountName)(cn=armandputs))"
    put_filter: AND
    put_filter_list "(objectclass=sAMAccountName)(cn=armandputs)"
    put_filter "(objectclass=sAMAccountName)"
    put_filter: simple
    put_filter "(cn=armandputs)"
    put_filter: simple
    Doing socket write
    001411: Apr  5 10:20:33.836 CET: LDAP:  LDAP search request sent successfully (reqid:27)
    001412: Apr  5 10:20:33.836 CET: LDAP: Sent the LDAP request to server
    001413: Apr  5 10:20:34.344 CET: LDAP: Received socket event
    001414: Apr  5 10:20:34.344 CET: LDAP: Checking the conn status
    001415: Apr  5 10:20:34.344 CET: LDAP: Socket read event socket=0
    001416: Apr  5 10:20:34.344 CET: LDAP: Found socket ctx
    001417: Apr  5 10:20:34.344 CET: LDAP: Receive event: read=1, errno=9 (Bad file number)
    001418: Apr  5 10:20:34.344 CET: LDAP: Passing the client ctx=87179024ldap_result
    wait4msg (timeout 0 sec, 1 usec)
    ldap_select_fd_wait (select)
    ldap_read_activity lc 0x86A7DB08
    Doing socket read
    LDAP-TCP:Bytes read = 22
    ldap_match_request succeeded for msgid 2 h 0
    changing lr 0x85034958 to COMPLETE as no continuations
    removing request 0x85034958 from list as lm 0x8715A3F8 all 0
    ldap_msgfree
    ldap_msgfree
    001419: Apr  5 10:20:34.348 CET: LDAP: LDAP Messages to be processed: 1
    001420: Apr  5 10:20:34.348 CET: LDAP: LDAP Message type: 101
    001421: Apr  5 10:20:34.348 CET: LDAP: Got ldap transaction context from reqid 27ldap_parse_result
    001422: Apr  5 10:20:34.348 CET: LDAP: resultCode:    0     (Success)
    001423: Apr  5 10:20:34.348 CET: LDAP: Received Search Response resultldap_parse_result
    001424: Apr  5 10:20:34.348 CET: LDAP: Ldap Result Msg: SUCCESS, Result code =0
    001425: Apr  5 10:20:34.348 CET: LDAP: Failed to get any search entries ldap_msgfree
    001426: Apr  5 10:20:34.348 CET: LDAP: Closing transaction and reporting error to AAA
    001427: Apr  5 10:20:34.348 CET: LDAP: Transaction context removed from list [ldap reqid=27]
    001428: Apr  5 10:20:34.348 CET: LDAP: Notifying AAA: REQUEST FAILED
    001429: Apr  5 10:20:34.348 CET: LDAP: Received socket event
    I'm not really good at AD, but "armandputs" is my sAMAccountName in the AD. My CN=Armand Puts in the AD. So there is still something going wrong. Any ideas?
    Thanks!
