Active Directory - Authentication Problem

Hi Guys,
I'm seeing something really weird in my Environment.
For example, we have two users as example below in our Active Directory:
jonesp - Paul Jones
jonesph - Phillip Jones
These users can't login into any Mac connected in Active Directory, on PCs the login goes fine.
But when I renamed the login jonesp to jonespa, both users can login in the Macs.
Anyone have this issue too? There is a KB telling about this behavior?
This happens on Macs running 10.7.* and 10.8.*.
Thanks

Sorry CT,
The problem isn't with Active Directory, this only happens on Macs.
The problem doesn't happens with Windows and Linux, only on Macs.
Anyway thanks for your help.
Regards

Similar Messages

WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
a managed server using the node manager? I can boot the server without the AD
authenticator and I can also boot the server using a script and successfully authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
configuration works fine with weblogic running on W2K, but not on Solaris (it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Solved the problem. The 'domain root' directory specified in the remote start configuration,
must contain a copy of the file 'SerializedSystemIni.dat' that was created along
with the domain, in order to boot when an AD authenticator is configured. If an
AD authenticator is not configured, no file is required. This was not a platform
specific issue; on Win2K I had configured the 'domain root' remote start parameter
to point to an existing domain root and not a new directory.
"Andrew Walker" <[email protected]> wrote:
>
Has anyone managed to setup a WLS 7.0 Active Directory authenticator
and booted
a managed server using the node manager? I can boot the server without
the AD
authenticator and I can also boot the server using a script and successfully
authenticate
through AD. My AD control flag is set to OPTIONAL and I have also setup
a default
authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
This
configuration works fine with weblogic running on W2K, but not on Solaris
(it
looks like the control flag is being ignored). Errors as follows
####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
<main>
<kernel identity> <> <000000> <FileLo
gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000415> <System
has file descriptor limits of - soft: 1,024, hard: 1,024>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000416> <Using e
ffective file descriptor limit of: 1,024 open sockets/files.>
####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
<main>
<kernel identity> <> <000418> <Allocat
ing: 3 POSIX reader threads>
####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <0003
64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
Problem instantiating
Authentication Providerjavax.management.RuntimeOperationsException:
RuntimeException
thrown by the getAttribute method of the Dynam
icMBean for the attribute Credential>
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)
####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
<server01>
<main> <kernel identity> <> <000
342> <Unable to initialize the server: Fatal initialization exception
Throwable: weblogic.security.service.SecurityServiceRuntimeException:
Problem
instantiating Authentication Providerjavax.management.
RuntimeOperationsException: RuntimeException thrown by the getAttribute
method
of the DynamicMBean for the attribute Credential
weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
Authentication Providerjavax.management.RuntimeOper
ationsException: RuntimeException thrown by the getAttribute method of
the DynamicMBean
for the attribute Credential
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
at weblogic.Server.main(Server.java:31)

Weblogic with Active Directory Authentication provider problem: DN for user ....: null

I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
- I defined an Active Directory Authentication provider
- changed it's order in the Authentication Providers list so that it comes first
- set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
        <sec:name>MyOwnADAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
        <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
        <wls:host>10.20.150.4</wls:host>
        <wls:port>5000</wls:port>
        <wls:ssl-enabled>false</wls:ssl-enabled>
        <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
        <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
        <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
        <wls:cache-enabled>false</wls:cache-enabled>
        <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries : 1
(the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
Here are some other things I tried but did not change anything:
- the other "msDS-" attributes were not set so I tried initializing them to some value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
- I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thanks.

I managed to narrow it down: the AD LDS does not support the userAccountControl.
Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>

Unable to find user list in Active Directory Authenticator

Hi all,
I am using weblogic 10.3 and want to configure ActiveDirectory Authenticator for my weblogic application. We have one managed srever under admin server . I have configured a Active Directory Authenticator named "ADAuthenticator" and made following changes as per the below values:
I set the control flag to "OPTIONAL" .
Security Realms-->myrealm-->Providers-->ADAuthenticator-->Provider Specific
UserName Attribute : ServiceBEA
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(ServiceBEA=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(ServiceBEA=%u)(objectclass=user))
Static Group Name Attribute : ServiceBEA
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
These are my AD settings. After doing this i click on save and then activate changes and then restarted the admin server.
But the problem is when i login to weblogic console to check the user list under "User and Group" i am unble to find any Active Directory users.
I don't know where i made the mistake. Can some make me out of this trouble.
Any help is highly appreciated.
Thanks in advance !

Hi Sean,
Actually we have already a Active Directory with username "ServiceBEA" in our windows server. So i used this "ServiceBEA" as UserName Attribute in weblogic console while creating a Active Directory Authenticator.
You mean to say that we should go for "sAMAccountName" or what? If that is the case then i have also tested with following values, but still no luck.
UserName Attribute : sAMAccountName
Principal : ServiceBEA
Host : xxxxxx
User Search Scope : subtree
Group From Name Filter : (&(sAMAccountName=%g)(objectclass=group))
Credential : xxxxxx
Confirm Credential : xxxxxx
User From Name Filter : (&(sAMAccountName=%u)(objectclass=user))
Static Group Name Attribute : sAMAccountName
User Base DN : values provided as per requirement
Port : 389
User Object Class : user
Use Retrieved User Name as Principal : checked
Group Base DN : same values as per User Base DN
Static Group Object Class : group
Group Membership Searching : unlimited
Max Group Membership Search Level : 0
Please advise what to be place in case of User Name Attribute.
Any help is highly appreciated.
Thanks in advance !

Active Directory Authentication in Weblogic 8.1

Hi,
We want to do authentication from Microsoft Active Directory using weblogic 8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working. Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me know how
to proceed.
2. Is there any tool by which I can get to know the different attribute asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind. Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

Amit,
We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
and downs though.
|
|
1) First, make sure you are sending right LDAP queries to AD. To verify this,
we used free 3rd party LDAP browser from Softerra. There is also java based free
browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
Play with your LDAP settings using this and make sure AD is returning the right
data.
|
2) AD has some default settings that makes it return only the top 1000 users.
Use ntdsutil.exe to modify these default settings
|
3) AD needs to have the right set of users and groups. To configure this, refer
to WLS docs. This is very well documented in WLS docs. Also refer to this article
http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
reference
|
4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
another product AD/AM (AD in Application Mode) in combination with MIIS server.
But if you are using sp2, you shouldn't be worry about this.
|
5) In your providers, you might want to get rid of the DefaultAuthentication provider,
once you are able to establish a connection with your ActiveDirectoryAuthentication
provider. The DefaultAuthentication provider causes some problems and does not
let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
investgated the root of this prob. When we deleted DefaultAuthentication provider,
everything worked normally - so we didn't really care that much :-)
|
6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
your are able to authenticate talk to your AD.
|
These are the ones I could think of. Hope this helps..
Regards,
Anant
"Amit" <[email protected]> wrote:
>
Hi,
We want to do authentication from Microsoft Active Directory using weblogic
8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working.
Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me
know how
to proceed.
2. Is there any tool by which I can get to know the different attribute
asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there
any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind.
Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in
Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi

BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

Dear all
        In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message:
       " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
      Anyone has encountered similar issue?
   BO version: BO XI 3.1 SP5
   Authenticate: Windows AD
Thanks and Regards

Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
http://service.sap.com/sap/support/notes/1323391
http://service.sap.com/sap/support/notes/1199995
-Ambarish-

Active Directory Authentication and permissions for user group in APEX 4.0

Hello,
I am new to oracle APEX and I have searched the forum for active directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow; in order to implement AD authentication for a user group in Oracle APEX 4.0.
These are the threads which i was looking at to get an idea like how AD authentication works but its really confusing for me.
Help with Authentication (APEX_LDAP.AUTHENTICATE)
Re: LDAP Authentication Via Groups
Thanks,
Tony

You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.

Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
Additional technical information:
Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
Timestamp: 2015-04-14 12:27:20Z
AADSTS50020:
User account '[email protected]' from external
identity provider 'live.com' is not supported for application
'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
be added as an external user in the tenant. Please sign out and sign in
again with an Azure Active Directory user account.
It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

I assume you created a web application using VS2013 which uses the WS-Federation protocol.
The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
The user will need to either sign-out or use an in-private session in the browse.
If you switch to openID connect(sample at
https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

Active Directory provider problem in 11g

I am having the opposite problem than many others I see setting up Active Directory as the user store for OBIEE 11g. On two of the installations I have done the Active Directory users work but the original weblogic user does not work in OBIEE. It works fine in the WLS console and the FM Enterprise Manager but fails in analytics. The error I'm getting is:
'weblogic' was authenticated but could not be located within the Identity Store.
When others were having this problem they had left the default provider's control flag set at "REQUIRED" and not changed it to "SUFFICIENT". But I have done this (and gone back and reset it again) but the error persists. Any thoughts.

Setting virtualize=true worked. I had tried this before but I think I did what I almost did this time. I almost created the variable virtual instead of virtualize. Thanks. The instructions I followed from Oracle didn't have this step. And I am wondering why it is necessary. The help for the SUFFICIENT setting says:
A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, control is returned to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.
Before I set this. yes, my AD users could login to EM and the WLS console. Other than this the AD integration has worked well.
Edited by: dirkt on Sep 19, 2011 12:36 PM

Active Directory Authentication, AFP Home Folders in the wrong place!

Hi,
I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
-Xserve G5, Mac OS X Server 10.4.7
-OD Master bound to AD for authentication
-Hosts AFP and SMB shares, all stored on Xserve RAID
On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
Going slightly mad,
Jason

Hi there,
Just wanted to share my make-due solution.
I have setup the automount sharepoint at "/Data/Home".
When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
-Desktop
-Library
The other icons related to the home dir on the Dock remain big "?" 's.
So I manually added them and assigned them the propper rights.
Now users can log in without any problems, network home folders are working.
So essentially I got thing s to work, luckily I have only a hand full of Mac Users, Imagine having a user base in the hundreds !
Thinking about this really makes me want to know how I can fix this problem, I have a make shift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
I've checked all possible locations on the server (i thought maybe it might have made local accounts on server by accident, but it didn't.)
If anyone has ANY idea, please share.
Thx!!
Have a nice day

Active Directory Permissions Problems

Hi all,
I'll be brief and to the point.
New iMacs
10.5.2
Bound to Active Directory
Login works fine
Authentication to network shares works fine (albeit slow)
But - when saving a file, let's say an HTML document in Coda, it comes up saying "You need administrative privileges to save the file, however you have permissions to replace the file".
Same in Excel, different message, but the same deal, can't modify files, but can create, delete, rename.
Same in Illustrator - only lets 'save as' and write over the top.
The permissions on the AD end are set fine to read&write. Even if I create a new file, it will save it once, then if I try and edit, same deal.
The permissions are granted as part of a 'group' - but I've added the individual username also and hasn't changed anything.
Any thoughts would be GREATLY appreciated.

I have an issue with OSX Leopard (10.5.2) , where by I can't write to NTFS shares on W2K3 servers with SMB signing turned on and IPV6 disabled for the interface.
To recreate the issue:
Create a folder named test that contains two files one named ._test.txt and test.txt on OSX and copy to an SMB share on W2k3.
This results in spurious errors about permissions and locked files.
Copying a file larger than 4k results in the error:
"The operation cannot be completed because you do not have sufficient privileges or some of the items."
Using mount_smbfs from a shell on OSX results in the error: "Permission denied"
host:~ user$ mount_smbfs //user@server/share /Volumes/test-smbmount/
Password:
host:~ user$ cp test.docx /Volumes/test-smbmount/
cp: /Volumes/test-smbmount/test.docx: Permission denied
Using smbclient from a shell on OSX results in SUCCESS!!!
host:~ user$ smbclient \\\\server\\\share -U user
Password:
Domain=DOMAIN OS=Windows Server 2003 3790 Service Pack 2 Server=http://Windows Server 2003 5.2
smb: \> put test.docx
putting file test.docx as \test.docx (784.7 kb/s) (average 784.7 kb/s)
smb: \>
There is an alternative solution if you do need to drag and drop in your gui world, it'll cost you $120
link: http://www.thursby.com/products/dave-eval.html
I have mailed the developer as he has obviously identified the root problem of the issue and I urged him to share his patch/resolution with Apple in the interests of the user community and a darn nice thing to do.I had a response form the developer to my request. I sent my workaround solution to the developer and stated that in my opinion the pricing for the software seems unnecessarily high based on the functionality it provides and way above what I would be willing to pay to resolve one small issue.
<developers response>
Pricing is a difficult topic to discuss -- but if you have no use for the product, any price is too much. As for reporting bugs to Apple, they'll listen to customers much sooner than they'll listen to developers. And they have some of the brightest engineers I know. If you report the bug to them, they'll likely have it fixed in the next update.
</developers response>
I couldn't find away to report the bug myself so I had a friend do it for me. The response I had back from Apple was less than satisfactory.
They believe that the issue is to do with NTFS streams and that a file containing ".com.apple.smb.streams.on" needs to be created and placed into the root of shared volumes. This is not a fix!
If you want to prevent writing the "Apple Double" files to a remote share, enter the following into a terminal:
$ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
Problem still exists.
ref: http://docs.info.apple.com/article.html?artnum=301711
<apple double description>
ref: fhttp://docs.info.apple.com/article.html?artnum=106510
Before Mac OS X, the Mac OS used 'forked' files, which have two components: a data fork and a resource fork. The Mac OS Standard (HFS) and Mac OS Extended (HFS Plus) disk formats support forked files. When you move these types of files to other disk formats, the resource fork can be lost.
With Mac OS X, there is a mechanism called "Apple Double" that allows the system to work with disk formats that do not have a forked file feature, such as remote NFS, SMB, WebDAV directories, or local UFS volumes. Apple Double does this by converting the file into two separate files. The first new file keeps the original name and contains the data fork of the original file. The second new file has the name of the original file prefixed by a "._ " and contains the resource fork of the original file. If you see both files, the ._ file can be safely ignored. Sometimes when deleting a file, the ._ component will not be deleted. If this occurs you can safely delete the ._ file.
</apple double description>
I am not the only one this issue. A quick peruse on http://macwindows.com/ will show that numerous people are suffering and numerous workarounds have been suggested. Sadly none of which work for me. Each work around is stranger than the previous. Such as disabling IPV6 and updating Daylight Savings Time.
The issue lies with the samba integration. I am primarily a Gentoo Linux user and this kind of bug would have been resolved almost instantly if present in open source software.

Active Directory accounts problem logging in to Mavericks

We have twenty iMacs in a lab and five in an Internet café, all wired to a multiple subnet network. OS X Mavericks is bound to Active Directory. Frequently OS X Mavericks behaves as if the network user account password is entered incorrectly until the iMac is restarted. This did not happen when we had Mountain Lion. We never have problems logging in to Windows computers bound to Active Directory.

We have twenty iMacs in a lab and five in an Internet café, all wired to a multiple subnet network. OS X Mavericks is bound to Active Directory. Frequently OS X Mavericks behaves as if the network user account password is entered incorrectly until the iMac is restarted. This did not happen when we had Mountain Lion. We never have problems logging in to Windows computers bound to Active Directory.

Active Directory Server Problem

Hi All,
This mail Seeks to get help from people who have worked with Active Directory Server.
The following is our Current scenario.
We are in the process of establishing an SSL connection to Active Directory Server from java environment(a standalone class) in Windows 2000.
1.Active Directory Server is installed in an independent Win 2k machine.
2.SSL is enabled in the Active Directory Server Machine by installing the Enterprise Root Certificate.
3.Microsoft High Encryption pack is installed in both the client and the Server(AD)
4.The .cer file from the AD machine is imported in to the Client's keystore(cacerts) using the keytool utility.
5.The AD m/c is part of a domain named "rsa" and client m/c is part of the domain named "cts"
With the above setup,The following code tries to Establish an SSL context to the AD through JNDI.
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL,"ldap://blr03srv1.rsa.com:636");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL,"CN=Administrator,CN=Users,DC=rsa,DC=com");
env.put(Context.SECURITY_CREDENTIALS,"password");
try{
     DirContext ctx = new InitialDirContext(env);
     ctx.close();
}catch (Exception e){
     e.printStackTrace();
When we try to run this Client we are facing a SSLHandShakeException with a message saying "No trusted certificate found".
As far as we know the .cer file is successfully imported in to the cacerts which is used by the J2SE as the default keystore.
Hence we ran out of ideas,as we think that there could be some other issue which is causing this problem.
We are looking forward to get inputs from AD enlightened people to Solve this issue
Thanks in Advance,
Manivannan.A

I had problem the same and still I did not obtain to decide it, if for perhaps obtaining he passes me the solution.
thank's
Fernando Queiroz Fonseca
Graduando em Engenharia El�trica
Universidade Federal de Uberl�ndia
http://www.fernandoqueiroz.com.br
email : [email protected]

Active Directory login problem

I have my MacBook Pro bound to the domain. It has a computer account viewable in the Active Directory.
However, after this I then expected to be able to enter my domain credentials at the OS LoginWindow instead of logging on using a local account but it wont work......anyone know what may be the problem here ?
Thanks in advance

I have the same problem when i try to login using the AD domain account the screen just jumps around as if you have entered teh wrong password.

Active Directory Adapater Problem

Hi everyone,
I´ve installed Xellerate with OC4J against Oracle 10G Data Base. Connector Pack 9.0.3. Active Directory 2000
the reconciliation process is working fine but I´m facing a little problem. when I update one user in AD and the scheduled task is processed the user I have modified in AD is marked as deleted in xellerate´s user administration.
any help is appreciated
regards

Make sure the IP specified under WWW is correct & its working. Necessary network & firewall settings are deployed. If its working earlier & not working now means certainly, there are some changes being performed either at the network or firewall.
Check, whether you can reach to the site directly using IP, if not there is trouble at the network & firewall end.
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Active Directory - Authentication Problem

Similar Messages

Maybe you are looking for