Active Directory Cached Domain Login question
Hi all,
I would like to seek assistance on the following scenario setup where I have 2 independent AD forest setup
Production Forest #1 - Contoso
Test Lab Forest #2 - Contoso
Assuming both AD forests domain controllers are issued with Domain Controller Certs (to support smartcard login) from the same CA, and there exists a AD user acct - Mark in Production Forest #1 and this user is currently using a issued smartcard to perform
AD login on desktop client #1
Would it be possible to create a AD user acct - Mark in Test Lab Forest #2 and use the same issued production smartcard to perform AD login on laptop client #2 which is joined to Test Lab Forest #2? If not technically possible, why??? :(
I am trying to find a solution where I can have the laptop clients support login using the issued production smartcard. The challenge here is not all the laptop clients site have access to the production domain controllers hence am thinking of building the
Test Lab Forest #2 on another "server" laptop which provides a mobile means to allow the laptop clients to be joined to the Test Lab Forest and then supporting the issued production smartcard via domain cached login.
So far I know the only requirement is that the UPN match and that the PKI is trusted (in NTAuth) in the forest, but I'm not a PKI expert. I suggest to ask this question in the security forum as well:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
Similar Messages
-
VDI 3 + Active Directory Child Domain Setup Question
Hi Everyone,
Quick question. Will this config work because I'm having some issues.
Domain A
Child Domains A.A, B.A, C.A, etc..
Kerbros is setup and pointing at domain A with admin account access.
VDI3 can see all the domains when I pull down the domain selector... however!... I can only log into the parent domain A. Attempts to log into child domains A.A, B.A, etc give me an 'Unknown user/password error'.
Will this config work? All child domains are part of the same forest which I thought was supported.
Many thanks in advanced for any replies.
DonoHello,
yes, forests with multiple child domains are supported and your configuration should be working.
In order to troubleshoot the problem, please follow the instructions at:
http://wikis.sun.com/display/VDI3/End-users+cannot+access+their+virtual+machines.
The cacao logs should contain more details about the error.
Thanks,
Katell -
I have a script which displays locked out accounts. It works great.
I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
Example: Davis, Susan
Want instead: Domain\Susan.Davis
I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
Here is my script:
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
$colProplist = "name","samaccountname"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
$domainname = $objDomain.name
$samaccountname = $objResult.Properties.samaccountname
$user = [ADSI]"WinNT://$domainname/$samaccountname"
$ADS_UF_LOCKOUT = 0x00000010
if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
$objResult.Properties.name
John
JohnSorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
"$domainname\$($objResult.Properties.samaccountname)"
$domainname might not be what you're expecting, just FYI.
As for filtering, you can add to the if statement and check for your known usernames only.
Don't retire TechNet! -
(Don't give up yet - 12,700+ strong and growing) -
Windows 8.1 Enterprise joined to Active Directory, shows email login
In Windows 7, I knew how to set the login default domain to Active Directory via the registry. That setting does not seem to have the same effect in Windows 8.1 Enterprise.
I have a tablet joined successfully, and can login without any errors. The only problem I have is when it boots up, or someone logs out, the login screen defaults to the MS Live email login. We do not use that in our Domain, and I want to either disable
that option, or set it to connect to our Active Directory servers as the first option.
I have looked in Local Group Policy, the Registry, etc. and have not found anything that refers to that. Is it something simple that I am just overlooking?
AKChappyI believe the group policy you are looking for is called "Accounts: Block Microsoft Accounts"
You can find it here: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
More info:
http://technet.microsoft.com/en-us/library/jj966262.aspx -
Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)
hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONEHi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If -
Problem authenticating user in Active Directory cross domain
Hi,
We have two different AD servers serving our London and Tokyo networks. My application runs in London network but used by both London and Tokyo users.
The two ADs have domain trust setup between them. I have groups defined in London AD to which users from both the London and Tokyo ADs are assigned.
'm trying to connect to London AD using the "users credentials" and retrieve the groups they are assigned to.
I can connect to the London AD using any of the London user and I could retrieve the groups. But when I use a Tokyo user credentials to connect using the London AD server 'm getting Security exception with a code indicating "User Not Found".
The code I use which is very basic is given below . The code below run as such gives me the following error,
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece.
If I change in the code below, Provider URL to Tokyo AD Server URL then it works but I can't use that due to security restrictions. As per the Windows Team the domain trust should allow me to connect/bind to the London AD Server with the Tokyo credentials.
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "london ldap server url");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.REFERRAL, "follow");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_CREDENTIALS, "password");
env.put(LdapContext.CONTROL_FACTORIES, "com.sun.jndi.ldap.ControlFactory");
ctx = new InitialLdapContext(env, null);
I would like to know how to authenticate a user in a cross domain Active Directory environment. I read in one of the blogs that the "simple bind" will not work for cross domain user authentication. Unfortunately the blogger didn't mention what would work :( . Any help is much appreciated.
Please bear with me if my query is a naive one and point me in the right direction.
Thanks
JothiHi Praveen,
to avoid losing data when user objects are moved to new locations in the LDAP server, it is possible to configure the User Management Engine to use the value of a specific unique attribute as part of the unique ID instead of the distinguished name.
For this, you have to change the following UME properties:
For user objects: ume.ldap.unique_user_attribute=<attributename>
For account objects: ume.ldap.unique_uacc_attribute=<attributename>
For group objects: ume.ldap.unique_grup_attribute=<attributename>
Be aware that the attribute (i.e. cn or uid) must be unique in the configured user/group path.
Please read SAPNote 777640 for more information regarding this problem and the way to change the UME properties.
Best regards,
Robert -
Active Directory replication and login errors (Plz HELP !!)
Hi All,
We have one forest domain (XXXX.LOCAL)and lots of child domains (XXX.XXXX.LOCAL).
We are facing issue that child domains are not able to login with forest administrator account and there are also lots of replication errors.
Exchange OWA gives error of not able to find particular XXX.XXX.local child domain.
dcdiag from child domain is :
C:\Windows\system32>
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>nltest.exe /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>
C:\Windows\system32>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = PMA-DC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Connectivity
......................... PMA-DC01 passed test Connectivity
Doing primary tests
Testing server: HEC-CITY\PMA-DC01
Starting test: Advertising
Warning: PMA-DC01 is not advertising as a time server.
......................... PMA-DC01 failed test Advertising
Starting test: FrsEvent
......................... PMA-DC01 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... PMA-DC01 failed test DFSREvent
Starting test: SysVolCheck
......................... PMA-DC01 passed test SysVolCheck
Starting test: KccEvent
......................... PMA-DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
[PMA-DC02] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: PMA-DC02 is the PDC Owner, but is not responding to DS RPC
Bind.
[PMA-DC02] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: PMA-DC02 is the PDC Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: PMA-DC02 is the Rid Owner, but is not responding to LDAP
Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: PMA-DC02 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... PMA-DC01 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... PMA-DC01 passed test MachineAccount
Starting test: NCSecDesc
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
Fatal Error: Cannot retrieve SID
......................... PMA-DC01 failed test NCSecDesc
Starting test: NetLogons
......................... PMA-DC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... PMA-DC01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,Replications Check] Inbound replication is
disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_INBOUND_REPL"
[Replications Check,PMA-DC01] Outbound replication is disabled.
To correct, run "repadmin /options PMA-DC01 -DISABLE_OUTBOUND_REPL"
......................... PMA-DC01 failed test Replications
Starting test: RidManager
......................... PMA-DC01 failed test RidManager
Starting test: Services
w32time Service is stopped on [PMA-DC01]
......................... PMA-DC01 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00000010
Time Generated: 04/21/2014 19:16:04
Event String:
Unable to Connect: Windows is unable to connect to the automatic upd
ates service and therefore cannot download and install updates according to the
set schedule. Windows will continue to try to establish a connection.
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:42
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs
.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the fol
lowing DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on
the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._udp.PMA.XXXX.
LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._tcp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kpasswd._udp.PMA.XXXX.L
OCAL. 600 IN SRV 0 100 464 PMA-DC01.PMA.XXXX.LOCAL.' failed on the following DNS
server:
An error event occurred. EventID: 0x0000168E
Time Generated: 04/21/2014 19:44:43
Event String:
The dynamic registration of the DNS record '_kerberos._tcp.HEC-LAHOR
E._sites.dc._msdcs.PMA.XXXX.LOCAL. 600 IN SRV 0 100 88 PMA-DC01.PMA.XXXX.LOCAL.'
failed on the following DNS server:
An error event occurred. EventID: 0x00000C8A
Time Generated: 04/21/2014 19:44:51
Event String:
This computer could not authenticate with \\LHR-DC01.XXXX.LOCAL, a W
indows domain controller for domain XXXX, and therefore this computer might deny
logon requests. This inability to authenticate might be caused by another compu
ter on the same network using the same name or the password for this computer ac
count is not recognized. If this message appears again, contact your system admi
nistrator.
An error event occurred. EventID: 0xC00A0038
Time Generated: 04/21/2014 19:46:02
Event String:
The Terminal Server security layer detected an error in the protocol
stream and has disconnected the client. Client IP: 10.87.193.37.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 19:52:41
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was PMA\PMA-DC02$. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occu
r when the target server principal name (SPN) is registered on an account other
than the account the target service is using. Please ensure that the target SPN
is registered on, and only registered on, the account used by the server. This e
rror can also happen when the target service is using a different password for t
he target service account than what the Kerberos Key Distribution Center (KDC) h
as for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is
not fully qualified, and the target domain (PMA.XXXX.LOCAL) is different from th
e client domain (PMA.XXXX.LOCAL), check if there are identically named server ac
counts in these two domains, or use the fully-qualified name to identify the ser
ver.
A warning event occurred. EventID: 0x8000001C
Time Generated: 04/21/2014 19:53:42
Event String:
When generating a cross realm referal from domain XXXX.LOCAL the KDC
was not able to find the suitable key to verify the ticket. The ticket key vers
ion in the request was 25 and the available key version was 22. This most common
reason for this error is a delay in replicating the keys. In order to remove th
is problem try forcing replication or wait for the replication of keys to occur.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was LDAP/4a166db9-c39c-4069-99e7-8a233ce2c0
be._msdcs.XXXX.LOCAL. This indicates that the target server failed to decrypt th
e ticket provided by the client. This can occur when the target server principal
name (SPN) is registered on an account other than the account the target servic
e is using. Please ensure that the target SPN is registered on, and only registe
red on, the account used by the server. This error can also happen when the targ
et service is using a different password for the target service account than wha
t the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to us
e the current password. If the server name is not fully qualified, and the targe
t domain (PMA.XXXX.LOCAL) is different from the client domain (PMA.XXXX.LOCAL),
check if there are identically named server accounts in these two domains, or us
e the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 04/21/2014 20:13:25
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver pma-dc02$. The target name used was ldap/pma-dc02.pma.XXXX.LOCAL. This indi
cates that the target server failed to decrypt the ticket provided by the client
. This can occur when the target server principal name (SPN) is registered on an
account other than the account the target service is using. Please ensure that
the target SPN is registered on, and only registered on, the account used by the
server. This error can also happen when the target service is using a different
password for the target service account than what the Kerberos Key Distribution
Center (KDC) has for the target service account. Please ensure that the service
on the server and the KDC are both updated to use the current password. If the
server name is not fully qualified, and the target domain (PMA.XXXX.LOCAL) is di
fferent from the client domain (PMA.XXXX.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to i
dentify the server.
......................... PMA-DC01 failed test SystemLog
Starting test: VerifyReferences
......................... PMA-DC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : PMA
Starting test: CheckSDRefDom
......................... PMA passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... PMA passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running enterprise tests on : XXXX.LOCAL
Starting test: LocatorCheck
......................... XXXX.LOCAL passed test LocatorCheck
Starting test: Intersite
......................... XXXX.LOCAL passed test Intersite
C:\Windows\system32>There are a number of things that can cause this, such as:
DNS is misconfigured to support a parent-child-additional tree forest.
Incorrect DNS zone replication scope for the design, which points back to the point #1.
AD Sites are misconfigured for the physical environment. For example if you have a hub and spoke physical environment, you can't use the default settings that bridge all sites (BASL) and must individually configure them.
Incorrect DNS settings on the DCs.
Multi-homed DCs.
Time service is not configured properly and/or syncing from the VM host, which should be configured otherwise (Microsoft, VMware and Citrix have KBs explaining this).
Default security settings at either the parent, child or both domains, have been altered.
Firewalls between DCs, such as perimeter firewalls, or installed antivirus protection features if not excluded on DCs properly, will cause this, too.
That's the short list. If you can describe some of the points above, it may help us pinpoint where the issue may be.
Some links that may help understand some of the bullet points:
AD Site Design, DNS & the DC Locator Process, and Auto Site Link Bridging, or Bridge All Site Links (BASL)
http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/
DNS Design Options in a Multi-Domain Forest - How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest
Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 12:22 PM
http://msmvps.com/blogs/acefekay/archive/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation.aspx
Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM 3050 1
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
BOXI r2 - SSO in Active Directory multi domain
Hi all,
I have a customer with XI r2 on windows and infoview deployed on Tomcat. Security is (OK until yesterday) sedWinAD with SSO via Vintela. Yesterday they have add a new domain in krbc5.ini and new domain's users cannot login. Tomcat trace reports the following:
INFO: Server startup in 8516 ms
24625 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSManager - No Subject found on the current thread
24641 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS: Acceptor supports: KRB5
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Using keytab entry for: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting ticket .. **
with key
Principal: HTTP/svrcrmboprod.STI.STG***STI.STG
Type: 1
TimeStamp: Thu Jan 01 01:00:00 CET 1970
KVNO: 6
Key: [3, a8 7f 51 1a f1 40 e3 19 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted ticket:
Ticket:
encryption type: 3 (DECRYPTED OK)
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
TransitedEncoding:
client: Quattri***BFP.STG
session key: [3, 9e 46 40 31 df a8 68 1 ]
ticket flags: forwardable renewable ok-as-delegate preauthent
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
valid for:
all addresses
auth data:
[1, 30 82 3 62 30 82 3 5e a0 4 2 2 0 80 a1 82 3 54 4 82 3 50 4 0 0 0 0 0 0 0 1 0 0 0 c0 2 0 0 48 0 0 0 0 0 0 0 a 0 0 0 18 0 0 0 8 3 0 0 0 0 0 0 6 0 0 0 14 0 0 0 20 3 0 0 0 0 0 0 7 0 0 0 14 0 0 0 38 3 0 0 0 0 0 0 1 10 8 0 cc cc cc cc b0 2 0 0 0 0 0 0 0 0 2 0 15 d6 9d 6f 2a 3d ca 1 ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f c2 f0 21 d3 2f 2d ca 1 c2 70 86 cb c2 44 ca 1 c2 70 4f bc e8 73 ca 1 e 0 e 0 4 0 2 0 20 0 20 0 8 0 2 0 0 0 0 0 c 0 2 0 0 0 0 0 10 0 2 0 44 0 44 0 14 0 2 0 4 0 4 0 18 0 2 0 45 6 0 0 de 4 0 0 1 2 0 0 3 0 0 0 1c 0 2 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 16 0 20 0 2 0 6 0 8 0 24 0 2 0 28 0 2 0 0 0 0 0 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 2c 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 7 0 0 0 0 0 0 0 7 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 0 0 10 0 0 0 0 0 0 0 10 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 20 0 4c 0 6f 0 72 0 65 0 64 0 61 0 6e 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22 0 0 0 0 0 0 0 22 0 0 0 5c 0 5c 0 73 0 76 0 72 0 62 0 66 0 70 0 66 0 73 0 68 0 66 0 2e 0 62 0 66 0 70 0 2e 0 73 0 74 0 67 0 5c 0 48 0 4f 0 4d 0 45 0 24 0 5c 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 2 0 0 0 0 0 0 0 2 0 0 0 4d 0 3a 0 3 0 0 0 1 2 0 0 7 0 0 0 9a 4 0 0 7 0 0 0 48 e 0 0 7 0 0 0 b 0 0 0 0 0 0 0 a 0 0 0 53 0 56 0 52 0 42 0 46 0 50 0 44 0 43 0 30 0 32 0 4 0 0 0 0 0 0 0 3 0 0 0 42 0 46 0 50 0 0 0 4 0 0 0 1 4 0 0 0 0 0 5 15 0 0 0 3b c2 da 85 8 fa d1 16 fe 9b 47 2f 4 0 0 0 30 0 2 0 7 0 0 0 34 0 2 0 7 0 0 0 38 0 2 0 7 0 0 0 3c 0 2 0 7 0 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 36 40 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 99 33 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b d0 12 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 9b 11 b 6a 91 78 ec 27 6b 53 ee 1b 7a c 0 0 0 0 0 0 0 8e 60 6f 2a 3d ca 1 e 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 76 ff ff ff 16 15 71 e5 8 76 59 2a 0 de 13 b9 f8 a3 c4 94 0 0 0 0 76 ff ff ff a6 9f 99 90 c7 63 41 c6 4a b4 f 8d c2 70 44 9f 0 0 0 0 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Setting context expiry to [1253841580000]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Current wall time is [1253805580586]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting application request .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted application request:
++++ KRB-AP-REQ Message ++++
encryption type: 3 (DECRYPTED OK)
ap options: mutual-required
Ticket:
encryption type: 3
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
client: Quattri***BFP.STG
subkey: [3, da 34 d3 4 8f f2 e9 b9 ]
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
sequence number: 1846075710
++++++++++++++++++++++++++++
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Got delegated credential
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Delegated credential:
++++ KRB-CRED Message ++++
encryption type: 0 (DECRYPTED OK)
sender address: null
receiver address: null
nonce: -1
timestamp: null
credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** creating application response .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - created application response:
++++ KRB-AP-REP Message ++++
encryption type: 3
sequence number: 162921799
sub session key: null
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
++++++++++++++++++++++++++++
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator supports: KRB5
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator TGS key type:
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - 3
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
Found acceptor realm: null
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - GSS: Initiator getting service ticket for: BO_Admin
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** requesting service ticket .. **
with credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
for service principal: BO_Admin
at realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Resolving KDC for realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver -
UDP attempt #0 to DNS server svrstidc01.sti.stg/172.20.1.103
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data sent:
0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data received:
0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
00 01 00 01 00 00 00 00 00 04 ac 15 01 66
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - params: 1000000110000000
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - Query sent:
Qname: _kerberos._udp.BFP.STG
Qtype: 33
Qclass: 1
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: _kerberos._udp.BFP.STG
Class: 1
TTL: 454
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: svrbfpdc02.bfp.stg
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
Do yuo have any tips?
Thanks in advance
FabrizioSorry,
I noticed that the trace is too long, so I put the most important
Thanks
F.
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include -
Active Directory Groups - Domain Users Group
Using the AD resource adpater, I am able to assign groups and remove groups, but I noticed that the Domain Users group does not appear in the list of groups the user belongs to. Looking AD the user does belong, but in IDM it does not list this group membership. Is this normal ?
Thanks for the reply. I noticed there are quite a few issues with trying to UNC map to any share outside of the local MXE3500. I'm also seeing some issues with FTP watches on an EMC NAS, that has been FTP enabled. The problem I'm seeing now is that the watch will only work, if the watch is at the root level. If I add a file path, its accepted as valid when I save the directory watch, but looking at the fa.log its appending the last directory on twice.
So if my watch is looking at FTP Directory Path of: lifelink
The fa.log shows: .../lifelink/lifelink/
the word lifelink is displayed twice, causing an error, stating: "Error checking file size delay"
thanks,
Dave -
Lync 2013 & Active Directory Intra Domain Migrations
Hi all,
Hopefully this is the correction forum to ask. Suppose the following scenario
Parent Domain containing Lync 2013 Servers
Child domains consisting of user accounts
It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain.
A few questions
Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
Thanks,Within a single forest it quite possible to have Lync installed in one domain and User a part of another domain
All we have to do during the Lync server install process run the domain prepaerationn wizard for all the domain weher we shall either have Lync user object or Lync server object
Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
I believe As long as the user SIP URI Doesn't change you can export the user data information and after the migration if you can import in user information
Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered" -
How to script out to connect to Active Directory specific domain controller server?
How to script out a script that enable us to connect to the specific domain controller server, it is because I have 2 different servers version and both of them have been communicate with powershell, thus, I wanted to powershell to communicate with one
server version. How to script this out?Please see the Posting Guidlines:
http://social.technet.microsoft.com/Forums/en-US/a0def745-4831-4de0-a040-63b63e7be7ae/posting-guidelines?forum=ITCG
and this article on how to ask questions in a technical forum:
http://sincealtair.blogspot.com/2010/04/how-to-ask-questions-in-technical-forum.html
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " " -
Prevent Active Directory Parent Domain Admins from accessing Child Domain
We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
Thanks in advance for input and advice!
Best regards.Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
parent.parentdomain.com
child1.parentdomain.com
child2.parentdomain.com
child3.parentdomain.com
We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
2.) Promote a Child.parentdomain.com user to Enterprise Admin?
Thanks sorry for the confusion.
Ah ok.
Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the
enterprise admins group. that way they are still only admins in the parent domain.
It is really only depending on group members ship and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
based on the group membership you can also deny them the ability to log on.
the only thing you cannot prevent is the forest administrator account from doing something.
One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in. -
Active Directory - DS Name Cache rate hit thershold
Hi Team,
I would like the information for DS Name Cache Rate Hit threshold limit. What is threshold limit so that I can understand there is some issues.
Our monitoring systems is throwing alerts for DS Name Cache rate hit low its saying <80% on domain controllers. Also I have checked all domain controllers the DS Name Cache rate hit being changing in the flection of second 0 to 85 to 100 not
constant.
Also the memory and normal.
So can someone explain how I need analyze in more details so that ensure the alert valid or not.
Monitoring systems alerts come and clears automatically.
Could you please help me analyze this issue.
D.K Konar. NMSDid you gave a look to that? http://social.technet.microsoft.com/Forums/en-US/9d7b4fa2-ba0f-412e-981a-dbfafa0e55d2/ds-name-cache-hit-rate?forum=winserverDS
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Snow Leopard and Windows 2003 Active Directory Binding Issues
Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana -
Authenticating Workgroup Manager to Active Directory.
Dear all,
I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
I am running 10.4.11 server 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
Logging on to a client machine with an AD login works fine, no issues.
System image deployment over the network from the Xserve work fine.
The I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
*Viewing directory: /Active Directory/All domains. Not authenticated*
When I click the padlock to authenticate, and enter my domain admin username and password, it says:
*The login information is not valid for this server.*
My login works as it allows me to add machines to the domain.
More info available as needed. If anyone can assist, thanks in advance.
Regards,
M.Hi
Viewing directory: /Active Directory/All domains. Not authenticated
When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. Its also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
This name and password can be the same as the one created for promoting your server to OD Master (diradmin). Its a good idea to create this account on the AD first (make it authoratative for the AD) before promotion and client binding.
If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
Apologies if you already know this, Tony
Maybe you are looking for
-
How do i move my itunes image to a new PC? Without losing my Data
How do i move my itunes image to a new PC? Without losing my Data
-
I need to wipe my personal info from my BB curve 8310 before I dispose of it. How do I do this and where do I find the "Options" button? Solved! Go to Solution.
-
APEX 3.0: Region caching and PDF Export
Hi, there was some comment in the APEX 3.0 Feedback Application that if a region has activated the new "Caching" settings, the Flash Chart data, PDF Export and CSV Export get also cached. That seems to work fine for the Flash Charts, they display the
-
How can I create Icon from byte[]
I have such kind of task: program gets byte[] from DB (it's a *.png image bytes), after that I need to recreate icon from this bytes. Oleg.
-
Organizer keeps will not open?
I have had PSE for 6 months and used it lots but a few weeks ago the organizer just stopped opening, i have to go in to Edit to open organizer and my photo thumbnails are not shown, just timmers, i have changed the name of the online services file i