Active Directory error "-2147016672"

Similar Messages

• An Active Directory error 0x51 occurred when trying to check the suitability of server

  We have several exchange administrators and two exchange 2010 servers and one exchange 2007 server. I am getting the following error message
  when opening up Exchange Management Console on one of the exchange 2010 server. 
  "An Active Directory error 0x51 occurred when trying to check the suitability of server 'dc101.domain.local'. Error: 'Active directory
  response: The LDAP server is unavailable.' 
  dc101 does not exist anymore. I tried changing the Configuration Domain Controller by manually specify a domain controller but get the exact
  same error message and also gets an empty list when selecting the domain. Other administrators who logs into to the same server do not get this error message. 
  If I open the exchange management console on another exchange server, it works without problem. Is there a setting somewhere I need to change
  to point it to the correct domain controller using power shell?

  I fixed it for myself.
  Organization Configuration->Modify Configuration Domain Controller->select Use a default domain controller
   

• Active Directory error using Upgrade Mgmt Tool - BI 4.1 sp 3

  I am in the process of creating a new BI 4.1 SP 3 environment within out company.  The software has been installed and I wanted to perform a Complete Upgrade from our existing XI 3.1 sp5 environment into our new 4.1 environment.  Also, we are using Windows Active Directory authentication and AD groups for security.
  The Upgrade Mgmt Tool fails with an Active Directory Error message similar to the one below:
  Active Directory Authentication failed to get the Active Directory groups for account with ID <insert really long alpha numeric string here>; CN=<insert name of employee no longer working for the company>.  Please make sure this account is valid and belongs to an accessible domain.
  Well, the account is not valid because this executive no longer works here.  Most likely within Active Directory all groups owned by this person were transferred over to his replacement.  Is there an way to have the upgrade mgmt tool bypass this validation check?  Or does anyone have any other suggestions how to get around this error?  Once this error occurs I can't upgrade.  I guess the alternative is to do an incremental upgrade, group by group, until I find the offending group but I was wondering if there was an easier way as that will be very time consuming.

  @JRKPrasad  Thank your for your thoughtful and accurate response.  It took less than 2 minutes to update AD in BI 3.1.x and the UMT tool is off and running migrating content from BI 3.1 to our new BI 4.1 environment. 
  Again, thank you very much for reading my post and responding.  It was a huge timesaver.

• DNS and Active Directory error 4000 server 2008

  Hello all,
  My network skills aren't very good and I'm facing a dilemma. First off we have two Windows servers on the network. The newest is 2008 Standard (named Vader) and the other is 2000 (dells3). Obviously I'd like to get rid of the 2000, but the people in charge
  of my budget haven't given me the option to do so and it's the only back up we have.
  Earlier in the week we had lots of problems. One of our nas boxes locked everyone out who was mapped to it and it would only let me log in through the web portal. Two of our Macs our marketing department uses suddenly locked up and wouldn't let them back
  in (both were part of the Active Directory). A second nas box won't let certain people map to it and for awhile I had issues logging into Vader itself.
  I believe all of these problems are connected to some issues on Vader and possibly in conduction with dells3. In Server Manager under DNS I get error 4000 "The DNS server was unable to open Active Directory. 
  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."
  Then under Active Directory Domain Services I get error 2042 "It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded
  the tombstone lifetime. Replication has been stopped with this source."
  Followed by more text I can post if needed.
  Under File Services error 1202 "The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the
  next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues."
  And finally if I try to open Active Directory Domains and Trusts "The configuration information describing this enterprise is not available. The server is not operational."
  I'm not sure where to start or what to post that might help. Any and all help is appreciated.
  Edit: Also I can only add dells3 as the DNS on Vader in the DNS Manager if I try to add Vader to itself I get an error.

  It's the other way around.  Overall, I'm advising ripping the 2008 server out of AD and adding it back . Let's look at this as a series of steps:
  1.) You do a force demote of the 2008 server because it's tombstoned.  This means the 2008 server is no longer a DC. You are doing a force because it doesn't have the ability to replicate.  If it could replicate, we'd just do a graceful demotion
  and be done with it.
  2.) Once the 2008 server is demoted, we go to the 2000 server which holds the only good copy of AD.  From that server we run a metadata cleanup using the ntdsutil utility.  We use that utility to clean out references to the 2008 server which is
  no longer a DC.
  3.) Once you have a clean AD, you can then promote the 2008 server back into Active Directory.  Make sure Vader is pointing to Dells3 as its primary DNS server before promoting or you'll run into issues.
  Hopefully that clarifies things. 

• Active Directory error message "the following object is not from a domain listed in the Select location forestB\username

  Hello Community
      "forestA" is my forest it is a Windows 2008 Server Enterprise Edition
  domain controller using Active Directory and the UI.
      In my forest ("forestA") trust relationship I created a "One-Way, Out-going"
  forest trust with Forest-Wide authentication so that a different forest user(s) or
  group(s) with a different admin in a forest named “forestB” can access the resources in my “forestA”
      But also forestB needs to create a "One-way, Incoming" forest trust so that
  I can either add the user(s) or group(s) from “forestB” into to a "Global Security - Group"
  in my "forestA" or I can
   add user(s)  as  "domain user(s)" from “forestB” into my "forestA".
      The problem is that when I right click  the global group in my forestA  and then
  properties, when I click "Members" and then the "Add" button when I type
  "forestB\username" I get an error message from Active Directory stating:
      "the following object is not from a domain listed in the Select location
  dialog box, and is therefore not valid: forestB\username".
      Am I doing something wrong when creating the one-way trust in my
  “forestA” or is the one-way trust being created wrong by the other domain admin in the other “forestB”?
      Or could I possibly need to select "Change Domain" or "Change Domain Controller"
  before adding the users or Groups to my forestA from forestB?
      That is why I am asking
   how do you add an Active Directory user from one forest into another forest?
      Thank you
      Shabeaut

  Hello Denis Cooper
      That is the end result.
      What I was trying  to do was that I was trying to
   bring in the user(s) and group(s) from “forestB”  into
  my “forestA”  Global group.
      Later on I was going to add the user(s) or Global groups(s) that I brought into my dc in my forestA
   into the domain local groups  on my member servers in my forestA.
      So since the error message is:
  "the following object is not from a domain listed in the Select location dialog box, and is therefore not valid: forestB\username".
  Does your response
   mean only Global group(s) from forestB not domain user(s) from forestB have
   to been added to domain local groups in forestA?
  Or is it also possible to add Global group(s) from “forestB” to Global group(s) in my “forestA” and if so
  how without getting the above error message?
  Thank you
      Shabeaut

• Active Directory Error 0x51 occurred when trying to check the suitability of server ' servername '. Error: 'Active directory response: The LDAP server is unavailable'. It was running the command 'Get-OwaVirtualDirectory'.

  This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment.  The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment.  DNS has no record of it, nor is it located anywhere else.  We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related?  I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck....  System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC.  Extremely frustrating.....  I have an issue logged with MS now, but they aren't looking at them until Nov 9.  Has anyone seen this issue at all?  More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help

  Create a "global catalog" on the 2nd domain contoller, will fix this problem. 
  To create a new global catalog:
  On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start , point to Programs , point to Administrative Tools , and then click Active Directory Sites and Services .
  In the console tree, double-click Sites , and then double-click <var>sitename</var> .
  Double-click Servers , click your domain controller, right-click NTDS Settings , and then click Properties .
  On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
  Restart the domain controller.

• Active Directory Error(error code 53 - 0000001F)

  Hello,
  We got a webapp writing to AD, that is throwing the following error:
  Root exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0We are using 'unicodePwd', ssl is enabled and the account that is writing to AD is domain administrator account. Also, our webapp is on a different domain(Linux) than Active Directory, though this has not caused us problems in the past.
  Our previous version of the code was working, and the only change made in the code is that we allow dot(.) character in the user name. However, the test case that failed does not have a dot(.) in the user name.
  Any ideas? I haven't found anything on google that helped

  used to work, but now you've moved the web application somewhere else, and now it doesn't work ?
  Well the obvious question is what exactly have you changed ? What is the difference between when it used to work and now ?
  -- Not much has changed! (I can't debug the code that actually makes the call, all I have is a jar by another group that does all the "low-level" stuff. ) I know for a fact that we are now allowing the user name to contain a dot character. But, the test case that failed does not contain the dot character. It is possible that other changes have been made, but after scanning a few of the files the code looks the same.
  -- Forget, the domains part, it's only confusing. My fault mentioning it.
  Does the password meet the complexity requirements. Is it performed over a secure connection such as SSL or TLS ?
  -- Yes, I checked the password policy --we have disabled most requirements
  -- Yes, I believe so
  -- The attributes
  userAccountControl=66048
  scriptPath=Logon.bat
  ldap.first.name.property=John
  ldap.email.property=[email protected]
  homeDirectory=\\10.10.10.10\Users\b216
  ldap.last.name.property=Smith
  profilePath=\\10.10.10.10\Users\b216
  cn=b216I guess I'll have to wait for the developer who wrote the code to help me out, because it seems like something changed in the code below me. Our test cases are the same.
  However, if you do know what this error usually indicates, it could help us solve the problem faster.
  Thanks!

• Active Directory error 1864 (replication)

  Hello colleagues
  I have 5 DC's (1dc.test.local - 5dc.test.local) and 1 DC (6dc.test.local) out of domain 3 months. All DC's is Windows 2003 in one domain test.local. Then I changed IP address for 6dc.test.local and connect it to LAN of domain (to another 5 DC's). I see that
  6dc.test.local now have lastest update copy of DNS zone and AD. Now I want remove 6dc.test.local from a domain but I can't do this, after run DCPROMO I take an error:
  "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."
  and have error 1864 (about replication) in events.
  Maybe someone already have this problem? How can I remove 6dc.test.local from domain and that another DC's in domain khows about it?
  Please help!

  Hi,
  Please remove the 6th dc using following command.
  DCPROMO /Forceremoval
  If that one also failed run the metadata cleanup using script given below. make sure you run this scriptfrom PDC server and then delete the records manually from DNS console given below. Once you have done that kindly Rebuild the OS & then Promote as
  Domain controller.
  https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3
  Repeat running the vbs script till the wrong/unnecessary dc’s are removed.
           Cross check the removal – dsa.msc [ad users and computers] > Domain Controllers OU
   Adsiedit.msc
   Expand domain partition, select OU=Domain Controllers, make sure only the necessary domain controllers are listed.
   Delete the incorrect domain controllers.
  Dnsmgmt.msc [Dns Management]
        Expand the forward lookup zones\_msdcs folder
  i.      Make sure only the actual domain controllers are listed, delete wrong Alias recordsremove wrong name server records
  ii.      Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] > delete incorrect _ldap and _kerberos records are listed.
  iii.      Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
  iv.      Expand the [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
  v.      Select [forward lookup zones\_msdcs.domain.com\gc] – delete incorrect HostA records
  vi.      Expand the [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] – delete incorrect _ldap entries
  vii.      Select the [forward lookup zones\_msdcs.domain.com\gc\_tcp] – delete incorrect _ldap entries
  viii.      Select the [forward lookup zones\_msdcs.domain.com\pdc\_tcp] – delete incorrect _ldap entries
        Expand the forward lookup zones\domain.com folder
  i.           
  Delete Host(A) records of dc’s which are non-existant.
  ii.           
  Correct the NameServer (NS) records
  iii.           
  Follow steps similar to ’ A ii ‘ >> ‘ A viii’
           Dssite.msc [Sites and Services]
        Expand the [Sites\Sitename\Servers] – delete incorrect server’s
  B.      Delete incorrect subnet configurations [Sites\Subnets]
        Delete incorrect site links [Sites\IP]

• LDAP realm with Active Directory

  Hello,
  In the sun one app server admin console i have set the security role to LDAP.
  I have set up security roles in my web.xml such as this:
  <security-role>
  <description>This role represents administrators of the system, see actor administrators</description>
  <role-name>administrators</role-name>
  </security-role>
  ..and mapped the roles to groups in sun-application as follows:
  <security-role-mapping>
  <role-name>administrators</role-name>
  <group-name>CMS_PM</group-name>
  <principal-name>rlancett</principal-name>
  </security-role-mapping>
  My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
  directory: ldap://earth.tier2consulting.com:389
  base-dn: cn=Users,dc=tier2consulting,dc=com
  jaas-context: ldapRealm
  search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
  search-bind-password: ******
  search-filter: sAMAccountName=%s
  I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  WARNING: va:850)
  FINEST: JAAS authentication aborted.
  INFO: SEC5046: Audit: Authentication refused for [administrator].
  I am pretty stuck on this having looked arounds all the forums:
  Has anyone got sun one app server using Active Directory to get user/group information for security roles?
  Thanks.

  Howdy,
  I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
  The error message you get back from the directory contains an error code in hexidecimal:
  LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
  If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
  1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
  It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
  System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
  Okay, hope this helps somebody.
  Now it's up to you to find out why it can't find the administrator!
  Craig

• How to authenticate using Active directory!

  Hi all!
  at present im using a code given below, its working fine! currently we are using mixed mode active directory! we are going to migrate that to Native mode!
  import java.util.Properties;
  import javax.naming.*;
  import javax.naming.directory.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.Vector;
  import com.aigss.codegene.utils.PropertyDispatcher;
  public class LdapAuthentication//Servlet extends HttpServlet
       private java.util.Hashtable cache = new java.util.Hashtable();
        * @param loginid
        * @param passwrd
        * @return boolean
       public boolean authenticate(String loginid, String passwrd) {
            if(passwrd.trim().equalsIgnoreCase(""))
            return false;
            Properties props = new Properties();
            String ldapHost = "ldap://HDCQ3Q5CDOM01:389";
            String DN =
                 "CN="
                      + loginid.trim()+"DN=,CN=Users,DC=pslsdc,DC=legacy,DC=r5,DC=websi,DC=net";
            System.out.println("DN: "+DN);     
            props.put(Context.INITIAL_CONTEXT_FACTORY,com.sun.jndi.ldap.LdapCtxFactory);
            props.put(Context.SECURITY_AUTHENTICATION, "simple");
            props.put(Context.SECURITY_CREDENTIALS,  passwrd);
            props.put(Context.SECURITY_PRINCIPAL, DN);
            props.put(Context.PROVIDER_URL, ldapHost);
            try {
                 DirContext ctx = new InitialDirContext(props);
                 System.out.println("successfully authenticate DN: " + DN);
                 return true;
            } catch (Exception ex) {
                 System.out.println(ex+loginid);
                 try{
                      throw new Exception("login failure : "+ex+loginid);
                 }catch(Exception e){
                      e.printStackTrace();
                 return false;
  }when i try to connect into Active directory the new one, im unable to get authenticate, user not found error is coming! (data 525)
  im unable to continue!
  i tried changing the DN to : [email protected]
  also DN: mydomain\vijayvignesh
  then im getting error:
  java.lang.Exception: istar login failure : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vecei almost tried everything!
  if any one can find a solution pls do come forward!
  remember my code works fine in Mixed mode active directory, when we shift that to native mode, it is not working!

  If you would read the Active Directory error message, it actually gives you a hint:
  "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
  There was a security feature introduced in Windows Server 2003 that would allow administrators to only allow connections over encrypted sessions (eg. SSL/TLS or Kerberos signing and sealing). This setting is configured somewhere in the Domain Controller's Group Policy, called something like "LDAP Server signing"
  One solution is to use SSL/TLS. Refer to my previous post titled "JNDI, Active Directory & Authentication (part 2) (SSL)" at
  http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50

• Error while creating a user in Active Directory.

  Hi Guys,
  I am creating a custom connector for AD and Exchnage , I am able to create user in AD using my Java Code... but i am also getting below error, I want to finish the operation smoothly.... Please find below error logs.
  13:51:15,635 ERROR [STDERR] Data AccessException:
  13:51:15,636 ERROR [STDERR] com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_AD_CHILD_GRP_NAME from UD_AD_CHILD where UD_AD_CHILD_KEY = Description: ORA-00936: missing expression
  SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
  at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
  at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getChildTableFieldValue(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
  at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
  at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.insertResponseMilestones(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.eventPostUpdate(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.update(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.updateSchItem(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeProcessAdapter(Unknown Source)
  at com.thortech.xl.adapterfactory.events.tcAdpEvent.finalizeAdapter(Unknown Source)
  at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpCREATEADUSER.implementation(adpCREATEADUSER.java:85)
  at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
  at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
  at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(Unknown Source)
  at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(Unknown Source)
  at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(Unknown Source)
  at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(Unknown Source)
  at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
  at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
  at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
  at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
  at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.setProcessFormData(Unknown Source)
  at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.setProcessFormData(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
  at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
  at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
  at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
  at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
  at org.jboss.ejb.Container.invoke(Container.java:960)
  at sun.reflect.GeneratedMethodAccessor135.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
  at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
  at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
  at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
  at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
  at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
  at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
  at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
  at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
  at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
  at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:112)
  at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
  at $Proxy758.setProcessFormData(Unknown Source)
  at Thor.API.Operations.tcFormInstanceOperationsClient.setProcessFormData(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
  at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
  at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
  at $Proxy803.setProcessFormData(Unknown Source)
  at com.thortech.xl.webclient.actions.DirectProvisionUserAction.handleVerifyProcessData(Unknown Source)
  at com.thortech.xl.webclient.actions.DirectProvisionUserAction.goNext(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
  at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
  at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
  at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  at java.lang.Thread.run(Thread.java:619)
  Thanks,
  Hemant

  at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADDUSERTOADGROUP.implementation(adpADDUSERTOADGROUP.java:49)
  This is definitely a Custom Adapter because OOTB Adapter name is adpADCSADDUSERTOGROUP and NOT adpADDUSERTOADGROUP
  So, it is your custom code and in the code you are passing incorrect value of the Active Directory Child process form...
  The correct name is UD_ADUSRC and the Group Name column name is UD_ADUSRC_GROUPNAME.
  While you are passing UD_AD_CHILD as the child process form and UD_AD_CHILD_GRP_NAME as Group Name column name..
  Use OOTB Adapter... Correct these discrepancies... Your addition of group will work
  And since you are creating custom adapter, you need to be more careful and remain consistent throughout..
  Then if you want to use UD_AD_CHILD_GRP_NAME, use it everywhere consistently... Pass only this value in the adapter...
  And even in lookups, if any... Search everywhere... Keep things consistent... They will work... Because good news is that you are able to create user in AD via Java Code...
  And if any post is even slightly helpful, it is a good habit to mark it with helpful or correct ... And also mark the entire question as answered so that other people also are benefited.

• Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

  We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
  The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
  Additional technical information:
  Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
  Timestamp: 2015-04-14 12:27:20Z
  AADSTS50020:
  User account '[email protected]' from external
  identity provider 'live.com' is not supported for application
  'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
  be added as an external user in the tenant. Please sign out and sign in
  again with an Azure Active Directory user account.
  It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

  I assume you created a web application using VS2013 which uses the WS-Federation protocol.
  The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
  For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
  The user will need to either sign-out or use an in-private session in the browse.
  If you switch to openID connect(sample at
  https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

• Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)

  Hi All,
  I could see following error event in all client computers , Could you please some one help me on this ?
  Log Name:      Application
  Source:
  Microsoft-Windows-CertificateServicesClient-CredentialRoaming
  Event ID:      1005
  Level:         Error
  Description: Certificate Services Client: Credential Roaming failed to  write to the Active Directory. Error code 5 (Access is denied.)
  Regards, Srinivasu.Muchcherla

  If you are not using certificates and Credential Roaming for clients then simply ignore the error message.
  If you are using certificates then you are getting access denied message when Credential Roaming is trying to write to your AD. More details about Credential Roaming here: http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx
  http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx
  This is probably related to the fact that your schema version not 44 or higher: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5b3a6e61-68c4-47d3-ae79-8296cb3be315/certificateservicesclientcredentialroaming-errors?forum=winserverGP 
  Active Directory
  ObjectVersion
  Windows 2000
  13
  Windows 2003
  30
  Windows 2003 R2
  31
  Windows 2008
  44
  Windows 2008 R2
  47
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

  This is for information to help others
  KEYWORDS:
    - Sharing EFS encrypted files over a personal lan wlan wifi ap network
    - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
    - transfer encryption keys / certificates
    - set trusted delegation for user + computer for EFS encrypted files via
  Kerberos
    - Windows Active Directory vs network file share
    - Setting up WinDAV server on Windows 7 Pro / Ultimate
  It has been a long painful road to discover this information.
  I hope sharing it helps you.
  Using EFS on Windows 7 pro / ultimate is easy and works great. See
  here and
  here
  So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
  HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
  won't work (unless you follow below steps).
  Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
  Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
  Why such a EFS drama when a network is involved?
  Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
  When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
  another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
  (on behalf of the clienpc's data request).
  This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
  file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
  Solutions
  There are two main approaches to solve this:
       1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
            EFS operations occur on the computer storing the files.
            EFS files are decrypted then transmitted in plaintext to the client's computer
            This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
       2) SOLVE by setting up WebDAV (efs files accessed through web folders)
             EFS operations occur on the client's local computer
             EFS files remain encrypted during transmission to the client's local computer where it is decrypted
             This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
             BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
           READ BELOW as this does
  Create new encrypted file / folder on a network file share - via Active Directory
  It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
  here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
  and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
  Although this info is NOT for setting up EFS on an active directory domain [server],
  for those interested here is the gist:
  Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
  account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
  EFS.
  NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
  Create new encrypted file / folder on a network file share - via WebDAV
  For home users it is possible to make it all work.
  Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
  Setting up a wifi AP (for those less technical):
     a) START ... CMD
     b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
     c) type (no quotes): "netsh  wlan start hostednetwork"
  Set up a WebDAV server on Windows 7 Pro / Ultimate
  -----ON THE FILESERVER------
     1  click START and type "Turn Windows Features On or Off" and open the link
         a) scroll down to "Internet Information Services" and expand it.
         b) put a tick in: "Web Management Tools" \ "IIS Management Console"
         c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
         d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
         e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
         f) click ok
         g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
  KB892211 here ONLY for XP + Server 2003 (made in 2005)
  KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
    2 Click START and type "Internet Information Services (IIS) Manager"
    3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Enable WebDAV"
    4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
         a) on the "Anonymous Authentication" and click "Disable"
         b) on the "Windows Authentication" and click "Enable"
        NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
          It can be by changing registry key:
             [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
             BasicAuthLevel=2
         c) on the "Windows Authentication" click "Advanced Settings"
             set Extended Protection to "Required"
         NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
    5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Add Allow Rule"
         b) set this to "all users". This will control who can view the "Default Site" through a web browser
         NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
  clientpc.
         NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
    6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
         a) on the right side, under Actions, click "Enable"
  HOTFIX - double escaping
    7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
         a) on the right side, under Actions, click "Edit Feature Settings"
         b) tick the box "Allow double escaping"
       *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
       These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
       This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
  file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
    8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
         a) set the Alias to something sensible eg "D_Drive", set the physical path
         b) it is essential you click "connect as" and set
  this to a local user (on fileserver),
         if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
               NB: the user account selected here must have the required EFS certificates installed.
                          See
  here and
  here
          NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
        This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
         The work around is on the \\fileserver create an NTFS symbollic link
            e.g. to share the entire contents of "D:\",
                  on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                  in cmd in this folder create an NTFS symbolic link to "D:\"
                  so in cmd type "cd c:\inetpub\wwwroot"
                  then in cmd type "mklink /D D_Drive D:\"
          NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
           NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
  clientpc
    9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
         a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
         b) if some exist review existing allow or deny.
             Take care to not only review the "allow access to" settings
             but also review "permissions" (read/write/source)
         NB: this can be set here for all added virtual directories, or can be set under each virtual directory
    10 Open your firewall software and/or your router. Make an exception for port 80 and 443
         a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
               choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
            NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
  below, specifically "Cant find server due to network location"
         b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
  HOTFIX - MAJOR ISSUE - fix KB959439
    11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
        a) On Windows 7 you need only change one tiny registry value:
             - click START, type "regedit", open link
             -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
             -on the EDIT menu click NEW, then click DWORD Value
             -Type "DisableEFSOnWebDav" to name it (no speech marks)
             -on the EDIT menu, click MODIFY, type 1, then click OK 
             -You MUST now restart this computer for the registry change to take effect.
        b) On Windows Server 2008 / Vista / XP you'll FIRST need to
  download Windows6.0-KB959439 here. Then do the above step.
           NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
    12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
              It should show the default "IIS7" image.
              If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
          c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                  e.g. http://localhost/D_drive
              If nothing is listed, check "Directory Browsing" is enabled
    13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                It should show the default "IIS7" image. If not, check firewall and port blocking. 
                Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
         c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                 eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                 A directory listing of files should appear.
  --- ON EACH CLIENT ----
  HOTFIX - improve upload + download speeds
    14 Click START and type "Internet Options" and open the link
          a) click the "Connections" tab at the top
          b) click the "LAN Settings" button at the bottom right
          c) untick "Automatically detect settings"
  HOTFIX - remove 50mb file limit
    15 On Windows 7 you need only change one tiny registry value:
        a) click START, type "regedit", open link
        b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
         c) click on "FileSizeLimitInBytes"
         d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
  HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
   16 On each clientpc click START, type "Internet Options" and open it
           a) click on "Security" (top) and then "Custom level" (bottom)
           b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
           SUCH an easy fix. SUCH an annoying problem on a clientpc
     NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
  explorer.
  TEST SETUP
    17 On the client use the normal "map network drive"
              e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
              e.g. CMD: net use * "http://fileserver:80/C_drive"
           If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
  "manage network passwords") has NTFS permissions.
    18 Test that EFS is now working over the network
         a) On a clientpc, map network drive to http://fileserver/
         b) navigate to a folder you know on the \\flieserver is encrypted with EFS
         c) create a new folder, create a new file.
             IF it throws an error, check carefully you mapped to the WebDAV and not file share
                i.e. mapped to "http://fileserver" not "\\fileserver"
             Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
  account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
         d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
         e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
  clientpc decrypted it then copied it).
          If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
          If this is not readable check step (11) and that you restarted the \\fileserver computer.
    19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
        a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
              If a prompt for user+pass then check hotfix (16)
    20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
        a) see the last comment at the very bottom of
  this page: 
  Points to consider:
     - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
  either.
    - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
  MORE INFO: HOTFIX: RAW DATA TRANSFERS
  More info on step (11) above.
  Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
  it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
  Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
  Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
  Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
  file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
  There is a fix:
        It is implimented above, see (11) above
        Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
  Other problems + fixes
    PROBLEM: Can't find server due to network location.
       This one took me a long time to track down to "network location".
       Win 7 uses network locations "Home" / "Work" / "Public".
       If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
       This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
       FIX = either set IP address manually and specify a gateway
       FIX = or  force "unidentified" network locations to assume "home" or "work" settings -
  read here or
  here
       FIX = or  change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
  login to gain file access.
    PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
         By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
        Read
  here (i've posted a batch script to automatically make the required reg files)
  I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

  What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?