Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Hi All,
I have just added my first 2010 exchange server to our organisation.
Upon trying to enter the product key, i get the following:
Error:
Active Directory operation failed on DC01.myorg.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
set-exchangeserver -Identity 'CAS01' -ProductKey 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
I get a similar error when trying to run the cmdlet New-ClientAccessArray.
It would appear there is a inheritance of permissions issue somewhere but where. Most other references to this error are on mailbox moved where the error is with the mailbox being moved. where is it here?
Any thoughts? This is driving me mad :(
Hi,
After much research on the forums I found this solution that worked for me:
Technet
Article
Tanks,
Arthur.
Similar Messages
-
This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment. The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment. DNS has no record of it, nor is it located anywhere else. We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related? I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck.... System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC. Extremely frustrating..... I have an issue logged with MS now, but they aren't looking at them until Nov 9. Has anyone seen this issue at all? More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help
Create a "global catalog" on the 2nd domain contoller, will fix this problem.
To create a new global catalog:
On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start , point to Programs , point to Administrative Tools , and then click Active Directory Sites and Services .
In the console tree, double-click Sites , and then double-click <var>sitename</var> .
Double-click Servers , click your domain controller, right-click NTDS Settings , and then click Properties .
On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
Restart the domain controller. -
Can not update exchange due to error with Active directory
Error:
The following error was generated when "$error.Clear();
Install-CannedRbacRoles -InvocationMode $RoleInstallationMode -DomainController $RoleDomainController
" was run: "Active Directory operation failed . This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I have tried everything I can find on the web. any assistance would be appreciated. Thank you.I see now that you have logged into domain
Another thing, check if Allowed Inheritance is blocked on this account (bmoore)?
Cheers,
Gulab Prasad
Technology Consultant
Blog:
http://www.exchangeranger.com Twitter:
LinkedIn:
Check out CodeTwo’s tools for Exchange admins
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
What could be the problem, considering the items below :
- inheritance is not broken to the level of the distribution group object
- the account used to run the cmdlet is a member of the Organization Management group
- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
shows no differences.
- adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
- there is no Deny permission on the group's ACL
- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issuesAnyone ever come up with a solution to this? I get something similar when Activesync tries to create objects on user containers.
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions",
and give full permis to msExchActiveSync devices for the Exchange Servers security group, blah blah.
I got to this point by following a Migrate to Exch2010 paper by MS. I have no Win2k servers, my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched. The Exch server is also a DC. I installed a new 2012r2 server and then patched
it. Installed Exch2010SP3Ru8 and all seems well.
The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server
Manager on the new 2010 Exch Server. I send it a bunch of emails, connect to it with an outook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with
outlook, send receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
Went so far as to Promo the new 2012 server to a DC. seems to be fine. Now am wondering if I Demote the old Exch2003 server will it help...or cause a new crop of issues.... -
Hello,
We have a multi domain parent child AD domain infrastructure and now we upgraded our exchange from Exchange 2007 to Exchange 2013. Since last few days, we see the below error on the mailbox server event viewer.
EVENT ID : 1121
The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error.
Request GUID: '93a7d1ca-68a1-4cd9-9edb-a4ce2f7bb4cd'
Database GUID: '83d028ec-439d-4904-a0e4-1d3bc0f58809'
Error: An Active Directory Constraint Violation error occurred on <domain controller FQDN>. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-0315286E, #1:
Our Exchange setup is in parent domain, but we keep on getting this error for various domain controllers in each child domain in the same site. We then configured one of the parent domain domain controller on Exchange. Still we are getting this error for
the configured parent domain DC.
Verified the AD replication and there is no latency or pending stuffs.
Any support to resolve this issue will be highly appreciated. Thank you in advance.
Regards,
Jnana R DashHi,
In addition to Ed's suggestion, I would like to clarify the following things for troubleshooting:
1. Please restart IIS at first.
2. If the issue persists, please ping your DC on your Exchange server to check if Exchange can communicate with DC.
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support -
Problem during the changing of Password in Active Directory
Hello All !
I am facing a problem during the password modification
in active directory, i got the same exception as other are getting i.e
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190959, problem 5003 (WILL_NOT_PERFORM), data 0
Can any body help me how i will come to know that 128 bit
Encryption is done successfully. Although i Installed the MS High Encryption Pack but it's registry is not done in Conrol Panel.
is this a problem(as i think) ?
I am giving the code please check it out->
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
//import java.io.*;
//import javax.net.ssl.*;
//import java.security.*;
import java.io.UnsupportedEncodingException;
public class setpassword
public static void main (String[] args)
Hashtable env = new Hashtable();
String adminPassword = "";
String userName = "ou=MCA,ou=Trainee,dc=ControlsNet,dc=local";
String newPassword = "yadav";
String keystore = "D:\\j2sdk1.4.2_12\\jre\\lib\\security\\cacerts";
System.setProperty("javax.net.ssl.trustStore",keystore);
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
env.put(Context.SECURITY_PROTOCOL,"ssl");
String ldapURL = "ldap://gateway.ControlsNet.local:636/";
env.put(Context.PROVIDER_URL,ldapURL);
try {
LdapContext ctx = new InitialLdapContext(env,null);
ModificationItem[] mods = new ModificationItem[1];
String newQuotedPassword = "\"" + newPassword + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
ctx.modifyAttributes(userName, mods);
System.out.println("Reset Password for: " + userName);
ctx.close();
catch (NamingException e) {
System.out.println("Problem resetting password: " + e);
catch (UnsupportedEncodingException e) {
System.out.println("Problem encoding password: " + e);
Please reply me immideiately as soon as you see this problem.
I think some of u already solved this problem. thanks in advance.Believe it or not, looks similar to the problem in the post http://forum.java.sun.com/thread.jspa?threadID=580113&tstart=0
More unbelievable is the huge security hole in your network !String adminPassword = "";
env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
env.put(Context.SECURITY_CREDENTIALS,adminPassword);An administrator with a blank password !
The ldap standard (rfc 2251) defines an anonymous user as a user with a null passsword. By default, Active Directory does not allow anonymous users to perform searches against the directory, let alone reset a user's password. -
Active Directory integration problem, Bind AC and OD
Hi.
I'm trying to set an Open Directory as "connect to a Directory System" because I have a windows 2000 server with Active Directory. But i have a problem when i click on "open directory Access", Access Directory appear and I select Active Directory.
xxx.yyy is the server with active directory, with its admin and its password. but i cant Bind it and an error always appear.
can you help me?
what's "active directory domain"?is it xxx.yyy?
and what's "computer ID"?
Are there others parameters to set for example in DNS or other?
help help helpWhat are you trying to achieve by doing this?
Got to http://www.afp548.com/ and serach for AD-OD integration.
http://www.afp548.com/article.php?story=20051202151540574 -
Problems using native query in Active Directory connector v 9.1
Hello,
Has anyone ran into a problem when trying to do a query with a not operator?
I want to import all users, but not computers.. so I tried the query (&(objectClass=user)(!objectclass=computer))
I tried this query directly in the active directory and it worked.
The problem is when I apply it to OIM it gives out the following error:
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Enter
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Enter
INFO,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],Starting Active Directory Trusted Reconciliation
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ActiveDirectoryRecon::setTaskSchedulerObjectName() Exit
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Enter
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],ADLookupMaps::getADFieldsArray() Exit
DEBUG,29 Oct 2008 19:48:06,337,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,350,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,363,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcUtilAttributeNameMap::getLookupDecodeValue() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ADReconTaskAttrs::parseAndSetMultiValAttrs() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],ActiveDirectoryRecon/performReconciliation :query (&(&(objectClass=user)(!objectclass=computer))(whenChanged>=19000101000000.0Z))
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Enter
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForDirContext() Exit
DEBUG,29 Oct 2008 19:48:06,374,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Enter
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::hashTableEnvForLDAPContext() Exit
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Enter
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::validateCertificates() Exit
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],Critical Extensions Supported
DEBUG,29 Oct 2008 19:48:06,375,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Enter
DEBUG,29 Oct 2008 19:48:06,549,[OIMCP.ADCS],tcADUtilLDAPController::invalidateSSLSession() Exit
DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::connectToAvailableAD() Exit
ERROR,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],The error occured in tcADUtilLDAPController::searchResultPageEnum():Unbalanced parenthesis
DEBUG,29 Oct 2008 19:48:06,989,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Enter
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::disconnect() Exit
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],tcADUtilLDAPController::searchResultPageEnum() Exit
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryRecon::performReconciliation() Exit
INFO,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],End of Active Directory Reconciliation....
DEBUG,29 Oct 2008 19:48:06,990,[OIMCP.ADCS],ActiveDirectoryReconTask/execute End
Thanks in advance,
TomicHi,
Try this and it will work.I am using it.
(&(objectClass=user)(!(objectClass=computer)))
Regards
Nitesh -
Integrating Final Cut Server 1.5 with Active Directory
Following the directions in the Final Cut Server Setup Guide and I am running into errors. Fun with Final Cut Server. Fun with Kerberos.
Final Cut Server v.1.5 is running on an Intel Xserve running 10.5.6 Server, joined to AD. Active Directory is running on a Windows Server 2008 setup.
I dropped the ini files on the domain controllers, as directed by Apple KB (http://support.apple.com/kb/HT3688) and I ran the commands directed in the setup guide.
The adprincadd command should be run literally, of course, but there's a mistake straight-away when it should read "./adprincadd.pl", the ".pl" is missing. Also it says "fcsvr/fqdn of fcsvr", so naturally I replaced the fqdn, but the "fcsvr" prefixed threw me off. It gave me errors until I opened Kerberos.app and notcied that the kerb ticket was in ldap/, then the command worked for me. At least no errors, until I checked the ticket and it said I had no permissions and that the keytab entry was invalid. Wheeee.
1. First I tried:
(some info redacted)
node09:sbin root# ./adprincadd.pl -dc dc01.example.com. fcs.example.com.
Getting kerberos principal for computer account
Kerberos principal is ---
Getting computer id...---
Getting AD Domain...---
Base DN is dc=example,dc=com
getting kerb ticket using [email protected] got ticket
SASL-bind to dc01.example.com. successful
Computer record is at CN=---,CN=Computers,DC=example,DC=com
Checking to see if ---.--.---. exists...000020B5: AtrErr: DSID-031529F7, #1:
0: 000020B5: DSID-031529F7, problem 1005 (CONSTRAINTATTTYPE), data 0, Att 90303 (servicePrincipalName)
at ./adprincadd.pl line 165
2. Then I noticed the /ldap in Kerberos.app and changed the adprinadd command:
Everything ran well, with no errors...
Finding kvno...2
Reading /etc/krb5.keytab...done.
Creating new keytab file...done.
Writing out temporary keytab...done.
Making backup of old keytab and moving new keytab into place...done.
Operation Completed. You can verify with "kinit <ad user>; kvno -k /etc/krb5.keytab ldap/---.example.com"
3. Verifying with kinit gave me the keytab errors:
kinit matx; kvno -k /etc/krb5.keytab ldap/fcs.example.com
Please enter the password for [email protected]:
ldap/[email protected]: kvno = 2, keytab entry invalid
kvno: Permission denied while decrypting ticket for 'ldap/[email protected]'
Thoughts?Hello, I'm having issues with the client login after AD integration. I followed the steps from http://support.apple.com/kb/HT3818 and the Terminal output reported a success.
I'm able to add AD groups in Final Cut Server Group Permissions. However, when I try logging in on the FCServer client using credentials associated with AD group I've added, I'm getting an error message from the client stating:
"Please re-enter the username and password or contact the server administrator. Please note that the username and password are case-sensitive."
The FQDN is correct in the Server field of the client.
I'm able to log into the client using locally created user accounts that I've created on the server so I know the client is communicating correctly.
The only thing I can find in the Console for the client machine is this:
11/25/09 10:50:12 AM /Users/*/Desktop/Final Cut Server.app/Contents/MacOS/Final Cut Server[1773] Warning: accessing obsolete X509Anchors.
In the server Console, this is a suspect message: /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/MacOS/fcsvr_stored[77891] pps proxy error: dsDoDirNodeAuth = -14091
Not finding much info out there regarding this. Any guidance is appreciated. -
How to create User in the specific group in Microsoft Active Directory
Hi,
I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
it get added to Domain Users group.
I tried adding memberOf attribute with value "TestUsers"
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
It gives me following error :
code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
Following is the code I am using.
public LDAPResult createUserID(
String userId,
String pwd,
String pId,
boolean resetonLogOn,
LDAPConnection ldCon) {
boolean flag = false;
int code=0;
try {
String pwdLastSetVal;
String desName;
String desc;
/* Specify the DN of the new entry. */
String dn =
"CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
/* Create and add attributes to the attribute set. */
String objectclass_values[] =
{ "top", "person", "organizationalPerson", "user" };
// LDAPEntry findEntry=null;
/* Create a new attribute set for the entry. */
LDAPAttributeSet attrs = new LDAPAttributeSet();
/* Attribute sAMAccountName */
LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
attrs.add(attr);
/* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
attr =
new LDAPAttribute(
LDAP_PASSWORD_KEY,
(byte[]) this.encodePassword(pwd));
attrs.add(attr);
/* Attribute Display Name */
desName = userId + ":" + pId;
//desName = userId ;
attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
attrs.add(attr);
/** Attribute userAccountControl to enable the userid.
attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
attrs.add(attr);
/* Attribute pwdLastSet to reset the password on first logon*/
if (resetonLogOn == true) {
pwdLastSetVal = "0";
} else {
pwdLastSetVal = "-1";
attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
attrs.add(attr);
/* Attribute Description */
desc = " Account Created by HelpNow App";
attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
attrs.add(attr);
/* Attribute objectclass */
attr = new LDAPAttribute("objectclass", objectclass_values);
attrs.add(attr);
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
/* Create an entry with this DN and these attributes . */
LDAPEntry myEntry = new LDAPEntry(dn, attrs);
/* Add the entry to the directory. */
ldCon.add(myEntry);
flag = true;
}catch (LDAPException e) {
flag = false;
code=e.getLDAPResultCode();
}catch (Exception e) {
flag = false;
code=LDAPException.OTHER;
}finally {
ldaprs.flag=flag;
ldaprs.code=code;
return ldaprs;
}Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150
-
Ldap Sync: User is not able to create in Active Directory through OIM
Hi ,
I have enabled the ldap sync between OIM and Active Directory.
Option 1: with password
While creating the new user in OIM , I am getting the below error .
80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Could not modify entry.[[
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
remaining name 'cn=ADTESTLDAp10F ADTESTLDAp10LL,cn=Users,dc=cgtest,dc=adtest,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.modify(ConnectionHandle.java:301)
at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.modify(BackendJNDI.java:781)
[2013-08-04T17:06:58.840-07:00] [oim_server1] [ERROR] [OVD-60600] [oracle.ods.virtualization.engine.util.ADUtilities] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Cannot set password : LDAP Error 53 : [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0[[
Looks like password is not able to set properly. But I am able to create the same user in AD using the same password.
Option 1: without password
Another testing, I have also tried to create user without password. There is no error coming to log file. and I am able to see the below message in log file
oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler] [APP: oim#11.1.2.0.0] [SRC_METHOD: createUser] User created in LDAP with GUID 9dc8f6f4b8564216a5d75d86f7cad0a2
But user is not created in AD . this is another issue.
Thanks,
AmitThanks for your reply.
I have seen sample xml and my target looks the same
<wlserver dir="${weblogic.domain.dir}"
port="${weblogic.domain.admin.server.port}"
servername="${weblogic.domain.admin.server.name}"
username="${weblogic.domain.admin.user}"
domainname="${weblogic.domain.name}"
password="${weblogic.domain.admin.password}"
configFile="config.xml"
generateConfig="true"
action="start"
beahome="${env.BEA_HOME}"/>
my requirement is to use ant task.. otherwise I am able to create through configuration wizard
Thanks -
Change password in Active Directory using the JNDI GSS-API/Kerberos
Hi
I am trying to the JNDI GSS-API to change a user password.
When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
Here's my java code:
public class ChangePasswordLDAPCommand implements Command {
static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());
@SuppressWarnings("unchecked")
public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
logger.info("Início - execute");
try {
CoreConfig config = CoreConfig.getInstance();
String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();
Subject subject = new Subject();
Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
Map<String, String> map = new HashMap<String, String>();
Map<String, String> shared = new HashMap<String, String>();
map.put("com.sun.security.auth.module.Krb5LoginModule","required");
map.put("client","true");
map.put("useTicketCache","true");
map.put("doNotPrompt","true");
map.put("useKeyTab","true");
map.put("useFirstPass","true");
map.put("refreshKrb5Config","true");
logger.info(">>>>> map.toString(): "+map.toString());
shared.put("javax.security.auth.login.name", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
shared.put("javax.security.auth.login.password", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
shared.put("javax.net.debug","SSL,handshake,trustmanager");
shared.put("sun.security.krb5.debug","true");
shared.put("com.sun.jndi.ldap.connect.pool.timeout","30000");
logger.info(">>>>> shared.toString(): "+shared.toString());
krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName,password),shared,map);
krb5LoginModule.login();
if(krb5LoginModule.commit()){
//Recupera o usuario a ser alterado
UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
logger.info(">>>>>>>>>>>>>>>>>>>>>> subject.toString(): "+subject.toString());
Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
} catch (LoginException e) {
e.printStackTrace();
} catch (PrivilegedActionException e) {
e.printStackTrace();
logger.info("Fim - execute");
return Command.CONTINUE_PROCESSING;
@SuppressWarnings("unchecked")
public class JndiAction implements java.security.PrivilegedExceptionAction{
private static Logger logger = Logger.getLogger(JndiAction.class.getName());
private UsuarioTOLDAP usuarioTOLDAP = null;
public JndiAction(UsuarioTOLDAP usuarioTO) {
this.usuarioTOLDAP = usuarioTO;
public Object run() {
performJndiOperation(usuarioTOLDAP);
return null;
@SuppressWarnings("unchecked")
private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP){
logger.info(">>>>> entrei na JndiOperation");
try {
CoreConfig config = CoreConfig.getInstance();
String distinguishedName = "";
String keystore = "C:/Documents and Settings/user/.keystore";
System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
System.setProperty("com.sun.jndi.ldap.connect.pool.timeout","30000");
System.setProperty("javax.net.debug","all");
System.setProperty("sun.security.krb5.debug","true");
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
env.put("javax.security.sasl.qop","auth-int");
env.put("javax.security.sasl.strength","high");
env.put("javax.security.sasl.server.authentication","true");
String userName = "CN=USER,"+config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
// Cria o contexto inicial de acesso ao LDAP
//DirContext ctx = new InitialDirContext(env);
// Create the initial directory context
LdapContext ctx = new InitialLdapContext(env,null);
//set password is a ldap modfy operation
ModificationItem[] mods = new ModificationItem[1];
//Replace the "unicdodePwd" attribute with a new value
//Password must be both Unicode and a quoted string
String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
// Perform the update
ctx.modifyAttributes(userName, mods);
ctx.close();
} catch (NamingException e1) {
e1.printStackTrace();
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}Edited by: c0m4nch3 on Jan 21, 2010 12:13 PMRefer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
Good luck. -
Can't connect to Small Business Server 2003 via Active Directory
I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!Hi Andbrowny, thanks for your response.
Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB. -
Getting list of all users and their group memberships from Active Directory
Hi,
I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
==================
import javax.naming.*;
import java.util.Hashtable;
import javax.naming.directory.*;
public class GetUsersGroups{
public static void main(String[] args){
String[] attributeNames = {"memberOf"};
//create an initial directory context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
env.put(Context.SECURITY_CREDENTIALS, "p8admin");
try {
// Create the initial directory context
DirContext ctx = new InitialDirContext(env);
//get all the users list and their group memberships
NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
while (contentsEnum.hasMore()){
NameClassPair ncp = (NameClassPair) contentsEnum.next();
String userName = ncp.getName();
System.out.println("User: "+userName);
try{
System.out.println("am here....1");
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
System.out.println("am here....2");
Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
System.out.println("-----"+groupsAttribute.size());
if (groupsAttribute != null){
// memberOf is a multi valued attribute
for (int i=0; i<groupsAttribute.size(); i++){
// print out each group that user belongs to
System.out.println("MemberOf: "+groupsAttribute.get(i));
}catch(NamingException ne){
// ignore for now
System.err.println("Problem encountered....0000:" + ne);
//get all the groups list
} catch (NamingException e) {
System.err.println("Problem encountered 1111:" + e);
=================
The following exception gets thrown at every user entry:
User: CN=Administrator
am here....1
Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
]; remaining name 'CN=Administrator'
I think it gets thrown at this line in the code:
Attributes attrs = ctx.getAttributes(userName, attributeNames);
Any idea how to overcome this and where am I wrong?
Thanks in advance,
Regards.In this sentence:
Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
userName + ",CN=Users,DC=filenetp8,DC=com"
But I still have some problem with it.
Hope it will be useful for you. -
An Active Directory error 0x51 occurred when trying to check the suitability of server
We have several exchange administrators and two exchange 2010 servers and one exchange 2007 server. I am getting the following error message
when opening up Exchange Management Console on one of the exchange 2010 server.
"An Active Directory error 0x51 occurred when trying to check the suitability of server 'dc101.domain.local'. Error: 'Active directory
response: The LDAP server is unavailable.'
dc101 does not exist anymore. I tried changing the Configuration Domain Controller by manually specify a domain controller but get the exact
same error message and also gets an empty list when selecting the domain. Other administrators who logs into to the same server do not get this error message.
If I open the exchange management console on another exchange server, it works without problem. Is there a setting somewhere I need to change
to point it to the correct domain controller using power shell?I fixed it for myself.
Organization Configuration->Modify Configuration Domain Controller->select Use a default domain controller
Maybe you are looking for
-
ASSERTION FAILED error in SRM 7.0 when creating documents
Hi Experts, We are using SRM 7.0 When i am clicking on shop button to create shopping cart / create contract / create RFx we are getting RUNTIME ERROR : ASSERTION_FAILED Termination occurred in the ABAP program "/SAPSRM/CL_CH_WD_GAF_FACTORY==CP" - in
-
If you upload a photo in the 'Photo Stream Uploads' folder (PC), it is automatically imported to iPhone (via Wi-Fi). How come when you delete a photo from the Photo Stream folder (PC), it is not deleted in the Photo Stream (iPhone)?? I mean doesn't i
-
Secure wireless on existing network
My boss wants to provide internet wireless capability to service customers while they are waiting. We have a small LAN with forty workstations and only one port on our router to the outside. I am worried about security. I was thinking of putting a wi
-
All of sudden now the 'join the conversation' pop up in usatoday.com does not show content. The box will pop up but is blank. Will not allow me to post. Any fixes for this? Thanks
-
Hi Gurus, i have some quries related Excise Duty... 1). Can we maintain condition record for condition type JMOD(Excise 16%), in VK11? If not how the excise value picked up into Sales order? 2). What is the different between Tax code and Taxclassif