Active Directory synchronization working, authentication not on CUBM BE5000 8.6(1a)

Similar Messages

• CMC Authentication Active Directory Synchronization Updates Drops Users

  We are using SAP Business Objects on a Windows Server 2008 box and have configured single sign-on using Active Directory. We schedule the Active Directory in the Authentication tab to synchronize every day. Yesterday not all of the users updated and actually were dropped from the CMC. We think it was because one of the domain controllers went down for a group of users during the last CMC Active Directory Update. My question is, are there any log files we can look at for the active directory synch to see if there were any errors detected during the synchronization. It would be nice too, to be able to see a list of what actually happened during the Active directory synch like what groups, users and user group associations where added and deleted.
  The result was when the users were dropped we lost any manual security setups and the user lost their favorites and preferences settings because they were dropped. Is there anyway we can insulate our Acitve Directory updates from accidentally dropping users when something goes wrong with the Active Directory Synch Update?
  Any best practices would be greatly appreciated.
  Thanks,
  Bill

  Hi Bill,
  Usually, if a group has been deleted or renamed in the AD controller, the group is deleted from the CMC. If a DC is not available, the group shouldn't have been deleted.
  As far as I know, there are no options for debugging the action of the schedule. If you suspect that this can happen again, you can enable/disable traces on your CMS programming the creation/copy of CMS_trace.ini when the AD graph/alias schedule is going to happen.
  There is an Idea that you can vote to avoid users being deleted when the group is accidentally deleted from the CMC:
  https://cw.sdn.sap.com/cw/ideas/2645
  In the meantime, you can also create Enterprise alias for your AD users, so even if the problem appears again, the security, inboxes and favourites will still be there.
  1401058 - How to create Enterprise aliases for LDAP or AD accounts
  [https://service.sap.com/sap/support/notes/1401058]
  Regards,
  Julian

• Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

  Dear all,
  I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
  I know there are 3 options for digital signature and
  System signature with authorization by user ID and password (We use this currently)
  Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
  User signature without verification
  Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
  I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
  My active directory is based on Windows 2008.
  Thanks in advance!!
  Dhee

  Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

• SAP HCM/Active Directory synchronization

  Hi,
  I am trying to integrate SAP R/3 (master database) to Active Directory.
  And Active Directory will be used by rest all systems.Adding of new employee is done at SAP HCM and the same data should be created in Active Directory.
  I went through couple of forum threads but did not get the solution,
  Integrating SAP HR and active directory services
  LDAP/Active Directory synchronization
  http://forums.sdn.sap.com/click.jspa?searchID=47039448&messageID=7577288
  Please le me know how can achieve this.Your help is greatly appreciated...
  Regards,
  Rudradev Devulapelli

  It is a tool for user data synchronization, provisioning, compliance etc. It is an Java application so it is installed on AS Java.
  I have played with it only for a few days and I was able to use it to synchronize some data from AD and ERP. So I guess your scenario would be something like this:
  - HR adds new employee,
  - IDM synchronizes data between HCM and AD ie. it creates new user in AD,
  - user uses AD to authenticate to access, for example, file share.
  But IDM can do a lot of things besides this simple example. So I suggest you to go through "Technical Overview Presentation":
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab
  and "Working with Microsoft Active Directory":
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40bba5aa-50f7-2a10-739d-e48e40730478

• Laptop (Running Windows 8.1) no longer able to print and now see message Active Directory Domain Services is not available

  Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
  or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
  this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
  admin rights) It never lets me fully connect to it.
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services,  etc. Its really annoying because this printer was working fine nearly 2
  weeks ago. Looking for any advice now. Thanks.
  -Chris

  Hi Chris,
  à
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
  I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
  if this printer still exist in registry. For more details, please refer to following KB.
  Registry entries for printing
  If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
  then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
  àand now see
  message Active Directory Domain Services is not available
  By the way, would you please let me know where/when get this
  Active Directory Domain Services is not available error message? Or provide a screenshot of it?
  (Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
  Printer
  Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Sharepoint 2013 Active Directory Import- Manager field not updating

  Hi,
    SharePoint 2013 Active directory import  -Manager field not updating
  Concern/Issue-
   We are using SharePoint and configured the Active Directory Import .First import it seems everything is working fine and OOB Organization chart  built using User profile data is coming out right.
  Now the user is moved from one Organization Unit to Another.
  Now our Manager field is not Updating .There is change in AD manager attribute but not reflecting in the SharePoint User profile.
  Manger field is mapped to "manager" attribute in SharePoint.
  We tried removing the user and Re-Import using Incremental import but no luck.
  Thanks for help in advance
  Sachin

  Moving a user from one OU to another in AD won't normally change the Manager attribute in AD.  You would need to edit the user's organization settings to change the manager value in AD.  I've also seen these changes not be picked up unless something
  other than just the manager field in AD changing.  Try changing something like Office location and see if the manager change is picked up by AD Import.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• Server 2012 CDP PKI Setup on Subordinate CA - Active Directory Certificate Services could not create an encryption certificate

  Hi,
  When I check pkiview.msc on my 2012 Subordinate CA I get the error shown in the first picture below. I'm also getting errors similar to below in the event log:
  "Active Directory Certificate Services could not create an encryption certificate.  Requested by contoso\admin1.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)."
  I'm assisting in setting up a 2 tier PKI infrastructure using Windows 2012. The root CA looks good, but we're getting errors on the subordinate. The server was working, but we discovered that the server would only issue certificates with a maximum of a 1
  year expiry date - obviously no good, so we decided to run through the following commands on the root CA (as recommended byhttp://www.techieshelp.com/subordinate-ca-increase-certificate-validity/)
  certutil -setreg ca\ValidityPeriodunits "Years"
  certutil -setreg ca\ValidityPeriod "5"
  restarted AD certificate services on the root and subordinate CA.Then did the following on the subordinate CA:
  1.On the Subordinate CA create a new CA request by right clicking the server in ADCS and select New Request.
  2.Supplied the original request file from the subordinate CA (I couldn't find a way of generating a new request file)
  3.Issued the certificate using the Root CA.
  4.On the Subordinate CA ADCS installed new CA cert.
  However, I keep on getting CDP or AIA errors on my subordinate CA.Also I'm missing a CDP field value when I look at the certificate listed in the personal and trusted certification authority store on my subordinate CA.
  In addition, when I look at my CDP locations in Certificate Authority, I see a lot of CDPs, but I'm not sure if I need them all - I suspect I could just get away with LDAP, the C:\windows path and a single http:// path.
  I've tried renewing the existing certificate and CRL on my subordinate CA, but that didn't work either.
  Please advise.
  Thanks

  Ok, the process to renew the subordinate CA is incorrect. Once the registry setting to change the validity period was made on the root CA, the root CA ADCS service needs to be restarted. That is the only time those keys are read. Then:
  1) On the subordinate CA, open the CA tool, right click the CA and select Renew CA Certificate. You can use the same key, no need to create a new one. It will create a NEW certificate request file
  2) Copy that to the Root CA and submit like you would have done during the initial install
  3) Approve the request and export the issued certificate
  4) On the subordinate CA, in the CA tool, right click the CA and choose Install CA Certificate.
  You can not reuse request files.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

  Hi,
  We have some problems with our Root CA. I can se a lot of failed requests. with the event id 22: in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to
  check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
  A couple of months ago we decomissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing
  configuration.
  Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do know to try and correct the problem?
  Thank you for your help
  //Cris

  hello,
  let me recap first:
  you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
  do you say that you had a PREVIOUS CA which you decomissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision to don't bother with the current certificates that it
  issued and which are still valid, right?
  The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
  do not contain CRL paths at all.
  So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
  As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
  As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
  Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
  But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
  So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
  The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
  Just a clean self-signed REQUEST.
  That will succeed.
  You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
  ondrej.

• Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication

  I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
  What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
  Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
  Any suggestions or help is greatly appreciated. Thanks,

  Hi g-pirtle,
  Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
  I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
  Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
  Thanks again,

• Problems with Active Directory Users showing as not found in Open Directory work group manager

  I’m running a golden triangle setup with Open directory assigning group policy and authentication provide by active directory. In workgroup manager I can search through the AD and add users or computers to groups in OD workgroup manager. However when I save and refresh the users or computer appear as ‘not found’. Is there a reason for this?

  Hi Zero
  It's very reassuring to know im not the only one having issues with this..
  Im on my second re install of the server.. I like you have no wish to do another clean install as everything else is connected and it seems like the answer is probably very simple.
  So today im going to re- run the terminal commands as layed out in the online guides.
  However i was kinda hoping someone would be able to supply us with an answer.
  thanks
  J

• LDAP bindError: Active Directory Password Filter is not working

  Hi,
  I have setup the OID Server in SSL mode by following the instruction given in OIM Admin
  Guide.
  I am able to bind the OID using ldapbind from OID server and ldapbindssl from system on which AD is install.
  but in the logs of Password Filter where AD is present following Error logs.
  "LDAP bindError"
  Server Unavailable
  OR
  Unable to connect to OID
  I am using OID 10.1.2 on which Portal is install and using Active Directory 2003.
  I also tried with Active Diectory 2000.but getting same message.
  Regards,
  RB

  Hi,
  run the AD Pwd filter installer again, and make sure you provide the correct full hostname of the OID server, and also "cn=orcladmin" as the OID user and the password.
  It happens sometimes that the installer does not write the correct values to the windows registry and so the PWD Filter does not get the correct information.
  If ldapbindssl is working then the pwd filter will work also, if the correct information is in the registry.
  The values are stored in the registry on:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\orclidmpwf
  Best regards,
  Octavian

• Filtering Groups on Windows Active Directory using LDAP Authentication

  Hi All,
  I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
  This module was developed and tested on weblogic 8.1[on windows]and works fine.
  Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
  Please note no exception is aslo thrown.
  env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION,authentication);
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, domainController);
            // Create the initial directory context
            try {
                                dirCtx = new InitialDirContext(env);
                 // Create the search controls           
                 SearchControls searchCtls = new SearchControls();
                 //Specify the attributes to return
                 String returnedAtts[]={"member"};
                 searchCtls.setReturningAttributes(returnedAtts);
                 //Specify the search scope
                 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 int totalResults = 0;
                 int iteration=0;
                 // Search for objects using the filter
                 NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
  In the above code the method exits even before the try block[i could detect this using Sysout's]
  Below is the property file from which the values are read.
  admin=username
  password=password
  #AD search attributes
  searchBase=DC=domainname,DC=domainname
  searchFilter=(&(objectClass=group) (CN=value*))
  #JNDI context attributes
  ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
  authentication=simple
  domainController=ldap://address
  groupPattern=pattern
  Please Assit,
  Thanks in Advance
  Message was edited by:
  radiant
  Message was edited by:
  radiant

  Assuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.

• Removing Active Directory Synchronization - will it delete all end-users?

  I need to split our company across two AD Forests and do not want to setup AD LDS for Dirsync and authentication.  Can I disable LDAP synchronization on CUCM 8.5.1 and have it leave the current users objects?  I would look to add passwords to each of the users in the Cisco directory and have Cisco perform the authenication locally.                  

  The threads recommend that I remove LDAP synchronization and authentication on CUCM Admin.  Then run this command:
  You can conver the users back to standard CUCM users using sql query update...Ths is easy to do
  run sql update enduser set status=1
  Will this procedure work?
  1) remove LDAP sync and auth from CUCM Admin (stay signed in)
  2) run the update on the enduser table (before the 3:15am garbage collection run)
  3) I assume that none of the end user accounts can be used now since the passwords were stored on AD and not in the enduser table.  I would have to update each of the enduser entries and add a password.
  What could go wrong?

• Active Directory LDAP integration; can not see the XMLP_ groups/roles

  We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
  It is working to a certain extent:
  Users can log on to the XML Publisher using login/password as defined in AD.
  -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
  Problems/questions:
  The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
  -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
  Is there any way to monitor the login process to try and see what goes wrong?
  -Roald
  -Roald

  The problem has been solved, it was self inflicted, typo in the config file:
  <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
  (semicolon instead of comma after Users).
  It is a little surprising that this typo lead to problems with group matching, though. It took some time before this part of the config got enough attention.
  -Roald

• Project Server 2010 Active Directory Synchronization - duplicate Windows Name - Event ID 7734

  Environment: SharePoint Server 2010, Project Server 2010, SP2, DEC 2013 CU (Farm Build number: 14.0.7113.5001)
  Scenario: 
  Domain user has been added to the Active Directory group being synchronized with Project Server for the Team Members group.
  That user has participated as a team member in numerous projects, added documents, been assigned tasks, typical project stuff...
  Employee quits.
  AD account is deleted. (NOT deactivated or moved into another OU)
  Time passes...
  Employee gets rehired.  NEW AD account is set up: same display name, SamAccountName, email address, different GUID of course.
  Daily Active Directory job runs again and throws event ID 7734 and the sync ends with a partial fail.
  I understand why this is happening.  Solutions I've found point me to deleting the Enterprise Object resource in Project Server and then rerunning the sync.  Sure, this works BUT won't all of the previous documents, tasks,
  etc. be disassociated from that user?  If so, this is not ideal.
  2 questions:
  Is there a better way to deal with the fixing of the resource in Project Server to somehow link the old resource to the new resource allowing the sync to run successfully while still leaving the association to all old content intact?
  How are other organizations dealing with rehires when they have been added as resources in Project Server?  What is the best practice guidance from Microsoft on this?  Are other companies not actually deleting AD accounts when users leave organizations
  or are they putting them into a "ARCHIVE" OU or something like that? This happens at least half a dozen times a year at my company. We would like to keep our AD as clean as possible, but this appears to change our approach.
  Any suggestion/guidance is appreciated.

  For the question to relink the new account to the account which is already available in Project Server. You will have to update the WRES_AD_GUID to Null for the the Resource in MSP_RESOURCES table in the published database.
  Whenever a users gets synchronized to the PWA his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName is Synchronized from AD to Project Server. When the user was deleted and recreated the ADGUID got changed. During the next sync, project
  found the user with similar properties but different ADGUID which was updated in WRES_AD_GUID column in MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID
  Nullifying the WRES_AD_GUID column value in MSP_RESOURCES table should get the user synchronized to Project server in the next sync.
  Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you. This can be beneficial to other community members reading
  the thread.