AD account used for running SIA locked during group membership querying

Hello,
I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK. When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code. The error is as follows:
com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
     ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
If the account is successfully running the SIA, I'm not understanding why this message is being thrown. Also, I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account. Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked? Can anyone provide insight here?
Thanks...

Ted is right on the mark with this one.
The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function. The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups. Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code). When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
Thanks,
Jim
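As an added example (not code from this thread or from the BusinessObjects SDK), the Python below triages the lockout from the domain side on constructed Security-log events: it checks that the 4740 lockout's caller computer and the repeated 4771 bad-password failures both point at the CMS/SIA host, which is the pattern you would expect when the plugin's administration credentials are stale. The host names, IP addresses, account name and the key=value event rendering are assumptions.

```python
"""Triage a service-account lockout from Windows Security events.

Added example for this thread, not code from the original post or from the
BusinessObjects SDK. It checks the pattern Jim describes: a CMS host keeps
presenting stale AD plugin credentials for a service account until the
domain controller locks it, so the lockout's caller computer and the source
of the bad-password failures should both point at the CMS/SIA host.

Events are a constructed, simplified key=value rendering of Security log
events 4771 (Kerberos pre-authentication failed, Status 0x18 = bad
password) and 4740 (account locked out, TargetDomainName = caller
computer). Field names follow the real events; hosts, IPs and the account
name are made up.
"""
from collections import Counter

BAD_PASSWORD = "0x18"  # KDC_ERR_PREAUTH_FAILED

# Constructed sample: the CMS at 10.0.0.25 fails five times with the plugin
# credentials; an unrelated user mistypes a password once from a workstation.
SAMPLE_EVENTS = [
    "EventID=4771 TargetUserName=svc_boe_sia IpAddress=::ffff:10.0.0.25 Status=0x18",
    "EventID=4771 TargetUserName=svc_boe_sia IpAddress=::ffff:10.0.0.25 Status=0x18",
    "EventID=4771 TargetUserName=svc_boe_sia IpAddress=::ffff:10.0.0.25 Status=0x18",
    "EventID=4771 TargetUserName=jdoe IpAddress=::ffff:10.0.5.7 Status=0x18",
    "EventID=4771 TargetUserName=svc_boe_sia IpAddress=::ffff:10.0.0.25 Status=0x18",
    "EventID=4771 TargetUserName=svc_boe_sia IpAddress=::ffff:10.0.0.25 Status=0x18",
    "EventID=4740 TargetUserName=svc_boe_sia TargetDomainName=BOECMS01 SubjectUserName=DC01$",
]


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (constructed event shape)."""
    return dict(field.split("=", 1) for field in line.split())


def lockout_report(lines, threshold=5):
    """Return one record per 4740 lockout with the failure sources behind it.

    A source is 'suspected' when it produced at least `threshold` bad-password
    failures for the locked account; a single typo from elsewhere is listed
    but not flagged.
    """
    failures = Counter()  # (account, client ip) -> bad-password count
    lockouts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4771" and ev.get("Status") == BAD_PASSWORD:
            failures[(ev["TargetUserName"].lower(), ev["IpAddress"])] += 1
        elif ev.get("EventID") == "4740":
            lockouts.append(ev)

    report = []
    for lk in lockouts:
        account = lk["TargetUserName"].lower()
        by_source = {ip: n for (acct, ip), n in failures.items() if acct == account}
        report.append({
            "account": account,
            "caller_computer": lk.get("TargetDomainName", ""),
            "failures_by_source": by_source,
            "suspected_sources": sorted(ip for ip, n in by_source.items() if n >= threshold),
        })
    return report


if __name__ == "__main__":
    for rec in lockout_report(SAMPLE_EVENTS):
        print(f"{rec['account']} locked via {rec['caller_computer']}: "
              f"{rec['failures_by_source']} -> suspect {rec['suspected_sources']}")
```

If the suspected source is the CMS host, fix the plugin's administration credentials (CMC or SDK) before unlocking the account, otherwise the next lookup locks it again.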
