AD FS with multiple forest

Similar Messages

• People Picker search order with multiple forest domains

  I had customer with multiple forest domain environment. Now the problem is that all users from one domain synced to the resource domain(Domain A) where sharepoint is installed.
  The peoplepicker is now finding at first the user in Domain A where sharepoint is installed. My Solution is now to specify the order of searching in People Picker that first all users in Domain B will return and if there is noting will return Domain A.
  All SharePoint Server(s) had Network Access to the other Domains. And there are two-way-trust konfigured.
  Any Solution for that?
  Thanks for your feedback!
  P.

  Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
  Trevor Seward
  Follow or contact me at...
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
  Nice to now that i can set it up per site collection. But it do not work in my case, it indeed returned users from Domain B but Domain A, C, D and F(Examples) are excluded from People Picker.

• LDAP Synchronisation with CUCM with multiple forest

  Hello,
  We have CUCM 10.5.
  We want to add in CUCM multiple forest (we have multiple company with different domain name) using LDAP authentification so all the user/password sync with CUCM.
  We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and for search base CN=xxxx,CN=Users,DC=xxx,DC=local.
  Can we add in the distinguished name and search base the information for multiple forest using the same username/password?
  If it not possible is there an easy way to achieve that?
  Any help would be appreciate.
  Thank you

  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

• Multiple Forests SSO with BO Edge 3.1

  I have to setup and configure SSO on a 3.1 Edge with multiple forests. The setup looks like this right now.
  BO Servers (call it BOXIServer) are in one forest (call it BODomain.top.local)
  AD users and groups on another forest (call it UsersDomain.bottom.local)
  My plan is to create 2 service accounts. One service account to integrate the AD and start up SIA (Call it ADServiceSSO) and the Second service account to implement the Vintela (call it VintelaServiceSSO) as I used to do it on the single domain setup.
  The questions are:
  1.     Is it possible to get SSO to work with this type of configuration (I think I read somewhere that u201CWhen operating with multiple forests, the users must be created on the domain in which the BOE server residesu201D which is not what I have here!)?
  2.     Should I create the 2 service accounts on the forest where the BO server is (BODomain.top.local), or where the Users and groups are (UsersDomain.bottom.local)?
  3.     How would I formulate the setspn and ktpass commands on this type of configuration?
  Would it be true that I can create the 2 services account on BO Servers Forest (BODomain.top.local) and the commands would look like this:
  setspn.exe u2013A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO
  Ktpass.exe u2013princ HTTP/BOXIServer.BODomain.top.local@ BODomain.top.local   u2013mapuser VintelaServiceSSO@ BOXIServer.BODomain.top.local
  Or I can create the 2 services account on users and groups forest (UsersDomain.bottom.local) and the command would look like this:
  setspn.exe u2013A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO @ UsersDomain.bottom.local
  Ktpass.exe u2013princ HTTP/BOXIServer.BODomain.top.local@ BODomain.top.local   u2013mapuser VintelaServiceSSO@ UsersDomain.bottom.local
  Thank for your help
  Aws

  MF requires a 2-way transitive trust, so with this enabled there is no need to span forests with service accounts. 1 account in the same forest as the BO server is fine and straight forward to configure, although you are free to add more as you like.
  Everything else is dependent on the 2 way trust as DNS will have certain records for each other forest that will allow the CMS to query remote forest users and MF users to access the CMS resources. Which is what we want.
  The rules on groups is to put MF users in groups from their own forest and then map into BO, adding all users from multi forests int a single forest group may not work properly in our internal tests.
  The last piece seems to be a Microsoft limitation, but when accessing an SSO URL from a remote forest the FQDN must be used for SPN recognition. When the host name or IP is used the request for SPN is sent to the wrong forest and SSO fails.
  Regards,
  Tim

• ADFS single sign-on with office 365 and multiple forests

  I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B
  to achieve single sign-on to office 365? Today users have to login with separate office 365 accounts in order to access email and sharepoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do
  to achieve single sign-on?

  Hi,
  Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
  Multi-forest and Multi-tenant scenarios with Office 365
  http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
  Hybrid Deployment Prerequisites
  http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
  SupportMultipleDomain switch, when managing SSO to Office 365
  http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
  For more information about Office 365, I suggest you refer to Office 365 community below:
  http://community.office365.com/en-us/f/default.aspx
  Best Regards,
  Amy

• I have a page with multiple quicktime players on it, and want to close all other players when any of the players is started.

  I have a page with multiple quicktime players on it, and want to close all other players when any of the players is started.
  <div id="mp3-player" style="display:none;height:15px !important;float:left;margin:0px 0 15px 0px; width:270px !important;">
                         <div style="height:15px !important;width:270px !important;">
                             <embed src='http://209.15.205.3/~cityval2/MP3/352681.mp3' width="270px" height="15px" AUTOPLAY=false CONTROLLER=true LOOP=false PLUGINSPAGE="http://www.apple.com/quicktime/" />
                          </div>
                      </div>

  One key point.
  1. Migration within  the same forest ; we can say operation is cut & paste (Source account wil be not present)
  2. Migration between the forest ; we can say operation is copy  & paste ( Source account will be present)
  Also find some ADMT cool stuffs.
  ADMT Series – 1. Preparing Active Directory
  ADMT Series – 2. Preparing the ADMT Machine
  ADMT Series – 3. SID History
  ADMT Series – 4. Password Export Server
  ADMT Series – 5. Machine Preparation
  ADMT Series – 6. Service Account Migration Wizard
  ADMT Series – 7. Group Account Migration Wizard
  ADMT Series – 8. User Account Migration Wizard
  ADMT Series – 9. Merging Users with a Different sAMAccountName
  ADMT Series – 10. Security Translation Wizard – Local Profiles
  ADMT Series – 11. Computer Migration Wizard
  Regards,
  Biswajit
  MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
  Blog:
    Script Gallary:
  LinkedIn:
  Note: Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights..

• How can a family with multiple existing accounts use Home Sharing?

  I'd like to use the new Home Sharing feature, but it appears to be restricted to families in which all of the family members share a single user account.
  We already have separate accounts for each family member. Is there some way for us to use Home Sharing without abandoning most of our existing accounts, along with all of the purchases made by those accounts? I don't think anyone in this situation would be willing to do that.

  Eh. I am not too sure since I have not messed with it much but I do have a great deal of experience with multiple accounts. Each computer can be authorized for multiple accounts. As can iPods. iPods can sync songs/videos/apps from multiple accounts as long as the computer is authorized with them. What I have set up here, is I buy my stuff I want, my parents buy what they want and so do my brothers. When my bro gets something I want I just move it to my computer. That way all our accounts are separate, but if there is something I want I can get it. Also, since the music no longer has DRM, it won't matter. It will play on any computer. What you should see is if you can just do the shared library with multiple accounts. Then if you don't have videos or such, you can get apps or music. Hope this helps!

• How do I use your iPhone with multiple iTunes libraries

  Hi, I have my music spread out between 3 seperate Itunes libraries on 3 different profiles on my computer. I have the newest generation Ipod Nano, Ipod Shuffle, and Iphone 4s. My Ipod's are both full, so I've decided to start putting music onto my phone. With my Ipod's, I can plug them into one profile on the computer, download the music on the Itunes library that exists on that profile, then do the same with the other profiles with no issue. However when I try to do this with my phone, It asks me to erase the music I have gotten from one Itunes library and sync with the current library, as soon as I plug it in to a different Itunes on one of the other profiles. I have my Iphone configured with the Manually manage music option, and I still haven't found a way to use my Iphone with multiple music libraries. PLEASE HELP

  http://support.apple.com/kb/PH12113 - If you use manual syncing, you can sync items from more than one iTunes library to your iPod. (You can sync iPod touch, iPhone, and iPad with only one iTunes library.)
  http://support.apple.com/kb/HT1202 - When manually managing content, you can add content from multiple libraries to your iPod or iPad. Even when manually managing music, some content may be available from only one library at time. This includes all content on iPhone and video content on iPod and iPad.
  They seem inconsistent as far as the iPad is concerned but in both articles the iPhone appears to only be able to sync to one library at a time.
  Troubleshooting Home Sharing - http://support.apple.com/kb/TS2972

• How to share account with multiple devices?

  3 kids with 3 devices - an iPod Touch and two iPads Mini - family shares one account with Apple/iTunes and one library on our family PC.  They use FACETIME and MESSAGES with their friends, and they all see each others messages and conversations.  How do I fix this?  Is there a setting or a way to create sub-accounts off the family account so they can still share the main library for music and video OR do I have to create separate Apple/iTunes accounts for each kid?  Is there a setting on their devices that can help?  Any help is greatly appreciated.  I'm not even sure the right question to ask...

  How to use multiple iPods, iPads, or iPhones with one computer
  http://support.apple.com/kb/HT1495
  How to Share a Family iPad
  http://www.macworld.com/article/1163347/how_to_share_a_family_ipad.html
  Using iPhone, iPad, or iPod with multiple computers
  http://support.apple.com/kb/ht1202
  iOS & iCloud Tips: Sharing an Apple ID With Your Family
  http://www.macstories.net/stories/ios-5-icloud-tips-sharing-an-apple-id-with-you r-family/
  How To Best Use and Share Apple IDs across iPhones, iPads and iPods
  http://www.nerdsonsite.com/blog/2012/06/07/help-im-appleid-confused/
   Cheers, Tom

• How can I merge all of the new FF windows that are open into one window with multiple tabs? Safari has a merge windows feature that I like. This is really nice when conducting reasearch on multiple sites at the same time.

  When I clik on weblinks they all open into new windows making it somewhat painful to clik on window in the menu bar to go to each new page. I would rather have a feature that would allow me to merge all of those individual windows into tabs within one page.
  == This happened ==
  Every time Firefox opened

  Thank you. That worked. I was able to open 1 window with multiple tabs. Thanks cor-el!

• How can I share only the same music with multiple iTunes accounts

  Hello
  I hope someone can help. [I am using Windows Vista (Unfortunately J) and iTunes 10]
  I am trying to share the same music library with multiple iTunes accounts. Basically, I want to know if there is a way to automatically upload to other libraries when importing new music into my library, vice versa. [Better information below]
  Me, my sister and my dad all use iTunes (on different iTunes accounts), and before now we used to have are own music on our own windows user. Due to many duplicates and a loss of hard drive space I have brought an external hard drive and organised all the music.
  It was all going well - I first populated all the music onto my iTunes, exported the library, and then imported it on both the other users. However! Because this is only a copy of the library, when I try to import a new CD, it will not show up on there’s until I “Add File to Library”! Originally I thought about using the same library however we each have are own apps etc, that we don’t want to share.
  If you need anymore information please ask!
  Matt

  Hello roaminggnome
  Unfortunately the support is down at the moment, I will have a better look later. I did go though the Apple support previously, however I found nothing that worked.
  The first thread I came across was “Home Sharing” however no mater what I did, it did not appear in the iTunes sharing list (I did go though the “Show Sharing Networks” support as well)
  Secondly, I saw “Using A Single Library With Multiple Accounts On The Same PC” (Something like that) but all this did was let us share the same music location, if I was to rip extra music, it will not show in there library
  Matt

• How to configure one TREX host with multiple index servers ?

  Hi All,
  Does anyone know how to configure TREX on the one host,
  with multiple index servers ?
  Reason for this is to make better use of resources available on the host server(4 Gig, 4 Processor, Windows2003), to improve the search performance of
  our KM content for portal users.
  I am using TREX 7 and have not been able to do this,
  despite reading the Single and Distributed install
  documentation.
  Any help would be appreciated.
  Regards,
  Andres

  Hi Andres,
  To make use of the RAM a Server provides you have to run two indexserver processes (each can then consume 2 GB);
  Proceed like this:
  1. Go to TREXdeamon.ini; check if section [indexserver2] is there (it is already provided, but not active in standard installation)
  2. In TREXdeamon.ini go to
  [daemon]
  references sections below
  programs=nameserver,preprocessor1,indexserver1,queueserver,alertserver
  and add indexserver2 here. Restart TREX; second porcess is then started; can be checked in TREX monitor in Portal as well
  3. To distribute existing indexes to the new process, start TREXadmintool and go to Index: Landscape
  Go to the last two columns and move the indexes (move master here/secondary mouse click)
  If you don't distribute the indexes the new index server process will be regarded when an new index is created.
  Hope this helps!
  cheers
  Bettina

• ITunes setup on a NAS with multiple windows users - how?

  iTunes setup on a NAS with multiple windows users?
  I am very confused on what is the best way to handle this setup for my friends family.  Any help would be appreciated.  Sorry in advance as I know this is a long winded post - I have a feeling this will help others faced with the same issues or questions.
  CURRENT SETUP
  I have three new Windows 7 machines networked (two desktops and one laptop) that have four users on each - as busy family with children who need the computers for homework, projects, games, etc...  The goal of this setup is that any user can log onto any computer and have there documents available to them no matter computer was free to use.  I set this up using the library function in Windows 7 and seems to work pretty well.
  I have put a Buffalo Linkstation NAS on the system as well.  This was going to serve two purposes 1)  run some backup software to protect the computers and 2) consolidate the iTunes content in one place for all users.  There is also an iPad in the home that I should would be better served by accessing the content on the NAS without requiring any of the computers being on.  Dave is thinking about getting some other playback devices like Apple TV so thought a NAS would be a good way to go.
  CURRENT ITUNES SETUP - I have created a new iTunes library on the NAS by holding the SHIFT button down while starting iTunes and pointed to that folder on a Share on the NAS.  There was no music on the system at the time as we are planning to copy this over from an OLD machine that is now not being used.  I have also authorized all the computers and turned on the home sharing feature (although I am not sure what good that does).
  This “shift” button trick seesm to also point the default directory there without point to it in the advanced setup tab of iTunes.
  I then synced one of the iPods with purchased content on it and synced that to the library after asking me to do so before an update.  All the content showed up in the library and was playable - awesome.
  I then logged into each user on each machine (yikes) and installed iTunes  and used the “shift” trick to connect each users iTunes to the database on the NAS.  Everything seems to work - but I have not tested it thoroughly.
  SUMMARY
  3 new Windwos 7 networked machines
  4 identical users on each machine
  1 TB Buffalo linkstation
  iTunes setup with the folder on a SHARE
  all user’s itunes connected to the iTunes folder on the NAS
  all computers authorized with home sharing turned on.
  one iTunes user account signed in on each machine
  multiple iPods and one iPad in the system
  QUESTIONS/CONCERNS
  Is there a better way to do this on a NAS?
  Would home sharing be better in some way?
  I understand the NAS should show up under the shared section in iTunes - I assume that would mean that would mean each user has an iTunes library on their documents?
  I have read that there may be corruption issues if users on the different machines try to access iTunes at the same time.
  Will there be any issues syncing that various iPods with?
  Ugh - sorry for the long post and all the questions.  I am just trying to find the best way to do this.  I wish Apple would put out a best practices document for setups like this.  Thanks in advance.

  This is a user to user support forum. Your fellow users can offer solutions or workarounds based on their experience with the application. If you think it should work differently drop a line to iTunes Feedback.
  For reasons unknown Apple haven't chosen to allow iTunes to be suspended in one profile and active in another. My recollection is that this applies even if each profile has a different library, although it is some time since I've committed a personal test.
  I'm not sure why my suggestion make less sense that your current approach?. As I understand it currently everybody is either signed into their own account when they can do something other than work with iTunes, or they sign into the special iTunes account where they can't access any of their other stuff. You don't have to disable fast user switching. Follow exactly the same steps, but make sure everyone closes iTunes before turning the computer over to another user. Disabling fast user switching helps to enforce that action.
  tt2

• Using a seagate external drive with multiple macs

  i got a 1TB seagate external hard drive for backup and transfer purposes... it had a little program to help set it up and i set it up for use with mac and pc ( only onther option was stricty this computer.) it works on my computer and a pc but when i tried transfering files from another older mac i have it showed that i could only read on that computer...
  how can i get it to work with multiple macs...?

  I have the oldest macbook (1.83. 2 gigs ram, 60 gig internal hard drive)
  I have all my logic content on my external maxtor firewire 400 drive (usb 2.0 is actually faster than firewire 400) and everything is fine. the good thing is if your external drive has 7200rpm, but the ones with 5600rpm should do as well.
  Once you drag your apple loops to logic from your external drive, logic will remember for the next visit. And when you are opening a project which is on the external drive , just find it with logic finder and all should be fine.

• Error while posting Customer with Multiple sales areas using DEBMAS05.

  Dear experts,
  We are generating IDOCS vis SAP DS for posting Customer master. The message type used is DEBMAS and basic type is DEBMAS05.  we have a requirement to create 1 customer with multiple sales areas. However, we are ending up with a strange error:  "Fill all required fields SAPMF02D 0111 ADDR1_DATA-NAME1". Despite the IDOC going into status 51, the customer gets created and the 1st sales area too. the 2nd sales area however is not created!  The IDOC data definitely contains Name1, otherwise the customer would not have been created in the first place.
  As the error message is related to the Address data, I also explored upon exploring this erorr further on the lines of Central Address management where in the ADRMAS and DEBMAS have to be passed together(IDOC Serialiization).  OSS Note (384462)  provides further details about this. One Important point from the note is: 
  "As you have to specify the logical name of the sending system among other things, SAP is not able to make any default settings in the standard systems. When you use the serialization groups delivered as a standard by SAP, the address objects are imported before the master objects.Thus the sequence address data before master objects must only be adhered to if one of the following points applies to your application:
  Such fields are set as required entry fields that are only provided by the BAS in the Customizing of the customer or vendor master.
  For your customers, contact persons exist to which a private address or a different business address is assigned.".
  This is not the case in our situation, as we do not have required entry fields in customizing that are only provided by the BAS, so the error is all the more confusing and I am not too sure what the cause is.
  If someone have experienced the same issue before and have found a solution to it, kindly help out.

  I have found the cause and solution to this problem.
  This error ”Fill all required fields SAPMF02D 0111 ADDR1_DATA-NAME1” and other similar errors like “Fill all required fields SAPMF02D 0111 ADDR1_DATA-SORT1“ which occurrs during the IDOC posting when there are more than one sales area or company code occurs when the customer number range is set up for Internal numbering. This means, that the number gets generated only at the time of save and upon debugging the IDOC, we found out that after creating the customer and the first sales area/company code record, the segment E1KNA1M is cleared completely! This is the reason, it throws an error which points to a mandatory KNA1 field as missing. (Like NAME1, SORT1 etc.)
  This was resolved by splitting the IDOC into 2.
  The solution is to First post only the KNA1 segment and create the customer.
  In the second step, pass the IDOC with all other segments along with E1KNA1M, but pass only KUNNR in E1KNA1M and the rest of the fields in E1KNA1M as “/”:  you would have got the KUNNR after the first step.
  Important note: This requirement to split the IDOCs does not occur when the customer number is known upfront. (Meaning cases where the customer number is externally generated) I also tested this and created a customer with external numbering and I was able to post more than 1 sales area with the same IDOC. 
  I noticed multiple threads with the same issue, but none of it had a concrete answer. I hope this information will be useful for anyone facing similar problems.
  Cheers
  Venkat