AD group mapping failure

I'm using an ACS version Release 3.2(3) Build 11 and I have the proxy distribution table active without stripping domain names (user@domain). Whenever ACS consults AD as an external database, the user is authenticated but group mappings don't work! Users are authenticated and are inserted into the Default user group.
Is there some way to avoid this behavior and somehow configure AD to pass the group name and therefore allow the correct authentication with the correct group mapping?
Nuno

Hello,
Finally I have good news. The W2k3 (R2) caused this issue. I installed the RA on a member server running W2k3 Standard Edition and magically the RA started working and authentication was done successfully.
Note:
This recommendation is not from the TAC engineer, but from a gentleman who experienced the same issue before.
Many thx

Similar Messages

  • Migration mapi failures

    We're doing a migration from an Exchange 2003 SP2 org to a new Exchange 2010 org using Quest's migration tool. We are running into random MAPI logon errors on mailboxes being moved. It doesn't seem to be permissions because we can log on to problem mailboxes using MFCMAPI and the mailbox eventually does move. We have adjusted the throttling policies on Exchange 2010 according to Quest's documentation and are still randomly getting errors. I found this error in the RCA Protocol Logs on Exchange 2010 that seems to coincide with the MAPI failures and was wondering if anyone had any idea what it means:
    RopHandler: Logon: Could not create folder Conversation Action Settings. -> MapiExceptionSearchEvaluationInProgress: Unable to create folder. (hr=0x80004005, ec=1177)
    Thanks
    ~Earl

    So we make a competing product, "DigiScope"
    http://www.lucid8.com/product/digiscope.asp, and while our customers have not reported any issue like this, here are my guesses at what it might be:
    1. Could be the version of Outlook you are using on the machine you are running from. Outlook 2007 would be my best recommendation.
    2. Could be the account you are logged in as, i.e. we recommend that our customers set up a special account to use with our tool since existing accounts may have limitations based upon other group memberships etc. We call that special account DSAdmin, and within this link there are details on how to set it up: http://www.lucid8.com/download/documentation/DSWebHelp/SETUP/Rights_Required_for_Online_Database_And_Mailbox_Access.htm
    3. Could be a bug within the Quest product; however, if you are running the latest version I would doubt that this was the case since I would hope any such bug was fixed by now, unless of course you are running an older version, so I think #1 or #2 would be the issue.
    Troy Werelius
    www.Lucid8.com
    Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline EDB's and Live Exchange Servers or Import/Migrate direct from Offline EDB to Any Production Exchange Server, even cross version i.e. 2003 --> 2007 --> 2010 with Lucid8's DigiScope

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    OK, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2-factor authentication).
    I didn't add all the VPN users in the ACS, because it would be troublesome; the users' authentication will be managed by AD and the RSA server.
    In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL to work when the authorization profile matching criterion is username, but when I change the matching criterion to Identity group, the downloadable ACL won't work.
    I have a case with a Cisco engineer now and we are still in the middle of sorting things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Word couldn't send mail because of MAPI failure, Unspecified error.

    This issue is crossposted in Microsoft Answers Word and OUTLOOK. I am posting here in hopes that someone at Microsoft may have a solution or at least elevate the issue to someone who does.
    http://answers.microsoft.com/en-us/office/forum/officeversion_other-word/word-could-not-send-mail-because-of-mapi-failure/f62678fe-ef1d-42b5-8cfe-1e43d6a1d609
    http://answers.microsoft.com/en-us/office/forum/office_2013_release-outlook/word-couldnt-send-mail-due-to-mapi-failure/1f03cf74-9258-411b-9e2b-e41cb5006d71
    I dabble with VBA and write and maintain several amateur Word Add-Ins. Accordingly, I have Word 2003, 2007, 2010 and 2013 installed on my PC. They get along fine. However, I am unable to "Share" or "Send" an open Word document as an e-mail attachment in any version! In each case Word returns an error message "Word couldn't send mail because of a MAPI failure, Unspecified error" (the same issue occurs with Excel and PowerPoint except the error dialog is a bit different).
    Using Word 2003, I (CAN) "Send to (Mail recipient for review)", in which case OUTLOOK is opened with the document as an attachment. I can also "Send to Mail Recipient" from Windows Explorer, in which case the Word file is attached to an OUTLOOK message, and I can create an instance of OUTLOOK and send mail from Word using VBA.
    I have repaired all Office versions. I have removed the registry keys for all Office versions and repaired all versions again. I have run "fixmapi" until I am blue in the face. I have renamed the MAPI32.DLL files and ran sfc /scannow to ensure that the MAPI32.DLL file is not corrupt. In view of these actions and in view of what I can do, something tells me that the MAPI files are fine.
    So what is this "Unspecified error?" This problem is rife on the internet and most of the "canned" solutions have been marked "Answered" by some MS support engineer. These "canned" solutions might have fixed the issue at one point, but they don't work now. At least not for me.
    Thanks.
    Greg Maxey Please visit my website at: http://gregmaxey.mvps.org/word_tips.htm

    Hello Greg,
    I noted that there are 2 knowledge articles that describe scenarios where you may encounter this error.
    KB 291152 You receive a "Word couldn't send mail because of MAPI failure" error message when you try to send a Word document as an e-mail attachment in Word 2002
    http://support.microsoft.com/kb/291152/EN-US
    KB 929362 You cannot send a file by clicking Send in a different program when Outlook 2007 is running as administrator
    http://support.microsoft.com/kb/929362/EN-US
    Please let me know the following:
    1. What version of Outlook are you using?
    2. Do you have Outlook open when you attempt the File > Share > Email as attachment from Word? If not, does the error occur if you open Outlook, open Word and then try to send the email?
    3. If you close/reopen Word and then try the send again, do you get the same error?
    4. Are you running either Outlook or Word in an elevated mode?
    5. What happens if you start both Outlook and Word as "Run As Administrator"? You may have to right-click each application's .exe file to be able to choose the "Run As Administrator" option.
    6. Do you get the same error when using File > Share > Email as attachment in Excel?
    7. In Internet Explorer, open the Internet Options. On the General tab within the browsing history, delete your temporary Internet files and website files
    8. Does the issue occur in selective startup mode?
    Steps to setup selective startup mode:
    Click on the Windows Start button, in the Search box type msconfig and then hit enter. This should open up the System Configuration Utility. Make the following adjustments within each tab.
    Services Tab:
     - Check the option 'Hide All Microsoft Services'
     - Click on button 'Disable All'
    Startup Tab:
     - Click the button 'Disable All'
     - Go back through the list and enable any Microsoft items
    Click Ok. It will say “You must restart your computer for some of the changes
    made by System Configuration to take effect”. Hit the ‘Restart’ button.
    When the PC reboots try to run your test again.
    To return back to a normal boot launch msconfig again and choose 'normal startup' on the general tab, click Ok and then reboot the PC.
    Regards,
    Dennis

  • ACS 3.3 Windows group mapping problem

    Hi,
    I'm running Cisco Secure ACS v.3.3 on a Win 2000 server (SP4). The ACS server is a member of AD domain X. Additionally, there are two AD forests, so: domains X and Y are in the same forest, but domain Z is a member of the second one. Trust relationships between all domains are established (AD Domain Controllers are W2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from the Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In the ACS documentation I have found the information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it, it's impossible to add a mapping from the second forest? Am I right? Is the problem solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
    Thanks,
    Peter

    You need to set up proxy.
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    Look for "Cross-Forest Authentication" in the above link and you will get the idea of what I mean. Though in the above link it's depicted with an IAS server, the same is possible with ACS, as both can act as a RADIUS server.
    There is a known bug, CSCsi04187
    PEAP MS-CHAP machine authentication will fail with "machine not found" if host/ format is sent from the client. This only happens if the machine is authenticating to a domain forest that the ACS is not a member of.
    Conditions:
    The machine authenticating to ACS is in a different domain forest than the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
    Workaround:
    If the supplicant has the option you can send the machine name in hos/ format.
    Many supplicants do not have this option.
    It is to be fixed for the ACS 4.2 release.
    Regards,
    ~JG

  • MAPI failure Word 2013 --- Outlook 2010

    One of my clients upgraded from Office 2010 to Office 2013, but had to keep using Outlook 2010 because Xobni doesn't work yet with 2013. When she tries to send a Word 2013 document as an attachment from within Word 2013 through Outlook 2010 she gets the MAPI failure error message (link broken). The same document in Word 2010 works fine. Tried loading the pst into her Outlook 2013 as a test, and it worked. Seems specific to this combination. Any workaround? Manageable, but it interferes with productivity and is error prone.

    I had a similar issue. I finally figured it out.
    Rename Msmapi32.dll located in C:\Program Files (x86)\Common Files\System\MSMAPI\1033
    I spent a few hours looking and found this:
    http://support.microsoft.com/kb/926196/en-us
    (Similar issue on Outlook 2003-2007)
    Tried this and it worked for my Windows 7 Office 2010 issues after downgrading from 2013.

  • User in a windows group - mapping to acs group appears not be working

    I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
    Any suggestion?

    Hello, I recently implemented this very thing, actually integrated with Authentication Proxy. Here are some settings to check:
    1. External User Databases - Database Configuration - Windows Database - Configure
    Make sure your domain is listed or moved to the Domain List section
    2. External User Databases - Database Group Mappings - Windows Database - Add Manual Mapping
    Make sure you have the right AD group mapped to the internal ACS group; you can even set users* if you want to include all users.
    3. External User Databases - Unknown User Policy
    Check the "Check the following external user databases" radio button and move Windows Database to Selected Databases
    Check “The database in which the user profile is held” radio button in the Configure Enable Password Behaviour section
    Hope that helps!

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • AXL SQL Query user-extension- line group-hunt group mapping

    Hi all
    I want to take an export of the user-extension-line group-hunt group mapping.
    Can somebody help me with it? I have CUCM 9.1.

    There are a lot of table joins in that full mapping! I'll break it down into steps. When you say extension you need to bear in mind that a number and a device are two different things, and a user is associated to these things separately. I'll break it down into chunks.
    User to Device:
    SELECT enduser.userid, device.description FROM enduser, device, enduserdevicemap WHERE enduser.pkid = enduserdevicemap.fkenduser AND enduserdevicemap.fkdevice = device.pkid AND enduser.userid='FOO'
    User to Directory Number:
    SELECT enduser.userid, numplan.dnorpattern FROM enduser, numplan, endusernumplanmap WHERE enduser.pkid = endusernumplanmap.fkenduser AND endusernumplanmap.fknumplan = numplan.pkid AND enduser.userid='FOO'
    Number to Hunt List:
    SELECT numplan.dnorpattern, device.name FROM numplan, device, devicenumplanmap, typeproduct WHERE numplan.pkid = devicenumplanmap.fknumplan AND devicenumplanmap.fkdevice = device.pkid AND device.tkproduct = typeproduct.enum AND typeproduct.name = "Hunt List" AND numplan.dnorpattern='FOO'
    Hunt List to Line Group
    SELECT device.name, linegroup.name FROM device, routelist, linegroup WHERE device.pkid = routelist.fkdevice AND routelist.fklinegroup = linegroup.pkid AND device.name="FOO"
    Line Group to Directory Number
    SELECT linegroup.name, numplan.dnorpattern FROM linegroup, linegroupnumplanmap, numplan WHERE linegroup.pkid = linegroupnumplanmap.fklinegroup AND linegroupnumplanmap.fknumplan = numplan.pkid AND linegroup.name="FOO"
    All of this (and more!) is fully documented in the CUCM Database Data Dictionary.
    GTG
    Please rate helpful posts.

  • Don't want to trigger alert in mapping failure

    Hi Experts,
    I have defined one alert category and a corresponding rule in RWB to trigger an alert for any failure like receiver determination error, mapping error etc. for all interfaces like Create order, cost center, shipments etc.
    I have done the complete configuration and am getting alert emails in my mailbox if any interface fails for any reason.
    But now I came up with the requirement that for one particular interface the alert should not trigger for mapping failure only, and the other interfaces should not be affected.
    Need your help to configure the same.
    Thanks in advance for your help.
    Regards,
    Shele.

    Thanks a lot for the replies.
    The solution was achieved by defining it as suggested.
    • Created an interface-specific alert rule with “No Restriction” to handle all types of error instead of one generic rule to handle all interfaces.
    • Created multiple rules (like Receiver determination error, IDOC Adapter errors etc.) instead of "No Restriction" for the required interface to handle errors excluding mapping error. It successfully suppressed the alerts only if a “mapping Error” occurs.
    Thanks,
    Shele.

  • How to catch a mapping failure event

    Hi All,
    Is there a way to catch a mapping failure and take an appropriate action like sending a fault message to the sender system?
    Does the fault message feature serve the same purpose? Will a fault message always be triggered if there's a mapping failure?
    Thanks,
    Sandeep

    Hi Santhosh,
    Thank you so much for your answer. I've assigned you points as well.
    Is it possible to write some custom code for managing this alert? An example:
    When a mapping failure occurs, I would like to make a web service call to the sender system.
    Any thoughts?
    Thanks,
    Sandeep

  • ACS Group mapping and restrictions

    hi,
    I would appreciate receiving some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    Thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user as a part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to External User Database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined: the first configured mapping is looked at first, then the second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is the first configured mapping, it will be looked for FIRST (if a user exists in the NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further mappings for this user are checked, and the user is authenticated or rejected).
    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group, and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively as per the above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices, you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group, with which you permit access on a group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for Cisco IOS routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached in the ACS database (NOT the password); the only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
    *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the below order...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A, B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
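    To make the ordering rule above concrete, here is an added Python model (not ACS code, and not part of the thread) of first-match group mapping: each mapping lists the AD groups a user must hold, the first satisfied mapping wins, and a helper flags mappings that can never match because an earlier, less specific mapping always fires first. The group names A, B, C and the "Group N" labels are the ones used in the answer; everything else is an assumption.

```python
"""Model of ACS-style first-match Windows group mapping (added example)."""

# A mapping is (required AD groups, ACS group). ACS walks the list top
# to bottom and stops at the first mapping whose AD groups the user ALL
# holds; later mappings are never consulted for that user.
Mapping = tuple[list[str], str]


def map_user(user_groups: list[str], mappings: list[Mapping],
             default: str = "Default Group") -> str:
    """Return the ACS group the user lands in, or the default group."""
    held = set(user_groups)
    for required, acs_group in mappings:
        if set(required) <= held:          # user is in ALL required groups
            return acs_group
    return default                          # no mapping matched


def shadowed_mappings(mappings: list[Mapping]) -> list[int]:
    """Indices of mappings that can never match.

    Mapping j is unreachable when an earlier mapping i requires a subset
    of j's groups: every user who satisfies j already satisfied i.
    """
    unreachable = []
    for j, (req_j, _) in enumerate(mappings):
        for req_i, _ in mappings[:j]:
            if set(req_i) <= set(req_j):
                unreachable.append(j)
                break
    return unreachable


# The unsupported order from the answer: one AD group per mapping.
NAIVE: list[Mapping] = [
    (["A"], "Group 1"),
    (["B"], "Group 2"),
    (["C"], "Group 3"),
]

# The recommended order: the most specific (combined) mapping first.
ORDERED: list[Mapping] = [
    (["A", "B", "C"], "Group 1"),
    (["A"], "Group 2"),
    (["B"], "Group 3"),
    (["C"], "Group 4"),
]

# Combined mapping placed AFTER the single-group one: it is dead config.
WRONG_ORDER: list[Mapping] = [
    (["A"], "Group 2"),
    (["A", "B", "C"], "Group 1"),
]

if __name__ == "__main__":
    # Constructed sample users, not taken from any real directory.
    for user, groups in [("cisco", ["A", "B", "C"]), ("cisco1", ["A"]),
                         ("cisco2", ["B"]), ("guest", ["D"])]:
        print(f"{user:7} naive={map_user(groups, NAIVE):14} "
              f"ordered={map_user(groups, ORDERED)}")
    print("unreachable mappings in WRONG_ORDER:", shadowed_mappings(WRONG_ORDER))
```

A user in A, B and C still lands in Group 1 under both orders, but only the ORDERED list lets a user who is in A alone reach Group 2, and `shadowed_mappings` catches the case where a combined mapping was added below the single-group one and silently never applies.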

  • What is group.mapping

    When I configure the discussion secure connection in EM, I find the property group.mapping. According to the online document the value should be category, but a WebCenter guru's blog said its default value should be forum. So my question is: what is the property standard for? Can anyone explain it in detail? Thanks a lot!

    Hi,
    see the explanation for group.mapping here - http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_ann_disc.htm#BJFEBABF

  • Move group mapping ACS 3.3 or 4.0

    Hi,
    Is there some possibility to move a group mapping UP/DOWN in the list of mappings? When I create a mapping it's at the end of the list, but I need to move this rule to another position in the list because there is a sequential system for matching rules.

    In ACS 3.3(11):
    External User Database...Database Group Mappings...Pick Database...Pick Domain(If Windows) or Pick Tree(if NDS)...
    This should bring you to your group listings...click Order Mappings then you can move your groups up or down.

  • OID users , users to group mapping took off

    Hi,
    I do not know how and why the OID users and user to group mapping were taken. I am not able to get anything from the logs.
    Can anyone help?
    Thanks a lot!!!
