AD Integration: 1 Forest containing 2 Domains - Run As Accounts/Profiles (SCOM 2012)
I know there are plenty of threads on AD integration & Run As accounts\Profiles, but none quite answering my scenario...so here goes.
1 Forest containing 2 domains: abc.com and def.com.
abc.com contains the SCOM 2012 infrastructure (Mgmt Servers (MS1, MS2), Ops DB, Reporting DWDB).
abc.com
1. Created SCOM Admins Global Security group
2. Created SCOM_MS_Action domain user account (used during SCOM setup & also Local Admin on all abc.com machines via Action Account AD group/GPO)
3. Ran MomADAdmin.exe DEV-OPSMGR12 "abc\SCOM Admins" abc\SCOM_MS_Action abc.com (SCOM_MS_Action added to SCOM Admins group as a result)
4. Created Auto Agent Assign rule for abc.com against MS1 for "servers", Run As Profile left as default setting.
RESULT: All servers in abc.com populated MS_PrimarySG_xxx group as expected.
def.com
5. Created SCOM Admins Global Security group
6. Created SCOM_AD_Assign domain user account
7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
Do I need to create this?
9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
Do I need to create a new Run As Profile?
Was this the correct MP, as when creating a new MP I got errors about it being unsealed when assigning to the new Auto Agent Assign rule? I was under the impression never to use the Default MP?
11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
Is this correct?
12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery".
RESULT: def.com contains OperationsManagement\DEV-OPSMGR12 container but no MS_PrimarySG_xxx group exists?
Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? And if so, do I target All Objects, Class, Group, Object?
Thanks in advance - I find these Run As accounts very confusing when it comes to multiple domains!
OK, solved this one myself. To answer my own questions :) this is what needed to be done (whether it's entirely correct or not is up for debate, however I ended up with the result I was after, so I am happy for now):
def.com
5. Created SCOM Admins Global Security group
6. Created SCOM_AD_Assign domain user account
7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
Do I need to create this?
YES
9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
YES, and added the Management Servers as "...the computers to which the credentials will be distributed"
10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
Do I need to create a new Run As Profile?
YES
Was this the correct MP, as when creating a new MP I got errors about it being unsealed when assigning to the new Auto Agent Assign rule? I was under the impression never to use the Default MP?
Questionable. I did select the Default MP, otherwise the unsealed error occurred when creating the Auto Agent Assign rule.
11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
Is this correct?
NO, instead I targeted the Class "AD Assignment Resource Pool"
12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery".
Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? And if so, do I target All Objects, Class, Group, Object?
NO, otherwise alerts appear regarding abc.com discovery rules breaking. Looks like for additional domains this rule should not be touched.
RESULT: All servers in def.com populated MS_PrimarySG_xxx group as expected.
Note: Domain Controllers should not be included in the Auto Assign rules supposedly (makes sense), so I altered the query to ensure they didn't populate the MS_PrimarySG_xxx group:
(&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))
(!(primaryGroupID=516)) equates to exclude DCs.
Hope this helps others
Steve
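The def.com half of the procedure above (steps 8 to 11), as an added example done with the OperationsManager PowerShell module on a management server instead of the console. This is not code from the original post. Assumptions: MS1 is reachable as a management server; the class shown in the console as "AD Assignment Resource Pool" has the internal name Microsoft.SystemCenter.ADAssignmentResourcePool; the profile ID Custom.DefADAgentDiscovery and the final Get-ADGroup check are choices made here, not anything the post describes.

```powershell
# Added example, not code from the original post. Assumed names are marked in comments.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "MS1"   # assumed: management server from the post

$accountName = "def\SCOM_AD_Assign"
$profileName = "def AD Agent Discovery"

# Step 8: a Windows Run As account holding def\SCOM_AD_Assign. Get-Credential prompts for the
# password so it is never stored in the script.
$account = Get-SCOMRunAsAccount -Name $accountName -ErrorAction SilentlyContinue
if (-not $account) {
    $cred = Get-Credential -UserName "def\SCOM_AD_Assign" -Message "Password for def\SCOM_AD_Assign"
    $account = Add-SCOMRunAsAccount -Windows -Name $accountName -RunAsCredential $cred `
        -Description "AD agent assignment for def.com"
}

# Step 9: More Secure distribution, limited to the management servers. Less Secure would push
# the def.com credential to every health service, which is what the post links to the errors
# on abc.com clients.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution (Get-SCOMManagementServer)

# Step 10: a dedicated profile. It is created in the Default Management Pack because the
# assignment rule the wizard creates lives in that unsealed pack, and an unsealed pack cannot
# reference elements of another unsealed pack; a profile in a new unsealed pack is what gives
# the "unsealed" error the post ran into.
$defaultMp = Get-SCOMManagementPack -Name "Microsoft.SystemCenter.OperationsManager.DefaultUser"
$profile = Get-SCOMRunAsProfile -DisplayName $profileName -ErrorAction SilentlyContinue
if (-not $profile) {
    # "Custom.DefADAgentDiscovery" is an assumed element ID chosen for this example
    $profile = Add-SCOMRunAsProfile -Name "Custom.DefADAgentDiscovery" -DisplayName $profileName -ManagementPack $defaultMp
}

# Step 11: bind the account to the profile for the AD Assignment Resource Pool class only.
# "All Objects" would make the credential available to every workflow using the profile; the
# class target limits it to the agent assignment workflow, which is all it is for.
$poolClass = Get-SCOMClass -Name "Microsoft.SystemCenter.ADAssignmentResourcePool"   # assumed internal class name
Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $account -Class $poolClass

# Step 12 stays in the console (Agent Assignment and Failover Wizard), selecting this profile
# for def.com. The post's LDAP query with the DC exclusion inside the AND clause
# (516 is the RID of the Domain Controllers group, the primary group of every DC):
$ldapQuery = "(&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))"
Write-Output "Paste into the wizard: $ldapQuery"

# Check (assumed, needs the ActiveDirectory module and read access in def.com): once the rule
# has run, the MS_PrimarySG_* group for the management server should exist under the
# OperationsManagement container that MomADAdmin.exe created.
Get-ADGroup -Server "def.com" -LDAPFilter "(cn=MS_PrimarySG_*)" `
    -SearchBase "CN=DEV-OPSMGR12,CN=OperationsManagement,DC=def,DC=com" |
    Select-Object Name, DistinguishedName
```

Run it from an account that is a SCOM administrator; the def\SCOM_AD_Assign password is entered at the prompt, not passed on the command line. Set-SCOMRunAsProfile also accepts -Group and -Instance in place of -Class if a narrower target is wanted.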
Similar Messages
-
Changing RunAs account in SCOM 2012R2
For SCOM 2007R2, we had SetActionAccount.ps1 to change the RunAs account for a group of servers (from the console, via OM shell). Does anyone have a way to change the RunAs account for a group of servers in 2012R2? I'm not smart enough to hack the SetActionAccount.ps1 for 2012R2.
"Fear disturbs your concentration"
Hi,
param ([string]$newActionAccountName)

# Intended to run as a console task launched against a group: the first entry in the shell
# history is the launching command "Get-SCOMGroup -Id <guid> ; ..." and the group id is cut
# out of that command line.
$str = Get-History | Select-Object -First 1
$str = $str.CommandLine | Out-String
$start = $str.IndexOf("-Id") + 4
$end = $str.IndexOf(" ;", $start)
$length = $end - $start
$context = $str.Substring($start, $length)

$Group = Get-SCOMGroup -Id $context
$mg = Get-SCOMManagementGroup
$newActionAccount = Get-SCOMRunAsAccount -Name $newActionAccountName
$actionAccountRunAsProfile = $mg.GetMonitoringSecureReferenceForActionAccount()

if ($newActionAccount -eq $null -or $newActionAccount.Count -eq 0) {
    throw "Action Account '$newActionAccountName' was not found."
}
if ($newActionAccount.Count -gt 1) {
    throw "More than one action account was found with the same name as '$newActionAccountName'."
}

# Display names of the group members, then the health services that belong to them
$ComputerGroup = $Group.GetRelatedMonitoringObjects().DisplayName
$healthServices = Get-SCOMClassInstance -Class (Get-SCOMClass -Name "Microsoft.SystemCenter.HealthService") |
    Where-Object { $ComputerGroup -contains $_.DisplayName }

# Action account profile mappings, restricted to those health services
$secureDataHSRefs = $mg.GetMonitoringSecureDataHealthServiceReferenceBySecureReferenceId($actionAccountRunAsProfile.Id) |
    Where-Object { $healthServices.Id -contains $_.HealthServiceId }

foreach ($secureDataHSRef in $secureDataHSRefs) {
    $healthService = $mg.GetMonitoringObject($secureDataHSRef.HealthServiceId)
    $currentActionAccount = $mg.GetMonitoringSecureData($secureDataHSRef.MonitoringSecureDataId)
    "Computer: '" + $healthService.DisplayName + "' ...changing action account" + "'`n From: '" + $currentActionAccount.Name + "'`n To : '" + $newActionAccountName + "'"
    $secureDataHSRef.MonitoringSecureDataId = $newActionAccount.Id
    $secureDataHSRef.Update()
}
-
Forest and domain functional level Windows Server 2012 R2 - what's new?
Hi, I still can't find documentation about the new domain and forest functional levels in WS 2012 R2.
a) "What's New in Active Directory in Windows Server 2012 R2"
http://technet.microsoft.com/en-us/library/dn268294.aspx
No word about it.
b) "Understanding Domain and Forest Functional Levels"
http://technet.microsoft.com/en-us/library/cc771294.aspx
Still WS 2012.
Thorsten
For what's new in Active Directory in Windows Server 2012 R2, read the following blog:
http://policelli.com/blog/archive/2013/06/27/whats-new-in-active-directory-in-windows-server-2012-r2-preview/
-
Hi,
after reading many posts and blogs I came to the conclusion that it is still unclear to me what is needed to monitor Active Directory successfully and what is the most secure way of configuring the RunAs or Action Account. I hope the experts here can make a clear statement to answer the question for all time ;-)
1. Action Account:
Here is described what permissions and rights are needed to use a low-privileged account:
https://technet.microsoft.com/en-us/library/hh212808.aspx
Now you might say: that was asked and answered so many times...you are right, but the answers ranged from run as "Local System" to "you need local admin". So also the AD MP documentation still says you need a local admin account.
Here are other references which say you need local admin rights:
http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
Even Kevin Holman says here
https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
"Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. (in most cases)."
Simple questions: Is this really enough to monitor every aspect of an Active Directory domain and domain controller using a low-privilege account with the permissions in the article? Or is using Local System better? Is there a difference when using SCOM 2012 R2 with the new agent? Most documentation refers to SCOM 2007 (except the replication monitoring, where it is clear that other permissions are needed:
http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )
The MP guide is not really clear about it. The only thing they are clear about is whenever you want to use client monitoring. In those situations low privileged will not work.
For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly.
Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
But this is not an answer to your question. :-) -
Alert summary MP run as account profile in multiple domains
Hi,
I have a general question about run as account profiles and targeting of objects. We have an Alert Summary MP account that uses the SCOM action account. The target is all objects. The RunAs account used is a domain account in domain XYZ. When targeting all objects, it tries to run on domain ABC and caused an alert.
How can I specifically configure the profile to use account XYZ\accountname for objects in the XYZ domain and then ABC\accountname in the ABC domain?
Thanks Lance
1) Create Group XYZ containing all objects in domain XYZ
2) Create Group ABC containing all objects in domain ABC
3) Create two RunAs accounts, one in domain XYZ (XYZSCOMActionAccount) and the other in domain ABC (ABCSCOMActionAccount)
4) In the account profile, add two RunAs accounts, one with account XYZSCOMActionAccount targeting group XYZ and the other with account ABCSCOMActionAccount targeting group ABC
Roger -
I am currently running 4 iPod classics through my own account/profile on iTunes. They belong to me, my husband and 2 kids.
The kids are getting older now and have their own laptops. I would like them to have their own iTunes accounts as they will be away from home much of the time and will want to make their own purchases.
How can I set them up so that they are independent from my account, but not lose the content that I have downloaded for them over the years? (A lot of content).
You and your husband can share a store account and still have separate iCloud accounts for your contacts, bookmarks and stuff like that. Click here for instructions to make an Apple account without entering a credit card. Make sure you use a different email address for each Apple account.
Set up your iPhone/iPad whatever using the new account for iCloud. Then go into Settings/Store and sign in with your purchasing account; you may need to sign out of the other account. To the best of my knowledge, your household is allowed to share purchases legally, someone please correct me if I'm wrong.
Once you each have your own devices set to your own accounts you can set them to back up to that account and it will keep all your contacts separate. -
Hi there,
In my SharePoint 2010 farm - on the SQL Server:
The MSSQLSERVER service is running under Local System.
1. Can I change it to run as a normal Domain User account?
2. Does it need any extra privileges?
3. Is it a safe thing to do?
A brief description will be very useful.
Thanks so much.
You need to create a service account with the "password never expires" option + "user cannot change password".
Then you need to go through the below recommendations from Microsoft:
Security Considerations for a SQL Server Installation
Planning for Services, Accounts, and Connections
Hope you got a starting point.
-
"Administrator" Domain Admin account is logged in on a temporary profile.
Good day,
I have an issue logging in on my "Administrator" domain admin account on Windows Server 2008 R2. I noticed it because my wallpaper and desktop shortcuts are different from what I set before. Also, I checked the path for my docs and noticed that it's no longer pointing where it should be.
I attached pictures for more details of my problem.
akosijesyang - the conqueror
Hi,
Check out the below thread for a similar discussion:
http://social.technet.microsoft.com/Forums/en-US/43c7c956-7f15-4e51-bf99-f775cd2fb5e9/windows-server-2008-r2-temporary-profile-for-admin-account?forum=winservergen
Regards,
Gopi
JiJi Technologies -
Hello everyone,
While using Web Application Transaction Monitoring to monitor certain websites using specific credentials, Event 7000 occurs on the Watcher Nodes, which happen to also be Management Servers.
Here are the details:
The Run As Accounts used are Windows account types.
They have been tested on the websites and are correct.
In the Distribution the More Secure option is selected but no object is present. They are used only for web monitoring.
The Web Application in WATM is using NTLM as the authentication method.
In Monitoring, the web application appears healthy as it is working properly and is being correctly monitored.
In Profiles there is a User Authentication Action Account profile created automatically which has the Run As Account. It is scoped to the management server which is also the watcher node for the web application.
The problem:
On the management server acting as a Watcher Node for the web application, in the OpsMgr log the event ID 7000 is recorded, causing a trigger for a monitor that changes the health of the Management Server to Warning. The monitor should automatically resolve when all Run As Accounts are validated.
Any ideas on how to resolve this issue without overriding the monitor?
Thanks,
Marius
http://mariusene.wordpress.com/
The SCOM Run As Account wizard does not allow me to specify the basic/simple/digest type account in the form domain\username. I believe the website uses Windows integrated (NTLM) authentication so there is no workaround but to create a Windows Account type in SCOM.
I just don't want the Health Service to try to validate the run as account locally on the watcher node because it's in a different domain.
I suppose in this case disabling the monitor for those watcher nodes is the only solution?
http://mariusene.wordpress.com/ -
Hi, I experienced the "Data Source Could Not Be Initialized" issue with the SharePoint Database Monitor.
From the suggested related topic, I tried to override the ConnectionString for each of the databases. Example as below:
Provider=SQLOLEDB;Server=server1;Database=database1;Integrated Security=SSPI
server1 is an active-passive cluster for failover. And now I get the error message "Login Failed for user domain\momaccount". I expected the default SharePoint monitor account to be used instead of the MOM service account.
Is it possible to override the RunAs account to use the SharePoint credential that's already created for other MOSS monitoring?
Thanks.
SonicWave
Hi Sonic, this thread has been open for some time without any replies. Is it still current or has it been answered already? In which case we could close the thread.
Have you run through the SharePoint management pack guides and set the SharePoint monitoring RunAs account to the right profiles?
Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient -
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check:
ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails although all other links are OK.
My question is "why does the check fail with a non-domain user account while the other CDP points are successfully verified"?
Here is the logfile from the local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster - and one for the OCSP service - also an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
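An added example for triaging output like the log above; it is not code from the thread. The function parses the text that certutil -verify -urlfetch writes and lists every CDP/AIA URL with its result, grouped by scheme, so the URLs that depend on the caller's own credentials (ldap:// needs an authenticated LDAP bind, file:// needs SMB access) are separated from the anonymous http:// fetches. $sampleLog is constructed from lines of the post above; for a real run feed it the check.txt produced under the local account. Requires PowerShell 3.0 or later.

```powershell
# Added example, not code from the thread. $sampleLog is constructed from the post above;
# replace it with (Get-Content .\check.txt -Raw) for a real certutil -verify -urlfetch log.
$sampleLog = @'
---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
  Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
'@

function Get-CertutilUrlStatus {
    param([Parameter(Mandatory = $true)][string]$Log)
    $section = $null; $status = $null; $lastError = $null
    foreach ($line in ($Log -split "`r?`n")) {
        $t = $line.Trim()
        # Section banner, e.g. "---------------- Certificate AIA ----------------"
        if ($t -match '^-+ (.+?) -+$') { $section = $Matches[1]; $status = $null; $lastError = $null; continue }
        # Result line that precedes a URL, e.g. 'Failed "AIA" Time: 0' or 'Verified "Base CRL (018d)" Time: 4'
        if ($t -match '^(Failed|Verified|OK|Old Base CRL|No URLs) "(.*)" Time: \d+') {
            $status = $Matches[1]; $lastError = $null; continue
        }
        # certutil's error text for a failed fetch, printed before the URL it applies to
        if ($t -match '^Error retrieving URL: (.+)$') { $lastError = $Matches[1]; continue }
        # The URL itself, optionally prefixed with certutil's index such as [1.0.2]
        if ($t -match '^(?:\[[\d.]+\] )?((ldap|https?|file)://\S+)$') {
            [pscustomobject]@{
                Section = $section
                Scheme  = $Matches[2]
                Status  = $status
                Url     = $Matches[1]
                Error   = $lastError
            }
        }
    }
}

$rows = Get-CertutilUrlStatus -Log $sampleLog

# Per-scheme summary. ldap:// and file:// are fetched with the caller's credentials, so a
# non-domain account fails them even though the same CRL is reachable over http://.
$rows | Group-Object Scheme | ForEach-Object {
    [pscustomobject]@{
        Scheme                = $_.Name
        Urls                  = $_.Count
        Failed                = @($_.Group | Where-Object { $_.Status -eq 'Failed' }).Count
        NeedsCallerCredential = @('ldap', 'file') -contains $_.Name
    }
} | Format-Table -AutoSize

# The failing URLs with certutil's error text: if every failure is ldap:// or file://, the fix
# is on the CA side (drop those URLs from the CDP/AIA extensions, as the answer recommends).
$rows | Where-Object { $_.Status -eq 'Failed' } | Select-Object Section, Scheme, Url, Error | Format-List
```

To reproduce the question's scenario, generate the log as the local account (for example with runas /user:.\localuser "cmd /c certutil -verify -urlfetch cert.cer > check.txt") and pass that file in; if the only failures are ldap:// and file:// entries, the chain is not broken, the publication points are.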
Software always installs to Domain Admin account on connected PC - can't install to Domain User account
I have completed the following steps:
Set up Windows Server 2012 R2 Essentials successfully
Successfully connected a Windows 8.1 Pro PC to the network by running the Essentials Connector software
The PC has the following users: original local account created when I installed Windows 8, Domain Admin account created when I ran the Essentials Connector, Domain User created after the PC was connected to the network.
Everything seems to be working fine. I have installed MS Office 365 Pro, Skype, and various other applications while logged in as the Domain User. Every one of these installs triggered a UAC prompt, which was expected, and after entering the Domain Admin credentials the install proceeded successfully. After install, the software was available to the Domain User, shortcuts appeared in the Start Menu or Desktop, appropriate directories were created in the Documents folder.
All except for 3 applications - upon being prompted for permission to install, I enter the Domain Admin credentials, installation proceeds, but the software is installed to the Domain Admin account, not the Domain User account. Shortcuts appear on the Domain Admin desktop, not the Domain User account, etc. I've tried:
Downloading a new copy of the software to the Domain User desktop & running it from there
Right-click file, Install as Admin
Click file, Install as a different user
Right-clicking file, Properties>Compatibility & changing compatibility settings
Right-clicking file, Properties>Compatibility>Run as Administrator
None of these options have changed the result, the software is still installed to the Domain Admin account as opposed to the Domain User account. Any idea why these 3 applications won't install correctly but everything else has? Any suggestions as to how to install the software to the profile that don't involve making the Domain User an Administrator? Thanks for any help!
Hi voltron5,
Many programs provide the options "install for everyone" or "just for current user" when you install them.
Please check if there are such options during the installation process.
If those three programs are all third-party applications, I suggest you contact the corresponding support and confirm this.
If those three programs are Microsoft applications, would you please let me know specific information about those three applications, such as their names and so on? Meanwhile, when the installation completes, please check whether the software path was added to the administrator environment variables or the system environment variables.
Hope this helps.
Best regards,
Justin Gu -
I have a AD FS 2.0 server (Server 2012) in my forest root domain. My user domain is a child domain within that forest. I am unable to find any documentation that tells me if I need to do any further configuration to have it authenticate users from the child
domain or if that should just magically happen because of the Parent Child trust relationship.
Upon rebuilding the server again and making sure that the server name and the pool name were diffrent so I could create the proper SPN entries, I am now unable to access my server using any of the AD FS urls'. It will prompt me for my credentials 3 times
and then tell me I am not Authorized. I have been searching on the web but have been unable to find the solutionsI have made DNS changes, added http SPN entries. Changed the Authentication settings on IIS... I am stuck. Any help would be great.I have been using the "AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation".
I am trying to federate with a diffrent organization where I am the IP and I have no control over the SAML 2.0 side... That being said, I changed my DNS and now I can get to my server using the IDPInitiatedlogon URL. When I run
through the URL that bounces me between the other organization and then back to my AD FS server.... I get stuck in a loop where it asks me for credentials 3 times and then tells me I am "Not Authorized"
Here is a bit of the fiddler trace:
https://<other-org-adfs>/adfs/ls/?wtrealm=urn:ca:bc:gov:sfs&wa=wsignin1.0&whr=https://<my-org-adfs>/adfs/services/trust
http://<my-org-adfs>:443
http://<my-org-adfs>:443
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
https://<my-org-adfs>/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2f<other-org-adfs>%2fadfs%2fservices%2ftrust&wctx=337b6722-1acc-4e91-a3c7-35ab6e55e2dd&whr=https%3a%2f%2f<my-org-adfs>%2fadfs%2fservices%2ftrust
http://<my-org-adfs>:443
It seems to be stuck looping between /adfs/ls and /adfs/ls/auth/integrated . It then times out and gives me the error in the browser. -
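One way to check a trace like the one above for the /adfs/ls <-> /adfs/ls/auth/integrated bounce, as an added example that is not the poster's or Microsoft's code: it parses the request URLs, decodes the WS-Federation parameters (wa, wtrealm, wctx, whr) and reports how many times the same wctx was sent back from the integrated endpoint without a token being issued. The host names, realm values and wctx GUID in the sample trace are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

LS = "/adfs/ls/"                           # WS-Federation passive sign-in endpoint
INTEGRATED = "/adfs/ls/auth/integrated/"   # Windows Integrated Authentication handler
# Constructed sample in the shape of the Fiddler capture above; the host names,
# the realm identifiers and the wctx GUID are made-up placeholders.
SAMPLE_TRACE = """
https://adfs.otherorg.example/adfs/ls/?wtrealm=urn:example:rp&wa=wsignin1.0&whr=https://adfs.myorg.example/adfs/services/trust
http://adfs.myorg.example:443
https://adfs.myorg.example/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
https://adfs.myorg.example/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.otherorg.example%2fadfs%2fservices%2ftrust&wctx=11111111-2222-4333-8444-555555555555&whr=https%3a%2f%2fadfs.myorg.example%2fadfs%2fservices%2ftrust
http://adfs.myorg.example:443
"""

def parse_trace(trace):
    """One dict per request line: host, path and the decoded WS-Fed parameters."""
    hops = []
    for line in trace.split():
        u = urlsplit(line)
        q = parse_qs(u.query)                  # also percent-decodes the values
        hop = {"host": u.hostname, "path": u.path}
        for key in ("wa", "wtrealm", "wctx", "whr"):
            hop[key] = q.get(key, [None])[0]
        hops.append(hop)
    return hops

def find_auth_loop(hops, min_cycles=2):
    """Detect the /adfs/ls <-> /adfs/ls/auth/integrated bounce.
    One visit to the integrated endpoint is normal; the same wctx (AD FS's
    per-request context) coming back from it to /adfs/ls again and again means
    the server rejected the browser's Windows credentials each time, the
    on-the-wire shape of an SPN/Kerberos or IIS authentication misconfiguration.
    """
    cycles, ctx, host = 0, None, None
    for prev, cur in zip(hops, hops[1:]):
        same_request = prev["wctx"] is not None and prev["wctx"] == cur["wctx"]
        if same_request and prev["path"] == INTEGRATED and cur["path"] == LS:
            cycles, ctx, host = cycles + 1, cur["wctx"], cur["host"]
    if cycles < min_cycles:
        return None
    # wtrealm is the partner identifier the other side sent; it must match a
    # relying party trust identifier configured on this AD FS server.
    realm = next(h["wtrealm"] for h in hops if h["wctx"] == ctx)
    return {"host": host, "wctx": ctx, "cycles": cycles, "wtrealm": realm}
```

Feed it the real capture (one URL per line) and a non-None result with a large cycle count confirms the loop is an authentication failure on the integrated endpoint rather than a DNS or redirect problem.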
Forest root domain displayed as network label, rather than child domain
Following on from this post (which I stupidly contributed to without realising it's a gazillion years old):
http://social.technet.microsoft.com/Forums/windowsserver/en-US/44cab27b-e2ef-4496-bfa7-add7ac014401/server-2008-and-windows-7-detect-their-domain-incorrectly-why?forum=winserverPN&prof=required
I run a DMZ child domain which is pretty tightly locked-down, and the display name when you hover over the NIC shows the network as the forest root domain. None of the answers in the above thread state why this should be the case clearly, and a vague response
from support saying that 'Product Group' (which one?!) have been asked for feedback was never followed up on.
Since I can't open LDAP directly between my DMZ machines and the forest root PDC, and therefore can't even generate a profile to copy into a registry key & deploy either by GPO or batch file, I'm SOL finding a solution to this - but would at least like
a viable explanation for the behaviour, as opposed to 'it's by design'.
Can I ask if something is not working correctly because of this? The display of the connected network does not affect communication or how DNS will resolve. Are you chasing this down because you don't like the display, or is there an outage?
Thanks!
- Chris Ream -
**Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.** -
Workflow Manager 1.0 configuration- Specified RunAs account is invalid
Hello - I am trying to install and configure Workflow manager 1.0. As part of workflow manager configuration specifying the user id in
Configure Service Account section throwing error as "Specified RunAs account is invalid".
I tried different ways and means suggested in forums and KBs - but I think it is unable to validate the user in Active Directory. Our Active Directory is AD 2003 functional level and wondering it has any issues with Workflow manager 1.0?
Here are the environment details:
WF Machine: Windows Server 2008 R2 SP1
AD: Active Directory 2003
Workflow Manager 1.0 installed and also applied the below latest workflow and service bus hotfixes.
http://support.microsoft.com/kb/2799754;
http://support.microsoft.com/kb/2799752
Also moved the service account to the default OU=Users container in AD as specified in below forum but no luck.
http://social.msdn.microsoft.com/Forums/en-US/servbus/thread/3d803e15-606a-4f06-96fe-97c23ad3c01a
I am not sure where the issue is, wondering if anyone has run into a similar issue. Appreciate any feedback.
Thanks for your response.
No, it still didn't work; we right-clicked the Users OU and provided read permissions on it directly, not from any groups, as well as for the Computers OU.
For me it is not showing invalid user, but the wizard crashes as soon as we enter the service account details in the wizard, maybe since the solution you are providing is not working for me.
http://social.technet.microsoft.com/Forums/office/en-US/d70662fc-8e10-4862-975d-e441bf9c32f0/what-permission-does-the-service-account-requires-on-ad-for-the-workflow-manager-10-to-be?forum=sharepointadmin
However, we had one other test account which has full control on many areas and is able to pass through this wizard without crashing.
We aren't able to get the same permissions applied for the prod account as it isn't right to simply take elevated permissions (full control) on AD objects.
The Windows/AD team is looking for the specific permission which this Workflow Manager requires to provide access.
I don't see this documented with Microsoft either.
SQL DB creation ability, domain account, farm admin - is the criteria, I believe.