Allow join domain and user AD authentication through WatchGuard UTM

The question you have suggests to me that you are not using WSM to manage your firewall?
You should use the traffic monitor in the Firebox System Manager, that is part of the WSM install, and watch the traffic between your DC and a test computer. Therefore you can set a filter in the traffic monitor, so you will be shown only the traffic of your test computer. If some kind of traffic is blocked from or to your test computer, it will be shown as a red line. If you analyze this line, you will see exactly what port it was that was denied.
In general though, I think that all you need is to point your clients at a DNS server that is 'AD aware' (has the A records you need for AD) and an SMB rule that will allow SMB traffic to your MS subnet.

Hi all,
I am configuring a new WatchGuard UTM to have 3 different VLANs, for servers, staff and students. My target is to allow computers from staff and students to connect to the DCs on the server VLAN and join the domain, and for staff/students to log on successfully.
I found the link below and successfully configured it to allow DC replication.
https://support.microsoft.com/en-us/kb/832017
However, for computers to join the domain and for user AD authentication, I could not come up with a list of ports to open on the WatchGuard.
Any suggestions on this would be much appreciated.
Peter
This topic first appeared in the Spiceworks Community
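As an added diagnostic that is not part of the thread: a PowerShell script to run on a test PC in the staff or student VLAN. It first checks that the DNS server handed to the client is AD aware (it must resolve the DC locator SRV record), then probes the TCP ports that domain join and logon use, so a failed probe can be matched against the red (denied) line in the Firebox traffic monitor filtered on that client. The domain and DC names are placeholders, and the port list is the standard AD client port list, not one taken from the thread.

```powershell
# Added example (not from the thread): run on a test client in the staff or
# student VLAN. Placeholders: replace $Domain and $DcName with your own values.
param(
    [string]$Domain = 'corp.example.local',      # placeholder
    [string]$DcName = 'dc01.corp.example.local'  # placeholder
)

# Standard AD client ports (TCP side). UDP 53/88/389 and the RPC dynamic range
# (TCP 49152-65535 on Server 2008 and later) cannot be probed with
# Test-NetConnection; confirm those in the Firebox traffic monitor instead.
$adPorts = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC endpoint mapper (domain join, Netlogon)' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (Netlogon share, SYSVOL, group policy)' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAP over TLS' },
    @{ Port = 3268; Use = 'Global catalog' }
)

# 1. The DNS server given to the VLAN must be AD aware: a client locates a DC
#    by resolving the _ldap._tcp.dc._msdcs SRV record of the domain.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    Write-Host ("OK   {0} -> {1}" -f $srvName, ($srv.NameTarget -join ', '))
} catch {
    Write-Host ("FAIL {0}: {1}" -f $srvName, $_.Exception.Message)
    Write-Host '     Point the VLAN DHCP scope at a DNS server hosting the AD zone.'
}

# 2. Probe each TCP port on the DC. A FAIL here should line up with a red
#    (denied) line in Firebox System Manager's traffic monitor when the
#    monitor is filtered on this client's IP; that line names the port to allow.
$results = foreach ($p in $adPorts) {
    $open = Test-NetConnection -ComputerName $DcName -Port $p.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p.Port; Use = $p.Use; Open = $open }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -eq 0) {
    Write-Host 'All probed TCP ports reachable; now check UDP and RPC in the traffic monitor.'
} else {
    Write-Host ('Blocked or closed: {0}' -f (($blocked | ForEach-Object { $_.Port }) -join ', '))
}
```

A port that is open on the DC but reported closed here is almost always a firewall policy gap; a port reported closed that is also not listening on the DC will look the same, so cross-check against the traffic monitor before changing a rule.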

Similar Messages

  • I'm unable to load my Microsoft Exchange account.  Think I'm entering the wrong info for domain and user but haven't figured out the correct inputs...

    I think the problem is with my domain and user name information.  Does anyone have any suggestions...

    I know that when I tried to add a Live/Hotmail account I tried MS Ex but ended up having to forward my Live to my Gmail or just add an IMAP account.

  • Provision to Exchange if it's in a root domain and users in child AD: OIM

    Hello,
    Users are in a child domain at: dc=test,dc=mydomain,dc=com.
    This is the base context value I provide for my ADITResource.
    However, Exchange is installed at the root domain: dc=mydomain,dc=com.
    Due to this, when I try to provision to Exchange, I get an error:
    2009-08-17 13:13:54,722 DEBUG [OIMCP.MEXC] com.thortech.xl.integration.Exchange.tcExchangeTasks :
    checkIfMailboxCreated : No value for homeMDB fetched
    I'm guessing it can't see the mailstores since they are located a level above in the tree. When I ran reconciliation to get the mailstore names, I updated the base context temporarily to dc=mydomain,dc=com. But I can't keep it at this since then AD users will not get provisioned.
    Has anyone come across a situation like this before? Is there a workaround? Can a connector talk across root/child domains?
    Any suggestions would be great.
    Thanks.
    Edited by: user4486549 on Aug 18, 2009 12:00 PM

    What I actually meant was that pre Exchange 2007 you could do the whole provisioning process of both AD and Exchange through JNDI. The RUS would automatically create the Exchange object based on the data that you put into the user's AD object.
    It looks to me that in Exchange 2007 you will need to create the AD account (which can be done through JNDI) and then run certain PowerShell, which seems to be slightly more complex but not impossible. Especially not if you have your OIM server running on a Windows host, which should mean that you don't have to bother with the remote connector stuff. (At least if the OIM server is in the same domain as your production domain).
    Best regards
    /Martin

  • Domain and User Level Security

    Dear Friends
    Tuxedo Version : 8.0
    Weblogic Server: 7.0
    Operating System : Win 2000
    I have successfully run the simpapp example with WTC as the connector between
    the remote domain (Tuxedo) and local domain (WLS).
    Now, I want to perform authentication; the documents are not being of much help,
    so can anybody give me any suggestion to create domain level security and ACL?
    Please note, I'm just using the services (import).
    As per the documents and newsgroup,
    I made changes to the TUXEDO ENVIRONMENT, ubbdomain, adding SECURITY, AUTHSERV
    parameters in it.
    Also made respective changes in WTC, but when I run the example,
    it throws an exception as TPENOENT.
    Thank you in anticipation.
    Please help me!

    Hi Shamu,
    I answered similar questions in a posting with title "Service
    Authentication How to". The questions were posted after your post.
    Check out the questions and my reply see whether they are useful to you.
    Regards,
    Honghsi

  • Virtual Mail Domains and Users

    I'm having an issue with virtual hosts and mail hosts. I have three domains; let's call them domain1.com, domain2.com and domain3.com.
    Now let's say I have a user russ and he wants to receive mail only at domain2.com. Is there any way to just let him receive mail at that domain? Because he also receives mail at domain1.com because it is the default domain.
    Any help on this is greatly appreciated.
    Thank You,
    Russ

    Did you ever sort this properly or just go with your 'fix'?
    I have set up our 10.5 mailserver and everything works fine for people with accounts on the server but forwarders to external mail accounts are not working properly.
    Emails sent from an external source to a forwarding account on our server receive a bounce message with the errors...
    <[email protected]>: host mailserver.domain1.com[/var/imap/socket/lmtp]
    said: 550-Mailbox unknown. Either there is no mailbox associated with this
    550-name or you do not have authorization to see it. 550 5.1.1 User unknown
    (in reply to end of DATA command)
    ...and...
    Diagnostic-Code: smtp; 550-Mailbox unknown. Either there is no mailbox
    associated with this 550-name or you do not have authorization to see it.
    550 5.1.1 User unknown
    In this case '[email protected]' is an account on the mailserver set as a forwarder to '[email protected]'
    Despite the sender getting the bounce message, the actual message is however forwarded and received by '[email protected]'
    Paul

  • Domain Users are allowed by default to join domain

    Hi everyone!
    Recently I installed Windows Server 2012 Standard,
    configured Active Directory Domain Services,
    created a simple user "test1",
    then I went to a Windows 7 client and joined the domain with this "test1" user.
    I was shocked: how is it possible that a simple domain user, which is not a part of any domain admin or admin group, can join or rejoin the domain successfully?
    Help me to get out of this: how can I restrict a simple domain user from joining the domain, and why is it like this by default?

    > then i go to windows 7 client and join domain with this "test1" user.
    By default, EVERY user can join up to 10 clients to the domain.
    > and i shocked how is it possible that a simple domain user which is not
     Why shocked? What's the issue when users join computers to the domain?
    > Help me to get out of this how can i restrict simple domain user to join
    > domain and why it was by default ?
    Create a GPO, link it to the domain, move it up to above "Default Domain
    Policy" and configure Computer - Policies - Windows Settings - Security
    Settings - Local Settings - User Rights Assignment: Add Workstations to
    the domain.
    Martin
    How about reading a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
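As an added audit check, not from the thread: the "up to 10 clients" default Martin refers to is stored in the domain attribute ms-DS-MachineAccountQuota, and a computer object joined under that quota (rather than by an account with real create rights on the OU) records the joining user's SID in mS-DS-CreatorSID. The script below reads the quota and lists which users joined which machines, which is the audit to run before tightening the "Add workstations to domain" user right; it assumes the RSAT ActiveDirectory module, and the optional -SetQuotaToZero switch is a remediation the thread itself does not mention.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module;
# reading needs only a domain user, -SetQuotaToZero needs Domain Admin rights.
param(
    [switch]$SetQuotaToZero
)
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. The "10 computers per user" default lives in ms-DS-MachineAccountQuota
#    on the domain naming context.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computers joined under the quota carry the creator's SID in
#    mS-DS-CreatorSID; accounts created by an admin with delegated rights
#    leave it empty. The attribute is an octet string (byte[]).
$computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated

$joinedByUsers = foreach ($c in $computers) {
    $raw = $c.'mS-DS-CreatorSID'
    if (-not $raw) { continue }               # created by a privileged account
    $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)
    try {
        $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $who = $sid.Value                     # creator deleted, or foreign SID
    }
    [pscustomobject]@{ Computer = $c.Name; Creator = $who; Created = $c.whenCreated }
}

# Per-machine view, then a count per creator: anyone near $quota has been
# using the default to join machines without delegated rights.
$joinedByUsers | Sort-Object Creator | Format-Table -AutoSize
$joinedByUsers | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. Optional remediation. A quota of 0 stops unprivileged users from joining
#    computers even while "Add workstations to domain" still includes
#    Authenticated Users; pair it with the GPO change Martin describes.
if ($SetQuotaToZero) {
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'Quota set to 0; existing computer accounts are unaffected.'
}
```

Computers that already exist keep working after the quota change; only new joins by accounts without delegated create rights are refused.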

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know: is it possible to have machine authentication and user authentication happen at the same time? Something like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computers AND AD:externalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computers AND AD:externalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur in different contexts,
    ACS cannot verify both at the same time.
    Using MAR, you can, though, combine the two and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • How to capture userinfo after a partner application is authenticated through SSOSDK?

    I have successfully installed and deployed the Partner application for Portal using SSOSDK. My question is, once the user is authenticated through SSOPartnerServlet.java and gets thrown back to the partner app(PAPP), how do we get the user info(i.e. username) from the PAPP?
    Is there an API?
    I have already asked this question from oracle tech and they told me to post it
    Thanks,
    Hamid

    Pass the name of a subroutine to handle your user commands to the fm parameter.
    I_CALLBACK_USER_COMMAND = 'USER_COMMAND'.
    Then code for the user command function:
    form user_command using r_ucomm type sy-ucomm.
      case r_ucomm.
        when '<FCODE of your button>'.
          " Code your logic....
      endcase.
    endform.
    To add your button using your own pf-status, you should copy a standard GUI status and modify it.
    To trigger this pf-status you should pass the routine name to I_CALLBACK_PF_STATUS_SET (I_CALLBACK_PF_STATUS_SET = 'SET_PF_STATUS').
    form set_pf_status.
      set pf-status 'ZSTAT'.  " This ZSTAT must be created by copying a STANDARD pf-status of some std program like SAPLKKBL and then modifying it.
    endform.

  • Windows machines can't join domain after 10.5.4 upgrade

    Howdy folks,
    I have a ticket open with Apple on this but am posting here in hopes that someone might have an idea for me.
    I upgraded our Mac OS X Server 10.5.3 to 10.5.4 on Sunday, and this morning several users reported that their PCs running Windows XP SP2 were unable to login to the Windows domain hosted on this machine. It's the primary domain controller for the Windows users.
    One thing to note is that I had to reinstall the server completely because the 10.5.4 patcher crashed, creating all kinds of mayhem. I did a fresh install of OS X Server 10.5 and immediately applied the 10.5.4 combo updater to it. I had to restore the Open Directory from an archival copy, and the SMB was created fresh. Not sure why but the SMB services weren't preserved by the Server settings export command in Server Admin.
    I thought unbinding the PC from the Windows domain and then rebinding it with a new name would help, but I've been completely unable to add older computers to the domain, even after removing the old computer records first.
    I've got a reproducible failure mode for this problem on a Windows XP virtual machine running on VMware Fusion on my Mac. Here's the method I've been using to create the failure:
    1. Change Windows XP System name to something new that doesn't already have a computer record on the Mac OS X Server and reboot.
    2. After the reboot, run "NewSID" program on Windows to globally change my Windows machine's SID to a new, random value, and reboot again.
    3. Attempt to use the Network ID wizard in the Windows Control Panel to re-add the machine to the domain under a new name so there's no conflict with any old computer records floating around in Open Directory. After it prompts me to enter the username, password and domain name for a user who's authorized to add machines to the domain, I get a dialog box that displays this error:
    "Your computer could not be joined to the domain because the following error has occurred:
    An internal error occurred."
    Not too informative.
    Here are the error messages I see in /var/log/samba/log.smbd (searching for the new computer name in the search field):
    netbios connect: name1=BIGMAC name2=JEFFVM6
    netbios connect: local=bigmac remote=jeffvm6, name type = 0
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'JEFFVM6$'
    odssam_getgrnam gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Groups record for 'JEFFVM6$'!
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'JEFFVM6$'
    kDSStdAuthNewUser was successful for account "jeffvm6$"
    At that point it's impossible to join the computer to the domain no matter what. The most puzzling thing is that SOME of our users were able to login without any problems whatever. The ones that were either physically off or somewhere else when the 10.5.4 upgrade was applied are the only PCs that seem to be having problems.
    Any help at all is appreciated. I suspect this is some kind of a SID conflict because the SMB server had to be recreated from scratch, but have no idea how to fix the client, the server, or both to make the computer account creation process work.

    The problem is fixed.
    The issue boils down to an argument between the Open Directory server on bigmac (the OS X Server machine) and the SMB server on bigmac. The crucial information I needed to solve this problem was located here: http://www.radiotope.com/node/61
    The Open Directory database had to be restored from a backup following this weekend's problematic upgrade, and it had a different value for the SID for the Windows domain than the one used by the SMB server software itself. Even stranger was that the Open Directory database actually had the wrong domain name! It was listed as "BIGMAC" in Open Directory, even though it was set to the correct Windows domain name in the SMB server.
    The solution was to demote the SMB server from a Primary Domain Controller to a Standalone Machine, and then repromote it. Although I changed no values in the settings, and did not modify the plist containing the SID in the Open Directory via the Inspector in Workgroup Admin, after the SMB PDC was repromoted, the SIDs and the domain names in Open Directory and the SMB config agreed with each other. Now new machines can join the domain and users can login just as they did before. No client-side modifications are necessary.
    Hope this is helpful to someone else. It was quite the hair-pulling experience for a while there.
    Jeff Kirk

  • Bi office and USER variable problem

    Hello,
    On my OBI (10.1.3.3.1) platform users are authenticated through LDAP using mail as username (user attribute equals mail in LDAP settings). If authentication succeeds, variable USER is set to uid (from LDAP) and so the web user (created in presentation) has name uid. The problem is when I try to log in to BI Office using mail. The user can log in (LDAP), but there is no presentation catalog. I've checked the logs of BI Office and found out that it's looking for user mail, but the web user has a name equal to the value of uid (from LDAP), not mail. I think that when logging in to BI Office it doesn't execute the initialization block associated with LDAP; it doesn't set the USER variable to uid. Does anyone know how to get rid of this?
    I also have another question: how do I delete a web user or change his name in the Presentation Catalog? I think I cannot simply delete/rename the directory using Catalog Administrator.
    Thank you in advance.

    I have a Date column in the dashboard prompt which is specified as 'in between' because I want my report to return fields only in between the dates specified in the dashboard prompt by the user. In the report in Answers I have the Date column filter as 'is prompted'.
    Now I want to use a variable (not sure if it is a presentation variable) in the title of the report so the dates picked by the user appear in the title of the report when it shows up in the dashboard.
    Thanks

  • Auto Join Domain using WAIK without install Operating System Image

    Hi all, I have a question.
    In my environment, I have a requirement like this:
    If a user gets a new laptop with the operating system already installed,
    is it possible to automatically join the domain when the user plugs the LAN cable into their computer?
    I already explored this and I found WAIK can help me to auto join the domain, but I must install that OS image too.
    I just want to auto join the domain; is it possible to skip the OS image install process when I use WAIK?
    Can I get a solution for my requirement?
    Thanks for help!
    Best Regards,
    Henry Stefanus

    http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx
    Help yourself :)
    UMESH DEUJA MCP,MCTS,MCSA,CCNA

  • What Will I Miss The Most Not Joining Domain

    Friend of mine has a company where some of the machines are not joined to the domain and users just login with local account. I asked why and they provided two reasons:
    (a) Some take their machines home so it's easier to just have one login. I pointed out, if they are not connected to VPN, could they not just login via: .\username instead or {domain name}\username ? Why is that so hard?
    (b) These machines are Windows 8 standard. How hard to upgrade to Win 8 Pro?
    It seems to me that the biggest drawback of not being joined to the domain is lack of access to network resources (folders) that have user/group security? But then I see you can view the network and login to network shares without using a machine joined to the domain.
    What are the other big advantages of having the workstation domain joined? Ability to enforce group machine policies?...
    This topic first appeared in the Spiceworks Community


  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • MBAM 2.5 - Connection between Machines and Users in DB Error

    Hey everyone.
    I'm having a bit of trouble deploying MBAM 2.5.
    I had a previous installation of MBAM 2.0. The 2.5 installation went smooth, the GPOs are deployed and everything is working well. Except for one thing. I can't rescue TPM passwords or use Drive Recovery if I complete the User Domain and User fields in the forms.
    After consulting the database I can see that both ComplianceCore.Machines_Users and RecoveryandHardwareCore.Machines_Users are not updating, thus not associating users with the respective computers. All else is working great, all tables are being refreshed with Machines, Volumes and Users. The only thing not working is the association of Users with Machines.
    Is this a known bug or could there be something wrong in my configuration?
    Thanks in advance,
    Miguel Duarte

    That can be the issue as well, see this: http://technet.microsoft.com/en-us/library/dn645378.aspx It reads the following:
    The enterprise domain must contain at least one Windows Server 2008 (or later) domain controller.
    If it is possible, can you share your inetpub folder with me? it should be on the IIS server, a root directory of the IIS server. 
    thanks!
    Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.

  • MDT 2010 Vista cannot finish after joining domain

    Hi,
    I have a problem with deployment process after joining domain. I am deploying Vista using MDT 2010 with LiteTouch.  Everything works fine. However, deployment process stops after joining domain. I suppose that autologon is disabled/don't work after joining domain and all following steps can't be started.
    What is wrong with my configuration or Task Sequence?
    Thanks in advance, Jan.

    Hi Jan,
    Thank you for your post.
    As you said that the deployment process stopped after joining domain, may I know if there is any error received? If so, please let me know the details.
    Meanwhile, I would like to share the following with you:
    Avoiding Legan Notice that breaks MDT autologon
    http://blogs.msdn.com/alex_semi/archive/2009/08/28/avoiding-legan-notice-that-breaks-mdt-autologon.aspx
    Thanks.
    Nicholas Li
    TechNet Subscriber Support in forum
    Nicholas Li - MSFT
