Anyconnect permission with NT Domain user
Hi,
I am trying to set up a VPN with AnyConnect on my ASA5510 and it works fine. I have set up an AAA server group for my Active Directory with the "NT Domain" protocol. Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the AnyConnect VPN to only a few users in AD.
Is there a way to do this?
Thank you
Hi Stephane,
This is most easily done by switching from NT authentication to LDAP and implementing the solution in this document:
hth
Herbert
Similar Messages
-
Can we map three BPC users with single domain user
Hi..
When we map the three BPC users in the ABAP server in program UJA3_WRITE_SYS_USERS with a domain user, can we map all three BPC users to only one domain user, or do we have to use three different domain users to map the three BPC users?
Please do reply
Thanks
Bobby
Yep,
you can map three BPC users to a single domain user,
but the domain user must have management roles. -
Could not start the listener with a domain user
Hi all,
I am working on Windows 2003 with Oracle 10.2.0.2 !
With user "local system account", I can start the listener and I have no problems!
After changing the user that runs the listener from the local system account to a domain user, I cannot start the listener again!
(for the oracle service itself for the database, is it possible to change the user from local system to that domain user without problems)
attached the error message when starting the listener with cmd.
by starting the listener with the restart of the windows service, the listener crashed down after a few minutes
do I have to set additional permissions for that domain user?
thanks in advance
Stefan
C:\Documents and Settings\Administrator>lsnrctl start listener
LSNRCTL for 32-bit Windows: Version 10.2.0.2.0 - Production on 17-JAN-2008 11:51:29
Copyright (c) 1991, 2005, Oracle. All rights reserved.
tnslsnr wird gestartet: Bitte warten...
TNS-12537: TNS: Verbindung beendet
TNS-12560: TNS: Fehler bei Protokolladapter
TNS-00507: Verbindung beendet
32-bit Windows Error: 109: Unknown error
In this case I see three error messages:
TNS-12537: TNS:connection closed
Cause: "End of file" condition has been reached; partner has disconnected.
Action: None needed; this is an information message.
TNS-12560: TNS:protocol adapter error
Cause: A generic protocol adapter error occurred.
Action: Check addresses used for proper protocol specification. Before reporting this error, look at the error stack and check for lower level transport errors. For further details, turn on tracing and reexecute the operation. Turn off tracing when the operation is complete.
TNS-00507: Connection closed
Cause: Normal "end of file" condition has been reached; partner has disconnected.
Action: None needed; this is an information message.
The most important is the tns-12560 error message, this means that an unsupported protocol exception was raised. Assuming you are using the same environment configuration when starting the listener with the local account and starting it with the domain authenticated user, then it has to do with permissions. Both the local administrator account and the domain authenticated user must belong to the ORA_DBA group, otherwise the user won't have enough privileges to start the listener.
On the other hand, make sure the sqlnet.ora file includes this line:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
If you use a domain user name, log on under a domain with username and password which has administrative privileges on each node
~ Madrid -
CWS with multiple domain users sharing a computer off work
Hi,
I need to know if this is an expected behaviour and if there is a workaround to this. I have AnyConnect Web Security (3.1.04063) installed on Windows 7 Enterprise computer that is part of a Windows domain. Two domain users login to the computer at work. When User1 logs in and visits "whoami.scansafe.net", his relevant user/group info is displayed in the browser. When User1 logs off and User2 logs in, the page correctly displays info for User2 in the browser.
However, if at this point the computer is then taken off the work network, say to a home/public network where AD domain servers are not available, both User1 and User2 can still log on to Windows, but for both of them the "whoami.scansafe.net" page displays the info for User2 only. It doesn't change even if the computer is restarted and User1 logs in; still User2's scansafe info is displayed. This happens to User1 until the PC is brought up on the work network, where the Windows Logon service is available, and User1 can now correctly see his scansafe info in the browser.
Shouldn't the Web Security client app be pulling the info relevant to the logged-on user for both on and off work networks? If this is expected, is there a documentation reference for this?
Thanks,
Rick.
Hi Rick,
That is the expected behaviour of AnyConnect Web Security (ACWS).
The reason is that when you are off the network, ACWS will use the cached credentials of the user who last logged in. In your example, if User2 is the last to log in while connected to the work network, then his/her user credentials will be cached.
It uses the information from the output of gpresult /r.
Regards, Jen -
Check Delegated user permission with AD Domain and OU levels
Hi
We are looking for a way to check all user permissions at domain / OU levels. Is there a script or tool available for this?
Regards
LMS
You can try this PowerShell script:
# Requires the ActiveDirectory module (RSAT); it provides Get-ADGroup and the AD: drive
Import-Module ActiveDirectory
$ou = "AD:\OU=Users,DC=contoso,DC=com"
$group = Get-ADGroup MyGroup
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
$acl = Get-Acl $ou
# GenericAll grants MyGroup full control over the OU and every object below it
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll","Allow"
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl $ou
and you can also look at these given below links:
http://technet.microsoft.com/en-us/library/cc775585(v=ws.10).aspx
http://auditingactivedirectory.blogspot.in/2014/08/how-to-view-active-directory-delegated-permissions.html -
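The script above grants a delegation; the question was how to check what is already delegated. The following is an added example (not the script posted above and not from either linked article) that reports the explicit, non-inherited ACEs on every OU in the domain, which is where delegated permissions live. It assumes the ActiveDirectory module (RSAT) and a domain-joined session; the OU list is read from the domain, so nothing is hard-coded.

```powershell
# Added example: report explicit (non-inherited) permissions set on each OU.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-OUDelegation {
    param(
        # Distinguished name of one OU; omit to walk every OU in the domain
        [string]$OU
    )
    $ous = if ($OU) { Get-ADOrganizationalUnit -Identity $OU } else { Get-ADOrganizationalUnit -Filter * }

    foreach ($o in $ous) {
        $acl = Get-Acl -Path ("AD:\" + $o.DistinguishedName)
        # Keep only ACEs set directly on this OU; inherited ones come from a parent or the domain head
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            # An empty GUID means the right applies to the whole object, not one attribute or class;
            # a non-empty GUID identifies a schema attribute, object class or extended right
            $objectType = if ($ace.ObjectType -eq [guid]::Empty) { '(all)' } else { $ace.ObjectType.ToString() }
            [pscustomobject]@{
                OU          = $o.DistinguishedName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights.ToString()
                Type        = $ace.AccessControlType.ToString()
                ObjectType  = $objectType
                Inheritance = $ace.InheritanceType.ToString()
            }
        }
    }
}

$report = Get-OUDelegation
$report | Sort-Object OU, Identity | Format-Table -AutoSize

# Full-control style grants deserve a second look: they let the holder take over the OU outright
$report | Where-Object { $_.Rights -match 'GenericAll|WriteDacl|WriteOwner' } |
    Format-Table OU, Identity, Rights -AutoSize
```

Run it once to get a baseline, keep the output, and diff later runs against it; a new GenericAll or WriteDacl entry on an OU is the kind of change that should be traceable to a ticket. Resolving the ObjectType GUIDs to attribute or extended-right names (from the schema and configuration partitions) is left out here to keep the script short.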
Conflict with the domain/user management
Unfortunately I configured the domain management twice with the Adobe server.
As a result, the edcprincipalentity table has duplicate records (i.e my name appears twice in the table).
I removed the duplicate domain and synchronized but I still able to see those records.
Due to this issue, the AWS_ASSIGNED_ID field in the form shows Id of 'System Context Account' using which i'm unable to populate the logged in user's details.
Any idea to remove the duplicate records?
Thanks,
Nith
I traced my workflow and form and figured out there's something wrong with the process, so the logged-in user details are not appearing.
I tried opening the edcprincipaluserentity & edcprincipalentity tables to verify the assigned Id value of my principal.
There I noticed the duplicate entry. I confirmed that each entry is duplicated in the table. Hence the process doesn't recognize the assigned id.
Yesterday I tried re-installing the adobe suite and configured the domain again from scratch.
Now it is working without any issues.
Thanks & Regards,
Nith -
The domain users without administrative permission cannot install printers shared on printer server
Dears
We have a printer server whose OS is Windows Server 2003, and all clients have Windows 7 installed. Now the domain users cannot install printers shared on the printer server. When I log on to the client computer with a domain user and access the printer server by URL \\192.168.37.1, I can see all printers shared on the printer server. Then I double-click on a printer to install it on the client computer. It asks me to input the user name and password of the local administrator.
How do I install the printers with a domain user directly? Thanks
Refer to step #8:
http://blogs.msdn.com/b/7/archive/2011/07/11/allowing-standard-users-to-install-network-printers-on-windows-7-without-prompting-for-administrative-credentials.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Domain users and local users can't login to reporting service web environment
Hello,
We installed reporting services at one of our customers but aren't able to use domain users to login. We've tried to login with a domain user, a local user but both aren't working. We set the proper permissions for the users on the reports folders.
We can only login with the buildin/administrator account on the local url: http://servername/reports
How can we allow login with domain users on other report manager URLs?
The link below may be helpful:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
Regards, RSingh -
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In certificate we have three CDP point for CRL check:
ldap:///, http:// and file://
I have Windows 2008 R2 server joined to domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use domain user account for revocation checking, all OK.
I have access to any CDP and all fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all other links are OK.
My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions
(you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
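Brian's point is easiest to see when the certutil output is summarised per URL scheme rather than read line by line. The script below is an added example (not from the thread) that parses the result/error/URL triplets of a certutil -verify -urlfetch log and groups them by scheme; the sample log is constructed from a handful of lines of the output posted above.

```powershell
# Added example: summarise URL fetches in a "certutil -verify -urlfetch" log by scheme.
# The sample log is constructed from a few lines of the output in this thread.
$sampleLog = @'
---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
'@

function Get-UrlFetchResult {
    param([string[]]$Lines)
    $section = ''
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        # Section banners look like "---------------- Certificate CDP ----------------"
        if ($line -match '^-+ (.+?) -+$') { $section = $Matches[1]; continue }
        # A result line is followed by an optional "Error retrieving URL:" line and then the
        # URL itself, which carries a [n.n] chain-index prefix for all but the first entry
        if ($line -match '^(Failed|Verified|OK|Old Base CRL) "(.+)" Time: \d+$') {
            $status = $Matches[1]
            $err = ''
            if ($i + 1 -ge $Lines.Count) { break }
            $next = $Lines[$i + 1].Trim()
            if ($next.StartsWith('Error retrieving URL:')) {
                $err = $next.Substring('Error retrieving URL:'.Length).Trim()
                $i++
                if ($i + 1 -ge $Lines.Count) { break }
                $next = $Lines[$i + 1].Trim()
            }
            $i++
            $url = $next -replace '^\[[\d.]+\]\s*', ''
            [pscustomobject]@{
                Section = $section
                Status  = $status
                Scheme  = ($url -split ':', 2)[0].ToLower()
                Url     = $url
                Error   = $err
            }
        }
    }
}

$results = Get-UrlFetchResult -Lines ($sampleLog -split "`r?`n")
$results | Format-Table Section, Status, Scheme, Error -AutoSize

# Per-scheme view: every ldap:/// fetch fails for the local account (it cannot bind to AD),
# file:// depends on SMB reachability and share permissions, http:// works from anywhere
$results | Group-Object Scheme | ForEach-Object {
    $failed = @($_.Group | Where-Object { $_.Status -eq 'Failed' }).Count
    '{0,-5} total={1} failed={2}' -f $_.Name, $_.Count, $failed
}
```

To run it against a real log, replace `$sampleLog` with `Get-Content check.txt -Raw`. Any ldap:/// or file:// URL in the output is a CDP or AIA location that will only work for principals that can authenticate to the domain or reach the share, which is exactly the dependency Brian recommends removing in favour of a single HTTP CDP and HTTP AIA/OCSP URLs.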
Hi all
The title basically states the problem: Outlook 2013 won't set up with a domain. This only seems to affect Windows 8.1 Pro; Win 7 Pro has no problems. If I log on to the computer itself (not the domain), Outlook runs with no problem.
If anyone has any ideas I would be most grateful
Thank you
Fionnbarr
Hi Fionnbarr,
When you say "...with a Domain", do you mean login to the computer with a domain user account?
Does this happen on all your Windows 8.1 clients? What's the error message in full? At which exact step will you get this error?
So you have observed that "This only seems to affect Windows 8.1 pro", it could be an issue with this specific system. I would suggest we first check for Windows updates and install any available ones, then try again.
Regards,
Ethan Hua
TechNet Community Support
It's recommended to download and install the Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Why domain users account allowed to logon to servers directly?
I'm using Windows Server 2008 R2 with ADDS.
By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And, nothing set on the Deny Logon Locally.
But, tested that, those accounts with just Domain User Group are able to logon to Server!?
How or where should I check, to not allow normal user account to logon to server directly?
Thank you.
Hi,
>>By default, normal user account (domain users) should not be allowed to logon to Server directly, I mean the physical server or via RDP.
By default, standard domain user accounts can log onto workstations and member servers, and they can't log onto domain controllers unless we allow them to do so via group policy.
By default, standard domain user accounts can’t remote desktop onto other computers unless they have been added to Remote Desktop User groups of the computers.
Regarding allowing log on locally, the following article can be referred to for more information.
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx
Regarding remote desktop user groups, the following article can be referred to for more information.
Configure the Remote Desktop Users Group
http://technet.microsoft.com/en-in/library/cc743161.aspx
>>How or where should I check, to not allow normal user account to logon to server directly?
We can utilize the group policy setting Deny logon locally to prevent users from locally logging onto the targeted computers.
Regarding this setting, the following article can be referred to for more information.
Deny logon locally
http://technet.microsoft.com/en-us/library/cc957048.aspx
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
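For the "where should I check" part of the question, the thing to inspect on a given server is the effective user-rights assignment after all GPOs have applied, not the contents of one GPO. The script below is an added example (not from the thread or the linked articles) that exports the user-rights area of the local security policy with secedit and resolves the SIDs to account names. It assumes an elevated PowerShell session on the server being checked.

```powershell
# Added example: list who holds the interactive and remote-interactive logon rights (allow
# and deny) on this machine, resolved from the effective local security policy.
# Assumes an elevated session on the server being checked.
function Get-LogonRightAssignment {
    param(
        [string[]]$Rights = @(
            'SeInteractiveLogonRight',           # Allow log on locally
            'SeDenyInteractiveLogonRight',       # Deny log on locally
            'SeRemoteInteractiveLogonRight',     # Allow log on through Remote Desktop Services
            'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
        )
    )
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # Export only the user-rights area: this is what is enforced after GPO processing
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $inf = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    foreach ($right in $Rights) {
        $line = $inf | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            # e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
            $members = foreach ($entry in ($line -split '=', 2)[1].Trim() -split ',') {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    $sid = [System.Security.Principal.SecurityIdentifier]($entry.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry }   # orphaned or foreign SID: keep the raw value
                } else { $entry }
            }
        }
        # A right with no line in the export is assigned to nobody
        [pscustomobject]@{ Right = $right; Principals = (@($members) -join '; ') }
    }
}

Get-LogonRightAssignment | Format-Table -AutoSize
```

On a member server the default for SeInteractiveLogonRight includes BUILTIN\Users, and Domain Users becomes a member of the local Users group when the machine joins the domain, which is why Frank says standard domain accounts can log on to member servers; the defaults quoted in the question (Administrators, Account Operators, Backup Operators, Server Operators, Print Operators) are the domain controller defaults. If you use Deny logon locally as Frank suggests, this script will show the denied principals under SeDenyInteractiveLogonRight after the next gpupdate.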
A user who is part of the domain users tries to open an Office file from a document library, but he gets an authentication prompt asking him to authenticate. Domain users only have access to this library and not to the whole site. This used to work in SharePoint 2007 without any problem but not in SharePoint 2013; we didn't have a workflow on SP2007.
Domain users have read access to only this document library in the site, but he shouldn't get an authentication prompt since he is part of the domain users and he is not trying to modify the document. He can open the document but gets two prompts, and he also can't see the list using explorer view, since nothing appears in the explorer view.
Now, when opening the file, we can see "Updating Workflow Status", but we don't have any workflow working on this site or library, or even any feature related to workflow.
If we go to the event viewer in the server, we find this information,
I also checked this thread but I couldn't find this scenario.
https://social.technet.microsoft.com/Forums/sharepoint/en-US/91bc770b-bb70-4885-a4ad-a243edb88753/event-id-8026-workflow-soap-getworkflowdataforitem-failed-doc-library-no-workflow?forum=sharepointgeneralprevious
I also created another list with the same permissions and using other office files but got the same behavior.
Now, we have migrated this site from SP2007 to SP2013.
Any ideas?
OK, I am going to throw out a lot of ideas here, so hopefully they get you closer to a diagnosis. Hang on :)
Does it happen to work for some users but not others? If so, try logging in on the "good" computer with the "bad" username. This will tell you if the problem is related to the end user's system. Also, once the user downloads a document successfully, can they open and work on it in Word? Also, does the document library have any custom content types associated with it, or does it just use 'Document'?
I notice that there are other folks on the web that have run into this same problem and the similarity seems to be that they are either on SharePoint 2007 or have upgraded from 2007. Did this doc library start out as a 2007 library?
What you might want to do is this: make a site collection from scratch in 2013 (or find one that you know was created in 2013). Choose team site (or whatever you want) for the root web and set up the security the same way you have it on the malfunctioning library. Now use Windows Explorer to copy and paste some of the documents to the new location. Be sure you recreate any needed content types. Now test it from the troubled user's computer.
I'm thinking there may be something different about the library since it was migrated through various versions and updates since 2007. I've sometimes found that there can be problems (especially with user profiles, but that's a different story) with things that go through this evolution. -
Active Sync does not start as domain user with no Administrator rights.
Hi all,
Searched the forums and the net but can't find anything about this.
Situation:
In a domain where users only have standard users rights I installed on a PC as a domain admin Active Sync 4.5
When I logon as a user the Active Sync software can not be started.
I disabled the firewall and even set full rights permission on the Active Sync directory both didn't help out.
When I m logged on as this user I can choose to Start the program as a different user.
This only works when I Start it with the domain administrator account.
I hope that I do not have to give that information to this user to make this software work.....
Anyone had the same problems? Anyone a idea?
Thx in advance.
Kind regards,
Aartjan
Try this:
1. Make sure you install ActiveSync from the local hard disk (not from the network), and do not delete the setup file after installation.
2. Log in as "local administrator", connect your PDA and make sure it can sync; I did not create a profile and just left the PDA connected as "guest" for now.
3. Log off and log in again as "domain user"; connecting with USB should work.
4. If they still cannot communicate, run "ActiveSync" from the Start menu.
it works for me -
Domain users files sharing permission problem
Dear Domain Professional,
We have three domain controllers, 192.168.92.162, .167 and .150. All domain controllers are working as Global Catalog servers (root forest). All domain controllers synchronize live with each other: users, group policy, ADS, DNS.
Last night we had a problem with file sharing permissions: it asked for a username and password. Why did this problem happen?
Finally we restarted all domain controllers, and then file sharing worked perfectly fine. I verified all events on the domain controllers; there is no error.
Note: we are using a Juniper firewall; is there any security issue?
Regards
Subash
Hi,
According to the repadmin results, there isn't any replication issue.
I was wondering how long did the issue last until reboots of DCs?
If the period is short, then this behavior is normal, because AD replication takes time, this issue could occur before AD replication has completed.
Another possible cause is related to Kerberos authentication and authorization mechanism.
During a logon session, once a user has been authenticated successfully, it gets an access token containing its SID, group membership and privileges.
The user's access token is subsequently inherited by any application process that the user starts during the logon session.
If we change the user's group membership and privileges after the access token has been issued, the changes won't be applied until this user logs off and logs on again.
Here are some related articles below for your references:
How Access Tokens Work
http://technet.microsoft.com/en-us/library/cc783557(v=WS.10).aspx
How the Kerberos Version 5 Authentication Protocol Works
http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
I hope this helps.
Amy -
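Amy's second explanation can be checked directly: the group SIDs in the logon token are fixed when the session is created, so a membership granted after logon shows up in the directory but not in the token. The script below is an added example (not from the thread or the linked articles) that compares the two for the current user. It assumes the ActiveDirectory module (RSAT) and a domain-joined session.

```powershell
# Added example: compare the group SIDs in the current logon token with the account's
# current direct group membership in AD, to spot memberships that will not take effect
# until the user logs off and on again. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-StaleTokenGroups {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $ntAccount = [System.Security.Principal.NTAccount]

    # Groups stamped into the token at logon (Kerberos PAC / NTLM group list), as DOMAIN\Group
    $tokenGroups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate($ntAccount).Value } catch { $sid.Value }
    }

    # Direct memberships (plus the primary group) the directory records for the account right now
    $sam = ($identity.Name -split '\\')[-1]
    $directoryGroups = foreach ($g in Get-ADPrincipalGroupMembership -Identity $sam) {
        try { $g.SID.Translate($ntAccount).Value } catch { $g.SID.Value }
    }

    [pscustomobject]@{
        User             = $identity.Name
        TokenGroupCount  = @($tokenGroups).Count
        DirectoryGroups  = @($directoryGroups)
        # In the directory but absent from the token: granted after this session's token was built
        MissingFromToken = @($directoryGroups | Where-Object { $tokenGroups -notcontains $_ })
    }
}

Get-StaleTokenGroups | Format-List
```

An empty MissingFromToken list means the session's token already reflects every direct membership; anything listed there is a group the user was added to since logging on, and a file share that relies on that group will prompt for credentials or deny access until the user logs off and back on (whoami /groups shows the same token view without the comparison). The token also contains nested and local groups, so the directory side, which lists direct memberships only, is deliberately the reference set here.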
Domain user or local administrator permission
We have a windows 2008 R2 domain environment with windows 7 clients. Users have domain user permission.
Security wise domain user rights is the way to go. But we have a lot of users with notebooks, with multifunctional printers at home. We configured a GPO to install printers, but they can't run setup to install the printer/scan software.
Also some notebook user need to install/upgrade work related software.
I thought of making the users power user.
Or a local admin user, with UAC turned on. But we had issues with UAC turned on a year ago (can't remember what it was). I could also work with GPOs, Software Restriction Policies, AppLocker. But that's too much admin overhead. I'm looking for a solution that I and the users would benefit from. I'd like to know how other admins deal with this.
Thanx
Let me try to be more clear.
At the office we don't have any issues with installing printer drivers. We have about 100 users with laptops that need to install the multifunctional printer software (not drivers) at home. For most of them, installing the printer driver is no problem, because of the printer GPOs we configured:
"Allow non-administrators to install drivers for these device setup classes" and "Point and Print Restrictions" GPOs.
So we don't have issues with domain users installing printer drivers, but most of them have multifunctional devices at home, all different brands (Canon, HP, Epson etc.). As a domain user they don't have the permission to run the setup to install the scanner and printer software. They can only install the printer drivers, because of the GPO.
This is one of the issues we have with domain user permissions. From a security perspective, domain user permissions are the way to go, but it does have its challenges. I don't want to install all the different software for those users, and on the other hand they don't want to rely on the IT department for things they can do themselves.
For installing printer/scanner software (not only drivers), the printer needs to be connected to the laptop. Users are not going to bring their multifunctional device to the office for me to install the software.
So it's more the experience of other administrators I'm looking for: how to deal with giving users more permission to install or upgrade some software, but still have the feeling that the IT department is in control of those laptops.
Thanx