Authenticate Users from a different domain

Hello,
I have three domains; Domain A, Domain B & Domain C
Domain A does not trust Domain B
Domain C trusts both A and B
Users login to Domain A
SharePoint 2013 Enterprise lives in Domain C
Users wanting to access SharePoint must authenticate to SharePoint with their Domain B accounts.
Crazy... I know
I have setup people picker to work with Domain B, Thank you Trevor (http://social.technet.microsoft.com/Forums/sharepoint/en-US/9f805e2d-1b39-4e1d-b5ae-c5d7b83ca690/authenticate-users-from-a-trusted-domain?forum=sharepointadminprevious)
My next issue is that I am now testing the initial login into the SharePoint 2013 server from a standard user (who logs into Domain A in the beginning of the day)
I have added myself (Bob) to the owners group in root site collection.  owner = Domain_B\Bob
When I browse to my new site using IE 9 I'm presented with a not so helpful page that says, "Sorry, this site hasn't been shared with you."  That's it.. no chance to login as a different person.  Obviously SharePoint sees me as Domain_A\Bob and is letting me know that I have no access.
What I would like to happen is for SharePoint to prompt me with the standard claims NTLM login screen so that I may login to SharePoint with my Domain_B\Bob account.  Is there a way to set this up without forms authentication?
Oddly enough, using Firefox I am prompted for login credentials, but typing in Domain_B\Bob does not work.  If I do enter the farm service account setup in Domain_C, I am able to enter SharePoint with my farm service account credentials.
Thanks for your help,
-Bob

The output of the stsadm -o getproperty -pn peoplepicker-searchadforests -url http://sharePoint-dev.mydomain.com was successfully completed.
Capturing the LOG files as I'm trying to log in using my Domain B account I see the following: (listed below)
------------Event viewer:------------------------
Failure Reason: The User has not been granted the requested logon type at this machine. 
  > This leads me to believe that I need to add DomainB\domain users to the "access this computer from the network" policy
What do you think?
Thanks,
-Bob
----------------------------ULS LOG FILE---------------------------------------------------
12/30/2013 12:49:05.08 w3wp.exe (0x1C38) 0x1E78 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-b893-d0f1-8d12-0081758a591c 
12/30/2013 12:49:05.08 w3wp.exe (0x1C38) 0x1E78 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.11972750726699 3570659c-b893-d0f1-8d12-0081758a591c 
12/30/2013 12:49:05.60 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 20ffe309-e6af-4c9f-a54a-a0073faf5519 
12/30/2013 12:49:05.60* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 20ffe309-e6af-4c9f-a54a-a0073faf5519 
12/30/2013 12:49:05.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 56bd1860-a63f-43b0-b0e1-b5997cfb380b 
12/30/2013 12:49:05.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 56bd1860-a63f-43b0-b0e1-b5997cfb380b 
12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-88c4-d0f1-8d12-08b6d636f658 
12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=1.3153208019455 3570659c-88c4-d0f1-8d12-08b6d636f658 
12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-b8c4-d0f1-8d12-06face9fae6d 
12/30/2013 12:49:05.87 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.21303545562355 3570659c-b8c4-d0f1-8d12-06face9fae6d 
12/30/2013 12:49:06.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 7e316c4f-aa4d-483a-bebf-3cd76e7fc693 
12/30/2013 12:49:06.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 7e316c4f-aa4d-483a-bebf-3cd76e7fc693 
12/30/2013 12:49:06.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 3998a340-44a6-4836-a3c8-33b8061159b5 
12/30/2013 12:49:06.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 3998a340-44a6-4836-a3c8-33b8061159b5 
12/30/2013 12:49:06.74 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
12/30/2013 12:49:06.74 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=2.68225430885769 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-38fc-d0f1-8d12-005530b4e738 
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=1.02066044706799 3570659c-38fc-d0f1-8d12-005530b4e738 
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-78fc-d0f1-8d12-0dc88dd1e7bb 
12/30/2013 12:49:06.76 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.1344640170748 3570659c-78fc-d0f1-8d12-0dc88dd1e7bb 
12/30/2013 12:49:06.80 OWSTIMER.EXE (0x07C8) 0x1490 SharePoint Foundation Health abire Medium Failed to Sql Query data XEvent collector on fv-sp13tst. The error is Object reference not set to an instance of an object.  
12/30/2013 12:49:07.05 w3wp.exe (0x1C38) 0x1BF4 SharePoint Portal Server Runtime 8gp7 Medium Topology cache updated. (AppDomain: /LM/W3SVC/1720071765/ROOT-1-130328985568168782) 3570659c-6845-d0f1-8d12-00249d79cf0d 
12/30/2013 12:49:07.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... f94dd497-6681-4b0b-b19b-255d6073d82f 
12/30/2013 12:49:07.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). f94dd497-6681-4b0b-b19b-255d6073d82f 
12/30/2013 12:49:07.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 6ef43b9d-67d2-4717-9026-aaafbc95af2d 
12/30/2013 12:49:07.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 6ef43b9d-67d2-4717-9026-aaafbc95af2d 
12/30/2013 12:49:08.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 3341568a-938d-4660-b9c8-94be1b566486 
12/30/2013 12:49:08.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 3341568a-938d-4660-b9c8-94be1b566486 
12/30/2013 12:49:08.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 164404b3-76ab-47cb-8fb4-a27f30d2498c 
12/30/2013 12:49:08.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 164404b3-76ab-47cb-8fb4-a27f30d2498c 
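
An added example, not part of the original post and not Microsoft's code: a small triage script that pulls the authentication outcome out of a ULS dump like the one above by correlation ID, ignoring the Taxonomy noise. It assumes the tab-separated column layout of a ULS trace file; the function names are hypothetical, and the sample rows are shortened from the log above plus one constructed authenticated request.

```python
import re
from collections import defaultdict

# Column order of a tab-separated ULS trace log (assumed standard layout;
# the dump on this page shows the same columns flattened to spaces).
COLUMNS = ("timestamp", "process", "tid", "area", "category",
           "event_id", "level", "message", "correlation")
AUTH_RE = re.compile(
    r"IsAuthenticated=(True|False), UserIdentityName=([^,]*), ClaimsCount=(\d+)")
REQUEST_RE = re.compile(r"Name=Request \((\w+):(\S+)\)")


def parse_uls(lines):
    """Parse ULS rows, folding '*' continuation rows into their parent record."""
    records, open_rows = [], {}
    for raw in lines:
        fields = [f.strip() for f in raw.rstrip("\r\n").split("\t")]
        if len(fields) < len(COLUMNS) - 1:
            continue  # column header, blank line or truncated row
        fields += [""] * (len(COLUMNS) - len(fields))
        rec = dict(zip(COLUMNS, fields))
        key = (rec["process"], rec["tid"], rec["event_id"])
        parent = open_rows.get(key)
        if rec["timestamp"].endswith("*") and parent is not None:
            # A long message is split: the parent ends with "..." and the
            # continuation row starts with "...".
            head, tail = parent["message"], rec["message"]
            if head.endswith("..."):
                head = head[:-3]
            if tail.startswith("..."):
                tail = tail[3:]
            parent["message"] = head + tail
            continue
        rec["timestamp"] = rec["timestamp"].rstrip("*")
        open_rows[key] = rec
        records.append(rec)
    return records


def unauthenticated_requests(lines):
    """One finding per correlation ID whose request reached SharePoint anonymous."""
    by_corr = defaultdict(list)
    for rec in parse_uls(lines):
        if rec["correlation"]:
            by_corr[rec["correlation"]].append(rec)
    findings = []
    for corr, recs in by_corr.items():
        request = auth = None
        for rec in recs:
            request = request or REQUEST_RE.search(rec["message"])
            if rec["category"] == "Authentication Authorization":
                auth = AUTH_RE.search(rec["message"]) or auth
        if auth and auth.group(1) == "False":
            findings.append({
                "timestamp": recs[0]["timestamp"],
                "correlation": corr,
                "method": request.group(1) if request else None,
                "url": request.group(2) if request else None,
                "identity": auth.group(2),
                "claims": int(auth.group(3)),
            })
    return findings


def _row(*cols):
    return "\t".join(cols)


W3WP = "w3wp.exe (0x1C38)"
URL = "http://fermipoint-dev.fnal.gov:80/"
ANON = "3570659c-c8fb-d0f1-8d12-0856ed2e7a06"   # correlation ID from the log above
TAX = "7e316c4f-aa4d-483a-bebf-3cd76e7fc693"    # correlation ID from the log above
OK = "00000000-0000-0000-0000-000000000001"     # constructed correlation ID

# Sample rows: shortened from the page's log, last two rows constructed.
SAMPLE = [
    _row("12/30/2013 12:49:06.61", W3WP, "0x203C", "SharePoint Server", "Taxonomy",
         "ca3r", "Monitorable",
         "Error encountered in background cache check at get_ServiceApplicationSettin...", TAX),
    _row("12/30/2013 12:49:06.61*", W3WP, "0x203C", "SharePoint Server", "Taxonomy",
         "ca3r", "Monitorable", "...gs() at TimeToCheckForUpdates()", TAX),
    _row("12/30/2013 12:49:06.74", W3WP, "0x1418", "SharePoint Foundation", "Monitoring",
         "nasq", "Medium", "Entering monitored scope (Request (GET:" + URL + ")). Parent No", ""),
    _row("12/30/2013 12:49:06.74", W3WP, "0x1418", "SharePoint Foundation",
         "Logging Correlation Data", "xmnv", "Medium", "Name=Request (GET:" + URL + ")", ANON),
    _row("12/30/2013 12:49:06.75", W3WP, "0x1418", "SharePoint Foundation",
         "Authentication Authorization", "agb9s", "Medium",
         "Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0", ANON),
    _row("12/30/2013 12:49:06.75", W3WP, "0x1418", "SharePoint Foundation", "Monitoring",
         "b4ly", "Medium", "Leaving Monitored Scope (Request (GET:" + URL + ")).", ANON),
    _row("12/30/2013 12:49:09.00", W3WP, "0x1418", "SharePoint Foundation",
         "Logging Correlation Data", "xmnv", "Medium", "Name=Request (GET:" + URL + ")", OK),
    _row("12/30/2013 12:49:09.01", W3WP, "0x1418", "SharePoint Foundation",
         "Authentication Authorization", "agb9s", "Medium",
         "Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|domain_b\\bob, ClaimsCount=12", OK),
]

if __name__ == "__main__":
    for finding in unauthenticated_requests(SAMPLE):
        print(finding)
```

An anonymous first request is expected during an NTLM handshake, so a finding matters when no authenticated entry for the same URL follows it.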

Similar Messages

  • How to use CSACS 3.3 to authenticate users from multiple windows domain?

    Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
    hello, here is my scenario:
    ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
    And adding those domains as trusted domains in domain1 is not an option.
    Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
    Any input is much appreciated.

    Hi Betcy,
    I am not familiar with SharePoint solutions, but as you mentioned Windows credentials I believe it refers to Kerberos tokens. In this case you can take advantage of SPNego authentication.
    You can find more details on following SAP note:
    #[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

    I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
    I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possibly confuse the dumb users requiring this access? Please help.

    If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
    Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
    You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
    Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
    The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, ie, exchange, IIS, SharePoint.
    I would like to have the default authentication into sharepoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (1 way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) is this command setting my default people picker domain search to Domain A accounts?
    2) for testing I'm going to use my domain a account in the command, is that acceptable?  It just needs to be an account in domain A, correct?

  • Users from a different domain cannot login

    Hello Everyone,
    We have a sharepoint 2010 in domain A. Users are in domain A and domain B and there is a bi-directional trust between the two domains (belonging to 2 different forests).
    Users in domain A have no problem accessing the SharePoint.
    Users in domain B keep having IE prompting them for credentials and after 3 attempts lead them to a blank page.
    The people picker tool can easily find users in domain B and then assign them permissions, but there seems to be an issue when authentication occurs.
    So far there is no DNS or network issue, as the site name is well resolved and an nslookup of the site returns the good information (right IP address).
    Thank you for your help ! :)

    Can you confirm if you're using Constrained or Unconstrained delegation?
    FYI new cross-forest functionality was added with Server 2012, but all of your DCs must be running 2012 or higher:
    http://technet.microsoft.com/en-us/library/hh831747.aspx
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now, I need to authenticate a few users from another trusted domain (DOMAINB.LOCAL).
    I do not want to connect directly to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • LDAP query to fetch users from Two different OU

    I am looking for an AD query to get AD enabled users from two different OU Stores & ServiceOffice under root domain.
    Using below syntax to fetch it simultaneously but not succeeding. Please help me.
    (&(objectCategory=person)(|(ou=Stores)(ou=ServiceOffice)))

    Hi, thanks for the revert. Actually I am setting this syntax in an application, not running a PowerShell script to fetch users.
    So i need query in Ldap filter format only...
    i.e.
    (&(objectCategory=person)(|(OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com)(ou=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com)))
    Please correct my above query.

  • Loading a combobox with data from a different domain

    I have filled in a combobox with values from an .asp page and have used it successfully. The problem is that if the flash file is run from a different domain from the load location, the combobox doesn't get filled in (as opposed to the error if I ran it off of my drive).
    datafeed.asp spits out the appropriate stuff for the AddItems function to read correctly. (as I have said, it does work). The combobox gets filled in the development environment (Macromedia Flash MX Professional 2004) as well as flash player.
    But when I upload it to one of my other websites, the data is never retrieved. Even though the webserver containing the data feed, the webserver hosting the flash file and my machine can all read datafeed.asp.
    Am I missing a setting that allows a flash file to read data from another domain?
    The following code has been changed for security reasons. But believe me it works in its original format.
    myData = new LoadVars();
    myData.onLoad = AddItems;
    myData.load("http://www.mydomain.com/datafeed.asp");
    function AddItems() {
        // numItems is not defined in the posted (edited) snippet
        for (i=0; i<numItems; i++) {
            var ProductID = eval("myData.ProductID"+i);
            var ProductName = eval("myData.ProductName"+i);
            var ProductSale = eval("myData.ProductSale"+i);
            var DataProvider = { productid:ProductID, productsale:ProductSale };
            _root.application.chooseproducts.prodlist_cb.addItem(ProductName, DataProvider);
        }
    }
    Thank You,
    Julian

    not sure, but this might be what you need...
    //allow loading of files from domain
    System.security.allowDomain("http://www.mydomain.com");

  • Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest

    I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?

    Well, I’ve made some encouraging progress.
    I’ve managed to log on!
    I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
    Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
    I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
    I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
    Re-bound it to AD and boom CPU shot right back up.
    I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
    If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
    Plan going forward:
    I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
    If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
    It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
    I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you.

  • How can I add a user Role member that is from a different domain

    We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company wide domain (Domain B) so that we can monitor other departments' devices as they leverage this system.
    Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.
    How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?
    Here is the Error I'm seeing.
    Log Name:      Operations Manager
    Source:        OpsMgr SDK Service
    Date:          2/4/2015 1:11:59 PM
    Event ID:      26319
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxx.xxxx.xxxxxxxx.xxx
    Description:
    An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
     Exception message: The creator of this fault did not specify a Reason.
     Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
    Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="OpsMgr SDK Service" />
        <EventID Qualifiers="49152">26319</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
        <EventRecordID>172748</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>UpsertUserRolesV2</Data>
        <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
        <Data>The creator of this fault did not specify a Reason.</Data>
        <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
    Unable to resolve the user [email protected]  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
      </EventData>
    </Event>
    Thanks for any help I can get in resolving this issue.
    Jake

    The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  
    So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
     Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On
    the next page which is Group Scope I checked the one group I want this account to have access to and then click next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
    approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only
    Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.
    Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.
    Thanks,
    Jake
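
Error code 1332 in the event above is the Win32 code ERROR_NONE_MAPPED (no mapping between account names and security IDs was done). As an added example, not part of the original post and not SCOM's own code, this PowerShell function checks whether an account name resolves to a SID from the machine it runs on. The account names in the sample call are constructed placeholders, and running it on the management server under the SDK service account is an assumption about where the lookup matters.

```powershell
# Added example: test name-to-SID resolution for one or more accounts.
# Assumption: run on the management server, ideally as the SDK service account,
# so the lookup follows the same trust path the service would use.
function Test-AccountResolution {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Account   # 'DOMAIN\user' or 'user@domain.example'
    )
    foreach ($name in $Account) {
        $result = [pscustomobject]@{
            Account  = $name
            Resolved = $false
            Sid      = $null
            Detail   = $null
        }
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($name)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
            $result.Resolved = $true
            $result.Sid      = $sid.Value
        }
        catch {
            # PowerShell may wrap the .NET exception, so inspect the innermost one.
            $base = $_.Exception.GetBaseException()
            if ($base -is [System.Security.Principal.IdentityNotMappedException]) {
                # Same condition Windows reports as Win32 error 1332.
                $win32 = New-Object System.ComponentModel.Win32Exception(1332)
                $result.Detail = "1332: $($win32.Message)"
            }
            else {
                $result.Detail = $base.Message
            }
        }
        $result
    }
}

# Constructed sample names; replace with the account being added to the user role.
Test-AccountResolution -Account 'DOMAINB\testuser', 'testuser@domainb.example' |
    Format-Table -AutoSize
```

If the down-level name (DOMAINB\testuser) resolves but the UPN form does not, the difference is in how the name is looked up across the domain boundary rather than in the account itself.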

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    Is it supported to migrate users from a child source domain to a target root domain?
    I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.

    You should not need to establish a trust, as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT doesn't show a particular domain in the dropdown list, you can/have to type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Ssrs security access for users on a different domain

    Hi
    We are using SSRS 2008 R2 and have added a new domain to our network as we are working with another company.
    Our original domain was, say, "DomainA", which can access all our reports. How do we give the new domain "DomainB" access to our reports?
    We are unable to add DomainB users to our AD security groups, so I have created a Windows group called SSRS_DomainB_Users and given them access to our parent folder and also added them into site settings as a system user.
    What is the best way to deal with this?
    Users in DomainB will eventually be added to DomainA and DomainB will then be deleted.
    One of the users I am testing with gets an error message :
    User 'Domain name/user' does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
    Thanks

    Hi Nasa1999,
    According to your description, you want your reports to be accessible by users from a different domain. Right?
    In this scenario, we should do an Internet Deployment for your reports so that users from a different domain can access the reports. Please see the articles below:
    Planning for Extranet or Internet Deployment
    Using Reporting Services in an Internet/Extranet Environment
    SQL Server 2008 Reporting Services for Internet deployment
    Reference:
    SSRS reports global access
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou

  • I want to authenticate user from database

    hello
    I'm trying to authenticate the user from the database, but after executing the query I want to get the number of rows using ocirowcount, and there is no result in ocirowcount; it always returns 0, as if there is no result in the database. I also executed the query at the SQL prompt and it works properly, but in PHP it has some problem. Please help me with a solution; I'll be thankful to all.
    From farooq

    If you want a count, you have to specifically use a count(*) query. As of PHP 5, this function is an alias to oci_num_rows, and to quote PHP.Net's documentation on oci_num_rows():

        This function does not return number of rows selected!
        For SELECT statements this function will return the number of rows, that were
        fetched to the buffer with oci_fetch*() functions.

    Further, to quote one of the users on PHP.Net's documentation on ocirowcount():

        It appears the easiest workaround if you want to get numrows without moving to the end of the result set is to use:
        numrows = OCIFetchStatement(...);
        OCIExecute(...);
        So that the execute re-executes the query. It's horribly inefficient to query twice, but it works.

  • How to migrate AD users with two different Domain.

    Hi 
    I want to test in a lab. I have installed Win 2008 Server on Comp1 with domain name xyz.com and IP 192.168.1.1, and I have installed Win 2008 on Comp2 with domain name abc.com and IP 192.168.1.100, and I have created a trust relationship between them.
    Now I want to migrate AD user accounts from xyz.com to abc.com.
    How do we do that?
    Please help...
    Thanks
    Anil

    Hi Anil,
    After configuring trust, you can use ADMT to migrate users, computers etc between domains.
    To export the passwords of AD user accounts from xyz.com to abc.com, you need to install Password Export Server (PES) on the source domain (xyz.com).
    Check out the link below on ADMT and PES installation:
    http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx
    Check out the link below on AD user account migration:
    http://social.technet.microsoft.com/wiki/contents/articles/16621.interforest-migration-with-admt-3-2-part-3.aspx
    Regards,
    Gopi
    www.jijitechnologies.com

  • Different Risk Analysis Results with the same user from 2 different RAR

    Hi..
    I've loaded the same Risks, Rules, etc., into 2 GRC RAR environments (Sandbox and Quality systems); both of them are connected to the same SAP ECC system. But when I do a User Risk analysis (authorization level), the result from Sandbox is different from the Quality system. I don't have users or roles mitigated yet, users are synchronized, rules are exactly the same, and I don't know what happened. Please help me.
    Thanks...

    Hi...
    If I do a Full Sync of users to the same ECC system from both RAR boxes, I got different number of users loaded (i.e. 18757 vs. 18141), similar case with the full sync of roles. (13100 vs.  13150).
    If I load exactly the same set of functions to both RAR systems and I generate the rules, I got the same problem, different number of rules is generated.
    I've verified both RAR configuration and they are the same (excluded users, roles mitigated, etc.)
    Is it a normal behavior? What could be wrong?
    Thanks in advance!!
