Authenticate users from a trusted domain

Greetings,
I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, ie, exchange, IIS, SharePoint.
I would like to have the default authentication into sharepoint be from users in Domain A using standard claims NTLM.
Domain B trusts Domain A (1 way)
Is this possible? How?
Thank you

Hello Trevor,
Thank you for your help.
I have run the People Picker Tester and found that I am able to connect to the following ports:
CONNECTED
tcp/389
tcp/686
tcp/135
tcp/139
tcp/3268
tcp/445
and FAILED to connect to
tcp/137
tcp/138
tcp/3269
tcp/53
tcp/749
tcp/750
The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
My next question is around the two stsadm commands.
The first command:
stsadm -o setapppassword -password "SomeValue"
1) What am I actually doing here? 
2) Where will this password be used?
3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
The second command:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url
http://webAppUrl
1) is this command setting my default people picker domain search to Domain A accounts?
2) for testing I'm going to use my domain a account in the command, is that acceptable?  It just needs to be an account in domain A, correct?

Similar Messages

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authentication users (AnyConnect).
    Now, I need to authenticate few users from other trusted domain (DOMAINB.LOCAL).
    I do not want direct connect with the domain contoller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think, I must use username like "DOMAINB\userindomainb" but this not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Authenticate Users from a different domain

    Hello,
    I have three domains; Domain A, Domain B & Domain C
    Domain A does not trust Domain B
    Domain C trusts both A and B
    Users login to Domain A
    SharePoint 2013 Enterprise lives in Domain C
    Users wanting to access SharePoint must authenticate to SharePoint with their Domin B accounts.
    Crazy... I know
    I have setup people picker to work with Domain B, Thank you Trevor (
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/9f805e2d-1b39-4e1d-b5ae-c5d7b83ca690/authenticate-users-from-a-trusted-domain?forum=sharepointadminprevious)
    My next issue is that I am now testing the initial login into the SharePoint 2013 server from a standard user (who logs into Domain A in the beginning of the day)
    I have added myself (Bob) to the owners group in root site collection.  owner = Domain_B\Bob
    When I browse to my new site using IE 9 I'm presented with a not so helpful page that says, "Sorry, this site hasn't been shared with you."  Thats it.. no chance to login as a different person.  Obviously SharePoint sees me as Domain_A\Bob
    and is letting me know that I have no access.
    What I would like to happen is for SharePoint to prompt me with the standard claims NTLM login screen so that I may login to SharePoint with my Domain_B\Bob account.  Is there a way to set this up without forms authentication?
    Oddly enough, using Firefox I am prompted for login credentials, but typing in Domain_B\Bob does not work.  If I do enter the farm service account setup in Domain_C, I am able to enter SharePoint with my farm service account credentials.
    Thanks for your help,
    -Bob

    The output of the stsadm -o getproperty -pn peoplepicker-searchadforests -urlhttp://sharePoint-dev.mydomain.com was successfully completed.
    capturing the LOG files as I'm trying to log in using by Domain B account I see the following: (listed below)
    ------------Event viewer:------------------------
    Failure Reason: The User has not been granted the requested logon type at this machine. 
      > This leads me to believe that I need to add DomainB\domain users to the "access this computer from the network" policy
    What do you think?
    Thanks,
    -Bob
    ----------------------------ULS LOG FILE---------------------------------------------------
    12/30/2013 12:49:05.08 w3wp.exe (0x1C38) 0x1E78 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-b893-d0f1-8d12-0081758a591c 
    12/30/2013 12:49:05.08 w3wp.exe (0x1C38) 0x1E78 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.11972750726699 3570659c-b893-d0f1-8d12-0081758a591c 
    12/30/2013 12:49:05.60 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 20ffe309-e6af-4c9f-a54a-a0073faf5519 
    12/30/2013 12:49:05.60* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 20ffe309-e6af-4c9f-a54a-a0073faf5519 
    12/30/2013 12:49:05.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 56bd1860-a63f-43b0-b0e1-b5997cfb380b 
    12/30/2013 12:49:05.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 56bd1860-a63f-43b0-b0e1-b5997cfb380b 
    12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
    12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-88c4-d0f1-8d12-08b6d636f658 
    12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x1DBC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=1.3153208019455 3570659c-88c4-d0f1-8d12-08b6d636f658 
    12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
    12/30/2013 12:49:05.86 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-b8c4-d0f1-8d12-06face9fae6d 
    12/30/2013 12:49:05.87 w3wp.exe (0x1C38) 0x2258 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.21303545562355 3570659c-b8c4-d0f1-8d12-06face9fae6d 
    12/30/2013 12:49:06.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 7e316c4f-aa4d-483a-bebf-3cd76e7fc693 
    12/30/2013 12:49:06.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 7e316c4f-aa4d-483a-bebf-3cd76e7fc693 
    12/30/2013 12:49:06.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 3998a340-44a6-4836-a3c8-33b8061159b5 
    12/30/2013 12:49:06.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 3998a340-44a6-4836-a3c8-33b8061159b5 
    12/30/2013 12:49:06.74 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
    12/30/2013 12:49:06.74 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1418 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=2.68225430885769 3570659c-c8fb-d0f1-8d12-0856ed2e7a06 
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-38fc-d0f1-8d12-005530b4e738 
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x19BC SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=1.02066044706799 3570659c-38fc-d0f1-8d12-005530b4e738 
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Monitoring nasq Medium Entering monitored scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Parent No  
    12/30/2013 12:49:06.75 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://fermipoint-dev.fnal.gov:80/) 3570659c-78fc-d0f1-8d12-0dc88dd1e7bb 
    12/30/2013 12:49:06.76 w3wp.exe (0x1C38) 0x1BD4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://fermipoint-dev.fnal.gov:80/)). Execution Time=4.1344640170748 3570659c-78fc-d0f1-8d12-0dc88dd1e7bb 
    12/30/2013 12:49:06.80 OWSTIMER.EXE (0x07C8) 0x1490 SharePoint Foundation Health abire Medium Failed to Sql Query data XEvent collector on fv-sp13tst. The error is Object reference not set to an instance of an object.  
    12/30/2013 12:49:07.05 w3wp.exe (0x1C38) 0x1BF4 SharePoint Portal Server Runtime 8gp7 Medium Topology cache updated. (AppDomain: /LM/W3SVC/1720071765/ROOT-1-130328985568168782) 3570659c-6845-d0f1-8d12-00249d79cf0d 
    12/30/2013 12:49:07.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... f94dd497-6681-4b0b-b19b-255d6073d82f 
    12/30/2013 12:49:07.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). f94dd497-6681-4b0b-b19b-255d6073d82f 
    12/30/2013 12:49:07.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 6ef43b9d-67d2-4717-9026-aaafbc95af2d 
    12/30/2013 12:49:07.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 6ef43b9d-67d2-4717-9026-aaafbc95af2d 
    12/30/2013 12:49:08.61 w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 3341568a-938d-4660-b9c8-94be1b566486 
    12/30/2013 12:49:08.61* w3wp.exe (0x1C38) 0x203C SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 3341568a-938d-4660-b9c8-94be1b566486 
    12/30/2013 12:49:08.61 w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable Error encountered in background cache check Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available
    for this application.     at Microsoft.SharePoint.SPRoundRobinServiceLoadBalancer.BeginOperation()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<RunOnChannel>b__2d()    
    at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)    
    at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettin... 164404b3-76ab-47cb-8fb4-a27f30d2498c 
    12/30/2013 12:49:08.61* w3wp.exe (0x0F18) 0x2544 SharePoint Server Taxonomy ca3r Monitorable ...gs()     at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()    
    at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges(Boolean enforceUpdate)     at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0(). 164404b3-76ab-47cb-8fb4-a27f30d2498c 

  • How to use CSACS 3.3 to authenticate users from multiple windows domain?

    Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
    hello, here is my scenario:
    ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
    And adding those domains as trusted domains in domain1 is not an option.
    Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
    Any input is much appreciated.

    Hi Betcy,
    I am not familiar with sharepoint solutions, but as you mentioned about windows credentials I believe it refers to kerberos tokens. On this case you can take advantage of SPNego authentication.
    You can find more details on following SAP note:
    #[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

    I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
    I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

    If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
    Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
    You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
    Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
    The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

  • Adding user account from a trusted Domain - SCSM2012

    Hello ,
    the scenario am facing now that we have domain (A) that has SCSM 2012 management server.& Domain (B) in another forest.
    between Domain (A) and (B) there is two way transitive trust with Forest wide authentication .
    I need to add user from Domain (B) to UserRole in SCSM in domain (A) ,so I created an AD connector for Domain B
    then when i tried to add user from domain (B) to a userrole it gives the below error.
    but when i close the user role and reopen it i find this blank entry
    the Error
    Application: Edit User Role
    Application Version: 7.5.2905.0
    Severity: Error
    Message: Unable to resolve the user \ associated with the user role. Error code 0. Check your active directory configuration.
    Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user \ associated with the user role. Error code 0. Check your active directory configuration.
       at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
       at Microsoft.EnterpriseManagement.Common.Internal.SecurityConfigurationServiceProxy.UpsertUserRolesV2(ICollection`1 urUpdateResults, ICollection`1 urScopeUpdateResults, ICollection`1 urViewScopeUpdateResults, ICollection`1 urTaskScopeUpdateResults,
    ICollection`1 urConsoleTaskScopeUpdateResults, ICollection`1 urTemplateScopeUpdateResults, ICollection`1 urDashboardReferenceScopeUpdateResults, ICollection`1 urUserUpdateResults)
       at Microsoft.EnterpriseManagement.SecurityConfigurationManagement.UpdateUserRoles(ICollection`1 userRoles)
       at Microsoft.EnterpriseManagement.Security.UserRole.Update()
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.UserRoleWriteAdapter.WriteSdkObject(EnterpriseManagementGroup managementGroup, UserRole sdkObject, IDictionary`2 parameters)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.WriteSdkObject(EnterpriseManagementGroup managementGroup, IList`1 sdkObjects, IDictionary`2 parameters)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)
       at Microsoft.EnterpriseManagement.UI.DataModel.QueryQueue.StartExecuteQuery(Object sender, ConsoleJobEventArgs e)
       at Microsoft.EnterpriseManagement.ServiceManager.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)
    Would really appreciate your replies .
    Regards
    Amal Sami

    As a workaround, you can add the user by searching the user in the following format
    domain name\User name or User ID" instead of searching by "User name or User ID".
    I am not 100% sure of the technicalities involved but this way you would be able to add the user without any issue.

  • Cannot create MySites for accounts from a trusted domain

    I am trying to create the MySites on our development instance using my production domain login. I can login to the root site, and my name is rendered correctly in the drop down, but when I try to create the MySite, I am getting a user not found error. I
    am able to create a MySite using a dev domain account, but cannot use my production domain account. Does anyone know what security configuration needs to occur so that I can use my production account?
    The ULS log has this entry, which indicates I should be able to create the site:
    Call to PersonalSiteInstantiationState::Init for <domain\login> with IsUserSelf(): True, IsProfileAdmin: False, resulted in m_bCanUseStorage: True, m_bCanUseMicrobloggingAndFollowing: True, m_bCanPersonalize: True, m_bCanFollowTagsAndUsers: True,
    [MySiteHost Found?=True CompatLevel=15 Licensed?=True URL=http://<servername>:8080] StackTrace:   at Microsoft.Office.Server.UserProfiles.UserProfile.PersonalSiteInstantiationContext.Init(UserProfileManager objManager, UserProfile userProfile,
    SPSite mySiteHost)     at Microsoft.Office.Server.UserProfiles.UserProfile.PersonalSiteInstantiationContext..ctor(UserProfileManager objManager, UserProfile userProfile)     at Microsoft.Office.Server.UserProfiles.UserProfile.InitPersonalSiteInstantiationContext()    
    at Microsoft.Office.Server.UserProfiles.UserProfile.InitPersonalSiteContextAndDoUPAChecks()     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.<>c__DisplayClass6.<CreatePersonalSite>b__4()    
    at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback
    secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.CreatePersonalSite(UserProfile
    userProfile, Uri personalSiteUrl)     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.RenderWebPart(HtmlTextWriter writer)     at Microsoft.SharePoint.WebPartPages.WebPart.Render(HtmlTextWriter
    writer)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at Microsoft.SharePoint.WebPartPages.SPChrome.RenderPartContents(HtmlTextWriter output, WebPart part)    
    at Microsoft.SharePoint.WebPartPages.SPChrome.RenderWebPart(HtmlTextWriter output, WebPart part)     at Microsoft.SharePoint.WebPartPages.WebPartZone.RenderZoneCell(HtmlTextWriter output, Boolean bMoreParts, WebPart part)    
    at Microsoft.SharePoint.WebPartPages.WebPartZone.RenderWebParts(HtmlTextWriter output, ArrayList webParts)     at Microsoft.SharePoint.WebPartPages.WebPartZone.Render(HtmlTextWriter output)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter
    writer, ControlAdapter adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter
    adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)     at Microsoft.SharePoint.WebControls.AjaxDelta.RenderChildren(HtmlTextWriter output)    
    at System.Web.UI.WebControls.WebControl.RenderContents(HtmlTextWriter writer)     at System.Web.UI.WebControls.WebControl.Render(HtmlTextWriter writer)     at Microsoft.SharePoint.WebControls.AjaxDelta.Render(HtmlTextWriter
    writer)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)    
    at System.Web.UI.HtmlControls.HtmlForm.RenderChildren(HtmlTextWriter writer)     at System.Web.UI.HtmlControls.HtmlContainerControl.Render(HtmlTextWriter writer)     at Microsoft.SharePoint.WebControls.SharePointForm.Render(HtmlTextWriter
    output)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)    
    at System.Web.UI.HtmlControls.HtmlContainerControl.Render(HtmlTextWriter writer)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter
    writer, ICollection children)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)    
    at Microsoft.SharePoint.Portal.WebControls.WebPartPage.RenderChildren(HtmlTextWriter writer)     at System.Web.UI.Page.Render(HtmlTextWriter writer)     at Microsoft.SharePoint.WebControls.DeltaPage.RenderToBase(HtmlTextWriter
    writer)     at Microsoft.SharePoint.WebControls.DeltaPage.Render(HtmlTextWriter writer)     at Microsoft.SharePoint.Portal.WebControls.WebPartPage.Render(HtmlTextWriter writer)     at Microsoft.SharePoint.Portal.WebControls.PersonalWebPartPage.Render(HtmlTextWriter
    writer)     at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)     at System.Web.UI.Page.ProcessRequest()     at System.Web.UI.Page.ProcessRequest(HttpContext context)    
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)     at
    System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)     at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)     at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest
    wr, HttpContext context)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr
    rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr
    nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) 
    But the actual site instantiation fails with this error:
    Exception during creation of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite(). [SPWeb Url=http://<servername:8080>/Person.aspx?accountname=<domain\account>]  Message: The specified user <domain\account>
    could not be found.  Stack Trace:    at Microsoft.SharePoint.SPWeb.EnsureUser(String logonName)     at Microsoft.Office.Server.UserProfiles.MySiteInstantiationWorkItemJobDefinition.<>c__DisplayClass5.<AddWorkItem>b__4()    
    at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback
    secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.<>c__DisplayClass6.<CreatePersonalSite>b__4()    
    at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback
    secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.CreatePersonalSite(UserProfile
    userProfile, Uri personalSiteUrl) 
    Exception during queuing of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite(). [SPWeb Url=http://<servername:8080>/Person.aspx?accountname=<domain\account>]  Message: The specified user <domain\account>
    could not be found.  Stack Trace:    at Microsoft.SharePoint.SPWeb.EnsureUser(String logonName)     at Microsoft.Office.Server.UserProfiles.MySiteInstantiationWorkItemJobDefinition.<>c__DisplayClass5.<AddWorkItem>b__4()    
    at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()     at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback
    secureCode, Object param)     at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)     at Microsoft.SharePoint.Portal.WebControls.MySitePersonalSiteUpgradeOnNavigationWebPart.<>c__DisplayClass6.<CreatePersonalSite>b__4() 

    Hi Susan,
    As my understanding, your development and production environments are two (two way) trusted domains in one forest, and the SharePoint instance was built on the development domain. If this is the truth, please first verify whether your production domain account
    profile has been imported into the user profile service application. If it is not, refer to the following article to check the configuration of your user profile synchronization.
    https://technet.microsoft.com/en-us/library/ee721049.aspx
    If your user profile can be searched correctly, the issue might be caused by fact that the people picker search was limited to the development domain. Please use the following command to configure the people picker search domains:
    stsadm –o setproperty –pn peoplepicker-searchadforests –pv <list of forests or domains> -url <WebApp>
    More information can be found in
    https://technet.microsoft.com/en-us/library/cc263460.aspx
    Thanks,
    Reken Liu
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    it supported to migrate users from child source doman to target root domain?
    I established a trust, but i don't see child domain at ADMT installed on target domain DC. Source root domain is visible

    You should not be needed to establish a trust as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT dosen't show a partiuclar domain in the dropdown list, you can/have to type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • I want to authenticate user from database

    hello
    im trying to authenticate the user from the data base but there after execute query i want to get no of rows using ocirowcount but there is no result in the ocirowcount it returns me 0 always there is no result in databae i also execute query the on sql prompt it work properly but in php it got some problem please help me for this slution ill be thankfull to all
    From farooq

    <p>
    If you want a count, you have to specifically use a count(*) query. As of PHP 5, this function is an alias to oci_num_rows, and to quote PHP.Net's documentation on oci_num_rows()
    <div style="margin-left:10px; font-size: 85%;">
    This function <span><i>does not</i></span> return number of rows selected!<br>
    For SELECT statements this function will return the number of rows, that were<br>
    fetched to the buffer with <b>oci_fetch*()</b> functions.
    </div>
    </p>
    <p>
    Further, to quote one of the users on PHP.Net's documentation on ocirowcount():
    <div style="margin-left:10px; font-size: 85%;">
    <span>
    It appears the easiest workaround if you want to get numrows without moving to the end of the result set is to use:
    numrows = OCIFetchStatement(...);
    OCIExecute(...);
    So that the execute re-executes the query. It's horribly inefficient to query twice, but it works.</span>
    </div>
    </p>

  • Users from a different domain cannot login

    Hello Everyone,
    We have a sharepoint 2010 in domain A. Users are in domain A and domain B and there is a bi-directional trust between the two domains (belonging to 2 different forests).
    Users in domain A have no problem accessing the SharePoint.
    Users in domain B keep having IE prompting them for credentials and after 3 attempts lead them to a blank page.
    The people picker tool can easily find users in domain B and then assign them permissions, but there seems to be an issue when authentication occurs.
    So far there is no DNS or network issue has the site name is well resolved and a nslookup of the site returns the good information (right IP address).
    Thank you for your help ! :)

    Can you confirm if you're using Constrained or Unconstrained delegation?
    FYI new cross-forest functionality was added with Server 2012, but all of your DCs must be running 2012 or higher:
    http://technet.microsoft.com/en-us/library/hh831747.aspx
    Trevor Seward
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • [Server 2008R2] Filter event logs for logged in users from clients on domain

    Hi All,
    I am looking for a script which can be run on a domain controller to check which user accounts logged in on the domain. I am looking for both the username and client. Reason why I need this is to check where service accounts are used.
    Thanks.
    Kind regards,
    Bart
    Bart Timmermans | Consultant at inovativ
    Follow me @
    My Blog | Linkedin |
    Twitter
    Please mark as Answer, if my post answers your Question. Vote as Helpful, if it is helpful to you.

    Hi Bart,
    To parse the event log, you can refer to the cmdlet "Get-WinEvent", and how to use this cmdlet to parse event log, please check this article, you can also add the "-computername" to query event log from remote computers:
    Use PowerShell Cmdlet to Filter Event Log for Easy Parsing
    To monitor the logon history, please check this function to start:
    function Get-Win7LogonHistory {
    $logons = Get-EventLog Security -AsBaseObject -InstanceId 4624,4647 |
    Where-Object { ($_.InstanceId -eq 4647) -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10")) }
    $poweroffs = Get-EventLog System -AsBaseObject -InstanceId 41
    $events = $logons + $poweroffs | Sort-Object TimeGenerated
    if ($events) {
    foreach($event in $events) {
    # Parse logon data from the Event.
    if ($event.InstanceId -eq 4624) {
    # A user logged on.
    $action = 'logon'
    $event.Message -match "Logon Type:\s+(\d+)" | Out-Null
    $logonTypeNum = $matches[1]
    # Determine logon type.
    if ($logonTypeNum -eq 2) {
    $logonType = 'console'
    } elseif ($logonTypeNum -eq 10) {
    $logonType = 'remote'
    } else {
    $logonType = 'other'
    # Determine user.
    if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
    $user = $matches[1]
    } else {
    $index = $event.index
    Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
    } elseif ($event.InstanceId -eq 4647) {
    # A user logged off.
    $action = 'logoff'
    $logonType = $null
    # Determine user.
    if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
    $user = $matches[1]
    } else {
    $index = $event.index
    Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
    } elseif ($event.InstanceId -eq 41) {
    # The computer crashed.
    $action = 'logoff'
    $logonType = $null
    $user = '*'
    # As long as we managed to parse the Event, print output.
    if ($user) {
    $timeStamp = Get-Date $event.TimeGenerated
    $output = New-Object -Type PSCustomObject
    Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
    Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
    Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
    Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $logonType -InputObject $output
    Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
    Write-Output $output
    } else {
    Write-Host "No recent logon/logoff events."
    Get-Win7LogonHistory
    Refer to:
    https://github.com/pdxcat/Get-LogonHistory/blob/master/Get-LogonHistory.ps1
    If there is anything else regarding this issue, please feel free to post back.
    If you have any feedback on our support, please click here.
    Best Regards,
    Anna Wang
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • How to authenticate users from SharePoint 2007 to the Web Dynpro platform

    Hi, I am working on integrating Share to Webdypro application. I want to implelement Single sign on from Sharepoint to SAP.
    So I can make use of Windows credentials for accesing my SAP application.
    So what all configurations need to be maintained at SAP side to achieve this thing.
    Can anyone please help me on this.
    Thanks,
    Betcy

    Hi Betcy,
    I am not familiar with sharepoint solutions, but as you mentioned about windows credentials I believe it refers to kerberos tokens. On this case you can take advantage of SPNego authentication.
    You can find more details on following SAP note:
    #[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
    You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    //Specify the Base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
    ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.

  • Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest

    I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?

    Well, I’ve made some encouraging progress.
    I’ve managed to log on!
    I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
    Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
    I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
    I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
    Re-bound it to AD and boom CPU shot right back up.
    I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
    If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
    Plan going forward:
    I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
    If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
    It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
    I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you.

  • SID only shows up when adding a domain user account from an external trusted domain

    This is sort of an interesting situation which may wind up being more of a network port not being open.
    There are two Windows 2008 R2 domains, AlphaCo and BravoCo, that have an external one-way trust setup between them where AlphaCo trusts BravoCo. The member servers on the AlphaCo domain have BravoCo users added to it's local groups. The problem is on one
    of the member servers (SRV-05) on the AlphaCo domain. When any user from the BravoCo domain is added to the local Administrators group it will show up when doing a search with the "friendly name" but when you click on "Apply" and/or "OK"
    it changes to the SID. This only happens on the SRV-05 server. The other member servers on the AlphaCo domain (SRV-01, 02, 03, 04, 06) are not having this issue.
    Any idea what may be causing this user identity crisis and what could be done to resolve it?

    There are no other differences between SRV-05 and the other members servers on the AlphaCo
    domain (SRV-01, 02, 03, 04, 06). I did download and run the PortQryUI tool to check the status of port 135 on SRV-05
    and the other servers which came back with the same results. I also checked the
    AlphaCo domain
    security settings (Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options) Network access: Allow anonymous SID/Name translation which was disabled. But I do not believe this is the cause since
    it would impact the other servers (SRV-01, 02, 03, 04, 06) in the domain.

Maybe you are looking for

  • USB Modem software installation failure on MAC OS X 10.8.5

    i have a USB Modem Device ( Tata Photon+) manufactured by Huawei .One fine day it failed to connect to the net (citing a need t. on my MacBook pro mid 2012 model(OS X 10.8.5). I then o contact the service provider)the device did work on windows 7. i

  • B&W PRESET

    Once I tried to bring in some images to LR utilizing the B&W conversion preset. Now every time I go to the library module all images on the screen automatically convert to B&W . How do I get rid of the B&W conversion?

  • Parental oversight and control apps

    Is there a program like "my mobile watchdog" for the iphone?  I have 2 14 yo daughters getting iphones from Santa and I'd like to make sure they play safe once they have the phones.  I was pretty excited until I realized MMW doesn't work on the iphon

  • Table Event Update Form?

    Hi, If anyone knows about the form "Table event Update",kindly reply or give URL regarding the documentation Thanks in advance Manoj M

  • IN A NATURAL JOIN THE ANSWER QUERY DEPENDS OF PROJECTION ??!!

    Hi, Related to this question Link: problems with natural join Does the answer query depend of projection in a complex NATURAL JOIN query? Thanks, Ion