CreateJavaSchema throws exception on active directory
Hello,
I'm attempting to follow the jndi tutorial using win2k active directory. I'am using a clean installation but every time i run the program I get the following error:
Starting application C:\java\CreateJavaSchema.class
[updating Active Directory schema ...]
[locating the schema]
[inserting new attribute definitions ...]
javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - 0000207E: AtrErr: DSID-0315096E, #1:
0: 0000207E: DSID-0315096E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 3 (cn)
]; remaining name 'CN=javaCodeBase'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2848)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2810)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2616)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:740)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
at CreateJavaSchema.insertADAttributes(CreateJavaSchema.java:416)
at CreateJavaSchema.updateADSchema(CreateJavaSchema.java:353)
at CreateJavaSchema.updateSchema(CreateJavaSchema.java:191)
at CreateJavaSchema.run(CreateJavaSchema.java:107)
at CreateJavaSchema.main(CreateJavaSchema.java:92)
Interactive Session Ended
Anybody out there got anny ideas? Even if it is a stupid question, please do answer! I'am stuck.
The answer is simple. Your program wants to define a new attribute definition, but the name you want to use for it is already used. (Perhaps it was done previously by your own program ;-)). You can give another (not used)name for the new attribute, or delete the old one from the attribute definitions in your directory. How you can do the later depends on the directory server you use. But you always can do it with a java program, and writing it is a good excercise. :-)
BR,
don
Similar Messages
-
CachedOpenCommunityInfo throws exception on Knowledge Directory pages
I have built custom nav that calls the CachedOpenCommunityInfo method. This method throws an exception with a message suck as "*** ERROR *** Could not access the community." when I click on the Knowledge Directory of my community.
Any ideas why this is throwing an exception and how to avoid the exception?
Ideas are greatly appreciated.The answer is simple. Your program wants to define a new attribute definition, but the name you want to use for it is already used. (Perhaps it was done previously by your own program ;-)). You can give another (not used)name for the new attribute, or delete the old one from the attribute definitions in your directory. How you can do the later depends on the directory server you use. But you always can do it with a java program, and writing it is a good excercise. :-)
BR,
don -
Active Directory Not Syncing Correctly in ES2
Hello,
We had our Active Directory 2003 synced up using Adobe Livecycle ES. There would be around 30,000 users that would be synced and this would take around 3 - 4 1/2 minutes to run. This worked perfectly for us for the past half of a year or so.
Last week we upgraded to ES2 and moved all of our processes over. We removed ES and did a fresh install of ES2. Everything seems to be working fine now except the Active Directory isn't syncing properly. When we run the sync, different numbers of users will be fetched. Sometimes it's around three thousand, sometimes seven thousand, sometimes ten thousand, but it never seems to get through them all. In the server log it does say that the directory synchronization completed successfully though even though the number fetched is changing. We made sure the settings are exactly the same as they were before, and we even tried a few different settings, but it still doesn't get all the users. For testing purposes, we tried changing the search filter to pick specific people that aren't showing up during the normal sync and it will show up fine, so I'm wondering if there is something stopping it from going all the way through?
We also have another enterprise domain connected which has around 2,000 users on it and have not had this problem with it.
Here are some of the sync statistics from the past few syncs: (The active directory name has been stripped for security purposes). If you need any more information please feel free to ask. We would like to have this resolved as soon as possible.
2010-05-30 21:02:51,366 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 5633
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 110 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 110,375 ms, Max 110359 ms, Min 16 ms, Avg 55187 ms
--[99.99%] [99.99%]User and group phase(1 runs) : Total 110,359 ms, Max 110359 ms, Min 110359 ms, Avg 110359 ms
----[95.78%] [95.80%]Users synch from (6 runs) : Total 105,719 ms, Max 19141 ms, Min 14281 ms, Avg 17619 ms
------[1.18%] [1.23%]Provider (31 runs) : Total 1,298 ms, Max 109 ms, Min 31 ms, Avg 41 ms
--[0.01%] [0.01%]Memberhsip phase(1 runs) : Total 16 ms, Max 16 ms, Min 16 ms, Avg 16 ms
-------Persistence Statistics-------
Users ->
added = 8
removed = 2568
updated = 5625
unchanged = 0
renamed = 0
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 8515
removed = 106
unchanged (In changed Principals) = 16784
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 113
Failed User Batches = 0
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================
2010-06-02 21:03:43,692 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 7140
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 165 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 164,781 ms, Max 164750 ms, Min 31 ms, Avg 82390 ms
--[99.98%] [99.98%]User and group phase(1 runs) : Total 164,750 ms, Max 164750 ms, Min 164750 ms, Avg 164750 ms
----[96.78%] [96.79%]Users synch from (8 runs) : Total 159,469 ms, Max 26719 ms, Min 3500 ms, Avg 19933 ms
------[1.01%] [1.05%]Provider (42 runs) : Total 1,667 ms, Max 109 ms, Min 15 ms, Avg 39 ms
--[0.02%] [0.02%]Memberhsip phase(1 runs) : Total 31 ms, Max 31 ms, Min 31 ms, Avg 31 ms
-------Persistence Statistics-------
Users ->
added = 8
removed = 5
updated = 7132
unchanged = 0
renamed = 1
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 3340
removed = 105
unchanged (In changed Principals) = 33761
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 142
Failed User Batches = 1
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================
2010-06-03 08:56:43,286 INFO [com.adobe.idp.um.businesslogic.synch.DomainSynchronizer]
========== Synch Statistics for ============
Total User Fetched - 2960
Total Group Fetched - 0
Total Members Fetched - 0
Total time taken is 68 sec
[100.00%] [100.00%]Domain Synchronizer(2 runs) : Total 67,984 ms, Max 67921 ms, Min 63 ms, Avg 33992 ms
--[99.91%] [99.91%]User and group phase(1 runs) : Total 67,921 ms, Max 67921 ms, Min 67921 ms, Avg 67921 ms
----[96.37%] [96.46%]Users synch from (3 runs) : Total 65,516 ms, Max 23016 ms, Min 19766 ms, Avg 21838 ms
------[4.00%] [4.15%]Provider (17 runs) : Total 2,719 ms, Max 844 ms, Min 31 ms, Avg 159 ms
--[0.09%] [0.09%]Memberhsip phase(1 runs) : Total 63 ms, Max 63 ms, Min 63 ms, Avg 63 ms
-------Persistence Statistics-------
Users ->
added = 2
removed = 6632
updated = 2958
unchanged = 0
renamed = 0
failed = 0
UniqueId changed = 0
Groups ->
added = 0
removed = 0
updated = 0
unchanged = 0
failed = 0
UniqueId changed = 0
Emails ->
added = 3
removed = 1
unchanged (In changed Principals) = 10035
Group Members ->
added = 0
removed = 0
unchanged = 0
unknown = 0
failed = 0
-------Batch Statistics-------
Successful User Batches = 60
Failed User Batches = 0
Successful Group Batches = 0
Failed Group Batches = 0
Successful Member Batches = 0
Failed Member Batches = 0
======================================We do have quite a few that are missing an attribute, specifically:
2010-06-06 21:05:47,579 WARN [com.adobe.idp.um.businesslogic.synch.LdapHelper] Record [xxxx] is missing required attribute [objectSID] for canonicalName i.e uniqueIdentifier field
This is something that was on our old system as well:
2010-05-25 03:02:35,559 INFO [com.adobe.idp.um.provider.directoryservices.LDAPDirectoryPrincipalProviderImpl] UserM:: [Thread Hashcode: 3010887] This record is missing a required attribute and cannot be used. Specifically CanonicalName is null. Common Name: xxxx
We have many users in our active directory with just email accounts so that users are able to search for a name and find the email address in outlook. I have checked through these and they look fine (though there are fewer entries in ES2 since there are fewer users being fetched).
As for the locked users, here is what we received:
2010-06-06 21:05:47,579 INFO [com.adobe.idp.um.businesslogic.synch.LdapPrincipalProvider] Found [1257] locked users while synching. These users were ignored
This sounds about right for the amount of users that were fetched.
If you have any more questions or ideas, please let us know. We would like to have this resolved as soon as possible. Thanks. -
Hide all except one object in Active Directory Users and Computers.
Hello,
I have a question.. I need to allow to one group of "administrators" creating users in one OU and adding computers to the domain, nothing else. I allowed them to log on DC using the GPO "Allow log on locally", because I don't want to give
them administrator rights, I allowed them to do these operations on one OU through delegation wizard and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way how to achieve this? Thank you...
d.I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
Description of Remote Server Administration Tools for Windows 7:
http://support.microsoft.com/default.aspx/kb/958830
Remote Server Administration Tools for Windows 7:
http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Operation Not Supported Exception in JNDI/Active Directory
Hi all,
When i am trying to change password or create user from JNDI program
on Active Directory i am getting OperationNotSupported Exception.
I wonder i am doing a common mistake in both functions.just when the execution comes to
ctx.createSubcontext("cn=surendra,cn=Users,DC=ABSI,dc=pcs",attrs);
in createUser method and
ctx.modifyAttributes(userString, ctx.REPLACE_ATTRIBUTE, testAttrs);
in changePassword method i am getting the below exception.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT
_PERFORM), data 0
]; remaining name 'cn=surendra,cn=Users,DC=ABSI,dc=pcs'
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Exception.java:42)
at javax.naming.NamingException.<init>(NamingException.java:106)
at javax.naming.OperationNotSupportedException.<init>(OperationNotSupportedException.java:50)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:657)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Compiled Code)
at com.sun.jndi.toolkit.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(Compiled Code)
at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:258)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
Your help is needed to go ahead......
Thanks in advance
NagaHi!
I just happened to stumble across your post today looking for something else, but...
Are you aware that you can only update a password ActiveDirectory/LDAP with a secure network connection? A certificate must be installed on the domain controller and tied to AD, and then the client must support an SSL connection to AD for LDAP. The other attributes in the schema do not have this restriction and can be updated without a secure connection.
Joel Mussman
Smallrock Internet Services -
How to avoid duplicate DN exception when creating Active Directory Account
I am using OIM 9.1.0.2 to provision Active Directory accounts.
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
Here is an example.
User 1 exists already and their DN: cn=john smith, cn=users, dc=company,dc=org
New user joins the company and his name is also john smith and he has no middle name: so system attempts to create his account as cn=john smith, cn=users, dc=company,dc=org
how can I accomplish this by making the account say cn=john smith_1, cn=users, dc=company,dc=org855640 wrote:
I run into issues when the DN of the user to be created already exists and I would like to know if anyone has some logic I can use to generate a different DN for new user by adding a number or something like that to the DN
There are two different questions:
1. How to generate a sequence of candidates for the name attribute
2. How to check if a record with the given name candidate already exists in the Active Directory, and hence try the next candidate from the sequence.
The answer for the first part is usually defined by the policy existing in your organization, in the simplest case you can append sequential integer numbers to the end of the original name.
The answer for the second question is not so simple if you use are provisioning with MSAD connector.
There are two places you can put the check:
-- in the pre-populate adapter for the UD_ADUSER_COMMONNAME field
-- in the adpADCSCREATEUSER event handler, which is responsible for new AD user record creation.
Both cases need some coding, since you have to obtain the AD connection and search AD for matching records.
Pros & cons
Placing check code in the pre-populate adapter:
Pros:
the result is visible in the form, administrator can change the pre-calculated value if he wishes
Cons:
you need to have all access to connection parameters, and establish one extra connection
this is not the way OIM is supposed to work :-(
Placing check code in the AD user creation task:
Pros:
you have all access to connection parameters, and open a connection here anyway
Cons:
the result is not present in the form, so no way for manual interaction by administrator here
BTW: this problem is not only related to DN generation, some other AD attributes (e.g. sAMAccountName, mailNickName, userPrincipalName, mail) should be unique in the AD domain scope.
Edited by: madhatter on Sep 7, 2012 12:02 AM -
Active Directory as readonly UME except of user's password
Hi there,
we would like to configure the portal-datasource to connect to the active directory read-only. However, (LDAP) users must be able to change there passwords. How could the xml file look like.
We checked out http://help.sap.com/saphelp_nw70/helpdata/de/46/07a02c920f4f0fe10000000a114a6b/frameset.htm, but this doesn't work. Here the portal tries to create ldap users and fails as no mandatory fields are writeable.
Also we tried to dsitriubte the active directory in one writeable and one readable. However according to help.sap.com (http://help.sap.com/saphelp_nw70/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm) it is not possible to assign users from one source to groups of another.
Does anybody know a solution or a hint?
Thanks a lot and regards
StephanHi Michael,
thanks for your help. We finally solved the issue using the "homefor"-approach:
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="team" />
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<notResponsibleFor/>
<attributeMapping />
<privateSection/>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principal type="account"/>
<principal type="user"/>
</homeFor>
<notHomeFor>
<principal type="user">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
<principal type="account">
<nameSpace name="$serviceUser$">
<attribute name="SERVICEUSER_ATTRIBUTE">
<values>
<value>IS_SERVICEUSER</value>
</values>
</attribute>
</nameSpace>
</principal>
</notHomeFor>
<responsibleFor>
Thanks and regards
Stephan -
SharePoint Foundation Active Directory Problem
Hey,
I have a problem with the Active Directory connection to SharePoint Foundation.
My Situation looks like this:
I'm working on a kind of project controlling plattform. Each of our customers has its own site. Also each customer has an account in our Active Directory. For the administrative part, we have a list which contains some infos of the customer, the url to its
site and the contact person.
I wrote an import-script which creates a site and a new item in the list. To put the contact person in the list-item, I use a code-snippet like this:
try
user = web.EnsureUser(loginName);
catch (Exception ex)
throw new Exception("LoginName " + loginName + " not found");
Now the problem is, that the try/catch block fails too often which means: SharePoint doesn't know the loginNames of some of our customers.
Why does SharePoint not know maybe 1/5 of all our customers? All of them have an account in our active directory, none of them ever logged in the SharePoint (at the time they even doesn't know, that they have a SharePoint site for this project).
I searched the internet for the problem but all I found where questions related to the synchronization of ad-properties to SharePoint Foundation. But I don't want to sync the phone-number or something like that - I want SharePoint only to know all the loginNames
of our customers, not only 1/5 of them.
How do I achive this, what am I doing wrong?
Thank you!web.EnsureUser has nothing to do with the UPS at all. This has nothing to do with synchronisation (it does have a role but it's a maintenance one and nothing to do with authentication.
The simplest answer is that the login names are being entered wrongly. Having said that there are a few areas you can look at to try to identify the problem:
Does it fail repeatedly for the same username? Can you add that user to the site manually using a people picker control and if so will the script work afterwards? Are there any trends in the user accounts that SharePoint cannot find? -
This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up WinDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with 2pc: \\fileserver and \\clientpc
When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
(on behalf of the clienpc's data request).
This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
EFS operations occur on the computer storing the files.
EFS files are decrypted then transmitted in plaintext to the client's computer
This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
2) SOLVE by setting up WebDAV (efs files accessed through web folders)
EFS operations occur on the client's local computer
EFS files remain encrypted during transmission to the client's local computer where it is decrypted
This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
READ BELOW as this does
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
EFS.
NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
a) START ... CMD
b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
1 click START and type "Turn Windows Features On or Off" and open the link
a) scroll down to "Internet Information Services" and expand it.
b) put a tick in: "Web Management Tools" \ "IIS Management Console"
c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
f) click ok
g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
a) on the "Anonymous Authentication" and click "Disable"
b) on the "Windows Authentication" and click "Enable"
NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
It can be by changing registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
BasicAuthLevel=2
c) on the "Windows Authentication" click "Advanced Settings"
set Extended Protection to "Required"
NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
a) on the right side, under Actions, click "Add Allow Rule"
b) set this to "all users". This will control who can view the "Default Site" through a web browser
NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
a) on the right side, under Actions, click "Edit Feature Settings"
b) tick the box "Allow double escaping"
*THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
a) set the Alias to something sensible eg "D_Drive", set the physical path
b) it is essential you click "connect as" and set
this to a local user (on fileserver),
if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
NB: the user account selected here must have the required EFS certificates installed.
See
here and
here
NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
The work around is on the \\fileserver create an NTFS symbollic link
e.g. to share the entire contents of "D:\",
on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
in cmd in this folder create an NTFS symbolic link to "D:\"
so in cmd type "cd c:\inetpub\wwwroot"
then in cmd type "mklink /D D_Drive D:\"
NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
b) if some exist review existing allow or deny.
Take care to not only review the "allow access to" settings
but also review "permissions" (read/write/source)
NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
a) On Windows 7 you need only change one tiny registry value:
- click START, type "regedit", open link
-browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
-on the EDIT menu click NEW, then click DWORD Value
-Type "DisableEFSOnWebDav" to name it (no speech marks)
-on the EDIT menu, click MODIFY, type 1, then click OK
-You MUST now restart this computer for the registry change to take effect.
b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
It should show the default "IIS7" image.
If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
e.g. http://localhost/D_drive
If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
eg if your server's computer name is "fileserver" go to "http://fileserver:80"
It should show the default "IIS7" image. If not, check firewall and port blocking.
Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
a) click the "Connections" tab at the top
b) click the "LAN Settings" button at the bottom right
c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
a) click START, type "regedit", open link
b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
c) click on "FileSizeLimitInBytes"
d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
a) click on "Security" (top) and then "Custom level" (bottom)
b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
SUCH an easy fix. SUCH an annoying problem on a clientpc
NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
explorer.
TEST SETUP
17 On the client use the normal "map network drive"
e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
e.g. CMD: net use * "http://fileserver:80/C_drive"
If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
a) On a clientpc, map network drive to http://fileserver/
b) navigate to a folder you know on the \\flieserver is encrypted with EFS
c) create a new folder, create a new file.
IF it throws an error, check carefully you mapped to the WebDAV and not file share
i.e. mapped to "http://fileserver" not "\\fileserver"
Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
clientpc decrypted it then copied it).
If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
a) see the last comment at the very bottom of
this page:
Points to consider:
- NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
It is implimented above, see (11) above
Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
This one took me a long time to track down to "network location".
Win 7 uses network locations "Home" / "Work" / "Public".
If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
FIX = either set IP address manually and specify a gateway
FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
Read
here (i've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?
-
I have Sharepoint Foundation installed with the latest CU updates. It is running on a VMware box (Windows Server 2008 R2 Standard) with its backend on a SQL Server 2008 R2 vmware box. The farm account is a domain user and has been given all appropriate
replication rights, etc to active directory.
Everything seems to be working fine except for security integrated with AD groups. When I go to edit permissions I can add individual AD users just fine and remove them just fine and their access is taken away right away or given to them right away.
I can also find AD groups in the people picker and add them to the site. When I add new groups to AD, they are found immediately within Sharepoint, and when I delete groups from AD, they are taken out of the people picker right away. Now comes
the weird part. When I add an AD group to the site, all users currently within that AD group are given access to the Sharepoint Site. This works for the first time only. Now when I add or remove users from the AD groups, it does not update
in SharePoint. For example, I have an AD testuser1 in the AD Group "All Users". testuser1 does not have access to SharePoint. So I add the AD group to the Sharepoint group "Visitors". testuser1 now has read access to the sharepoint
site. Now, I remove testuser1 from the AD group, but testuser 1 still has access to the site even though he is not part of the AD group, nor does he have any individual permissions to the site. Now, I add testuser2 to the ad group. testuser2
does not have access to the site, even though he is part of the ad group.
It seems that the only time AD group security is working for me is when I first initially add the AD group to the site. From then on, it's like sharepoint is caching the members of the group and not updating any new adds or deletes from the groups.
Any ideas? I am lost on where to go from here as I have tried everything from clearing cache files, rebooting servers, iisresets....I think I have at least cornered the problem, but am not 100% sure yet that it is the correct answer. I think it could be 1 of the following 2 scenarios.
Scenario 1: We have 3 web applications setup on our web server ports 80 - Our sharepoint Web app, 2020 - Our My Site Web App, 2040 - Our Search Web app. We are using host headers (http://sharepoint.***.com) instead of a server name. So
we setup our access mappings (Central Admin -> Application Management -> Configure Alternate access mappings) to use the host header (http://sharepoint.***.com) as the default mapping and the server name as the intranet access mapping. By
setting the default access mapping to host headers, i noticed that Sharepoint automatically assumes that all web apps are on port 80. You can see this by going to (Central Admin -> Manage Web Applications). The port listed all 3 web apps on
port 80. So I think when I was doing a profile sync and using mysites, it was messing with my AD security because of this. What I did was the following. I went to Central Admin -> Manage Service Applications -> [Name of your user profile
service] -> Setup my sites. I made sure that my preferred search center had the correct port number on it (mine originally had no port number), that my my site host had a port (again no port number originally), as well as the personal site location.
I then saved this.
Scenario 2: Our user profile sync had 2 BDC connections that were corrupt and throwing errors. I rebuilt the connections, remapped them to the proper user profile property.
I did both of these scenarios above around the same time. I then restarted all my servers, and at last the AD Group security is now functioning appropriately. I have done multiple IIS resets and server restarts. The issue has only reappeared
once. After restarting the machine again, we were back to the AD groups functioning correctly. Because we had the issue reappear once after doing the above, I still do not feel 100% sure that either one of the above corrected the issue completely.
As long as we are up and running currently, I am moving on to other tasks with this project. My only concern that it will break again and I will have to revisit it is when we restart the servers....which is never fun. I will update as I find
a "true" answer to this issue.... Let me know if any of the above helped you or if you find something I may not have thought of. -
What am I trying to do?
I have tried installing Microsoft Exchange Server 2013 Cumulative Update 7 Setup on a fresh install of Windows Server 2012 R2 but it gets stuck when running the setup exe on Step 8 of 14 “Mailbox Transport Service” I have included full
error logs at the bottom of the page but the basics are in order it will throw which loop around are:
[01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
Exchange is currently running in the envirmonet on 2010 Sp3 I am installing 2013 CU7 fresh so I can migrate the databases over.
What am I running?
2 X DC on domain and forest functional level 2008R2 both writable
1 X fresh install of Windows 2012 R2 which is domain joined
What have I tried?
Checked Ipv6 is enabled on all DC NICS and Existing Exchange Servers
Rebooted every server
Run setup as Administrator
My account is part of the domain Enterprise Admin group
Tried adding "Exchange Server" or "Exchange Enterprise Servers" to the group policy and doing the relevant gpupdate /force and reboot :
Computer Configuration Windows Settings
Security Settings + Local Policies
User Rights Assignment Mange auditing and security log
Turned off firewall on DC and Exchange Server even stopped the service
Turned off all AV on the DC and Exchange Server
Checked I could telnet to global catalog servers on port 3268 which I can
Checked the global catalog records existed in DNS which they all do
Done the obvious ping tests all round which confirms connectivity
Schema has been prepared using appropriate commands before running the setup exe
setup.exe /PrepareSchema /IacceptExchangeServerLicenseTerms
Making sure the following path has full permissions:
EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
Restarted Microsoft Exchange Active Directory Topology service
DcDiag all looks good
What have I noticed that is suspicious?
Microsoft Exchange Transport service will not start even though both of its dependences services have started:
Microsoft Filtering Management Service
Microsoft Exchange Active Directory Topology Service
It will eventually error with
“Windows could not start the Microsoft Exchange Transport Service on local computer
Error 1053: This Service did not respond to the start of control request in a timely fashion”
This error is from the GUI wizard itself:
Error:
The following error was generated when "$error.Clear();
$maxWait = New-TimeSpan -Minutes 8
$timeout = Get-Date;
$timeout = $timeout.Add($maxWait);
$currTime = Get-Date;
$successfullySetConfigDC = $false;
while($currTime -le $timeout)
$setSharedCDCErrors = @();
try
Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
$successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
if($successfullySetConfigDC)
break;
Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
catch
Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
Start-Sleep -Seconds 30;
$currTime = Get-Date;
if( -not $successfullySetConfigDC)
Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
" was run: "System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
Exchange logs which have been written:
**The error will loop around for 8 minutes on trying to set-sharedconfig DC whatever this is trying to do ??
[01/20/2015 17:13:20.0084] [2] Active Directory session settings for 'Set-SharedConfigDC' are: View Entire Forest: 'True', Configuration Domain Controller:mydomain.com', Preferred Global Catalog: 'mydomain.com', Preferred Domain Controllers:
'{ mydomain.com}'
[01/20/2015 17:13:20.0084] [2] User specified parameters:
-DomainController:mydomain.com' -ErrorVariable:'setSharedCDCErrors' -ErrorAction:'SilentlyContinue'
[01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
[01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
[01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC
[01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] An error ocurred while setting shared config DC. Error: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details
No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites..
[01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:20.0193] [2] Waiting 30 seconds before attempting again.
[01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0195] [2] Beginning processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [2] Ending processing Write-ExchangeSetupLog
[01/20/2015 17:13:50.0288] [1] The following 1 error(s) occurred during task execution:
[01/20/2015 17:13:50.0288] [1] 0. ErrorRecord: Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [1] 0. ErrorRecord: System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[01/20/2015 17:13:50.0288] [1] [ERROR] The following error was generated when "$error.Clear();
$maxWait = New-TimeSpan -Minutes 8
$timeout = Get-Date;
$timeout = $timeout.Add($maxWait);
$currTime = Get-Date;
$successfullySetConfigDC = $false;
while($currTime -le $timeout)
$setSharedCDCErrors = @();
try
Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
$successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
if($successfullySetConfigDC)
break;
Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
catch
Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
Start-Sleep -Seconds 30;
$currTime = Get-Date;
if( -not $successfullySetConfigDC)
Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
" was run: "System.Exception: Unable to set shared config DC.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[01/20/2015 17:13:50.0288] [1] [ERROR] Unable to set shared config DC.
[01/20/2015 17:13:50.0288] [1] [ERROR-REFERENCE] Id=AllADRolesCommonServiceControl___ee47ab1c06fb47919398e2e95ed99c6c Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/20/2015 17:13:50.0288] [1] Setup is stopping now because of one or more critical errors.
[01/20/2015 17:13:50.0288] [1] Finished executing component tasks.
[01/20/2015 17:13:50.0304] [1] Ending processing Install-BridgeheadRole
Windows Event Viewer:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5276) Forest mydomain.com. Exchange Active Directory Provider couldn't find minimal required number of suitable Global Catalog servers
in either the local site 'Default-First-Site' or the following sites:Hi apl228,
1. Please make sure the IPv6 is enabled.
2. Please make sure the account that install Exchange server has Administrator permission.
3. Please make sure DNS has been configured correctly.
Thanks
Mavis Huang
TechNet Community Support -
Change (or add) a password to Active Directory with Java and JNDI
I've create a new account in LDAP with attributs, It's ok. But a can't initialize the password, i've tryed some samples without result.
Maybe it's a SSL problem (i don't know why, i read it somewhere).
my code :
import java.util.*;
import java.io.*;
import java.net.*;
import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.ModificationItem;
public class addUser {
private static final String UNICODE = "Unicode";
private static final String UNICODE_PASSWORD = "unicodePwd";
public addUser() {}
private Hashtable env;
private DirContext ctx;
private void _initialize()
String jndiURL = "ldap://DOMAINSRV:389/";
String initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
String authenticationMode = "simple";
String contextReferral = "ignore";
String principal = "[email protected]";
String credentials = "oce";
env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
env.put(Context.PROVIDER_URL, jndiURL);
env.put(Context.SECURITY_AUTHENTICATION, authenticationMode);
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, credentials);
env.put(Context.REFERRAL, contextReferral);
public boolean createUser()
try
ctx = new InitialDirContext(env);
ctx.destroySubcontext("cn=FBXX,cn=users,DC=gedeon,DC=fr");
BasicAttributes attrs = new BasicAttributes();
BasicAttribute ocs = new BasicAttribute("objectclass");
ocs.add("user");
attrs.put(ocs);
BasicAttribute sa = new BasicAttribute("sAMAccountName", "FBXX");
attrs.put(sa);
BasicAttribute na = new BasicAttribute("name", "FRANCOIS BERTOUX");
attrs.put(na);
BasicAttribute sn = new BasicAttribute("sn", "BERT");
attrs.put(sn);
BasicAttribute up = new BasicAttribute("userPrincipalName", "[email protected]");
attrs.put(up);
BasicAttribute ua = new BasicAttribute("userAccountControl", "512");
attrs.put(ua);
BasicAttribute dn = new BasicAttribute("displayName", "FRA BERT");
attrs.put(dn);
BasicAttribute gn = new BasicAttribute("givenName", "FRA");
attrs.put(gn);
BasicAttribute des = new BasicAttribute("description", "CECI EST MON TEST");
attrs.put(des);
BasicAttribute cp = new BasicAttribute("codePage", "0");
attrs.put(cp);
BasicAttribute cc = new BasicAttribute("countryCode", "0");
attrs.put(cc);
BasicAttribute it = new BasicAttribute("instanceType", "4");
attrs.put(it);
ctx.createSubcontext("cn=FBXX,cn=users,DC=gedeon,DC=fr", attrs);
changePassword ("cn=FBXX,cn=users,DC=gedeon,DC=fr", "TOTO" , "FBX");
ctx.close();
catch (NameAlreadyBoundException nex)
System.out.println("User ID is already in use, please select a different user ID ...");
catch (Exception ex)
System.out.println("Failed to create user account... Please verify the user information...");
ex.printStackTrace();
return true;
public final void changePassword(
String argRDN,
String argOldPassword,
String argNewPassword)
throws NamingException
ModificationItem modificationItem[] = new ModificationItem[2];
try
modificationItem[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,new BasicAttribute("unicodePwd",(byte[])this.encodePassword(argOldPassword)));
modificationItem[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,new BasicAttribute("unicodePwd",(byte[])this.encodePassword(argNewPassword)));
catch (UnsupportedEncodingException e1)
System.out.println("changePassword(String argOldPassword, String argNewPassword)" +
"Passwordchange failed: " + e1.toString());
throw new RuntimeException(e1.toString());
try
ctx.modifyAttributes(argRDN, modificationItem);
catch (NamingException e1)
System.out.println(
"changePassword(String argOldPassword, String argNewPassword)" +
"Passwordchange failed : " + e1.toString());
throw e1;
private byte[] encodePassword(String pass) throws UnsupportedEncodingException
final String ATT_ENCODING = "Unicode";
// Agree with MS's ATTRIBUTE_CONSTRAINT
String pwd = "\"" + pass +"\"";
byte bytes[] = pwd.getBytes(ATTENCODING);
// strip unicode marker
byte bytes[] = new byte [_bytes.length - 2];
System.arraycopy(_bytes, 2, bytes, 0,_bytes.length - 2);
return bytes;
public static void main(String[] args)
addUser testUser = new addUser();
testUser._initialize();
testUser.createUser();
And the result is :
changePassword(String argOldPassword, String argNewPassword)Passwordchange failed : javax.naming.OperationNotSupportedException: [LDAP: erro
r code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
Failed to create user account... Please verify the user information...
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190ADF, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=FBXX,cn=users,DC=gedeon,DC=fr'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2804)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2677)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2483)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1285)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:253)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:170)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:159)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:144)
at addUser.changePassword(addUser.java:129)
at addUser.createUser(addUser.java:92)
at addUser.main(addUser.java:167)
And with "userPassword" no error but no change.
Please, help.
ThanksHello!
I have a new variant of the set password problem, and as i did not get any longer with a big running application i wrote a small standalone program to connect to an Active Directory server, and, hm, it works! I can login with a account which has administrator priveledges, i can set passwords, works fine, unless, and now it gets a little bit curious, unless i change the VM.
Everything works fine with a jdk 1.5.0_07, but if i switch over to the fine new 1.6.0_16, the login works still but the change of a password leads to a not so fine javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0.
As i use the same cacerts file, i do not really understand what is failing here, anyone who has an idea? -
Accessing ACTIVE DIRECTORY FROM JAVA CODE
I am trying to access the Active DIrectory user through a java code.
Kindly let me know the steps apart from creating the user in ADS to be followed so that the following java code may work.
presently it is giving the following error.
problem serching the directory
//package com.axa;
import java.util.Hashtable;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import javax.naming.*;
public class AdHelper
public static void main(String args[])
System.out.println("1");
Hashtable env = new Hashtable();
String adminName = "CN=user,CN=Users,DC=BDC4AXA.CO.IN";
String adminPassword = "user";
String ldapURL = "ldap://10.1.242.51:636";
System.out.println("2");
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
env.put(Context.PROVIDER_URL,ldapURL);
System.out.println("3");
try {
// Create the initial directory context
DirContext ctx = new InitialLdapContext(env,null);
System.out.println("4");
SearchControls searchCtls = new SearchControls();
System.out.println("5");
//Specify the attributes to return
String returnedAtts[]={"sn","givenName","mail"};
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//specify the LDAP search filter
String searchFilter = "(&(objectClass=user)(mail=*))";
System.out.println("6");
//Specify the Base for the search
String searchBase = "DC=ANTIPODES,DC=COM";
System.out.println("7");
//initialize counter to total the results
int totalResults = 0;
// Search for objects using the filter
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
System.out.println("8"); //Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult)answer.next();
totalResults++;
System.out.println("9");
System.out.println(">>>" + sr.getName());
Attributes attrs = sr.getAttributes();
if (attrs != null) {
try {
System.out.println(" surname: " + attrs.get("sn").get());
System.out.println(" firstname: " + attrs.get("givenName").get());
System.out.println(" mail: " + attrs.get("mail").get());
catch (NullPointerException e) {
System.out.println("Errors listing attributes: " + e);
System.out.println("Total results: " + totalResults);
ctx.close();
catch (NamingException e) {
System.err.println("Problem searching directory: " + e);
catch(Exception e)
System.out.println("Unhandled Exception: " + e);
}This is what I have for my LDAP connection.
public Hashtable<String, String> env = null;
public LdapContext ldapContext = null;
public Control[] connCtls = null;
Context ctx;
DirContext dirContext;
public LDAPAuth(String ldapurl) {
ldapurl = "ldap://" + serverIP + ":389";
try {
env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.PROVIDER_URL, ldapurl);
env.put(Context.SECURITY_PRINCIPAL, "cn=username,cn=users" + baseName);
env.put(Context.SECURITY_CREDENTIALS, "password" + baseName);
env.put(Context.SECURITY_PROTOCOL, "ssl");
ctx = new InitialContext(env);
} catch (Exception e) {
System.out.println(" bind error: " + e);
e.printStackTrace();
try {
ldapContext = new InitialLdapContext(env, connCtls);
} catch (AuthenticationException e) {
System.out.println("Authentication exception " + e);
} catch (NamingException e) {
System.out.println("Naming exception " + e);
public Attributes fetch(String username) throws NamingException {
DirContext ctx = new InitialDirContext(env);
Attributes attributes = ctx.getAttributes(username);
try {
System.out.println("fetching: " + username);
Object obj = ctx.lookup("cn=" + username
+ baseName);
System.out.println("cn=" + username + baseName + "is bound to: " + obj);
//attributes = obj.getAttributes("");
for (NamingEnumeration<?> ae = attributes.getAll(); ae
.hasMoreElements();) {
Attribute attr = (Attribute) ae.next();
String attrId = attr.getID();
for (NamingEnumeration<?> vals = attr.getAll(); vals.hasMore();) {
String value = vals.next().toString();
System.out.println(attrId + ": " + value);
} catch (NamingException e) {
System.out.println(" Problem looking up " + username + baseName + ". " + e);
return attributes;
Now, I'm sure it has something to do with how I'm passing in the username and the groups. But I want to have ANY user log in, not just this test. I may be a little confused on how this works, but if anyone could explain to me why what I am trying to do doesn't work, I would greatly appreciate it.
Thanks in advance,
Tetsuya.
Edited by: tetsuyamasamune on Sep 8, 2008 3:55 PM -
Unable to connect to Active directory from obiee 11g
Hi Gurus,
I was trying to integrate Active directory into OBIEE 11g. Followed the Oracle documentation and Rittman Mead too but cannot get past a connection issue. I create a new provider,provide the connection details,use bissytemuser in AD as the Principal but when WLS is bounced/restarted, it fails to connect and throws the below error:
"Cannot initialize identity store, cause: oracle.security.idm.ConfigurationException: javax.naming.CommunicationException: <hostname>:389 [Root exception is java.net.UnknownHostException: <hostname>]".
Not sure if this makes a difference but admin and managed server come up but not analytics.
Please help me out with scenarios to test if my bi server is connecting to AD or not?
Thanks,
DanTo answer this need more details.
btw: I would suggest to check these
Property Name=virtualize
Value=true
and
Control Flag list to OPTIONAL
you may send me email -
Active Directory Error(error code 53 - 0000001F)
Hello,
We got a webapp writing to AD, that is throwing the following error:
Root exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0We are using 'unicodePwd', ssl is enabled and the account that is writing to AD is domain administrator account. Also, our webapp is on a different domain(Linux) than Active Directory, though this has not caused us problems in the past.
Our previous version of the code was working, and the only change made in the code is that we allow dot(.) character in the user name. However, the test case that failed does not have a dot(.) in the user name.
Any ideas? I haven't found anything on google that helpedused to work, but now you've moved the web application somewhere else, and now it doesn't work ?
Well the obvious question is what exactly have you changed ? What is the difference between when it used to work and now ?
-- Not much has changed! (I can't debug the code that actually makes the call, all I have is a jar by another group that does all the "low-level" stuff. ) I know for a fact that we are now allowing the user name to contain a dot character. But, the test case that failed does not contain the dot character. It is possible that other changes have been made, but after scanning a few of the files the code looks the same.
-- Forget, the domains part, it's only confusing. My fault mentioning it.
Does the password meet the complexity requirements. Is it performed over a secure connection such as SSL or TLS ?
-- Yes, I checked the password policy --we have disabled most requirements
-- Yes, I believe so
-- The attributes
userAccountControl=66048
scriptPath=Logon.bat
ldap.first.name.property=John
ldap.email.property=[email protected]
homeDirectory=\\10.10.10.10\Users\b216
ldap.last.name.property=Smith
profilePath=\\10.10.10.10\Users\b216
cn=b216I guess I'll have to wait for the developer who wrote the code to help me out, because it seems like something changed in the code below me. Our test cases are the same.
However, if you do know what this error usually indicates, it could help us solve the problem faster.
Thanks!
Maybe you are looking for
-
Trying to Locate Email Address For HP LaserJet Pro P1606DN
I am trying to locate my HP LaserJet Pro P1606dn email address for e-printing. The HP site says to use the two-line screen, but my printer has no screen. Please help.
-
Ipad won't sync all my photos from new mac
I have an original i-pad which used to sync all photos from my old mac - now I have a new mac and only some of the photos will sync with ipad - some photos are old and some are recent so it;s not an age thing. Have updated ipad software and that has
-
How do I get my gallery photo pages in iweb to publish on my site ?
HI I have recently upgraded to iweb 09 from iweb o6. I have also upgraded from tiger to snow leopard and now have a terabite size hard drive. Iweb was working great before , but now i cannot get my website to upload correctly using ftp fetch. fetch i
-
Printing QR codes and Barcodes together
Dear All, I have referred the following link to print QR code as a post script: http://scn.sap.com/people/robert.russell/blog/2010/10/25/barcodes-in-sap-with-the-barcode-writer-in-pure-postscript While printing my SAP Script/ SMARTFORM output on any
-
How can I find my themes that I've tried already?
I wanted to try a theme, keep it on for a little, and then go back to the other one I had earlier. I did it once, but I don't remember/understand how. Please help!