Delegation with BO BUS2078

Similar Messages

• IPv6 prefix delegation with AVPair ipv6:delegated-prefix

  Dear all
  I have a LNS running c7200-adventerprisek9-mz.124-24.T4.bin.
  I am trying to delegate IPv6 prefixes to vpdn users as described in
  http://www.cisco.com/en/US/customer/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602131.html#wp9000270
  From this whitepaper: "When the delegating provider edge router supports  RFC 4818, only one user profile is stored for the RADIUS server. In  addition the RADIUS server may be configured with a DNS server per user,  which overwrites the providers edge router's default DNS server address  configured in the DHCP pool"
  Our Freeradius has the following user entry according to the mentioned whitepaper:
  user@foobar Auth-Type = Local, Password == "foo"
     Service-Type = Framed-User,
     Framed-Protocol = "PPP",
     Framed-IP-Address = "10.0.0.1",
     Framed-IP-Netmask = "255.255.255.255",
     Framed-MTU = "1492",
     Framed-Compression = "Van-Jacobson-TCP-IP",
     Cisco-AVPair = "ipv6:prefix#1=201:DB8:F1:0::/64",
     Cisco-AVPair += "ipv6:delegated-prefix=201:DB8:AAAA::/48",
     Cisco-AVPair += "lcp:interface-config=mtu 1460"
  If I try to connect this user I get the PPP-Link established with prefix 201:DB8:F1:0::/64 as expected. But instead of providing the delegated prefix from the AVPair the router queries the radius server again for the user user@foobar-dhcpv6pd which I have not configured since I assume that this router "supports RFC 4818", right?
  So why does it as for user@foobar-dhcpv6pd ?
  Thanks for any hint,
  Grischa

  Hi,
  RFC4818 is supported starting with 15.1(1)T or later. 151-2.T2a seems to have an issue though.
  HTH
  Laurent.

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• SharePoint 2013 - Asking for password with NTLM

  Hi All,
  We have deployed a web application using NTLM with single sign on. It’s a secure site and in IIS bindings we have SSL certificate attached with this web application. However, many users are keep getting windows authentication prompt as shown:
   There are lot of blog posts that solve the issue by adjust IE settings >> Security >>
  Sites >> Advanced >> and added the site URL and
  Security
  >>   Local Intranet >> Custom Level >> At bottom choose “Automatic logon with current username and password”
  http://blog.fpweb.net/sharepoint-credentials-prompt-quick-tip/#.VPBz3vmUdUW http://www.sharepointdiary.com/2012/04/sharepoint-keeps-asking-for-password.html
  https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/ (IE, Chrome, Firefox)
  http://social.education.purdue.edu/edit/2011/03/sharepoint-pw-prompts/
  I have tested the blogs posts and change the settings in our development environment
  and no windows authentication was shown with my username on the SharePoint 2013 environment. But, all related to change IE settings. In our organization, we have around
  2000 users. It be impractical to set for users for these IE settings and network team regularly pushes group polices.
  Q: Is some configuration has to be set on IIS or
  some settings on SharePoint that users don’t get windows authentication? I have tried most of options but could not resolve this issue.
  Any pointers would be greatly appreciated.    
  Cheers,    
  Aroh Shukla

  Sites go into the Intranet Zone, not the Trusted Zone. Only Intranet is configured, by default, to automatically pass credentials to SharePoint.
  Yes, there are scenarios where this may not work, e.g. if you've configured the Web Application with Kerberos but didn't configure the SPN. Or if you're using Kerberos Constrained Delegation with Domain Controllers older than Server 2012 and your users are
  in a different forest, etc.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Delegated Object's event not appearing in the "start event" tab

  Hi,
  I have created a object type say Y00Mara( copy of BUS1001) ....then created a subtype from it  ...called Ymara00.
  then I created a deleegation ...if I test the supertype i can now see the new objects/attributes etc...
  I also added one event "old_material_changed"  in the subtype and changed the status on both the subtype and delegted obj to "implemented".
  when i am trying to use this delegated obj in the "start event" tab of a WF ...the new event "old_material_changed" is not appearing...
  what maay be thhe reason

  HI,
  Please maintain the delegation with the subtype ( Y00Mara)  and supertype ( BUS1001 ) by using transaction SWE_SET_DELEGATION. Now run the above transaction.
  Click on new entres.
  Enter the follwoing values...
  Object type  :  BUS1001
  Person responsible : your sap user id
  Delegation type :  Y00Mara
  Save it.
  Now whenever you use BUS1001, all the custom mentod, events will be available there.
  Thanks and regards,
  SNJY

• Delegation in the WD framework.

  Hi,
  I am trying to understand modus operandi of WDF.So few doubts to start with:
  1.How exactly Private Controller which is a facade achiving the delegation with the internal classes I understand the implementation inheritance over here which is quite evident but still to conceptualize it.Please have a look at the following piece of code that belongs to the private view controller:
  public static class IContextElement extends com.sap.tc.webdynpro.progmodel.context.NodeElement
      private InternalXMLControllerView gen_delegate;
      public IContextElement(InternalXMLControllerView delegate,com.sap.tc.webdynpro.progmodel.gci.IGCINodeInfo info) {
        super(info);
        gen_delegate = delegate;
  Looking at the following code one would only realize that private controller as facade.So to get a better understanding of the same I would be interested in knowing the following.
  Relevance of making the context a static class.
  & Relevance of the generic component Interface /its role in this pattern.

  Anumit,
  You might want a have a look at this thread.
  Re: WD Project iView to another WD Project IView navigation
  Hope this helps.
  Cheers,
  Sandeep Tudumu

• AE 5.2 Approver Delegation working after valid to date

  We have a user that set up an approver delegation with a valid to date of 06/03/2008 and as of 6/20/2008 it is still working.
  Has anyone else seen this and know of a fix, besides deactivating the delegation.

  Clark-
  Yes, this is a bug that SAP will address in SP 9 or 10, not sure.
  Right now, you have to manually make the delegation inactive or delete it...
  Ankur
  GRC Consultant

• ClassLoader delegation and instanceof

  Hi there !
  I have a framework with an sdk allowing people to develop some kind of plugins.
  I provide a generic framework in a package (A).
  Independently, I provide an sdk which basically consist in a package (B) including the class CXXX.
  The customer then can implement its own class CXXXImpl which inherits from CXXX (CXXX also implements IXXX).
  At runtime:
  - in the manifest of my app (A) I have an entry pointing to (B)
  - so I'm using my default class loader to access CXXX
  - one of my customer gives me an external jar including the class CXXXimpl_n which inherits from CXXX
  - I can use an URLClassloader to load CXXXImpl_n
  - all of this works fine
  ...BUT...
  Then, I want to:
  1) first ensure that CXXXImpl_n inherits properly from CXXX
  but this does not work because CXXX and CXXXImpl_n are not loaded using the same classloader
  2) cast CXXXImpl_n as CXXX and access the CXXX known methods (I could use also interfaces but the problem would be the same)
  I do not really understand very well the delegation mecanism.
  Here is my (pseudo)code:
  File totoImplJarFile = new File("toto/" + jarName);
  URL totoImplURL = totoImplJarFile.toURI().toURL();
  URLClassLoader jarLoader = URLClassLoader.newInstance(new URL[] {totoImplURL}); // should normally delegate first to the default classloader as far as I understood !?
  String mainClassName = this.getMainClassName(totoImplURL);
  Class launcherMainClass = jarLoader.loadClass(mainClassName);
  Object launcherMainClassObject = totoMainClass.newInstance();
  if (totoMainClassObject instanceof CXXX) {
     CXXX xxx = (CXXX)totoMainClassObject;
     xxx.doThings();
     xxx.doThings();
  }Currently, the instanceof returns false even if the class is a child of CXXX. This is because both are not loaded using the same classloder... but what would you recommend to get it working ??? I though the delegation would have allowed to do so... but it sounds it's not the case :(
  Could you explain please ?
  Cheers,
  Eg\\*

  No idea about a possible change in the package structure...
  I added some traces with the following code:
                          System.out.println("- - - classloader plugin           = " + launcherMainClassObject.getClass().getClassLoader());
                 System.out.println("- - - classloader plugin's parent  = " + launcherMainClass.getSuperclass().getClassLoader());
                 System.out.println("- - - classloader CLauncher        = " + CLauncher.class.getClassLoader());
                 System.out.println("- - - classloader this             = " + this.getClass().getClassLoader());
                 /********** Double-check that it is really a launcher *********/
                 if (launcherMainClassObject instanceof CLauncher) {
                      System.out.println("- - - - - thread good instance");
                      CLauncher launcher = (CLauncher)launcherMainClassObject;
                 } else {
                      System.out.println("- - - - - thread incorrect cast !!!!! " + launcherMainClassObject.getClass());
                      return;
                 } This gives the following result:
  - - - classloader plugin           = java.net.URLClassLoader@1982fc1
  - - - classloader plugin's parent  = sun.misc.Launcher$AppClassLoader@df6ccd
  - - - classloader CLauncher        = sun.misc.Launcher$AppClassLoader@df6ccd
  - - - classloader this             = sun.misc.Launcher$AppClassLoader@df6ccd
  - - - - - thread incorrect cast !!!!! class com.toto.titi.tutu.CLauncherImplSo it is verified that the superclass is well loaded using the default class loader. Only the plugin is loaded through the URLClassLoader using:
  jarLoader = new URLClassLoader(new URL[] {launcherImplURL}, CLauncher.class.getClassLoader());Hum... it sounds like delegation does not work or I'm using something incorrectly. Any experience with classloader delegation with Jdk 1.6.0 ?
  Eg\\*

• Cannot sort in file/folder access control list in 8 or Server 2012

  I use Windows 8 and Server 2012 Datacenter (with GUI).  In 7/2008R2, I was formerly able to get properties on a file or folder, go to Security tab, click Advanced, and sort the access control list by type, access, inherited from, etc.  Now, it
  doesn't do anything when I click on the headings.   I know I did not find this during the Beta or Release Preview periods, but I do wish this feature would be added back.
  I tried to send this through MS Connect, but they said it was a Server 2008 issue.  Does that mean that it was never supposed to sort?  But I argue that 8 and Server 2012 have the bug.  Here is an image of the window I am referring to, for
  clarification:

  This is really frustrating. Just got 2012 R2 management server and a week after, I noticed the same issue. The only difference is that I'm sorting AD delegation, with 150+ ACEs. While having huge lists of ACEs, it is a must of being able to sort them
  by different columns. Sad that it is considered a bug - it's usually an opposite, when a bug is offered as a feature...
  I still hope this will be fixed with time to come, else - it will be more practical to use PowerShell than such handicapped GUI.
  MCSE, MCITP

• Unpaid Leave Configuration in Oracle HRMS

  Hi Champs,
  I have requirement to configure Unpaid Leave. We want to follow the approach where one recurring standard link element will be attached to all the employees to check if leave is existing or not. If leave is existing then all the deductions will be consolidated and made as one deduction element. If leave is not existing then formula will just return the message.I am looking for setup steps for this.
  If someone has any setup type document mentioning the steps and sample formula, please do provide.
  Thank You in advance.
  Cheers,
  Sandip Jadhav
  [email protected]

  Hi Arun,
  Can the HR not use the normal Absence screens(PUI) for the CEO ?
  Approvals can be delegated with Vacation rules, but with MSS, only a manager can enter absence for employees and not the other way around.
  You could create a custom self-service responsibility with the absence pages and have a custom security profile(to view only a select few). Does that help ?
  Thanks,
  Vignesh

• Account Operators couldn't reset their own passwords

  We have new admin accounts created for the L1 admins and they're supposed to have the ability to unlock accounts, reset user passwords, create, delete and modify groups and membership, manage print servers and add/remove computers to domain.
  These admin accounts are part of Account Operators, Print Operators and another security group (delegated in OU level for managing the workstations in the domain like adding/removing).
  We're using Windows 2012 R2 Standard.
  The issue is the new admin accounts have the ability to perform all their tasks other than resetting their own passwords. Appreciate your response on this as this is creepy and lingering for a week and still couldn't figure out the cause.

  They can change their own passwords, but they can't reset them. It's a limitation of the group.
  By default, that ability to reset (not change) a password, is reserved for the administrators group or a group delegated with the ability.
  Securing Active Directory Administrative Groups and Accounts
  http://technet.microsoft.com/en-us/library/cc700835.aspx
  Issues with members of account operators group in Active Directory inability to reset their own passwordhttps://social.technet.microsoft.com/Forums/en-US/4d3ff82c-38de-4f0f-b516-d32bfb9aa050/issues-with-members-of-account-operators-group-in-active-directory-inability-to-reset-their-own?forum=winserverDS
  Account Operators cannot change their Own passwords
  http://www.winvistatips.com/threads/account-operators-cannot-change-their-own-passwords.552783/
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Small DNS host has not replied in days, how can I transfer my domain?

  I guess I'm not clear if your issue is with the domain registrar, the DNS provider, or the web host?
  In general the answer is to simply choose someone decent.
  If your issue is with the DNS provider it's easy enough to change, just go sign up with a new provider, put your DNS records in place, then update the delegation with your domain registrar so that the new servers are being referenced.

  Hello all, our company has a few domains hosted at a small company, who have hosted it for years, but it seems I can never get a hold of them when I need to. It took a few days last time for them to setup a cpanel with some basic DNS entry editing, but it is only for one of the domains. We have a major change that needs to be made asap to a subdomain, and I have not heard from them since I contacted them Friday.I called the number, submitted their contact form on their site, did a whois on the domain and it listed some other company information I had not heard of as well, so I contacted them as well, yet still nothing from anyone. Is there any way to get our domains off of there, and on to a bigger, trusted company? We have many hosted with dreamhost, and they have been very easy to deal with, and I would like to keep them all in one...
  This topic first appeared in the Spiceworks Community

• Why does my Fieldpoint OPC server time out?

  I'm using Fieldpoint Explorer 3.01 with 1600 ethernet modules. I'm using Wellspring Solutions' Object Automation as an OPC client to read and write to I/O. Everything works fine on one computer running Win NT 4.0. Another computer, however, is running NT Server 4.0, and the OPC reads/writes from Object Automation work for exactly 1759 seconds (or approx. 121 minutes), and then the Fieldpoint Server "times out", and the only way to get it to work again is by shutting down and restarting Object Automation, assumedly this somehow reinitializes communication with the server. This is a repeatable error that occurs at exactly the same time, every time. This only happens with the National Instruments Fieldpoint OPC server (I'm
  using several) on one of the machines. I tried reinstalling the Fieldpoint OPC Server several times to no avail. I've used other OPC clients (from OPTO22, or Rockwell, Matrikon, Kepware) and can't communicate until Object Automation is shutdown and restarted. Any help or ideas on how to further troubleshoot would be appreciated, thanks.

  Aaron, attached are 3 log files generated in a test that I ran. The test used Object Automation to turn on and off a relay channel (OPC item: Common FP Res\FP-RLY-420 @4\Channel 1) every 10 seconds. I used the Matrikon OPC delegator with the OPTO22 Test Client (written by Rockwell) to monitor the channel at the same time (the delegator would NOT work with Object Automation directly). The OPCDelegatorOPTO22TestClient.txt file is the log file for this client. Basically, the test started around 13:07 and lasted the usual 121 minutes. Then the OPC writes stopped around 15:08, at which time I tried to manually read and write to the channel using the OPTO22 client, generating the errors towards the end of the logfile. Incidentally, I don't k
  now what the errors at the beginning of the file are, but there are no noticable problems until after 121 minutes. I then tried to use the Kepware OPC test client with delegator to read and write to the channel but this also did not work, and the logfile OPCDelegatorKepwareTestClient.txt is for that test. The other logfile (OAlogfile.txt) is the logfile generated by OA, see the end of file for the error. They should all be text files, not sure why one of them is listed as binary below. Let me know if this helps or if there is anything else I can provide.
  Attachments:
  OAlogfile.txt ‏526 KB
  OPCDelegatorKepwareTestClient.txt ‏50 KB
  OPCDelegatorOPTO22TestClient.log ‏517 KB

• Asr9k dhcp proxy

  Hi.
  There's a propietery dhcp server that in certain cases, assigns yiaddr=127.0.0.1. The goal is to get rid of unwanted clients.
  An asr9k configured as dhcp proxy sends a release for every ack for yiaddr=127.0.0.1, so client never gets this assignment and tries again and again multiplying traffic.
  I know this dhcp server config doesn't make much sense, but I don't see any limitations about this on rfc2131 nor draft-ietf-dhc-proxyserver-opt-05.
  Is there any way to workaround this?
  Thanks!
  Diego

  hi vikas,
  yeah that is the current existing limitation we have whereby the Prefix-Delegation with a local server is tied to all subscriber access interfaces.
  If you need more granularity we can provide that by using radius and an offbox dhcp server if that is an option for you.
  This way you have the ability also to load a dhcp class from radius to signal to the dhcp server this class so a more selective pool can be used.
  Mixing local dhcp server with offbox is currently not available.
  I would like to do this functionality, but it is not a quick fix unfortunately. So if that on a per access interface bases local DHCP pool is a requirement, I would need to redirect you to your account team and facilitate a discussion with our eng group to see what can be done when.
  Today; (using) radius (for pool selection on an OFF-box server) is your best option.
  cheers!
  xander

• Trying to create a linked server to a remote 3rd party server using an AD group

  I am the DBA at our organization so I have full authority to all of our local SQL Server databases but we have data in a remote 3rd party SQL Server database that is only read-only.  The 3rd party has granted the read only privileges to one of our AD
  groups - let's call it mydomain\adgroup1.  I would like to create a linked server from one of our local SQL Servers to the remote database.  I'm not sure how to do this. 
  I have set the AD group up as a login and a user in my local database.  When I try to create the link, I used the mydomain\adgroup1 as the local login and, since the same credentials exist in the remote server, I checked the impersonate box and click
  OK but I get "mydomain\adgroup1 is not a valid login or you do not have permission".  Is it possible to create a linked server using an AD group?  As of now, we only have the AD group permissions in the remote database.  We could probably
  request a single SQL Server account to be created on the remote side and we could create the same on our side, but we are trying to keep things as simple and transparent as possible (and we would really like to move more toward AD security and away
  from individual users in the db).
  Can anyone give me advice on how to get these two SQL Servers linked?

    From your description, you likely want to implement Windows authentication for linked server, which requires to implement Kerberos constrained delegation.
   I would recommend the following link to get started: 
  How to Implement Kerberos Constrained Delegation with SQL Server 2008 (https://msdn.microsoft.com/en-us/library/ee191523%28SQL.100%29.aspx?f=255&MSPPError=-2147217396
    -Raul Garcia
     SQL Server Security
  This posting is provided "AS IS" with no warranties, and confers no rights.