Dynamic Local User Issue

Similar Messages

• Dynamic Local User

  Hi,
  I have ZfD 3.2 working with a Dynamic Local User (DLU) setup to remove the
  Windows XP logon screen and to control student access to the workstation.
  The DLU is a member of the Windows group "Users"
  I have a full install of Office 2000 Pro (excluding Outlook). The problem I
  have is that when a student logs in and starts WORD they are asked to supply
  the Office 2000 CD to complete the installation, "The feature you want is
  not installed..."
  This fails as a "User" does not have rights to install programs. If I make
  the DLU a member of "Administrators" then the Install will finish but the
  same thing happens when the student logs in again. In any case I need to
  have students only members of the "Users" group.
  How can I stop this happening?
  Ian

  Ian,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses: http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• IPTV Content Manager and Novell 6 Zenworks Dynamic Local User

  We are running Cisco IPTV viewer 3.2.24 along with Windows 2000 Professional on Dell260 workstations. We run Novell, version 6 with Zenworks 4 and Dynamic Local User to create a new user on the workstation. Every time a new user is created we have to add the tcp/ip address for the Content Manager. Is there a way to retain the address of the Content Manager for any user that is created on the local workstation so that we don't have to enter the address each time a new user sign-on to the workstation?

  Unfortunately, it seems, there is no work-around for this problem in 3.2 version of the IPTV Viewer. The Content Manager address is stored in the registry setting in HKEY_USERS.
  The behavior is different for viewer 3.4 where the CM address is stored in HKEY_LOCAL_MACHINE and is common to all users.
  Solution is -
  a. Upgrade to IPTV 3.4 or 3.5 Viewer
  or
  b. Use the Web-based Program Guide
  You could also try playing around with setup.ini/iptv.ini {GuideServer= and GuideServerPort= } settings to see if there is any luck to hard-code this information while installing the software.
  More information is available at http://www.cisco.com/univercd/cc/td/doc/product/webscale/iptv/iptv32/admin_gd/chap4.htm

• Dynamically Identifying user issuing SQL statement

  Client wants to provide security to certain data by first capturing the identity of every user issuing a SQL statement, then, based on the user and a security table, allow access to certain data. Is this doable? TIA...

  Oracle has a whole product centered around this called "Label Seurity", which I'm guessing may be too much for your needs. Check out this marking shag for info about "virtual private databases" http://technet.oracle.com/deploy/security/oracle8i/pdf/vpd_wp6.pdf
  Basically, the idea is that the "old school", but still perfecly fine, way to do it is to create views for each group of users and grant permissions to the views for the appropriate users. Optionally using synomyms into their schemas to give users the same name for the different views.
  The virtual private database and similar stuff is hard to explain. I think of it as the db engine auto-adding a where clause to each sql statement based upon who you are. If that makes any sense.
  I've tried this a couple of different ways, but have yet to hit upon one that seems easy & generally applicable.
  Good Luck -d

• Windows 8.1 Dynamic Local User?

  Greetings
  I am running Zenworks 11.3
  I have 4 windows 8.1 desktops that I am testing the latest Novell Client and Zenworks Agent.
  Everything works great, I am able to authenticate with novell and zenworks creates the local user account on the desktop. The problem is.... Microsoft's Windows 8.1 does the "splash screen" for about 3 minutes while it "installs the applications" for the Windows 8 metro stuff. This happens for *Every* user that tries to login to that workstation. Once they login once they are fine, but... i can't have the kids wait 3 minutes while Windows 8 does the needfull....
  Is there anyway to prevent this? Can I have my students Authenticate with Novell as a unique student... but then utilize a generic "Student" profile that is already on the Device? that way they don't need to wait 3 minutes?
  I can install DeepFreeze which will reset the settings everytime they logout... so the next person gets a clean Student profile..... but something has to happen about the delay....
  Any suggestions?
  I am willing to pay^H^H donate money to somebody to help me out with all of this if required!
  Thanks!
  John

  Yes, you can configured the DLU policy to use a Specific Account.
  Make sure to enable "DLU Caching", otherwise it will be volatile.
  You can also try and tweak your Default User Profile, so that it is
  based on a profile that has already run that process.
  You may want to ask in the MS Forums if there is a way to turn that off
  for new users, but don't reference DLU or ZENworks as they will not know
  about that.
  On 7/30/2014 9:06 PM, johnatoswayo wrote:
  >
  > Greetings
  >
  > I am running Zenworks 11.3
  >
  > I have 4 windows 8.1 desktops that I am testing the latest Novell Client
  > and Zenworks Agent.
  >
  > Everything works great, I am able to authenticate with novell and
  > zenworks creates the local user account on the desktop. The problem
  > is.... Microsoft's Windows 8.1 does the "splash screen" for about 3
  > minutes while it "installs the applications" for the Windows 8 metro
  > stuff. This happens for *Every* user that tries to login to that
  > workstation. Once they login once they are fine, but... i can't
  > have the kids wait 3 minutes while Windows 8 does the needfull....
  >
  > Is there anyway to prevent this? Can I have my students Authenticate
  > with Novell as a unique student... but then utilize a generic "Student"
  > profile that is already on the Device? that way they don't need to wait
  > 3 minutes?
  >
  > I can install DeepFreeze which will reset the settings everytime they
  > logout... so the next person gets a clean Student profile..... but
  > something has to happen about the delay....
  >
  > Any suggestions?
  > I am willing to pay^H^H donate money to somebody to help me out with all
  > of this if required!
  > Thanks!
  > John
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• DLU with Windows 7 x64 & Existing local user

  Hi, I have a strange bug. I have a Windows 7 x64 Enterprise SP1 that I'm trying to configure a volatile user on it. I have also configured my Windows 7 to do an auto logon with a local Windows account which is "Usager". I also modified the registry to disable CASA.The auto logon work perfectly and CASA doesn't appear either. So I have configure my DLU with the "Use the credential specified below (Always volatile)", the "Use user source password and the "Manage existing user account (if any)" options. Finally, I add to the registry the "AllowDLUWithoutNovellClient" registry key under "HKEY_LOCAL_MACHINE\\SOFTWARE\\Novell\\Authenticat ion" since I dont have the Novell client install on the computer. Now each time I log off and logon again I can see that the volatile user never applies. Why does the DLU never delete the "Usager" profile? What am I missing here? We are running here 11 SP2.
  Thanks in advance for the help!

  Shaun, after rechecking everything I made some little progress. I'm now able to make it work but not always! I just can't find a pattern to the why it works now and not later on. Sometimes I just reboot and that's it. Other time I can reboot the computers 10 times in a row it just won't work. Is there something in the logs on the workstation that I could use to make sense here?!
  Note: I'm following the guide lines in the pdf "zen11_cm_policies.pdf" on page 30 in section "3.2.3 Implementing the Dynamic Local User Policy Without the Novell Client".
  Thanks again for the help!

• How to use different (not local) user for NTLM auth in Authenticator?

  Hi All,
  I use custom authenticator to provide user / passwords to connect to .NET Web Services. I overloaded function getPasswordAuthentication() that returns right user / password combination for the requested URL. It all works perfectly for many kinds of HTTP connections: basic, ntlm, ntlm-v2, through proxy, ssl, etc.
  My problem is that during NTLM authentication from Windows computers JVM uses credentials of the currently logged in domain user instead of calling Authenticator to get other user / password provided by the user. In case when local user credentials fail to authenticate, JVM calls my Authenticator but in case authentication is successful it does uses local domain user and never calls my Authenticator. The issue is when this local domain user does not have enough permissions but authenticated correctly there is no way to supply JVM with another user to begin with.
  What can I do to force JVM to ignore local domain user and to use Authenticator to collect credentials during NTLM authentication requested by the server in case the software runs on a Windows box with currently logged in domain user?
  I am looking for the answer for a long time already but found only questions and suggestions to switch server from NTLM authentication which is not an option for me. From the developer's view it has to be pretty simple change for Sun to do in Java networking API. Is there any way to escalate it to Sun support? Maybe there is some property in some JRE patch level that allows to do this?
  Thank you very much!
  Mark

  Thank you for the reply. I have kind of an opposite problem. I can perfectly connect from Linux computers to Microsoft IIS servers using NTLM or even NTLMv2 authentication. My problem is connecting from Windows client computer joined to the same domain as IIS server with the domain user logged in to this computer. In this case this user account will be used in any HTTP connections I initiate to this IIS server instead of the one that I want to supply in my custom Authenticator.
  I have graphical interactive application that connects to IIS Server. When user runs it and connects to IIS server I want to prompt for the user/password regardless whether JRE may correctly authenticate using current user account credentials. The current user may not have enough permissions in IIS application so I want to use different user to login to IIS application.
  Thank you anyway,
  Mark

• COREid Federation Error: A local user session could not be created for the

  Hi,
  I installed two instances of COREid Federation in my machine. Also installed SiteMinder and LDAP. Source Domain of COREid (8101) uses LDAP as IdMBridge and Destination Domain (9101) uses SiteMinder as IdMBridge. I am trying to access the resource protected by the SiteMinder from the source domain using the URL which is constructed using the pattern given in the PDF:
  http://mymachine.domain.com:8101/shareid/saml/ObSAMLTransferService?DOMAIN=DestinationDomain&method=POST&TARGET=http://mymachine.domain.com:8887/Source/Source.html
  Assertions are generated and I can see the assertion in the Source domain and transferred to the Destination Domain.
  I get the following error in the Destination Domain Shareid Log file:
  ERROR - [http10113-Processor3] - RECEIVER: ERROR: A local user session could not be created for the assertion
  Please help me to solve this issue?
  Note: The Web agent runs on the web server instance 8887.
  SiteMinder is able to protect the resource when accessed.

  Typically that error occurs when the destinations access management system can't find the user based on the SAML attribute. Check to make sure that the attribute that you are matching on matches exactly.

• SHAREid - A local user session could not be created for the assertion

  Problem: We have a client trying to federate to our environment using POST profile but we are getting the following error, "RECEIVER: ERROR: A local user session could not be created for the assertion".
  I verified that the user exist in the directory and I am able to execute a test successfully as that user.
  Thanks.

  There is a requirement that the client needs to send an attribute called "traveler" in the assertion. We found out that the problem occurs only when client sends a attribute in the assertion. When the assertion does not include the attribute, there is no issue. Not sure why that is the case as we have other clients sending the same attribute in the assertion.
  Here is the AttributeStatement.
  <saml:AttributeStatement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">XXXXXX</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="XXXID" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>XXXXX</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  It does not have <saml:SubjectConfirmation> and <ConfirmationMethod> element. Can that be a problem?
  Thanks,
  Vinay
  Edited by: user504421 on Jul 9, 2009 2:17 PM

• Local user account is trying to autenticating against domain controller

  Hi all.  I am seeing a weird user logon issue on one of my laptop and on another user's PC.  Both of the laptop and the PC is a member of our domain.  However, on this particular laptop and PC, we are not login with a domain user account,
  rather we've created a local user account, grant it the local admin access, and login with this local user account.  Now, on my domain controller, I am seeing a bunch of account login failure message, which happens few times per minute and filling up
  the domain controller security log.  For the laptop, this is a clean build, with fresh Windows 7 installation, alone with MS Office 2010 and few third party application (eg: Adobe Reader, 7-ZIP, etc).  I've checked all group policy to ensure there
  are no service or connection that requires domain credential access that have applied to this laptop (or the PC).  I am not sure why this local user is trying to authenticating to our domain controller.  This user account doesn't exist in our domain. 
  The only thing I can think of is Microsoft Outlook 2010 might doing back ground authentication against the domain controller by using the current login user account, I just can't confirm this.  Did anyone encountered this issue in their environment? 
  Thank you.
  Below is a copy of the event.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          13/06/2014 8:56:27 AM
  Event ID:      4625
  Task Category: Logon
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      domaincontroller.mydomain.local
  Description:
  An account failed to log on.
  Subject:
      Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  Logon Type:            3
  Account For Which Logon Failed:
      Security ID:        NULL SID
      Account Name:        dummy
      Account Domain:        l-sparet400sc
  Failure Information:
      Failure Reason:        Unknown user name or bad password.
      Status:            0xc000006d
      Sub Status:        0xc0000064
  Process Information:
      Caller Process ID:    0x0
      Caller Process Name:    -
  Network Information:
      Workstation Name:    L-SPARET400SC
      Source Network Address:    192.168.2.181
      Source Port:        60720
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4625</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
      <EventRecordID>299829083</EventRecordID>
      <Correlation />
      <Execution ProcessID="488" ThreadID="640" />
      <Channel>Security</Channel>
      <Computer>domaincontroller.mydomain.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-0-0</Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="TargetUserSid">S-1-0-0</Data>
      <Data Name="TargetUserName">dummy</Data>
      <Data Name="TargetDomainName">l-sparet400sc</Data>
      <Data Name="Status">0xc000006d</Data>
      <Data Name="FailureReason">%%2313</Data>
      <Data Name="SubStatus">0xc0000064</Data>
      <Data Name="LogonType">3</Data>
      <Data Name="LogonProcessName">NtLmSsp </Data>
      <Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">L-SPARET400SC</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x0</Data>
      <Data Name="ProcessName">-</Data>
      <Data Name="IpAddress">192.168.2.181</Data>
      <Data Name="IpPort">60720</Data>
    </EventData>
  </Event>

  its the service which is using the account info and authenticating against the DC to obtain service ticket and fails
  Interesting log section is NULL SID which doesn't corresponds to any account name.
  Security ID:        NULL SID
      Account Name:        -
      Account Domain:        -
      Logon ID:        0x0
  and the below section explains , the request is made over network, which is most of the times by the service
  Detailed Authentication Information:
      Logon Process:        NtLmSsp
      Authentication Package:    NTLM
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  The below is assumed to be performed on a client which does not run mission critical production applications which has zero impact when you perform the below actions,
  can you disable
  a) Server service
  b) Workstation service
  c) Disable RPC dependent service and services which depend on RPC and test
  Question:
  What is the level of DC hardening you have in your environment ?

• Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

  Hi,
  I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
  After hours of testing and working with other users I have managed to isolate a simple situation that breaks all metro ui applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
  Before continuing if you are running Avast then your solution may be to turn of the behaviour shield functionality as this also breaks metro apps. This is NOT the problem we are having!
  I have performed 3 cleans installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines. 
  First thing to say is that for us it has nothing to do with simply joining the domain, domain/group policies nor does it appear to have anything to do with the software we installed, the problem here is much more simple but the result is pretty terrible.
  Here are my exact steps of what I did to reproduce our problem:
  Complete format of HDD in preperation for a clean install
  Clean install performed
  Set up the machine initially with a local account
  Test metro apps - all working fine
  Open control panel from the desktop, click on System, change the system to join the domain, click reboot
  Log into the system using my domain account
  Test metro apps - all working fine
  Here's were the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
  I go to control panel via the desktop and click on User Accounts. From with here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine
  In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - Image included below (important to note that metro apps are working at this point)
  I click add and then add my domain account - also giving it administrator access
  Sign off or reboot to ensure the new security is applied
  Sign back in to the domain account
  Test metro - ALL BROKEN
  Sign out
  Sign in as local account
  Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
  So as soon as I add my domain account to the local user accounts and set it as admin it breaks all metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
  Annoyingly if I go back and change the domain account to a standard user or if I totally remove the domain account from the local account management system the problem does not go away for either user. basically it is now permanently broken. The only fix I
  could fathom was a full re install and not giving the domain user admin access to the local  machine.
  Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (All metro apps working at this point)
  Screen 2: User accounts AFTER joining the domain and AFTER adding domain account to local user management (METRO BROKEN)
  I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that metro apps break as
  soon as they join the domain which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
  Thanks

  Hi Juke,
  Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
  I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally so I did that and the problem still exists. I will post all the errors I see in event viewer below. For
  your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine then the other guys) in 3 different businesses / domains. We see the same errors
  in event viewer.
  Under "Windows Logs" --> "Application" : I get two separate error events the first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional
  information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
  Under "Windows Logs" --> "System" : I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
  Under "Applications And Services Logs" --> "Microsoft" -->  "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational" : I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the
  Windows.Launch contract failed with error: The app didn't start."
  If you require any further information just let me know and I will provide as much as I can.
  Thanks

• Master Data Services - Can not add new User and MDS can not Identify LOCAL Users

  Team,
  We are using  SQL Server 2008 R2 and system working since long and suddenly we observed mentioned two issues. The server MyServer is already restarted but did not help.  The MDS installed and configured on SAME Machine (MyServer).
    I  have two issues here.
  1. MDM website can not Identify the local Users (MyServer\MyUser).
  The User created on local Machine (MyServer\MyUser). I logged into MDM website using Admin login and click on User and Permission. Then I click on add and Text box appears to type UserName. Here I type "MyServer\MyUser" (MyServer\MyUser is already
  exists and working since long). Then click checkName; I received a message "No exact Match was found for MyServer\MyUser". Where as User from OTHER domain identified in MDM but could not identify ONLY the local users like "MyServer\MyUser".
  2. Can not add new user in Existing working MDM.
  I created windows user on machine (MyServer\MyUser1) and add it in UserGroup having an access to MDM. and then I tried to login to MDM using newly created user (MyServer\MyUser1) ; I see error Access Is Denied. The Permission assigned to UserGroup (not
  to individual user). The new User (MyUser1) should automatically get added in MDM once logged in. This is working for existing users in UserGroup; BUT NOT ONLY for new user (MyUser1).

  Now I Solved this problem in my case.
  I just grant again all permissions according http://msdn.microsoft.com/en-us/library/ff486994.aspx. Now all work fine.
  Hope, it will help 

• Connecting Outlook 2013 for a local user

  We’re having trouble connecting a users connecting a domain user’s Outlook 2013 to our Exchange 2013 server. The user has a domain user account, and an Exchange mailbox.
  However;
   The user in question uses a PC that is physically connected to the network, but isn’t a domain-joined machine. The user is using a locally-provisioned account on the PC.
  The machine can query internal DNS servers, and has network connectivity through to the Exchange server.
  The user can successfully log in to OWA, where everything functions as normal. The user wishes to use Outlook 2013 for archiving of PST files.
  We are having issues creating a mail profile for the user, whether manually configuring or utilising autodiscover.
  With autodiscover, the user enters her name, email address and password in the initial wizard in Outlook 2013. 2 of the 3 steps succeed, before ‘The action cannot be completed. The name cannot be matched to a name in the address list’ error window is displayed.
  Is this because Exchange is having issues with the account being used to create the profile (the local user account on the PC)?
  Now what’s really odd, is that when using Outlook 2013 away from the network (at home), with any PC, the autodiscover method succeeds. What is causing it to fail internally?
  So, with the autodiscover method out of the window, we turned to manually configuring the profile.
  The local name of the Exchange server is entered for the server name, with the user’s email address for the username.
  In ‘More Settings’, the connection tab is configured to ‘Connect to Microsoft Exchange using HTTP’.
  The URL used to connect the proxy server for Exchange, is the external name used for OWA. This is the same address used when the user is using OWA internally/externally, which works without issue.
  Options ‘Connect using SSL only’, along with ‘Only connect to proxy servers that have this principal name in their certificate’ are selected with
  msstd:<external FQDN name> being entered.
  Basic Authentication is selected for the proxy authentication settings section.
  The user is then prompted for credentials. The following formats have been attempted;
  Domain.local\username
  Email Address
  [email protected]
  The correct password is used, but nothing is accepted.
  How can we get Outlook 2013 configured for this non-domain joined PC?
  Many thanks.

  We’re having trouble connecting a users connecting a domain user’s Outlook 2013 to our Exchange 2013 server. The user has a domain user account, and an Exchange mailbox.
  However;
   The user in question uses a PC that is physically connected to the network, but isn’t a domain-joined machine. The user is using a locally-provisioned account on the PC.
  The machine can query internal DNS servers, and has network connectivity through to the Exchange server.
  The user can successfully log in to OWA, where everything functions as normal. The user wishes to use Outlook 2013 for archiving of PST files.
  We are having issues creating a mail profile for the user, whether manually configuring or utilising autodiscover.
  With autodiscover, the user enters her name, email address and password in the initial wizard in Outlook 2013. 2 of the 3 steps succeed, before ‘The action cannot be completed. The name cannot be matched to a name in the address list’ error window is displayed.
  Is this because Exchange is having issues with the account being used to create the profile (the local user account on the PC)?
  Now what’s really odd, is that when using Outlook 2013 away from the network (at home), with any PC, the autodiscover method succeeds. What is causing it to fail internally?
  So, with the autodiscover method out of the window, we turned to manually configuring the profile.
  The local name of the Exchange server is entered for the server name, with the user’s email address for the username.
  In ‘More Settings’, the connection tab is configured to ‘Connect to Microsoft Exchange using HTTP’.
  The URL used to connect the proxy server for Exchange, is the external name used for OWA. This is the same address used when the user is using OWA internally/externally, which works without issue.
  Options ‘Connect using SSL only’, along with ‘Only connect to proxy servers that have this principal name in their certificate’ are selected with
  msstd:<external FQDN name> being entered.
  Basic Authentication is selected for the proxy authentication settings section.
  The user is then prompted for credentials. The following formats have been attempted;
  Domain.local\username
  Email Address
  [email protected]
  The correct password is used, but nothing is accepted.
  How can we get Outlook 2013 configured for this non-domain joined PC?
  Many thanks.
  The first problem is, if this Exchange 2013 then the server name in Outlook isn't really a server name, it is in actuality the ExchangeGUID of the mailbox.  
  Since you are trying to access the mailbox from a machine that is not on the domain you will need to make sure the externalURLs resolve properly internally.  Meaning either the user can access them by going out to the internet and getting routed back
  in (not ideal) or you configure them to resolve to the internal IPs on your internal DNS servers.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
  Thank you for your reply.
  As I mentioned, this machine can query internal DNS servers without issue. Autodiscover is working in a fashion, as the name of the mail server is hashed. 
  In an update to the post, I have exported a working profile from the registry of the machine for a domain user, and have imported for a local user. This actually works, but I'd still like to know the reason for not being able to configure it in the first
  instance.

• CUC 8 - converting local users with VM's to LDAP users - what is the best method?

  Evening all
  We are running a new Unity Connect 8.0 environment. Initially the users were either manually imported and created individually. The standard naming convention for the Alias names are first initial + surname.
  I have integrated LDAP synch so now I can see all the users in the users OU. I want to be able to utilise the LDAP synch to its full potential. I want to create new users from LDAP. But my primary objective is to convert all local users to domain users. The only main issue which we identified is that domain users Alias length is set to 8 characters max in length whereas the local accounts are full length.
  What would be the best way to migrate the users to LDAP, preserve the voicemails and update Alias names to be the same length as domain users?
  I was thinking of the following:
  Backup up system using COBRAS
  Delete all local users from CUC
  Do a bulk import of all users from LDAP into CUC as fresh accounts
  Use COBRAS import tool to load backup
  Amend the alias names manually to the correct length (8 letters)
  Import all users and VM's back in
  Pray it works!
  Any more efficient suggestions welcome
  Thanks in advance
  Mus

  There is a far easier way to do this using the Bulk Administration Tool in Connection.
  Perform an export operation to get everything into a CSV file.
  Delete all the columns except Alias, EmailAddress, MailName, and LdapCcmUserId.
  Populate the LdapCcmUserId to match the user's sAMAccountName attribute from AD.
  NOTE: Spot-check to be sure that you can find this user's account using the Import Users section. The account must have a Last Name value populated, be within the search base, and satisfy any filters you have applied to the syncrhoization agreement.
  Update the MailName to match the LdapCcmUserId. If you are using VMO or Single Inbox also set the EmailAddress to match the user's real email address. When you do the Update operation the Alias should get corrected to match the LdapCcmUserId if memory serves [read: test this!].
  NOTE: If you are setting the EmailAddress you also want the CreateSmtpProxyFromCorp column to be set to 1. This will ensure that the value is copied to the SMTP Proxy Address and can be utilized by the Unified Messaging integration.
  Save your modified CSV file and run an update operation. I suggest starting with a batch of only a few accounts at first to get comfortable with the process. Be sure to specify a filename for failed objects; you almost always have a few and this will give you a little guidence on what failed.

• Sending to local user gives too many hops

  I have set up Mavericks server for mail. Works perfectly for incoming and outgoing mail to other domains but fails when trying to send mail to a local user. Here are my settings:
  example.com is my primary domain, it provides DNS and Mail service
  there are other domains being hosted (web) with example.com providing mail service for them.
  Mail Server setting under "Provide Mails for...": Domain Name is example.com, Virtual domains: myotherdomain.com, example.com (included in list, is this correct?), and some more
  DNS settings: each domain has a machine record for the domain name (e.g. example.com has an A record, myotherdomain.com has its own A record), each domain has an MX pointing to example.com. Domain example.com has an alias (CNAME) record mail.example.com pointing to example.com. This is the only place where the name mail.example.com appears in the whole server.
  Last night I tried to reply to a mail I received from a user on myotherdomain.com. My receiving account is also on myotherdomain.com (myotherdomain.com is one of my domains with MX pointing to example.com). When I simply hit reply the mail server eventually reported back that the mail was not delivered due to too many hops.
  Here are the headers from the mail I received. I simply hit reply and got the too many hops. WHY?
  Return-Path: <[email protected]>
  Delivered-To: [email protected]
  Received: from localhost (localhost [127.0.0.1])
            by miniserver.example.com (Postfix) with ESMTP id 9EE9C4DA4D7
            for <[email protected]>; Wed,  5 Mar 2014 17:09:10 +0100 (CET)
  X-Virus-Scanned: amavisd-new at example.com
  Received: from miniserver.example.com ([127.0.0.1])
            by localhost (miniserver.example.com [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 3oDO8uq8aS6W for <[email protected]>;
            Wed,  5 Mar 2014 17:09:10 +0100 (CET)
  Received: from miniserver.example.com (localhost [127.0.0.1])
            by miniserver.example.com (Postfix) with ESMTPA id 628CD4DA4BE
            for <[email protected]>; Wed,  5 Mar 2014 17:09:10 +0100 (CET)
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
  boundary="=_50c5075d15c85c7a43995d47cd97c851"
  Date: Wed, 05 Mar 2014 17:09:10 +0100
  From: anita <[email protected]>
  To: [email protected]
  Subject: Hello
  Message-ID: <[email protected]>
  X-Sender: [email protected]
  User-Agent: Roundcube Webmail/RCMAIL_VERSION
  Here is what the mail server reported back after trying to reply:
  This is the mail system at host miniserver.example.com.
  I'm sorry to have to inform you that your message could not
  be delivered to one or more recipients. It's attached below.
  For further assistance, please send mail to postmaster.
  If you do so, please include this problem report. You can
  delete your own text from the attached returned message.
                    The mail system
  <[email protected]>: host 127.0.0.1[127.0.0.1] said: 554 5.4.0 id=78365-11
     - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025):
     554 5.4.0 Error: too many hops (in reply to end of DATA command)
  Reporting-MTA: dns; miniserver.example.com
  X-Postfix-Queue-ID: 98CF04DB967
  X-Postfix-Sender: rfc822; [email protected]
  Arrival-Date: Wed,  5 Mar 2014 18:52:58 +0100 (CET)
  Final-Recipient: rfc822; [email protected]
  Original-Recipient: rfc822;[email protected]
  Action: failed
  Status: 5.4.0
  Remote-MTA: dns; 127.0.0.1
  Diagnostic-Code: smtp; 554 5.4.0 id=78365-11 - Rejected by next-hop MTA on
     relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.4.0 Error: too many hops
  Thanks for your help

  Invoke the following diagnostic by launching Terminal.app from Applications > Utilities and see if there are any network or DNS issues reported:
  sudo changeip -checkhostname
  Also post the internal and external DNS translations of the following:
  dig +short miniserver.example.com
  dig +short mail.example.com
  dig +short MX myotherdomain.com
  dig +short MX example.com
  dig +short @8.8.8.8 miniserver.example.com
  dig +short @8.8.8.8 mail.example.com
  dig +short MX @8.8.8.8 myotherdomain.com
  dig +short MX @8.8.8.8 example.com
  I'd look for a bogus or missing MX record for myotherdomain.com, to start with.
  FWIW, myotherdomain.com is a real and registered domain.    Probably not yours, I'm guessing.  The example.net and example.org domains are also available for obfuscation, in addition to the example.com domain.