Enable-WSManCredSSP do not configure policy for delegation

Similar Messages

• Could not deploy policy for resource: type= url , application=MySecurex,

  Hi
  My situation :
  I have 2 managed weblogic portal 10.3.0 managed servers in a cluster and 1 admin server. All are running as a service.
  Deployments of new versions of applications are submitted by an automated script.
  The steps in the script are :
  - stop the services of the managed servers
  - undeploy the previous version by using ant task
  <target name="undeploy_old" description="undeploy old application" depends="downloadFiles">
                 <java classname="weblogic.Deployer" output="./temp/${buildProject}_${deployEnv}/${buildVersion}/undeploy.txt" fork="yes">
                      <arg value="-adminurl" /> <arg value="${adminurl}" />
                      <arg value="-username" /> <arg value="${weblogic_user}" />
                      <arg value="-password" /> <arg value="${weblogic_pwd}" />
                      <arg value="-undeploy" />
                      <arg value="-name" />
                      <arg value="${buildProject}" />
                      <arg value="-verbose" />
                      <classpath refid="project.class.path"/>
                 </java>     - deploy the new version by using ant task
       <java classname="weblogic.Deployer"
                 output="./temp/${buildProject}_${deployEnv}/${buildVersion}/deploy.txt"
                 fork="yes"
                 maxmemory="512m"
                 inputstring="" >
           <arg value="-adminurl" /> <arg value="${adminurl}" />
           <arg value="-username" /> <arg value="${weblogic_user}" />
           <arg value="-password" /> <arg value="${weblogic_pwd}" />
           <arg value="-stage" />
           <arg value="-verbose" />
            <arg value="-upload" />
           <arg value="-deploy" />
           <arg value="-name" /> <arg value="${buildProject}" />
           <arg value="-source" /> <arg value="./temp/${buildProject}_${deployEnv}/${buildVersion}/${buildProject}.ear" />
           <arg value="-targets" /> <arg value="${deploytargetinstances}" />
            <classpath refid="project.class.path"/>
       </java>- start the services of the managed servers
  Problem:
  When the managed servers are restarting and the new version is going to prepared status, an error occurs for the new version of the application :
  ####<27-dec-2011 13.42 u. CET> <Info> <Deployer> <S40BEAPORTACC1> <s40beaportacc1p9106> <[STANDBY] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324989758076> <BEA-149059> <Module MySecurexEarAdmin of application MySecurex is transitioning from STATE_NEW to STATE_PREPARED on server s40beaportacc1p9106.>
  ####<27-dec-2011 13.42 u. CET> <Error> <Security> <S40BEAPORTACC1> <s40beaportacc1p9106> <[STANDBY] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324989758779> <BEA-090064> <The DeployableAuthorizer "myrealm_weblogic.security.providers.xacml.authorization.XACMLAuthorizationProviderImpl" returned an error: weblogic.security.spi.ResourceCreationException: [Security:090310]Failed to create resource.>
  ####<27-dec-2011 13.42 u. CET> <Error> <HTTP> <S40BEAPORTACC1> <s40beaportacc1p9106> <[STANDBY] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1324989758779> <BEA-101199> <Could not deploy policy for resource: type=<url>, application=MySecurex, contextPath=/MySecurexEarAdmin, uri=/campaigns/emails/*.
  weblogic.security.service.ResourceCreationException: weblogic.security.spi.ResourceCreationException: [Security:090310]Failed to create resource
       at com.bea.common.security.internal.service.PolicyDeploymentServiceImpl$DeploymentHandlerImpl.deployPolicy(PolicyDeploymentServiceImpl.java:173)
       at weblogic.security.service.WLSPolicyDeploymentServiceWrapper$DeploymentHandlerImpl.deployPolicy(Unknown Source)
       at weblogic.security.service.AuthorizationManager$HandlerAdaptor.deployPolicy(Unknown Source)
       at weblogic.security.service.AuthorizationManager.deployPolicy(Unknown Source)
       at weblogic.servlet.security.internal.ResourceConstraint.deploy(ResourceConstraint.java:108)
       at weblogic.servlet.security.internal.WebAppSecurityWLS.deployPolicies(WebAppSecurityWLS.java:253)
       at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityConstraints(WebAppSecurity.java:140)
       at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1189)
       at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1121)
       at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
       at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
       at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
       at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
       at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
       at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
       at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
       at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
       at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
       at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
       at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
       at weblogic.deploy.internal.targetserver.AppDeployment.prepare(AppDeployment.java:141)
       at weblogic.management.deploy.internal.DeploymentAdapter$1.doPrepare(DeploymentAdapter.java:39)
       at weblogic.management.deploy.internal.DeploymentAdapter.prepare(DeploymentAdapter.java:187)
       at weblogic.management.deploy.internal.AppTransition$1.transitionApp(AppTransition.java:21)
       at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:233)
       at weblogic.management.deploy.internal.ConfiguredDeployments.prepare(ConfiguredDeployments.java:165)
       at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:122)
       at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:173)
       at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:89)
       at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  weblogic.security.spi.ResourceCreationException: [Security:090310]Failed to create resource
       at weblogic.security.providers.xacml.DeployableAuthorizationProviderV2Helper.deployPolicy(DeployableAuthorizationProviderV2Helper.java:119)
       at weblogic.security.providers.xacml.DeployableAuthorizationProviderV2Helper.deployPolicy(DeployableAuthorizationProviderV2Helper.java:162)
       at weblogic.security.providers.xacml.authorization.XACMLAuthorizationProviderImpl.deployPolicy(XACMLAuthorizationProviderImpl.java:281)
  weblogic.management.utils.CreateException:
       at com.bea.security.providers.xacml.entitlement.PolicyManager.setPolicy(PolicyManager.java:241)
       at com.bea.security.providers.xacml.entitlement.PolicyManager.setPolicy(PolicyManager.java:165)
       at weblogic.security.providers.xacml.DeployableAuthorizationProviderV2Helper.deployPolicy(DeployableAuthorizationProviderV2Helper.java:112)
  com.bea.security.xacml.PolicyStoreException: <openjpa-1.1.0-r422266:657916 fatal store error> kodo.jdo.FatalDataStoreException: The transaction has been rolled back.  See the nested exceptions for details on the errors that occurred.
       at com.bea.security.providers.xacml.store.BasePolicyStore.setPolicy(BasePolicyStore.java:684)
       at com.bea.security.providers.xacml.store.BasePolicyStore.setPolicy(BasePolicyStore.java:576)
       at com.bea.security.providers.xacml.entitlement.PolicyManager.setPolicy(PolicyManager.java:222)
       at com.bea.security.providers.xacml.entitlement.PolicyManager.setPolicy(PolicyManager.java:165)
  <openjpa-1.1.0-r422266:657916 nonfatal store error> kodo.jdo.ObjectNotFoundException: The instance "netscape.ldap.LDAPException: error result (32)" does not exist in the data store.
  FailedObject: netscape.ldap.LDAPException: error result (32)
       at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:370)
       at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
       at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
       at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:554)
       at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
       at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2007)
  ....>
  My workaround:
  Delete the <domain>\servers\s40beaportacc1p9106\data\ldap directory on the managed servers and restart
  Does anyone knows what causes the error and how to solve it?
  The goal is to be able to deploy our application by automation.

  You must use not the original bean that you coded. You must use the bean generated by axis-wsdl2java.
  The bean generated by axis-wsdl2java is:
  - in the first beanMapping: MSPCSService.SMSMO
  - in the second beanMapping: MSPCSService.SMSMOResponse
  As you can see, the bean the axis-wsdl2java will generate is build with the namespace + "." + qname. If you use an domain like java.sun.com in namespace, then the package name you will use is inverted (in the sample, com.sun.java). Look at the code generated.
  You client must use this beans, not the original coded by you.
  This must work, worked for me :)

• Measurement Computing USB-SSR24 error 42 Digital Port not configured correctly for requested operation

  Using LV 2012 and ULx 2.02 LV driver:
  LV is throwing an error 42 (Digital Port not configured correctly for requested operation) from the ULx write VI but only on PortCH.  All my configurations are correct on the hardware and Instacal tests the ports OK.  I've reinstalled everything and still see the same issue.
  Since PortA is configured identical to PortCH, and PortA is functioning fine, I'm stumped.  This is occuring on two different SSR24 DAQs so I don't think it's the hardware, plus I've already mentioned that the Instacal isn't having a problem with it.
  I've attached my VI I'm using for debug. 
  Jeff
  Attachments:
  test of Wilmington.vi ‏19 KB

  I worked with Measurement Computing and they agreed that there is a bug with certain DI/DO configurations.  There are a possible 16 different DI/DO configurations with the hardware and apparently mine (PortA - DO, PortB- DI, PortCL-DI, and PortCH-DO will throw this error for PortCH.  I'm currently using .net calls to work around the issue until the ULx driver is updated.  I'll post that when I see it.  Attached are the .net VI's that I'm using for simple static IO.
  Attachments:
  USB SSR DOT NET Write Bit.vi ‏20 KB
  USB SSR DOT NET Read Bit.vi ‏21 KB

• Enabling CredSSP Authentication Protocol - not configured correctly.

  Hello,
  I am trying to use CredSSP to delegate my user credentials to a server running Windows server 2012 to issue invoke-commands to a Network Storage Location.
  I have tried the following on the client machine:
  Ran these commands on an Administrative PowerShell (Windows 7):
  1) Enable-PSRemoting 
  2) winrm quickconfig
  3) Winrm set winrm/config/client '@{TrustedHosts="*.mydomain.com"}'
  4) Enable-WSManCredSSP -Role Client -Delegate *.mydomain.com
  5) PS C:\Windows\system32> Get-WSManCredSSP
      The machine is not configured to allow delegating fresh credentials.
      This computer is not configured to receive credentials from a remote client computer.
  Since it did not succeed I looked in the settings:
  1) Active Directory User and Computer -> [my computer] -> properties -> delegation tab. Changed "Do not trust this computer for delegation" to "Trust this computer for delegation to any service (Kerberos only).
  2) Local Group Policies Editor -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
           - Double-Click the setting "Allow Delegating Fresh Credentials" made sure that it is enabled and click "Show".
  There              was WSMAN/*.mydomain.com in the list. 
           - I also enabled the setting "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" as well but it  
           did not change the outcome. 
  3)  Local Group Policies Editor -> Computer Configuration
  -> Administrative Templates -> Windows Components ->      Windows Remote Management (WinrRM) -> WinRM client
           - Enabled the setting, "Allow CredSSP authentication".
  4)  Computer Configuration -> Windows Settings ->
  User Rights Assignment
           - Double-Click  the setting "Enable computer and user accounts to be trusted for delagation"
           - Added my user and computer to the delegation list.
  I re-ran the commands from above but still got the same output. 
  Is there a setting that I am missing? Is there any suggestion to change any settings? or just any ideas with regards to getting it to configure correctly.
  Thanks!

  Hello,
  I am trying to use CredSSP to delegate my user credentials to a server running Windows server 2012 to issue invoke-commands to a Network Storage Location.
  I have tried the following on the client machine:
  Ran these commands on an Administrative PowerShell (Windows 7):
  1) Enable-PSRemoting 
  2) winrm quickconfig
  3) Winrm set winrm/config/client '@{TrustedHosts="*.mydomain.com"}'
  4) Enable-WSManCredSSP -Role Client -Delegate *.mydomain.com
  5) PS C:\Windows\system32> Get-WSManCredSSP
      The machine is not configured to allow delegating fresh credentials.
      This computer is not configured to receive credentials from a remote client computer.
  Since it did not succeed I looked in the settings:
  1) Active Directory User and Computer -> [my computer] -> properties -> delegation tab. Changed "Do not trust this computer for delegation" to "Trust this computer for delegation to any service (Kerberos only).
  2) Local Group Policies Editor -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
           - Double-Click the setting "Allow Delegating Fresh Credentials" made sure that it is enabled and click "Show".
  There              was WSMAN/*.mydomain.com in the list. 
           - I also enabled the setting "Allow Delegating Fresh Credentials with NTLM-only Server Authentication" as well but it  
           did not change the outcome. 
  3)  Local Group Policies Editor -> Computer Configuration
  -> Administrative Templates -> Windows Components ->      Windows Remote Management (WinrRM) -> WinRM client
           - Enabled the setting, "Allow CredSSP authentication".
  4)  Computer Configuration -> Windows Settings ->
  User Rights Assignment
           - Double-Click  the setting "Enable computer and user accounts to be trusted for delagation"
           - Added my user and computer to the delegation list.
  I re-ran the commands from above but still got the same output. 
  Is there a setting that I am missing? Is there any suggestion to change any settings? or just any ideas with regards to getting it to configure correctly.
  Thanks!
  See
  Secrets of Powershell Remoting book by Don Jones
  Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com (Please take a moment to Vote as Helpful and/or Mark as Answer, where applicable) _________________________________________________________________________________
  Powershell: Learn it before it's an emergency http://technet.microsoft.com/en-us/scriptcenter/powershell.aspx http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx

• Configure clustering for OIM

  Hi Experts,
  We have not configured clustering for OIM during installation. Just wanted to check on whether it is possible to configure clustering and add servers to the cluster post installation. If yes could you please share a link or document which tells us how to achieve this.
  Thanks

  Thanks for the reply but even after making the modification I am getting the same error as earlier.
  tcSignatureMessage moSignature = tcCryptoUtil.sign("xelsysadm","PrivateKey");
  The above line is throwing error. It is unable to create the object it seems.
  The current code looks like this
  System.setProperty("XL.HomeDir", "E:/oracle/xlclient");
  System.setProperty("java.security.policy","E:/oracle/xlclient/Config/xl.policy");
  System.setProperty("log4j.configuration","E:/oracle/xlclient/Config/log.properties");
  // Get connection to OIM Server
  ConfigurationClient.ComplexSetting config = ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
  Hashtable env = config.getAllSettings();
  tcSignatureMessage moSignature = tcCryptoUtil.sign("xelsysadm","PrivateKey");
  factory = new tcUtilityFactory(env, moSignature);
  userOper = (tcUserOperationsIntf) factory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
  And the error message remains the same as in the earlier post.
  @Rajiv: I dont have access to MetaLink. But thanks for the reply.

• "Error: PLL is not configured on Oracle server." appears on some computers

  Hello,
  We configured the custom.pll file so that we can capture UPK with context IDs.
  We can capture UPKs just fine and it records all available context IDs on MOST computers. However, we have a couple of people that get the custom.pll error (Error: PLL is not configured on Oracle server.), and obviously, their UPK captures do not capture the context IDs.
  We all use the same version (UPK Client 3.6.1) and we all are capturing in the same instance where custom.pll has been configured.
  Why are some computers getting the error?? How can we resolve this error?
  Can somebody help?
  Here are some of our specs:
  UPK: Client 3.6.1
  EBS: 12.1.2
  Computer: Windows XP Professional SP3
  Thank you.

  Hello,
  You are correct that the document describes configuring the PLL for help menu integration, but it is necessary that this configuration be done before recording, which is why you're seeing the messages. We do not want customers to record content and later find out that the PLL was not configured properly for deploying via the help menu.
  If you follow the steps in this document, the error messages should go away.
  I hope this is helpful.
  Best regards,
  Marc

• Added additional user. How do I configure password for this user?

  Have two different accounts. Second accound added but don't understand how to cinfigure password for this account.

  A bit confused by your query, so can you clarify a few points.
  re: added additional user
  You do not add additional users to Thunderbird, so I presume you mean you have tried to create another mail account for someone else in your own profile.
  You do not configure passwords for other peoples email addresses as that would be a privacy issue and only they should do it.
  Lets start at the begining.
  If more than one person is using a computer, they should have their own User Account which they access via a password they choose. This gives them their own desktop view and access to programs installed on computer, such as Thunderbird.
  Thunderbird will be available for them to use.
  When you run it for the first time in their User Account, it will create a Profile in their User Account.
  Thunderbird will also then ask you to create a mail account in that Profile.
  The details you enter will ask for Name. email address and a password.
  That password is the same password they use to access their email in their webmail account using a browser, so only they should know that password and they should not divulge it to anyone - however in some cases, eg: spouses, they may know each others password.
  You can choose whether Thunderbird remembers the password or not before creating the account, but the password would still be required to configure the mail account.
  This method means that no one can see that persons emails nor access their password details because they do not know the password to the computer User Account.
  If you have only the one admin User Account which several people use, then anyone has access to anything on that computer. This may be fine if eg; spouses share the computer, but it is not a practise that should be used in any other environment.
  If you have mail accounts created in the same Thunderbird profile, then all mail and passwords are freely available for anyone to see and this may not be desired.
  Some people use only the one User Account, but they have their own Profile created in Thunderbird.
  When Thunderbird was initially run, it created a defult Profile, but you can add additional Profiles using the Profile Manager.
  The mail account is created in that Profile and then they can apply a Master Password in Thunderbird.
  This means that anyone can still see anyone's emails as on startup as anyone can select any Profile.
  But, the access to passwords is locked and removal of Master Password will remove all stored paswords to safe guard privacy.
  Some info on Master Passwords:
  * http://kb.mozillazine.org/Master_password
  Some info on creating additional Profiles using Profile Manager:
  * http://kb.mozillazine.org/Profile_Manager

• Error 610 Database location policy is not configured.

  Hello,
  I'm running ZENworks 6.5 sp1(a).**I*have*an*Inventory*Service*object **called
  "Inventory Service_servername".**Should*I*be*renaming*t his*to*the*older
  configuration (which I don't have anymore) or try to configure it as is.
  startinv no longer will start inventory.**I*had*this*working*since*the
  upgrade (a long time ago) but it's no longer working.**I*had*checked*a
  number of the TID's on this error but I have not been able to resolve the
  problem.**Please*tell*me*where*I*should*be gin*to*look.
  Thanks in advance, Oksana

  It's now fixed. Looks like it was configured both in the Server Package and
  the Service Location Policy, so I removed the settings from the Server
  Package, and voila it works!
  Oksana wrote:
  > With debugging increased:
  >
  > 12/9/05 12:55:55.537] ZENInv - Server Config: getAttributes of DB Loc.
  > Policy returned: 104
  > [12/9/05 12:55:55.537] ZENInv - Server Config: DB Location Policy not
  > configured properly...
  > [12/9/05 12:55:55.537] ZENInv - Server Config: The
  > getConfigurationFromDirectory() returned610
  > [12/9/05 12:55:55.639] ZENInv - Server Config: Inv Server not configured
  > properly. Error code: 610
  > [12/9/05 12:55:55.639] ZENInv - Server Config: Error Type 15 Error 610
  >
  > and later on
  >
  > [12/9/05 12:55:55.927] ZENInv - Status Reporting: Number of modified
  > [records
  > are: 0 for DN=CN=Inventory Service_BOREALIS.OU=ARDELT.O=FACS
  > [12/9/05 12:55:55.927] ZENInv - Server Config: Error Type 15 Error 610
  > [12/9/05 12:55:55.927] ZENInv - Server Config: clearScope() return value 1
  >
  >
  > The db location is specified, so I'm not sure what the problem is, maybe
  > the
  > correct rights to acces the db aren't in place. Everything else seems to
  > be working.
  >
  > TIA, Oksana
  >
  > Marcus Breiden wrote:
  >
  >> On Fri, 02 Dec 2005 16:30:27 GMT, Oksana wrote:
  >>
  >>> We installed sp1 before sp1a came out and I fixed it and it has been
  >>> working
  >>> since. However, recently it is not working and I'm not sure why.
  >>
  >> in that case I would enable debug logging for inventory and take a look
  >> at the log file..
  >>
  >> Try enable debugging....
  >>
  >> http://www.novell.com/documentation/...rts/zdprts.pdf

• How to configure group policy for emet via a command line

  I have been tasked with installing emet on 50 servers that I only have access to with our patching server (so I can't remote in and open the gpedit gui). I can get it to install, but now the problem that I'm facing is I need to enable 6 of the group policies
  for emet. Is there a way to do this while installing it? or a way to do it after the install?

  cmd line you need to deal with is in the C:\Program Files (x86)\EMET 4.1 folder
  specifically emet_conf --refresh would tell the systems to pull in the settings from a GPO they have already applied.
  In a non - SCCM environment I would probably recommend using group policy preferences and create a task scheduler item on your servers that runs emet_conf --import
  \\fileserver\settingsfile.xml on some sort of automated basis. Then you can just configure a client like you need and run the emet_conf --export
  \\fileserver\settingsfile.xml whenever you need to change a mitigation etc and the clients will pick up on the change on their next run of the task scheduler item.
  In general installing on servers isn't a great idea and is not the intended use case for emet however if you are DoD/Gov then DISA has mandated it so won't argue there.  There's also the people that still have Internet access from servers so then it
  would make sense in that environment as well.
  CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

• Software Updates Failing - Group Policy Overwritten - Server and Policy NOT CONFIGURED

  I have seen a few posts about this issue and group policy overwriting the settings needed by SCCM with the wrong WSUS server. I checked the wuahandlerlog and found this error but it didnt have the server information.
  "Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and Policy NOT CONFIGURED"
  The only coputer policy that applies to this system does not have WSUS entries in it.  Windows update runs ok, and I deleted the WSUS registry keys that were set by a script and reinstall the client still getting the same error. I dont see any GPO local or domain, or reg keys that are setting anything. I have 10 other servers is the same AD container that this is working perfecly on.......
  Suggestions????

  Check out this GPO:
  Computer Configuration -> Administrative Templates -> System -> Group Policy: 
  "Turn off Local Group Policy Objects processing"
  The help text:
  "This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied.
  By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only
  domain-based GPOs are applied.
  If you enable this policy setting, the system does not process and apply any Local GPOs.
  If you disable or do not configure this policy setting, Local GPOs continue to be applied.
  Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting  in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup."
  Rolf Lidvall, Swedish Radio (Ltd)

• Configuring group policy for user profiles in Windows Server 2012 R2 Domain

  Requesting some experts advise on configuring group policy for user profiles.
  We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
  The settings which I am concerned:
  1. Folder Redirection: Desktop, Documents, Favorites.
  2. Quota for Folder Redirection - 1 GB per user.
  3. Map a networked drive - 1 GB per user.
  4. Roaming profile - (Will ignore if it does not suit our requirement). 
  The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
  Thanks a lot for your valuable time and efforts.

  Hi,
  >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  This depends on where our outlook data files are stored. If these data files are stored under
  drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
  However, regarding your question, we can refer to the following thread to find the solution.
  Roam outlook profiles without roaming profiles
  http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
  In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
  Configuring Folder Redirection
  http://technet.microsoft.com/library/cc786749.aspx
  Hope it helps.
  Best regards,
  Frank Shen

• "Error [10151] The LCP Port on CCM Admin for Mobile Agent is not Configured or misconfigured"

  We are running into a problem which we have noticed on UCCE 8.5 and havent seen on earlier 7.5 release.
  If we setup a CTI port as agent device target and if we try to login the agent using Cisco Desktop (Not CAD, just CTI OS Client) then we get following error:
  "Error [10151] The LCP Port on CCM Admin for Mobile Agent is not Configured or misconfigured"
  But this wasnt the issue with 7.5 and we were able to do agent login with CTI Port as device target. We dont intend to use Mobile Agent feature but just login UCCE agent to CTI port as the device.
  Do we know if this is a known issue or if something has changed between 7.x and 8.x release which could be is causing this?

  So you can ping and nslookup from your ms to these agents and vice versa right?  I wouldn't do a manual install, I would push the agent from the management server.  You can uninstall the agent manually, or use cleanmom to get rid of them.  Then
  do an install from the console.  When you initiate the install from the console (management server), should it run into any issues it will dump out an error which will give you an idea of where the problem may be.
  From Holmans post on this:
  e MOM Server could not execute WMI Query "Select * from Win32_OperatingSystem" on 
  computer “servername.domain.com” 
  Operation: Agent Install 
  Install account: DOMAIN\account 
  Error Code: 800706BA 
  Error Description: The RPC server is unavailable.
  The MOM Server could not execute WMI Query "(null)” on 
  computer “servername.domain.com” 
  Operation: Agent Install 
  Install account: DOMAIN\account 
  Error Code: 800706BA 
  Error Description: The RPC server is unavailable.
  8004100A 
  800706BA
  1.  Ensure agent push account has local admin rights 
  2.  Firewall is blocking NetBIOS access.  If Windows 2008 firewall is enabled, ensure “Remote Administration (RPC)” rule is enabled/allowed.  We need port 135 (RPC) and the DCOM port range opened for console push through a firewall.  
  3.  Inspect WMI service, health, and rebuild repository if necessary 
  4.  Firewall is blocking ICMP  (Live OneCare) 
  5.  DNS incorrect 
  http://blogs.technet.com/b/kevinholman/archive/2009/01/27/console-based-agent-deployment-troubleshooting-table.aspx
  Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

• Sharepoint 2013 : Server was unable to process request. --- Site is not configured for Claims Forms Authentication.

  In our java web application trying  establish the connection for sharePoint 2013
  using  Windows claims authentication (NTLM ), I am getting error message "Server was unable to process request. ---> Site is not configured for Claims Forms Authentication". But In the Sharepoint 2013 our Site is is configured for Windows
  claims only.
  In the Sharepoint 2013 server in the IIS manager settings for authentication it is  enabled for both Windows claims and Forms authentication,
  but if I disable Forms authentication that I will be able to connect it through my application but with the direct access i.e., by running the URL in the browser I am not able to connect getting error message "sorry this site has not been shared with
  you" in the browser  Kindly help me on this.

  Hi,
  This issue is always caused that you had missed FBA configuration in web config of your web application.
  You can configure the FBA authentication then check whether it works.
  http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx
  http://chrisbarba.com/2013/07/16/sharepoint-2013-forms-based-authentication-fba/
  more reference:
  http://stackoverflow.com/questions/5686378/sharepoint-2010-claim-base-authentication-error
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/2d82dcd4-0e57-4de5-81bc-60ffc3cb9a9f/sharepoint-2010-claim-authentication-and-authenticationasmx?forum=sharepointgeneralprevious
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Site is not configured for Claims Forms Authentication

  Hi All
  I have one custom login page for my Sharepoint 2013 site where i am trying to use
  SPClaimsUtility.AuthenticateFormsUser(uri, strUserName, strPwd);
  But i am getting this exception ---> Site is not configured for Claims Forms Authentication
  I checked ULS long and there it is --> Not in claims forms auth for url 'https://domain/sitecollection/'.
  Web.config enteries are 
  <authentication mode="Forms">
        <forms loginUrl="/_layouts/TarsForwardLogin.aspx" />
      </authentication>
  <membership defaultProvider="i">
        <providers>
          <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
          <add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" connectionUsername="cn=sharepointadmin,ou=GSP,ou=Applications,o=TOYOTA"
  connectionPassword="spad1n2" server="10.100.5.119" port="389" useSSL="false" userDNAttribute="entryDN" userNameAttribute="cn" userContainer="o=toyota" userObjectClass="Inetorgperson"
  userFilter="(ObjectClass=Inetorgperson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn,fullname,language,mail" enablePasswordReset="false" enablePasswordRetrieval="false" passwordFormat="Clear"
  requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />
        </providers>
      </membership>
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
        <providers>
          <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
   <add name="rolemanager" connectionUsername="cn=sharepointadmin,ou=GSP,ou=Applications,o=TOYOTA" connectionPassword="spad1n2" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=15.0.0.0,
  Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="10.100.5.119" port="389" useSSL="false" groupContainer="ou=groups,ou=GSP,ou=Applications,o=toyota" groupNameAttribute="cn" groupMemberAttribute="member"
  userContainer="o=toyota" userNameAttribute="cn" userDNAttribute="entryDN" dnAttribute="entryDN" groupFilter="(ObjectClass=groupOfNames)" userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
  />     
  </providers>
      </roleManager>
  Can
  someone please help/Guide
  Manoj Gangwar | Sharepoint MCPD | Sharepoint MCTS |

  Hi All
  I tried like this and it worked...
  SPIisSettings iisSettings = SPContext.Current.Site.WebApplication.IisSettings[SPUrlZone.Internet];
  SPFormsAuthenticationProvider formsClaimsAuthenticationProvider = iisSettings.FormsClaimsAuthenticationProvider;
  SecurityToken token = SPSecurityContext.SecurityTokenForFormsAuthentication(new Uri(SPContext.Current.Web.Url),
  formsClaimsAuthenticationProvider.MembershipProvider, formsClaimsAuthenticationProvider.RoleProvider, strUserName, "", SPFormsAuthenticationOption.PersistentSignInRequest);
  if (null != token)
  base.EstablishSessionWithToken(token, SPSessionTokenWriteType.WriteSessionCookie);
  base.RedirectToSuccessUrl();
  Manoj Gangwar | Sharepoint MCPD | Sharepoint MCTS |

• ERROR: user is not configured for keystore 'service_ssl'

  hi experts:
  System environment:
  pi7.0  j2ee sp09
  ECC6.0 patch level11
  Here is my scenarios..
  ECC6.0-->(IDOC)XI(CIDX)--
  >External system.
  External system-->(CIDX)XI(IDOC)--
  >ECC6.0
  1.we have got there certificates from external system (rootCA.DER,intermedia.DER,Server.DER), imported the 3 certs files to TrustedCAs view using VA tool after we configured the SSL enable.
  2.We generated the CSR file and got the response from CA. we import the CSR response to SERVICE_SSL service
  3.I have assigned the role(keystoreadministrator) to user(PIAFUSER,PIAPPLUSER) in security provide service.
  4.I configured the IR and ID for the first sceniro. I Selected the "service_ssl" view and "TrustedCAs" view in received agreement in ID, and selected the "service_ssl" view in comunication channeland. actived all of them.
  issue :
  as soon I trigger the message to external. It is OK in monitor for processed XML Message.
  BUT I got the error message in runtime workbench/adapter engine/communication channel mornitoring.
  Channel Name: Buyer_Send_OrderChange
  Receiver Agreement: |com_sap_abap_r3_200|Sell_elemic|CIDX_E45_20_seller|OrderChange
  Security Settings > Current certificate configured for signing:
  ERROR: user is not configured for keystore 'service_ssl'
  Security Settings > Partner certificate configured for signing:
  ERROR: user is not configured for keystore 'TrustedCAs'
  Thanks!!.

  The question have been solved ..
  thanks!
                       xixi