FIFO across clock domains

Similar Messages

• Clock domain crossing FIFO sanity check

  Hi all,
     I am having an issue with producing a one clock cycle wide pulse output.  I have dealt with crossing clock domains before but I just want to make sure I am not doing anything wrong.
  I have two clock domains that are mesochronous, both are 250MHz from two different external devices that are deskewed in a DCM.
  I generate a 1 clock cycle wide pulse from clock domain 1 periodically.  I need this pulse to cross the domain coherently into clock domain 2 so that the period remains the same.  In other words the latency from crossing clock domains must have a a constant latency (the amount of latency does not matter as long as it is the same all the time).
  I am using a coregen generated asynchronous block RAM FIFO.  The write enable is the pulse output from clock domain 1 and the empty flag of the FIFO is the output pulse (except I negate it and register the output in an IOB FF clocked with clock domain 2s clock).  The output FF is actually a FDCPE, since it is necessary on power up to send an asynchronous '1' to the device.  Once the asynchronous '1' is outputted, it is cleared and never used again.  I am guessing that an FDCPE primitive will act the same as a FF.
  Here is the issue:
    On power up, if it works, it will continue to work at all temperatures for as along as the system is powered on.  If on power up it does not work, it will continue to not work for as long as the system is powered on.  I am assuming this is a power-on phase issue.  Would this have something to do with how I am crossing the clock domains or should I look elsewhere?
  When I say it does not work I mean:
  Clock domain 1 is from an ADC and clock domain 2 is from a device similar to a DAC.  The output of the DAC feeds back into the ADC.  When it does work, the output I create from the DAC is coherently read from the ADC.  When it does not work, it looks as if the DAC output is started at different clock cycles (multiple phase shifts).  This is why I am assuming that it is due to signal coherency, but we have used this scheme for crossing clock domains multiple times and it has always worked without any issues.
  Sorry if this is not enough information.
  Thanks

  I don't entirely understand the description of the problem you are seeing - we need more context for that. But I will address the clock crossing.
  I don't see anything fundamentally wrong with the clock crossing mechanism you are describing. However, it is VERY expensive for what you are using it for. In fact, even though you are using a clock crossing FIFO, you aren't actually using the storage of the FIFO - you are just using the address counters and full/empty flag generation (which is implemented in fabric logic), and completely ignoring/wasting the RAM.
  There are many simple circuits for doing this clock crossing. As long as you can ensure that you will never get one pulse less than 3 (maybe even 2) after the previous one, then the circuit shown below (a toggle event synchronizer) is simple cheap and effective
  This circuit takes your pulse event on the source clock domain, converts it into a toggle event, which is then synchronized through a two stage synchronizer and then edge detected in the destination domain.
  You don't say what tool you are using (Vivado or ISE) - in either tool it will need some constraints.
  In Vivado, you should set the ASYNC_REG property  on the two middle flip-flops
  set_property ASYNC_REG TRUE [get_cells {signal_meta_reg signal_dst_reg}]
  You will also need some sort of exception on the clock crossing (since all clocks in Vivado are related by default). My preferred one is
  set_max_delay -datapath_only 4 -from [get_cells event_toggle_reg] -to [get_cells signal_meta_reg]
  You should still use this even though both clocks are 4ns periods (so the requirement will end up being 4ns anyway) but the -datapath_only flag tells the tools not to analyze the clock insertion... Furthermore, on this synchronizer, a max_delay isn't technically needed (since there is only one signal being synchronized), so you could set the path as being false, but it is good habit to use this constraint anyway, since other synchronizers need it.
  If you can't guarantee that there are 2 clocks between events, then you can use a simple Gray code counter on the source domain to count events, and send the count to the destination side, which will generate one output pulse for each count received - this is basically what the logic in the FIFO is doing, but without carrying around the useless RAM.
  And, by the way, if you are going to stick to the FIFO, why not use a distributed RAM based FIFO - you won't need to waste the block RAM... If you make it 64x1, then you will only waste two LUTs for the useless RAM instead of an entire block RAM.
  Not that this matters, but you say that the clocks are mesochronous - are they really? To be mesochronous, they need to derive from the same oscillator; they may go through very different paths, but they must come from the same frequency source. Merely both being 250MHz does not make them mesochronous (but, as I say, that doesn't matter for this clock crosser ).
  As for the rest of it - I don't think the clock crossing is the source of your problem. Its vaguely possible that you are messing up the FIFO logic by giving it a pulse too close to the deassertion of the reset; the built-in FIFOs have a requirement that the WR_EN not be asserted within a handful of clocks after the deassertion of rst. But you say you are using the block RAM based one, which probably doesn't need this. So its probably not the clock crosser...
  Avrum
   

• LabVIEW FPGA: Multiple SCTL versus one SCTL (same clock domain)

  Hello NI forums,
  Question:
  See the attached picture from a modified version of the LabVIEW DRAM FIFO example. It probably explains my question more effectively than the paragraphs below.
  What is the difference to the LabVIEW / Xilinx compiliers, if any, between placing two independent branches of code in the same SCTL, versus placing them in individual SCTLs (in the same clock domain)?
  Misc. comments:
  I have briefly experimented with this concept using the included LabVIEW DRAM FIFO example (example finder >> Hardware Input and Output >> FlexRIO >> External Memory >> Simple External Memory FIFO.lvproj).
  I compiled the default example (the read and write interfaces are in separate 40MHz SCTLs) five separate times. Then I put the read and write interfaces in the same 40MHz SCTL and compiled another five times. The result (when both read and write interfaces were in the same SCTL) was a reduction in resource usage (according to the compilation summary).
  However, due to my lack of knowledge I'm hesitant to conclude that placing everything in one SCTL is always the best option. For example, I do not know what is created 'behind the scenes' with each SCTL. Perhaps putting independent branches of code in separate SCTLs makes it possible to route clock, reset, implicit enable, etc. signals more effectively.
  Background information:
  My task involves acquiring 2 channels of analog data using the NI 5772 and PXIe-7966. Data acquisition takes place in a 200MHz SCTL, and downstream processing is performed in a 100MHz SCTL.
  During a vast majority of the 100MHz SCTL processing stages of the FPGA VI, the 2 channels of data do not interact with eachother. So it would be easy for me to place them in separate 100MHz loops if doing so would somehow help the design (timing, resource usage, etc.).
  Thanks!
  Attachments:
  question.png ‏76 KB

  Intaris
  Trusted Enthusiast
  Posts: 3,264
  Re: LabVIEW FPGA: Multiple SCTL versus one SCTL (same clock domain)
  ‎10-28-2014 12:11 PM
  Just out of interest, what is the resource usage differential between the two versions?
  In response to the above comment,
  This is a little embarrassing, but it seems like the resource usage is similar than I initially thought for this particular example. I think the previous compilations that I based my assumption on coincidentally used more resources in the 2-SCTL loop case. I just compiled each version two additional times (see below).
  Here's the version with everything in one loop:
  Device Utilization
  Total Slices: 17.6% (2587 out of 14720)
  Slice Registers: 9.5% (5583 out of 58880)
  Slice LUTs: 8.2% (4855 out of 58880)
  DSP48s: 0.0% (0 out of 640)
  Block RAMs: 2.5% (6 out of 244)
  Device Utilization
  Total Slices: 16.9% (2493 out of 14720)
  Slice Registers: 9.5% (5583 out of 58880)
  Slice LUTs: 8.3% (4858 out of 58880)
  DSP48s: 0.0% (0 out of 640)
  Block RAMs: 2.5% (6 out of 244)
  Here's the version with the read and write in separate loops:
  Device Utilization
  Total Slices: 16.4% (2407 out of 14720)
  Slice Registers: 9.5% (5583 out of 58880)
  Slice LUTs: 8.2% (4852 out of 58880)
  DSP48s: 0.0% (0 out of 640)
  Block RAMs: 2.5% (6 out of 244)
  Device Utilization
  Total Slices: 19.4% (2859 out of 14720)
  Slice Registers: 9.5% (5583 out of 58880)
  Slice LUTs: 8.3% (4859 out of 58880)
  DSP48s: 0.0% (0 out of 640)
  Block RAMs: 2.5% (6 out of 244)

• Configuring Kerberos across 2 domains?

  Hi
  I am trying to set up a 3rd party application to use Single Sign On using Kerberos authentication across two Domains and am having troubles. DOMAIN1.COM is a W2K domain and DOMAIN2 is a Citrix farm. My application is a Solaris (5.9) hosted Java app (1.4.2_08) running under a Weblogic 8.1.
  I've generated the keytab files etc and can successfully authenticate using kinit. I can successfully sign in from my desktop when I configure my environment to use only just domain, either DOMAIN1.COM or DOMAIN2, but I am hitting this error when trying to authenticate with a user accouint on DOMAIN2 (it works fine for a user account on DOMAIN1):
  <000000> <Found Negotiate with SPNEGO token>
  *<000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))*
  The application uses the JAAS login framework to perform the authentication. The steps I have followed are:
  1. We have generated the keytab file for both domains and have tested that we can generate tickets using kinit command
  2. When I start my WL server I am using the DOMAIN1.COM domain credentials i.e.
  JAVA_OPTIONS="-ms1024m ...etc... -Djava.security.auth.login.config=krb5Login.conf -Djava.security.krb5.realm=DOMAIN1.COM -Djava.security.krb5.kdc=ldap-domain1.com -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
  3. I've configured my krb5Login.conf to use DOMIAN1.COM e.g.
  com.sun.security.jgss.initiate
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]" useKeyTab=true
  keyTab=krb5.keytab storeKey=true debug=true;
  com.sun.security.jgss.accept
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/[email protected]" useKeyTab=true
  keyTab=krb5.keytab storeKey=true debug=true;
  4. I've configured my /etc/krb5/krb5.conf to use DOMAIN2 as default.
  [libdefaults]
  default_realm=DOMAIN2
  default_tkt_enctypes = des-cbc-md5
  default_tgs_enctypes = des-cbc-md5
  [realms]
  DOMAIN1.COM = {
  kdc=ldap-domain1.com:88
  admin_server=ldap-domain1.com
  DOMAIN2 = {
  kdc=kdc1.domain2:88
  kdc=kdc2.domain2:88
  admin_server=ADMINSERVER2
  [domain_realm]
  mydomain.com=DOMAIN2
  [appdefaults]
  kinit = {
  renewable = true
  forwardable= true
  autologin = true
  forward = true
  encrypt = true
  I am not a Java developer so this is all new to me so hopefully someone can give me some guidance. I've been told the reason I can't authenticate is because I don't have a trust relationship set up between the two domains. But our Active Directory team have stated that setting up a trust relationship is not an option.
  The software supplier has said that the application should work across both domains without the trust relationship but they are unwilling to assist (as they have been paid already!). The way I have been led to understand it is that when we try and access the app over the DOMAIN2 the app should default to the default domain set in the /etc/krb5/krb5.conf file. Am I misguided? I don't understand how the JAAS login framework works with Kerberos and I would greatly appreciate some guidance on a possible config or code change I can make to resolve this issue?
  Thanks

  Hi
  Thanks for the reply. I couldn't see krb5.conf in the logs so I added it to the JAVA_OPTIONS and re-ran a test but it failed with the same error. Here some output from my logs:
  ####<Nov 4, 2009 5:38:07 PM GMT> <Info> <Management> <aukobpcs> <aukobpcs_dd1> <main> <<WLS Kernel>> <> <BEA-141187> <Java system properties are defined as follows:
  java.security.auth.login.config = /opt/bea/user_projects/domains/onebill_online/krb5Login.conf
  java.security.krb5.conf = /etc/krb5/krb5.conf
  java.security.policy = /opt/bea/weblogic81/server/lib/weblogic.policy
  java.specification.name = Java Platform API Specification
  java.specification.vendor = Sun Microsystems Inc.
  java.specification.version = 1.4
  java.util.prefs.PreferencesFactory = java.util.prefs.FileSystemPreferencesFactory
  java.vendor = Sun Microsystems Inc.
  java.vendor.url = http://java.sun.com/
  java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi
  java.version = 1.4.2_11
  vde.home = ./aukobpcs_dd1/ldap
  weblogic.Name = aukobpcs_dd1
  weblogic.StdoutDebugEnabled = true
  weblogic.StdoutSeverityLevel = 64
  weblogic.management.server = http://aukobpcs.dc-dublin.de:7001
  weblogic.security.enableNegotiate = true
  ####<Nov 4, 2009 5:40:22 PM GMT> <Info> <HTTP> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=19509258,name=bpa,context-path=/bpa)] *.jsp: initialization complete>
  ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
  ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
  ####<Nov 4, 2009 5:40:23 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
  GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:277)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
       at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
       at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
       at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)
       at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:672)
       at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:617)
       at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
       at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)
       at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
       at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
       at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3823)
       at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
  Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm DOMAIN1.COM
       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
       at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
       ... 21 more
  Caused by: KrbException: Cannot get kdc for realm DOMAIN1.COM
       at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
       at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
       at sun.security.krb5.KrbAsReq.send(DashoA12275:300)
       at sun.security.krb5.Credentials.acquireTGT(DashoA12275:360)
       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
       ... 35 more
  If you have any other suggestions I could try that will be great, otherwise we'll look at implementing workaround to this issue (probably having a separate WL server for each domain)
  Thanks

• How to manage ApplicationDomain for loaded SWFs across different domains?

  I've been getting this following error -- when I'm loading a subsidiary SWF into a main one. The sub swf contains the overlays. OverlayOne is a subclass of Overlay.
  TypeError: Error #1034: Type Coercion failed: cannot convert OverlayOne@18684f89 to Overlay.
       at HSRawVideoPlayer/setCurrentOverLay()
       at HSRawVideoPlayer/showOverlay()
       at HSRawVideoPlayer/dotRoll()
  I googled and found that I should probably be setting the applicationDomain of the loader context of the loaded swf to be that of the loading SWF (as per Senocular's article on the subject) -- although I thought that in cases of conflict this would resolve to the loading SWFs ApplicationDomain, so not necessary.
  But I've also read that this won't work across different domains, and that's the situation here -- the client wants the urls of loading and loaded swf's to be fully qualified . Will setting the ApplicationDomain of the loaded SWF to be that of the parent solve the problem above, even if they are in different domains? Can someone show me a short code snippet? Thanks!

  Hi,
  DSS has inbuilt functionalities to compare the transactions against the in built rules.If the transactions take place not in accordance with the in-built rules,it is treated as a "violation" and is reporetd.
  Virsa is an example of DSS tool.Here you can build rules for access and process ;constantly compare the actuals Vs the rules;report the violations.
  In SAP R3 for example,the T/code:pfcg is tailored for access control,while the invoice parking [f-63] is tailored for process control.Using VIRSA,you can address to risks involved both,namely,access and process control.This is an example of how DSS can help in Risk integration.
  In these tools,we have an Engine for building the rules-based on this we build the rules.These rules are stored in a table.when a transaction-for which we have built a rule - takes place,the system compares the rules VS actuals.The inconsistencies if any are reported as violations.
  Hope this helps.
  Regards,
  Ramesh

• Clock Domain Crossing with FIFO

  Hi,
  I have a project for Spartan 6 xlx16. In this project I have:
  - clk_in: 20 MHz from an external Quart
  This clk_in (20 MHz) has the followin path:
  - 20 MHz -> Clock Wizard -> 20 MHZ -> Clock Wizard -> Out1: 22 MHz, Out2: 44 MHz.
  The 22 MHz is used to acquire data, and 44 MHz is used to transmit the data. So I used a FIFO: 
  en_fifo_nempty <= not en_fifo_empty;
  my_fifo : fifo_generator_v9_3
  Port map (
  rst => reset_ien,
  wr_clk => clk22,
  wr_en => '1',
  din => data_in,
  rd_clk => clk44,
  rd_en => en_fifo_nempty,
  dout => data_out,
  full => open,
  empty => en_fifo_empty);
  I have a analog channel where I can compare in parallel the original data with Acquired + Transmitted Data. I synthesize one and I notice that Data bit 7 is not stable. Make some changes Data bit 4 in not stable. Some more changes data bit 5.. and son on. 
  What am I missing here? What am I'm doing wrong? In *ucf file I have no special constrains (only clock constrains).
  There are no timing/setup errors. 
  PS: I'm not allowed to change the Acquisition and Transmission Modules so I have to stick to 22 MHz and 44 MHz.
  Thaks,
  Paul
   

  The input data is aquired synchronous from an ADC and processed with the 22 MHz (digital filtering, adder ...). ADC clock is generated dividing the 22 MHz clock with /2 ( simple clock divider). 
  With 20 MHz and 40 MHz everything is ok.
  I have to increase the dynamic of the system with 10% and not allowed to change some VHDL modules so I tried this overclocking (ADC can work at way higher frequencies). With 22 MHz and 44 MHz and absolutely no error from ISE Tool it doesn't work correctly any more.

• Auto-mapping across multiple domains

  I originally posted this in an O365 Exchange forum and was redirected here.  Any help is appreciated.
  Single E1/E3 O365 account with multiple domains having hosted email.  Automapping is working correctly only if the shared mailbox is from the first domain added to O365.  The other 4 domains that were added to O365 are not able to utilize automapping. 
  I have recreated Outlook profiles, removed and recreated permissions with PowerShell and the O365 GUI.  I also looked at the DNS settings required for O365 to work properly and everything looks correct.  Mail is being delivered, Lync is working,
  Example: [email protected] has full access to [email protected]'s mailbox.  Automapping does not work and UserA is prompted to provide credentials to log into UserB's mailbox.
  Any thoughts on why automapping would be failing across domains? 

  Hi,
  Generally, if the Automapping works, the msExchDelegateListLink value for the shared mailbox should contains all users who have full access permission to this shared mailbox. Please follow these steps to check this value:
  1. Open Active Directory Users and Computers.
  2. In Users, right-click the shared mailbox > Properties.
  3. In Attribute Editor tab, double click msExchDelegateListLink attribute.
  4. Make sure all users who have full access permissions are listed in the Values field.
  Regards,
  Winnie Liang
  TechNet Community Support

• Linked Server across the Domain

  Hi
  I have one problem encountering with Linked server connectivity.
  Have one of the server in Domain A and another server into other Domain B. Am able to connect and execute the sql query from Domain A to B. (Creating a linked server in Domain A and trying to access the database which is in Domain B). The problem is that vice
  versa am not able to achieve. Could you just help me in debugging this scenario?
  Also if you could throw me some light how to verify the IP is not blocked in firewall settings will be helpful to debug further.
  Some of the things which I have played around was to verify the remote connectivity was enabled, TCP/IP protocol was enabled, SQL service is up running etc
  Regards
  Srinivasan Baskaran
  Srinivasan, Sr. Software Engineer, India

  To verify firewall settings:
  Please refer -
  http://blogs.msdn.com/b/walzenbach/archive/2010/04/14/how-to-enable-remote-connections-in-sql-server-2008.aspx
  Try one more trick given in below similar thread:
  SQL2008r2 Linked Server fails across domains
  Cheers,
  Vaibhav Chaudhari
  [MCTS],
  [MCP]

• Can we share one single RDBMS security store across multiple domains ?

  Can we share one single RDBMS security store across multiple weblogic domains? The idea is to utilize the same set of users and group defined in Weblogic Security Realms across multiple weblogic domains. Is it possible ? are there any risk ?
  i am using Oracle WebLogicServer11gR1 (10.3.6) Generic with Coherence.

  Hi,
  The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
  The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
  Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
  It is just the replacement for Embedded LDAP.
  Thanks & Regards,
  Murali.
  ============

• Generic code in OSB across 2 domains

  Hi
  I have a requirement to maintain the same code base for a set of OSB domains.
  The difference in the domains is the ip address,ports of the Business Service and Proxy service and also,
  there are some checks done depending on the domain where the code is deployed.
  I understand that the customization file can be used to set the endpoint URI's of proxies and business services.
  But in my OSB code, I have routing options used where i override the endpoint URI's currently, I have hardcoded it as
  'concat(jms://<ipadress>:<port>/<picking the connection factory and queue name from the data coming in to the proxy.>)'
  Also, at some places, there are checks required. To make it more clear:
  if the code was to be deployed on domain1, I would need the xyz variable to be one of particular value say 'value1' or 'value2'
  and if the code was to be deployed on domain2, it would need the variable to be one of value3 or value4.
  One option is to: have a property file somewhere in the local directory and have a Java class(static methods) which reads the property from the file. And in the OSB code, we have a java callout to call this jar file and get the property. and based on the property value, we would do the checks.
  The basic purpose is to have a OSB code that does not need to change irrespective of the domain it is deployed.
  At the same time, the values of some variables in the OSB code should be decided based on the domain it is deployed.
  Can anyone please suggest what can be done in this case?
  Is there a way to achieve this, other than the option I have thought of?

  I would not be changing my DVM. I would have a single DVM having the data available for both domains
  eg
  <properties>
  <domain name='domain1'>
  <value1>test1</value1>
  <value2>test2</value2>
  </domain>
  <domain name='domain2'>
  <value1>test3</value1>
  <value2>test4</value2>
  </domain>
  </properties>
  regards
  Kshama

• Need to collect the Windows logon and logoff events across the Domain in a DC eviornment, for different machines and user accounts.

  Hello All,
  I am trying to build a Tool to collect the info about all the user's who login and logoff on daily basis in a domain network. I am using a windows 2008 server as a DC and have xp, win 7, win 8 , win 12 server as clients in the network.
  There are few questions in my mind which I am not able to answer.
  1> When a user tries to login to the DC network, he/ she gets authenticated using the kerberos protocol. does these authentication gets logged on the AD server by default? I have see a way to enable it from registry but even that's not giving me the expected
  output in the eventvwr.
  2> Do I have to use Audit policies to monitor all the user's log off and log on activities?
  3> Is there a way to collect these information from any place on the AD server other than the Eventvwr?
  Please help me in finding the solutions to these query's  of mine.
  Thanks.

  1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Administrative Tools → Group Policy Management.
  2. In the left pane, navigate to Forest: <domain_name>→ Domains → <domain_name>→ Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up
  menu. </domain_name></domain_name>
  <domain_name><domain_name>3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy. </domain_name></domain_name>
  <domain_name><domain_name>4. Set the Audit account management and the Audit directory service access policy to "Success". Set the Audit logon events policy to  "Success" and "Failure". </domain_name></domain_name>
  5. Navigate to Start → Run and type '"cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.
  Number of events could be excessive so you need to adjust size of Security log ( 1gb for example ) 
  Usage of EventCombMT Tool (part of
  MS ALtools )
   This tool gathers specific events from several different servers to one central location.
   Run the EventCombMT.exe > Right Click on Select to search field > Choose Get DCs in Domain > Mark your Domain Controllers for search
   Click the Searches menu > replace Event ID field values with
  4624  LOGON / 4634  LOGOFF
   Click Search and wait for the process to complete the operation.
   After the search is done the output directory contains the log files for the domain controllers where events with the specified Event ID’s were found.
  Alternatively you can try Netwrix Auditor for Active Directory solution with 20 days of free trial to generate such reports.
  --- Jeff (Netwrix)

• SCCM MP Account from accessing across untrusted domain

  Hi,
  I am wondering if anyone has any suggestion on how to setup MP connection account from MP in untrusted domain (DMZ) to site server. I tried to create a user account in the domain where SCCM primary site exists and configured that account for MP to use but
  unfortunately I am getting following error..
    *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  I have not tried using SQL replica yet but I thought if account works then I would refrain from using SQL replica.
  Thanks,

  ** Resolved **
  Instead of using DOMAIN\USER, I created a local account on site server and assigned EXECUTE right to DB.. Its now communicating from DMZ without any problem...

• Using Get-ADGroup Member recursively across multiple domains in a Forest

  Quick question for the gurus around here....
  We are using a script that is querying the Local Administrators group on a Server.   It will pull the Users as well as the Groups that are a member of the Local Admins group on a server/system and using the recursive parameter with Get-ADGroupMembers,
   it will also list the members of any groups.  However, we seem to hit a snag when a Group is a member of another domain or even if the group is a member of the parent domain/forest.
  For example...One of the Members of the Local Admin group on a server is the "Enterprise Admins".  This group lives in "Corp.Fabrikam.com" yet the server is one level deeper in "ChildDomain.Corp.Fabrikam.com". 
  So of course, when looking in the Child Domain there is no Enterprise Admins group for it to find and it gives us an error that it can not be found.  Samething for Groups that live in other child domains of the forest (ChildDomain2.corp.Fabrikam.com)
  I am trying to figure out how to get the command to distinguish between these differences of the Group accounts and return the results from the domain those accounts live in.   Any ideas if this is normal behavior or if there is a work around?
  Thanks!

  You have to chase the answer.  If you do not have permissions on those domains you cannot retrieve the info.  I suspect it is your script that is wrong and not AD because AD tends to work as required.
  In other words.  Without a script we cannot be of much help.
  ¯\_(ツ)_/¯

• AD FS Across Differing Domain Functional Levels

  My customer needs to implement AD FS for single sign on due to a cloud based email solution they recently implemented. The problem is, their domain controllers are Server 2003 (non-R2) at a functional level of 2003 mixed mode. They should be able to raise
  to 2003 native if necessary however. Their solution is to create a new 2008 domain and implement a two-way trust, running AD FS in the new domain serving the clients in the 2003 domain.  This way should be quicker than upgrading their current domain
  which would be a rather large project due to their size and complexity. 
  Are there any gotcha's I should know about with doing it this way?  I have verified that we can create the two-way trust between domains of these functional levels, and AD FS can service clients in a trusted domain, but I am not entirely sure if AD
  FS will care that the trusted domain is 2003 non-R2.  Can anyone confirm if this will be a feasible scenario? 
  Thanks very much!!
  Wraith

  Hi
  Wraith,
  In addition, if you are not using Windows Server 2012 or above as ADFS server, you will be fine with Windows 2003 mixed mode.
  “Since ADFS does not require Active Directory functional-level modifications to operate successfully. However, if you are using Windows NT token–based applications and
  you want a token to be generated using Kerberos Service-for-User (S4U), the domain functional level must be Windows 2000 native or Windows Server 2003”, quoted form below article:
  Appendix A: Reviewing ADFS Requirements
  http://technet.microsoft.com/en-us/library/cc778681(v=WS.10).aspx
  More information for you:
  ADFS and Domain Functional Level
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5cc0e898-eae2-46ce-8491-5ccf61380423/adfs-and-domain-functional-level?forum=winserverDS
  ADFS requirements
  http://technet.microsoft.com/en-us/library/cc727972(v=WS.10).aspx
  Best Regards,
  Amy

• How do I get certificate authentication working across multiple domains?

  Hi,
  I've got LC ES2 set up for certificate authentication and when there's only one domain (with a single certificate mapping set up), it works fine.
  However would like to have multiple domains (application specific), with a small set of administrator type users who manage all of the domains.
  To test, I've set up two domains, with the admin users in one and the normal users in the other.
  I've set up two certificate mapping rules (both for the same CA), one for each domain.
  However LC will only authenticate users who are matched using the first certificate mapping rule.
  Has anyone else seen/tried this?  Have I missed something obvious?
  For the moment I'm going to have to work with a single domain, which is a pain, but will have to do for now.
  Thanks
  Craig
  Here's the error I get when LC fails to match (or attempt to match?) on the second cert mapping rule:
  2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,885 ERROR [STDERR] 11/05/2010 11:36:38 AM com.adobe.rightsmanagement.webservices.rest.RestServlet doAction
  SEVERE: Unexpected exception in Rest Call
  com.adobe.idp.um.api.UMException| [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16423 errorCodeHEX:0x4027 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mappingcom.adobe.idp.common.errors.exception.IDPException| [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] errorCode:12805 errorCodeHEX:0x3205 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:251)
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:194)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:338)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:154)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:162)
  at com.adobe.idp.um.dsc.util.dscservice.UserManagerUtilServiceImpl.authenticateWithWSHeaderE lement(UserManagerUtilServiceImpl.java:173)
  at sun.reflect.GeneratedMethodAccessor1065.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(DefaultPOJOInvokerImpl.jav a:118)
  at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(InvocationInterceptor. java:140)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.intercept(DocumentPassi vationInterceptor.java:53)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.doInTransaction(Transa ctionInterceptor.java:74)
  at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionBMTAdapterBean.doRequiresNew (EjbTransactionBMTAdapterBean.java:218)
  at sun.reflect.GeneratedMethodAccessor363.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionConta iner.java:237)
  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionI nterceptor.java:158)
  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
  at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:1 73)
  at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:77)
  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstance Interceptor.java:169)
  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
  at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor. java:138)
  at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
  at org.jboss.ejb.Container.invoke(Container.java:960)
  at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:430)
  at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:103)
  at $Proxy179.doRequiresNew(Unknown Source)
  at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute(EjbTransactionProvi der.java:145)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.intercept(TransactionInt erceptor.java:72)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.intercept(InvocationStra tegyInterceptor.java:55)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept(InvalidStateIntercep tor.java:37)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterc eptor.java:165)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)
  at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:129)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMessage(AbstractMessage Receiver.java:93)
  at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessageDispatcher.java:22 5)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(AbstractMessageDispat cher.java:66)
  at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:208)
  at com.adobe.idp.um.dsc.util.client.UserManagerUtilServiceClient.authenticate(UserManagerUti lServiceClient.java:210)
  at com.adobe.edc.server.platform.UMHelper.authenticate(UMHelper.java:549)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.validateClientAuthenticationHeader (RestFacade.java:161)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getBusinessHandler(RestFacade.java :206)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getAuthenticationToken(RestFacade. java:226)
  at com.adobe.rightsmanagement.webservices.rest.RestDefaultRequestHandler.handleRequest(RestD efaultRequestHandler.java:29)
  at com.adobe.rightsmanagement.webservices.rest.RestSecureRequestHandler.handleRequest(RestSe cureRequestHandler.java:13)
  at com.adobe.rightsmanagement.webservices.rest.RestRequestRouter.routeRequest(RestRequestRou ter.java:10)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doAction(RestServlet.java:50)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doGet(RestServlet.java:37)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja va:179)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java: 157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
  a
  2010-05-11 11:36:38,886 ERROR [STDERR] t org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja va:580)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  at java.lang.Thread.run(Unknown Source)

  Craig,
  The certificate mapping works in the following manner,
  First the User's certificate is validated.
  If the certificate is valid, the related Certificate mapping information is fetched.
  From the Certificate Mapping information, the domain is determined.
  Following this, the user is searched in the domain and checked for it's current/deleted status.
  If user exists or is a valid one, then return an AuthResult corresponding to that is returned to the client.
  The error log below says, "Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping"
  1. Please check if the concerned user exists in the domain registered in the second cert mapping.
  2. Also check if the concerned user satisfies the attribute mapping specified in the second cert mapping.
  3. Could you confirm whether the admin Users and the normal users are distinct in both the domains and not duplicate in any of them??
     Because if same user exists in 2 domains, then there is no way to find out which domain you are referring to. In that case the first domain which declares the user as valid will return the AuthResult.
  4. You are using LC ES2, so there is a Test Certificate utlity on the same Certificate Mapping page, which can help you confirm the validity of the user's certificate and then you can proceed.