How to display active directory users through weblogic portal Application?
Hi,
Does anyone has faced this situation?
I configured the activedirectory and able to see the users and group in the weblogic console at Security->Realms->Myrealm->users. when I run my portal application,I am able to see only the users that are configured in embedded weblogic LDAP ie, I can see only the users weblogic,portaladmin and yahooadmin that are of defaultauthenticator provider.I need to display the active directory users also in our portal.
I have two doubts on this?
1)Is it I need to write custom code to view the active directory users in our portal?
2)Does I need to use any jars that supports active directory authenticator?
I would appreciate if any one can reply on this with helpfull docs/information.
We are using BEA 8.1 SP4.
Windows 2000.
Surendra
Hi,
I too have a similar kind of requirement, i use a jsp to do this activity, but i get an exception, i have shown the entire jsp code below,
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%@ page import="java.util.Set" %>
<%@ page import="javax.naming.Context" %>
<%@ page import="weblogic.jndi.Environment" %>
<%@ page import="weblogic.management.MBeanHome" %>
<%@ page import="weblogic.management.configuration.DomainMBean" %>
<%@ page import="weblogic.management.configuration.SecurityConfigurationMBean" %>
<%@ page import="weblogic.management.security.RealmMBean" %>
<%@ page import="weblogic.management.security.authentication.AuthenticationProviderMBean" %>
<%@ page import="weblogic.management.security.authentication.UserPasswordEditorMBean" %>
<%@ page import="weblogic.security.providers.authentication.LDAPAuthenticatorMBean" %>
<%@ page import="weblogic.management.configuration.EmbeddedLDAPMBean" %>
<%@ page import="weblogic.management.security.authentication.UserEditorMBean" %>
<%@ page import="weblogic.management.security.authentication.UserReaderMBean" %>
<%@ page import="weblogic.management.security.authentication.GroupReaderMBean" %>
<%@ page import="weblogic.management.utils.ListerMBean" %>
<%@ page import="javax.management.MBeanException" %>
<%@ page import="javax.management.modelmbean.RequiredModelMBean" %>
<%@ page import="examples.security.providers.authentication.manageable.*" %>
<%@ page import="weblogic.security.providers.authentication.ActiveDirectoryAuthenticatorMBean" %>
<%@ page import="weblogic.management.utils.InvalidParameterException" %>
<%@ page import="weblogic.management.utils.NotFoundException" %>
<%@ page import="weblogic.security.SimpleCallbackHandler" %>
<%@ page import="weblogic.servlet.security.ServletAuthentication"%>
<%!
private String makeErrorURL(HttpServletResponse response,
String message)
return response.encodeRedirectURL("welcome.jsp?errormsg=" + message);
%>
<html>
<head>
<title>Password Changed</title>
</head>
<body>
<h1>Password Changed</h1>
<%
// Note that even though we are running as a privileged user,
// response.getRemoteUser() still returns the user who authenticated.
// weblogic.security.Security.getCurrentUser() will return the
// run-as user.
System.out.println("------------------------------------------------------------------");
String username = request.getRemoteUser();
System.out.println("User name -->"+username);
// Get the arguments
String currentpassword = request.getParameter("currentpassword");
System.out.println("Current password -->"+currentpassword);
String newpassword = request.getParameter("newpassword");
System.out.println("New password -->"+newpassword);
String confirmpassword = request.getParameter("confirmpassword");
System.out.println("Confirm password -->"+confirmpassword);
// Validate the arguments
if (currentpassword == null || currentpassword.length() == 0 ||
newpassword == null || newpassword.length() == 0 ||
confirmpassword == null || confirmpassword.length() == 0) {
response.sendRedirect(makeErrorURL(response, "Password must not be null."));
return;
if (!newpassword.equals(confirmpassword)) {
response.sendRedirect(makeErrorURL(response, "New passwords did not match."));
return;
if (username == null || username.length() == 0) {
response.sendRedirect(makeErrorURL(response, "Username must not be null."));
return;
// First get the MBeanHome
String url = request.getScheme() + "://" +
request.getServerName() + ":" +
request.getServerPort();
System.out.println("URL -->"+url);
Environment env = new Environment();
env.setProviderUrl(url);
Context ctx = env.getInitialContext();
MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.LOCAL_JNDI_NAME);
System.out.println("MBean home obtained....");
DomainMBean domain = mbeanHome.getActiveDomain();
SecurityConfigurationMBean secConf = domain.getSecurityConfiguration();
// Sar
EmbeddedLDAPMBean eldapBean = domain.getEmbeddedLDAP();
System.out.println("Embedded LDAP Bean obtained...."+eldapBean );
RealmMBean realm = secConf.findDefaultRealm();
System.out.println("RealmMBean obtained....");
AuthenticationProviderMBean authenticators[] = realm.getAuthenticationProviders();
System.out.println("AuthProvMBean obtained....");
// Now get the UserPasswordEditorMBean
// This code will work with any configuration that has a
// UserPasswordEditorMBean.
// The default authenticator implements these interfaces
// but other providers could work as well.
// We try each one looking for the provider that knows about
// this user.
boolean changed=false;
UserPasswordEditorMBean passwordEditorMBean = null;
System.out.println("UserPwdEdtMBean obtained....");
//System.out.println("Creating MSAI....");
//ManageableSampleAuthenticatorImpl msai =
// new ManageableSampleAuthenticatorImpl(new RequiredModelMBean());
//System.out.println("Done....");
for (int i=0; i<authenticators.length; i++) {
System.out.println("### Authenticator --->"+authenticators);
if (authenticators[i] instanceof ActiveDirectoryAuthenticatorMBean)
ActiveDirectoryAuthenticatorMBean adamb =
(ActiveDirectoryAuthenticatorMBean)authenticators[i];
System.out.println("### ActiveDirectoryAuthenticatorMBean .....");
String listers = adamb.listUsers("*",0);
while(adamb.haveCurrent(listers))
System.out.println("### ActiveDirectoryAuthenticatorMBean user advancement.....");
adamb.advance(listers);
if (authenticators[i] instanceof UserPasswordEditorMBean) {
passwordEditorMBean = (UserPasswordEditorMBean) authenticators[i];
System.out.println("Auth match ...."+passwordEditorMBean);
try {
// Now we change the password
// Sar comment
System.out.println("Password changed....");
//passwordEditorMBean.changeUserPassword(username,
// currentpassword, newpassword);
changed=true;
// Sar Comment
catch (InvalidParameterException e) {
response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
return;
catch (NotFoundException e) {
catch (Exception e) {
response.sendRedirect(makeErrorURL(response, "Caught exception " + e));
return;
// Sar code
LDAPAuthenticatorMBean ldapBean = null;
UserReaderMBean urMBean = null;
UserEditorMBean ueMBean = null;
GroupReaderMBean gMBean = null;
//ListerMBean lBean = null;
try
if (authenticators[i] instanceof LDAPAuthenticatorMBean)
ldapBean = (LDAPAuthenticatorMBean) authenticators[i];
String userFilter = ldapBean.getAllUsersFilter();
System.out.println("userFilter ="+userFilter);
if (authenticators[i] instanceof UserEditorMBean)
try
System.out.println("UserEditorMBean...");
ueMBean = (UserEditorMBean) authenticators[i];
System.out.println("List users..."+ueMBean);
boolean b = ueMBean.userExists("webuser");
System.out.println("User Exists->>>"+b);
String cursor = ueMBean.listUsers("webuser", 2);
System.out.println("List User ----->"+cursor);
catch(InvalidParameterException e)
response.sendRedirect(makeErrorURL(response, "ERROR InvalidParameterException:" + e));
catch(java.lang.reflect.UndeclaredThrowableException e)
response.sendRedirect(makeErrorURL(response, "ERROR UndeclaredThrowableException :" + e));
e.printStackTrace();
catch(Exception e)
response.sendRedirect(makeErrorURL(response, "ERROR LBean:" + e));
catch(Exception ex)
ex.printStackTrace();
response.sendRedirect(makeErrorURL(response, "ERROR:" + ex));
return;
if (passwordEditorMBean == null) {
response.sendRedirect(makeErrorURL(response, "Internal error: Can't get UserPasswordEditorMBean."));
return;
System.out.println("pwd changed ->"+changed);
if (!changed) {
// This happens when the current user is not known to any providers
// that implement UserPasswordEditorMBean
response.sendRedirect(makeErrorURL(response,
"No password editors know about user " + username + "."));
return;
%>
User <%= username %>'s password has been changed!
<br>
<br>
</body>
</html>
Here is the console log
User name -->webuser
Current password -->i
New password -->u
Confirm password -->u
URL -->http://localhost:7011
MBean home obtained....
Embedded LDAP Bean obtained....[Caching Stub]Proxy for mydomain:Name=mydomain,Type=EmbeddedLDAP
RealmMBean obtained....
AuthProvMBean obtained....
UserPwdEdtMBean obtained....
### Authenticator --->Security:Name=myrealmDefaultAuthenticator
Auth match ....Security:Name=myrealmDefaultAuthenticator
Password changed....
UserEditorMBean...
List users...Security:Name=myrealmDefaultAuthenticator
User Exists->>>true
java.lang.reflect.UndeclaredThrowableException
at $Proxy1.listUsers(Unknown Source)
at jsp_servlet.__updatepassword._jspService(__updatepassword.java:411)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.jav
a:1006)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:463)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:315)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletC
ontext.java:6718)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:37
64)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
Caused by: javax.management.MBeanException
at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:551)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.j
ava:988)
at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
at weblogic.management.commo.CommoProxy.invoke(CommoProxy.java:365)
... 14 more
### Authenticator --->Security:Name=myrealmDefaultIdentityAsserter
pwd changed ->true
Can u pls let me know how to get all the entries from LDAP.
Thanx
Sar
Similar Messages
-
Hi My self Arun in my current project i have a task on that active directory user need to automatically populate in share point list drop down please help me. is that any out of box feature in share point 2010 ?
Thanking You
ArunArun,
If you plan to implement the "Querying the Active Directory" based on my code snippet,
and if you do not have permission [your account must be the part of domain admin] to do so,
Then still you can do it in least effort through code,
string usersInXml = SPContext.Current.Web.AllUsers.Xml;your xml string look like this.
<Users><User ID="2" Sid="" Name="Administrator"
LoginName="i:0#.w|murugesan\administrator" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1" Sid="" Name="Murugesa Pandian" LoginName="i:0#.w|murugesan\murugesan" Email="" Notes="" IsSiteAdmin="True" IsDomainGroup="False" Flags="0" /><User ID="1073741823" Sid="S-1-0-0" Name="System Account" LoginName="SHAREPOINT\system" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0" /></Users>
You can user Linq to XML to filter the "LoginName,Name and Email and then populate your drop down list.
* User must be logged into the site at least once.
Murugesa Pandian.,MCTS|App.Devleopment|Configure -
How to integrate Active Directory with Oracle Weblogic
hi
is there any Oracle Document that descripes how to integrate the LDAP Active directory with Oracle Weblogic 10.3
Regards
Edited by: qasas on 28-Nov-2009 13:56weblogic docs (and there identity asserters) - http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
-
How to Add Active Directory user to Admin Role
Hi All,
I am trying to figure out how to add a AD user to the Admin Role..
I am connected to AD and can see the user (myself), however, when I try to add myself to the admin role, it says user not found.
I go to Security Realms > myreals > Roles and Policies > Global Roles > Roles > Admin > View Role Condition.
I see that the Administrators Group is already added. Now I click "add Conditions" and select "User" from the Predicate List and type in the user " Doe' John".
On the next screen I get "user: John or Dow" does not exist.
Another option could be to add the user to the Administrator group, but I couldnt figure out how to do that as well. When I navigate to the user under Users or Groups, I dont see an option to add that user to the Administrator group.
Is it that you can only add users created in Weblogic to the Admin group?
Any help on this will be very appreciated.
Thanks in advance.I think I got it. I had to add the AD group the user is part of to the Admin role.
-
How to integrate active directory users(credentials) to Open Directory LDAPv3?
-I don't want to have a separate directory anymore.
Hi RM,
It would require that you setup your Portal in such a way being able to handle Windows Integrated Authentication via Kerberos. This is already very well explained in the following blogs:
/people/wai-hon.lam/blog/2006/04/20/windows-integrated-authentication-via-kerberos-on-an-ldap-data-source
http://wiki.sdn.sap.com/wiki/display/EP/SingleSignOntotheJ2EEEnginefromWindows
After setting up your datasource, in your case the ADS, you will need to run SPNego Wizard in NWA to have it integrated with SSO.
Best regards,
Andre -
How to import your MS Active Directory users in an Oracle table
Hello,
I first tried to get a Heterogenous Connection to my MS Active Directory to get information on my Active Directory users.
This doesn't work so I used an alternative solution:
How to import your MS Active Directory users in an Oracle table
- a Visual Basic script for export from Active Directory
- a table in my database
- a SQL*Loader Control-file
- a command-file to start the SQL*Loader
Now I can schedule the vsb-script and the command-file to get my information in an Oracle table. This works fine for me.
Just to share my scripts:
I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
'Export_ActiveDir_users.vbs 26-10-2006
'Script to export info from MS Active Directory to a CSV-file
' Accountname, employeeid, Name, Function, Department etc.
' Richard de Boer - Wetterskip Fryslan, the Nethterlands
' samaccountname Logon Name / Account
' employeeid Employee ID
' name name
' displayname Display Name / Full Name
' sn Last Name
' description Description / Function
' department Department / Organisation
' physicaldeliveryofficename Office Location Wetterskip Fryslan
' streetaddress Street Address Harlingerstraatweg 113
' l City / Location Leeuwarden
' mail E-mail adress
' wwwhomepage Web Page Address
' distinguishedName Full unique name with cn, ou's, dc's
'Global variables
Dim oContainer
Dim OutPutFile
Dim FileSystem
'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
Set oContainer=GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")
'Enumerate Container
EnumerateUsers oContainer
'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set oContainer = Nothing
WScript.Echo "Finished"
WScript.Quit(0)
Sub EnumerateUsers(oCont)
Dim oUser
For Each oUser In oCont
Select Case LCase(oUser.Class)
Case "user"
If Not IsEmpty(oUser.distinguishedName) Then
OutPutFile.WriteLine _
oUser.samaccountname & ";" & _
oUser.employeeid & ";" & _
oUser.Get ("name") & ";" & _
oUser.displayname & ";" & _
oUser.sn & ";" & _
oUser.description & ";" & _
oUser.department & ";" & _
oUser.physicaldeliveryofficename & ";" & _
oUser.streetaddress & ";" & _
oUser.l & ";" & _
oUser.mail & ";" & _
oUser.wwwhomepage & ";" & _
oUser.distinguishedName & ";"
End If
Case "organizationalunit", "container"
EnumerateUsers oUser
End Select
Next
End SubThis give's output like this:
rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;I made a table in my Oracle database:
CREATE TABLE PG4WF.ACTD_USERS
samaccountname VARCHAR2(64)
, employeeid VARCHAR2(16)
, name VARCHAR2(64)
, displayname VARCHAR2(64)
, sn VARCHAR2(64)
, description VARCHAR2(100)
, department VARCHAR2(64)
, physicaldeliveryofficename VARCHAR2(64)
, streetaddress VARCHAR2(128)
, l VARCHAR2(64)
, mail VARCHAR2(100)
, wwwhomepage VARCHAR2(128)
, distinguishedName VARCHAR2(256)
)I made SQL*Loader Control-file:
LOAD DATA
INFILE 'ActiveDir_users.csv'
BADFILE 'ActiveDir_users.bad'
DISCARDFILE 'ActiveDir_users.dsc'
TRUNCATE
INTO TABLE PG4WF.ACTD_USERS
FIELDS TERMINATED BY ';'
( samaccountname
, employeeid
, name
, displayname
, sn
, description
, department
, physicaldeliveryofficename
, streetaddress
, l
, mail
, wwwhomepage
, distinguishedName
)I made a cmd-file to start SQL*Loader
: Import the Active Directory users in Oracle by SQL*Loader
D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.logI used this for a good list of active directory fields:
http://www.kouti.com/tables/userattributes.htm
Greetings,
Richard de BoerI have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record get inserted to the table, for example 04-Aug-13.
Is there any way that I can find out what time each record has been inserted?
For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
First you need to clarify what you mean by 'the date that each record get inserted'. A row is not permanent and visible to other sessions until it has been COMMITTED and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
Second - your date column, and ALL date columns, includes a time component. So just query your date column for the time.
The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time. -
How to create "folders" in Active Directory Users and Computers?
Hello Community
In Windows Server 2008R2 when you go to Active Directory Users and Computer
you will see icons of folders such as:
- Builtin has a folder icon
- Computers has a folder icon
- ForeignSecurityPrinicpals has a folder icon
- Domain Controller as a folder icon
- Managed Service Accounts has a folder icon
- Users has a folder icon
All of the above folders are visually identical.
If you right click and select “File” – “New”
on any of the selections the icon
will not look like the folder icon they have their own icons which look different
from the "Folder" icon.
I would like to create a “Folder” that looks just visually exactly like the ones
mentioned above, how can I create those types of Folders in Active Directory User
and Computers?
Note: I would like to put users in the folders.
Thank you
ShabeautHi,
you should use OUs (an OU is they type of object (folder) that is available for you to easily create.
The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPO, etc).
Refer: Delegating Administration by Using OU Objects
http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx
and the sub-articles:
Administration of Default Containers and OUs
http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
Delegating Administration of Account and Resource OUs
http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Active Directory Users and Computer not displaying column data?
I am running Windows 8.1 Enterprise with RSAT installed. My Domain controllers are Server 2008 R2.
I am having and issue with Active Directory Users and Computers. Typically I will turn on Advanced Features and then add Columns for Email address and Display Name. This for example allows me to easily export lists of users and there email
addresses among other things.
The issue is that on my Windows 8.1 client, the columns for Email and Display Name are empty. It simply will not display this information. It only displays Name, TYpe and Description.
If I use a Windows 7 client, the information displays correctly.
Has anyone run into this issue or heard of this problem when using ADUC on Windows 8.1?ADUC is an AD tool that is no longer being improved, with Microsoft now focusing on ADAC (Administrative Center). In 8.1, it has improved quite a bit since 7. You can also just try using the
ActiveDirectory PowerShell Module, which is easy to use and fairly powerful. It can be simple to export lists, and the module for AD is included with RSAT tools.
Example:
Import-Module ActiveDirectory
Get-ADUser -Filter {Manager -eq "John.Smith"} -Properties DisplayName,Mail | Export-Csv dump.csv -NoTypeInformation
So, recommendation: either use ADAC, or PowerShell -- ADUC is part of the wave of deprecation. -
Logging into weblogic console using Active directory users?
Hi,
We developed a portal application using BEA 8.1 by getting users from embidded LDAP provided with the weblogic server.Now we need to access the users accounts stored in active directory.we configured new active directory authenticator and able to see the user and group names in the weblogic console. when we try to login to the console using one of the active directory user names, we are unable to login.
I would be thankful if any one can help on this.
Thanks & Regards
Surendranath ReddyHi Surendranath,
I am trying to attempt the same task, but have been unsuccessful so far. If you have had any luck with this, please let me know.
I can get MS AD to work just fine in the Security Provider and it works via the developers application, but I cannot login using the Active Directory users from the Admin Console.
Thanks,
Kevin. -
Active directory users and computers wont start on a dc, "the server is not operational"
In our environment, we have 3 dc's
two which run server 2008 (they work perfectly)
and one never off branch dc that runs server 2008 r2.
We have been having some problems where we feel the replication isnt up too speed(stuff could take up to 24 hours to replicate) and now when i tried opening active directory users and computers i am met with this error window:
We have a third party DNS solution.
How do i troubleshoot this issue?dc01 (which replicates perfectly with dc02, and vise versa)
dcdiag /test:dns
C:\Users\adminuser>dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Hostingpartner\ourdc01
Starting test: Connectivity
......................... ourDC01 passed test Connectivity
Doing primary tests
Testing server: Hostingpartner\ourdc01
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : int
Running enterprise tests on : int.domain.com
Starting test: DNS
Test results for domain controllers:
DC: ourdc01.int.domain.com
Domain: int.domain.com
TEST: Delegations (Del)
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
Summary of test results for DNS servers used by the above domain controllers:
DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
2 test failures on this DNS server
Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: int.domain.com
ourdc01 PASS PASS PASS FAIL n/a PASS n/a
......................... int.domain.com failed test DNS
dcdiag on dc01(which can replicate with dc02)
C:\Users\adminuser>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: hostingpartner\ourdc01
Starting test: Connectivity
......................... OURDC01 passed test Connectivity
Doing primary tests
Testing server: hostingpartner\ourdc01
Starting test: Replications
[Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Win32 Error 8453.
......................... OURDC01 failed test Replications
Starting test: NCSecDesc
......................... OURDC01 passed test NCSecDesc
Starting test: NetLogons
[OURDC01] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... OURDC01 failed test NetLogons
Starting test: Advertising
......................... OURDC01 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... OURDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... OURDC01 passed test RidManager
Starting test: MachineAccount
......................... OURDC01 passed test MachineAccount
Starting test: Services
......................... OURDC01 passed test Services
Starting test: ObjectsReplicated
......................... OURDC01 passed test ObjectsReplicated
Starting test: frssysvol
......................... OURDC01 passed test frssysvol
Starting test: frsevent
......................... OURDC01 passed test frsevent
Starting test: kccevent
......................... OURDC01 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:29
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:50
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:10:56
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:11:17
(Event String could not be retrieved)
......................... OURDC01 failed test systemlog
Starting test: VerifyReferences
......................... OURDC01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : int
Starting test: CrossRefValidation
......................... int passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... int passed test CheckSDRefDom
Running enterprise tests on : int.domain.com
Starting test: Intersite
......................... int.domain.com passed test Intersite
Starting test: FsmoCheck
......................... int.domain.com passed test FsmoCheck
The problematic dc03:
Dcdiag gives the same output as dcdiag /test:dns
C:\Users\adminuser>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = OURDC03
Ldap search capabality attribute search failed on server NTSDC03, return
value = 81
We have an infoblox dns server on ip address xxx.y.y.251.
first error in event logs on dc03:
error 1863
This is the replication status for the following directory partition on this directory server.
Directory partition:
CN=Configuration,DC=int,DC=domain,DC=com
This directory server has not received replication information from a number of directory servers within the configured latency interval.
Latency Interval (Hours):
24
Number of directory servers in all sites:
2
Number of directory servers in this site:
2
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
i have also go several warning 2088, 2093, 2087.
And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones -
Active Directory Authentication in Weblogic 8.1
Hi,
We want to do authentication from Microsoft Active Directory using weblogic 8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working. Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me know how
to proceed.
2. Is there any tool by which I can get to know the different attribute asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind. Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit TyagiAmit,
We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
and downs though.
|
|
1) First, make sure you are sending right LDAP queries to AD. To verify this,
we used free 3rd party LDAP browser from Softerra. There is also java based free
browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
Play with your LDAP settings using this and make sure AD is returning the right
data.
|
2) AD has some default settings that makes it return only the top 1000 users.
Use ntdsutil.exe to modify these default settings
|
3) AD needs to have the right set of users and groups. To configure this, refer
to WLS docs. This is very well documented in WLS docs. Also refer to this article
http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
reference
|
4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
another product AD/AM (AD in Application Mode) in combination with MIIS server.
But if you are using sp2, you shouldn't be worry about this.
|
5) In your providers, you might want to get rid of the DefaultAuthentication provider,
once you are able to establish a connection with your ActiveDirectoryAuthentication
provider. The DefaultAuthentication provider causes some problems and does not
let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
investgated the root of this prob. When we deleted DefaultAuthentication provider,
everything worked normally - so we didn't really care that much :-)
|
6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
your are able to authenticate talk to your AD.
|
These are the ones I could think of. Hope this helps..
Regards,
Anant
"Amit" <[email protected]> wrote:
>
Hi,
We want to do authentication from Microsoft Active Directory using weblogic
8.1.
I have created a Active directory and
configured weblogic from console to use it. But it is still not working.
Your
help with these question would be highly
appreciated.
1. Is there anyone in group who have tried this before. Please let me
know how
to proceed.
2. Is there any tool by which I can get to know the different attribute
asked
for configuration in Weblogic?
3. I am not able to login to my application after configuration. Is there
any
other way to come to know whether it is working
or not?
There could be plethora of reason but nothing which can come to my mind.
Everything
seems to be configured correctly. Here is
portion of my config.xml related with authentication:
<FileRealm Name="wl_default_file_realm"/>
<PasswordPolicy Name="wl_default_password_policy"/>
<Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
<Security GuestDisabled="false" Name="vendavo-dev"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
ControlFlag="SUFFICIENT"
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper"
UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
<weblogic.security.providers.pk.DefaultKeyStore
Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
DisplayName="ADAuthenticator" FollowReferrals="false"
GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
Name="Security:Name=myrealmADAuthenticator"
Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
</Security>
First, of all is it possible to use Active Directory authentication in
Weblogic
without writing any custom code. If yes, how?
Thanks in advance,
Amit Tyagi -
Hide all except one object in Active Directory Users and Computers.
Hello,
I have a question.. I need to allow to one group of "administrators" creating users in one OU and adding computers to the domain, nothing else. I allowed them to log on DC using the GPO "Allow log on locally", because I don't want to give
them administrator rights, I allowed them to do these operations on one OU through delegation wizard and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way how to achieve this? Thank you...
d.I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
Description of Remote Server Administration Tools for Windows 7:
http://support.microsoft.com/default.aspx/kb/958830
Remote Server Administration Tools for Windows 7:
http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and worked fine for my customer:
Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Cannot log into DTR with Active Directory User
Greetings,
I have set up and installed JDI correctly. I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user. I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
500 Internal Server Error
SAP J2EE Engine/6.40
Application error occurred during the request procession.
Details: Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!]. The ID of this error is
Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
This group exists in multiple domainshowever, this has not caused us any issues to date with our portal and other pieces of SAP WASit's only this DTR error.
Any help is greatly appreciated.
Thanks,
MartyHi Marty,
In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
Regards,
Manohar -
Windows 2008 Server - Cannot run Active Directory Users and Computers
Hi,
I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
I attempt to open Active Directory Users and Computers tool and I get a;
Microsoft Visual C++ Runtime Library error;
"The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
I click ok, then get the following debug info;
Problem signature:
Problem Event Name: APPCRASH
Application Name: mmc.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47919524
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.6001.18000
Fault Module Timestamp: 4791ad6b
Exception Code: 40000015
Exception Offset: 0000000000029b06
OS Version: 6.0.6001.2.1.0.272.7
Locale ID: 3081
Additional Information 1: 43aa
Additional Information 2: cf3a46656318492c1997480001b6b0e0
Additional Information 3: 3837
Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
If someone could please assist, it would be very much appreciated.
Regards
B
Hi,
To solidly troubleshoot this kind of issue, we need to debug dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
However, I am also glad to share my research.
Some third party applications may lead to this error. Please check if you install other third party applications on Windows server 2008?
Also, please follow the article below to perform necessary steps to see how it's going?
FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
http://support.microsoft.com/kb/190536/en-us
Hope this helps.
Best wishes
Morgan Che -
Report on Active Directory User Attributes in SCCM 2012
I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
SELECT v_FullCollectionMembership.ResourceID,
v_R_User.Windows_NT_Domain0,
v_R_User.Distinguished_Name0,
v_R_User.Full_User_Name0,
v_R_User.Mail0,
v_R_User.User_Name0
FROM v_FullCollectionMembership, v_R_User
WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
AND v_FullCollectionMembership.CollectionID = 'SMS00002'
If possible I need to add:
Last logon timestamp
User account status (enabled or disabled)
I have added "lastLogon" and "lastLogonTimestamp" as additional attributesunder Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in
another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however
the values do not match those found in Active Directory.
Thanks.Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
More info on the attribute can be found from here
http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
account is enabled = 512
account is disabled = 514
account is enabled with smart card = 262656
Maybe you are looking for
-
Find the installation path of the addon
Hi Can anyone tell me a way to find out the installation path of the current addon please. I would like to reference the xml files that are in there in my application I am using SP01 PL36 Many thanks Regards Andy
-
Opening Balance of Investment/Equity.
As we are migrating to BCS system the investment by one entity is not match with equity in another intercompany. I understand when we execute the COI function initially after loading the opening balance ,the balancing entry goes to Goodwill. But can
-
Screen layout for Service Entry Sheet.
Hi All, I need to make some fields in SES as display. I checked different Field Selection options in SES screen layout; like ML81, ML82, PT9, 4, 5, etc; but nothing has any effect in service entry sheet. Please advise. Regards Alexandro
-
My shuffle is blinking orange and won't charge
My ipod shuffle is blinking orange and won't charge.
-
Not seeing all photos in library
I have iphoto 11 on a new macbookpro mid2012. In the setup procedure I transferred my old photo library to my macbook pro. There are photos in my library ( looking in MASTERS directory in the finder) that do not show in the iphoto application. They d