How to Implement ESSO in Active Directory
Hi All,
I'm a newbie and have just installed the LM Admin Console on a Windows Server 2003 machine (which is also the AD server).
I tried following the instructions from the manual to sync with the AD server. I tried adding a web application, let's say the Yahoo Mail login page, and defined the fields.
After that, from the AD repository, I configured SSO support to add the application I had just added.
Then I logged in to the AD domain on another workstation that has the ESSO Agent installed. After login, I didn't see any application loaded in Logon Manager.
What configuration have I missed?
Please help, and please provide some example configuration.
Thanks a lot.
Hello there,
I just posted a response for another thread on the same topic:
Just for your information, do not expect to see all the applications pop up in the client's list right away. They will appear each time a user adds one, through the FTU Wizard or one by one at runtime.
My configuration works with the following settings:
- Global Agent Settings > (Your Registry Name) > Synchronization:
Enable role/group security support: "use role/group security"
- Global Agent Settings > (Your Registry Name) > Synchronization > (Your Synchronizer) > Required:
Set to connect without SSL for testing
- Global Agent Settings > (Your Registry Name) > Synchronization > (Your Synchronizer) > Advanced:
Configuration Objects Base Locations: set it to the branch where you store your eSSO config
Servers: type in the name and port of your server like "localhost:389"
I recommend you to check every setting one by one to see if they are relevant to your installation.
Once done, the easiest way to set up the Logon Manager is to generate an MSI (Tools > Generate Customized MSI). Install the Agent and check the connectivity. To do that, simply double-click the eSSO LM icon (in the Windows taskbar), click Refresh (upper right) and then "Add". The list of configured apps should be displayed in the combo box. If not, check your agent settings again.
I think it comes close to what you are trying to do. Just in case you already installed the LM agent, I would suggest that you remove it completely if you want to reinstall. You may want to check that the registry was cleaned up: under HKEY_CURRENT_USER\Software, delete the Passlogix entry if it is still there.
Good luck!
-s
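An added connectivity check for the two synchronizer settings the reply above names ("Servers" = host:port and "Configuration Objects Base Locations" = base DN). This is example code, not part of the original thread or of the ESSO product: it binds to the directory as the logged-on user, then reads the base DN with a base-scope search, so an unreachable port, rejected credentials and a wrong branch each come back as a different answer. The host, port, base DN and the use of the current user's credentials are assumptions.

```powershell
# Added example (not from the original post). Assumed: localhost:389 and an
# eSSO config branch OU=eSSOConfig,DC=example,DC=local.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EssoSyncTarget {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 389,
        [string]$BaseDn = 'OU=eSSOConfig,DC=example,DC=local',   # assumed config branch
        [switch]$UseSsl                                          # 636 + SSL once testing is over
    )
    $result = [ordered]@{ Target = "${Server}:$Port"; BaseDn = $BaseDn
                          Bound = $false; BaseDnReadable = $false; Error = $null }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    # Negotiate = Kerberos/NTLM as the logged-on user, which is how the agent talks to AD at logon.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()
        $result.Bound = $true
        # Base-scope search on the config branch itself: proves the DN exists
        # and that this user is allowed to read it.
        $req = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                          -ArgumentList $BaseDn, '(objectClass=*)',
                                        ([System.DirectoryServices.Protocols.SearchScope]::Base), 'objectClass'
        $resp = $conn.SendRequest($req)
        $result.BaseDnReadable = ($resp.Entries.Count -eq 1)
    } catch {
        # PowerShell wraps .NET exceptions; dig down to the directory exception.
        $ex = $_.Exception
        while ($ex.InnerException -and $ex -isnot [System.DirectoryServices.Protocols.DirectoryException]) {
            $ex = $ex.InnerException
        }
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            # Bind worked, search failed: NoSuchObject (wrong branch) or InsufficientAccessRights.
            $result.Error = $ex.Response.ResultCode.ToString()
        } else {
            # Bind itself failed: host/port unreachable or credentials rejected.
            $result.Error = $ex.Message
        }
    } finally {
        $conn.Dispose()
    }
    return [pscustomobject]$result
}

Test-EssoSyncTarget -Server 'localhost' -Port 389 -BaseDn 'OU=eSSOConfig,DC=example,DC=local' | Format-List
```

Run it on the workstation that has the agent installed, as the domain user who sees no applications: Bound=False points at the Servers setting or the network, Bound=True with BaseDnReadable=False points at the Configuration Objects Base Locations setting or at read permissions on that branch. The reply disables SSL only for testing; with -UseSsl and port 636 the same check covers the production setting.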
Similar Messages
-
How to import your MS Active Directory users in an Oracle table
Hello,
I first tried to get a Heterogeneous Connection to my MS Active Directory to get information on my Active Directory users.
This didn't work, so I used an alternative solution:
How to import your MS Active Directory users in an Oracle table
- a Visual Basic script for export from Active Directory
- a table in my database
- a SQL*Loader Control-file
- a command-file to start the SQL*Loader
Now I can schedule the vbs script and the command file to get my information into an Oracle table. This works fine for me.
Just to share my scripts:
I made a Visual Basic script to make an export from my Active Directory to a CSV-file.
'Export_ActiveDir_users.vbs 26-10-2006
'Script to export info from MS Active Directory to a CSV-file
' Accountname, employeeid, Name, Function, Department etc.
' Richard de Boer - Wetterskip Fryslan, the Netherlands
' samaccountname Logon Name / Account
' employeeid Employee ID
' name name
' displayname Display Name / Full Name
' sn Last Name
' description Description / Function
' department Department / Organisation
' physicaldeliveryofficename Office Location Wetterskip Fryslan
' streetaddress Street Address Harlingerstraatweg 113
' l City / Location Leeuwarden
' mail E-mail address
' wwwhomepage Web Page Address
' distinguishedName Full unique name with cn, ou's, dc's
Option Explicit

'Global variables
Dim oContainer
Dim OutPutFile
Dim FileSystem

'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("ActiveDir_users.csv", True)
Set oContainer = GetObject("LDAP://OU=WFgebruikers,DC=Wetterskip,DC=Fryslan,DC=Local")

'Enumerate Container (recursively, see EnumerateUsers)
EnumerateUsers oContainer

'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set oContainer = Nothing
WScript.Echo "Finished"
WScript.Quit(0)

'Return a single-valued attribute as a string, or "" when the attribute is not
'set on the object. ADSI raises error 8000500D ("property cannot be found in
'the cache") for an unset attribute, which would otherwise abort the export on
'the first user without, say, an employeeid or a wwwhomepage.
'Get() is used for every attribute because "name" also exists as the IADs
'Name property (which returns "CN=...", not the name attribute).
Function GetAttr(oObj, sName)
    Dim vValue
    On Error Resume Next
    vValue = oObj.Get(sName)
    If Err.Number <> 0 Then
        vValue = ""
        Err.Clear
    End If
    On Error GoTo 0
    'A ';' or line break inside a value (a description, a street address)
    'would shift the SQL*Loader columns, so neutralise them before writing.
    vValue = Replace(Replace(Replace(vValue, ";", ","), vbCr, " "), vbLf, " ")
    GetAttr = vValue
End Function

Sub EnumerateUsers(oCont)
    Dim oUser
    For Each oUser In oCont
        Select Case LCase(oUser.Class)
            Case "user"
                If Not IsEmpty(oUser.distinguishedName) Then
                    OutPutFile.WriteLine _
                        GetAttr(oUser, "samaccountname") & ";" & _
                        GetAttr(oUser, "employeeid") & ";" & _
                        GetAttr(oUser, "name") & ";" & _
                        GetAttr(oUser, "displayname") & ";" & _
                        GetAttr(oUser, "sn") & ";" & _
                        GetAttr(oUser, "description") & ";" & _
                        GetAttr(oUser, "department") & ";" & _
                        GetAttr(oUser, "physicaldeliveryofficename") & ";" & _
                        GetAttr(oUser, "streetaddress") & ";" & _
                        GetAttr(oUser, "l") & ";" & _
                        GetAttr(oUser, "mail") & ";" & _
                        GetAttr(oUser, "wwwhomepage") & ";" & _
                        GetAttr(oUser, "distinguishedName") & ";"
                End If
            Case "organizationalunit", "container"
                'Descend into sub-OUs and containers
                EnumerateUsers oUser
        End Select
    Next
End Sub

This gives output like this:
rdeboer;2988;Richard de Boer;Richard de Boer;de Boer;Database Administrator;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Richard de Boer,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;
tbronkhorst;201;Tjitske Bronkhorst;Tjitske Bronkhorst;Bronkhorst;Configuratiebeheerder;Informatie- en Communicatie Technologie;;Harlingerstraatweg 113;Leeuwarden;[email protected];;CN=Tjitske Bronkhorst,OU=Informatie- en Communicatie Technologie,OU=Afdelingen,OU=WFGebruikers,DC=wetterskip,DC=fryslan,DC=local;

I made a table in my Oracle database:
CREATE TABLE PG4WF.ACTD_USERS
( samaccountname VARCHAR2(64)
, employeeid VARCHAR2(16)
, name VARCHAR2(64)
, displayname VARCHAR2(64)
, sn VARCHAR2(64)
, description VARCHAR2(100)
, department VARCHAR2(64)
, physicaldeliveryofficename VARCHAR2(64)
, streetaddress VARCHAR2(128)
, l VARCHAR2(64)
, mail VARCHAR2(100)
, wwwhomepage VARCHAR2(128)
, distinguishedName VARCHAR2(256)
)

I made a SQL*Loader control file:
LOAD DATA
INFILE 'ActiveDir_users.csv'
BADFILE 'ActiveDir_users.bad'
DISCARDFILE 'ActiveDir_users.dsc'
TRUNCATE
INTO TABLE PG4WF.ACTD_USERS
FIELDS TERMINATED BY ';'
( samaccountname
, employeeid
, name
, displayname
, sn
, description
, department
, physicaldeliveryofficename
, streetaddress
, l
, mail
, wwwhomepage
, distinguishedName
)

I made a cmd file to start SQL*Loader:
REM Import the Active Directory users into Oracle with SQL*Loader
REM The password is given on the command line here; on a shared host it is
REM visible in the process list, so a parfile= with restricted permissions is safer.
D:\Oracle\ora92\bin\sqlldr userid=pg4wf/<password>@<database> control=sqlldr_ActiveDir_users.ctl log=sqlldr_ActiveDir_users.log

I used this for a good list of Active Directory fields:
http://www.kouti.com/tables/userattributes.htm
Greetings,
Richard de Boer
-
I have a table with about 50,000 records in my Oracle database and there is a date column which shows the date that each record got inserted into the table, for example 04-Aug-13.
Is there any way that I can find out what time each record has been inserted?
For example: 04-Aug-13 4:20:00 PM. (For my existing records not future ones)
First you need to clarify what you mean by 'the date that each record gets inserted'. A row is not permanent and visible to other sessions until it has been COMMITTED, and that commit may happen seconds, minutes, hours or even days AFTER a user actually creates the row and puts a date in your 'date column'.
Second, your date column, and ALL date columns, include a time component. So just query your date column for the time.
The only way that time value will be incorrect is if you did something silly like TRUNC(myDate) when you inserted the value. That would use a time component of 00:00:00 and destroy the actual time.
-
How to import Photos into Active Directory
Hi -
IT Director asked me to import employees pictures into Active Directory so that we can use them in Outlook, SharePoint, Lync etc.
Do you know how to import pictures into Active Directory?
The thumbnailPhoto attribute in Active Directory is the one that holds photos in Active Directory.
By default, replication of this attribute to the Global Catalog is disabled. To make use of this facility you will have to enable replication of this attribute to the Global Catalog (to accomplish this you will have to edit the schema using the Active Directory Schema snap-in).
Refer Below link which explains about enabling the replication of Thumbnailphoto attribute to Global catalog.
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/configuring-using-display-picture-exchange-server-2010.html
Requirements
Minimum requirement for your Exchange environment to use this: Exchange 2010.
Exchange 2007 doesn't support uploading photos, AFAIK.
The domain controller should be running Windows Server 2008 or later, and the schema has to be at the Windows Server 2008 level.
Additionally for your information,
How to remove the uploaded photos?
Either you can edit the thumbnailPhoto attribute using ADSI Edit and remove the entry associated with the thumbnailPhoto attribute,
Or,
Try this.
The Import-RecipientDataProperty and Export-RecipientDataProperty cmdlets allow you to import and export the photo blob to and from
thumbnailPhoto attribute, but there's no Remove-RecipientDataProperty cmdlet to remove it. You can use the
RemovePicture switch of Set-Mailbox cmdlet to remove a user's photo. For example:
Set-Mailbox "Bharat Suneja" -RemovePicture
Check out the below link which explains in and out of uploading photos,
http://blogs.technet.com/b/exchange/archive/2010/06/01/gal-photos-frequently-asked-questions.aspx
http://blogs.technet.com/b/ilvancri/archive/2009/11/17/upload-picture-in-outlook-2010-using-the-exchange-management-shell-exchange-2010.aspx
To know about uploading photo using powershell ask this question in powershell forum
http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
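An added example, not from the original reply, that does the thumbnailPhoto import the reply describes with the two checks that usually bite in practice: whether the attribute is in the Global Catalog partial attribute set (the reply's schema step), and the picture size. The user name, file path and the 10 KB target size are assumptions; Set-ADUser from the ActiveDirectory module is used instead of the Exchange cmdlets so it also works for users without a mailbox.

```powershell
# Added example (not from the original post). Assumed: user jdoe, file
# C:\photos\jdoe.jpg, ActiveDirectory module available on this host.
Import-Module ActiveDirectory

function Test-ThumbnailPhotoInGlobalCatalog {
    # thumbnailPhoto is not replicated to the GC by default; Outlook/Lync in a
    # multi-domain forest look it up there, so check the schema flag first.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
                         -Properties isMemberOfPartialAttributeSet
    return [bool]$attr.isMemberOfPartialAttributeSet
}

function Set-UserThumbnailPhoto {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$JpegPath,
        # Assumed limit: Exchange's Import-RecipientDataProperty refuses pictures
        # over 10 KB; the AD schema itself caps the attribute at 100 KB.
        [int]$MaxBytes = 10KB
    )
    $bytes = [System.IO.File]::ReadAllBytes($JpegPath)
    # JPEG files start with the SOI marker FF D8; refuse anything else so a
    # stray file cannot be pushed into every address book in the forest.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xD8) {
        throw "$JpegPath does not look like a JPEG file"
    }
    if ($bytes.Length -gt $MaxBytes) {
        throw "$JpegPath is $($bytes.Length) bytes; resize to 96x96 (about 10 KB) before importing"
    }
    # -Replace writes the raw byte[] and overwrites any existing picture.
    Set-ADUser -Identity $SamAccountName -Replace @{ thumbnailPhoto = $bytes }
}

function Remove-UserThumbnailPhoto {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Same effect as Set-Mailbox -RemovePicture, without needing a mailbox.
    Set-ADUser -Identity $SamAccountName -Clear thumbnailPhoto
}

if (-not (Test-ThumbnailPhotoInGlobalCatalog)) {
    Write-Warning 'thumbnailPhoto is not replicated to the Global Catalog; enable it in the schema snap-in first'
}
Set-UserThumbnailPhoto -SamAccountName 'jdoe' -JpegPath 'C:\photos\jdoe.jpg'
```

Writing thumbnailPhoto needs write access to that attribute on the user object, which Account Operators and the usual delegated help-desk rights do not include by default; run it with an account that has it, or delegate just that attribute on the OU rather than handing out broader rights.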
How do i use an active directory group for vpn and not all user
hi all,
i have an asa 5515x...
How do I use a particular group in Active Directory to grant VPN/AnyConnect access? Right now I believe it's open to all users with my current config:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!integrate with active directory
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
ldap-base-dn dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 12345678
ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
server-type auto-detect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Say I want this "vpn-group" group object in AD, and my VPN is only AnyConnect, no other VPN types.
Thanks for any comment you may add.
The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.
-
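An added configuration example, not from the original thread or from the Cisco white paper the reply mentions: instead of DAP, an LDAP attribute map turns the user's memberOf value into a group policy, and the tunnel group's default policy allows zero logins, so a domain user who is not in vpn-group still authenticates against AD but is refused a session. The group DN, policy and tunnel-group names and the service account are assumptions. Two things from the posted config are also changed on purpose: the bind account is a dedicated read-only service account rather than cn=administrator, and the server is reached with LDAPS on 636 rather than cleartext on 389, since otherwise the bind password and every VPN user's credentials cross VLAN 192 unencrypted.

```cisco
! Added example (not from the original post). Assumed: vpn-group lives at
! CN=vpn-group,OU=Groups,DC=company,DC=com; policy names GP-ANYCONNECT and
! GP-NOACCESS; tunnel-group ANYCONNECT-TG; service account svc-asa-ldap.

! memberOf -> Group-Policy. Users whose memberOf does not contain the mapped
! DN get no value here and fall through to the tunnel-group default policy.
ldap attribute-map AD-MEMBEROF
 map-name  memberOf Group-Policy
 map-value memberOf "CN=vpn-group,OU=Groups,DC=company,DC=com" GP-ANYCONNECT

aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=ServiceAccounts,dc=company,dc=com
 ldap-login-password <strong-password>
 server-type microsoft
 ldap-attribute-map AD-MEMBEROF

! Default policy: authenticated but not in the group -> zero sessions allowed.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy assigned by the attribute map: AnyConnect only, as the question asks.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAPSERVERS
 default-group-policy GP-NOACCESS
```

memberOf lists direct memberships only, so a user who is in vpn-group only through a nested group will not match the map-value; make vpn-group a group the VPN users belong to directly. `test aaa-server authentication LDAPSERVERS username <user> password <pw>` together with `debug ldap 255` shows which memberOf values came back and which group policy the map selected, which is the quickest way to confirm that an account outside the group really lands on GP-NOACCESS.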
How to authenticate user in Active Directory for an Oracle report
Hey there,
We have users of 1 report all over the country.
Currently, when using the report, the user chooses a location as a parameter, then runs the report.
The problem is we don't want the user to be able to see data from other locations, only their own.
So how can I do this as all users are set up in Active Directory, but the only thing that distinguishes them apart is under the Properties of the user, under the General tab, the Office field says where they are located.
Thanks in advance!
-
How to create user in Active directory
Hello,
I'm trying to create a user in active directory via the following example:
// userAccountControl bit values the snippet refers to (the constants were not shown in the original post)
static final int UF_ACCOUNTDISABLE     = 0x0002;
static final int UF_NORMAL_ACCOUNT     = 0x0200;
static final int UF_DONT_EXPIRE_PASSWD = 0x10000;
// fctx: a DirContext already bound to the domain (the poster's working listing code is not shown)
String userName = "cn=Jef Klak,ou=Ps Users,ou=Users,ou=Managed,dc=xxx,dc=local";
Attributes attrs = new BasicAttributes(false);
Attribute oc = new BasicAttribute("objectClass");
oc.add("top");
oc.add("person");
oc.add("organizationalPerson");
oc.add("user");
attrs.put(oc);
attrs.put("cn","Jef Klak");
attrs.put("giveName","Jef");   // as posted: this attribute name is what the reply below points at
attrs.put("sn","Klak");
attrs.put("displayName","Klak, Jef");
attrs.put("description","IR");
attrs.put("userPrincipalName","[email protected]");
attrs.put("mail","[email protected]");
attrs.put("company", "XXX");
attrs.put("sAMAccountName","jk666");
// Created disabled: AD will not enable an account with no password, and a password
// (unicodePwd) can only be set over an encrypted (LDAPS) connection afterwards.
attrs.put("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_DONT_EXPIRE_PASSWD + UF_ACCOUNTDISABLE));
Context result = fctx.createSubcontext(userName, attrs);
As a result I'm getting the following error:
javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
remaining name 'cn=Jef Klak,ou=Ps Users,ou=Users,ou=Managed,dc=xxx,dc=local'
Anybody any tips or advice on this one? Or maybe a working examples how to add users in AD?
Listing entries in the AD is no problem, so it's only adding them.
Many thanks,
Filip
attrs.put("giveName","Jef");
javax.naming.directory.NoSuchAttributeException
Spelling error.
-
How to create "folders" in Active Directory Users and Computers?
Hello Community
In Windows Server 2008 R2, when you go to Active Directory Users and Computers
you will see icons of folders such as:
- Builtin has a folder icon
- Computers has a folder icon
- ForeignSecurityPrincipals has a folder icon
- Domain Controllers has a folder icon
- Managed Service Accounts has a folder icon
- Users has a folder icon
All of the above folders are visually identical.
If you right click and select “File” – “New”
on any of the selections the icon
will not look like the folder icon they have their own icons which look different
from the "Folder" icon.
I would like to create a “Folder” that looks just visually exactly like the ones
mentioned above, how can I create those types of Folders in Active Directory User
and Computers?
Note: I would like to put users in the folders.
Thank you
Shabeaut
Hi,
you should use OUs (an OU is the type of object (folder) that is available for you to create easily).
The object type you are asking about is a "container", and there are various reasons why an OU is more flexible (applying GPOs, etc.).
Refer: Delegating Administration by Using OU Objects
http://technet.microsoft.com/en-us/library/cc780779(v=ws.10).aspx
and the sub-articles:
Administration of Default Containers and OUs
http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx
Delegating Administration of Account and Resource OUs
http://technet.microsoft.com/en-us/library/cc784406(v=ws.10).aspx
Also: http://technet.microsoft.com/en-us/library/cc961764.aspx
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
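An added example, not from the original reply, that does what the reply recommends: it creates an OU (the "folder"), moves a user into it, links a GPO to it and delegates one right on it, the last two being exactly what a plain container such as CN=Users cannot offer. OU name, user, GPO name, domain and help-desk group are assumptions.

```powershell
# Added example (not from the original post). Assumed: OU "Finance" under the
# domain root, user jdoe, GPO "Finance Baseline", group EXAMPLE\Finance-HelpDesk.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-DepartmentOu {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ParentDn = (Get-ADDomain).DistinguishedName
    )
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Accidental-deletion protection is on by default for new OUs; stated explicitly.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDn"
}

$ouDn = New-DepartmentOu -Name 'Finance'

# Put the user in the "folder".
Get-ADUser -Identity 'jdoe' | Move-ADObject -TargetPath $ouDn

# A GPO can be linked to a site, a domain or an OU, never to a container.
New-GPLink -Name 'Finance Baseline' -Target $ouDn -LinkEnabled Yes

# Delegation is the other reason to prefer OUs: grant the help desk the
# "Reset Password" control-access right on user objects below this OU only
# (/I:S = inherit to sub-objects), instead of a broad group membership.
& dsacls.exe $ouDn /I:S /G 'EXAMPLE\Finance-HelpDesk:CA;Reset Password;user'
```

Check the result with `dsacls $ouDn`, which lists the ACEs on the OU, and `Get-GPInheritance -Target $ouDn`, which lists the linked GPOs; the default containers in the question will show neither, which is the practical difference between the two object types.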
How to change password in Active Directory from a Mac
When loggin into Active Directory I can enter my password without a problem, but I am required to change it periodically and I can't see an option for changing the password. Does anyone have experience with this on their Mac when accessing Active Directory?
Thanks
In the Accounts section of System Preferences there should be a Change Password… button next to your account picture. That's how we do it in Tiger, but it should work in Leopard too.
-
Hi,
I want to do provisioning into multi-level Organizational Units (OUs) in Active Directory from FIM 2010 R2 on a country-name basis.
Suppose I have Asia, Europe, UK and USA region OUs, and inside the Asia OU there are further OUs like India, China etc. If the country name is India then the user should go in the India OU, and if the country name is China then the user should go
in the China OU. So please give me any idea on this; it would be very helpful for me.
Regards
Anil Kumar
Do you have Region attribute in your user object? If yes, then you can do something like this
"CN="+displayname+
",OU="+country+
",OU="+region+
",DC=mycompany,DC=local"
If you don't have a region attribute, then you have to write your own IIF statement for every country:
IIF(Eq(country,"China"),",OU=China,OU=Asia","")
You can also build your DN for the synchronization rule somewhere else (e.g. a metaverse extension), but if you want to do it codeless, IIFs are the way to go.
-
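An added example, not from the original reply, that builds the target DN from the same attributes the expressions above use, with two things the codeless version does not do: the RDN value is escaped per RFC 4514, so a display name such as "Klak, Jef" (or one containing +, = or a trailing space) cannot produce a malformed DN or land the object one OU level up, and an unknown country is refused instead of silently producing "CN=...,OU=,OU=,DC=...". The domain DN and the country-to-region table are assumptions.

```powershell
# Added example (not from the original post). Assumed: DC=mycompany,DC=local
# and the region table below; FIM itself is not involved, this is the DN logic only.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Characters RFC 4514 requires to be escaped inside an attribute value.
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace "`0", '\00'
    # A leading '#' or space, and a trailing space, also need a backslash.
    if ($escaped -match '^[ #]') { $escaped = '\' + $escaped }
    if ($escaped -match ' $')    { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

# Assumed mapping; in FIM this would be the "region" attribute or the IIF chain.
$RegionOfCountry = @{ India = 'Asia'; China = 'Asia'; Germany = 'Europe'; UK = 'UK'; USA = 'USA' }

function New-ProvisioningDn {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Country,
        [string]$DomainDn = 'DC=mycompany,DC=local'
    )
    if (-not $RegionOfCountry.ContainsKey($Country)) {
        # An empty OU component would not fail loudly in a string concatenation;
        # it would provision the user somewhere you did not intend.
        throw "No region mapping for country '$Country'; refusing to provision into an unknown OU"
    }
    $cn     = ConvertTo-EscapedRdnValue $DisplayName
    $ou     = ConvertTo-EscapedRdnValue $Country
    $region = ConvertTo-EscapedRdnValue $RegionOfCountry[$Country]
    return "CN=$cn,OU=$ou,OU=$region,$DomainDn"
}

New-ProvisioningDn -DisplayName 'Anil Kumar' -Country 'India'
New-ProvisioningDn -DisplayName 'Klak, Jef' -Country 'China'
```

The second call shows the point: without escaping, the comma in the display name would make "Jef" parse as a separate RDN. The same rule applies to the Hyena ADsPath and the Java createSubcontext calls elsewhere in this thread, which all take a DN string built from user-supplied attributes.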
How to update users to Active Directory using Hyena Active Task List?
Kevin,
Thanks for your input. I was able to figure it out. It needs the full path, with the CN=John Doe.
Working like a charm!! Thx!!
http://www.systemtools.com/HyenaHelp/active_editor.htm
"Each Active Directory object is identifiable by its directory path, called the ADsPath. A special symbol, %ADSPATH%, can be inserted in the field order list that can be associated with the directory path in the import file. The ADsPath does NOT have to be one of the attributes for the directory objects in the Editor if the ADsPath is used as the Key Field in the import file. Using an ADsPath as a match field can be difficult, as it is a long and complex string, and if special characters are used in some directory fields, Active Directory will automatically insert additional special characters into the ADsPath. One method of getting the ADsPath into a file for directory objects is to use Hyena's Edit Copy dialog. A special symbol, %ADSPATH%, can be added to any Active Directory copied..."
-
Hi Experts,
I am deploying Exchange 2013 in an organization where Active Directory is currently handled and administered by one set of admins, and they want Exchange to be managed by another set of admins. My customer wants to completely isolate administration and management of AD and Exchange. I have gone through some TechNet articles and tested both the RBAC and the Active Directory split permissions model. I think the Active Directory split permissions model would be helpful, but while testing I found that under split permissions the Exchange admin cannot create or delete users/distribution groups but can still edit or modify their details (city, office address, phone number, department, display name etc.), which means that this is not a full separation of roles between AD admins and Exchange admins.
Please help me resolve the queries and scenarios below, if they are supported by the Exchange split permissions model:
(1) Only AD admins should be able to create, delete or modify the properties of security principals in Active Directory. Exchange admins should only be able to modify Exchange-related properties/attributes from the Exchange Control Panel or shell; they should not be able to change the display name and other common AD attributes via the Exchange Admin Center or management shell.
(2) Similarly, I want to restrict my AD admins from modifying or changing Exchange-related attributes by any means (ADSI Edit, ADUC). I want to restrict my AD admins from assigning Organization Management or Recipient Management rights to themselves, making modifications on my Exchange servers via the shell or Admin Center, and then revoking their membership of the Exchange security groups. I want AD admins and Exchange admins to do their respective tasks without any ability to change, edit or modify each other's settings.
(3) I want to restrict opening the Exchange Admin Center (ECP) to some limited systems only. I know we can block opening ECP from the internet, but I want to restrict it within the internal network as well, to a limited set of my Exchange admins' systems.
Regards,
Aanand Singh Karki
Hi,
For Exchange privileges, I suggest use RBAC.
Regards,
Simon Wu
TechNet Community Support
-
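An added example, not from the original reply, of what "use RBAC" looks like for point (1): a custom management role derived from the built-in Mail Recipients role, with the cmdlet and parameters that rewrite AD identity attributes taken out, assigned to a role group that holds only the Exchange admins. The role name, group name and member are assumptions; run it from the Exchange Management Shell.

```powershell
# Added example (not from the original post). Assumed names: the role
# "Mail Recipients - No Identity Edits", the role group "Exchange Recipient
# Admins" and its member exadmin1.
$RoleName  = 'Mail Recipients - No Identity Edits'
$GroupName = 'Exchange Recipient Admins'

# A child role starts with a copy of all of the parent's role entries.
New-ManagementRole -Name $RoleName -Parent 'Mail Recipients'

# Set-User is the entry that lets an Exchange admin rewrite AD-only attributes
# (city, office, phone, department, ...): remove it from the role entirely.
Remove-ManagementRoleEntry -Identity "$RoleName\Set-User" -Confirm:$false

# Set-Mailbox stays, but without the parameters that change the principal's identity.
Set-ManagementRoleEntry -Identity "$RoleName\Set-Mailbox" `
    -Parameters DisplayName, Name, SamAccountName, UserPrincipalName -RemoveParameter

# Bind the trimmed role to a role group containing only the Exchange admins.
New-RoleGroup -Name $GroupName -Roles $RoleName -Members 'exadmin1'

# Review what the role can still do before handing it out.
Get-ManagementRoleEntry "$RoleName\*" | Select-Object Name, Parameters
```

This covers point (1) only. Point (2) is not something RBAC can enforce: an AD admin who can edit group membership can add himself to Organization Management, so the control there is AD-side (who may modify the Exchange security groups under the Microsoft Exchange Security Groups OU, plus auditing of those changes). Point (3) is an IIS setting on the ecp virtual directory (IP and Domain Restrictions), not an Exchange permission.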
How to pull data from Active Directory in ABAP (non-CUA approach)?
All,
We have a requirement to pull information from AD into a WAS 6.20 system.
I know there is the standard CUA/UME LDAP synchronization discussed at length in this forum but this in not what we are looking for. We would like to connect from an ABAP program (BAPI/RFC) to AD and pull a specific field and store it in a custom table.
I found one thread that describes how to do this with WebDynpro in Java, but this would be our last resort since we wouldn't be able to do that from the actual 6.20 WAS but would have to use another 2004s system which would extend the architecture of the current design.
Any thoughts?
Thanks
GS
Hi,
1. First configure the LDAP properties in transaction LDAP
2.You can use the functions LDAP_SYSTEMBIND and LDAP_SEARCH to retrieve the info you want
You can read <a href="https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906061c5-176b-2910-5091-e23baa4e7038">this document</a> for more help.
-
How to make clone of active directory security group
Hi
i am having one Security group in AD, i want to make copy or clone of that group with same members in different name in AD.
Anybody help me out...
Hi Vino1985,
Just do it with ds-tools.
dsquery group -samid %SamidOfYourReferenceGroup% | dsget group -members | dsmod group %distinguishedNameOfYourNewGroup% -addmbr -c
This should work as
"dsquery group -samid " will return the distinguished name of your reference group and pipe it to dsget group
"dsget group -members" will return all distinguished-names of the members and pipe it to dsmod group
"dsmod group -addmbr" will add all the DNs to the membership attribute of the new group; the switch "-c" continues on errors.
best regards
Switch
MCITP Enterprise Administrator
MCSA Windows Server 2012
MCTS Windows 7 Configuration
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
-
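An added example, not from the original reply: the PowerShell equivalent of the ds-tools pipeline above, with one thing the one-liner leaves to you, namely creating the new group with the same scope and category as the source (a Domain Local clone of a Global group will not be usable in the same places). Like `dsget group -members` without -expand, it copies direct members only, so nested groups are copied as groups rather than flattened. The group names are assumptions.

```powershell
# Added example (not from the original post). Assumed: source group
# Sales-Readers, new group Sales-Readers-Copy in the same OU.
Import-Module ActiveDirectory

function Copy-ADGroupWithMembers {
    param(
        [Parameter(Mandatory)][string]$SourceSamAccountName,
        [Parameter(Mandatory)][string]$NewName,
        [string]$TargetOu   # defaults to the OU the source group lives in
    )
    $src = Get-ADGroup -Identity $SourceSamAccountName -Properties Description, Members
    if (-not $TargetOu) {
        # Parent DN = everything after the first RDN (assumes the group CN has no escaped comma).
        $TargetOu = ($src.DistinguishedName -split ',', 2)[1]
    }
    # Same scope and category as the source, so the clone is usable wherever the original is.
    $new = New-ADGroup -Name $NewName -SamAccountName $NewName -Path $TargetOu `
                       -GroupScope $src.GroupScope -GroupCategory $src.GroupCategory `
                       -Description "Clone of $($src.SamAccountName)" -PassThru
    # Direct members only; the member attribute holds DNs, which Add-ADGroupMember accepts.
    if ($src.Members.Count -gt 0) {
        Add-ADGroupMember -Identity $new -Members $src.Members
    }
    return $new
}

$clone = Copy-ADGroupWithMembers -SourceSamAccountName 'Sales-Readers' -NewName 'Sales-Readers-Copy'

# Verification: no output means both groups list exactly the same members.
Compare-Object (Get-ADGroupMember 'Sales-Readers' | Sort-Object DistinguishedName) `
               (Get-ADGroupMember $clone | Sort-Object DistinguishedName) -Property DistinguishedName
```

Neither this nor the ds-tools line copies the source group's own memberships (memberOf), its managedBy owner or the ACL on the group object; if the point of the clone is to grant the same access, those are the parts that still have to be set on the new group deliberately.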
How to purchase Azure Active Directory Premium?
How do you purchase Azure Active Directory Premium?
I have had a trial, which has expired. I get an email saying to go to the Intune (?) portal:
Follow these easy steps to purchase a subscription:
1) Sign in to the Microsoft Intune Account Portal, with your User ID
2) On the Admin page, on the left pane, under Subscriptions, click Manage.
3) Find Microsoft Azure Active Directory Premium trial, and click on it.
4) On the Subscription details page click Buy now.
5) Follow the steps in the purchasing wizard to complete the purchase process.
There is no trial subscription and no way to purchase. There has been some discussion that you require an Enterprise Agreement to purchase it:
http://azure.microsoft.com/en-us/pricing/details/active-directory/
Hi,
If you login to portal.office.com with your username and password and then click on 'Purchase Services' on the left hand side you should be able to go ahead and directly purchase AAD Premium. http://www.edutech.me.uk/active-directory/azure-ad-premium-now-available-via-direct-purchase/
Thanks,
James.
-
How to integrate Active Directory with Oracle Weblogic
hi
Is there any Oracle document that describes how to integrate LDAP Active Directory with Oracle WebLogic 10.3?
Regards
Edited by: qasas on 28-Nov-2009 13:56
WebLogic docs (and their identity asserters) - http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html