IBCM on non domain computers - Client Cert: None

I have IBCM up and running for my domain joined computers, but I have problems with our DMZ and workgroup computers. I have imported the client certificate with the computer name in the subject and SAN, I imported the root and sub cert into the local store and the client actually installs. But it seems like there is no real communication. When checking in the control panel, one thing that sticks out is "Client Cert: None" on the first tab. I'm lost.

"I have imported the client certificate with the computer name in the subject and SAN"
What exactly does this mean? Where did you get this cert from? Why are you using a SAN for the client auth cert? Is this even a client auth cert? Is it unique to this client?
Also, posting single lines from a log file is useless and meaningless. Log files are about context and flow, which are completely lost when you post a single line. Additionally, single lines rarely contain the actual issue and just reflect what happened previously, which cannot be discerned without the lines before and after it. Thus, please post the entire relevant and unedited snippet of the log files requested by Nash showing the problem areas.
Jason | http://blog.configmgrftw.com | @jasonsandys

Similar Messages

  • Exchange 2010 Autodiscover for non-domain computers.

    Hello. I have problems with autodiscover for non-domain computers. Can somebody explain to me, in turn, what I must do for configuration?

    Hi,
    For your non-domain-joined clients, Outlook would connect to the Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
    Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
    For the Autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user's email address, that is, contoso.com, and check DNS by using two predefined URLs. For example, if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
    https://contoso.com/autodiscover/autodiscover.xml
    https://autodiscover.contoso.com/autodiscover/autodiscover.xml
    For more information about the Autodiscover service in Exchange 2010, please refer to:
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Therefore, you don't need to change any configuration for Autodiscover. Just make sure that your Exchange certificate, which is assigned to the IIS service, includes the autodiscover.contoso.com name and that the certificate is valid and trusted for external users. If not, please create a new SRV record for your Autodiscover service and point it to mail.contoso.com. For more information about the SRV record for Autodiscover, please click:
    http://support.microsoft.com/kb/940881
    Regards,
    Winnie Liang
    TechNet Community Support
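
The lookup order and certificate requirement described in the answer above, as an added example that is not part of the original reply: it derives the two predefined hosts from an address, optionally adds the host an SRV record points at, and reports which of them a given certificate name list covers. The function names, the sample address and the sample certificate names are constructed for illustration.

```powershell
# Added example with constructed names (contoso.com as used on this page); not code from the answer.
function Get-AutodiscoverCandidate {
    # The two predefined URLs a non-domain client derives from the right side of the address.
    param([Parameter(Mandatory)][string]$EmailAddress)
    $domain = ($EmailAddress -split '@')[-1].ToLowerInvariant()
    foreach ($h in @($domain, "autodiscover.$domain")) {
        [pscustomobject]@{
            Method   = 'Predefined URL'
            HostName = $h
            Endpoint = "https://$h/autodiscover/autodiscover.xml"
        }
    }
}

function Test-NameCoveredByCertificate {
    # True when $HostName matches one of the certificate's DNS names, either exactly or
    # through a wildcard that stands for a single left-most label.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertificateDnsName
    )
    foreach ($name in $CertificateDnsName) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)      # "*.contoso.com" -> ".contoso.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-AutodiscoverCertificateCoverage {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        # DNS names taken from the certificate bound to IIS (subject CN and SAN entries).
        [Parameter(Mandatory)][string[]]$CertificateDnsName,
        # Host that an SRV record for the domain points at, if one is published.
        [string]$SrvTarget
    )
    $rows = @(Get-AutodiscoverCandidate -EmailAddress $EmailAddress)
    if ($SrvTarget) {
        $domain = ($EmailAddress -split '@')[-1].ToLowerInvariant()
        $rows += [pscustomobject]@{
            Method   = "SRV record _autodiscover._tcp.$domain"
            HostName = $SrvTarget
            Endpoint = "https://$SrvTarget/autodiscover/autodiscover.xml"
        }
    }
    foreach ($row in $rows) {
        $covered = Test-NameCoveredByCertificate -HostName $row.HostName -CertificateDnsName $CertificateDnsName
        $row | Add-Member -NotePropertyName CertificateCoversName -NotePropertyValue $covered -PassThru
    }
}

# Constructed case: the certificate only carries mail.contoso.com, so neither predefined
# host is covered and only the SRV target passes the name check.
Test-AutodiscoverCertificateCoverage -EmailAddress 'user@contoso.com' `
    -CertificateDnsName @('mail.contoso.com') -SrvTarget 'mail.contoso.com' |
    Format-Table -AutoSize
```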

  • Configure DHCP to add non domain computers to DNS

    Hi
    We would like to add non-domain computers automatically to DNS through our DHCP server.
    The reason is that we actually use Linux and our Linux admins would like the machines added automatically to DNS when receiving an IP.
    I assumed that it was just a matter of selecting "Always dynamically update DNS A and PTR records" on the IPv4 scope option, but it doesn't seem to work?
    Lasse
    /Lasse

    I started out changing that setting to "Dynamically update DNS records for DHCP clients that do not request updates" but it didn't seem to work.
    I then changed "Always dynamically update DNS A and PTR records" and it didn't work. Then I tried having both settings set and then it worked. I then removed "Always dynamically update DNS A and PTR records" since it shouldn't be necessary and then it still worked..... :-)
    Lasse
    /Lasse

  • Scom monitoring non domain computers

    Hello experts,
    I have SCOM 2012 and want to monitor non-domain computers (servers in the DMZ).
    I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
    Now I have a connection between the two servers, but there is an authentication error.
    Here are the logs.
    Please help.
    Log from the DMZ computer:
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 10:54:51
    Event ID:      20071
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-AB-WWW1.somebank.am
    Description:
    The OpsMgr Connector connected to scom.somebank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">20071</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
        <EventRecordID>2163</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-AB-WWW1.somebank.am</Computer>
        <Security />
      </System>
      <EventData>
        <Data>scom.somebank.am</Data>
      </EventData>
    </Event>
    scom rms computer
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 11:18:57
    Event ID:      21010
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-SCOM1.somebank.local
    Description:
    The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">21010</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
        <EventRecordID>1269145</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-SCOM1.somebank.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>192.168.169.40:53552</Data>
      </EventData>
    </Event>
    telnet to 5723 port from dmz server to scom rms server is ok

    PS C:\Users\administrator.AMERIABANK>  C:\Users\administrator.AMERIABANK\Desktop\1.ps1
    This script will inspect Local Machine certificate
    store and registry settings. This will take several seconds...
    Script will check certificates to match the following requirements:
            Subject equals computer FQDN
            Certificate is time valid
            Certificate has private key and it supposed for computer certificate
            KeySpec is set to 1
            Certificate Application Policies (in former EKU) contains both Server and Client Authentication
    WARNING: OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in
    WARNING: LocalComputer store or not match all certificate requirements.
    To resolve this issue, obtain new certificate from trusted Certification Authority
    using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
    and install it by running the following command: MOMCertImport /Subject SRV-SCOM1.ameriabank.local
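
The requirements listed in the script output above, together with the questions raised in the first thread (is it a client authentication certificate, and is its chain trusted on the non-domain machine), can be checked directly against the computer's personal store. This is an added example, not the script the poster ran and not code from any poster; the function name, its parameters and the decision to skip revocation checking are assumptions.

```powershell
# Added example. Function and parameter names are hypothetical.
function Test-MachineAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Name the subject CN must equal. Assumption: the local host name as DNS reports it;
        # pass it explicitly on workgroup hosts that have no primary DNS suffix.
        [string]$ExpectedName = [System.Net.Dns]::GetHostEntry('').HostName,

        # Require Server Authentication in addition to Client Authentication (the SCOM list above).
        [switch]$RequireServerAuth
    )
    begin {
        $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    }
    process {
        # EKU OIDs on the certificate. No EKU extension gives an empty list, reported as "purpose absent".
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $hasClientAuth = $ekuOids -contains $clientAuthOid
        $hasServerAuth = $ekuOids -contains $serverAuthOid

        $cn = $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $nameMatches = $cn -eq $ExpectedName      # -eq on strings is case-insensitive
        $now = Get-Date
        $timeValid = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)

        # KeySpec 1 = AT_KEYEXCHANGE. Only legacy CSP keys expose it through .NET; CNG keys
        # or a key this account cannot open are reported as Unknown.
        $keySpec = 'Unknown'
        if ($Certificate.HasPrivateKey) {
            try {
                $info = $Certificate.PrivateKey.CspKeyContainerInfo
                if ($info) { $keySpec = [int]$info.KeyNumber }
            } catch { $keySpec = 'Unknown' }
        }

        # Build the chain against the machine stores. Revocation is skipped on the assumption
        # that a DMZ host cannot reach the CRL distribution points.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($Certificate)
        $chainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $ekuOk = $hasClientAuth -and ((-not $RequireServerAuth) -or $hasServerAuth)
        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            SubjectCN     = $cn
            NameMatches   = $nameMatches
            TimeValid     = $timeValid
            HasPrivateKey = $Certificate.HasPrivateKey
            KeySpec       = $keySpec
            ClientAuthEku = $hasClientAuth
            ServerAuthEku = $hasServerAuth
            ChainTrusted  = $chainOk
            ChainProblems = $chainProblems
            Usable        = $nameMatches -and $timeValid -and $Certificate.HasPrivateKey -and $ekuOk -and $chainOk
        }
    }
}

# Report every certificate in the computer's personal store (run elevated so keys can be opened).
Get-ChildItem Cert:\LocalMachine\My | Test-MachineAuthCertificate | Format-List
```

Add `-RequireServerAuth` for the SCOM case, and `-ExpectedName` when the certificate was issued for a name other than the one the host reports.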

  • Restrict non-domain computers

    Does anyone know if it is possible to restrict access based on domain membership or an AD Group?
    The purpose is to restrict non-domain computers even if the client has a legitimate domain credential to use for authentication.

    That is correct. The only way to restrict these computers would be to make a rule (above your auth group policies), that states the specific IPs / subnets are granted certain / no access.
    As long as the rule is above all your auth rules, it will trigger first and take precedence. Be sure to disable WBRS for this rule as well, since there is a potential for +6 sites to be allowed.

  • Non Domain Computers Becoming Master Browser

    Hello,
    I am troubleshooting an issue with the master browser service when an external user connects his workgroup laptop to our domain network and wins the election.
    The network consists of a domain controller which has the following registry settings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster = True
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList = Yes
    All the client computers that are connected to the domain have IsDomainMaster = False and MaintainServerList = No.
    When an external user connects to the network with a laptop that isn't part of the domain it causes a master browser election and wins. All the servers and client computers list only media devices instead of all the computers and servers on the network.
    Is there a way to prevent non domain computers from becoming the master browser without changing registry settings on that computer?
    Thanks
    Jon

    Hello,
    The TechNet Wiki Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
    Please note that this forum exists to discuss TechNet Wiki as a technology/application.
    As it's off-topic here, I am moving the question to the Where is the forum for... forum.
    Karl

  • Non-Domain computers via VPN

    I am not sure if this is the right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). Can someone tell me how to deny these non-devices coming in to my network? Is there a configuration in the VPN concentrator to deny non-domain computers? Please advise.

    Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
    IPsec is a 2-phase VPN security provider. IPsec along with IKE provides double-level security.
    With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either IP address or host name, and it will contact an AAA server or its own database to validate the user.
    If you are using an external server for validating the incoming users, you must go for an external AAA server.
    For complete details on deploying VPN with IPsec:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493

  • Network Policy Server windows 7 non domain wireless clients could not connect (Event id 6273 reason code 265)

    Hi,
    We have successfully configured Network Policy Server on Windows Server 2012 and all wireless clients could connect to our network except Windows 7 and XP non-domain clients. The clients that are successfully authenticated include Windows 8 and mobile users (Android + iOS), domain as well as non-domain clients. If we join a Windows 7 PC to the domain it connects successfully, but non-domain clients could not connect. We have a large number of Windows 7 users that have their own laptop machines and we don't want each laptop to join the domain.
    On the server, event 6273 is generated with reason code 265 "The certificate chain was issued by an authority that is not trusted". Please help me resolve this issue. I have searched on the internet but found no proper solution.

    Hi,
    According to the error message, it seems that you used certificate-based authentication methods and the non-domain computers have no Trusted Root Certificate for the CA that enrolled the certificate for the NPS.
    For more detailed information, please refer to the links below:
    Certificates and NPS
    Manage Trusted Root Certificates
    Best regards,
    Susie

  • SCSM 2012 Portal change from http to https to get silverlight to work on non domain computers?

    Hi
    I want to change our Self Service Portal from http to https and make it accessible from non-domain computers.
    On non-domain computers the SharePoint parts load (the Silverlight part does not load). Domain computers can access the portal with no problem.
    Does this mean I need to reinstall the portal or can it be changed while in operation now?
    Would something like the below link be enough to get https going?
    http://blogs.technet.com/b/babulalghule/archive/2013/01/10/how-to-create-alternate-url-for-service-manager-self-service-portal.aspx
    Thanks!

    The Silverlight part is not loading due to SSL certification. Importing the certification into the non-domain computer will fix this issue.

  • MBAM on Workgroup (non-domain) Computers

    Hi,
    is it possible to manage non-domain computers with MBAM to deploy bitlocker?
    assuming policy is set by local policy or registry settings.
    thanks ahead,

    I was thinking the same as was pointed out in this thread - you will not be able to store keys in the SQL database, because it relies on AD:
    http://social.technet.microsoft.com/Forums/en-US/8eea1337-9cc7-47d4-87ca-83428abdce83/mbam-for-work-group-computers?forum=mdopmbam

  • How to avoid none domain computers to login to the wireless

    Hi, please help, it's killing me! It's not pure Cisco but I'm sure you guys might have some solution in mind.
    I want only domain computers plus one OU (Staff) to be able to connect to our network. I am trying to restrict mobile phones (iPhone and Android) and personal laptops from connecting to our wireless network.
    We use a Windows-based NPS. It is currently set to allow anyone to connect with their domain computer OR domain username.
    So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.
    I tested to see if a laptop could still connect and it could not.
    I have tried many many different combinations within the conditions tab to try and get this working but to no avail.
    1. just having "domain computers" (either windows or machine groups)
    2. having domain users and domain computers (with all combinations of windows/machine/users groups)
    3. I even tried Operating system conditions
    These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.
    Regards?

    I have got somewhere!!! The problem is I'm not so confident about it!
    Firstly, thanks everyone, especially Scott.
    Now
    I set the NPS policy to be "Computer Domain" & "Staff OU", then on the wireless group policy I set it only for "Computer domain". All authenticated users can log on to our domain laptops. No one can connect to our network with phones or other devices because they are not joined to the domain. Those special people's phones and devices can still connect to the network if their user is in "Staff OU".
    I gave up on Cisco! I created a ghost VLAN and tried to use "Local Profiling" to put whatever Android or iPhone devices are available on that ghost VLAN, resulting in disconnecting them, but the device is so stupid that it couldn't recognize Android devices and iPhones! It worked only for iPads, but the rest weren't recognizable by the Cisco WLC.

  • Websites will not open. Domain computers. Not Firewall, Not Cookies. Seems to be just domain computers cannot open 90% of websites.

    I have a few domain computers that cannot open any webpages; 90% will not open. MSN, CBS, ABC, NBC: none of these pages will open. Nothing loads on the page, it says connecting to.. If I click work offline, the page will load minus any video or pictures. Just a format and wording appears.
    I have cleaned cookies, reset to default, safe mode, rebooted, checked the firewall, checked the domain controller, re-installed, turned off IPv6. I followed every troubleshooting guide I can find. I checked the network settings, checked proxy, checked DNS. If I click help and try to get an update from Firefox, it just sits there at like 2.5 KB and says downloading forever.
    The pages will sit there and spin for hours. No error, no timeout.. just says connecting to ....(whichever page).

    Hello, any luck in Windows safe mode (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true)?
    thank you

  • Require client cert for just one servlet

    Hello
    I enabled SSL with mutual authentication in tomcat 5.5.x into Jboss like this:
    <Connector port="443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="true"
    truststoreFile="${jboss.server.home.dir}/conf/confiaveis.truststore"
              truststorePass="111111"
    keystoreFile="${jboss.server.home.dir}/conf/.keystore"
    keystorePass="111111"
              sslProtocol = "TLS" />
    It's working perfectly and any servlet requires a client certificate. But now, I would like just one servlet to require a client cert.
    Could anybody help me?

    Application and web servers base their authentication mode on Listeners and not Servlets. Since Listeners listen on ports, and can direct client calls to any number of Servlets, all Servlets served by a Listener will default to the authentication mode of the Listener.
    If you want to have selective authentication based on Servlets, then you should use a non-ClientAuth port for most of your Servlets, and redirect the client request to port 443 for the one Servlet that needs ClientAuth. As a result, you will get the same effect.

  • Available Package Deployments not showing in Software Center of Domain Controller Clients

    We have a SCCM 2012 R2 environment and have a pretty weird issue. I have deployed multiple 'available' software packages to a collection. The non-domain controller client receives the deployments and I can run them successfully, however the domain controller shows nothing in the software center. But in the PolicyAgent.log of the domain controller I can see it getting the policy:
    Raising event:
    instance of CCM_PolicyAgent_PolicyDownloadSucceeded
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141002163132.946000+000";
    DownloadMethod = "BITS";
    DownloadSource = "https://XXXXXXXX.XXX.local/SMS_MP/.sms_pol?HHS20013-HHS0002D-XXXXXXXXX";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\Machine\\RequestedConfig";
    PolicyPath = "CCM_Policy_Policy5.PolicyID=\"XXX20013-XXX0002D-8C28365A\",PolicySource=\"SMS:XXX\",PolicyVersion=\"1.00\"";
    ProcessID = 1484;
    ThreadID = 4632;
    PolicyAgent_PolicyDownload
    10/2/2014 12:31:32 PM 4632 (0x1218)
    What can I check?

    I am seeing the following in the PolicyEvaluator.log:
    Updating policy CCM_Policy_Policy5.PolicyID="HHS20018-HHS0002D-8C28365A",PolicySource="SMS:HHS",PolicyVersion="1.00"
    PolicyAgent_PolicyEvaluator 10/3/2014 11:42:40 AM
    7092 (0x1BB4)
    Applying policy HHS20018-HHS0002D-8C28365A PolicyAgent_PolicyEvaluator
    10/3/2014 11:42:40 AM 7092 (0x1BB4)
    Raising event:
    instance of CCM_PolicyAgent_PolicyRuleRevoked
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141003154242.730000+000";
    PolicyID = "HHS20018-HHS0002D-8C28365A";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\Machine\\RequestedConfig";
    PolicySource = "SMS:HHS";
    PolicyVersion = "1.00";
    ProcessID = 5324;
    RuleCondition = "{6A383AEC-DA01-44CC-88AC-EE7CBBC9CA6F}";
    RuleID = "{59aae67e-4ae4-476a-8aa9-1e0fef74275d}";
    ThreadID = 7092;
    PolicyAgent_PolicyEvaluator
    10/3/2014 11:42:42 AM 7092 (0x1BB4)
    Raising event:
    instance of CCM_PolicyAgent_PolicyRuleRevoked
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141003154244.075000+000";
    PolicyID = "HHS20018-HHS0002D-8C28365A";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\Machine\\RequestedConfig";
    PolicySource = "SMS:HHS";
    PolicyVersion = "1.00";
    ProcessID = 5324;
    RuleCondition = "{73EEC40F-921F-400C-8DAD-9985B6FF9EA0}";
    RuleID = "{a82507ac-d123-4e58-b7e8-e7e3e1c14ef9}";
    ThreadID = 7092;
    PolicyAgent_PolicyEvaluator
    10/3/2014 11:42:44 AM 7092 (0x1BB4)
    Raising event:
    instance of CCM_PolicyAgent_PolicyRuleApplied
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141003154245.460000+000";
    PolicyID = "HHS20018-HHS0002D-8C28365A";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\Machine\\RequestedConfig";
    PolicySource = "SMS:HHS";
    PolicyVersion = "1.00";
    ProcessID = 5324;
    RuleCondition = "{735BB0FE-157C-4969-B253-413FB85A928C}";
    RuleID = "{4d354de9-ad9c-4588-b772-7d48405934f2}";
    ThreadID = 7092;
    PolicyAgent_PolicyEvaluator
    10/3/2014 11:42:45 AM 7092 (0x1BB4)
    Applied policy CCM_Policy_Policy5.PolicyID="HHS20018-HHS0002D-8C28365A",PolicySource="SMS:HHS",PolicyVersion="1.00"
    PolicyAgent_PolicyEvaluator 10/3/2014 11:42:45 AM
    7092 (0x1BB4)
    Raising event:
    instance of CCM_PolicyAgent_PolicyEvaluationComplete
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141003154245.470000+000";
    PolicyNamespace = "\\\\.\\ROOT\\ccm\\policy\\Machine\\RequestedConfig";
    PolicyPath = "CCM_Policy_Policy5.PolicyID=\"HHS20018-HHS0002D-8C28365A\",PolicySource=\"SMS:HHS\",PolicyVersion=\"1.00\"";
    ProcessID = 5324;
    ThreadID = 7092;
    PolicyAgent_PolicyEvaluator
    10/3/2014 11:42:45 AM 7092 (0x1BB4)
    Policy state for [CCM_Policy_Policy5.PolicyID="HHS20018-HHS0002D-8C28365A",PolicyVersion="1.00",PolicySource="SMS:HHS"] is currently [Active]
    PolicyAgent_PolicyEvaluator 10/3/2014 11:42:45 AM
    1820 (0x071C)
    Updating settings in \\.\root\ccm\policy\machine\actualconfig
    PolicyAgent_PolicyEvaluator 10/3/2014 11:42:45 AM
    1820 (0x071C)
    Raising event:
    instance of CCM_PolicyAgent_SettingsEvaluationComplete
    ClientID = "GUID:XXXXXXXXXXXXXXXXXXXXXXXX";
    DateTime = "20141003154302.533000+000";
    PolicyNamespace = "\\\\.\\root\\ccm\\policy\\machine\\actualconfig";
    ProcessID = 5324;
    ThreadID = 1820;
    PolicyAgent_PolicyEvaluator
    10/3/2014 11:43:02 AM 1820 (0x071C)
    Policies are downloaded and evaluated for the reply of correlation guid {9985950D-3E04-40E5-81FD-8E2BCBE0DB25}
    PolicyAgent_PolicyEvaluator 10/3/2014 11:43:02 AM
    1820 (0x071C)

  • Lync 2013 credentials problems on domain computers

    Hi folks,
    We are having trouble with Lync 2013 and credentials on our domain computers. We have been using Office 365 and Outlook for our email for a couple years and it has worked well enough, so recently we decided we wanted to start using Lync as well. We deployed the Office 365 Pro Plus suite available to us through our Office 365 subscription and signed in. The first sign-in went as expected. It asked for a username and password, asks if it should remember those credentials for next sign-in (yes), then connects and everything with Lync itself functioned normally. Subsequent sign-ins have not been normal.
    When a user restarts their computer and launches Lync it remembers their user name but not their password. Once they type their password in it asks if it should remember those credentials for next sign-in again, then connects. If a user exits and re-launches Lync without restarting it remembers their credentials and signs in properly, but then immediately a popup box appears saying that "Credentials are required" in order for Lync to get calendar information from Outlook ( http://i.imgur.com/hqcK426.png ).
    We know the problem is only happening with computers on our domain, but we don't know why. I tested things out on my home desktop and network by installing Office 365 Pro Plus, setting up Outlook, and then Lync. Both Outlook and Lync auto-discovered everything normally after getting my credentials and Lync behaves as expected every time the program launches. I then brought my personal laptop in and tried the same thing on my work network to see if it is network related, but Lync behaves normally on that computer as well.
    I originally worked on the problem at the Office 365 Community Forums ( http://community.office365.com/en-us/f/166/t/246014.aspx ), but after we isolated the problem to something with the domain computers I was told that they could not help me any further and was referred here. Does anyone have any ideas as to what is keeping Lync from behaving properly on our domain computers? We have a mix of Windows 7 x64 and Windows 8.1 x64 computers, all joined to the same domain and with the same basic suite of software.
    Thanks,
    ~Misharum
    PS: How do I verify my account? The outlook.com email address has been verified, but I don't see anywhere to do verification in my TechNet profile here.

    Yeah, the clients are fully patched. I put a support ticket in through Office 365 and the rep there was able to help me. It ended up being two separate problems.
    Lync was not remembering my credentials to automatically log me in between restarts:
    Installed the latest version of the Microsoft Online Services Sign-In Assistant.
    After signing into Lync another popup appeared asking for credentials again to access calendar information (two steps to solve this one).
    In Active Directory Users and Computers, open up the properties of each affected user, go to the Attribute Editor tab, find and double click the proxyAddress attribute, and add in sip:[email protected] where the userid is the user's login name and domain.com is your domain. I'd imagine this is scriptable in PowerShell but I don't know enough to do it.
    Then on the computer that the users will be using, while the user is logged in, add a dword of NoDomainUser = 1 in the registry at HKCU\Software\Microsoft\Office\15.0\Common\Identity. The most sensible way to do this in my mind is with a group policy so it will get written to each user's registry under their profile when they log in.
    After doing all of this Lync remembered my credentials between restarts, signed me in automatically, and only gave that credentials popup on the first sign-in after applying both changes in step 2.
