Integration of ACS with two different Domain in different forest

Hi
We have two Domain Controllers in two different forests. One forest is X.IN and the other is Y. In the X.IN forest we have a tree called PPP.IN.
Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
Thanks
Ritesh

It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
HTH
Jeremy

Similar Messages

  • Lync 2010 server and UM role on different domains in different forests

    Hello 
    I have a Lync 2010 environment running on domain A, with Exchange 2010 UM also running in Domain A.  We are in the process of migrating users and mailboxes from domain A to domain B.  Once we reach our enterprise voice users with Exchange UM enabled we will need to install the Exchange UM role on the Exchange server in Domain B.
    There is a 2-way trust relationship between domain A and domain B.
    All the users are running Lync on a PC located in Domain B, using Lync credentials from Domain A.
    Are there any issues running Lync 2010 and Exchange UM from different domains in different forests?  Is it as simple as creating a new UM Dial Plan and UM IP Gateway pointing to the domain A Lync FQDN?
    Thanks

    Hi,
    Each UM forest must be configured to trust the forest in which Lync Server is deployed, and the forest in which Lync Server 2013 is deployed must be configured to trust each UM forest. If Exchange UM is installed in multiple forests, the Exchange Server integration steps must be performed for each UM forest or you’ll have to specify the Lync Server domain.
    Here is a link about UM for Lync Server 2013, but it is similar for Lync Server 2010:
    http://technet.microsoft.com/en-us/library/jj966276(v=exchg.150).aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Send email to different domain using different address

    hi
    I want my Exchange recipients to have 2 email addresses.
    1=[email protected] 2=[email protected]
    1. How can I set this up? (I know I can use something called a policy but I don't know how to use that for Exchange 2013; please tell me how to do this)
    2. How can I set my Exchange server to send email to a different domain with a different account? (After question 1, my recipients have 2 email addresses (***@domain.com, ***@domain.co). I want my recipients, when sending email to "company.com", to use the domain.com address, and for other domains to use domain.co)
    thanks

    1.  Add an accepted domain.  Add the e-mail address to your e-mail address policy.  Update the e-mail address policy.
    2.  http://www.ivasoft.biz/choosefrom2007.shtml  This has been the traditional answer for Exchange 2010 and earlier.  You might contact him to see if it works for Exchange 2013. 
    I don't know of a native way to do this except to create separate mailboxes for each address.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Can i use single node manager with two weblogic domain?

    I am very new to WebLogic and Node Manager.
    I have created two domains in WebLogic (single node manager).
    Can I connect both domains with the same node manager?
    How do I do this?

    The node manager uses a nodemanager.domains file to determine which domains it manages, for example,
    domain_name=/path_to_domain/domain_name
    other_domain_name=/path_to_other_domain/other_domain_name
    This file can be found in the NODEMANAGER_HOME, that you specified when starting the node manager (startNodeManager - NODEMGR_HOME="${WL_HOME}/../oracle_common/common/nodemanager")
    When you are running the domain on multiple machines you have to enroll the node manager into the domain (http://docs.oracle.com/cd/E23943_01/web.1111/e13813/reference.htm#i1065827)
    A scripted example can be found here: Middleware Snippets: Automate WebLogic Installation and Configuration. The Node Manager administration guide can be found here: Oracle® Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server 11g Release 1 (10.3.6) -….

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) from the foreignSecurityPrincipal object. For example:
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, eg. S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like:
    //specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    //specify the base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to look up the DNS names and IP addresses of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    nCName = dc=contoso,dc=com
    Perform another bind to the nCName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principals", where the original user object has been deleted!
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
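    The bookkeeping half of the walk above (decode the foreignSecurityPrincipal's binary objectSID, split off the domain part, look it up in a cache built from the crossRef objects, and build the filter for the final search in the trusted domain) as an added example in Python. This is not code from the thread or from any Active Directory library; the SID blob, the contoso.com / dc=contoso,dc=com cache entry and the "orphaned" lookup are constructed sample data, and the actual LDAP searches and binds are left to the caller.

```python
"""Resolve a foreignSecurityPrincipal back to the trusted domain that owns it.

Added example for the walk described in the answer above. Everything network-
related (searching crossRef objects, binding to the trusted domain) is left to
the caller; this module only does the SID arithmetic and the lookup.
"""
import struct
from typing import Dict, Optional, Tuple

# Constructed sample: the binary objectSID AD returns for the foreign security
# principal S-1-5-21-3771862615-1804478405-1612909269-2143 quoted in the thread.
FSP_OBJECTSID = bytes.fromhex(
    "01 05 00 00 00 00 00 05"   # revision 1, 5 sub-authorities, authority 5 (NT)
    "15 00 00 00"               # 21
    "57 0e d2 e0"               # 3771862615  (32-bit little-endian)
    "c5 27 8e 6b"               # 1804478405
    "d5 0a 23 60"               # 1612909269
    "5f 08 00 00"               # 2143, the principal's RID
)

# Constructed cache of the kind the answer suggests: domain SID (read from the
# trusted domain's naming context) -> (dnsRoot, nCName) from its crossRef object.
DOMAIN_TABLE: Dict[str, Tuple[str, str]] = {
    "S-1-5-21-3771862615-1804478405-1612909269": ("contoso.com", "dc=contoso,dc=com"),
}


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode the binary SID structure into the familiar S-1-5-... string."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, blob, 8)  # 32-bit little-endian each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, with range checks on every component."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID component out of range: %r" % sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID); the last sub-authority is the RID."""
    head, _, rid = sid.rpartition("-")
    if not head.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError("not a domain account SID: %r" % sid)
    return head, int(rid)


def ldap_filter_for_sid(blob: bytes) -> str:
    """objectSid equality filter with the binary value escaped byte-by-byte (RFC 4515)."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in blob)


def resolve_foreign_principal(fsp_sid: bytes,
                              table: Dict[str, Tuple[str, str]]) -> Optional[dict]:
    """Map a foreignSecurityPrincipal's SID to the trusted domain that owns it.

    Returns None when no cached trusted domain matches, which is also what an
    orphaned foreign security principal (home object or trust gone) looks like.
    """
    sid = sid_bytes_to_string(fsp_sid)
    domain_sid, rid = split_domain_sid(sid)
    hit = table.get(domain_sid)
    if hit is None:
        return None
    dns_root, nc_name = hit
    return {
        "sid": sid,
        "rid": rid,
        "dnsRoot": dns_root,
        "nCName": nc_name,
        # Filter to run against dnsRoot/nCName to find the "real user" object.
        "filter": ldap_filter_for_sid(fsp_sid),
    }


if __name__ == "__main__":
    print(resolve_foreign_principal(FSP_OBJECTSID, DOMAIN_TABLE))
```

    The filter is built from the raw bytes rather than the S-1-5 string because a generic LDAP client has no guarantee the server will match the string form; the escaped binary form works against any server that stores objectSid as an octet string. A None result is worth logging rather than silently skipping, since it is the only visible trace of an orphaned foreign security principal.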

  • I have different domains in different folders. why it opens the same domain always?

    This is crazy. I have different folders for the domains and every time I want to open one of them, it always opens the same domain. After I upgraded to OS X 10.8.2 I do not know... did they change the way iWeb works?

    In Lion and Mountain Lion the Home/Library folder is now invisible. To make it permanently visible enter the following in the Terminal application window: chflags nohidden ~/Library and hit the Enter button - 10.7: Un-hide the User Library folder.
    To open your domain file in Lion or Mountain Lion or to switch between multiple domain files Cyclosaurus has provided us with the following script that you can make into an Applescript application with Script Editor. Open Script Editor, copy and paste the script below into Script Editor's window and save as an application.
    do shell script "/usr/bin/defaults write com.apple.iWeb iWebDefaultsDocumentPath -boolean no"
    delay 1
    tell application "iWeb" to activate
    You can download an already compiled version with this link: iWeb Switch Domain.
    Just launch the application, find and select the domain file in your Home/Library/Application Support/iWeb folder that you want to open and it will open with iWeb. It modifies the iWeb preference file each time it's launched so one can switch between domain files.
    WARNING: iWeb Switch Domain will overwrite an existing Domain.sites2 file if you select to create a new domain in the same folder.  So rename your domain files once they've been created to something other than the default name.
    OT

  • ACS Two Windows Domains

    Can the ACS server be configured to work with two Windows domains, to authenticate users that belong to the domains called "a" and "b"? The protocol used to authenticate is 802.1X in a wireless environment (WLC4400 + ACS 4.2 + two Windows domains).

    Hello,
    Under certain conditions, yes. You have to have trust between the domains, and depending on whether you are running the ACS on an appliance or a server, there's certain configurations you have to do to make it work with multi-domain authentication.
    Here are a few links to get you started:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011301
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353805
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Integration of weblogic with obiee:: please help

    I/O error while reading domain directory
    Posted: May 11, 2011 9:58 PM
    I have created a server under admin server. Actually i was trying to integrate weblogic server with obiee.. as i am very new to weblogic i cudn't find the reason for the error.
    while i am starting the server which i created i am getting this error
    error details i will give below.. Thanks for any help and i will highly appreciate it.
    Description: Starting OBIEE server ...
    Status: FAILED
    Begin Time: 5/12/11 10:14:36 AM IST
    End Time: 5/12/11 10:14:37 AM IST
    Exception: I/O error while reading domain directory
    While starting node manager iam getting this error
    SEVERE: Fatal error in node manager server
    java.net.BindException: Address already in use: JVM_Bind
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:383)
    at java.net.ServerSocket.bind(ServerSocket.java:328)
    at javax.net.ssl.impl.SSLServerSocketImpl.bind(Unknown Source)
    at java.net.ServerSocket.<init>(ServerSocket.java:194)
    at java.net.ServerSocket.<init>(ServerSocket.java:150)
    at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:84)
    at javax.net.ssl.impl.SSLServerSocketImpl.<init>(Unknown Source)
    at javax.net.ssl.impl.SSLServerSocketFactoryImpl.createServerSocket(Unknown Source)
    at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:76)
    at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
    at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)
    Thank you.

    Hi Lavnya,
    Please can you have a look at the URL's
    /people/jayakrishnan.nair/blog/2005/03/10/integration-of-sap46c-with-bea-weblogic-server
    Provides different options to connect:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adc7c390-0201-0010-ebb2-c8687bbb7bfc
    regards
    Vijaya

  • 2 ACS with 2 CRA

    Hi All,
    We have installed 2 ACS with two CRA installed in AD1 & AD2.
    The problem is when the CRA1 which is installed in AD1 is active everything working fine with both the ACS.
    But when the CRA1 is down & CRA2 is up which is installed in AD2 the authentication fails.
    Can anyone help in this regard? I have the logs if required I can upload the same.
    Thanks in advance
    Sachi

    Most likely this is a permission issue.
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
    CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    The account running the remote agent service does not have admin rights. Make sure that account has special privileges like "act as part of the operating system" and "log on as a service" in your security policy.
    If you are already using an admin account to run it then try using Local System.
    Regards,
    ~JG
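    A small detector for the remote agent log excerpt quoted above, as an added example (not from the thread, not part of ACS): it parses the CSWinAgent lines, attributes each "FAILED" line to the user named in the preceding "Attempting" line on the same thread, and reports users whose failures repeat. The six sample lines are the ones from the reply; the meaning assigned to the "A 0048 3860" columns (flag, message code, thread id) is an assumption used only for that correlation, and the date is assumed to be month/day/year.

```python
"""Parse CSWinAgent log lines and flag repeated Windows authentication failures.

Added example for the log excerpt quoted in the reply above. Column meanings
for the three fields between the timestamp and the subsystem are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# The six lines quoted in the reply (sample input, no additional lines constructed).
SAMPLE_LOG = """\
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
"""

# component date time flag code thread subsystem: message  (flag/code/thread are assumed names)
LINE_RE = re.compile(
    r"^(?P<component>\S+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<flag>\S)\s+(?P<code>\d{4})\s+(?P<thread>\d+)\s+(?P<subsys>\w+):\s+(?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<err>[^)]+)\)")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumed month/day/year ordering for the date column.
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    return rec


def failed_authentications(log_text: str) -> List[dict]:
    """One event per FAILED line, attributed to the last user attempted on that thread."""
    pending: Dict[str, str] = {}   # thread id -> user from the last "Attempting" line
    events: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["subsys"] != "NTLIB":
            continue
        attempt = ATTEMPT_RE.search(rec["msg"])
        if attempt:
            pending[rec["thread"]] = attempt["user"]
            continue
        failed = FAILED_RE.search(rec["msg"])
        if failed:
            events.append({
                "ts": rec["ts"],
                "user": pending.pop(rec["thread"], None),  # None if no preceding attempt
                "error": failed["err"],
            })
    return events


def users_with_repeated_failures(events: List[dict], threshold: int = 2) -> Dict[str, int]:
    """Users whose failure count reaches the threshold, with the counts."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["user"] is not None:
            counts[ev["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = failed_authentications(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["user"], "error", ev["error"])
    print(users_with_repeated_failures(evs))
```

    The useful signal for the case in the thread is not the individual failure but the pattern: every user failing with the same error code the moment the agent fails over to the second CRA points at the agent's service account rather than at the users' credentials. Grouping by error code across users, as this script allows, separates that from ordinary bad-password noise.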

  • Syncing two video clips from different cameras.

    When both video clips are on the timeline, filmed with two cameras to get different angles, is there a keyboard shortcut to move either clip one frame at a time, or, while listening to the audio, a way to move the clips incrementally until both videos are in sync? For some of the filming I used a 'clap' method, but wasn't able to always do this. Basically I think I am asking for fine adjustments along the timeline via the keyboard, frame by frame.

    You can select the clip in the timeline and press:
    "." (dot) to move right by 1 frame
    "," (comma) to move left by 1 frame
    ":" (colon) to move right by 5 frames
    ";" (semicolon) to move left by 5 frames
    If you keep the key pressed the clip will slowly move either way.
    You can also select one clip in the timeline and type a number n: this will appear in a small window labeled Move; when you press Enter the selected clip will move n frames to the right. For example type 8 and Enter and the clip will move right by 8 frames. To move left by 8 frames type 8, left arrow, "-", Enter (to enter negative numbers (to move left) first enter the value and then add a "-" in front of the number).
    Make sure the tool is the Selection Tool (arrow) otherwise instead of moving the clip you apply other actions (slip, roll, etc.).
    Piero

  • Two public listeners for two destination domains : usefull or useless ?

    Hi,
    I'm reviewing an IronPort architecture, and especially an incoming relay (ESA C370, AsyncOS 8.0.1). I have two domains, hosted by two different mail servers. The relay only accepts mail from the Internet and can only send to the two mail servers.
    The current configuration is two public listeners, one for each domain. As incoming policies apply to both, I am asking myself if I really need two listeners.
    What is your opinion about the advantages and disadvantages of having two listeners instead of one?
    Thank you for your help
    Best Regards
    Quentin

    You don't have to have 2 listeners if the listener config can be the same.
    Can you use the same IP and MX record for the domains?
    Do you use separate certs for the TLS config?  Do you need separate accept queries (eg separate ADs)?
    If different domains need different IPs (a listener can only be on one interface), or different configs, you'll need separate listeners.

  • RDS 2012 Connection Broker and Web Access in different domains

    Hello!
    I'm trying to add a Web Access (WA) server to an RDS 2012 Deployment. The WA server and the other servers in the Deployment are in different domains (in different forests with a 2-way forest trust).
    The WA server was added to the Deployment successfully without any warnings.
    We have many applications published but on this new WA server there are no application icons on the RDWeb page at all.
    There is nothing interesting in the logs on the WA server or on the Connection Broker servers.
    Is this design acceptable? Which additional actions are needed to make the application icons visible?

    Hi,
    Please refer to the links below and cross-verify the Web Access server settings.
    http://blog.kristinlgriffin.com/2010/03/rd-web-access-is-emply.html
    http://social.technet.microsoft.com/wiki/contents/articles/5974.the-case-of-invisible-remoteapp-programs-a-k-a-no-remoteapp-programs-listed-on-rd-web-access-site.aspx
    Regards,
    Manjunath Sullad

  • Display problem from different domain

    Hi
    I am not able to set my display (DISPLAY variable). When I export the DISPLAY variable from the same domain as the Linux box it works fine, but when I try to export the DISPLAY variable from a different domain and use the GUI, it throws an error. Please help. Also, I am able to ping from my Windows machine to the Sun Solaris box.
    Operating system: Sun Solaris 9 (5.9).
    Error Message:
    (gnome-calculator:5511): Gtk-WARNING **: cannot open display:
    Can anybody tell me how and what all we need to check to configure DISPLAY?
    I mean the software required and firewall configuration.

    > I'm trying to export the DISPLAY variable from a different domain and use the GUI.
    Different domain or different network?
    > I am able to ping from my Windows machine to Sun Solaris
    Ping means nothing in this case because:
    1. ICMP != TCP
    2. You need to have allowed connections from Solaris to your local machine (port 6000) and ping is not capable of checking that.
    3. You need to check this on/from the server (Solaris)
    Or you can use X11Forwarding so you don't need to allow connections as mentioned above.
    > I mean the software required
    Do you mean client SW or what?
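    To make the reply's point concrete, an added example in Python (not from the thread): it parses DISPLAY the way an X client does, reports which TCP endpoint must actually be reachable (6000 plus the display number, or a local socket when no host is given), and offers a real TCP connect test instead of a ping. The host names and display strings are constructed samples.

```python
"""What a DISPLAY value really requires on the network.

Added example for the troubleshooting reply above. parse_display() follows the
host:display.screen grammar X clients use; tcp_reachable() is a plain TCP
connect, which is the check ping cannot perform.
"""
import socket
from typing import Optional, Tuple

X_BASE_PORT = 6000   # an X server for display N listens on TCP 6000 + N


def parse_display(display: str) -> Tuple[Optional[str], int, int]:
    """Return (host or None for a local unix socket, display number, screen)."""
    host, sep, rest = display.rpartition(":")
    if not sep:
        raise ValueError("DISPLAY has no ':': %r" % display)
    num, _, screen = rest.partition(".")
    if not num.isdigit() or (screen and not screen.isdigit()):
        raise ValueError("bad display number in %r" % display)
    if host.startswith("[") and host.endswith("]"):   # bracketed IPv6 literal
        host = host[1:-1]
    return (host or None), int(num), int(screen or 0)


def x_endpoint(display: str) -> Optional[Tuple[str, int]]:
    """TCP endpoint an X client must reach, or None when DISPLAY is local only."""
    host, num, _ = parse_display(display)
    if host is None:
        return None
    return host, X_BASE_PORT + num


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real TCP connect (not ICMP): True only if something accepts on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample DISPLAY values: a remote PC, a second display on it,
    # a local server, and the value sshd sets for X11Forwarding.
    for d in ("10.0.0.5:0", "pc.other.example:1.0", ":0", "localhost:10.0"):
        print(d, "->", x_endpoint(d))
```

    Run on the Solaris side with the Windows machine's address in DISPLAY, the endpoint it prints is the one that must be open inbound on the Windows host and not blocked between the two networks. The last sample shows why X11Forwarding sidesteps the whole problem: sshd sets DISPLAY to localhost:10.0, so the X client connects to port 6010 on the Solaris box itself and the traffic rides the SSH session, with nothing to open on the Windows firewall.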

  • Two "From"-Addresses with different domains

    Hi Forum,
    what is your best practice to setup two available sender-addresses for one Account?
    My first thought was to create a new PO with a new domain.
    Then I can setup all users which are already existing in the first PO.
    After that I give every user proxy rights to its corresponding user in the second PO.
    Now every User can click on the "From"-field an choose the other address.
    For sure they also have to choose the correct signature!
    IMHO that should work?!
    Any other suggestions would be appreciated :)
    Cheers,
    Pascal

    Uwe,
    that's correct. And if I remember correctly, you have to create the second domain via C1 and allocate it to an account.
    After that the account will use the second email address/domain as sender address. Unfortunately the user can't switch on demand between two addresses as you need C1 with appropriate rights...
    Your second solution would be one way to make the user able to switch easily and quickly between two sender addresses without the need for a second licence.
    However I have to add a POP3/IMAP account to be able to set up an SMTP account.
    (Besides: as a default you can only add such accounts in caching mode and I don't know if these settings are persistent if you move a user to a different workstation or something else)
    No offence but that seems more like a workaround than a feature to me ;)
    I was hoping Novell offers an easier/better way to use a second sender address... maybe I expected too much :)
    I guess in that case your second solution would be the best way...
    Wonder how other mail clients would handle such demands....
    Anyway, thanks!
    Pascal

  • A problem with Win 7 Pro, Outlook Web Access based on Exchange Server 2003, and two different domains

    Dear Microsoft Support,
    As mentioned in the title,
    I have two domains. One is Domain A at HQ. The other one is Domain A at the branch office. A laptop with the Win 7 Pro OS is a client of Domain A. Domain A has Exchange Server 2003. Users of Domain B connect to the Exchange Server for email services. In all clients of Domain B, the IP address of the email server is added to the C:\Windows\System32\drivers\etc\hosts file.
    Whereas in the clients of Domain A it was not done, because all the servers including the email server belong to Domain A.
    Now, a user with a Domain A client (it is a laptop) came to the branch office and wanted to access Outlook (using Outlook Web Access). Since there is no IP address added in the hosts file of the laptop, connectivity to email is not possible. When I try to add the IP address, I am not able to do so due to Domain A's security restrictions.
    So, let me know, is there a way to add the IP address to the hosts file of the Domain A client.
    Thanks in advance.
    Ravi Sekhar Modukuru

    I would suggest adding the mailserver address in Domain B's DNS. Would that be possible?

    I agree. The correct solution in this case (since it appears you already have a two-way Domain Trust in place) is to properly configure DNS in Domain 'B' to be a secondary of Domain 'A' and completely eliminate the need to maintain the HOSTS file.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
