IPS30SP4 and PDC authentication against non-default domain

We are trying to get certificate authentication to work for a domain with a URL not equal to "/". At the moment the portal sends us right back to the default domain.
Is there any way around that?
Regards, Robert

Hi,
Can you explain the problem in more detail?
Thanks,
Raj_indts
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support

Similar Messages

  • Windows Server 2012 R2 non-default domain admin limitations

    Environment: Windows Server 2012 R2
    Problem: members of the Domain Admins group are restricted in ways the default domain admin account is not. This is with or without UAC disabled; there are even more prompts with UAC enabled. Here are two examples:
    1. Attempt to copy to Public Desktop. Built-in domain admin or local admin account can do so without restriction; any other member of the Domain Admins group is prompted for administrator permission (although clicking Continue proceeds without actually requiring further authentication/permission).
    2. Right-click -> Properties of hard drive in Explorer is missing the Shadow Copies tab for a non-default Domain Admin. Yes, I can simply right-click the drive and go to Configure Shadow Copies, so this one is not so important. But it is an inconsistency that means I have to access things just a bit differently...
    This topic first appeared in the Spiceworks Community

    I have already replied to that here: https://social.technet.microsoft.com/forums/windowsserver/en-US/b57abf72-90e6-44d7-93a5-0e57cb5404c9/nic-teaming-with-ws2012-ad
    I still do not see an MS statement saying that it is supported for DCs.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • How to alow non-default domain users to set share folders.

    From Messenger Express, users who are in non-default domains cannot set any share folders, and only get an error message "You do not have permission for setting permission". However, users in the default domain can do it without any problem on the same server [iMS 5.2].
    Is there any specific permission to allow non-default domain users to do it ?
    If yes, how to give this permission to these users ?
    Thanks & regards,
    Takuto

    Indeed, it is fixed in the GA. Another way to set the alias table is to do it in the Admin client. If you add a connection to a user there is a new 6.5 button "set alias" that allows you to set the default alias table for this specific user. But it does not exist on a user group level.

  • Netlet and PDC-Authentication: a workaround

    Hello,
    maybe this is of interest to someone:
    Currently, if the Netlet is used when logged on via PDC authentication, the private key must be stored on the client's filesystem and some "Java Runtime Parameters" must be configured in the Java Control Panel. This is impractical for most users. Additionally, this doesn't work at all when you use PDC with smartcards, because the private key is not exportable to the filesystem.
    We have two instances of the gateway running to use PDC authentication and SecurID at the same time (portal.domain.com and portalpdc.domain.com). The SecurID users can work with the Netlet, the PDC users cannot.
    But we have found that the PDC users can simply switch to the SecurID gateway, because they have a valid portal session cookie (replacing
    https://portalpdc.domain.com/http://portalserver/portal/dt
    with
    https://portal.domain.com/http://portalserver/portal/dt).
    Then the Netlet works without problem!
    When the "Default Success Login URL" is changed from
    %protocol://%host:%port/portal/dt
    to
    https://portal.domain.com/http://portalserver/portal/dt,
    and the second gateway instance is included in the "URIs not to Rewrite" list in the gateway rewriter configuration, this works without further user interaction.
    Additionally, this workaround solved some strange problems we had with the Citrix Java client and the Sun JVM when the users logged on via PDC.
    Regards,
    Juergen Maihoefner

    Hi,
    Can you explain the problem in more detail?
    Thanks,
    Raj_indts
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support

  • Anybody done USERID/PASSWORD authentication against a Windows NT Domain

    I think I'll have to write a C++ Program to the WinNT API to do it
    (LogonUser). Then I'll wrap it with a service object for authentication. Has
    it been done before? Or something similar? We want to validate users against
    a WindowsNT Server DOMAIN.
    -martin ([email protected])

    Hi Martin & All,
    Yes, you are right: wrap the API in C++/C, then write a PEX file for the interface to Forté and use the method to invoke the WinNT API authentication. Do not forget to validate the return values from the methods. They are very crucial in handling exceptions etc. in Forté.
    I've done the same to provide the mail user authentication in a MAPI API wrapper for Forté.
    Is this what you are looking for?
    Regards,
    Sivaram S Ghorakavi mailto:[email protected]
    International Business Corporation http://www.ibcweb.com/
    From: Martin G Nystrom
    Sent: Wednesday, November 26, 1997 1:53 PM
    To: [email protected]
    Subject: Anybody done USERID/PASSWORD authentication against a Windows NT Domain?
    I think I'll have to write a C++ Program to the WinNT API to do it
    (LogonUser). Then I'll wrap it with a service object for authentication. Has
    it been done before? Or something similar? We want to validate users against
    a WindowsNT Server DOMAIN.
    -martin ([email protected])

  • (Help!) Trying to have custom authentication against an NT domain

    Hi! I'm pretty much new to Sun ONE and setting up realms for an app server, but here is my problem: we are developing a web app and need users to log in against the NT machine instead of a DB server or flat file. I've developed a java.rmi class that can take a username, a password and a domain and return a boolean, but I have no way to have Sun ONE 7 take that as an authentication. I'm trying to have the authentication for the realm hit my class instead of whatever default it goes to and have my class return the required object back... any suggestions? Anyone?
    thanks.

    Thank you, that worked. But I still can't get the server to recognize my roles. I have a role being passed into the PasswordLoginModule and I have it defined in the "web.xml" as an auth-constraint, but I get this in the log files:
    FINE: Authenticator[]: Authenticated 'jeff.corbett' with type 'BASIC'
    FINE: Authenticator[]: Calling accessControl()
    FINEST: PRINCIPAL : jeff.corbett hasRole?: adminmember
    FINEST: PRINCIPAL TABLE: {}
    INFO: SEC1123: Audit: principal=jeff.corbett GET /XCSservices.jsp session=null DENIED
    FINE: Authenticator[]: Failed accessControl() test
    If you have any ideas of what I may be missing, that would be a great help. Thank you again.

  • Grid control and non-default listener

    I have OEM 10.2.0.5 on Linux Red Hat 5.
    I have a series of databases with 2 Oracle homes on Solaris.
    1. We use virtual IPs instead of the host IP, so one IP for each database. This is due to our active/passive cluster. I have read the documentation on this. I was able to configure for this by taking the tnsnames file and using that in the target configuration.
    My problem now is that the OEM sees my listener as being down. I think this is because it is looking for the default listener on port 1521. We have 1 listener per database and they are on non-default ports. This is for our active/passive failover.
    How do I configure the target to look for the correct listener, so I do not have a listener called "listener"?
    My listener has the same name as the database name and is on the same port as my database.

    Guess2 wrote:
    I have OEM 10.2.0.5 on Linux Red Hat 5.
    I have a series of databases with 2 Oracle homes on Solaris.
    1. We use virtual IPs instead of the host IP, so one IP for each database. This is due to our active/passive cluster. I have read the documentation on this. I was able to configure for this by taking the tnsnames file and using that in the target configuration.
    My problem now is that the OEM sees my listener as being down. I think this is because it is looking for the default listener on port 1521. We have 1 listener per database and they are on non-default ports. This is for our active/passive failover.
    How do I configure the target to look for the correct listener, so I do not have a listener called "listener"?
    My listener has the same name as the database name and is on the same port as my database.
    Your database isn't "on" a port, so the fact that you make a statement like "My listener . . . is on the same port as my database." indicates you don't yet have a clear understanding of the relationship of the listener to the database. The fact that you would name your listener the same as your database further indicates you don't yet have a clear understanding of the relationship of the listener to the database.
    The database (actually, we're talking about the instance) really has no inherent relationship to the listener. The listener is just a connection broker. One listener, listening on one port, can service requests for multiple databases, even multiple versions (9.x, 10.x) databases, even databases running out of different homes. For that reason alone, I consider it bad practice to name a listener the same as a database. That implies a relationship that simply doesn't exist. Only under extraordinary circumstances would it be necessary to have more than one listener running on a server, regardless of how many database instances may be on that server. And for that reason it really doesn't make much sense to name your listener anything but the default - "listener".
    You configure your listener to listen on a certain ip and port. You configure your clients (via tnsnames or other naming method) to send connection requests to the ip and port the listener was configured to listen for, requesting a connection to a service name the listener knows about. The listener knows about service names either through coding in the SID_LIST section of listener.ora, or through self-registration by the instance.
    I worked with active/passive clusters with virtual IP's a few years ago and there was really nothing special I had to do as far as the databases, clients, or listeners.

  • Block Inheritance and Default Domain Policy

    Hello to all, I will run a cross-forest migration and the target forest has a Default Domain Policy. The target domain is at Windows 2003 functional level, but has almost all DCs on Windows 2008. As first-level OUs represent country codes (USA, GBR, FRA, etc.) and a new country will be created, I want to block GPOs from the domain level. The task itself is very easy: just configure "Block Inheritance" on the new country OU. Important: the Default Domain Policy is >> not set << to "Enforce" on the target domain.
    Question: will the security configurations (account, password, local policies) from the Default Domain Policy be blocked? If yes, how will domain users below this new country OU have basic configurations for them (password complexity, password length, certificates, etc.)?
    Regards, EEOC.

    Question: will the security configurations (account, password, local policies) from the Default Domain Policy be blocked? If yes, how will domain users below this new country OU have basic configurations for them (password complexity, password length, certificates, etc.)?
    The Domain security policy for passwords etc, is domain-wide, and cannot be blocked.
    It applies to, and is controlled by, the Domain Controllers.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried both integrated and non-integrated with domain logon (i.e. the "use my Windows logon name and password and domain (if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in the successful authentication log).
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend; the last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.
    Using the built-in Windows supplicant will only authenticate the user or the machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
    I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the Default Domain Controllers Policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but I am wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
    One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the SYSVOL folder were not consistent with the ones in AD, so I followed its recommendation to update.
    Any advice you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A severe misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin
    Time to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have a monitoring application relying on this policy being turned on, and if it's off, it gets reported. The monitoring application knows about the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run the command gpresult /h report.html with admin privileges to collect a group policy result report and check how the policy setting was applied after rebooting? Besides, we can also try to run the command
    auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
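The reply above points at auditpol /get /category:* as the way to see which audit settings are actually in effect after the reboot. The Python below is an added example (not from the thread, not Microsoft's code) of what the poster's "monitoring application" can do with that output: parse the subcategory settings and compare them with the values the Default Domain Controllers Policy is expected to apply, so the "Success and Failure" to "No Auditing" flip is reported as a concrete drift list. The sample auditpol text and the expected baseline are constructed for illustration; the collect_live() helper simply runs the command from the reply on a Windows host.

```python
"""Audit-policy drift check (added example, constructed sample output).
Parses the text of `auditpol /get /category:*` and compares the subcategory
settings with the values the Default Domain Controllers Policy is expected to
apply, so a scheduled job can flag the Success and Failure -> No Auditing flip
reported after a DC reboot."""
import subprocess

# Constructed output in the layout auditpol prints: category lines flush left,
# subcategory lines indented, the setting text at the end of each line.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  Success
Account Logon
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
"""

# Expected baseline (constructed): what the DDCP is supposed to enforce.
EXPECTED = {
    "System Integrity": "Success and Failure",
    "Logon": "Success and Failure",
    "Logoff": "Success and Failure",
    "Kerberos Authentication Service": "Success and Failure",
    "Credential Validation": "Success and Failure",
}

# Longest first, so "Success and Failure" is matched before plain "Failure".
VALID_SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")


def parse_auditpol(text: str) -> dict:
    """Map subcategory name -> setting.

    Matching on the trailing setting text avoids depending on column
    positions, which vary with subcategory name length."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue                      # header or category line
        body = line.strip()
        for setting in VALID_SETTINGS:
            if body.endswith(setting):
                result[body[: -len(setting)].rstrip()] = setting
                break
    return result


def audit_drift(actual: dict, expected: dict = EXPECTED) -> list:
    """Return (subcategory, expected, actual) for each mismatch or missing entry."""
    return [(name, want, actual.get(name, "<missing>"))
            for name, want in expected.items()
            if actual.get(name, "<missing>") != want]


def collect_live() -> dict:
    """Run the command from the thread on a Windows host and parse its output."""
    out = subprocess.run(["auditpol", "/get", "/category:*"],
                         capture_output=True, text=True, check=True).stdout
    return parse_auditpol(out)


if __name__ == "__main__":
    for name, want, got in audit_drift(parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)):
        print(f"DRIFT {name}: expected {want!r}, found {got!r}")
```

Running the drift check from a scheduled task on each DC, and again a few minutes after every reboot, gives a timestamp for when the setting changed, which narrows down which boot-time process (policy refresh, a startup script, another GPO) is responsible.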

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMware appliance with a view to replacing our existing FreeRADIUS installation as the authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
    Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
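Both the ACS thread above (usernames arriving as "DOMAIN\USERNAME" that the internal database does not recognise) and this ISE thread (the RADIUS realm "mydomain" differing from the AD domain "win.mydomain") come down to the same step: turning whatever identity format the supplicant sends into the name the directory is queried with, without letting a foreign prefix or realm through. The Python below is an added example, not Cisco's, Microsoft's or either poster's code. The NetBIOS names, the list of alternate UPN suffixes and the sample identities are constructed for illustration, and the reject-unknown rule is a design choice of this example, not something either thread states.

```python
"""Identity normalisation in front of an AD lookup (added example, constructed
values). The supplicant may send "DOMAIN\\user", "user@realm" or plain "user";
the directory wants a bare sAMAccountName or a UPN in the AD DNS domain."""
import re

# Constructed configuration: the AD forest the RADIUS server is joined to and
# every prefix/suffix that is allowed to map onto it. Anything else is foreign.
AD_DNS_DOMAIN = "win.mydomain"                       # assumed from the thread
KNOWN_NETBIOS = {"WIN", "DOMAIN"}                    # NetBIOS names Windows sends
ALTERNATE_SUFFIXES = {"mydomain", "student.mydomain", "win.mydomain"}

# Characters AD does not allow in a sAMAccountName; reject instead of cleaning,
# because a "cleaned" name could match a different account than the one typed.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>@]')


class IdentityError(ValueError):
    """Raised for identities that must not be looked up in our directory."""


def normalize_identity(raw: str) -> str:
    """Return the bare account name for a trusted prefix/suffix, else raise.

    Accepted forms:
        PREFIX\\user   NetBIOS form, what the Windows supplicant sends when
                       "use my Windows logon name and password" is ticked
        user@suffix    UPN / RADIUS realm form
        user           already bare
    """
    raw = raw.strip()
    if not raw:
        raise IdentityError("empty identity")
    if "\\" in raw:
        prefix, _, user = raw.rpartition("\\")
        if prefix.upper() not in KNOWN_NETBIOS:
            raise IdentityError(f"unknown NetBIOS domain {prefix!r}")
    elif "@" in raw:
        user, _, suffix = raw.rpartition("@")
        if suffix.lower() not in ALTERNATE_SUFFIXES:
            raise IdentityError(f"unknown realm {suffix!r}")
    else:
        user = raw
    if not user or _SAM_FORBIDDEN.search(user):
        raise IdentityError(f"invalid account name {user!r}")
    return user


def to_upn(raw: str) -> str:
    """Canonical UPN for the AD query: bare name plus the AD DNS domain."""
    return f"{normalize_identity(raw)}@{AD_DNS_DOMAIN}"


def is_trusted_identity(raw: str) -> bool:
    """True when normalize_identity() would accept the identity."""
    try:
        normalize_identity(raw)
    except IdentityError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample identities as a supplicant might present them.
    for sample in ["WIN\\alice", "alice@student.mydomain", "bob",
                   "EVIL\\alice", "alice@attacker.example", "al*ice"]:
        try:
            print(f"{sample:28} -> {to_upn(sample)}")
        except IdentityError as err:
            print(f"{sample:28} -> rejected ({err})")
```

Stripping the prefix or realm blindly, as a regex "remove everything before the backslash" rule would, is what makes an untrusted realm indistinguishable from the local one; keeping an explicit allow-list of prefixes and suffixes is the difference between realm stripping and realm spoofing. Logging the rejected raw identity alongside the normalised one also makes the "User not found" class of failure diagnosable on the RADIUS side rather than in the directory.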

  • Windows 8 and Default Domain Policy modification issue

    Hi,
    I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:
    Group Policy Error
    Failed to open the Group Policy Object.  You might not have the appropriate rights.
    Details: The volume for a file has been externally altered so that the opened file is no longer valid.
    I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account. The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick out as having anything to do with AD management).
    It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.
    thanks
    Andy
    Cheers Andy

    Hi,
    According to your description, the issue only occurred when you clicked to edit the GPO, and only on Windows 8. I would like to suggest that you follow the suggestions below to narrow down the issue:
    1. Check out whether the issue only occurred to Default domain policy object.
    2. Test on another new installed Windows 8 client with only RSAT installed.
    3. Create another new account and add it to domain admin group to test again.
    4. Run dcdiag on DCs to check out whether the replications work fine.
    Hope this helps.
    Regards,
    Yan Li
    If you have any feedback on our support, please click here.
    Cataleya Li
    TechNet Community Support

  • User authentication against LDAP - Non-AD

    Hi,
    We are trying to set up LDAP authentication against an LDAP directory (Oracle Unified Directory), and below are the parameters of the ldap.properties file:
    ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
    ldapAuthentication.enabled = true
    ldapAuthentication.tryNextProviderIfNoAuthenticated = true
    ldapAuthentication.stopIfCommunicationError = true
    ldapAuthentication.url=ldap\://localhost:389/
    ldapAuthentication.rootContext=DC=test,DC=com
    ldapAuthentication.securityPrincipal=CN=Directory Manager
    ldapAuthentication.securityCredential.encrypted=password
    ldapAuthentication.keepContextPrefix=false
    ldapAuthentication.isAD=false
    ldapAuthentication.userAccountSearchKey=CN
    ldapAuthentication.firstNameSearchKey=givenName
    ldapAuthentication.lastNameSearchKey=sn
    Still I am getting the following when I try to log in to OIA as an OUD user:
    WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
    Please help
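The properties above set userAccountSearchKey=CN, while the login that fails is reported as 'cn=oiaadmin'. The Python below is an added example, not OIA's or OUD's code: it reads the posted property keys and builds the account lookup the way a properties-driven connector typically does, taking the base DN from rootContext and the filter from the search key, with the login name escaped per RFC 4515 so that what the user types cannot change the filter's structure. The filter shape is an assumption (the page does not show how OIA builds its query), and the embedded properties text is a constructed copy of the values posted above.

```python
"""Build an LDAP user-lookup from ldap.properties (added example; the filter
shape is assumed, the properties text is constructed from the posted values)."""

LDAP_PROPERTIES = """\
ldapAuthentication.url=ldap\\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value, '\\:' unescaped to ':'.

    Only the escape the posted file uses is handled; a full reader would
    cover unicode escapes and line continuations as well."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")      # first '=' separates key/value
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value used inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(props: dict, login: str) -> tuple:
    """Return (base DN, filter) for the account lookup.

    With userAccountSearchKey=CN the login must be the bare CN value; a login
    typed as 'cn=oiaadmin' becomes the assertion value and matches nothing."""
    key = props["ldapAuthentication.userAccountSearchKey"]
    base = props["ldapAuthentication.rootContext"]
    return base, f"({key}={escape_filter_value(login)})"


if __name__ == "__main__":
    cfg = parse_properties(LDAP_PROPERTIES)
    for login in ("oiaadmin", "cn=oiaadmin", "*)(cn=*"):   # constructed inputs
        base, flt = build_user_search(cfg, login)
        print(f"{login!r:14} -> base={base} filter={flt}")
```

The third constructed input shows why the escaping matters: without it, a login of "*)(cn=*" would turn a single-equality filter into one that matches every entry under the base DN.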

    Hi Jcorker,
    According to your description, you need to access the SQL Server Analysis Services database, which is configured as a cluster for SQL & SSAS, from another domain, right?
    In SSAS we can use the solution below to achieve the requirement.
    1. Create a new domain account and impersonate the web site with that.
    2. Create a local user account on the analysis service with the same exact username/password as the domain account created in the previous step.
    However, you cannot create a local account with the same name on both servers. I have tested it on my local environment, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 are on different servers, you can create a local account with the same name on both servers. Please post the detailed errors, so that we can make further analysis.
    Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
    http://technet.microsoft.com/en-us/library/cc961481.aspx
    Regards,
    Charlie Liao
    If you have any feedback on our support, please click here.
    Charlie Liao
    TechNet Community Support
