IronPort: don't send requests to Active Directory
Hi,
We need to configure an exception so that the network 10.0.53.0/24 does not require authentication in the IronPort WSA. However, users on this network must still pass through all the content filters appropriate to their AD group.
NOTE: I need the IronPort not to send requests to Active Directory when users on the 10.0.53.0/24 network need to go to the internet.
regards,
Yerko.
That is correct. This is not possible.
Correct me if I am wrong. It sounds like you do not want Authentication, but still would like to control them using the AD group.
You might want to look into using the Context Directory Agent. With a Context Directory Agent, the agent will scan the Active Directory security logs for logon events. It will build a User-to-IP mapping table. When the users in the 10.0.53.0/24 network access the internet, they will not need to authenticate. The WSA will query the Context Directory Agent and see who is on the IP address. If there is a user, then AD groups can be used. If there is no user, then the user will be a Guest.
The Context Directory Agent runs on CentOS. It will need to be hosted on a dedicated machine, or a virtual machine. The required disk space is 120 GB.
-Vance
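The mechanism Vance describes (a user-to-IP table distilled from AD logon events, consulted by the proxy so the client is never prompted, with unmapped IPs treated as Guest) can be illustrated with a small simulation. This is an added example, not code from Cisco's Context Directory Agent or the WSA; the event layout, the group-membership table, the policy names and the eight-hour mapping lifetime are all constructed assumptions. It also shows the two caveats a defender should keep in mind with this design: a mapping goes stale and should expire, and when an IP is reused the most recent logon wins, so a shared address can change identity under a user.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of what an agent would distil from AD security-log
# logon events: when, which user, from which client IP. The field layout
# is an assumption for this example, not the real CDA record format.
LOGON_EVENTS = [
    ("2024-01-10T08:00:00", "CORP\\alice", "10.0.53.10"),
    ("2024-01-10T08:05:00", "CORP\\bob",   "10.0.53.11"),
    ("2024-01-10T09:30:00", "CORP\\carol", "10.0.53.10"),  # alice's IP reused
]

# Constructed AD group membership, standing in for a directory lookup.
GROUP_MEMBERSHIP = {
    "CORP\\alice": {"Staff"},
    "CORP\\bob":   {"Staff", "Finance"},
    "CORP\\carol": {"Contractors"},
}

# Which web policy applies to which AD group; first match wins.
# Policy names are constructed for the example.
GROUP_POLICIES = [
    ("Finance", "finance-policy"),
    ("Staff", "staff-policy"),
    ("Contractors", "contractor-policy"),
]
GUEST_POLICY = "guest-policy"

# Assumed lifetime of a mapping; after this the IP is treated as unknown.
MAPPING_TTL = timedelta(hours=8)


@dataclass
class Mapping:
    user: str
    seen: datetime


def build_user_ip_map(events):
    """Build the IP -> user table; the most recent logon on an IP wins."""
    table = {}
    for ts, user, ip in sorted(events):          # ISO timestamps sort chronologically
        table[ip] = Mapping(user, datetime.fromisoformat(ts))
    return table


def resolve_user(table, ip, now_iso):
    """Return the user mapped to ip, or None if unknown or the mapping is stale."""
    m = table.get(ip)
    if m is None:
        return None
    if datetime.fromisoformat(now_iso) - m.seen > MAPPING_TTL:
        return None
    return m.user


def policy_for(table, ip, now_iso):
    """Pick the policy for a client IP: by AD group if mapped, else Guest."""
    user = resolve_user(table, ip, now_iso)
    if user is None:
        return GUEST_POLICY
    groups = GROUP_MEMBERSHIP.get(user, set())
    for group, policy in GROUP_POLICIES:
        if group in groups:
            return policy
    return GUEST_POLICY


if __name__ == "__main__":
    table = build_user_ip_map(LOGON_EVENTS)
    for ip in ("10.0.53.10", "10.0.53.11", "10.0.53.99"):
        print(ip, "->", resolve_user(table, ip, "2024-01-10T10:00:00"),
              policy_for(table, ip, "2024-01-10T10:00:00"))
```

Note that 10.0.53.10 resolves to carol, not alice, because her logon is the later one; in a real deployment that is exactly the case (shared workstations, DHCP churn, NAT) where passive identity mapping can misattribute traffic, and why the mapping needs a bounded lifetime.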
Similar Messages
-
Search Active Directory Entries without password authentication
JNDI, Active Directory
I am a newbie to JNDI and Active Directory. I am trying to create a web application which provides domain users with the information of the Active Directory groups the user belongs to. I know how to access Active Directory and search entries with JNDI, like the code below.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>();
env.put(Context.PROVIDER_URL, "LDAP://URL:389");                          // directory server and port
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "none");                         // "none" = anonymous bind
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.version", "3");
env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");               // bind DN
env.put(Context.SECURITY_CREDENTIALS, "secret");                          // bind password
DirContext ctx = new InitialDirContext(env);                              // binds with the settings above
But I want to know how to search entries without an Active Directory password, because I don't tell users their Active Directory password.
I don't have any idea. Could you give me a good idea?
Sorry for my English. Thank you.
Danno
It means to allow "Anonymous LOGON" and "Everyone" users to search entries in AD, I think. Sorry, can't help. In OpenLDAP it means "allow * search" or possibly "allow * auth".
You mean that if I do it, will the code below be unnecessary in Java?
That's not only what I meant, it is what I said, concerning the principal and credentials lines.
You don't need the SECURITY_AUTHENTICATION line; I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none'). -
Synchronization with Active Directory issue - Error ID 1004
I found the Application Event Log error below.
Error ID 1004: The resource 'D:\SharePoint 2010\14.0\Service\Microsoft.ResourceManagement.Service.exe' does not exist.
This means the Network Service account does not have rights to the %programfiles%\Microsoft Office Servers\14.0 folder, so the User Profile Synchronisation with Active Directory does not run properly.
The solution is to grant read access to the Network Service account on the ...\14.0 folder.
https://support2.microsoft.com/kb/2473430?wa=wsignin1.0
But I cannot find the %programfiles%\Microsoft Office Servers\14.0 folder. Instead there is a folder on the D drive, 'D:\SharePoint 2010\14.0', and I granted read access to the Network Service account on this folder and ran a full synchronization, but still no joy.
Could you please advise me?
Thanks
Thanks Victoria,
I granted full access to the user NETWORK SERVICE, which is listed in the error message, on the folder D:\SharePoint 2010\14.0. Then I reset IIS and ran a full synchronization, but there are still some user accounts that are members of an AD group (this AD group has Contribute rights to the intranet), and when I check permissions for those users, it seems they don't inherit permissions from that AD group.
For example:
AD group name: TeamMembers
TeamMembers has Contribute permission.
user1, user2, user3 and user4 are members of TeamMembers.
user1 and user2 have Contribute permission, given through the "TeamMembers" group.
user3 and user4 have no permission!!!
I don't know what the problem is. I don't have access to Active Directory, but the people who have access say all users are members of that AD group.
Could you please advise?
Thanks -
Hi,
We have some problems with our Root CA. I can see a lot of failed requests with event ID 22 in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=xxxxx.ourdomain.com. Additional information: Error Verifying Request Signature or Signing Certificate
A couple of months ago we decommissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure, but I am not sure whether this was in use or not, since I could find the role but I wasn't able to see any existing configuration.
Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs; what can I do now to try and correct the problem?
Thank you for your help
//Cris
Hello,
let me recap first:
You see these errors on a ROOT CA, so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with the error you mentioned.
Do you say that you had a PREVIOUS CA which you decommissioned, and you now have a brand NEW CA that was built as a clean install? When you decommissioned the PREVIOUS CA, it was your design decision not to bother with the current certificates that it issued and which are still valid, right?
The error says that the REQUEST signature cannot be validated. REQUESTs are signed either by themselves (self-signed) or, if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs do not contain CRL paths at all.
So this implies to me that the requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
As there are many such REQUESTs and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
Just a clean self-signed REQUEST.
That will succeed.
You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
ondrej. -
Hello,
We have a multi-domain parent/child AD domain infrastructure and we have now upgraded our Exchange from Exchange 2007 to Exchange 2013. For the last few days, we have seen the error below in the mailbox server event viewer.
EVENT ID : 1121
The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error.
Request GUID: '93a7d1ca-68a1-4cd9-9edb-a4ce2f7bb4cd'
Database GUID: '83d028ec-439d-4904-a0e4-1d3bc0f58809'
Error: An Active Directory Constraint Violation error occurred on <domain controller FQDN>. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-0315286E, #1:
Our Exchange setup is in the parent domain, but we keep on getting this error for various domain controllers in each child domain in the same site. We then configured one of the parent domain's domain controllers on Exchange. We are still getting this error for the configured parent domain DC.
Verified the AD replication and there is no latency or pending items.
Any support to resolve this issue will be highly appreciated. Thank you in advance.
Regards,
Jnana R Dash
Hi,
In addition to Ed's suggestion, I would like to clarify the following things for troubleshooting:
1. Please restart IIS at first.
2. If the issue persists, please ping your DC on your Exchange server to check if Exchange can communicate with DC.
Hope it helps.
Best regards,
Amy Wang
TechNet Community Support -
This Active Directory is a replica of the master on the second Mac Mini server, which still thinks the replica is there (perhaps it is) and will not let us delete it in order to recreate it. Both servers are running 10.8.4. Nothing changed on either server; we simply did a reboot. When we logged in, Active Directory was turned off, and when trying to turn it on or access it we received the message "Unable to open the requested node. The node LDAPV3/127.0.0.1 could not be opened because of an unexpected error -14006".
Does anyone have experience with this, and how can we recover? Thanks in advance for your help.
Hi again,
I've been able to run Reports by changing the "Reports_Tmp" key in the Registry under:
Hkey_local_machine\software\oracle\home0\
to the D:\ drive -
I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
What could be the problem, considering the items below:
- inheritance is not broken to the level of the distribution group object
- the account used to run the cmdlet is a member of the Organization Management group
- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties)
shows no differences.
- adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
- there is no Deny permission on the group's ACL
- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues
Anyone ever come up with a solution to this? I get something similar when ActiveSync tries to create objects on user containers.
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3
So... I get this after I introduced an MS Exchange 2010 SP3 RU8 server into my environment. You can find LOTS of people suggesting the same fix, but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permissions to msExchActiveSyncDevices for the Exchange Servers security group, blah blah.
I got to this point by following a Migrate to Exch2010 paper by MS. I have no Win2k servers; my old Exchange server is Win2003 R2 SP2 with Exch2003 SP2, fully patched. The Exch server is also a DC. I installed a new 2012 R2 server and then patched it. Installed Exch2010 SP3 RU8 and all seems well.
The old Exch2003 server is still in production. My iPhone army connects remotely for mail, and all works great. I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit. It eventually shows up in the Server Manager on the new 2010 Exch server. I send it a bunch of emails, connect to it with an Outlook client on a Win7 machine, all works. I go to the SM on the 2010 box and migrate the mailbox to the new server. It works. I can connect with Outlook, send and receive mail to other users in the org. I then try to connect with my iPhone and I get the message in Event Viewer over and over.
Went so far as to promote the new 2012 server to a DC. Seems to be fine. Now I am wondering, if I demote the old Exch2003 server, will it help... or cause a new crop of issues.... -
ACS 5.3 WLC Certificates RADIUS Active Directory
Hi,
I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed on it to connect to the wireless, and then authenticate to the ACS with AD and the laptop certificates. So if a user from work brings a home laptop, it won't be able to connect, as it doesn't have a certificate installed.
I have setup ACS to connect to AD.
I have added the local certificate with my company's CA
acs.blah.com
acs.blah.com
SubCA3-1
09:50 28.09.2012
09:50 28.09.2018
EAP, Management Interface
I create a very simple rule and then try to connect through the laptop. I select the certificate on the client and click connect. The connection works fine and I am on the network.
Authentication Summary
Logged At: October 2, 2012 3:06:37.996 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: blah\Eddy
MAC/IP Address: 18-3d-a2-26-7f-b9
Network Device: L39-WC-5508-01 : 10.49.2.150 :
Access Service: WirelessAD
Identity Store: AD1
Authorization Profiles: Wireless AD
CTS Security Group:
Authentication Method: PEAP(EAP-MSCHAPv2)
I then just tried a laptop I brought from home; I used my AD username and password and this also connected. This laptop doesn't have a certificate. How can I make it so that only work laptops with certificates are allowed to connect to the wireless?
Any help would be great; happy to send screenshots of my setup.
Cheers
Eddy
Hi Guys,
Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
Logged At: October 12, 2012 2:50:17.866 PM
RADIUS Status: Authentication failed : 15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username: blah\eddy
MAC/IP Address: 00-21-6a-07-31-88
Network Device: -WC-5508-01 : 10.10.2.10 :
Access Service: WirelessAD
Identity Store: AD1
Authorization Profiles: DenyAccess
CTS Security Group:
Authentication Method: PEAP(EAP-MSCHAPv2)
I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below; any ideas on how to get this to work? I don't have MARS; is MARS required for this PEAP setup?
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24101 Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
24420 User's Attributes retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Group Mapping Policy
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
any ideas guys?
thanks for the help. -
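The step log Eddy pasted shows why the session ends in DenyAccess: the user's credentials pass (24402, 22037), but ACS reports twice that it could not confirm a previous successful machine authentication (24423), and a "corporate devices only" rule is exactly one that keys on that. As an added example (not Cisco code, and not Scott's rules), the block below parses a constructed subset of those step lines and applies that decision. It assumes that the absence of 24423 means machine authentication was confirmed; ACS logs a separate success code for that case which is not quoted on this page, so this example keys on 24423 only. The profile names "Wireless AD" and "DenyAccess" are the ones in the post.

```python
import re

# Constructed subset of the ACS step log quoted in the post above
# (step-code/text format taken from it; the selection is mine).
ACS_STEPS = """\
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")

# Step codes as they appear in the post.
USER_AUTH_OK = "24402"               # user authenticated against AD
MACHINE_AUTH_NOT_CONFIRMED = "24423" # no prior machine authentication on record

PERMIT_PROFILE = "Wireless AD"
DENY_PROFILE = "DenyAccess"


def parse_steps(text):
    """Return [(code, message)] for every well-formed step line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def evaluate(steps):
    """Decide what a 'corporate device only' rule should do with this session.

    Assumption (this example's, not ACS's): if 24423 never appears, ACS did
    confirm an earlier machine authentication for the user's computer.
    """
    codes = [code for code, _ in steps]
    user_ok = USER_AUTH_OK in codes
    machine_ok = MACHINE_AUTH_NOT_CONFIRMED not in codes
    profile = PERMIT_PROFILE if (user_ok and machine_ok) else DENY_PROFILE
    return {"user_auth": user_ok, "machine_auth": machine_ok, "profile": profile}


def without_code(steps, code):
    """Helper for what-if analysis: drop every step carrying `code`."""
    return [(c, msg) for c, msg in steps if c != code]


if __name__ == "__main__":
    steps = parse_steps(ACS_STEPS)
    print(evaluate(steps))                                        # DenyAccess
    print(evaluate(without_code(steps, MACHINE_AUTH_NOT_CONFIRMED)))  # Wireless AD
```

The point for Eddy's goal is that a valid AD password alone is never enough to distinguish a corporate laptop from a home one; the rule has to require something only the domain-joined machine can present (a confirmed machine authentication, or the machine certificate itself), and the deny result in the log is that rule doing its job.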
Active Directory Binding Problems
Hi all,
I'm trying to bind to Active Directory but keep on getting the "unknown error occurred" at step 5.
I captured the adplugin debug log, the only error I can see is the following:
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
Has anyone had the same problem? If so, any ideas how to overcome it?
See Complete debug log below.
2006-03-30 15:33:07 BST - ADPlugin: PeriodicTask Called.......
2006-03-30 15:33:07 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:35 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:35 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:35 BST - ADPlugin: Doing CheckServerRecords......
2006-03-30 15:33:35 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:35 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
2006-03-30 15:33:35 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
2006-03-30 15:33:36 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
2006-03-30 15:33:36 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Something wrong, unable to determine domain information from Config container......
2006-03-30 15:33:36 BST - ADPlugin: Finished CheckServerRecords......
2006-03-30 15:33:36 BST - ADPlugin: Created KerberosClient record Generation ID 165422016
2006-03-30 15:33:36 BST - ADPlugin: Rebuilt Kerberos File
2006-03-30 15:33:36 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:36 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:36 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:36 BST - ADPlugin: Doing CheckServerRecords......
2006-03-30 15:33:37 BST - ADPlugin: PeriodicTask Called.......
2006-03-30 15:33:41 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:41 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:41 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:33:41 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:41 BST - ADPlugin: Processing Site Search with found IP
2006-03-30 15:33:41 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:41 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
2006-03-30 15:33:41 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
2006-03-30 15:33:41 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
2006-03-30 15:33:42 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
2006-03-30 15:33:42 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:42 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:42 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:42 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:42 BST - ADPlugin: Finished CheckServerRecords......
2006-03-30 15:33:42 BST - ADPlugin: Created KerberosClient record Generation ID 165422022
2006-03-30 15:33:42 BST - ADPlugin: Rebuilt Kerberos File
2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager
2006-03-30 15:33:42 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager Completed
2006-03-30 15:33:42 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:42 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:42 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:42 BST - ADPlugin: Verify called for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: Verify successful for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:43 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:43 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:43 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:43 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:33:43 BST - ADPlugin: Read Context information from server for schemaNamingContext of CN=Schema,CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Updating Mappings from Schema..........
2006-03-30 15:33:47 BST - ADPlugin: Doing Computer search for Ethernet address - 00:0a:95:e4:05:84
2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
2006-03-30 15:33:47 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:47 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:47 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:47 BST - ADPlugin: Looking for existing Record of testibook
2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
2006-03-30 15:33:47 BST - ADPlugin: Attempting Add Record......
2006-03-30 15:33:47 BST - ADPlugin: Adding in OU = CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Added record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Setting Computer Password......
2006-03-30 15:33:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:35:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:37:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:39:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:41:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:43:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:45:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:47:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:49:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:51:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Existing connection too old in connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:53:48 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:53:48 BST - ADPlugin: Deleting Record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk...
2006-03-30 15:53:48 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
2006-03-30 15:53:48 BST - ADPlugin: Updating Local Admin Group
2006-03-30 15:53:49 BST - ADPlugin: Cleaning Previous Additions to Local Admin Group
2006-03-30 15:53:49 BST - ADPlugin: Sending lookupd flushcache at request!
2006-03-30 15:53:49 BST - ADPlugin: Resetting memberd cache also!
2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager
2006-03-30 15:53:49 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager Completed
2006-03-30 15:53:49 BST - ADPlugin: Bind/Join failed - Launching kerberosautoconfig -u
2006-03-30 15:53:49 BST - ADPlugin: Calling CloseDirNode
Many Thanks
Paul
Hi Paul!
I've personally never seen this error message, but a quick search on Google (which you may have already done as well) for "Setting Computer Password FAILED Deleted Record" found someone else who had the same problem. His issue was firewall related and was fixed by opening some ports for AD. He also provides a link to a Microsoft KB article about this.
Hope this helps and good luck! bill
1 GHz Powerbook G4 Mac OS X (10.4.5) -
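The shape of Paul's log supports Bill's firewall suggestion better than the single FAILED line does: the computer object is created at 15:33:47, the plugin then logs "Changing Password" ten times at two-minute intervals (a timeout per attempt rather than a rejection, which would come back at once), and only at 15:53:48 does it give up, delete the record and report the failure. The added example below, which is not part of the original thread or of Apple's plugin, parses an excerpt of those log lines and turns that timing pattern into a diagnosis; the heuristics (attempt spacing of a minute or more means a timeout, an immediate failure means a rights problem) are this example's own assumptions. The port it points at is the Kerberos password-change service, kpasswd, which listens on 464.

```python
import re
from datetime import datetime

# Constructed excerpt of the adplugin debug log from the post above
# (the tail of the bind, copied from it; the redacted "[email protected]"
# is how the post shows the account).
ADPLUGIN_LOG = """\
2006-03-30 15:33:47 BST - ADPlugin: Added record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Setting Computer Password......
2006-03-30 15:33:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:35:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:37:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:39:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:41:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:43:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:45:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:47:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:49:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:51:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Deleting Record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk...
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ - ADPlugin: (.*)$")


def parse_log(text):
    """Return [(timestamp, message)] for every well-formed ADPlugin line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return entries


def password_set_summary(entries):
    """Measure the 'Changing Password' loop: how many tries, how far apart, how long."""
    attempts = [t for t, msg in entries if msg.startswith("Changing Password for User")]
    gaps = [(b - a).total_seconds() for a, b in zip(attempts, attempts[1:])]
    return {
        "attempts": len(attempts),
        "min_gap_s": min(gaps) if gaps else 0.0,
        "max_gap_s": max(gaps) if gaps else 0.0,
        "span_s": (attempts[-1] - attempts[0]).total_seconds() if attempts else 0.0,
        "record_deleted": any(msg.startswith("Deleting Record") for _, msg in entries),
        "failed": any("Setting Computer Password FAILED" in msg for _, msg in entries),
    }


def diagnose(summary):
    """Heuristic reading of the summary (this example's assumptions, see lead-in)."""
    if not summary["failed"]:
        return "password set completed"
    if summary["attempts"] > 1 and summary["min_gap_s"] >= 60:
        return ("password set timed out repeatedly: check that this client can reach "
                "the domain controller's kpasswd service (port 464) through any firewall")
    return "password set was rejected immediately: check the binding account's rights on the computer object"


if __name__ == "__main__":
    summary = password_set_summary(parse_log(ADPLUGIN_LOG))
    print(summary)
    print(diagnose(summary))
```

Reading the timings this way also tells you what to verify first: LDAP on 389 is clearly working (the secure BIND and the record creation succeed), so the check belongs on the password-change path specifically, not on directory access in general.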
Exchange 2010 - #554 5.2.0 The Active Directory user wasn't found
We migrated from Exchange 2003 to Exchange 2010 a year ago with no issues. All Exchange legacy servers were uninstalled with no issues. We had an issue today where emails sent to a mail-enabled public folder were returning NDRs. This happened on two or three and then trickled down through several public folders. This client has several public folders and uses them for business processes. There have been hundreds of incidents now.
Symptoms:
E-mail messages that have been sent to a mail-enabled public folder in an Exchange Server 2010 environment are rejected with the following NDR:
#554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException; Failed to process message due to a permanent exception with message The Active Directory user wasn't found. ObjectNotFoundException: The Active Directory user wasn't found. ##
We are getting the following Event log messages on Hub transport servers.
Log Name: Application
Source: MSExchange Store Driver
Date: 5/29/2014 2:45:53 PM
Event ID: 1020
Task Category: MSExchangeStoreDriver
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxxx
Description:
The store driver couldn't deliver the public folder replication message "Backfill Request (xxxxxxx)" because the following error occurred: The Active Directory user wasn't found..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange Store Driver" />
<EventID Qualifiers="49156">1020</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-05-29T18:45:53.000000000Z" />
<EventRecordID>168407</EventRecordID>
<Channel>Application</Channel>
<Computer>xxxxxx</Computer>
<Security />
</System>
<EventData>
<Data>"Backfill Request (xxxxxxx)"</Data>
<Data>The Active Directory user wasn't found.</Data>
</EventData>
</Event>
Actions:
We have executed the following steps.
1. Start the ADSI Edit MMC Snap-in. Click Start, then Run, and type adsiedit.msc, and then click OK.
2. Connect & Expand the Configuration Container [YourServer.DNSDomainName.com], and then expand CN=Configuration,DC=DNSDomainName,DC=com.
3. Expand CN=Services, and then CN=Microsoft Exchange, and then expand CN=YourOrganizationName.
4. You will see an empty Administrative Group. Expand the CN=YourAdministrativeGroupName.
5. Expand CN=Servers.
6. Verify there are no server objects listed under the CN=Servers container.
7. Right click on the empty CN=Servers container and choose Delete.
8. Verify the modification, and try to send again the E-mail to the mail-enabled public folder.
To no avail; the issue still exists.
We have not rebooted the servers and plan to in the early morning.
We have dismounted/mounted the public folder DBs.
Does anyone have any other suggestions?
Danny Kennedy, MCSE, MCITP
I have already uninstalled the legacy servers a year ago.
This was the solution:
I moved the public folder hierarchy to exchange 2010 using ADSIEdit.
If you don't know the adsiedit tool that much, check this
http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03067450-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&sp4ts.oid=1840527&ac.admitted=1401455429281.876444892.492883150
Danny Kennedy, MCSE, MCITP -
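Before deleting or moving anything with ADSI Edit, a read-only inventory of the Exchange organisation in the Configuration partition shows both conditions the Exchange 2010 thread above turns on: which administrative group still has an empty CN=Servers container, and which administrative group holds the public folder hierarchy object. The script below is an added example, not code from the thread. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read the Configuration partition; the object class names are the Exchange schema classes for the organisation container, administrative group, server and public folder tree.

```powershell
# Added example, not part of the original thread. Read-only inventory of the Exchange
# organisation: server objects per administrative group and the location of the
# public folder hierarchy. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$exchRoot = "CN=Microsoft Exchange,CN=Services,$configNC"

# Children of a container by class; a missing container is reported as "no children",
# not as an error, because legacy groups often lack CN=Servers or CN=Folder Hierarchies.
function Get-ChildObjects {
    param([string]$Base, [string]$Class)
    try {
        @(Get-ADObject -SearchBase $Base -SearchScope OneLevel -LDAPFilter "(objectClass=$Class)")
    } catch {
        @()
    }
}

$orgs = Get-ChildObjects -Base $exchRoot -Class 'msExchOrganizationContainer'

foreach ($org in $orgs) {
    $agRoot = "CN=Administrative Groups,$($org.DistinguishedName)"
    $groups = Get-ChildObjects -Base $agRoot -Class 'msExchAdminGroup'

    foreach ($ag in $groups) {
        $serversDN = "CN=Servers,$($ag.DistinguishedName)"
        $servers   = Get-ChildObjects -Base $serversDN -Class 'msExchExchangeServer'

        # The public folder tree lives under CN=Folder Hierarchies of exactly one admin group.
        $pfDN   = "CN=Folder Hierarchies,$($ag.DistinguishedName)"
        $pfTree = Get-ChildObjects -Base $pfDN -Class 'msExchPFTree'

        [pscustomobject]@{
            Organization = $org.Name
            AdminGroup   = $ag.Name
            ServerCount  = $servers.Count
            Servers      = ($servers.Name -join ', ')
            HoldsPFTree  = ($pfTree.Count -gt 0)
        }
    }
} | Format-Table -AutoSize
```

A legacy administrative group that shows ServerCount 0 but HoldsPFTree True is the combination the thread ends up fixing: the 2003 servers are gone, but the hierarchy object still points at the group they lived in. Run the inventory again after the change to confirm the tree now sits under the Exchange 2010 administrative group.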
Windows 2000/Active Directory - Gateway on none domain controller
I have been trying to configure a Gateway to run on a non-member server and have it point to a domain. All attempts to work off the remote machine have failed and I wonder what I am doing wrong. Here is an outline of what I have done:
Environment
All machines are Windows 2003 running in VMWare instances.
Machine 1: Gateway machine. IDM is installed but not running. Server name = USTRSDLMS009VM1, member of the workgroup IDM
Machine 2: AD machine, Gateway installed. IDM is installed but not running. Server Name = USTRSDLMS009VM2. Domain Name = IdMTestAd.IdMTest.com.
Machine 3: IDM is installed and running. Servername = USTRSDLMS009VM3 member of the workgroup IDM
Basic Tests:
All machines can ping each other by both computer name and ip address.
Easy step first
Connect to IDM on Machine 3 (IDM server), configure the Windows 2000/Active Directory RA to point to the Gateway on Machine 2 (AD server). All works perfectly. Server is identified with IP address.
Remote server test
Connect to IDM on Machine 3 (IDM server) configure the Windows 2000/Active Directory RA to point to the Gateway on Machine 2 (Gateway machine). This does not work. Configuration of Resource Parameters is as follows:
Host: Configured using both IP or ServerName
TCP Port: 9278
User: Administrator
container: cn=users,dc=idmtestad,dc=idmlab,dc=com
LDAP HostName, DomainName, IP or Servername of Server 1 (standalone gateway server). This is the setting that should allow me to use a remote machine. NOTE: I have done tons of tests and they all indicate that this field is not working.
I get the following error message when I try and connect:
Test connection failed for resource(s):
AD-VM2DirectConnect: Error opening object 'LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com': ADsOpenObject(): 0X8007054B: , , The specified domain either does not exist or could not be contacted.
I have also tested connecting to the LDAP using an LDAP browser with the same credentials from the standalone gateway machine. Worked fine.
The following is the Gateway Trace log from the standalone gateway machine. I will post it as a separate item in the thread (a little cleaner I think). But the basic error section is:
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,7352): buildBindOptions bind flag = 0x1
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5182): Error opening object 'LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com': ADsOpenObject(): 0X8007054B: , , The specified domain either does not exist or could not be contacted.
The GW log file from the standalone GW server:
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/logging/WSTrace.cpp,146): trace active, level: 4, file: c:\gwtrace\gwtrace.txt, maxSize: 3500 KB
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/logging/WSTrace.cpp,201): Trace file set to 'c:\gwtrace\gwtrace.txt'
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,116): Enter: reply
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,74): Enter: sendBuffer
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,88): Sending buffer:
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <?xml version='1.0' encoding='UTF-16'?>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Response>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Result status='ok'>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <ResultItem type='message' status='ok'>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Text>Trace level set to 4</Text>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </ResultItem>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <ResultItem type='message' status='ok'>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Text>Trace file maximum size set to 3500</Text>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </ResultItem>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <ResultItem type='message' status='ok'>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Text>Trace file set to 'c:\gwtrace\gwtrace.txt'</Text>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Message>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </ResultItem>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Result>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Response>
02/28/2006 13.14.33.765000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,110): SendPrivate: count: 1100 pad: 8
02/28/2006 13.14.33.781000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,103): Exit: sendBuffer
02/28/2006 13.14.33.781000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,124): Exit: reply
02/28/2006 13.14.33.781000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,558): Exit: ProcessCommand
02/28/2006 13.14.33.781000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,695): Exit: handleRequest
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/client_handler.cpp,344): got 6564 bytes
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,260): ReceivePrivate: count: 6542, 6560 wrapped up rawlength 6558
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,269): Rightbefore decrypt:
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,34): KEY:[e8 92 1c 9c 05 78 d7 a0 d3 62 32 f8 46 0a 0d 3d 64 05 6a bd fe a9 34 57 ]
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/RAEncryptor.cpp,67): RAEncryptor::Decrypt3DES: input length (6552) moded to 819
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,110): SendPrivate: count: 0 pad: 4
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,563): Enter: handleRequest
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,583): Received buffer:
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <?xml version='1.0' encoding='UTF-16'?>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Request encrypted='true'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <cmd>test config</cmd>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Resource name='AD-VM2DirectConnect' class='com.waveset.adapter.ADSIResourceAdapter'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attributes>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='ADSI Search Page Size' type='string' value='1000'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Container' type='string' value='cn=users,dc=idmtestad,dc=idmlab,dc=com'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Create Home Directory' type='string' value='1'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Display Name Attribute' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Encryption Type' type='string' value='None'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Global Catalog Server' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Host' type='string' value='130.175.204.29'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Input Form' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='LDAP Hostname' type='string' value='130.175.204.38'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Log File Path' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Log Level' type='string' value='2'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Maximum Age Length' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Maximum Age Unit' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Maximum Archives' type='string' value='3'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Maximum Log File Size' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Object Class' type='string' value='User'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Poll Every' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Polling Start Date' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Polling Start Time' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Post-Poll Workflow' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Pre-Poll Workflow' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Proxy Administrator' type='string' value='Configurator'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Scheduling Interval' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Search Subdomains' type='boolean' value='false'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='TCP Port' type='string' value='9278'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='Update search filter' type='string' value='(objectCategory=person)'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='User Provides Password On Change' type='string' value='0'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='When reset, ignore past changes' type='string' value='1'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='activeSyncConfigMode' type='string' value='basic'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='activeSyncPostProcessForm' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='blockCount' type='string' value='100'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='confirmationRule' type='string' value='CONFIRMATION_RULE_NONE'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='connectionLimit' type='string' value='10'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='correlationRule' type='string' value='CORRELATION_RULE_NONE'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='createUnmatched' type='string' value='true'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='deleteRule' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='parameterizedInputForm' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='password' type='encrypted' value='H7fYWJq3kBs='/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='populateGlobal' type='string' value='false'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='processRule' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='resolveProcessRule' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='searchContext' type='string'>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attribute>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='useInputForm' type='boolean' value='true'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Attribute name='user' type='string' value='Administrator'/>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Attributes>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Resource>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Request>
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,632): command='test config'
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,463): Enter: ProcessCommand
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2403): Enter: testConfiguration
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2411): Enter: doCheck
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5090): Enter: openObject - 2
02/28/2006 13.16.42.125000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4666): Enter: login(wstring**,EncyptedData**,wstring**,WavesetResult&)
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4648): Enter: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,34): Enter: getRequiredResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,44): Exit: getRequiredResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4659): Login: 1
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4660): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4669): Login: 1
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,4670): Exit: login(wstring**,EncyptedData**,wstring**,bool,HANDLE*,TOKEN_TYPE,WavesetResult&)
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5104): ADsGetObject for LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/connect/RAEncryptor.cpp,67): RAEncryptor::Decrypt3DES: input length (8) moded to 1
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5118): ADsGetObject
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,73): Enter: getOptionalResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/object/Extension.cpp,77): Exit: getOptionalResAttrValue
02/28/2006 13.16.42.140000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,7352): buildBindOptions bind flag = 0x1
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5182): Error opening object 'LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com': ADsOpenObject(): 0X8007054B: , , The specified domain either does not exist or could not be contacted.
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,5190): Exit: openObject - 2
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,116): Enter: reply
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,74): Enter: sendBuffer
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,88): Sending buffer:
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <?xml version='1.0' encoding='UTF-16'?>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Response>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Result status='error'>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <ResultItem type='message' status='error'>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Message>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): <Text>Error opening object 'LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com': ADsOpenObject(): 0X8007054B: , , The specified domain either does not exist or could not be contacted.
</Text>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Message>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </ResultItem>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Result>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,66): </Response>
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/connect/RASecureConnection.cpp,110): SendPrivate: count: 810 pad: 2
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,103): Exit: sendBuffer
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,124): Exit: reply
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2438): Exit: doCheck
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/adsi/ADSIExtension.cpp,2407): Exit: testConfiguration
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,558): Exit: ProcessCommand
02/28/2006 13.16.44.437000 [2540] (../../../../src/wps/agent/object/RequestHandler.cpp,695): Exit: handleRequest -
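The failing call in the trace above is ADsOpenObject on the serverless path LDAP://cn=users,dc=idmtestad,dc=idmlab,dc=com, and 0x8007054B is Win32 error 1355, ERROR_NO_SUCH_DOMAIN. A serverless ADSI path makes the local machine's DC locator find a domain controller from the DN's domain components, which a workgroup member with no DNS path to that domain cannot do; a server-qualified path (LDAP://host/dn) names the server directly and skips the locator. The script below is an added diagnostic, not part of the thread and not part of the IDM gateway, that tries both forms from the gateway box so the two behaviours can be told apart. The DN and host are taken from the trace; the domain\user credential form is an assumption. Two practitioner notes on the trace itself: it was captured at level 4 and prints the 3DES session key in clear (the KEY:[...] line), so treat gwtrace.txt as sensitive, and the request carries the resource password as an 'encrypted' attribute protected only by that key.

```powershell
# Added diagnostic, not part of the original thread or of the IDM gateway. Compares a
# serverless ADSI bind (LDAP://<dn>), which depends on the DC locator, with a
# server-qualified bind (LDAP://<host>/<dn>), which does not. Run on the gateway machine.
Add-Type -AssemblyName System.DirectoryServices

$Dn     = 'cn=users,dc=idmtestad,dc=idmlab,dc=com'   # 'Container' attribute in the trace
$Server = '130.175.204.38'                            # 'LDAP Hostname' attribute in the trace
$cred   = Get-Credential -UserName 'idmtestad\Administrator' -Message 'Bind account (assumed domain\user form)'

function Test-AdsiBind {
    param([string]$Path, [pscredential]$Credential)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        # Constructing a DirectoryEntry does not bind; touching NativeObject forces the bind
        # and surfaces the same HRESULT ADsOpenObject reported in the gateway trace.
        $null = $entry.NativeObject
        [pscustomobject]@{ Path = $Path; Result = 'OK'; Detail = $entry.Properties['distinguishedName'].Value }
    } catch {
        $ex = $_.Exception.GetBaseException()
        $code = if ($ex -is [System.Runtime.InteropServices.COMException]) {
            '0x{0:X8}' -f $ex.ErrorCode      # e.g. 0x8007054B = ERROR_NO_SUCH_DOMAIN (1355)
        } else {
            $ex.GetType().Name
        }
        [pscustomobject]@{ Path = $Path; Result = $code; Detail = $ex.Message }
    } finally {
        $entry.Dispose()
    }
}

# Domain name as the DC locator derives it from the DN's dc= components.
$domain = (($Dn -split ',') | Where-Object { $_ -like 'dc=*' } | ForEach-Object { $_.Substring(3) }) -join '.'

"LDAP://$Dn", "LDAP://$Server/$Dn" |
    ForEach-Object { Test-AdsiBind -Path $_ -Credential $cred } |
    Format-Table -AutoSize

# What the serverless form relies on: can this machine locate a DC for the domain at all?
nltest /dsgetdc:$domain
```

If the server-qualified bind succeeds while the serverless one returns 0x8007054B and nltest cannot find a DC, the box can reach the directory but cannot locate the domain, which is what a workgroup gateway with no DNS zone for idmtestad.idmlab.com looks like; the LDAP-browser test in the thread succeeded for the same reason, because an LDAP browser is always given a host.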
Third Party Load Balancing Active Directory
We have several applications that target individual Active Directory domain controllers for authentication. If the domain controller goes down then that service stops working.
I'm interested in using a Citrix Netscaler to load balance authentication requests.
What I want to know is, "Does Microsoft support the use of an external load balancer", not from the perspective of third party device support obviously, rather functionally. Will AD work and be supported when using the Netscaler.
IT Manager
If you simply plan to use the Citrix NetScaler to load balance, say, reading LDAP on port 389 as an example, you will be OK.
Rather than pointing the app to a single DC, why not create multiple DNS records with the same host name, different IPs and use Round Robin. Not as sophisticated, but it isn't going to cost you tens of thousands of dollars in load balancing.
Visit: anITKB.com, an IT Knowledge Base.
Have you actually tested and used this in a production environment? If I understand correctly, what you are suggesting is to take existing (hypothetical) domain controller DNS entries:
A record: dc1.contosso.com, 10.1.1.10
A record: dc2.contosso.com, 10.1.1.11
And add the following entries to create quasi fault tolerance?
A record: dc3.contosso.com, 10.1.1.10
A record: dc3.contosso.com, 10.1.1.11
I honestly don't think it will work, because of a few things, such as DC registration occurring every 60 min, including the netlogon service overwriting whatever static entries were created for the quasi load balancing, and possibly Kerberos auth failing due to a different IP authenticating from a different SPN. I know the hardware load balancers have options to preserve session cookies, which work fine for IIS implementations, such as Exchange HUB, and especially for CAS access, otherwise Outlook will not accept it if it sends an auth request on one IP and another backend responds, which the LB helps preserve; however with AD LDAP, RPC, etc., I *don't* think it will work, due to Kerberos failing, thinking it's a spoof. If you get it working, I would be very curious to see the documented implementation, settings, results, etc.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
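The two replies above disagree on whether a round-robin name in front of several DCs is usable for authentication, and the point of contention is Kerberos: a client that connects to the alias requests a service ticket for ldap/<alias>, and the KDC encrypts that ticket with the key of whichever account holds that SPN, so only the DC that owns the SPN can decrypt the AP-REQ. The script below is an added PowerShell example, not part of the thread, that creates the round-robin records the second reply suggests and then reports which accounts hold an ldap/ SPN for the alias, so the concern can be checked against a real forest rather than argued. It assumes the DnsServer and ActiveDirectory modules and uses the hypothetical names and addresses from the thread.

```powershell
# Added example, not part of the original thread. Creates a round-robin A record set for an
# alias in front of two DCs, then checks how Kerberos would see that alias. Assumes the
# DnsServer module (run on or against the DNS server) and the ActiveDirectory module.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone  = 'contosso.com'             # hypothetical zone from the thread
$alias = 'dc3'                      # the shared host name from the thread
$dcIps = '10.1.1.10', '10.1.1.11'   # the two existing DCs

# One A record per DC under the same name; the server hands them out in rotation.
foreach ($ip in $dcIps) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType A -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip }
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $alias -IPv4Address $ip
    }
}
Resolve-DnsName "$alias.$zone" -Type A | Select-Object Name, IPAddress

# Kerberos check. A client connecting to the alias asks for a ticket to ldap/<alias>.<zone>.
# An SPN may be registered on one account only, so at most one DC behind the alias can
# decrypt that ticket; a DC that does not own the SPN receives an AP-REQ it cannot read.
$spn     = "ldap/$alias.$zone"
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn*)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "No account holds $spn: Kerberos to the alias cannot succeed on any DC" }
    1       { "$spn is registered on $($holders[0].Name): only that DC can accept Kerberos for the alias" }
    default { "Duplicate SPN $spn on: $($holders.Name -join ', ') (a duplicate SPN breaks Kerberos for all of them)" }
}

# Same question asked of the KDC-facing tool; -Q reports the owning account or "No such SPN found".
setspn -Q $spn
```

Whatever the DNS side does, the SPN report is the part to read: with the alias on no account, Kerberos-only clients fail and NTLM-capable ones silently fall back to NTLM; with it on one account, only one of the rotated DCs works for Kerberos. That is the behaviour to demonstrate, in a lab, before putting either a NetScaler VIP or a round-robin name in front of DCs for anything other than plain LDAP reads.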
This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up a WebDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers, which happen to have a few folders encrypted using Windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error message is thrown when \\clientpc tries to create a new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with two PCs: \\fileserver and \\clientpc
When \\clientpc tries to create a new file or new folder on \\fileserver (remote computer) it fails. In a terribly simplified explanation, it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc), and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using Kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of \\clientpc's data request).
This behaviour is confusing, as \\clientpc can open or edit an existing EFS-encrypted file or folder, it just can't create a new file or folder. The reason editing and opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned, and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
EFS operations occur on the computer storing the files.
EFS files are decrypted then transmitted in plaintext to the client's computer
This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
2) SOLVE by setting up WebDAV (efs files accessed through web folders)
EFS operations occur on the client's local computer
EFS files remain encrypted during transmission to the client's local computer where it is decrypted
This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or do not contain details on how to set up WebDAV for EFS file provision.
READ BELOW as this does.
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain-based (corporate) Active Directory network. It is well documented. See here. However, the problem is that on a normal Windows 7 install (i.e. home peer-to-peer), setting up the server as part of an Active Directory domain is complicated, time consuming and bulky, adds burden to the operation of the \\fileserver computer, adds network complexity, and is generally a pain for a home user. Don't. Use WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer's Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user's Properties sheet. On the Account tab, under Account Options, clear the "The account is sensitive and cannot be delegated" check box. Do not select "The account is trusted for delegation". This property is not used with EFS.
NB: decrypted data is transmitted over the network in plaintext, so reduce the risk by enabling IP Security to use Encapsulating Security Payload (ESP), which will encrypt the transmitted data.
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
a) START ... CMD
b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
1 click START and type "Turn Windows Features On or Off" and open the link
a) scroll down to "Internet Information Services" and expand it.
b) put a tick in: "Web Management Tools" \ "IIS Management Console"
c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
f) click ok
g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
a) click on "Anonymous Authentication" and click "Disable"
b) click on "Windows Authentication" and click "Enable"
NB: Some Win 7 clients will not connect to a WebDAV share using Basic Authentication.
It can be fixed by changing the registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
BasicAuthLevel=2
c) on the "Windows Authentication" click "Advanced Settings"
set Extended Protection to "Required"
NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
a) on the right side, under Actions, click "Add Allow Rule"
b) set this to "all users". This will control who can view the "Default Site" through a web browser
NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
a) on the right side, under Actions, click "Edit Feature Settings"
b) tick the box "Allow double escaping"
*THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
These folders will appear blank with no subdirectories, or these files will not be readable unless this is ticked.
This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode, or building URLs via string concatenation without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by Microsoft, so very unlikely. It's safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
a) set the Alias to something sensible eg "D_Drive", set the physical path
b) it is essential you click "connect as" and set
this to a local user (on fileserver),
if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
NB: the user account selected here must have the required EFS certificates installed.
See
here and
here
NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
The workaround is on the \\fileserver to create an NTFS symbolic link
e.g. to share the entire contents of "D:\",
on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
in cmd in this folder create an NTFS symbolic link to "D:\"
so in cmd type "cd c:\inetpub\wwwroot"
then in cmd type "mklink /D D_Drive D:\"
NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
b) if some exist review existing allow or deny.
Take care to not only review the "allow access to" settings
but also review "permissions" (read/write/source)
NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
a) On Windows 7 you need only change one tiny registry value:
- click START, type "regedit", open link
-browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
-on the EDIT menu click NEW, then click DWORD Value
-Type "DisableEFSOnWebDav" to name it (no speech marks)
-on the EDIT menu, click MODIFY, type 1, then click OK
-You MUST now restart this computer for the registry change to take effect.
b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
It should show the default "IIS7" image.
If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
e.g. http://localhost/D_drive
If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
eg if your server's computer name is "fileserver" go to "http://fileserver:80"
It should show the default "IIS7" image. If not, check firewall and port blocking.
Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
a) click the "Connections" tab at the top
b) click the "LAN Settings" button at the bottom right
c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
a) click START, type "regedit", open link
b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
c) click on "FileSizeLimitInBytes"
d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
a) click on "Security" (top) and then "Custom level" (bottom)
b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
SUCH an easy fix. SUCH an annoying problem on a clientpc
NB: this is only an issue if the file is opened through Windows Explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is because a WebDAV mapped drive is considered a "web folder" by Windows
Explorer.
TEST SETUP
17 On the client use the normal "map network drive"
e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
e.g. CMD: net use * "http://fileserver:80/C_drive"
If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
a) On a clientpc, map network drive to http://fileserver/
b) navigate to a folder you know on the \\fileserver is encrypted with EFS
c) create a new folder, create a new file.
IF it throws an error, check carefully you mapped to the WebDAV and not file share
i.e. mapped to "http://fileserver" not "\\fileserver"
Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
d) on clientpc (through a WebDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobbledygook.
e) on clientpc copy an encrypted EFS file into a folder (a WebDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobbledygook (ie the
clientpc decrypted it then copied it).
If this fails, it is likely that in the IIS settings on the fileserver one of the shared virtual directories is set to "pass through authentication" when it should be set to "connect as".
If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
a) see the last comment at the very bottom of
this page:
Points to consider:
- NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
It is implemented above, see (11) above
Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
This one took me a long time to track down to "network location".
Win 7 uses network locations "Home" / "Work" / "Public".
If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
FIX = either set IP address manually and specify a gateway
FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
Read
here (I've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?
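The post above changes several client-side registry values (steps 11, 15 and the BasicAuthLevel note) and one of them, BasicAuthLevel=2, lets the WebClient send Basic credentials over plain http://. This added PowerShell audit script is not part of the original post; it assumes Windows 7 or later, an elevated prompt, and uses only the registry paths and value names the post gives, with the share URL taken from the post's own example.

```powershell
# Added example (not from the original post): audit the WebDAV/EFS client
# settings the steps above change and flag the cleartext-credential trade-off.
# Assumes Windows 7+ with the WebClient service present; run elevated.

$WebClientKey = 'HKLM:\SYSTEM\CurrentControlSet\services\WebClient\Parameters'
$MRxDavKey    = 'HKLM:\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters'
$DwordMask    = [int64][uint32]::MaxValue   # 4294967295

function Get-RegDword {
    # Reads a REG_DWORD as an unsigned number. PowerShell returns DWORDs as
    # Int32, so the 0xffffffff set in step 15 would otherwise read as -1.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return ([int64]$item.$Name) -band $DwordMask
}

function Test-WebDavEfsConfig {
    # Returns one object per setting: Name, Actual, Expected, Status, Note.
    # $ShareUrl is the URL the client maps (constructed sample from the post).
    param([string]$ShareUrl = 'http://fileserver:80/C_drive')
    $results = @()

    # Step 11 / KB959439: without this, EFS files are copied raw over WebDAV
    # and end up unreadable on the server ("RAW DATA TRANSFERS" above).
    $v = Get-RegDword $MRxDavKey 'DisableEFSOnWebDav'
    $results += [pscustomobject]@{
        Name = 'DisableEFSOnWebDav'; Actual = $v; Expected = 1
        Status = $(if ($v -eq 1) { 'OK' } else { 'FAIL' })
        Note = 'Step 11: set to 1 and reboot, or EFS data is transferred raw'
    }

    # Step 15: the default value caps WebDAV transfers at 50 MB.
    $v = Get-RegDword $WebClientKey 'FileSizeLimitInBytes'
    $results += [pscustomobject]@{
        Name = 'FileSizeLimitInBytes'; Actual = $v; Expected = $DwordMask
        Status = $(if ($v -eq $DwordMask) { 'OK' } else { 'WARN' })
        Note = 'Step 15: files larger than this limit fail to copy'
    }

    # BasicAuthLevel: 0 = Basic off, 1 = Basic over SSL only (default),
    # 2 = Basic over plain HTTP too. The post sets 2 so Win7 clients connect,
    # but over http:// the password then travels base64-encoded, i.e. in clear.
    $v = Get-RegDword $WebClientKey 'BasicAuthLevel'
    $plainHttp = $ShareUrl -match '^http://'
    $results += [pscustomobject]@{
        Name = 'BasicAuthLevel'; Actual = $v; Expected = 'not 2 with http://'
        Status = $(if ($v -eq 2 -and $plainHttp) { 'WARN' } else { 'OK' })
        Note = $(if ($v -eq 2 -and $plainHttp) {
                   'Basic auth allowed over cleartext HTTP: use https:// or IPSec as the post advises'
                 } else { 'Basic auth limited to SSL, or share is https://' })
    }

    # Step 12a: the WebClient service must be running for http:// drive maps.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Name = 'WebClient service'
        Actual = $(if ($svc) { [string]$svc.Status } else { 'missing' })
        Expected = 'Running'
        Status = $(if ($svc -and $svc.Status -eq 'Running') { 'OK' } else { 'FAIL' })
        Note = 'Step 12a: start the WebClient service before mapping'
    }
    return $results
}

Test-WebDavEfsConfig -ShareUrl 'http://fileserver:80/C_drive' | Format-Table -AutoSize
```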
-
Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)
Hi,
I have used note 294791.1 from Metalink to try to link to Active Directory. I have 2: one is staff and another is student.
I first ran oidspadi.sh to create the plugin for staff; it works. Then I edited the 2 scripts to oidspad2.pls and oidspad2.sh with the required changes inside the files, then I ran it and it worked, but now the problem is the first AD now can't work. These are my changes below.
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2);
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2);
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2)
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&2', &3);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&4', &5);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
-- SSL bind
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&6', &7);
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&8', '&9', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&10', &11);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&12', '&13', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&16', &17);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&18', &19);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&20', &21);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&22', '&23', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&24', &25);
plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&26', '&27', 2);
IF (retval != 0) THEN
plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
-- unbind the retry session that failed open_ssl (my_session was already unbound above)
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2)
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&29', &30);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&31', &32);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&33', &34);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&35', '&36', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&37', &38);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
-- unbind the retry session that failed open_ssl (my_session was already unbound above)
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&43', &44);
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&45', &46);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
ELSE
IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
my_session := DBMS_LDAP.init('&47', &48);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.open_ssl(my_session,
'file:' || '&49', '&50', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
OIDADPSW2.AD_HANDLE := my_session;
ELSE
my_session := OIDADPSW2.AD_HANDLE;
END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
my_session1 := DBMS_LDAP.init('&51', &52);
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
tmp_session := my_session1;
retval := DBMS_LDAP.open_ssl(my_session1,
'file:' || '&53', '&54', 2);
IF (retval != 0) THEN
plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
retval := DBMS_LDAP.unbind_s(my_session1);
plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
result := 82;
RETURN;
END IF;
plg_debug( 'open_ssl: ' || TO_CHAR(retval));
retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
IF (retval != 52 AND retval != 53 AND retval != 81) THEN
OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
retval := DBMS_LDAP.unbind_s(tmp_session);
plg_debug( 'unbind_res result ' || TO_CHAR(retval));
END IF;
END IF;
END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z "${ORACLE_HOME}" ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 1
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
# (the @ suffix is only appended when a connect string was given)
# NOTE: here and in the ldapbind/ldapsearch/sqlplus calls below the
# passwords are passed on the command line, so they are visible to other
# local users via ps while the command runs.
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}${CONNECT:+@${CONNECT}} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE
Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false, undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logs in both plugins fire again, but it's the second plugin that returns the answer again. This is true and Bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of multiple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a real-time environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
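A small model of the scoping fix Phil describes, added here as an example; it is not code from the thread, from oidspadi.sh or from Oracle. It assumes OID's documented behaviour that a when-plug-in fires for an operation whose target entry lies under one of the DNs in orclpluginsubscriberdnlist, plus Phil's observation that only the last plug-in to fire decides. The containers and users (cn=usersA / cn=usersB, Al and Bob) are the ones from his post; the plug-in entry names adwhenbindA/adwhenbindB, the per-user outcomes and the "both registered under dc=oracle,dc=com" starting state are constructed for illustration. The DN comparison is done on whole RDN components so that case and whitespace differences in DNs coming back from AD do not defeat the scope.

```python
"""Which OID when-plug-ins fire for a bind target, before and after DN scoping.
Added example; constructed data, not configuration taken from the thread."""
from __future__ import annotations
from dataclasses import dataclass, field


def dn_components(dn: str) -> list[str]:
    """Normalise a DN into lower-cased, trimmed RDNs (naive split on ',';
    enough for the DNs in this thread, not for escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def norm(dn: str) -> str:
    return ",".join(dn_components(dn))


def dn_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn or lies beneath it, compared RDN by RDN
    so 'CN=Al, CN=usersA, DC=oracle, DC=com' still matches its container."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


@dataclass
class Plugin:
    cn: str                                   # hypothetical plug-in entry name
    subscriber_dns: list[str]                 # orclpluginsubscriberdnlist
    accepts: dict[str, bool] = field(default_factory=dict)  # constructed outcome per user

    def fires_for(self, dn: str) -> bool:
        return any(dn_under(dn, base) for base in self.subscriber_dns)


def oid_verdict(plugins: list[Plugin], user_dn: str) -> bool | None:
    """Every plug-in whose scope covers the entry fires, in installation
    order, and OID keeps only the last answer (Phil's observation).
    None means no plug-in fired at all."""
    verdict = None
    for p in plugins:
        if p.fires_for(user_dn):
            verdict = p.accepts.get(norm(user_dn), False)
    return verdict


# Constructed directory layout from the post.
ROOT = "dc=oracle,dc=com"
USERS_A = "cn=usersA,dc=oracle,dc=com"
USERS_B = "cn=usersB,dc=oracle,dc=com"
AL = "cn=Al,cn=usersA,dc=oracle,dc=com"
BOB = "cn=BOB,cn=usersB,dc=oracle,dc=com"


def unscoped_plugins() -> list[Plugin]:
    """Both plug-ins registered against the same search base, as happens when
    the install is run twice with one common user search base."""
    return [Plugin("adwhenbindA", [ROOT], {norm(AL): True}),
            Plugin("adwhenbindB", [ROOT], {norm(BOB): True})]


def scoped_plugins() -> list[Plugin]:
    """Each plug-in limited to the container whose users it can authenticate."""
    return [Plugin("adwhenbindA", [USERS_A], {norm(AL): True}),
            Plugin("adwhenbindB", [USERS_B], {norm(BOB): True})]


def scope_ldif(plugin_cn: str, base_dn: str) -> str:
    """LDIF for ldapmodify that narrows one plug-in entry to one container
    (same attribute oidspadi.sh sets at registration time)."""
    return (f"dn: cn={plugin_cn},cn=plugin,cn=subconfigsubentry\n"
            "changetype: modify\n"
            "replace: orclpluginsubscriberdnlist\n"
            f"orclpluginsubscriberdnlist: {base_dn}\n")


if __name__ == "__main__":
    for label, plugins in (("unscoped", unscoped_plugins()), ("scoped", scoped_plugins())):
        for user in (AL, BOB):
            print(f"{label:8} {user:40} -> {oid_verdict(plugins, user)}")
    print(scope_ldif("adwhenbindA", USERS_A))
    print(scope_ldif("adwhenbindB", USERS_B))
```

Unscoped, Al is rejected because adwhenbindB fires last and answers false; scoped, each user only ever reaches the plug-in that knows them. The LDIF is what you would feed to ldapmodify instead of editing the entries in ODM as Phil suggests; either way OID has to be restarted afterwards, as he notes.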
-
Download issue when Windows 7 Pro joins a Windows Server 2008 Active Directory
Hi,
I purchased 2 new Dell OptiPlex 3010 desktop computers that came with Windows 7 Professional operating system with SP1.
There were no Microsoft updates installed yet. After I added one of these Dell computers to the Windows Server 2008 Active Directory, I was not able to download several items.
Below are several examples:
1) I downloaded the Norton anti-virus installation file. This file is not the full installation of Norton; it is more of a file where you execute it and it will download the full installation from the Internet like from their Norton web site. So when I executed this installation file, it does not download the full installation files.
It just hung at the screen saying “Downloading” and it will finally stop with an error (don’t remember the error message).
Note: If I have the full Norton installation file then I am able to install it on this computer with no problems.
2) I downloaded the Adobe Reader installation file. This file is not the full installation of Adobe Reader; it is more of a file where you execute it and it will download the full installation from the Internet like from their Adobe web site. So when I executed this installation file, it hung at the downloading part and then it will error out with an “Actionlist Not Found” message.
Note: If I have the full Adobe Reader installation file then I am able to install it on this computer with no problems.
3) I installed Microsoft Office 2010 Standard version on this computer.
I configured Microsoft Outlook to retrieve emails from my email provider (pop and smtp settings).
After configuring Microsoft Outlook, I was able to send emails through Microsoft Outlook successfully (and very quickly), but I was unable to retrieve my emails. The progress bar for the Receiving in the "Outlook Send/Receive Progress" box shows no progress. The Progress bar is not moving. There is a message at the bottom of Microsoft Outlook stating "Receiving message 1 of 6 (x.xx KB of x.xx MB)" and it is very slow. My new emails were not being retrieved at all.
I tried various pop and smtp servers that were available for my email provider, but all had the same effect.
4) I can access certain web sites (e.g. www.yahoo.com, www.cnn.com) while I cannot access other web sites like www.usatoday.com, my web hosting email site.
Note: I had a Dell computer with Windows XP Professional operating system and this computer does not have any of the above issues.
The above are only a few examples that I have experienced.
If I removed this Dell OptiPlex 3010 computer from the Windows Server 2008 Active Directory then I still experience the same issue.
So as another test, I setup the other new Dell OptiPlex 3010 with the same Windows 7 Professional OS with SP1.
This time, I did not join the Windows Server 2008 Active Directory and I was able to successfully download the full Norton installation files, download the full Adobe Reader installation files, download my emails from Microsoft Outlook 2010, etc.
But once I joined this computer to the Windows Server 2008 Active Directory then I am not able to download these files and emails at all.
It seems like there might be some group policy or a security setting that is preventing these downloads so I disabled the group policy on the Windows Server 2008 AD and Windows 7 Professional OS, but it didn’t resolve the issue.
I disabled all of the firewall programs on this Windows 7 Professional OS, but it still did not resolve the issue.
Since the Windows Server 2008 AD did not have DHCP installed, I installed DHCP and setup a scope.
Then configured the Windows 7 Professional OS to obtain an IP address, but it didn’t resolve the issue.
If I move this Windows 7 Professional computer to another network where it did not have any Active Directory; it just had a wireless router serving DHCP then everything works on the Windows 7 Pro computer.
Any ideas what the root cause is when a Windows 7 Professional computer joins a Windows Server 2008 AD?
Thanks,
wl_tech
Hi,
Could you please provide some information about the AD environment and how it connects to the internet?
Regarding 3rd party installers that didn't work as expected, please also seek help on their official website.
For Outlook not receiving emails, could you please take a look in Event Viewer and see if there are any special errors logged there?
And when trying to access a website like www.usatoday.com, does IE show any specific errors?
Best regards
Michael Shao
TechNet Community Support