ISE 1.2 patch 4 not retrieving groups
Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
Anyone else experiencing this issue?
Regards,
Mathieu
The issue you are referring to is documented in the following CDETS:
CSCul84544: Retrieval of AD groups or attributes is failing
This is not yet resolved. May be resolved in a future patch
The workaround given in the CDETS is
Fix the DNS server so that the reverse DNS lookup matches
I believe there are other steps that can be taken to mitigate this but would need intervention from TAC
Similar Messages
-
Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"
Hi all,
When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
Does anyone get this problem, please help.
I have check into the ISE CLI Reference Guide 1.1.x
You are about to configure Active Directory settings.
Are you sure you want to proceed? y/n [n]: y
Parameter Name: dns.servers
Parameter Value: 10.77.122.135
Active Directory internal setting modification should only be performed if approved by ISE
support. Please confirm this change has been approved y/n [n]: y
What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?
Please suggest for this too.
Thanks and Regards,
Pongsatorn M.Hi Pongsatorn,
Thanks for the reply!
I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
Testing Active Directory connectivity:
Global Catalog: pdascdc02.xyz.com
gc: 3268/tcp - refused
Testing Active Directory connectivity:
Global Catalog: pdascdc02.xyz.com
gc: 3268/tcp - refused
For some reason, the request to the controllers on port 3268 is being refused.
Any thoughts you might have are greatly appreciated.
Cheers,
Greg -
ISE is unable to retrieve groups and attributes
Hello guys,
I have Cisco ISE installed on EXSi in a lab. I was able to join the ISE server to my test Active Directory server, and under the OU=Computers, I can see my ISE hostname.
However, when I go to Administrator > External Identity Sources > Active Directory > Groups > Add > Select Group from Directory:
I have my domain entered in Domain box and an * for filter. When I clicked the "Retrieve Groups" button, I always received "Number of Groups Retrieved: 0 (Limit is 100)"
It seem like ISE is unable to retrieve the groups that I have on my AD. I checked the status of my ISE server and it says that it is still connected to the domain. When I search for attributes, it keep saying that the user is not found.
I disabled my AD's firewall and still getting the same results. I ran the detailed test connection, and it was a success and the port connections are all good. At this point, I am pretty much stuck.
Any help would be greatly appreciated.
ThanksI am sorry Jatin. I have another question. I am working on Motorola RFS7000 WLC and Cisco ISE v1.1.1.
I am not sure if I should create a new thread about the new issue I am having now. I have successfully added my RFS controller and one AP7131 to ISE Network Devices. And I am able to login to these devices using my AD account. However, it is not allowing me to manage these devices. I believe I am at exec mode. I SSH to my RFS and I can't even get to enable mode. -
VBScript does not retrieve Member details if a Distribution/Security Group have only one Member
Hi,
VBScript does not retrieve Member details if a Distribution/Security Group have only one Member. I have tried several Scripts even changed the coding in it, also tried few External Script by created by other Scriptor's. Any suggestion on why this is happening.Perfect... Thank you. I reworked on the Script and it is showing up. One more info required. I know my script is having another bug. Can you help me getting the member list of a User Group. When i pull it retrieves all the Group info for a user
but no "Domain Users" Group.
Sorry for the lame humor but it was getting late.
As for you new request. I do not understand what you are asking. Can you post your script and any error messages you are getting.
¯\_(ツ)_/¯ -
ISE / Active Directory: issue to get users group
Hello,
We have a strange issue:
- ISE 1.2 patch 8
- no WLC, autonomous AP
In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
In one more rules to grant authentication from APs to register in WDS: user in local database.
In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
(so 3 rules), and one more to authorise the internal base for WDS.
We have something strange:
- sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
Exemple:
1- OK:
Authentication Details
Source Timestamp
2014-05-15 11:43:19.064
Received Timestamp
2014-05-15 11:43:19.065
Policy Server
radius
Event
5200 Authentication succeeded
All the GROUPS of user are seen:
false
AD ExternalGroups
xx/users/admexch
AD ExternalGroups
xx/users/glkdp
AD ExternalGroups
x/users/gl revue écriture
AD ExternalGroups
xx/users/pcanywhere
AD ExternalGroups
xx/users/wifidata
AD ExternalGroups
xx/informatique/campus/destinataires/aa informatique
AD ExternalGroups
xx/informatique/campus/destinataires/aa entreprises et cités
AD ExternalGroups
xx/informatique/campus/destinataires/aa campus
AD ExternalGroups
xx/users/aiga_creches
AD ExternalGroups
xx/users/admins du domaine
AD ExternalGroups
xx/users/utilisa. du domaine
AD ExternalGroups
xx/users/groupe de réplication dont le mot de passe rodc est refusé
AD ExternalGroups
xx/microsoft exchange security groups/exchange view-only administrators
AD ExternalGroups
xx/microsoft exchange security groups/exchange public folder administrators
AD ExternalGroups
xx/users/certsvc_dcom_access
AD ExternalGroups
xx/builtin/administrateurs
AD ExternalGroups
xx/builtin/utilisateurs
AD ExternalGroups
xx/builtin/opérateurs de compte
AD ExternalGroups
xx/builtin/opérateurs de serveur
AD ExternalGroups
xx/builtin/utilisateurs du bureau à distance
AD ExternalGroups
xx/builtin/accès dcom service de certificats
RADIUS Username
xx\cennelin
Device IP Address
172.25.2.87
Called-Station-ID
00:3A:98:A5:3E:20
CiscoAVPair
ssid=CAMPUS
ssid
campus
2- NO OK later:
Authentication Details
Source Timestamp
2014-05-15 16:17:35.69
Received Timestamp
2014-05-15 16:17:35.69
Policy Server
radius
Event
5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason
15039 Rejected per authorization profile
Resolution
Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause
Selected Authorization Profile contains ACCESS_REJECT attribute
Only 3 Groups of the user are seen:
Other Attributes
ConfigVersionId
5
Device Port
1645
DestinationPort
1812
RadiusPacketType
AccessRequest
UserName
host/xxxxxxxxxxxx
Protocol
Radius
NAS-IP-Address
172.25.2.80
NAS-Port
51517
Framed-MTU
1400
State
37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
cisco-nas-port
51517
IsEndpointInRejectMode
false
AcsSessionID
radius/189518899/49890
DetailedInfo
Authentication succeed
SelectedAuthenticationIdentityStores
AD1
ADDomain
xxxxxxxxxxx
AuthorizationPolicyMatchedRule
Default
CPMSessionID
b0140a6f0000C2E15374CC7F
EndPointMACAddress
00-xxxxxxxxxxxx
ISEPolicySetName
Default
AllowedProtocolMatchedRule
MDP-PC-PEAP
IdentitySelectionMatchedRule
Default
HostIdentityGroup
Endpoint Identity Groups:Profiled:Workstation
Model Name
Cisco
Location
Location#All Locations#Site-MDP
Device Type
Device Type#All Device Types#Cisco-Bornes
IdentityAccessRestricted
false
AD ExternalGroups
xx/users/ordinateurs du domaine
AD ExternalGroups
xx/users/certsvc_dcom_access
AD ExternalGroups
xx/builtin/accès dcom service de certificats
Called-Station-ID
54:75:D0:DC:5B:7C
CiscoAVPair
ssid=CAMPUS
If you have an idea, thanks so much,
Regards,To configure debug logs via the Cisco ISE user interface, complete the following steps
:Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
You can use the Filter button to search for a specific node, particularly if the node list is large.
www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750 -
Ise 1.2 Device Registration not auto filling the MAC field
Hello
I have installed 1.2 and when guests login, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC adress is empty, I can remember it was prefilled in previous ISE versions.
Is this normal beheavior on 1.2? I have configured calling station ID on MAC instead of IP, any other things that I need to configure to get this working?
90% of the users doesnt know what a MAC adress is, or where to find it.
Greetings
StevenPeter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
Steven, It sounds like you have enabled the option in the Guest Portal to allows Device Registration. This option is intended to be used by Guest accounts only and does NOT support auto-populate of MAC address. This was a very limited feature introduced in 1.0.
This feature should not be confused with the DRW or NSP flows for device registration. For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7. However, CWA+NSP flow will not work for guest user accounts if enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users. That said, it will still work if redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
I would recommend CWA+DRW option for Guest users as it is simpler, more streamlined, and you can specify a unique Identity Group such as "GuestEndpoints" to these devices. This makes future cleanup easier and maintains them separately from employee RegisteredDevices. ISE 1.2 ERS API can be used to programmatically to delete these endpoints periodically.
Hope that helps to clarify. -
Patch: command not found
While trying to build freetype2-lcd with makepkg -c, I keep getting the following error:
wiltell ~/build/freetype2-lcd $ makepkg -c
==> Making package: freetype2-lcd 2.3.5-3 (Mon Mar 24 17:02:26 CET 2008)
==> Checking Runtime Dependencies...
==> Checking Buildtime Dependencies...
==> Retrieving Sources...
-> Found freetype-2.3.5.tar.bz2 in build dir
-> Found bytecode.patch in build dir
-> Found freetype-2.3.0-enable-spr.patch in build dir
-> Found freetype-2.2.1-enable-valid.patch in build dir
-> Found freetype-2.2.1-memcpy-fix.patch in build dir
-> Found freetype-2.2.1-subpixel-disable-quantization.diff in build dir
==> Validating source files with md5sums...
freetype-2.3.5.tar.bz2 ... Passed
bytecode.patch ... Passed
freetype-2.3.0-enable-spr.patch ... Passed
freetype-2.2.1-enable-valid.patch ... Passed
freetype-2.2.1-memcpy-fix.patch ... Passed
freetype-2.2.1-subpixel-disable-quantization.diff ... Passed
==> Extracting Sources...
-> bsdtar -x -f freetype-2.3.5.tar.bz2
==> Removing existing pkg/ directory...
==> Entering fakeroot environment...
==> Starting build()...
PKGBUILD: line 29: patch: command not found
==> ERROR: Build Failed.
Aborting...When building packages, ensure you have the entire base-devel group installed:
# pacman -S base-devel
In particular for this specific case, what you want is the 'patch' program:
# pacman -S patch
- but just install all of base-devel to prevent issues like this in the future. -
When I pull up the Term store in CA or any MySite collection, it works.
When I do so in any other site collection (HNSCs, incidentally), It doesn't return any term stores.
My ULS log immediately before and after the "/_vti_bin/taxonomyinternalservice.json/CheckPermission" POST on termstore .aspx triggers the WCF call:
Claims Authentication af30y Verbose Claims Windows Sign-In: Successfully signed-in the the user 'contoso\domainUser' for request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
Claims Authentication af30q Verbose Updating header 'LOGON_USER' with value '0#.w|contoso\domainUser' for the request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|contoso\domainUser, ClaimsCount=77
Logging Correlation Data xmnv Medium Site=/
Topology e5mc Medium WcfSendRequest: RemoteAddress: 'http://CONTOSOFE3:32843/00e6d55691824965ac223f1d1cfae6d2/MetadataWebService.svc' Channel: 'Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges2' MessageId: 'urn:uuid:590e916c-c89a-4f89-9819-a82c97fabcaa'
Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\domainUser' with UPN '[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
Claims Authentication g220 Unexpected No windows identity for contoso\domainUser.
The "The caller is not authorized to access the service." message seems pertinent.
Both web apps are using only NTLM auth.
The url for both web apps ends in the same contoso.com domain.
I get the same errors no matter what account I use, including the install account.
Things I've tried:
Deleting and building a new HNSC root web app and site. Error happens in all sites in all web apps except the PBSC hosting MySites.
Giving the root site app pool identity full control of the metadata service app (even though the MySite identitiy doesn't have it)
Giving the root site app pool identity full permissions on the metadata service app.
Comparing database and web app config permissions between dev (where everything works perfectly) and prod (where it does not).
Made sure IIS auth settings on both sites are identical
Both sites are using the same SSL certificate (though the call to the web service appears to be http)
Reprovisioned the metadata service app with a new database and new app pool identity.
Made sure C2WT is running. Tried it with the service stopped as well.
Web.configs are identical between working and non-working apps.
I'm stumped but still Googling. I'm hoping to avoid having to call Micrososft. Any help would be appreciated!
UPDATE:
Interestingly, when I restored the web application from backup (via CA), I ended up with 3 identical "Windows Authentication" authentication providers assigned to the problem web app. Since there was more than one, I was directed to the provider-chooser
page when visiting the site. Upon choosing 1 of the 3, I was authenticated, and *poof*, no more authentication errors and the term store loaded term sets as expected.
Of course, 3 providers was not an ideal state, so I grabbed the one that worked (#1) via get-spauthenticationprovider, and assigned it to the web app via set-spwebapplication, and my problem returned.
I am currently updating the farm to SP1 from June 2013 CU. Fingers crossed.
Update:
The update to SP1 went smoothly, but did not resolve the issue. Also related (I believe) are the random authentication errors when trying to upload images to some libraries, and 401-errors on the accessdenied.aspx page itself.
Update:
The problem is resolved, seemingly after making 4 changes. I'm trying to narrow down which change was the cure, if any:
I installed SP1 on all 6 servers, rebooted and upgraded. This appeared to have no effect.
Removed an old login from SQL that no longer existed in AD because of this ULS error:
System.Runtime.InteropServices.COMException: The user or group contoso\svc_xxxxxxxxx' is unknown., StackTrace: at Microsoft.SharePoint.Utilities.SPUtility.GetFullNameFromLoginEx(String loginName, Boolean&
bIsDL)
This login was the identity of the application pool that used to run the web app in question.
This login was the schema owner of a schema named after itself on every SharePoint database so I changed the schema owner to dbo but left the schema attached.
The problem may have surfaced initially when the app pool identity was changed in CA, but went unnoticed?
Note that the web app had been deleted and recreated many times with a new identity and pool to no avail, but the URL remained the same throughout each attempted fix. Relevant?
Grasping at straws, I changed the app pool identity for this web app to the same one that runs the MySite web app pool as per this only slightly related problem: http://www.planetsharepoint.org/m/preview.php?id=372&rid=34764&author=Vlad+Catrinescu
I changed the authentication method from NTLM to Negotiate.
I am rolling back #3 and #4 to see if the issue resurfaces.
Update:
It doesn't appear to have been the NTLM/Negotiate setting. Web app is currently set to NTLM and all is well. No strange accessdenies, and term Store is still manageable from all sites.
Update: Sorry for the delay. I am administering 6 farms these days. Will update as soon as the final phase of rollbacks happens.
I think I can. I think I can.maybe that web app was accidentally created with classic auth?
here's an example of how to create claims based, with classic, and then "doing 2013" claims
#Create the example web application, as mentioned above, either with gui, and pick later, or
New-SPWebApplication-ApplicationPool$applicationPool-ApplicationPoolAccount$serviceAcct-Name$WebApp-Port
5050
-databaseName$contentDB-securesocketslayer
#If doing for 2013
New-SPWebApplication-ApplicationPool$applicationPool-ApplicationPoolAccount$serviceAcct-Name$WebApp-Port
5050
-AuthenticationProvider(new-spauthenticationprovider)
-databaseName$contentDB-secureSocketsLayer -
ISE 1.2 Patch 7 possible guest CWA bug
Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.Hi,
I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7. -
Hi all,
I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
"5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
Any info out there about 5441 before I log a TAC?????
Thanks.Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
Event
5400 Authentication failed
Failure Reason
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution
Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause
Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late. -
Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3. We are looking to upgrade to Patch 8. We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?
So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.
-
SCCM 2012 R2 Clients are not retrieving policy
Hi - I know this question has been asked many times before - but I have tried almost everything and a no closer to solving the problem.
Background: Recently a SCCM 2012 SP1 single stand-alone site was upgraded to SCCM 2012 R2. The site is a single stand-alone primary site with a single DP, single MP, using mixed mode
(HTTP). The R2 upgrade ran without any problem and all SCCM components are showing as healthy.
A few test SCCM 2012 SP1 clients were upgraded to the R2 client using client-push.
However the upgraded clients are not retrieving policy from the Management Point. In the Actions Tab of the SCCM client, only Machine Policy Retrieval and User Policy Retrieval are available. But kicking of those actions does not
result in any of the advertised applications, Task Sequences becoming available. Infact Custom Client Settings are not being set either (e.g. Organisation Name in software Center).
I have checked and rechecked the following:
The upgrade of the client completed successfully (checked ccmsetup.log) and the version number went from 5.00.7804.1000 (SP1) to 5.00.7958.1000 (R2).
The MP health in the SCCM console is showing healthy.
The MP access URL's load correctly when run from SCCm client computers
“http://<ServerName>/sms_mp/.sms_aut?mplist” is ok
“http://<ServerName>/sms_mp/.sms_aut?mpcert” is ok
The SCCM clients are assigned to the site correctly – verified via the SCCM client and
ClientLocation.Log
ClientIDManager.Log is not showing any errors
CCMExec.log and ExecMgr.log don't show any advertisements being executed (Execmgr.log is almost empty and only has "Software ditrbution site settings policy does not yet exist on the client). If the client is not yest
registered this is expected behaviour")
The SCCM clients are Approved and NOT Blocked in SCCM
I have attempted to upgrade the SCCM client and also completely removed and reinstalled - and both have the same result (no client policy dpwnloaded)
I have also deleted the above clients completely from SCCM, Run divoery again and pushed the client to the machines again ...with the same result (SCCM client installs, assigns to correct site and then no policy downloaded)
SCCM 2012 Boundaries are configured correctly and assigned to Boundary Groups correctly
The SCCM client’s do not have the firewall enabled
Changed boundary from AD Site to Subnet to IP Address Range: Same issue exists
Uninstalled MP role and reinstalled it: same Issue exists
Tried to connect to SCCm client using 3rd party SCCM Client center tool but cannot connect
??? Not sure what else to try ???Hi all - sorry for the late response.
We managed to resolve the issue after logging a job with Microsoft Support.
The issue was that the SCCM 2012 R2 upgrade corrupted 2 tables in the SCCM Database - leading to corrupt SCCM client policies.
I am pasting the resolution email from Microsoft below:
(NOTE: This may not be the exact sypmtoms you are experiencing so do not implement this fix assuming it will fix your problem!)
ISSUE:
- All clients are unable to download policies from the server
CAUSE:
- Bad policies in the Database
RESOLUTION:
-Issue with PADbID - Run below query against SCCM DB to verify corrupt entries:
SELECT * FROM
ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)
Confirmed Bad policies entries in the SCCM database
Run below query to delete the bad policy after which we resolved the issue:
Delete FROM ResPolicyMap
WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)" -
Hi,
In our development system CD2(ECC backend system) when I am acessing t-code PHAP_CATALOG_PA->Category Group/Category/Template>Zero Harm>DRA JKSW2>Preview --->Print Layout giving below error.Here PD7( Dev portal ) is acting as frontend.
Error :
ADS: com.adobe.ProcessingException: Could not retrieve(200101)
Message no. FPRUNX001
Diagnosis
An error occurred when Adobe Document Services (ADS) was launched.
System Response
Error message
Procedure
When troubleshooting, follow the steps described in SAP Note 944221.
First check the connection to ADS. You can use the program FP_PDF_TEST_00 to do this. From SAP NetWeaver Release 7.0, the program FP_CHECK_DESTINATION_SERVICE must also run successfully (both with and without the checkbox selected on the selection screen). If this program does not run successfully, there is a error in the configuration.
Please help in this case.
Regards
NileshHi,
Perform the ADS configuration check as specified in : http://help.sap.com/saphelp_nwmobile71/helpdata/en/43/f0638873b56bede10000000a11466f/frameset.htm
You need to check all the configuration steps to makesure everything is setup right. Also, try after restarting your Java engine where ADS is installed. Check your ADS RFC connection using SM59 tcode, and check whether ADSUSER and ADS_AGENT are not locked.
Try and let know.
Regards,
Shahid. -
MAKEPKG -c error - PKGBUILD: line 32: patch: command not found
Hello all,
Well I am getting the above error when running the makepkg -c as user in my local abs tree i am using
[devnull@myhell chromium]$ makepkg -c
==> Making package: chromium 0.9.12-6 (Sun Mar 30 01:43:39 EDT 2008)
==> Checking Runtime Dependencies...
==> Checking Buildtime Dependencies...
==> Retrieving Sources...
-> Found chromium-src-0.9.12.tar.gz in build dir
-> Found chromium-data-0.9.12.tar.gz in build dir
-> Found 0.9.12-gcc3-gentoo.patch in build dir
-> Found 0.9.12-freealut.patch in build dir
-> Found 0.9.12-configure.patch in build dir
-> Found 0.9.12-png.patch in build dir
-> Found chromium.sh in build dir
-> Found chromium.png in build dir
-> Found chromium.desktop in build dir
==> Validating source files with md5sums...
chromium-src-0.9.12.tar.gz ... Passed
chromium-data-0.9.12.tar.gz ... Passed
0.9.12-gcc3-gentoo.patch ... Passed
0.9.12-freealut.patch ... Passed
0.9.12-configure.patch ... Passed
0.9.12-png.patch ... Passed
chromium.sh ... Passed
chromium.png ... Passed
chromium.desktop ... Passed
==> Extracting Sources...
-> bsdtar -x -f chromium-src-0.9.12.tar.gz
-> bsdtar -x -f chromium-data-0.9.12.tar.gz
==> Removing existing pkg/ directory...
==> Entering fakeroot environment...
==> Starting build()...
PKGBUILD: line 32: patch: command not found
==> ERROR: Build Failed.
Aborting...
Here is a cut from PKBUILD file line 32:
build(){
cd $startdir/src/Chromium-0.9
patch -p0 -i ../0.9.12-gcc3-gentoo.patch || return 1 <--- This is line 32 from pkbuild file
patch -p0 -i ../0.9.12-freealut.patch || return 1
#patch -p0 -i ../0.9.12-configure.patch || return 1
patch -p0 -i ../0.9.12-png.patch || return 1
Thanks you in advance for all your helpHello,
/devnull.nsb wrote:
Hello all,
*snip*
PKGBUILD: line 32: patch: command not found
==> ERROR: Build Failed.
Aborting...
*snip*
It looks like you might not have patch installed. What happens when you type
pacman -Q patch
If you get an error that the patch package is not found, install base-devel. -
Hyperion Hub 7.2.5 - Unable to retrieve groups
Please can someone help with Hub...
I have configured Hub I believe with MSAD, but when I click on the "Users and Groups" option from the website I get the message "Unable to retrieve groups" and it will not allow me any further.
Please help... using Hub 7.2.5 - No other Hyperion products installed at present.
Regards
JohnHi,
first sysc the openLDAP and then create a new group and assign the users.
thx
sri
Maybe you are looking for
-
Memory arrangements in iMac i5 quad core (mid 2010)
I used to run 8 GB of ram in 4 modules. The upper two slots were occupied with the 2 samsung 2GB modules that came with the computer. The lower two slots I filled with 2 more 2 GB ram modules from corsair. These 8 Gb of RAM worked fine until one of t
-
Dynamic text - newbie question
hello, i'm reviewing a lesson on Lynda.com. The subject is loading dynamic text from an external text file. Every time I try to access the dynamic text i've placed on the stage, I get an error: "Cannot access a property or method of a null object ref
-
Query on sap locks(ENQUEUE/DEQUEUE)
Hi All, should the sap locks ENQUEUE/DEQUEUE need to be used for all the updation/insertion of records ino the table? Please confirm.Should this locking technique be used even for insertion of records into the table? Regards, Pra.
-
Webinvoke put complex structure
Hi, I have the following declaration: [OperationContract] [WebInvoke(Method = "PUT", UriTemplate = "svcrVCIPutBellImages? images_in={images_in}")] String svcrVCIPutBellImages(VCI_Bell_Images[] images_in); Where the array is defined as: #region VCI_Be
-
I corrupted my USB at school somehow... when I came home I tried to plug it into my mac to see if it would work but nothing happened. It didn't show up on my desktop at all. I googled and googled how to fix it and came across a few tips that I tried,