ISE 1.2 patch 4 not retrieving groups

Similar Messages

• Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

  Hi all,
  When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
  My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
  Does anyone get this problem, please help.
  I have check into the ISE CLI Reference Guide 1.1.x
  You are about to configure Active Directory settings.
  Are you sure you want to proceed? y/n [n]: y
  Parameter Name: dns.servers
  Parameter Value: 10.77.122.135
  Active Directory internal setting modification should only be performed if approved by ISE
  support. Please confirm this change has been approved y/n [n]: y
  What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?
  Please suggest for this too.
  Thanks and Regards,
  Pongsatorn M.

  Hi Pongsatorn,
  Thanks for the reply!
  I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
  It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
    Testing Active Directory connectivity:
      Global Catalog: pdascdc02.xyz.com
        gc:       3268/tcp - refused
    Testing Active Directory connectivity:
      Global Catalog: pdascdc02.xyz.com
        gc:       3268/tcp - refused
  For some reason, the request to the controllers on port 3268 is being refused.
  Any thoughts you might have are greatly appreciated.
  Cheers,
  Greg

• ISE is unable to retrieve groups and attributes

  Hello guys,
  I have Cisco ISE installed on EXSi in a lab. I was able to join the ISE server to my test Active Directory server, and under the OU=Computers, I can see my ISE hostname.
  However, when I go to Administrator > External Identity Sources > Active Directory > Groups > Add > Select Group from Directory:
  I have my domain entered in Domain box and an * for filter. When I clicked the "Retrieve Groups" button, I always received "Number of Groups Retrieved: 0 (Limit is 100)"
  It seem like ISE is unable to retrieve the groups that I have on my AD. I checked the status of my ISE server and it says that it is still connected to the domain. When I search for attributes, it keep saying that the user is not found.
  I disabled my AD's firewall and still getting the same results. I ran the detailed test connection, and it was a success and the port connections are all good. At this point, I am pretty much stuck.
  Any help would be greatly appreciated.
  Thanks

  I am sorry Jatin. I have another question.  I am working on Motorola RFS7000 WLC and Cisco ISE v1.1.1.
  I am not sure if I should create a new thread about the new issue I am having now.  I have successfully added my RFS controller and one AP7131 to ISE Network Devices. And I am able to login to these devices using my AD account. However, it is not allowing me to manage these devices.  I believe I am at exec mode. I SSH to my RFS and I can't even get to enable mode.

• VBScript does not retrieve Member details if a Distribution/Security Group have only one Member

  Hi,
  VBScript does not retrieve Member details if a Distribution/Security Group have only one Member. I have tried several Scripts even changed the coding in it, also tried few External Script by created by other Scriptor's. Any suggestion on why this is happening. 

  Perfect... Thank you. I reworked on the Script and it is showing up. One more info required. I know my script is having another bug. Can you help me getting the member list of a User Group. When i pull it retrieves all the Group info for a user
  but no "Domain Users" Group.
  Sorry for the lame humor but it was getting late.
  As for you new request.  I do not understand what you are asking. Can you post your script and any error messages you are getting.
  ¯\_(ツ)_/¯

• ISE / Active Directory: issue to get users group

  Hello,
  We have a strange issue:
  - ISE 1.2 patch 8
  - no WLC, autonomous AP
  In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
  We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
  In one more rules to grant authentication from APs to register in WDS: user in local database.
  In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
  (so 3 rules), and one more to authorise the internal base for WDS.
  We have something strange:
  - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
  Exemple:
  1- OK:
  Authentication Details
  Source Timestamp
  2014-05-15 11:43:19.064
  Received Timestamp
  2014-05-15 11:43:19.065
  Policy Server
  radius
  Event
  5200 Authentication succeeded 
  All the GROUPS of user are seen:
  false
  AD ExternalGroups
  xx/users/admexch
  AD ExternalGroups
  xx/users/glkdp
  AD ExternalGroups
  x/users/gl revue écriture
  AD ExternalGroups
  xx/users/pcanywhere
  AD ExternalGroups
  xx/users/wifidata
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa informatique
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa entreprises et cités
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa campus
  AD ExternalGroups
  xx/users/aiga_creches
  AD ExternalGroups
  xx/users/admins du domaine
  AD ExternalGroups
  xx/users/utilisa. du domaine
  AD ExternalGroups
  xx/users/groupe de réplication dont le mot de passe rodc est refusé
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange view-only administrators
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange public folder administrators
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/administrateurs
  AD ExternalGroups
  xx/builtin/utilisateurs
  AD ExternalGroups
  xx/builtin/opérateurs de compte
  AD ExternalGroups
  xx/builtin/opérateurs de serveur
  AD ExternalGroups
  xx/builtin/utilisateurs du bureau à distance
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  RADIUS Username
  xx\cennelin
  Device IP Address
  172.25.2.87
  Called-Station-ID
  00:3A:98:A5:3E:20
  CiscoAVPair
  ssid=CAMPUS
  ssid
  campus 
  2- NO OK later:
  Authentication Details
  Source Timestamp
  2014-05-15 16:17:35.69
  Received Timestamp
  2014-05-15 16:17:35.69
  Policy Server
  radius
  Event
  5434 Endpoint conducted several failed authentications of the same scenario
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Root cause
  Selected Authorization Profile contains ACCESS_REJECT attribute 
  Only 3 Groups of the user are seen:
  Other Attributes
  ConfigVersionId
  5
  Device Port
  1645
  DestinationPort
  1812
  RadiusPacketType
  AccessRequest
  UserName
  host/xxxxxxxxxxxx
  Protocol
  Radius
  NAS-IP-Address
  172.25.2.80
  NAS-Port
  51517
  Framed-MTU
  1400
  State
  37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
  cisco-nas-port
  51517
  IsEndpointInRejectMode
  false
  AcsSessionID
  radius/189518899/49890
  DetailedInfo
  Authentication succeed
  SelectedAuthenticationIdentityStores
  AD1
  ADDomain
  xxxxxxxxxxx
  AuthorizationPolicyMatchedRule
  Default
  CPMSessionID
  b0140a6f0000C2E15374CC7F
  EndPointMACAddress
  00-xxxxxxxxxxxx
  ISEPolicySetName
  Default
  AllowedProtocolMatchedRule
  MDP-PC-PEAP
  IdentitySelectionMatchedRule
  Default
  HostIdentityGroup
  Endpoint Identity Groups:Profiled:Workstation
  Model Name
  Cisco
  Location
  Location#All Locations#Site-MDP
  Device Type
  Device Type#All Device Types#Cisco-Bornes
  IdentityAccessRestricted
  false
  AD ExternalGroups
  xx/users/ordinateurs du domaine
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  Called-Station-ID
  54:75:D0:DC:5B:7C
  CiscoAVPair
  ssid=CAMPUS 
  If you have an idea, thanks so much,
  Regards,

  To configure debug logs via the Cisco ISE user interface, complete the following steps
  :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
  You can use the Filter button to search for a specific node, particularly if the node list is large.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

• Ise 1.2 Device Registration not auto filling the MAC field

  Hello
  I have installed 1.2 and when guests login, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC adress is empty, I can remember it was prefilled in previous ISE versions.
  Is this normal beheavior on 1.2? I have configured calling station ID on MAC instead of IP, any other things that I need to configure to get this working?
  90% of the users doesnt know what a MAC adress is, or where to find it.
  Greetings
  Steven

  Peter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
  Steven, It sounds like you have enabled the option in the Guest Portal to allows Device Registration.  This option is intended to be used by Guest accounts only and does NOT support auto-populate of MAC address.  This was a very limited feature introduced in 1.0.
  This feature should not be confused with the DRW or NSP flows for device registration.  For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7.  However, CWA+NSP flow will not work for guest user accounts if enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users.  That said, it will still work if redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
  I would recommend CWA+DRW option for Guest users as it is simpler, more streamlined, and you can specify a unique Identity Group such as "GuestEndpoints" to these devices.  This makes future cleanup easier and maintains them separately from employee RegisteredDevices.  ISE 1.2 ERS API can be used to programmatically  to delete these endpoints periodically.
  Hope that helps to clarify.

• Patch: command not found

  While trying to build freetype2-lcd with makepkg -c, I keep getting the following error:
  wiltell ~/build/freetype2-lcd  $ makepkg -c
  ==> Making package: freetype2-lcd 2.3.5-3  (Mon Mar 24 17:02:26 CET 2008)
  ==> Checking Runtime Dependencies...
  ==> Checking Buildtime Dependencies...
  ==> Retrieving Sources...
    -> Found freetype-2.3.5.tar.bz2 in build dir
    -> Found bytecode.patch in build dir
    -> Found freetype-2.3.0-enable-spr.patch in build dir
    -> Found freetype-2.2.1-enable-valid.patch in build dir
    -> Found freetype-2.2.1-memcpy-fix.patch in build dir
    -> Found freetype-2.2.1-subpixel-disable-quantization.diff in build dir
  ==> Validating source files with md5sums...
      freetype-2.3.5.tar.bz2 ... Passed
      bytecode.patch ... Passed
      freetype-2.3.0-enable-spr.patch ... Passed
      freetype-2.2.1-enable-valid.patch ... Passed
      freetype-2.2.1-memcpy-fix.patch ... Passed
      freetype-2.2.1-subpixel-disable-quantization.diff ... Passed
  ==> Extracting Sources...
    -> bsdtar -x -f freetype-2.3.5.tar.bz2
  ==> Removing existing pkg/ directory...
  ==> Entering fakeroot environment...
  ==> Starting build()...
  PKGBUILD: line 29: patch: command not found
  ==> ERROR: Build Failed.
      Aborting...

  When building packages, ensure you have the entire base-devel group installed:
  # pacman -S base-devel
  In particular for this specific case, what you want is the 'patch' program: 
  # pacman -S patch
  - but just install all of base-devel to prevent issues like this in the future.

• Claims debacle (error) with Term Store: "Could not retrieve a valid windows identity" for all sites in a particular web app.

  When I pull up the Term store in CA or any MySite collection, it works.
  When I do so in any other site collection (HNSCs, incidentally), It doesn't return any term stores.
  My ULS log immediately before and after the "/_vti_bin/taxonomyinternalservice.json/CheckPermission" POST on termstore .aspx triggers the WCF call:
  Claims Authentication af30y Verbose Claims Windows Sign-In: Successfully signed-in the the user 'contoso\domainUser' for request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
  Claims Authentication af30q Verbose Updating header 'LOGON_USER' with value '0#.w|contoso\domainUser' for the request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
  Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|contoso\domainUser, ClaimsCount=77
  Logging Correlation Data xmnv Medium Site=/
  Topology e5mc Medium WcfSendRequest: RemoteAddress: 'http://CONTOSOFE3:32843/00e6d55691824965ac223f1d1cfae6d2/MetadataWebService.svc' Channel: 'Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges2' MessageId: 'urn:uuid:590e916c-c89a-4f89-9819-a82c97fabcaa'
  Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\domainUser' with UPN '[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
  Claims Authentication g220 Unexpected No windows identity for contoso\domainUser.
  The "The caller is not authorized to access the service." message seems pertinent.
  Both web apps are using only NTLM auth.
  The url for both web apps ends in the same contoso.com domain. 
  I get the same errors no matter what account I use, including the install account.
  Things I've tried:
  Deleting and building a new HNSC root web app and site. Error happens in all sites in all web apps except the PBSC hosting MySites.
  Giving the root site app pool identity full control of the metadata service app (even though the MySite identitiy doesn't have it)
  Giving the root site app pool identity full permissions on the metadata service app.
  Comparing database and web app config permissions between dev (where everything works perfectly) and prod (where it does not).
  Made sure IIS auth settings on both sites are identical
  Both sites are using the same SSL certificate (though the call to the web service appears to be http)
  Reprovisioned the metadata service app with a new database and new app pool identity.
  Made sure C2WT is running. Tried it with the service stopped as well.
  Web.configs are identical between working and non-working apps.
  I'm stumped but still Googling. I'm hoping to avoid having to call Micrososft. Any help would be appreciated!
  UPDATE:
  Interestingly, when I restored the web application from backup (via CA), I ended up with 3 identical "Windows Authentication" authentication providers assigned to the problem web app. Since there was more than one, I was directed to the provider-chooser
  page when visiting the site. Upon choosing 1 of the 3, I was authenticated, and *poof*, no more authentication errors and the term store loaded term sets as expected.
  Of course, 3 providers was not an ideal state, so I grabbed the one that worked (#1) via get-spauthenticationprovider, and assigned it to the web app via set-spwebapplication, and my problem returned.
  I am currently updating the farm to SP1 from June 2013 CU. Fingers crossed.
  Update:
  The update to SP1 went smoothly, but did not resolve the issue. Also related (I believe) are the random authentication errors when trying to upload images to some libraries, and 401-errors on the accessdenied.aspx page itself.
  Update:
  The problem is resolved, seemingly after making 4 changes. I'm trying to narrow down which change was the cure, if any:
  I installed SP1 on all 6 servers, rebooted and upgraded. This appeared to have no effect.
  Removed an old login from SQL that no longer existed in AD because of this ULS error:
  System.Runtime.InteropServices.COMException: The user or group contoso\svc_xxxxxxxxx' is unknown., StackTrace:    at Microsoft.SharePoint.Utilities.SPUtility.GetFullNameFromLoginEx(String loginName, Boolean&
  bIsDL)
  This login was the identity of the application pool that used to run the web app in question.
  This login was the schema owner of a schema named after itself on every SharePoint database so I changed the schema owner to dbo but left the schema attached.
  The problem may have surfaced initially when the app pool identity was changed in CA, but went unnoticed?
  Note that the web app had been deleted and recreated many times with a new identity and pool to no avail, but the URL remained the same throughout each attempted fix. Relevant?
  Grasping at straws, I changed the app pool identity for this web app to the same one that runs the MySite web app pool as per this only slightly related problem: http://www.planetsharepoint.org/m/preview.php?id=372&rid=34764&author=Vlad+Catrinescu
  I changed the authentication method from NTLM to Negotiate.
  I am rolling back #3 and #4 to see if the issue resurfaces.
  Update:
  It doesn't appear to have been the NTLM/Negotiate setting. Web app is currently set to NTLM and all is well. No strange accessdenies, and term Store is still manageable from all sites.
  Update: Sorry for the delay. I am administering 6 farms these days. Will update as soon as the final phase of rollbacks happens.
  I think I can. I think I can.

  maybe that web app was accidentally created with classic auth?
  here's an example of how to create claims based, with classic, and then "doing 2013" claims
  #Create the example web application, as mentioned above, either with gui, and pick later, or
  New-SPWebApplication-ApplicationPool$applicationPool-ApplicationPoolAccount$serviceAcct-Name$WebApp-Port
  5050
  -databaseName$contentDB-securesocketslayer
  #If doing for 2013
  New-SPWebApplication-ApplicationPool$applicationPool-ApplicationPoolAccount$serviceAcct-Name$WebApp-Port
  5050
  -AuthenticationProvider(new-spauthenticationprovider)
  -databaseName$contentDB-secureSocketsLayer

• ISE 1.2 Patch 7 possible guest CWA bug

  Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
  In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
  If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

  Hi,
  I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
  The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

• ISE 1.2 Patch 12

  Hi all,
  I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
  None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
  "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
  Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
  I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
  Any info out there about 5441 before I log a TAC?????
  Thanks.

  Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
  It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
  Event
  5400 Authentication failed
  Failure Reason
  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
  Resolution
  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
  Root cause
  Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

• ISE 1.2 Patch 8

  Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3.  We are looking to upgrade to Patch 8.  We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?

  So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

• SCCM 2012 R2 Clients are not retrieving policy

  Hi - I know this question has been asked many times before - but I have tried almost everything and a no closer to solving the problem.
  Background: Recently a SCCM 2012 SP1 single stand-alone site was upgraded to SCCM 2012 R2. The site is a single stand-alone primary site with a single DP, single MP, using mixed mode
  (HTTP). The R2 upgrade ran without any problem and all SCCM components are showing as healthy.
  A few test SCCM 2012 SP1 clients were upgraded to the R2 client using client-push.
  However the upgraded clients are not retrieving policy from the Management Point. In the Actions Tab of the SCCM client, only Machine Policy Retrieval and User Policy Retrieval are available. But kicking of those actions does not
  result in any of the advertised applications, Task Sequences becoming available. Infact Custom Client Settings are not being set either (e.g. Organisation Name in software Center).
  I have checked and rechecked the following:
  The upgrade of the client completed successfully (checked ccmsetup.log) and the version number went from 5.00.7804.1000 (SP1) to 5.00.7958.1000 (R2).
  The MP health in the SCCM console is showing healthy.
  The MP access URL's load correctly when run from SCCm client computers
  “http://<ServerName>/sms_mp/.sms_aut?mplist” is ok
  “http://<ServerName>/sms_mp/.sms_aut?mpcert” is ok
  The SCCM clients are assigned to the site correctly – verified via the SCCM client and
  ClientLocation.Log
  ClientIDManager.Log is not showing any errors
  CCMExec.log and ExecMgr.log don't show any advertisements being executed (Execmgr.log is almost empty and only has "Software ditrbution site settings policy does not yet exist on the client). If the client is not yest
  registered this is expected behaviour")
  The SCCM clients are Approved and NOT Blocked in SCCM
  I have attempted to upgrade the SCCM client and also completely removed and reinstalled - and both have the same result (no client policy dpwnloaded)
  I have also deleted the above clients completely from SCCM, Run divoery again and pushed the client to the machines again ...with the same result (SCCM client installs, assigns to correct site and then no policy downloaded)
  SCCM 2012 Boundaries are configured correctly and assigned to Boundary Groups correctly
  The SCCM client’s do not have the firewall enabled
  Changed boundary from AD Site to Subnet to IP Address Range: Same issue exists
  Uninstalled MP role and reinstalled it: same Issue exists
  Tried to connect to SCCm client using 3rd party SCCM Client center tool but cannot connect
  ??? Not sure what else to try ???

  Hi all - sorry for the late response.
  We managed to resolve the issue after logging a job with Microsoft Support.
  The issue was that the SCCM 2012 R2 upgrade corrupted 2 tables in the SCCM Database - leading to corrupt SCCM client policies.
  I am pasting the resolution email from Microsoft below:
  (NOTE: This may not be the exact sypmtoms you are experiencing so do not implement this fix assuming it will fix your problem!)
  ISSUE: 
  - All clients are unable to download policies from the server
  CAUSE:
  - Bad policies in the Database
  RESOLUTION: 
  -Issue with PADbID - Run below query against SCCM DB to verify corrupt entries:
  SELECT * FROM
  ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)
  Confirmed Bad policies entries in the SCCM database
  Run below query to delete the bad policy after which we resolved the issue:
  Delete FROM ResPolicyMap
  WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)"

• Error ADS: com.adobe.ProcessingException:Could not retrieve(200101)getting

  Hi,
  In our development system CD2(ECC backend system) when I am acessing t-code PHAP_CATALOG_PA->Category Group/Category/Template>Zero Harm>DRA JKSW2>Preview --->Print Layout giving below error.Here PD7( Dev portal ) is acting as frontend.
  Error :
  ADS: com.adobe.ProcessingException: Could not retrieve(200101)
  Message no. FPRUNX001
  Diagnosis
  An error occurred when Adobe Document Services (ADS) was launched.
  System Response
  Error message
  Procedure
  When troubleshooting, follow the steps described in SAP Note 944221.
  First check the connection to ADS. You can use the program FP_PDF_TEST_00 to do this. From SAP NetWeaver Release 7.0, the program FP_CHECK_DESTINATION_SERVICE must also run successfully (both with and without the checkbox selected on the selection screen). If this program does not run successfully, there is a error in the configuration.
  Please help in this case.
  Regards
  Nilesh

  Hi,
  Perform the ADS configuration check as specified in : http://help.sap.com/saphelp_nwmobile71/helpdata/en/43/f0638873b56bede10000000a11466f/frameset.htm
  You need to check all the configuration steps to makesure everything is setup right. Also, try after restarting your Java engine where ADS is installed. Check your ADS RFC connection using SM59 tcode, and check whether ADSUSER and ADS_AGENT are not locked.
  Try and let know.
  Regards,
  Shahid.

• MAKEPKG -c error - PKGBUILD: line 32: patch: command not found

  Hello all,
  Well I am getting the above error when running the makepkg -c as user in my local abs tree i am using
  [devnull@myhell chromium]$ makepkg -c
  ==> Making package: chromium 0.9.12-6  (Sun Mar 30 01:43:39 EDT 2008)
  ==> Checking Runtime Dependencies...
  ==> Checking Buildtime Dependencies...
  ==> Retrieving Sources...
    -> Found chromium-src-0.9.12.tar.gz in build dir
    -> Found chromium-data-0.9.12.tar.gz in build dir
    -> Found 0.9.12-gcc3-gentoo.patch in build dir
    -> Found 0.9.12-freealut.patch in build dir
    -> Found 0.9.12-configure.patch in build dir
    -> Found 0.9.12-png.patch in build dir
    -> Found chromium.sh in build dir
    -> Found chromium.png in build dir
    -> Found chromium.desktop in build dir
  ==> Validating source files with md5sums...
      chromium-src-0.9.12.tar.gz ... Passed
      chromium-data-0.9.12.tar.gz ... Passed
      0.9.12-gcc3-gentoo.patch ... Passed
      0.9.12-freealut.patch ... Passed
      0.9.12-configure.patch ... Passed
      0.9.12-png.patch ... Passed
      chromium.sh ... Passed
      chromium.png ... Passed
      chromium.desktop ... Passed
  ==> Extracting Sources...
    -> bsdtar -x -f chromium-src-0.9.12.tar.gz
    -> bsdtar -x -f chromium-data-0.9.12.tar.gz
  ==> Removing existing pkg/ directory...
  ==> Entering fakeroot environment...
  ==> Starting build()...
  PKGBUILD: line 32: patch: command not found
  ==> ERROR: Build Failed.
      Aborting...
  Here is a cut from PKBUILD file line 32:
  build(){
    cd $startdir/src/Chromium-0.9
    patch -p0 -i ../0.9.12-gcc3-gentoo.patch || return 1   <--- This is line 32 from pkbuild file
    patch -p0 -i ../0.9.12-freealut.patch || return 1
    #patch -p0 -i ../0.9.12-configure.patch || return 1
    patch -p0 -i ../0.9.12-png.patch || return 1
  Thanks you in advance for all your help

  Hello,
  /devnull.nsb wrote:
  Hello all,
  *snip*
  PKGBUILD: line 32: patch: command not found
  ==> ERROR: Build Failed.
      Aborting...
  *snip*
  It looks like you might not have patch installed.  What happens when you type
  pacman -Q patch
  If you get an error that the patch package is not found, install base-devel.

• Hyperion Hub 7.2.5 - Unable to retrieve groups

  Please can someone help with Hub...
  I have configured Hub I believe with MSAD, but when I click on the "Users and Groups" option from the website I get the message "Unable to retrieve groups" and it will not allow me any further.
  Please help... using Hub 7.2.5 - No other Hyperion products installed at present.
  Regards
  John

  Hi,
  first sysc the openLDAP and then create a new group and assign the users.
  thx
  sri