ISE and MS Active Directory Integration Issue
It appears that our ISE 1.2 solution is having issues with nested MS AD Groups. The first login attempt always fails, the second occasionally works and the third always works. Has anyone else experience this login issues with ISE 1.2 and MS AD?
Sent from Cisco Technical Support iPhone App
Rick,
I am a little lost in the screenshots you posted. In your AD groups that you have pulled I dont see an authorization policy mapped to the first group. In the authentication report it looks like authentication is successfull.
I have seen that ISE will only display a few of the groups now in ISE 1.2 can you build a policy based on the the group you want it to show and then try your authentication again? That is when ISE will show the specific group as opposed to ise pre 1.2 where it would show more groups.
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
OIM 11gR2 Active Directory integration issue
Hi,
I am trying to install AD connector on OIM 11gR2 and have successfully performed all the necessary and relevant steps according to the deployment guide.
When i am trying to test the connector though, by running the "Active Directory Organization Lookup Recon" scheduled job i am getting the following error:
Exception Message oracle.iam.connectors.icfcommon.exceptions.Integration
Exception: The value for a key [Host] is not defined in the provided map.
Kindly help me out with this
Best Regards,
VarunHi,
i hope you are using the AD New connector(i.e. ICF based ) and your connector server key is not set properly. Most of the cases this is arises because of connector parameters. So verify the connector parameters and also have you put the AD connector jars on connector server side.
_Saurabh -
OAM and MS Active Directory Integration on Non-Windows Server envrionment
I will start by saying that I am dealing with a heterogeneous environment here where multiple systems are run by different levels of management. Our Oracle systems chose to go all *nix (Oracle Solaris and Red Hat Linux) and hence we do not have a single Windows Server in our Oracle services area and would really like to keep it that way as we prefer to keep a uniform platform across our Oracle servers. However, the desktop side of our department has chosen to use Microsoft Active Directory and now we wish to integrate and perform authentication against it for our OAM protected sites. We are in the initial setup phase but we have no desire to implement a critical server such as OAM on the Windows platform and would rather tie OAM running on a Red Hat Linux server to Active Directory. We will also be using OID as we run Portal but do not want to use it as our authentication authority for Oracle Products (local policy is that Active Directory is the only valid credential authority on site as we are moving to true Single Sign On across our desktops and web applications). I have a few questions.
1. Can it be done natively or would we have to run the Windows version of OAM?
2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth?
3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?Hi David,
Answers in-line
1. Can it be done natively or would we have to run the Windows version of OAM?
You can run all of the OAM Servers on *nix, and simply point to AD as an OAM data source on the machine:port that AD is running on. There is no need for the OAM components to be on Windows.
2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth
As above, this is not necessary.
3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?
Yes, this is entirely possible. Even though it is not necessary in your situation, it often provides more flexibility to front-end the user store with OVD, for example when adding/renaming Windows domains, or specifying specific branches for users and so on.
Regards,
Colin -
OID and MS Active directory integration in 9ias
How to integrate OID with MS Active directory ?
We have 9ias and Portal . How to use the username/password in MS AD for Portal authentication ? As far as I know 9ias is using OID , so the question comes down to how to replicate MS AD information to OID ?Hi, I have the same question.
Thanks,
Malin -
Cisco CSC SSM to Active directory integration issue
Hi,
I have configured ASA CSC SSM module for AD integration for user based access control. The domain controller Agent has been installed in AD server. But the Agent is not able to communicate to CSC module. There are errors getting generated in AD and CSC.
There are no network layer issues between AD server and CSC. All the frewalls have been turned off. I suspect some configuration changes to be done on AD or with the Agent installation file. I have followed the configuration steps recommended by Cisco in configuring AD server and CSC module. I have attached the Log files.
Please suggest solution for this issue. Thank you.
With Regards,
Madhan kumar G.Hi,
Below are the suggestions from TAC engineer, which rectified issue in my case. Hope this helps your scenario.
Ø Verify the following
Ø 1. The client machines should be part of the windows domain
Ø
Ø 2. File Sharing should be enabled on the client machine
Ø
Ø 3."Remote Registry" Service should be enabled
Ø
Ø 4. On the windows firewall, select "Windows Management Instrumentation
Ø
Ø (WMI)" as exception program to allow in bound WMI calls.
Ø
Ø Also, make sure the "File and Printer Sharing" is part of the exception list.
Ø
Ø 5. The client is able to ping the Agent and the Domain Controllers. -
Integration of sap R/3 (4.7) and Microsoft active directory (2003)
Hi All,
I would like to know integration of sap R/3 (4.7) and Microsoft active directory (2003) and also SAP EP and Microsoft active directory. I have been working as a ep consultant with a local bank. I am new for this integration work, So please kindly provide me the steps for integrating these both directories.
Pls help me with this issue.
Thanks in advance,
Regards,
Raghav.Hi,
First You should read:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
Regards,
Jarek -
Issue with Reset Password from Active Directory Integration Pack
I seem to be having some issues with a subscription in the Reset Password activity from the Active Directory Integration Pack. The "User Password" field refuses to take a value from a subscription provided earlier in a Generate Random
Text activity. As you will see in the screenshot below, when the Reset Password activity runs, the User Password value is blank.
Any idea why this might be happening? It looks like a possible bug with the Active Directory Integration Pack.Hi John,
I think this is not a bug, this should be by design because the password is a secure string. If you look for the Published data for Reset User Password activity at
http://technet.microsoft.com/en-us/library/hh553463.aspx it is not listed there as well.
If you need the the string (e.g. to send it via email) use the
data from the "Generate Random Text" Activity.
Regards,
Stefan
www.sc-orchestrator.eu ,
Blog sc-orchestrator.eu -
Help with Active Directory Integration and kerberos
Hello,
Im encountering a bug preventing me to use Active Directory integration with kerberos :
Our domain name is CORP.DOMAIN.COM.
When we request the GC in this domain :
bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
Server: 1.2.1.6
Address: 1.2.1.6#53
** server can't find gc.tcp.corp.domain.com: NXDOMAIN
there is no answer.
But when we request without corp, we find the servers :
bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
bash-3.00#
Is-it possible to add the possibility to enter the domain name where reside the gc.tcp ?
Thank you.Hello
the domain.com domain exist, but it's not our domain.
so, when I put domain.com, it search with no result (nothing appends).
our kdc.conf :
[kdcdefaults]
kdc_ports = 88,750
[realms]
CORP.DOMAIN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
krb.conf
[libdefaults]
default_realm = CORP.DOMAIN.COM
default_checksum = rsa-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc01.corp.domain.com
kdc = dc02.corp.domain.com
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
in every domain, I think the GC are in corp.domain.com. but in my company, it's in domain.com...
Thank you, -
Active Directory integration: Invalid Token Error in Verification Service
I'm having problems with Active Directory integration. I'm able to browse users in the task routing slip in JDeveloper. But I'm unable to login to the worklist application.
Getting an "Invalid Token Error in Verification Service" error. Any pointers?
<2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration error.
<2007-06-12 21:40:36,843> <ERROR> <default.collaxa.cube.services> <PCException::<init>> Identity Service Configuration file has error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <PCRuntimeException::<init>> Identity Service Configuration file has error.
<2007-06-12 21:40:36,859> <ERROR> <default.collaxa.cube.services> <::> WorkflowService:: VerificationService.destroyContext: invalid token: c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8=
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> ORABPEL-30503
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Invalid Token Error in Verification Service. Received invalid token c9pHcmBFtc4q7/EY3xGAv/6hhfa6Hf5tllCb8ZYKtdSA/8/y0exRcwpjy0vWiWGgBPzuIh5Ur+l+ZHDNe0PKb9KiFScsKAG3JK1y+nIJtC827Rljhn8E+/BoF+ZIN6GFYn/iyo/6Mrlmz02Pg4QtetftO7eHJ01rEV5MmZFTXsg8iV6LQPnkAPjqmmsq+5bVYGGfSFpHX7FXk/0FrSabClKy6DKiwt/1Kp2Ldbj2RY8= in destroyContext
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Check the underlying exception and correct the error. Contact oracle support if error is not fixable.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.bpel.services.workflow.verification.impl.VerificationService.destroyContext(VerificationService.java:667)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.bpel.services.workflow.query.impl.TaskQueryService.destroyWorkflowContext(TaskQueryService.java:161)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at worklistapp.servlets.Logout.handleRequest(Logout.java:66)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at worklistapp.servlets.BaseServlet.doGet(BaseServlet.java:142)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at java.security.AccessController.doPrivileged(Native Method)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> at java.lang.Thread.run(Thread.java:595)
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Caused by: BPEL-10555
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::>
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration error.
<2007-06-12 21:40:36,890> <ERROR> <default.collaxa.cube.services> <::> Identity Service Configuration file has error.Hi Adina,
thank you for your answer (questions)!
We use 10.1.3.1 SOA Suite and the default jazn.com Security Provider and what we set at java.naming.security.principal property is oc4jadmin.
It is interesting, we deployed again out EAR and now it works again! There is not Invalid Token Error exception, but we didn't change almost anything...
Can we debug it somehow?
Where does this bug come from?
Thanks!
ric -
Tutorial: Azure Active Directory integration with Igloo Software
Click reply and tell us what you think:
Tutorial: Azure Active Directory integration with Igloo Software
Markus Vilcinskas, Knowledge Engineer, Microsoft CorporationHello
Can you be little clear, what you have tested with Airwatch MDM cloud?.. which scenarios?..
1) Device Enrollment ?
2) Access to Airwatch console?
3) Access to Airwatch self service portal?
By following the steps We do not get it working at all. by the way some of the steps in this tutorial are unclear and outdated;
I finally personally figured out how things should look like, and make it work but only with Device Enrollment scenarios from the mobile devices itself. not from the pc and browsers or from the Access panel. -
Oracle Discoverer 10G and mapping Active Directory to use SSO/OID
Could anybody point me please to the right direction?
1. I've setup Oracle 10gIAS but turned off SSO and my users running discoverer /portals with no SSO.
2. My goal is to turn on SSO and synchronize it with Active directory on the windows box.
Thanks you in advanceHi Randy;
As you mention all notes refer to SSO&OID for Active Directory integration.AFAIK there is no way to do it, please log a Sr and confirm this wiht oracle support
Regard
Helios -
Active directory Integration with OBIEE
Hi all,
Can any one send me a link for active directory integration with OBIEE.
I have imported the users succesfully and I was able to login to analytics as an AD user.
But SSO is not possible. Kindly help me over this.
Thanks,
Haree.Thanks for reply veeravalli.
Me too followed the same link and successfully imported all the users from AD into OBIEE and login in is also possible.
But my requirement is to have Single Sign On ie.., users may log on to their Windows PCs and access Oracle BI EE via a standard web browser with no further authentication required on their part.
Thanks,
Haree -
OID and MS Active Directory LDAP information Synchronization
Do you know have to do the integration between OID and MS active Directory? How to synchronize the LDAP information between two?
Hi, I have the same question.
Thanks,
Malin -
Can Microsoft active directory integrated with Oracle Applications
Hi,
Can anyone provide me any document on Microsoft Active Directory Integration with Oracle Applications(12.0.6)
ManishHi,
It is possible, please refer to the following documents for details.
Note: 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
Note: 415007.1 - Oracle Application Server with Oracle E-Business Suite Release 12 FAQ
Regards,
Hussein -
Oracle database and Windows Active directory authentication
Hello,
Our developers have created a couple of web apps which look at our oracle database. Presently they use the APPS user and the user/password is hard coded into the config files.
Is it possible to authenticate these using Windows Active Directory instead? Is it possible to use AD authentication for all developer access to the database?
I'm trying to research this on the web but getting very confused. Would a lot of work be involved to get this up and running?
Is anyone able to offer and advise?
Thank you very much
SarahI don't have experience in joining a Linux system with Windows AD, and it generally does not sound like the best idea to me, but since Oracle Enterprise Linux is a clone of Red Hat Enterprise Linux, the solution you are looking for could be called Winbind.
Perhaps the following links are useful:
http://spiralbound.net/blog/2007/04/11/rhel-winbind-authentication-against-active-directory
http://www.linuxmail.info/active-directory-integration-samba-centos-5/
http://magazine.redhat.com/2007/11/12/tips-and-tricks-how-can-i-configure-winbind-to-synchronize-user-and-group-ids-across-multiple-red-hat-enterprise-linux-hosts-on-active-directory-accounts/
Maybe you are looking for
-
How can i share a file using a bluetooth
I cant pair my ipad with some other devices, and i cant share files.
-
Ordered the Airport Extreme Base Station - some questions if you can help?
I have a Windows 7 Home Premium 64 bit IBM ThinkPad T500 laptop I need to connect, and a Windows Vista PC. The ThinkPad has a built-in wirless N card and the Vista has a Belkin N+ USB wireless adapter. Can these both find and connect to the Airport w
-
Hi, I had to restore my computer to factory setting. When I was finished and reinstalled itunes. None of my music showed up. Where is it and why didn't it show up when I reinstalled itunes? I even plugged in my apple shuffle and it didn't appear.
-
Hi, I'm getting the following error when running wscompile from the command line (it also occurs when I run it from the Utilities GUI): error: Unknown QName of member 'name' error: java.lang.NullPointerException When I run the same WSDL file through
-
Camera Raw and Canon S95 Not Recognised
Hi, I have bought the extremely expensive Photoshop CS5 in summer and I have been waiting Camera Raw opens Raw files shooted with my compact camera Canon Powershot S95 (on the market since August). Can you please fix the problem or should I wait till