Kerberos and Alternative UPNs

I have a single on-premises W2K8 domain forest which exists within a disjoint namespace. I have added an alternative UPN to the domain to accommodate Office 365 federation. My understanding is that although users can log on to my domain with the alternative
UPN of [email protected], access to services will fall back on NTLM because the Kerberos service tickets will be issued for
[email protected]. Is it possible, and how do I resolve this situation? I need users to log on to our domain with their alternative UPNs and have Kerberos issue tickets to services with their alternative UPN.
Domain Namespace: mydomain.ac.uk
AD Domain: mail.mydomain.ac.uk
Alternative UPN: live.mydomain.ac.uk

Hi,
The UPN suffix is used for resolving to a corresponding zone in DNS, which means it is used to find the Domain Controller that can process the logon request; that is why I gave the example about Office 365 in my last reply.
If you have specified an alternative UPN when you created the user account, then a DNS server (zone) should be set up to resolve the suffix, which is different from the default one, regardless of whether the domain is in an on-premises network
or a branch office with a less secure network. Otherwise, the user can't use the alternative UPN to log on. I have tested this, and the user can't log on using the alternative UPN without the extra DNS server (zone). You can try to test this in your environment,
too.
As I mentioned before, when it comes to Kerberos authentication, it doesn't issue tickets based on UPN; the Kerberos authentication mechanism issues tickets to the user account. These parameters (UPN/suffix/NetBIOS name)
are used to determine the Domain Controller that processes the logon request; once that is determined, tickets are associated with the user account, which could be bound to the SID or GUID or both.
More information for you:
Technologies for Federating Multiple Forests
http://technet.microsoft.com/en-us/library/dd560679(v=WS.10).aspx
How the Kerberos Version 5 Authentication Protocol Works
http://technet.microsoft.com/en-us/library/cc772815(v=WS.10).aspx
Best Regards,
Amy
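The following PowerShell is an added example, not part of the original thread and not Microsoft's own guidance. It shows the administrative side of what the question describes: registering the alternative suffix at the forest, rewriting user UPNs to it, reporting accounts whose suffix is not registered (those are the ones that cannot log on with it), and then checking on a client what Kerberos actually puts in the TGT. Service tickets are requested for the service's SPN and carry the account's identity, so the suffix typed at logon does not change which tickets can be issued. The domain and suffix names come from the question; the OU path and account names are assumptions.

```powershell
# Added example (not from the original thread): register the alternative UPN suffix
# at the forest, assign it to users, and verify what Kerberos actually puts in the ticket.
# mail.mydomain.ac.uk and live.mydomain.ac.uk are taken from the question; the OU path
# is assumed. Run on a DC or an RSAT host as a Domain Admin.

Import-Module ActiveDirectory

$forest    = 'mail.mydomain.ac.uk'      # AD domain / forest root from the question
$altSuffix = 'live.mydomain.ac.uk'      # alternative UPN suffix from the question
$usersOu   = 'OU=Staff,DC=mail,DC=mydomain,DC=ac,DC=uk'   # assumed OU

# 1. Register the suffix once at the forest level (same as the "UPN Suffixes"
#    tab in Active Directory Domains and Trusts).
$current = (Get-ADForest -Identity $forest).UPNSuffixes
if ($current -notcontains $altSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $altSuffix }
}

# 2. Rewrite the UPN of every user in the OU whose suffix is still the AD domain name.
Get-ADUser -SearchBase $usersOu -Filter "UserPrincipalName -like '*@$forest'" |
    ForEach-Object {
        $prefix = $_.UserPrincipalName.Split('@')[0]
        Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$altSuffix"
    }

# 3. Report users whose UPN suffix is not registered at the forest level. In a
#    single-domain forest the registered set is the forest's UPNSuffixes plus the
#    domain's own DNS name; anything else fails interactive logon by UPN.
$registered = @((Get-ADForest -Identity $forest).UPNSuffixes) + $forest
Get-ADUser -Filter * |
    Where-Object {
        $_.UserPrincipalName -and
        ($registered -notcontains $_.UserPrincipalName.Split('@')[1])
    } |
    Select-Object SamAccountName, UserPrincipalName

# 4. On a client, after logging on as user@live.mydomain.ac.uk, list the TGT.
#    The realm shown in the Client field is the account's domain
#    (MAIL.MYDOMAIN.AC.UK), not the suffix typed at logon, which is the
#    behaviour the reply above describes.
klist tgt
```

Step 3 is the check worth keeping as a scheduled report: a user whose UPN suffix was typed by hand and never registered at the forest level will see exactly the "user does not exist or password is wrong" symptom, even though the account is healthy.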

Similar Messages

  • Alternative UPN & Forest Trust.

    Hi all!
I have 3 domains:
main.local
child.main.local (child of main.local)
test.local (new forest)
In "main.local", under Active Directory Site & Services, I defined 2 UPNs:
"mycorp.com" & "child.mycorp.com"
I used "mycorp.com" as the alternative UPN for users in "main.local".
Then I used "child.mycorp.com" as the alternative UPN for users in "child.main.local".
Now I'd like to trust "main.local" with "test.local" and use users in "*.main.local" with their alternative UPN.
Example:
[email protected] should log in to test.local with its UPN.
[email protected] should log in to test.local with its UPN.
* 02/26/2014 correction.
I made a Forest Transitive Trust in one direction, and all routed UPN suffixes are enabled and don't have conflicts, but I can't log on using the *.mycorp.com alternative UPN.
Where did I make my mistake?

    Hi, Vivian,
    I'm sorry, I should post my question after sleeping...
    Just few hints.
    I'm working with Windows Server 2012 R2 and it's a lab/test environment.
    I read both articles you link about hundred time in last few days and all my configuration are like described.
I'll try to recap my situation and be clearer:
Forest A:
Domain: main.local (Parent)
Alternative UPN: mycorp.com, child.mycorp.com
Domain: child.main.local (Child)
Alternative UPN: (came from parent domain)
Forest B:
Domain: test.local
Alternative UPN: none.
Transitive Forest Trust between A & B, one direction (users in A can log in/authenticate in B).
user1 is in Forest A/main.local
user2 is in Forest A/child.main.local
If I try to log on in "Forest B/test.local" as MAIN\user1 or [email protected], everything is OK and I can log on.
If I try to log on as [email protected], it returns that the user does not exist or the password is wrong.
If I try to log on as [email protected], it returns that the user does not exist or the password is wrong.
In "Active Directory Domains & Trusts", under the properties of the trust, under "Name Suffix Routing":
*.main.local (Enabled)
*.mycorp.com (Enabled)
But as I wrote, I can't log on using "*.mycorp.com" as the suffix in the trusting domain, only "*.main.local" or "DOMAIN\user".
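An added example for the forest-trust case above; it is not from the thread and does not claim to be the fix. It enumerates the inbound forest trust from the trusting forest (test.local), lists the name suffixes routed from the trusted forest (main.local) with their status, and re-validates the trust, which is the point at which the routed suffix list is refreshed. The forest names are the poster's; the admin account name is an assumption. The netdom switches used are the documented ones; check `netdom trust /?` on your version before relying on them.

```powershell
# Added example (not from the original thread): check name suffix routing for a
# one-way forest trust from the trusting side. Forest names come from the post;
# MAIN\admin is an assumed account in the trusted forest. Run on a DC in
# test.local as a Domain Admin with RSAT.

Import-Module ActiveDirectory

$trustingForest = 'test.local'   # Forest B, where the logon is attempted
$trustedForest  = 'main.local'   # Forest A, where the accounts live

# 1. Confirm the trust object exists, is a forest trust, and is inbound (A -> B).
#    Direction should read Inbound here; selective authentication, if on, also
#    requires "Allowed to Authenticate" on the resource computers.
Get-ADTrust -Filter "Name -eq '$trustedForest'" -Server $trustingForest |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, IntraForest

# 2. List the routed name suffixes and their state. A suffix shown as disabled
#    or in conflict is not routed even when the trust itself is healthy, and a
#    suffix added in the trusted forest after the trust was built is unknown
#    here until the list is refreshed.
netdom trust $trustingForest /domain:$trustedForest /NameSuffixes:$trustedForest

# 3. Re-validate the trust from the trusting side. The GUI equivalent
#    (Active Directory Domains and Trusts > Properties > Validate) offers to
#    update name suffix routing at the same time.
netdom trust $trustingForest /domain:$trustedForest /UserD:MAIN\admin /PasswordD:* /verify

# 4. List the suffixes again and compare with step 2.
netdom trust $trustingForest /domain:$trustedForest /NameSuffixes:$trustedForest
```

If step 2 shows *.mycorp.com as enabled on both runs and the logon still fails, the next thing to look at is the client's logon attempt itself rather than the trust: a failed name suffix lookup and a bad password produce the same generic message at the logon prompt.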

  • Kerberos and 10.5.8

    Hello all,
    I'm in the process of binding the Macintoshes to the AD environment and I'm running into a bit of an anomaly. I have the process scripted and I'm using local MCX settings with a LaunchD that determines the users OU at login and then will run the appropriate script, depending upon their department that will do a mount of the network drive. This works fine, except for a couple of 10.5.8 snow laptops.
    The login and mount script work fine from my machine (10.6.6) but not the users (10.5.8) and then not all 10.5.8 machines are having this issue.
    The command I'm running is this:
    cifs://dns.name.of.server/volume/dept/data
    On 10.6, it simply passes the Kerberos ticket and mounts the network mount. On 10.5.8, I enter the password and it says the password is incorrect.
    I've deleted the keychain, the preferences and have destroyed the current Kerberos ticket and got a new one. I've repaired permissions and I've repaired the keychain.
    Can anyone help me out here?
Thank you in advance.

    Try the OS X Server forums. There should be one dealing with directory services, etc. Alternatively, search these forums for Kerberos and SSHD

  • Alternative UPN suffix exists for all users except new user

    Hello,
    I am updating AD based on how it was setup by an outside IT company.  I am not an IT professional myself.  When I view the current user properties on the account tab, each user has 2 options in the UPN drop box; namely, mydomain.local & mydomain.com. 
    All users are set to mydomain.com.  I've added a new user to the same group in AD but there is only the mydomain.local option in the drop down.  Does anyone know why or how I can get the two options so I can choose the mydomain.com?

    Hi,
If you add the alternative UPN suffix correctly in
Active Directory Domains and Trusts, you can choose the UPN suffix even for the new user account.
As others said, please make sure the alternative UPN suffix is added, and create a test user account to check the result.
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Report for material and alternative UOM

Hi Gurus,
Is there any transaction/standard report where I can see the list of materials and alternative UOMs?
Thank you

Hi,
No such standard report is available in SAP to see this for many materials. In MM03 under Additional Data you can see it, but only material by material.
Better use table MARM to see the same, and create an ABAP Query or report using this table.

  • I cannot purchase from the iTunes Store because of the security question: I do not know my security question and my alternative mail has been hacked

    I cannot purchase from the iTunes Store because of the security question. I do not know my security question, and my alternative mail has been hacked.

    You need to contact Apple. Click here, phone them, and ask for the Account Security team.

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password and mount the home directory from an M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory Server, it looks like we are going to end up with a similar solution.
    Sadly enough, MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, we are currently evaluating a product called Vintela (www.vintela.com), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional NSS module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.

  • Country chart of accounts and alternative account No.

    Hello Experts
    We're using a country chart of accounts and alternative account numbers to fulfil the FICO China localization. Now I have the questions below:
    1. In manual FI posting in the company code for China, e.g. by transaction code FB01, which account number is used for this posting? The account number in the operational chart of accounts or the account number in the country chart of accounts?
    2. Does the alternative account number in the country chart of accounts also need to be created with company code level master data?
    Or do we just need to create the account in the operational chart of accounts with company code level master data?
    3. If we use the account in the operational chart of accounts for FI posting by the company code for China, are two accounting documents generated after posting, one with the account in the operational chart of accounts and another with the account in the country chart of accounts?
    4. Is the country chart of accounts used for consolidation purposes? Is there some difference from the group chart of accounts?
    Thanks,
    Nicole

    Hi Nicole,
    1. In manual FI posting in the company code for China, e.g. by transaction code FB01, which account number is used for this posting? The account number in the operational chart of accounts or the account number in the country chart of accounts?
    > The account number in the operational chart of accounts is always used for FI posting. The alternative account number is always for information purposes.
    2. Does the alternative account number in the country chart of accounts also need to be created with company code level master data?
    Or do we just need to create the account in the operational chart of accounts with company code level master data?
    > You only create the operational chart of accounts for posting. The alternative account number can be of two types: 1) a freely definable text for which you don't have any chart of accounts, for example a legacy number; 2) the account number from a country chart of accounts, in which case you create a G/L account in the country chart of accounts.
    3. If we use the account in the operational chart of accounts for FI posting by the company code for China, are two accounting documents generated after posting, one with the account in the operational chart of accounts and another with the account in the country chart of accounts?
    > Not true. Only the operational chart of accounts gets posted. In the alternative account number field, the alternative account number gets populated.
    4. Is the country chart of accounts used for consolidation purposes? Is there some difference from the group chart of accounts?
    > No. The country chart of accounts is used for external reporting. The group chart of accounts is used for consolidation.
    Regards,
    SAPFICO

  • TS3694 Hi, I am trying to update my iTunes to 10. The message I get is "The feature you are trying to use is on a network that is unavailable. Click OK to try again, or enter an alternative path to the program iTunes.msi" ... HELP

    Hi, I am trying to update my iTunes to 10. The message I get is "The feature you are trying to use is on a network that is unavailable. Click OK to try again, or enter an alternative path to the program iTunes.msi" ... HELP

    What computer OS and version do you have?
    If you have windows try:
    Removing and reinstalling iTunes, QuickTime, and other software components for Windows Vista or Windows 7
    or
    Removing and Reinstalling iTunes, QuickTime, and other software components for Windows XP

  • Spl gl and alternative recon acc

    Hi,
    Kindly let me know about point 1, and also let me know whether my questions below are correct or not.
    1) May I know where and how to create the special G/L account and alternative recon account?
    2) Special G/L account = prepaid account?
    3) 100 will be posted to the alternative recon account. This recon account acts like a normal recon account, where all the related special G/L accounts will be posted as well, right?
    4) The other accounts below, besides the prepaid account, are main accounts?
    5) Is the mix of accounts (main + special G/L) below correct?
    6) When cleared, is prepaid cleared like below? What about the alternative recon account?
    for example  vendor ask for prepayment
    the goods 10000usd, prepay 100usd
    Dr prepaid asset  100
    Cr bank   100
    When receive goods
    Dr inv   10000
    Cr creditor 10000
    When make payment to vendor
    Cr prepaid asset 100
    Dr creditor   100
    Dr creditor 9000
    Cr bank 9000
    thanks

    Create in FS00 a recon account for Down Payment or Bills of Exchange. You can copy from the existing recon account for vendor or customer.
    Go to OBYR and choose the special G/L indicator. Click on the magnifier. Then enter the main recon account for vendor or customer and in the field of special G/L account, give the special recon account created above.
    For example vendor ask for prepayment the goods $ 10,000, prepay $ 1,000
    Dr Vendor A/c (posting to special recon a/c) 1,000
    Cr    Bank 1,000
    When receive goods
    Dr Inventory 10,000
    Cr GR/IR a/c  10,000
    When vendor invoice received
    Dr. GR/IR a/c $ 10,000
    Cr. Vendor a/c $ 9,000
    Cr. Vendor a/c $ 1,000 (down payment adjustment, from special recon account)
    When make payment to vendor
    Dr Vendor 9,000
    Cr Bank 9,000

  • Payment setoff between Vendor and Alternative payee vendor

    Hi
    It is assumed that if a vendor account points to another vendor account for payment, i.e. an alternate payee vendor, the two account balances will be combined into one payment. This is currently not happening.
    A separate payment is issued under each vendor account (i.e. the original vendor and the alternative payee vendor).
    For example, a vendor is linked to another for payment, but there is a credit sitting on the payee account that is not getting offset against the other invoices paid to the vendor.
    Note: Both the original vendor and the alternative payee vendor are created as vendors, and payments are due to both vendors.
    Regards

    Hi,
    Your assumption does work in our system (604). 
    This was the test I ran.
    Created main vendor.
    Created invoices and credit memo.
    Went back and updated vendor record to add an Alternative Payee.
    Then created additional invoices but still used the main vendor number.
    Ran F110, and all invoices and the credit memo entered above were paid to the alternative payee, none to the main vendor, but the clearing documents are still under the main vendor in FBL1N.
    I think that is what you were wanting to work in yours?  Correct?
    Some questions for you:
    1. Did you check to see if there are any OSS notes?  like 1449061 or 1432181 that may apply?
    2. Did you confirm that both the main vendor and the alternative payee have the same payment methods??
    3. Have you analyzed the invoices/credit memos that the system is still paying on the main vendor to see what may be different about those?  For example are you using payment method supplement?

  • Reconciliation and alternative reconciliation

    Hi all.
    Can anyone tell me what the purpose of reconciliation and alternative reconciliation accounts is?
    What are the benefits of creating them in SAP?
    Please explain clearly...
    Thank you

    Recon account: Every customer and vendor account is assigned to a recon account. You cannot post to a recon account directly. Whenever a customer/vendor account is posted in the sub-ledger, the recon account is also posted in the GL.
    Consider the following entry:
    Customer     Dr (Sub-ledger)   10000 USD
    Recon a/c    Dr (GL)           10000 USD
    Revenue      Cr (GL)           10000 USD
    While the recon account will give you the total receivables or payables at any point of time, the individual account will show you the details of the customer account. The recon account will always be in summarized form.
    Alternate recon account:
    There are some reporting requirements, like down payments received or paid, where these transactions should not be shown along with normal transactions and need to be shown separately. They are called special G/L transactions in SAP. Every recon account is assigned an alternate recon account with a special G/L indicator in the configuration. Whenever a transaction using the special G/L indicator is posted to the customer/vendor account, it is posted to the alternate recon account instead of the normal recon account.
    Special G/L transactions are special transactions in accounts receivable and accounts payable that are displayed separately in the general ledger and the sub-ledger. This is achieved by posting to alternative reconciliation accounts instead of posting to the reconciliation accounts for receivables and payables.

  • Financial Statement and Alternative Account Number (China)

    Hi all,
    I have created a nice financial statement based on "normal" GL account number, and through this I can have a nice formatted balance sheet and profit and loss account.
    For china, I need the financial statement with the alternative account number displayed.  For example: My normal GL Account is 181000, and alternative account number is 10010101 .
    During running the F.01 - Balance sheet, I check the options of "alternative account number" under the tab of special evaluations, but the output of the balance sheet and profit and loss does not give me a nice format.
    All of the accounts are displayed under the section "Accounts not assigned" (this is because alternative account number 10010101 is not assigned to the financial statement version).
    Could anyone advise how to overcome this problem?
    Thanks.

    Ok ...
    I have halfway solved my problem with the following reference:
    http://sap.ittoolbox.com/groups/technical-functional/sap-acct/country-specific-coa-1453275
    There is another issue of my Financial statement:
    The following is my scenario:
    I have an operational chart of accounts, OCA1, and the G/L accounts are as follows:
    GL1000 linked with alternative GL account (GL9001 - Chart of account - ACA1)
    GL2000 linked with alternative GL account (GL9002 - Chart of account - ACA1)
    GL3000 linked with alternative GL account (GL9003 - Chart of account - ACA1)
    GL4000 No link to any alternative GL (because does not use or need this)
    My Financial statement version is FSV9, made up (must be, based on my testing) using GL Account (which are GL9001 and GL9002) and chart of account is ACA1.
    During the financial statement F.01, GL4000 ends up with the following message at the bottom of the financial statement: "No alternative acct no. maintained for G/L acct 4000 in co.code ...."
    Note: GL4000 does not have any balances.
    Note: If GL4000 has balances, it is displayed under the unassigned section, and the value does not affect the profit and loss of the statement.
    Question: How can I solve the issue:
    1) Do not display the GL4000, which does not have alternative GL account.

  • Will the Power BI Analysis Services Connector work if AD and AAD UPN suffixes don't match?

    We are using Azure Active Directory, AD FS, and DirSync with Alternate Login IDs, which means that our on-prem usernames have a different UPN suffix from our AAD usernames.
    Will the Power BI Analysis Services Connector work in this setup? Or do the AD and AAD UPN suffixes absolutely have to match?

    Hey Adam,
    From SSAS, we simply query AD by passing the UPN we receive from AAD. As long as AD can find a match, it'll work.
    So if there is a way in AD to map a particular UPN to another value, it'll work.
    For example: for a user A, her on-premises UPN is '[email protected]', but she uses '[email protected]' as her email address. From AAD we'll receive '[email protected]', and since AD knows that this is the same as '[email protected]', the effective user name will work.
    Hope this clarifies! let me know if you have more questions.
    -mini
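An added example, not from the thread and not Microsoft's SSAS or AD FS code, of the lookup the answer above relies on: the identifier that arrives from AAD is resolved against on-premises AD first by UPN and then by the attribute that was synchronised as the Alternate Login ID. Which attribute that is (mail is assumed here), the sample login value, and the helper names are assumptions. Because the value comes from an external identity provider, it is escaped per RFC 4515 before being placed in the LDAP filter, and the attribute name is whitelisted, so a crafted login ID cannot widen the search.

```powershell
# Added example (not from the original thread): resolve an AAD login ID against
# on-premises AD the way an Alternate Login ID deployment needs it to resolve.
# 'mail' as the alternate ID attribute and the sample value are assumptions.

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping: the login ID is attacker-influenced input, so it must
    # not be able to inject wildcards or close the filter early.
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace("`0", '\00')
}

function Resolve-AadLoginId {
    param(
        [Parameter(Mandatory)] [string] $LoginId,
        [string] $AlternateIdAttribute = 'mail'   # attribute chosen at AD FS / DirSync setup (assumed)
    )
    # Attribute names are not escapable in a filter, so only accept a plain LDAP name.
    if ($AlternateIdAttribute -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
        throw "Refusing unexpected attribute name '$AlternateIdAttribute'"
    }
    $safe = ConvertTo-LdapFilterValue -Value $LoginId

    # 1. Exact UPN match: the normal case when AD and AAD suffixes agree.
    $user = Get-ADUser -LDAPFilter "(userPrincipalName=$safe)" -Properties $AlternateIdAttribute
    if ($user) { return [pscustomobject]@{ MatchedBy = 'userPrincipalName'; User = $user } }

    # 2. Alternate login ID match: the suffix differs, so fall back to the
    #    attribute AAD actually received as the user's login name.
    $user = @(Get-ADUser -LDAPFilter "($AlternateIdAttribute=$safe)" -Properties $AlternateIdAttribute)
    if ($user.Count -gt 1) {
        throw "Ambiguous alternate ID '$LoginId': $($user.Count) accounts share $AlternateIdAttribute"
    }
    if ($user.Count -eq 1) { return [pscustomobject]@{ MatchedBy = $AlternateIdAttribute; User = $user[0] } }

    # 3. No mapping: impersonation via EffectiveUserName cannot succeed for this ID.
    return $null
}

# Accounts with no alternate ID at all are the ones that will fail the lookup
# silently; report them before users do.
Get-ADUser -Filter * -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, UserPrincipalName

# Constructed sample value, not from the thread.
Resolve-AadLoginId -LoginId 'usera@corp.example'
```

The duplicate check in step 2 matters more than it looks: with a UPN the directory guarantees uniqueness, but a mail or proxy attribute does not, and resolving an external login to whichever of two accounts the query returns first is an authorization bug, not a convenience.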

  • Inbound Queue blocked: Parallel and alternative sequences are not supported

    Hi,
    Just now I checked the inbound queue in the SCM system through SMQ2 and found that it was blocked by the error message "Parallel and alternative sequences are not supported". Could you please tell me what it means and how to fix it?
    Thanks,
    Quanyin Su

    Hi Quanyin Su,
    Parallel and Alternative sequences are used in routing.
    I believe you are trying to CIF PPM/PDS from ECC to APO and you are getting this queue stuck at inbound of APO.
    Both the alternative and parallel sequences are supported in APO.
    Alternative sequence is used as alternative modes in APO.
    I can think of this as a master data issue.
    At least one of the work centers used in either of the sequences is not available in APO or is not APO-relevant.
    Could you please check your master data, such as all the work centers used, and make sure your parallel and alternative sequences are consistent.
    Once you have made sure that the master data is available in ECC, you can CIF it to APO by using the CURTO_CREATE transaction in ECC.
    Please see the link below for routing and its usage in APO:
    http://help.sap.com/saphelp_apo/helpdata/en/99/ed3a981d0f11d5b3fc0050dadf0791/content.htm
    You also need to activate a BAdI in order to send alternative sequences to APO.
    Below thread has all the details regarding this.
    Re: /SAPAPO/CURTO 103 : Mode .. is not assigned to an activity
    Regards,
    Abhay Kapase
    Edited by: AbhayKapase on Aug 5, 2011 2:24 PM
