LDAP authentication in AD (users from other trusted domain)

Hi
I have two domains: my own, DOMAINA.LOCAL, and another, trusted one, DOMAINB.LOCAL.
I use LDAP authentication in AD for authenticating users (AnyConnect).
Now I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
I do not want a direct connection to the domain controller in the trusted domain.
My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use the username "DOMAINB\userindomainb") when I connect with an RDP client to some server (for example, to my domain controller).
But if I try to test aaa-server authentication from the ASA
I get an error.
I think I must use a username like "DOMAINB\userindomainb", but this does not work.
Help me please.
Thanks!
My config:
aaa-server ADA protocol ldap
aaa-server ADA (inside) host 10.0.0.1
 ldap-base-dn dc=domaina, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
 server-type microsoft

Hello!
I see in console (debug LDAP):
Request for [email protected] returned code (10) Referral
Does ASA support authentication via LDAP referrals?
I read an old thread:
https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
and saw: CSCsj32153 Symptom: the ASA/PIX doesn't currently support LDAP Referral searches.
But I use:
Cisco Adaptive Security Appliance Software Version 9.2(3)
Device Manager Version 7.3(3)
Compiled on Mon 15-Dec-14 05:10 PST by builders
System image file is "disk0:/asa923-smp-k8.bin"
Thanks!

Similar Messages

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, i.e., Exchange, IIS, SharePoint.
    I would like to have the default authentication into SharePoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (one-way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any Domain A users, although I have not run the two stsadm commands yet. Should I be able to, or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) Is this command setting my default people picker domain search to Domain A accounts?
    2) For testing I'm going to use my Domain A account in the command, is that acceptable?  It just needs to be an account in Domain A, correct?

  • Authenticate Users from a different domain

    Hello,
    I have three domains; Domain A, Domain B & Domain C
    Domain A does not trust Domain B
    Domain C trusts both A and B
    Users login to Domain A
    SharePoint 2013 Enterprise lives in Domain C
    Users wanting to access SharePoint must authenticate to SharePoint with their Domain B accounts.
    Crazy... I know
    I have set up people picker to work with Domain B, thank you Trevor (http://social.technet.microsoft.com/Forums/sharepoint/en-US/9f805e2d-1b39-4e1d-b5ae-c5d7b83ca690/authenticate-users-from-a-trusted-domain?forum=sharepointadminprevious)
    My next issue is that I am now testing the initial login into the SharePoint 2013 server from a standard user (who logs into Domain A in the beginning of the day)
    I have added myself (Bob) to the owners group in root site collection.  owner = Domain_B\Bob
    When I browse to my new site using IE 9 I'm presented with a not so helpful page that says, "Sorry, this site hasn't been shared with you."  That's it, no chance to log in as a different person.  Obviously SharePoint sees me as Domain_A\Bob and is letting me know that I have no access.
    What I would like to happen is for SharePoint to prompt me with the standard claims NTLM login screen so that I may login to SharePoint with my Domain_B\Bob account.  Is there a way to set this up without forms authentication?
    Oddly enough, using Firefox I am prompted for login credentials, but typing in Domain_B\Bob does not work.  If I do enter the farm service account setup in Domain_C, I am able to enter SharePoint with my farm service account credentials.
    Thanks for your help,
    -Bob

    The output of the stsadm -o getproperty -pn peoplepicker-searchadforests -url http://sharePoint-dev.mydomain.com was successfully completed.
    Capturing the LOG files as I'm trying to log in using my Domain B account, I see the following (listed below):
    ------------Event viewer:------------------------
    Failure Reason: The User has not been granted the requested logon type at this machine. 
      > This leads me to believe that I need to add DomainB\domain users to the "access this computer from the network" policy
    What do you think?
    Thanks,
    -Bob

  • Org Tech Admin can add user from other org?

    We are currently on a trial run with CIAC, and I am testing User Management with an Organization Tech Admin account (OTA).
    To my surprise, when adding a user and selecting "existing user", I can see every account currently on Cloud Portal, and even successfully add a user from another organization to my organization.
    Is there any way so that an OTA can see only the users in their own organization?

    I've been able to remove the admin role from a site administrator with an OTA.
    I know there are issues when you log in with a user, then log out and log in again with another user: CIAC considers that you are still the previous user (I've encountered the issue several times in portlets in the nsapi requests). I don't know if/how those issues are related, but I'd say that the logout/login issue where a user has the same rights as the previous user should be fixed.
    Changing OTA rights will not change that particular issue.
    For the moment, what we've done is create our own servlet for requests to the sql DB, and our own roles for most services.
    Let's see what v4 has in store for us.

  • Migrating users from other partitions

    I'm dealing with "Epic Stupid" in how Apple handles something in 10.4.
    My hard drive developed a few bad blocks. It's becoming unusable because apparently those bad blocks are directly under certain key files, because it's hard to do much without getting "stun locked" by the gorram beach ball.
    Anyway, my disk has a second partition on it which was unused. I went ahead and formatted that partition, wrote the partition with zeros (which I hope had the effect of flagging all bad blocks), and installed OS X 10.4.10 from the DVDs.
    Naturally the system comes up and treats me like I'm a completely new user of MacOS. It allows me to import users from other partitions -- but here's the problem. It wants to migrate the users, which would be great for preserving disk permissions - but then it wants to COPY ALL THEIR DATA. That's ridiculous. Their data is already on the other partition. I want to copy the identities but not all their data.
    How am I supposed to do that? Import the user identities and tie it back to the UID that's on the other partition so <user X> can access <user X>'s data?
    By the way, other than that, putting the boot OS on the new partition is working great. No beach balls unless I touch the other partition.

    Yeah, I know. Virtually all of my data is copied off already. I say "virtually" because the backup was piecemeal, and I'm
    a) not 100% sure I got everything and
    b) not looking forward to hand-reassembling my entire environment from scratch. I.e., I don't relish reloading all my songs into iTunes and resetting play counts to zero, having it forget which podcasts I've listened to, etc. etc.
    I would prefer if possible to get one "coherent" backup and it appears the problem partition is no longer reliably bootable.

  • How to use CSACS 3.3 to authenticate users from multiple windows domain?

    Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
    hello, here is my scenario:
    ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
    And adding those domains as trusted domains in domain1 is not an option.
    Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
    Any input is much appreciated.

    Hi Betcy,
    I am not familiar with SharePoint solutions, but as you mentioned Windows credentials, I believe it refers to Kerberos tokens. In this case you can take advantage of SPNego authentication.
    You can find more details in the following SAP note:
    SAP Note 1488409 (https://service.sap.com/sap/support/notes/1488409) - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • LDAP authentication not minding user set

    I have a publishing rule for an internal website set up with LDAP authentication for two different domains, the domain the TMG 2010 is joined to (domain1) and another external domain (domain2).  I want users from either domain to be able to authenticate, and I thought it was working perfectly, but found that anyone from domain2 can authenticate successfully (anyone can authenticate from domain1, but that's okay).
    I have an LDAP user set with the AD group from domain2 that I want to allow access, but the TMG doesn't seem to adhere to this and lets any authenticated user from that domain in.  I have added both user sets for domain1 and domain2 to the "This rule applies to requests from the following user set:" under the Users tab in the publishing rule.
    Any clues?

    Hi,
    Based on my experience, Server Authentication Certificates should exist on the DCs that you want TMG to use for authentication, and TMG must trust the issuer of the Server Authentication Certificate. You can check that in Trusted Root Certification Authorities on TMG.
    In addition, when you add an LDAP server set for LDAP user authentication, you need to add the DCs and type the AD domain name. Please note that the domain name is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
    More information:
    Configuring LDAP authentication on AD LDS
    Setting Up and Troubleshooting LDAPS
    Authentication in Forefront TMG 2010
    Best regards,
    Susie

  • Custom ldap authenticator to retrieve user bean ldap profile

    Hi,
    Wondering if we could use a custom LDAP authenticator to get the user profile from LDAP and put the data bean into the session.
    This would allow using the same connection to LDAP and benefiting from the BEA security authentication configuration.
    Any input on this ?
    Thank you

    Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

  • Adding user account from a trusted Domain - SCSM2012

    Hello ,
    The scenario I am facing now is that we have domain (A), which has the SCSM 2012 management server, and domain (B) in another forest.
    Between domain (A) and (B) there is a two-way transitive trust with forest-wide authentication.
    I need to add a user from domain (B) to a UserRole in SCSM in domain (A), so I created an AD connector for domain B.
    Then when I tried to add a user from domain (B) to a user role it gives the below error,
    but when I close the user role and reopen it I find this blank entry.
    The error:
    Application: Edit User Role
    Application Version: 7.5.2905.0
    Severity: Error
    Message: Unable to resolve the user \ associated with the user role. Error code 0. Check your active directory configuration.
    Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user \ associated with the user role. Error code 0. Check your active directory configuration.
    Would really appreciate your replies .
    Regards
    Amal Sami

    As a workaround, you can add the user by searching for the user in the format
    "domain name\User name or User ID" instead of searching by "User name or User ID".
    I am not 100% sure of the technicalities involved, but this way you would be able to add the user without any issue.

  • Using LDAP group to autenticate users from inside network to Internet

    Hi team, I have an ASA 5510 version 7.2.3 and I need to authenticate my users from the inside network to the Internet using a security group in the Active Directory. Can anyone help me with this?

    This might not be complete for your needs but it may give you enough of what you need without having to purchase full url filtering etc.
    Authenticate with LDAP as shown earlier in this thread, then use this aaa ldap with cut-through proxy -
    PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
    then do some filtering -
    ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

  • LDAP Authentication Listing the users

    Hi,
    I am new to OBIEE. I have LDAP authentication added to my repository. Please let me know how I can get the list of users in LDAP into my OBIEE Presentation Catalog and Users so that I can classify them into various groups and add security features.

    If your user groups are held in LDAP you can pull them in as part of the authentication block by mapping the attribute to the GROUP variable.
    The basic principle of using those groups and how the RPD interacts with the presentation catalogue is explained well here:
    http://obieeblog.wordpress.com/category/obiee/obiee-security/

  • LDAP query to fetch users from Two different OU

    I am looking for an AD query to get AD-enabled users from two different OUs, Stores and ServiceOffice, under the root domain.
    I am using the syntax below to fetch them in one query but am not succeeding. Please help me.
    (&(objectCategory=person)(|(ou=Stores)(ou=ServiceOffice)))

    Hi, thanks for the reply. Actually I am setting this syntax in the application, not running a PowerShell script to fetch users.
    So I need the query in LDAP filter format only...
    i.e.
    (&(objectCategory=person)(|(OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com)(ou=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com)))
    Please correct my above query.
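    As an added example that is not from either post: a small Python helper that builds an RFC 4515 filter for enabled AD users and pairs it with one search base per OU, escaping any caller-supplied value so it cannot alter the filter's structure. It uses the two OU DNs quoted in the question; the helper and function names are my own.

```python
# Added example (not from the thread): build RFC 4515 filters for enabled AD
# users and pair each with an OU search base. Caller-supplied values are
# escaped so they cannot change the filter structure (LDAP filter injection).

# ADS_UF_ACCOUNTDISABLE bit of userAccountControl, tested with the
# LDAP_MATCHING_RULE_BIT_AND extensible-match rule that Active Directory supports.
ACCOUNT_DISABLE = 2
BIT_AND_RULE = "1.2.840.113556.1.4.803"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def enabled_users_filter(extra=None) -> str:
    """Filter for enabled user objects; `extra` is an optional (attribute, value) pair."""
    parts = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNT_DISABLE}))",
    ]
    if extra is not None:
        attr, value = extra
        parts.append(f"({attr}={escape_filter_value(value)})")
    return "(&" + "".join(parts) + ")"


def searches_for_ous(ou_dns, extra=None):
    """Return one (base_dn, filter) pair per OU.

    The OU a user sits in is part of the entry's DN, not a normally populated
    attribute of the user entry, so it is selected by the search base rather
    than by an (ou=...) term in the filter. Run each pair as a subtree search.
    """
    return [(dn, enabled_users_filter(extra)) for dn in ou_dns]


# The two OU DNs from the question above.
OU_DNS = [
    "OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com",
    "OU=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com",
]

if __name__ == "__main__":
    for base_dn, ldap_filter in searches_for_ous(OU_DNS):
        print(base_dn, ldap_filter)
```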

  • Cannot create MySites for accounts from a trusted domain

    I am trying to create the MySites on our development instance using my production domain login. I can log in to the root site, and my name is rendered correctly in the drop down, but when I try to create the MySite, I am getting a user not found error. I am able to create a MySite using a dev domain account, but cannot use my production domain account. Does anyone know what security configuration needs to occur so that I can use my production account?
    The ULS log has this entry, which indicates I should be able to create the site:
    Call to PersonalSiteInstantiationState::Init for <domain\login> with IsUserSelf(): True, IsProfileAdmin: False, resulted in m_bCanUseStorage: True, m_bCanUseMicrobloggingAndFollowing: True, m_bCanPersonalize: True, m_bCanFollowTagsAndUsers: True, [MySiteHost Found?=True CompatLevel=15 Licensed?=True URL=http://<servername>:8080]
    But the actual site instantiation fails with this error:
    Exception during creation of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite(). [SPWeb Url=http://<servername:8080>/Person.aspx?accountname=<domain\account>]  Message: The specified user <domain\account> could not be found.  Stack Trace:    at Microsoft.SharePoint.SPWeb.EnsureUser(String logonName)
    Exception during queuing of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite(). [SPWeb Url=http://<servername:8080>/Person.aspx?accountname=<domain\account>]  Message: The specified user <domain\account> could not be found.

    Hi Susan,
    As I understand it, your development and production environments are two (two-way) trusted domains in one forest, and the SharePoint instance was built on the development domain. If this is the truth, please first verify whether your production domain account
    profile has been imported into the user profile service application. If it has not, refer to the following article to check the configuration of your user profile synchronization.
    https://technet.microsoft.com/en-us/library/ee721049.aspx
    If your user profile can be searched correctly, the issue might be caused by the fact that the people picker search was limited to the development domain. Please use the following command to configure the people picker search domains:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <WebApp>
    More information can be found in
    https://technet.microsoft.com/en-us/library/cc263460.aspx
    Thanks,
    Reken Liu
    TechNet Community Support

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    Is it supported to migrate users from a child source domain to a target root domain?
    I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.

    You should not need to establish a trust, as all domains within the same forest already trust each other. Are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT doesn't show a particular domain in the dropdown list, you can (and have to) type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • How to Restrict same portal user from other node

    Hi
    In my application, we charge customers for each portal user login. But I found that they can share the same user login among a number of people.
    I don't want to allow the same portal user to log in to the application if that user is already logged in and their session is still active.
    Here is the scenario:
    User A is logged in to the portal from terminal AA. Now, User A again tries to log in to the portal from terminal BB. I don't want to allow user A to log in from terminal BB because user A has an active session from terminal AA.
    Does anyone know how to implement this?
    thanks in advance.
    Srini

    Hi Srini!
    We have solved this problem with our own login portlet. Before the final login we check (from a certain table) how many logins there currently are with that username.
    But there is a problem. If the user closes the browser without logging off, the session remains active. There is a cleanup job which removes those sessions after some hours. Still, it is not very elegant.
    Regards,
    Jari
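    As an added example, not Jari's portlet code: an in-memory session registry in Python that refuses a second concurrent login for the same username and treats a session as gone once it has been idle longer than a timeout, which covers the closed-browser case without waiting for a periodic cleanup job. The class, names and timeout value are my own assumptions.

```python
# Added example (not from the thread): single-active-session enforcement with
# idle expiry. A session that is not refreshed by a request within IDLE_TIMEOUT
# seconds no longer blocks the user's next login.
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session is stale


class SessionRegistry:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._clock = clock          # injectable for testing
        self._timeout = idle_timeout
        self._sessions = {}          # session_id -> (username, last_seen, terminal)

    def _purge_stale(self):
        """Drop every session whose last request is older than the idle timeout."""
        now = self._clock()
        for sid, (_, last_seen, _) in list(self._sessions.items()):
            if now - last_seen > self._timeout:
                del self._sessions[sid]

    def active_sessions(self, username):
        self._purge_stale()
        return [sid for sid, (u, _, _) in self._sessions.items() if u == username]

    def login(self, username, terminal):
        """Return a new session id, or None if the user already has a live session."""
        if self.active_sessions(username):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = (username, self._clock(), terminal)
        return sid

    def touch(self, sid):
        """Refresh last-seen on each request; False if the session has expired."""
        self._purge_stale()
        if sid not in self._sessions:
            return False
        username, _, terminal = self._sessions[sid]
        self._sessions[sid] = (username, self._clock(), terminal)
        return True

    def logout(self, sid):
        self._sessions.pop(sid, None)
```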
