LEAP - ACS Authen. against active directory for users of another domain

Similar Messages

• Adding a listener to Active directory for user creation using Java

  Hi,
  I would like to add a listener to active directory such that when a user is created to the "Users" container, I should be notified or informed. I would like to do this with Java. What should I do ?
  Regards,
  Anand Kumar D

  You should add a NamingListener or a NamespaceChangedListener.

• Creating a New Email address policy for users in another Domain with Exchange 2013 powershell?

  Hi
  Everyone
  Is it possible to create a new-emailaddress policy with Exchange
  2013 Powershell, for users within OU´s located on another different
  domain/forest than where Exchange 2013 is installed?
  There
  is a Transitive, two way trust between the domain/forest where the users are
  located - and the Exchange 2013, multi tenant domain.
  Further
  more, and if possible, I need to create linked mailboxes to all these users as
  well.
  Í have been struckling with this issue for weeks, so please anyone -
  advice - and comment.
  Best
  Regards
  Peter
  A-ONE Solutions

  Hi Siddharth
  I want to create a new e-mailaaddress policy - and after that create linked mailboxes/users in my account domain with powershell.
  Can you help me achieve that ?
  I have a powershell CMDlet, but i doesn´t work. (Cannot fint user OU in my account domain)
  CMDlet is as follows:
  New-EmailAddressPolicy -Name $CustomerName   -RecipientContainer "OU=$CustomerName, OU=kunder, DC=Domain, DC=local" -IncludedRecipients 'AllRecipients' -ConditionalCustomAttribute1 $CustomerName -Priority '1' -EnabledEmailAddressTemplates SMTP:%2g%1s@$AcceptedEmailDomain
  Where $Customername = test.dk
  and Account domain is = OU=kunder, DC=Domain, DC=local
  But the command fails with:
  New-EmailAddressPolicy : Couldn't find organizational unit "OU=Test.dk, OU=kunder, DC=Domain, DC=local". Make sure you have typed the name correctly.
  At line:52 char:1
  + New-EmailAddressPolicy -Name $CustomerName   -RecipientContainer "OU=$CustomerNa
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : NotSpecified: (:) [New-EmailAddressPolicy], ManagementObjectNotFoundException
      + FullyQualifiedErrorId : [Server=HE-MBX03,RequestId=2cbe1b51-4af2-4c04-9f7e-e440000975e6,TimeStamp=24-03-2014 12:58:19] 2D00FD2A,Mi 
     crosoft.Exchange.Management.SystemConfigurationTasks.NewEmailAddressPolicy
  So, I cannot find the OU on the Account forest/Domain, even though the OU do exists in the Account domain. 
  Verifying with this: 
  Get-ADOrganizationalUnit -Identity "OU=$CustomerName,OU=kunder,DC=Domain,DC=local" –Server ‘DC01.domain.local’| FL
  This works fine, Can you please help/assist?
  Peter

• Integrating 10g and MS Active Directory for user authentication

  Can anyone point me towards a good document describing how to do this?

  There is a good description on metalink.
  Note:267153.1
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=267153.1

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• User login report in Active Directory for specific date and time

  I want to get User login report in Active Directory for specific date and time e.g user logged in at15-01-2015 from 8:00am to 4:00pm
  Is any query, script or any tool available?
  Waiting for reply please

  You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  If you would like to get back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can records from Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
  I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Impact on roaming profile accounts if we Change User logon Name to Employee Number format in Active Directory for all User accounts

  I want to understand if we change User logon Name to Employee Number format in Active Directory for all User accounts, then what would be the impact on existing profile. Whether we need to change it manualy or it will connect to same profiles in terminal
  session.
  As i observed it create new profile after logon name changed to employee number where existing users profile settings get fails to load and prompt for new settings (such as outlook reconfiguration, share drive mapping etc.).
  Kindly let me know the proper process to overcome with this, how to connect same existing roaming profile with employee number format change.

  Hi,
  What if we change the user name of user account, will it have impact on roaming profiles.
  Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
  Here is an related article below for you:
  How to Rename a Windows 7 User Account and Related Profile Folder
  http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
  Best Regards,
  Amy

• Sharepoint 2013 - Active Directory Import User Profile Property manager fields

  Hi there,
  I juste encountered actually a little issue regarding the Active Directory Import User Profil.
  Importation seems to work well but I have a little problem regarding the Manager field.
  When I verify a user profil through the sharepoint admin page ("Manage user profil") , I can see the manager field is correctly populated, but if I want to check my profil as a user (personal information), the manager field is not visible.
  With Sharepoint Admin and Manage Profil Properties, I haven't the possibility to modify some settings for the manager.
  For example, Policy parameters is greyed.
  The only way I found to show this field in a user profil is to give the permission "allow users to Edit values ...".... setting I don't want to set.
  Have you already this sort of issue ?
  Thanks for your help/idea.

  Hi Michael,
  I don't remember well what I did exactly regarding this issue because I played a lot with user profil.
  I know I used this powershell script from Sheyia which in fact help me a lot to clean and create a good profil setting.
  http://blogs.technet.com/b/sheyia/archive/2013/10/09/sharepoint-2013-another-way-to-change-order-for-user-profile-properties-via-powershell.aspx
  For example, this script help me to resolve some double entries.
  Let-me know if it help you (or not of course)

• How to authenticate user in Active Directory for an Oracle report

  Hey there,
  We have users of 1 report all over the country.
  Currently, when using the report, the user chooses a location as a parameter, then runs the report.
  The problem is we don't want the user to be able to see data from other locations, only their own.
  So how can I do this as all users are set up in Active Directory, but the only thing that distinguishes them apart is under the Properties of the user, under the General tab, the Office field says where they are located.
  Thanks in advance!

  Hey there,
  We have users of 1 report all over the country.
  Currently, when using the report, the user chooses a location as a parameter, then runs the report.
  The problem is we don't want the user to be able to see data from other locations, only their own.
  So how can I do this as all users are set up in Active Directory, but the only thing that distinguishes them apart is under the Properties of the user, under the General tab, the Office field says where they are located.
  Thanks in advance!

• How to set up authentication against Active Directory using custom account

  Hi All,
  Our development BPC server (version 7.0.112, MSSQL Server 2005) was installed using a local user in domain X. It is a single-server installation (meaning all services were installed on that server). The dev server always has the latest data/users by restoring the production backup on the dev server. For testing purpose, I need to allow a user of domain X to log in and do a testing.
  Is there a way to configure the dev server to authenticate against an Active Directory in domain X using a special user in the domain X? If yes, how can I configure the dev server?
  Thanks.

  The installation user must be a domain user with rights to browse domain X.
  Otherwise you are not able to add users fom domain.
  In your case installation was done with a local user which means you willnot be able to use domain users.
  It can be an workaround if you will change the identity for 2 COM+ components to be a domain user instead to be that local user.
  Any way I don't advice you to do this. It will be better to reinstall the dev using a domain user.
  The COM+ which has to be changed are:
  OsoftAdminServer
  OsoftUserManage
  Attention domain user used must be added into administartor group of BPC server and also to have sys admin right to SQL Server.
  I hope this will help you.
  Regards
  Sorin Radulescu

• Integration Of Cisco ACS and MS Active Directory !!!

  Hi all,
  We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
  Thanks for your help
  Regards!!!
  Rafael Turriago

  Hi,
  If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
  The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
  The Remote Agent is the application responsible to exchange data with the DCs.
  You can find detailed information in the config guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• LEAP, ACS 3.1 Active Dir username changes

  We have an active directory domain.
  We have users with 350 pcmcia cards in their thinkpads connecting to 1200 APs set to allow authentication to an external DB (the AD domain).
  Everything was happy until a user got married.
  Her name changes.
  My day is ruined.
  Now, when she logs in the ACS server flags it as a failed attempt instantly. I can replicate this perfectly. It doesn't allow her to login. When she sits down at a wired machine she can login with no problems. So we know the account is good. What I can't understand is why, if we're set to pass unknown users and all authentication to the external DB (AD domain), this doesn't work? Surely the ACS server should just treat this new username as unknown and bounce it to the AD domain?
  Anyone seen this before? Or perhaps more importantly anyone fixed this yet? I've posted over at CCO on the cisco site and no luck there yet. I've also googled extensively and nothing of use. Lots of info on password changes but nothing on username changes.
  many thanks
  J
  note: edited for clarity

  What does the error in the "Failed Attempts" log say on the ACS server?
  Is there a single AD domain in your org? If there are multipel domains, could there be a user with the same username in another domain that ACS is checking first?

• Authentication against Active Directory Forest

  Hello Everyone,
  I am new to JNDI programming and would appreciate any help in the following problem.
  I am planning to write a program using JNDI APIs to authenticate users against an Active Directory (AD) forest.
  Target AD forest contains multiple domains with two-way transitive trust between them. There are several users created in each of these domains.
  I would like to know what should be the general approach for authenticating users against such a topology.
  I have a working program which uses JNDI APIs to authenticate users against single Domain.
  A sample topology would contain domains like these.
  - abc.corp.net
  - xyy.corp.net
  - pqr.xyz.corp.net
  - hrdev.xyz.corp.net
  - lmn.corp.net
  Thanks in advance for any help
  Sandeep

  Hi,
  How does this relate to Sun Directory Server ?
  Regards,
  Ludovic

• Cisco ACS 4.2 + Active directory + peap

  Hello guys!
  We have acs 4.2 SE + remoteAgent which is located on our DC. WLAN with wpa+wpa2[802.1x auth] has been configured and all working perfectly - domain users trying to connect and gets user\pass prompt, after it auth succesfull and wireless access granted. But its a bit complicated with non-domain users, when they trying to connect to this network they get windows security alert because machine authentication not passed(PC not in domain so ACS can't auth this users). So, if i enable machine authentication under external windows database setting, acs succesfully authenticated station but wont promt for user\password. How can we enable prompting for user\pass while still maintain machine auth ?
  Thank you!

  I have a scenario for you in active directory when two passwords may be valid:
  Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
  Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
  The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
  User1 decides to call the helpdesk and changes his password to "456".
  The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be
  valid.
  If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC
  emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
  Regards,
  ~JG
  Do rate helpful posts