Lion 10.7.3 and Active Directory Bind

Hi Group!
I've searched high and low for this with no luck.
Hope someone can help.
After installing 10.7.3, we've noticed a new problem with joining the Macs to AD and creating mobile accounts now.
After the AD bind is successful, the check in 'Require confirmation before creating a mobile account' is there.
And we can't turn it off! It's almost like it's FORCED upon us.
Is there a way to turn this off permanently?!?
Beside just going into Directory Utility and unchecking it?
Because even when you do that, it comes right back on.
Half my folks here have no clue what to do with this prompt at login.

Whats up guys! Thanks for the response and sorry for the delay!
I tried that, Strontium90, no good! I was able to disable mobileconfirm using your command line, but we're still prompted with the same message when a new user logs in. See screenshots:
Thoughts?

Similar Messages

Problems with lion 10.7.3 and active directory ( windows 2008 )

Hi all,
Since LION 10.7.3 , i can't loggin my mac pro into a active directory ( windows server 2008 ).
The lion walk round and round but impossible to connect the AD ? !
In LION 10.7.2 , it was possible ......
What can i do ?
Thank in advance for help
BHT

Whats up guys! Thanks for the response and sorry for the delay!
I tried that, Strontium90, no good! I was able to disable mobileconfirm using your command line, but we're still prompted with the same message when a new user logs in. See screenshots:
Thoughts?

10.5.3 and Active Directory Binding

Hi gang!
Ever since I updated to 10.5.3, I am having all sorts of issues with AD binding to our domain now.
I'll try to keep it short...
It started with a Kerberos prompt from Entourage 2008. I was prompted with an update Kerberos window to enter my password. Entered my password but got an error that my password was invalid.
Navigated and opened the kerberos.app and noticed no ticket. Tried to create a new ticket. I was prompted with my account does not exist.
Opened directory utility and saw that my AD domain was red and my server was not responding.
Tried to unbind, got an error that the account and every other account I tried was invalid, again. Could not unbind even after restarting a few times.
So I decided to reset everything by deleting the DirectoryService directory from Library/Preferences and restarted.
Re-entered all my company information to now get an INVALID ERROR!
I cannot bind now no matter what information I enter.
And if it does pass all the steps and bind, the forest information and domain administration is not entered or received. Red dot server not responding.
I even reinstalled 10.5.3.
Still cannot bind.
Anyone know what gives?

Ok here is what I did to fix our AD/OD issues.
Login in as root.
Unbind both AD/OD and delete them.
On the Mac Server remove all three entries pertaining to machine in OD.
machine$, machine.local, LKDC......
from a terminal you can type with no quotes "dscl . -read /Users/Admin AuthenticationAuthority" to get the Hash value.
On AD delete the machine record for the computer your trying to bind (if it exists)
Delete contents of /Library/Preferences/DirectoryService (not the folder!)
Delete system keychain /Library/Keychain/System.keychain
Empty Trash
Open up Terminal Go > Utilities > Terminal
type with no quotes: "sudo rm -fr /var/db/krb5kdc"
Then type with no quotes: "sudo /usr/libexec/configureLocalKDC"
this will recreate the Hash value for the machine.
Reboot (Important)
Login as root.
Open directory Services.
Bind to OD, then to AD.
Under services make sure your "/Active Directory/All Domains" is higher than your OD record if you want authentication from AD.
Open up your Date & Time preferences and sync clock with your AD server.
Reboot.
Login. (It did take awhile before I could login, about 5-15 minutes)
I hope this helps.

Mountain Lion and Active Directory

Hi Group!
We recently moved our Macs to Mountain Lion in our domain, all with an Active Directory bind.
Since our deployment, we are noticing account AD lockouts typically from the login window.
We first noticed this with 10.8. Each deployment was upgraded and is now running 10.8.1. But the problem still prevails.
Anyone else experiencing this?

This is what I wrote to my IT today..
am I the only one?/
I am a Mac Based graphic designer in PC /AD environment. I need to access AD server through out the day.
I know it has been a while since I raised this issue. But Mac/OSX performance in AD world is getting worse and worse. It does affect our productivity and job progress.
Issues are:
1)      File access from Finder or within application. There is a constant spinning “beach ball” or turning dotted circles. Sometimes it takes up to 5 minutes for finder window to display the contents. (I believe top record has been over 30 minutes) Collapsing arrow to view the contents of the folder may take another minute.
2)      Unable to save e-mail attachments to local drive. I want to do this so that email attachment can be accessed faster if I access it locally. This could be a permission issue.
There is minor issue of…
3)      VPN.. I wanted to access server from home. And it worked for Leopard.. but ever since I upgraded to Lion I can’t log on.. and I am on Mountain Lion on my personal MacBook Pro and iMac at home.
4)      Not refreshing fast enough for updated/modified files to appear on the server.
My work around is that I use all my e-mails on PC.. but files created on Mac needs to be attached via email so.. Is upgrading our Mac to newer OSX ML an option? Do you think they have better integration with AD environment. Also, is it possible to have OSX dedicated shared server/drive mounted for easier access.
Any suggestion or help will be deeply appreciated.
Thanks.
ghj

Snow Leopard and Windows 2003 Active Directory Binding Issues

Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.

Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana

Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
james

Hi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay

Sun java directory server and Active Directory

We are using two different directory servers Sun java directory server and active directory.
My question is how we can have password synchronization between these two directory servers.
I have checked Sun Java[TM] System Identity Synchronization for Windows 1 2004Q3
http://www.sun.com/download/products.xml?id=41537425
It seems that it's supported platforms is only for solaris and windows , but I have installed my Sun java directory server on linux and obviously it doesn't work for me.
I would be grateful if anyone can suggest a solution to work around this situation.
I have checked identity manager , I would like to know that if I can do this using this product.
http://www.sun.com/software/products/identity_mgr/specs.jsp
--regards.
Sara

Yes RHEL 4 is a supported OS with DSEE 6.0.
Identity Synchronization for Windows is a part of DSEE that allows synchronization of users, passwords and groups between Sun Directory Server and Active Directory bi-directionally without altering the users environments, ie it does not require that users change their current habits.
Identity Manager is a complete identity management solution that is targetting enterprise work flow when it comes to user provisioning and de-provisioning, but also allows to build authentication and password change forms that will provision the passwords to many different systems including Sun Directory Server and Active Directory but also IBM mainframes, legacy applications, databases...
If you are implementing a complete identity management solution, then go with Identity Manager. If you need a lightweight and fast solution for just synchronizing users and passwords between Sun DS and MS AD, Identity Synchronization for Windows should be your choice.
Regards,
Ludovic.

### How to make integration between UCCX and Active Directory##

Hello,
I want to know what is the right procedure to perform a right integration between the UCCX and the Active Directory?
Waiting Yours Reply,,,,
Thanks a lot......

What version?
Assuming a current version (5.0 and higher): there is NO direct integration between CCX and Active Directory. The CCX server must not be joined to a domain.
CCX uses UC Manager End Users for synchronized usernames and passwords. If UC Manager is synchronized with an LDAP source, such as Active Directory, then this will carry forward to CCX. CCX would pass authentication requests to CCX through AXL. UCM would perform the LDAP authentication and inform CCX of the success/failure.

Cucm 9.1.2 and Active Directory(Windows Server 2003 Standart Edition SP2)

Hello!
Can CUCM 9.1.2 support an integration with Active Directory(Windows Server 2003 Standart Edition SP2)? How do I have to write down LDAP Manager Distinguished Name? I can find supporting only Active Directory 2003 in documentations without reference to Operation System.

Yes, it is possible.
Check this how-to if you have any doubts about the process.
http://blog.ipexpert.com/2010/04/28/cucm-and-active-directory-integration/
http://www.markholloway.com/blog/?p=1189

Difference between Windows NT domain registry and Active Directory registry

What are the difference(s) ?

Frank, thanks for your response :)
I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory.
While I was going through (WebSphere) documentation, I see following note.
" With Windows NT domain registry support for Windows 2000 and 2003 domain
controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
You can find the above note in this link (somewhere after 7th line)
http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with windows server 2000 or windows server 2003 because Active directory is
advanced ?
I was under the impression that, Active Directory was started with Microsoft Windows Server 2003 and Windows NT registry was used till Windows 2000 server.
After going through above links,
Windows NT registry in an old method. However, it is compatible with Windows Server 2000 and Windows server 2003 but it is recommended to use Active directory with Windows Serve 2003 as it is more advanced. And the same is recommended in WebSphere documentation
(I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003 however this is to clear doubt). Is my understanding correct ? And does windows server 2000 also support both i.e we can use either Windows
NT registry or Active directory and similarly, Either of them (Windows NT or Active Directory) could be used with Windows Server 2003 ?
And if I got it correct, Is Windows NT and Active Directory, both directory service offering from Microsoft? While NT being an old method and Active Directory being a new/advanced approach ?

Step by step process to create domain name and active directory in windows 7 64 bit

Step by step process to create domain and active directory in windows 7 64 bit
I work in an organization
I want to create a domain name SBBYDP and make it server for other computers
I want that, all users’ have a personal account while they use any computer from this organization, even they use any computer from this network they use their own account to login to network.
And this may be in Active directory option.
I installed windows 7 professional edition 64 bit
Can any person help me? Step by step process, I always thanks full all of you

Hi,
You must use the Windows Server platform system for the AD service, you can refer the following KB first:
Active Directory
http://technet.microsoft.com/en-us/library/bb742424.aspx
AD DS Deployment Guide
http://technet.microsoft.com/zh-cn/library/cc753963(v=ws.10).aspx
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Active Directory Binding Issues

I am having difficulties trying to rejoin a Mac Pro back to the domain.
It is currently running Lion 10.7.4 - some reason it dropped out of the domain
and now I can not rejoin it to the domain.
Every time I go thru Directory Utility to join it I get "unable to connect to server" or
I get "invalid credentials supplied for binding to the server" - I've gone thru terminal and also tried to
force the bind. Still nothing.
I've also done repair permissions and then try to rebind and nothing.
It's odd cuz I can ping the server from the Mac Pro - and when I launch Safari it wants proxy authentication
so it seems like it's on the domain but it isn't.
I go into Active Directory on Windows Server and can not find it in any OU's.
Pretty much at my witt's end.
Is there a way to remove all previous Active Directory Bindings and computer names from the Mac Pro and
then restart from scratch.

I am having difficulties trying to rejoin a Mac Pro back to the domain.
It is currently running Lion 10.7.4 - some reason it dropped out of the domain
and now I can not rejoin it to the domain.
Every time I go thru Directory Utility to join it I get "unable to connect to server" or
I get "invalid credentials supplied for binding to the server" - I've gone thru terminal and also tried to
force the bind. Still nothing.
I've also done repair permissions and then try to rebind and nothing.
It's odd cuz I can ping the server from the Mac Pro - and when I launch Safari it wants proxy authentication
so it seems like it's on the domain but it isn't.
I go into Active Directory on Windows Server and can not find it in any OU's.
Pretty much at my witt's end.
Is there a way to remove all previous Active Directory Bindings and computer names from the Mac Pro and
then restart from scratch.

Word 2013 and Active Directory attribut

Hi,
I'm working with WS2008R2 SP1 AD and Office standard 2013 and W7 SP1 x64. Our compagny wants to create .dotm/.dotx with automatic fields.
For example, we want that when a user opens a .dotx his name appears automatically. This one is easy it's the {AUTHOR \*MERGEFORMAT}.
But What we want to do is to do the same for the:
- street adress
- email adress
- the job title
All informations are in our Active Directory, but it seems that Word does not read directly the Active Directory info but some cached info on the computer.
So, is there a way or workaround to create some .dotx with the possibility to extrat some AD fields attribut attached with some user and at the end to build a semi automatic doc with the information of the user who has open this .dotx/.dotm?
So far, clues say that I have to write some vba script and 2 kind of solution/workaround:
The first lead is:
To retrieve the user account properties from Active Directory, we have to turn to some VBA scripts, no way to achieve this via any built-in features.
As far as I know, you can bind to the user account object by using the
GetObject function and the LDAP provider.
Then use the GetInfo method to initialize the local cache with attributes of the user account object. This step will ensure that the most up-to-date attribute values of the ADSI object are retrieved.
For example:
Set objUser = GetObject _
("LDAP://...")
objUser.GetInfo
If you want to get this attributes when you create a new document based on a template (.dotx/.dotm), you'll need to use the
AutoNew macro.
the second lead is:
http://heureuxoli.developpez.com/office/word/creermodele/#L2-G
Thank you in advance for any king od answer.
best regards

Hello,
Have you tried these two methods? What is the result and what is your decision?
If you're familiar with Visual Studio IDE and .Net Framework, I would recommend that you create a application-level or document-level Add-In for word. Because it's easy to access the AD with managed code, and it's suitable in your case. You can check the
MSDN document here for the related objects you need to use in .Net Framework to access AD:
https://msdn.microsoft.com/en-us/library/gg145037(v=vs.110).aspx
But if you just want to use VBA for Word, this kb article tells you how to do this via ADO connection:
https://support.microsoft.com/kb/187529/en-us?wa=wsignin1.0
If you want to know something about Active Directory itself, then it's not the correct forum, you can open up new thread in the AD forums for help.
Thanks for your understanding.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

DNS, Certificates, and Active Directory - School Setup Issues

Our school has been piloting a small iPad depolyment. I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
3. About 90 iPads, and a handfull of Mac desktops
In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
However, this is not the case. The setup seems to work for awhile; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of issues I am seeing:
a.) DNS service on the Mac server turns itself ON randomly. DNS should NOT be running this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
c.) AD binding breaks randomly and I have to rebind the server to AD
d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

Yes, I am not giving the real domain name here.
No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
So you have set DNS forwarders on the Mac machine?
I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
Lookup has started…
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com.                   IN        ANY
;; ANSWER SECTION:
example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
example.com.     10800          IN         NS          server.example.com.
example.com.     10800          IN         MX          10 server.example.com.
;; ADDITIONAL SECTION:
server.example.com. 10800       IN          A          192.168.1.20
Received 145 bytes from 127.0.0.1#53 in 2 ms

Active Directory binding not working

Hi
I'm trying to bind to my active directory at work.
On tiger I used the following settings
serverdomain.ad
the servers name is machine
Which worked fine.
On leopard when I use either serverdomain.ad or machine.serverdomain.ad I get the following error message
(loosely translated from swedish)
An unknown combination of domain and treecollection was used. You should use a complete DNS-name for the domain and tree collection (i.e something.company.se)
Does anyone know what I should use..the FQDN is machine.serverdomain.ad - shouldnt that work?

The answer was dns.. my client was using the correct nameserver.
The binding worked after that..although I'm not sure its autenticating as it should

Lion 10.7.3 and Active Directory Bind

Similar Messages

Maybe you are looking for