Location of Service Accounts in SP 2013 Extranet

Greetz!
I'm planning a 2013 Enterprise farm in a back-to-back topology. All of SharePoint will be installed on the DMZ. The Extranet will have it's own AD for clients. Internally, we have an AD for corporate users and we'll use ADFS for SSO. There is a one
way trust between the two forests wherein the extranet trusts our internal AD.
Is it possible to create the service accounts for SharePoint on our internal AD? My hunch is that it is not and they need to be on the domain where SP is installed but thought I'd ask anyway.
Love them all...regardless. - Buddha

No, it isn't possible with that direction of trust.
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Service Accounts in Sharepoint 2013

    Ok in SharePoint 2013, we have an intranet set up. Ok so on the central administration page, under Security, and configure service accounts, I selected Farm Account for the drop down menu at the top. We have 3 managed accounts for the intranet, which are
    sp_farm, sp_serviceapp, and sp_webapp. Now by mistake, I selected the sp_serviceapp for the (select an account for this component) and clicked ok. Now when I go to change it back to sp_farm, it gives me an error page, it says the website declined to show this
    webpage, and most likely causes: this website requires you to login. And it doesn't change it back. Would someone please let me know how I can change the component account for my farm account from sp_serviceapp to sp_farm? Thank you.

    If i understand this correctly you created a web application using the sp_farm account as the managed account for that application pool. WHen you tried to change it to another account the web application fails to load.
    If you've done it through Central Admin then that should just work, as described here:
    http://blog.morg.nl/2011/07/changing-the-identity-for-a-sharepoint-2010-application-pool-2/
    Or have i misunderstood what you've changed the various accounts for?

  • Network Service account and Exchange 2013 services

    I installed Exchange 2013 CU8 on two 2012 R2 machines, but the services that run under Network Service for Exchange won't start. If I put Network Service in the local admin group, the services start. Prior to putting it in the admin group, I gave it full
    permission on all Exchange folders, but that didn't help...thanks.

    Hi,
    Please run “setup.com /preparedomain” and see if the permission are set to default and the issue persists.
    Please add Read permission for NT AUTHORITY\Network Service to all Exchange servers in ADSIEdit to have a try:
    Expand CN=Configuration,DC=domain,DC=.com > CN=Services > CN=Microsoft Exchange > CN=Domain > CN= Administrative Groups > CN=(Group name) > CN=Servers. Right-click all Exchange service, and add Read permission for NT AUTHORITY\Network Service
    account.
    Regards,
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Winnie Liang
    TechNet Community Support

  • Cannot connect to an Exchange account in Outlook 2013 using "Microsoft Exchange Server or Compatible Service"

    Dear All,
    I cannot connect to my Exchange account in Outlook 2013 using "Microsoft Exchange Server or Compatible Service".
    First I would like to present my network environment, I have 4 physical servers;
    The first one is holding the Domain Controller 1, IP@: 192.168.1.10
    The second server is holding the additional Domain Controller which it is DC2, IP@: 192.168.1.11
    The third server is holding the Exchange 2013 Mailbox, IP@: 192.168.1.15
    And the last server is holding the Exchange 2013 CAS-HT, IP@: 192.168.1.16
    I am doing the steps below:
    1-Creating a new profile in outlook and start configuring the exchange account by entering the IP address of the Exchange-CAS Server, 192.168.1.16
    2-entering the account name: [email protected]
    3-Go to "More Settings" > "Connection" > "Connect to Microsoft Exchange using HTTP" > and entering the "Exchange Proxy Settings"
    4-type the exchange CAS Server URL, https://192.168.1.16
    5-Check the "Connect using SSL Only"
    6-Authentication Settings: "NTLM Authentication", and pressing Apply
    7-When I press the "Check Name" button, a message occurred> "The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action".
    8-I go back to the "Exchange Proxy Settings" and I Uncheck the "Connect using SSL Only" and pressing Apply
    9-i press the "Check Name" Button, a small window occurred to enter a Username and Password, so I enter the Administrator username and the administrator password and pressing "OK", but nothing is changed, I tried to enter my
    username and password in the small window and I still got the same result.
    I cannot verify the account name and I cannot complete the process.
    I appreciate you kind assistance.

    Hi,
    To narrow down the cause, I’d like to recommend the following troubleshooting:
    1. Try to login the test account through OWA.
    2. Check the Autodiscover settings: get-clientaccessserver |fl autodiscoverserviceinternaluri
    3. Check the result of directly accessing the following URL:
    https://autodiscover.domain.com/autodiscover/autodiscover.xml
    Thanks,
    Angela
    Angela Shi
    TechNet Community Support

  • Sharepoint 2013 Service accounts

    Hi,
    My current client has SharePoint 2010 and 2013, for all the web application and service application they have been using only one account, which is think is not suggested by Microsoft (correct me if i am wrong)
    i agree that each admin have their own point of view, but will the below explanation suffice and can this be suggested to the client and suggest them to use dedicated applications pools for different web applications.
    As all the web-application pools are running under the same account there is a possibility that the account might get locked due to which the other site collection, which are running under the same application pool ID,  will also be getting the error
    message "Service unavailable" by maintaining different application pools, other web applications/site collections will not be effected.
    Please advise.
    Satyam.

    The accidental locking of an account is probably the LAST concern, since that suggests that lockout policies are effectively blocking attackers.
    The primary concerns focus around the permissions granted to the accounts, and how they're used... this is why different architectures and environments will have different service account use/reuse/isolation requirements.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Do we need separate Unattended service account for each SharePoint Server 2013 BI service applications?

    SharePoint 2013 - I'm planning to use 'unattended service account' method of Secure Store Service - for Excel, Performance Point and Visio services. I'm about to create Active directory accounts for them.
    Question: Do we need separate Active directory accounts for each service
    DomainName\ExcelUnattendedAccount
    DomainName\PPSUnattendedAccount
    DomainName\VisioUnattendedAccount
    (or)
    Can I have just one Active Directory account DomainName\SharePointUnattendedAccount ?
    Are there any drawbacks having a single account? Any best practice around this? For all the three services the data sources are going to be the same. 
    Subash.S

    Security is the only reason you would separate accounts (as these accounts must have access to the source data). There should be no other drawbacks.
    Trevor Seward
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Microsoft Business Contact Manager 2013, addiiton MSSQL NT Service accounts and Sysprep deployment on WIndows 7

    Hi all,
    I'm running into a problem when trying to sysprep and deploy a Windows 7 image with Business Contact Manager pre-install during the audit mode. Before anyone shouts, I have posted the main question in the Windows 7 deployment forum, but I would like some
    additional help as to what the "NT Service" Accounts are for with regards to the BCM insatalltion
    During the installation of BCM, we get an installation of MSSQL, and during this installation MSSQL creates three user accounts used by the "NT Service" account:
    MSSQL$MSSMLBIZ
    MSSQLFLDLauncher$MSSMLBIZ
    ReportServer$MSSMLBIZ
    When you run 'sysprep' with generalise option, and use the CopyProfile in the Specialise pass, sysprep copies the profile information from the last 'changed' profile. Whilst this should be the Administrator profile (as far as I can see), what is happening
    is that the profile from 'ReportServer$MSSMLBIZ' is being used.
    The rule of thumb when using the CopyProfile option is to ensure that only ONE account is present - i.e. the current administrator profile. The easy option is therefore just to delete the MSSQL accounts.
    In the current state of play, even after I deploy the generalized image (with the copied 'ReportServer$MSSMLBIZ' account), I end up with only three users when looking at
    "Manage --> Local User and Groups" (the Administrator, Guest (disabled) and HomeGroupUser$ user), so all the above "NT Service\MSSQL" accounts disappear during the sysprep process in any case.
    I'm not sure what the effect will be on BCM for the end user. Does anyone have any suggestions as to what might be the best course of action.
    Cheers
    Chris
    Chris

    I don't suppose anyone has got any cluse about these users, what they do and how best to then deploy BCM as part of an image?
    Chris

  • Error occurred while accessing application id Excel services application unattended service account from secure store service

    Hi,
      I follow up the book "Professional SharePoint 2013 Administration" to build the SharePoint 2013 BI include Excel Services. and created the Secure Store services to save the user SP_Install for member.
    For Now, I can upload the worksheet and open it in browser, but when I tried to refresh it, the SP 2013 show error "Error occurred while accessing application id Excel services application unattended service account from secure store service".
     does anybody can help ? and do I need to turn on C2WTS ? 
    Thanks
    James Liang

    Hi James,
    Excel Services can be used with Secure Store in three primary scenarios:
    Unattended Service Account
    Embedded Connections
    External Data Connections
    If you haven't configure unattended service account yet, you could refer to the article below:
    http://technet.microsoft.com/en-us/library/hh525344(v=office.15).aspx
    More information:
    http://technet.microsoft.com/en-us/library/ff191191(v=office.15).aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Service Accounts being crawled

    Dear all,
    I have just setup a SP2013 search center.  In the people search, I am able to search out managed service users (e.g. sp_search, which I created to run the search application) are being searched out as a normal users. Of course, they can create a blog
    (since I have My Site Host site collection created) if someone login with it.
    I think I have missed something in Active Directory configuration? How can I mark sp_search as a service account not a Sharepoint or Windows users? Thanks.
    (Sorry that I am not sure I should ask in this forum section.)
    Mark

    Hi Mark,
    Also check if you have imported the service accounts to SharePoint User service profile database from AD due to the Synchronization Connection.
    Please go to user profile service application and click "Configure Synchronization Connection", make sure the connection is connected to your Organizational Unit (which doesn't contain the service accounts) containing required users from AD, then start a
    full synchronization to make sure these service accounts profile don't exist in User profile service db, then start a full search crawl and check results again.
    http://blog.sharedove.com/adisjugo/index.php/2012/07/23/setting-user-profile-synchronization-service-in-sharepoint-2013/
    Thanks,
    Daniel Yang
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected] 
    Daniel Yang
    TechNet Community Support

  • "Sorry, something went wrong" when accessing Configure service accounts under Security in SP2013

    I have come across an interesting error which appears when accessing the Configure service accounts setting under Security>General Security.
    Has anyone come across this problem? I would appreciate some help with this as I am still fairly new to SP2013.
    Thank you in advance.

    It is part of the log entry when an error occurs (usually). Basically what you need to do is watch the current log file (using ulsviewer.exe), repeat the error and then capture the error in the log file.
    http://www.wservernews.com/archives/2013-10-28.htm#EC
    http://archive.msdn.microsoft.com/ULSViewer
    Trevor Seward
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • What permission does the Service account requires on AD for the Workflow manager 1.0 to be configured in SharePoint Farm?

    What permission does the Service account requires on AD for the Workflow manager 1.0 to be configured in SharePoint Farm?
    The workflow manager configuration wizard crashes with the below error when used a domain account (setup account with full prvilige on sql and server). It requires some specific permissions on AD ? I couldnt see any documentation stating what permission
    it requires.
    Can anyone help ?
    Problem signature:
      Problem Event Name:                        CLR20r3
      Problem Signature 01:                       AUTRTV22OQMI5JWSVNDSSNCH0E5DQ2L1
      Problem Signature 02:                       1.0.20922.0
      Problem Signature 03:                       505e1b30
      Problem Signature 04:                       System.DirectoryServices.AccountManagement
      Problem Signature 05:                       4.0.30319.17929
      Problem Signature 06:                       4ffa5bda
      Problem Signature 07:                       3ef
      Problem Signature 08:                       348
      Problem Signature 09:                       KCKGYE1NBUPA2CLDHCXJ0IFBDVSEPD1F
      OS Version:                                          6.2.9200.2.0.0.272.7
      Locale ID:                                             1044
      Additional Information 1:                  8e7b
      Additional Information 2:                  8e7b3fcdf081688bfcdf47496694f0e4
      Additional Information 3:                  c007
      Additional Information 4:                  c007e99b2d5f6f723ff4e7b990b5c691
    Log Name:      Application
    Source:        Application Error
    Date:          27.08.2014 11:47:54
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      OSS01-MAP-226.global.corp
    Description:
    Faulting application name: Microsoft.Workflow.Deployment.ConfigWizard.exe, version: 1.0.20922.0, time stamp: 0x505e1b30
    Faulting module name: KERNELBASE.dll, version: 6.2.9200.16864, time stamp: 0x531d34d8
    Exception code: 0xe0434352
    Fault offset: 0x0000000000047b8c
    Faulting process id: 0x23a0
    Faulting application start time: 0x01cfc1dbe703a8ac
    Faulting application path: C:\Program Files\Workflow Manager\1.0\Microsoft.Workflow.Deployment.ConfigWizard.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: 36f30eb4-2dcf-11e4-9415-005056892fae
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-08-27T09:47:54.000000000Z" />
        <EventRecordID>7471545</EventRecordID>
        <Channel>Application</Channel>
        <Computer>OSS01-MAP-226.global.corp</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Microsoft.Workflow.Deployment.ConfigWizard.exe</Data>
        <Data>1.0.20922.0</Data>
        <Data>505e1b30</Data>
        <Data>KERNELBASE.dll</Data>
        <Data>6.2.9200.16864</Data>
        <Data>531d34d8</Data>
        <Data>e0434352</Data>
        <Data>0000000000047b8c</Data>
        <Data>23a0</Data>
        <Data>01cfc1dbe703a8ac</Data>
        <Data>C:\Program Files\Workflow Manager\1.0\Microsoft.Workflow.Deployment.ConfigWizard.exe</Data>
        <Data>C:\Windows\system32\KERNELBASE.dll</Data>
        <Data>36f30eb4-2dcf-11e4-9415-005056892fae</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
    Log Name:      Application
    Source:        .NET Runtime
    Date:          27.08.2014 11:47:54
    Event ID:      1026
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      OSS01-MAP-226.global.corp
    Description:
    Application: Microsoft.Workflow.Deployment.ConfigWizard.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.DirectoryServices.AccountManagement.MultipleMatchesException
    Stack:
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRefHelper(System.Type, System.String, System.String, System.DateTime, Boolean)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRef(System.Type, System.String, System.String, System.DateTime)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(System.DirectoryServices.AccountManagement.PrincipalContext, System.Type, System.Nullable`1<System.DirectoryServices.AccountManagement.IdentityType>, System.String,
    System.DateTime)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsUserValid(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsDomainUserValid(System.String, System.String)
       at Microsoft.ServiceBus.Commands.Common.ValidateUserAttribute.Validate(System.String)
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsViewModel.ValidateDomainUser()
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsControl.UserIdTextBox_LostFocus(System.Object, System.Windows.RoutedEventArgs)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.Controls.Primitives.TextBoxBase.OnLostFocus(System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.IsFocused_Changed(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.Controls.TextBox.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.ClearValueCommon(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata)
       at System.Windows.DependencyObject.ClearValue(System.Windows.DependencyPropertyKey)
       at System.Windows.Input.FocusManager.OnFocusedElementChanged(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.SetValueCommon(System.Windows.DependencyProperty, System.Object, System.Windows.PropertyMetadata, Boolean, Boolean, System.Windows.OperationType, Boolean)
       at System.Windows.DependencyObject.SetValue(System.Windows.DependencyProperty, System.Object)
       at System.Windows.FrameworkElement.OnGotKeyboardFocus(System.Object, System.Windows.Input.KeyboardFocusChangedEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.KeyboardDevice.ChangeFocus(System.Windows.DependencyObject, Int32)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.DependencyObject, Boolean, Boolean, Boolean)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.IInputElement)
       at System.Windows.UIElement.Focus()
       at System.Windows.Documents.TextEditorMouse.MoveFocusToUiScope(System.Windows.Documents.TextEditor)
       at System.Windows.Documents.TextEditorMouse.OnMouseDown(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.UIElement.OnMouseDownThunk(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.InputProviderSite.ReportInput(System.Windows.Input.InputReport)
       at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr, System.Windows.Input.InputMode, Int32, System.Windows.Input.RawMouseActions, Int32, Int32, Int32)
       at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr, MS.Internal.Interop.WindowMessage, IntPtr, IntPtr, Boolean ByRef)
       at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
       at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
       at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
       at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
       at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
       at System.Windows.Application.RunInternal(System.Windows.Window)
       at System.Windows.Application.Run()
       at Microsoft.Workflow.Deployment.ConfigWizard.App.Main()
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name=".NET Runtime" />
        <EventID Qualifiers="0">1026</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-08-27T09:47:54.000000000Z" />
        <EventRecordID>7471544</EventRecordID>
        <Channel>Application</Channel>
        <Computer>OSS01-MAP-226.global.corp</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Application: Microsoft.Workflow.Deployment.ConfigWizard.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.DirectoryServices.AccountManagement.MultipleMatchesException
    Stack:
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRefHelper(System.Type, System.String, System.String, System.DateTime, Boolean)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.FindPrincipalByIdentRef(System.Type, System.String, System.String, System.DateTime)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(System.DirectoryServices.AccountManagement.PrincipalContext, System.Type, System.Nullable`1&lt;System.DirectoryServices.AccountManagement.IdentityType&gt;,
    System.String, System.DateTime)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsUserValid(System.DirectoryServices.AccountManagement.PrincipalContext, System.String)
       at Microsoft.ServiceBus.Commands.Common.SecurityHelper.IsDomainUserValid(System.String, System.String)
       at Microsoft.ServiceBus.Commands.Common.ValidateUserAttribute.Validate(System.String)
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsViewModel.ValidateDomainUser()
       at Microsoft.Deployment.ConfigWizard.UICommon.AccountDetailsControl.UserIdTextBox_LostFocus(System.Object, System.Windows.RoutedEventArgs)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.Controls.Primitives.TextBoxBase.OnLostFocus(System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.IsFocused_Changed(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.Controls.TextBox.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.ClearValueCommon(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata)
       at System.Windows.DependencyObject.ClearValue(System.Windows.DependencyPropertyKey)
       at System.Windows.Input.FocusManager.OnFocusedElementChanged(System.Windows.DependencyObject, System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.FrameworkElement.OnPropertyChanged(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.NotifyPropertyChange(System.Windows.DependencyPropertyChangedEventArgs)
       at System.Windows.DependencyObject.UpdateEffectiveValue(System.Windows.EntryIndex, System.Windows.DependencyProperty, System.Windows.PropertyMetadata, System.Windows.EffectiveValueEntry, System.Windows.EffectiveValueEntry ByRef, Boolean, Boolean,
    System.Windows.OperationType)
       at System.Windows.DependencyObject.SetValueCommon(System.Windows.DependencyProperty, System.Object, System.Windows.PropertyMetadata, Boolean, Boolean, System.Windows.OperationType, Boolean)
       at System.Windows.DependencyObject.SetValue(System.Windows.DependencyProperty, System.Object)
       at System.Windows.FrameworkElement.OnGotKeyboardFocus(System.Object, System.Windows.Input.KeyboardFocusChangedEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.KeyboardDevice.ChangeFocus(System.Windows.DependencyObject, Int32)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.DependencyObject, Boolean, Boolean, Boolean)
       at System.Windows.Input.KeyboardDevice.Focus(System.Windows.IInputElement)
       at System.Windows.UIElement.Focus()
       at System.Windows.Documents.TextEditorMouse.MoveFocusToUiScope(System.Windows.Documents.TextEditor)
       at System.Windows.Documents.TextEditorMouse.OnMouseDown(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.UIElement.OnMouseDownThunk(System.Object, System.Windows.Input.MouseButtonEventArgs)
       at System.Windows.RoutedEventArgs.InvokeHandler(System.Delegate, System.Object)
       at System.Windows.EventRoute.InvokeHandlersImpl(System.Object, System.Windows.RoutedEventArgs, Boolean)
       at System.Windows.UIElement.RaiseEventImpl(System.Windows.DependencyObject, System.Windows.RoutedEventArgs)
       at System.Windows.UIElement.RaiseTrustedEvent(System.Windows.RoutedEventArgs)
       at System.Windows.Input.InputManager.ProcessStagingArea()
       at System.Windows.Input.InputProviderSite.ReportInput(System.Windows.Input.InputReport)
       at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr, System.Windows.Input.InputMode, Int32, System.Windows.Input.RawMouseActions, Int32, Int32, Int32)
       at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr, MS.Internal.Interop.WindowMessage, IntPtr, IntPtr, Boolean ByRef)
       at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
       at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
       at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
       at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
       at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
       at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
       at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
       at System.Windows.Application.RunInternal(System.Windows.Window)
       at System.Windows.Application.Run()
       at Microsoft.Workflow.Deployment.ConfigWizard.App.Main()
    </Data>
      </EventData>
    </Event>

    Hi Karthik,
    You could refer to the series of videos below to install and configure workflow manager in SharePoint 2013:
    http://technet.microsoft.com/en-us/library/dn201724(v=office.15).aspx
    The Episode 2 describes the necessary account in AD with right permission in the installation process:
    http://technet.microsoft.com/en-us/library/dn201724(v=office.15).aspx#episode2
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Why would you use a managed service account rather than a virtual account in SQL Server 2012?

    In SQL Server 2012, service accounts are created as
    virtual accounts (VAs), as described
    here, as opposed to
    managed service accounts (MSAs).
    The important differences I can see for these, based on the descriptions:
    MSAs are domain accounts, VAs are local accounts
    MSAs use automagic password management handled by AD, VAs have no passwords
    in a Kerberos context, MSAs register SPNs automatically, VAs do not
    Are there any other differences? If Kerberos is not in use, why would a DBA ever prefer an MSA?
    UPDATE:
    Another user has noted a
    possible contradiction in the MS docs concerning VAs:
    The virtual account is auto-managed, and the virtual account can access the network
    in a domain environment.
    versus
    Virtual accounts cannot be authenticated to a remote location. All virtual accounts
    use the permission of machine account. Provision the machine account in the format
    <domain_name>\<computer_name>$.
    What is the "machine account"? How/when/why does it get "provisioned"? What is the difference between "accessing the network in a domain environment" and "authenticating to a remote location [in a domain environment]"?

    Hi,
    “Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$.”
    “The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account
    using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>”
    Per the above description, they are two concepts and not conflict with each other.
    As you understand, virtual account access network resources by using the credentials of the computer account. Generally, computer account will not be granted permission unless giving the computer account permission on the shared folder manually.
    Thanks.
    Tracy Cai
    TechNet Community Support

  • Question : Service Accounts for SQL Server 2012

    Hello,
    I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
    I was reading the following
    Configure Windows Service Accounts and Permissions
    and
    Windows Privileges and Rights
    Is there a recommendation / document that would list that assocation of SQL Server Services with Actvie Directory service accounts / privileges required for installation and starting the services.
    Isn't it recommended to create separate account for every service and they should not be local accounts ?
    Hope to hear soon as to what industry standards are being followed for production systems ?
    Thank you very much in advance.
    Regards
    Nikunj

    From MSDN:
    Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed
    at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
    When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should
    not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
    From Glen Berry's Blog:
    You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular, domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine
    where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
    You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS),
    or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more
    secure and more resilient, since a problem with one account won’t affect all of the SQL Server Services.
    Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup
    program. You are going to want to make sure that the accounts don’t have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure
    location.
    Please Mark This As Answer if it solved your issue
    Please Mark This As Helpful if it helps to solve your issue
    Thanks,
    Shashikant

  • Should I use Managed Service Accounts or individual, Domain User accounts?

    I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
    I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
    At face value, I *think* any service could be successfully run using an MSA and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN,
    etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSA's do not have a shell and therefore CAN'T log on...which is by design?
    Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
    https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
    Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE
    Domain accounts - I think MOST of them could be created as MSA's and assigned to run the specific service without any problems whatsoever?
    So again, my question is: which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint service or to even perform a
    successful installation of the software?
    Ed

    No, script 1 does not create Active Directory Managed Service Accounts (see here:
    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx) These are not applicable to SharePoint and are not mentioned in any of those scripts, look at the PowerShell
    commandlets, they are very different.
    Script 1 creates active directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
    At some point you would install SharePoint using those accounts, during that process they get resisted in SharePoint as SharePoint Managed Accounts.
    Script 2 updates the settings on those managed accounts in bulk.

  • Weblogic Server cannot find Service accounts  in my MSAD via LDAP

    Hello,
    I've configured an LDAP security provider in my WebLogic server but it's only finding some of my users, not my "service account" users.
    The users are found in the following locations in the tree:
    OU=Users,OU=Accounts,DC=dev,DC=mtb,DC=com
    OU=Service,OU=Accounts,DC=dev,DC=mtb,DC=com
    So I configured the LDAP provider with the following settings:
    User Base DN: OU=Accounts,DC=dev,DC=mtb,DC=com
    All Users Filter: (blank)
    User from Name Filter: (&(cn=%u)(objectclass=user))
    User Search Scope: subtree
    User Name Attribute: cn
    User Object Class: user
    But it cannot find users in the "Service" node, only users in the "Users" node. Both users have CN=, and "user" as part of their objectClass string. Any idea what I might be missing?
    Thank you,
    -Ben

    Hi
    1. I hope you already created a datasource on Weblogic Side using weblogic admin console and create New Data Source. Create a data source preferably with this JNDI Name "jdbc/mydbDSDS". It can be anything, but standard is jdbc/whatevernameyouwant. Once data source is created, you give db details like host, port, sid, username/password. Then deploy to appropriate server(s) like using Targets screen. Once all done. Under your domain/config/jdbc, you should see a .xml file with some unique name that has all the datasource details. The jndi name tag should be like this: <jndi-name>jdbc/mydbDSDS</jndi-name>
    2. Now, edit your persistence.xml file to refer above jndi name. By default, I know, it adds that wierd name with jdbc/jdbc etc etc. But you can edit it always. Take a backup of your persistence.xml file and edit it to look like this.
      <persistence-unit name="mydbDS">
        <provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
        <jta-data-source>jdbc/mydbDSDS</jta-data-source>
        <properties>
          <property name="eclipselink.target-server" value="WebLogic_10"/>
          <property name="eclipselink.cache.shared.default" value="false"/>
        </properties>
      </persistence-unit>
    </persistence>Save it. Redeploy and see how that goes. The above file is simplified version. What it means is, just refer already deployed data source whose jndi name is "jdbc/mydbDSDS". If you really have some extra properties, you can retain them. Otherwise they are not required.
    Thanks
    Ravi Jegga

Maybe you are looking for

  • Status of backend PO appears as archived (I1101)

    Hi colleagues, I'm working with SRM5.5 as Add-On on ERP6.0 When I create a SC and release it, it is transfered into the backend and a PO is created. So far so good. After a while the status of the SC in SRM gets updated and the PO is shown with the c

  • When i plug my iphone in to my computer it doesn't show up that it's plugged in. what do i do?

    I'm trying to transfer motoblur contacts to my new iphone, but it doesnt show up that the uiphone has been plugged in. what do i do??

  • N73 & Problem with Lifeblog

    Not sure if this should have gone in here, but here goes... I bought an N73 on 3 in the UK a few weeks ago, and Lifeblog was working fine. About a week after I had the phone, my old number was ported over, and several programs stopped working, one of

  • Synch iphone with itunes on Windows vista

    I just purchased new iphone (verizon)...and when i connect to my computer - the itunes doesnt recognize the device???  My computer recognizes the device.  I have had an ipod for sometime and the computer recognizes the ipods.  Hence i cannot synch pl

  • TestStand 4.0 Types

    We have a large TestStand project with multiple development PCs and developers.  We are using Perforce to source control and share our work. We have created some custom type files which are in the Teststand\Components\User\TypePalettes directory whic