Managing ldap user querying permission at BI server level

Hello Guys
I am trying to manage the corporate resource by limiting certain users to running queries at certain times or of a certain size. I know it can be done using 'Manage -> Security' to set the query limits for each user defined in the Admin tool.
However, since we are using LDAP authentication, none of the users that are using OBIEE are created in the Admin tool; they are all set up on the LDAP server, which is configured in the Admin tool.
So in this case, how would I be able to set up query limits for these users through LDAP?
Thanks in advance

You should still create a group in your RPD and set the query limits. Then in your GROUP init block you could add something like this to make sure all users will get this group:
UNION ALL
SELECT 'GROUP', 'General Query Limits' FROM DUAL

Similar Messages

  • Managing LDAP users with Solaris Management Console

    I'm using Solaris Management Console (SMC) to manage users in our Directory Server. Unfortunately, the default "user manager" in SMC does not have a tab to manage netgroups. Does anybody else use SMC to manage users and have you created a custom tool to manage netgroups? If so, how did you do it?

    Hello Senthilkumar,
    Here are the outputs from the commands. The other ones that I left out (/var/adm/messages and showrev -p) had a lot of output and I wasn't sure what you needed. Please let me know what to post or if you want me to post the whole things.
    # more /etc/release
    Solaris 8 7/01 s28x_u5wos_08 INTEL
    Copyright 2001 Sun Microsystems, Inc. All Rights Reserved.
    Assembled 06 June 2001
    # java -version
    java version "1.2.2"
    Solaris VM (build Solaris_JDK_1.2.2_07a, native threads, sunwjit)
    Here are the errors that come back when /etc/init.d/init.wbem fails.
    Exception in thread "main" java.lang.NoClassDefFoundError: com/sun/management/viperimpl/server/ViperServer
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:495)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:110)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:252)
    at java.net.URLClassLoader.access$1(URLClassLoader.java:218)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:199)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:193)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:300)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:290)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:256)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:316)

  • LDAP user query

    Hi, I'm currently working on LDAP configuration on ACS for integrating with AD (Windows 2003) by TACACS+,
    but I'm really confused by the common LDAP configuration. After configuring it, I'm not able to map into the database.
    'LDAP NOT REACHABLE' - I keep getting this message.
    This is what I configured. My username is test3.
    User directory subtree = dc=terry, o=terry
    Group Directory subtree = ou=users, o=terry
    UserObjectType = test3
    UserObjectClass = user
    GroupObjectType = cn
    GroupObjectClass = groupOfuniqueNAMEs
    GroupAttributeName = uniqueMember
    Admin DN = uid=test3,ou=members,ou=administrators,o=terry
    I'm pretty sure that this isn't right. Can anyone give me a hand with this issue?

    With AD, usually the userobjectclass is "Person".
    The userobjecttype would be "cn" if "test3" is the value of the cn field for your user.
    It's very confusing why your user subtree is supposed to be "dc=terry, o=terry" and you state that the user DN doesn't contain "dc" ...
    I would advise you to take an LDAP browser like Softerra's and browse your AD; you will see the attributes and types of each folder etc., and it should be clearer for you.

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make those assignments through the BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem? Can anyone suggest the exact steps to configure an external LDAP store to manage the admin console via LDAP users?
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy, "cn=Administrators,ou=Groups,dc=test,dc=com", and there is one user added to this Administrators group.
    The problem that I am having is that when I modify the Admin role, to which the Administrators group should be added, I don't know what exactly I should give in the Admin role. Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com?
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here I am not sure what to do.
    Also, if the external LDAP authentication provider is the only provider, then I need to give the user information in the boot.properties file as well for WebLogic to boot properly. Now, what should I give there as the user? Still the complete DN?
    Regards,
    Neeraj Tati.

  • How to enable only a subset of LDAP users to be able to login to OBIEE

    We have enabled LDAP authentication. Now every single LDAP user can log in to the Presentation server. That is an issue. Not all LDAP users are OBIEE users. Only a small subset of the LDAP users should be able to access OBIEE. We have a database table that lists all OBIEE users. This table, however, does not have user password information. User password information is stored in the LDAP.
    So the question is how do we limit OBIEE access to only OBIEE users and not all LDAP users.
    Thank you

    Thanks for your suggestion. If I understand it correctly, the user will still be able to log in to the Presentation server but will not have access to any content using your solution approach. Did I get it right?
    In my current setup, the user gets authenticated against LDAP, then I extract the user group for that user and assign it to GROUP. Only those users who have access to OBIEE get assigned to GROUP. We have secured the RPD and Catalogs so that a user must be a member of at least one GROUP to be able to access content.
    Right now, an LDAP user who is not present in the OBIEE user table is able to log in to the BI Presentation server but is not able to see anything, because the user gets authenticated but does not have any authorization rights. So far so good.
    I would like to take the next step, where user login to the BI Presentation server is denied if the user id does not exist in the OBIEE user table (but exists in the LDAP).
    Thank you

  • LDAP Users and Groups

    Hi,
    I have configured an LDAP Authenticator for an external LDAP directory in the security realm of the samples portal. User Management is working, but when I try to access the Group Management for the LDAP Authenticator I get the following error:
    com.bea.p13n.usermgmt.hierarchy.TreeNotBuiltException: State: UNINITIALIZED. Tree is uninitialized. Add provider GAAD to list of providers to build. Tree is uninitialized. Add provider GAAD to list of providers to build.
    It seems that this needs to be set up. How do I do this?
    Some general notes on LDAP:
    I think that in a production environment it is of great value to manage users and groups in an LDAP directory. For instance, we have a company directory which contains all users. It seems that users from LDAP cannot be added to groups which are in the DB. LDAP also has the advantage of supporting dynamic groups.
    As in previous WebLogic releases, the LDAP authenticator is read only. It would be great if the write functionality could be added as well. Actually, managing LDAP users and groups in one place would be a tremendous improvement for us.
    Another thing on my wishlist is examples for delegated administration and visitor entitlements. For the sample portal these are empty. But I think it would be nice to have some out-of-the-box examples that show what is possible and help developers and business analysts to understand the concepts and create their own roles.
    It would be interesting to read what Bea and other developers think about this.
    Kind regards,
    Kai

    Marcus,
    Yes, I am using 9.2 TP.
    We are already using LDAP for user management with 8.1.
    Now, I try to configure 9.2 as well. I am running 9.2 installations on different machines. When I click on Service Administration in the Admin Portal, I get the following error message for each installation:
    java.lang.NullPointerException
    at com.bea.jsptools.serviceadmin.ads.ToolAdServiceBean.cloneFromAdServiceBean(ToolAdServiceBean.java:190)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdContentProviderNodes(ServiceAdminTreeBuilder.java:769)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.buildAdServiceBranch(ServiceAdminTreeBuilder.java:746)
    at com.bea.jsptools.serviceadmin.ServiceAdminTreeBuilder.createTreeElement(ServiceAdminTreeBuilder.java:184)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:234)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildWholeTree(TreeService.java:235)
    at com.bea.jsptools.patterns.tree.TreeService$DefaultTreeServiceImpl.buildTree(TreeService.java:122)
    at util.tree.TreeController.constructTree(TreeController.java:142)
    at util.tree.TreeController.buildTree(TreeController.java:422)
    at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
    at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
    at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:852)
    at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:782)
    at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:456)
    at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
    at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:336)
    at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1984)
    at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2055)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:535)
    at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:821)
    at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:625)
    at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:156)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1178)

  • Initial SharePoint Server 2013 setup -- unable to manage new User Profile Service Application

    During initial farm setup, creating an initial User Profile Service Application works fine.  However, once it's created, I cannot 'manage' it through the Manage Service Applications page in central
    admin.
    I get a generic error (Sorry, something went wrong / unexpected error) with a correlation ID that doesn't seem to match any ULS log entries. (Yes, I merged logs from all machines in the farm.)
    A Windows event log entry says:
    A failure was reported when trying to invoke a service application: Endpoint Failure
    Also frequent errors in ULS logs:  (see below)
    UserProfileApplicationNotAvailableException     
    User Profile Application      Proxy failed to retrieve partitions from User Profile Application: Micro…
    SPDistributedCache DataCacheException
    I did notice that the file 'ProfileService.svc' does not exist in SharePoint's web services app at the URL you see in the error. (below)
    I also found it interesting that the event log error shows 1 active endpoint and 3 failed endpoints.  I have 2 WFEs and 2 app servers.  But I'm only trying to get the user profile service app running on the application
    servers.  I have deleted and recreated this service app several times under various names (deleted/recreated its app pool as well) and wonder if these other failed endpoints could be orphans from previous instances...
    Any thoughts on how I might successfully create this service application?  I've already been Binging my head against a wall long enough that I would have been better off reinstalling the entire farm...  I may still
    do that.
    FYI, my farm came from a slipstreamed SP1 install package, and received the July CU after several other things were already configured, including the already-failed UP service application.
    Log Name:      Application 
    Source:        Microsoft-SharePoint Products-SharePoint Foundation 
    Date:          8/8/2014 6:11:54 PM 
    Event ID:      8313 
    Task Category: Topology
    Level:         Error 
    Keywords:       
    User:          xyz\sp_farm
    Computer:      spapp1.xyz.local 
    Description: 
    A failure was reported when trying to invoke a service application: EndpointFailure 
    Process Name: w3wp 
    Process ID: 4284 
    AppDomain Name: /LM/W3SVC/560632691/ROOT-1-130519915587486075 
    AppDomain ID: 2 
    Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:3f215b603e634a629875945488863f75#authority=urn:uuid:9f338b52a7b049b193d8f8dc514fdadd&authority=https://spapp1:32844/Topology/topology.svc 
    Active Endpoints: 1 
    Failed Endpoints:3 
    Affected Endpoint: http://spapp1:32843/3f215b603e634a629875945488863f75/ProfileService.svc
    Event Xml: 
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
      <System> 
        <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" /> 
        <EventID>8313</EventID> 
        <Version>15</Version> 
        <Level>2</Level> 
        <Task>13</Task> 
        <Opcode>0</Opcode> 
        <Keywords>0x4000000000000000</Keywords> 
        <TimeCreated SystemTime="2014-08-08T23:11:54.738080000Z" /> 
        <EventRecordID>14550</EventRecordID> 
        <Correlation ActivityID="{02A1AC9C-1125-6026-E124-A52653003266}" /> 
        <Execution ProcessID="4284" ThreadID="16072" /> 
        <Channel>Application</Channel> 
        <Computer>spapp1</Computer> 
        <Security UserID="S-1-5-21-499312637-3451022336-10712144539-44056" /> 
      </System> 
      <EventData> 
        <Data Name="string0">EndpointFailure</Data> 
        <Data Name="string1">w3wp</Data> 
        <Data Name="int2">4284</Data> 
        <Data Name="string3">/LM/W3SVC/560632691/ROOT-1-130519915587486075</Data> 
        <Data Name="int4">2</Data> 
        <Data Name="string5">urn:schemas-microsoft-com:sharepoint:service:3f215b603e634a629875945488863f75#authority=urn:uuid:9f338b52a7b049b193d8f8dc514fdadd&amp;authority=https://spapp1:32844/Topology/topology.svc</Data> 
        <Data Name="int6">1</Data> 
        <Data Name="int7">3</Data> 
        <Data Name="string8">http://spapp1:32843/3f215b603e634a629875945488863f75/ProfileService.svc</Data> 
      </EventData> 
    </Event> 
    Log Name:      Application 
    Source:        Microsoft-SharePoint Products-SharePoint Foundation 
    Date:          8/8/2014 6:51:04 PM 
    Event ID:      8313 
    Task Category: Topology 
    Level:         Error 
    Keywords:       
    User:          VANTAGE\sp_farm 
    Computer:      spapp1.vantage.local 
    Description: 
    A failure was reported when trying to invoke a service application: EndpointFailure 
    Process Name: OWSTIMER 
    Process ID: 8472 
    AppDomain Name: DefaultDomain 
    AppDomain ID: 1 
    Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:3f215b603e634a629875945488863f75#authority=urn:uuid:9f338b52a7b049b193d8f8dc514fdadd&authority=https://spapp1:32844/Topology/topology.svc 
    Active Endpoints: 1 
    Failed Endpoints:3 
    Affected Endpoint: http://spapp2:32843/3f215b603e634a629875945488863f75/ProfileService.svc
    Event Xml: 
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
      <System> 
        <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" /> 
        <EventID>8313</EventID> 
        <Version>15</Version> 
        <Level>2</Level> 
        <Task>13</Task> 
        <Opcode>0</Opcode> 
        <Keywords>0x4000000000000000</Keywords> 
        <TimeCreated SystemTime="2014-08-08T23:51:04.938901900Z" /> 
        <EventRecordID>14596</EventRecordID> 
        <Correlation /> 
        <Execution ProcessID="8472" ThreadID="17360" /> 
        <Channel>Application</Channel> 
        <Computer>spapp1.vantage.local</Computer> 
        <Security UserID="S-1-5-21-499312637-3451022336-10712144539-44056" /> 
      </System> 
      <EventData> 
        <Data Name="string0">EndpointFailure</Data> 
        <Data Name="string1">OWSTIMER</Data> 
        <Data Name="int2">8472</Data> 
        <Data Name="string3">DefaultDomain</Data> 
        <Data Name="int4">1</Data> 
        <Data Name="string5">urn:schemas-microsoft-com:sharepoint:service:3f215b603e634a629875945488863f75#authority=urn:uuid:9f338b52a7b049b193d8f8dc514fdadd&amp;authority=https://spapp1:32844/Topology/topology.svc</Data> 
        <Data Name="int6">1</Data> 
        <Data Name="int7">3</Data> 
        <Data Name="string8">http://spapp2:32843/3f215b603e634a629875945488863f75/ProfileService.svc</Data> 
      </EventData> 
    </Event> 
    20:22:31.94 SharePoint Portal Server User Profiles cm6y High  
    User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging
    :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have 6cd1c1f0-5874-4f8e-9c0a-ed1aff342048     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()    
    at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext)  
    20:22:38.16 SharePoint Portal Server User Profiles d22b High  
    Failure retrieving application ID for User Profile Application Proxy 'User Profile Service Application': Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging
    :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have 6cd1c1f0-5874-4f8e-9c0a-ed1aff342048     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()    
    at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_AppID()  
    20:22:44.25 SharePoint Foundation DistributedCache ah24v High  
    [Forced due to logging gap, cached @ 08/08/2014 20:22:38.16, Original Level: Verbose] DistributedCacheClient TransportProperties- ChannelInitializationTimeout '{0}', ConnectionBufferSize '{1}',                                  
    MaxBufferPoolSize '{2}', MaxBufferSize '{3}', MaxOutputDelay '{4}',ReceiveTimeout '{5}'.  
    20:22:55.26 SharePoint Foundation DistributedCache ah24w Unexpected  
    Unexpected Exception in SPDistributedCachePointerWrapper::InitializeDataCacheFactory for usage 'DistributedViewStateCache' - Exception 'Microsoft.ApplicationServer.Caching.DataCacheException: ErrorCode<ERRCA0017>:SubStatus<ES0006>:There
    is a temporary failure. Please retry later. (One or more specified cache servers are unavailable, which could be caused by busy network or servers. For on-premises cache clusters, also verify the following conditions. Ensure that security permission has been
    granted for this client account, and check that the AppFabric Caching Service is allowed through the firewall on all cache hosts. Also the MaxBufferSize on the server must be greater than or equal to the serialized object size sent from the client.). Additional
    Information : The client was trying to com...  

    Thanks for the suggestion.  I performed the service restarts, and then an iisreset on the two web servers, and the application server that does not run the services.  Finally, I ran iisreset on the application server that does run the services.
    After performing those steps, I still cannot manage the user profile service application.
    ULS log at the time of the attempt contains User Profile Application Proxy errors (in my original post) and am also noticing the following error:
    08:15:21.17 SharePoint Foundation General ajlz0 High Getting Error Message for Exception System.Web.HttpUnhandledException
    (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException:
    This User Profile Application's connection is currently not available. The Application Pool or User Profile Service may not have been started. Please contact your administrator.     at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ProfileAdminPage.get_CurrentApplicationProxy()    
    at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ManageUserProfileServiceApplicationBase.OnPreRender(EventArgs e)     at System.Web.UI.Control.PreRenderRecursiveInternal()    
    at System.Web.UI.Page.ProcessRequestMain(Boolean
    includeStagesBeforeAsyncPoint, Boolean
    includeStag...  
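
An added example, not part of the thread above: a small parser for the Event ID 8313 XML quoted in the first post. It groups the affected endpoints by host so they can be compared with the servers that are supposed to run the service application. The field labels and the `expected_hosts` parameter are assumptions introduced here.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: labels inferred by lining up each <Data> value with the rendered
# description of the two events quoted in the post, not from a published schema.
FIELDS = {
    "string0": "failure", "string1": "process_name", "int2": "process_id",
    "string3": "appdomain_name", "int4": "appdomain_id",
    "string5": "service_application_uri", "int6": "active_endpoints",
    "int7": "failed_endpoints", "string8": "affected_endpoint",
}

# Constructed sample: the two events from the post, trimmed to the fields used here.
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>8313</EventID>
    <TimeCreated SystemTime="{time}" />
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="string0">EndpointFailure</Data>
    <Data Name="string1">{proc}</Data>
    <Data Name="int2">{pid}</Data>
    <Data Name="string5">urn:schemas-microsoft-com:sharepoint:service:3f215b603e634a629875945488863f75#authority=urn:uuid:9f338b52a7b049b193d8f8dc514fdadd&amp;authority=https://spapp1:32844/Topology/topology.svc</Data>
    <Data Name="int6">1</Data>
    <Data Name="int7">3</Data>
    <Data Name="string8">http://{host}:32843/3f215b603e634a629875945488863f75/ProfileService.svc</Data>
  </EventData>
</Event>"""
SAMPLE_EVENTS = [
    _TEMPLATE.format(time="2014-08-08T23:11:54.738080000Z", computer="spapp1",
                     proc="w3wp", pid=4284, host="spapp1"),
    _TEMPLATE.format(time="2014-08-08T23:51:04.938901900Z", computer="spapp1.vantage.local",
                     proc="OWSTIMER", pid=8472, host="spapp2"),
]


def parse_event(xml_text):
    """Turn one exported <Event> element into a flat dict with readable keys."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = data.get("Name")
        value = (data.text or "").strip()
        record[FIELDS.get(name, name)] = int(value) if name.startswith("int") else value
    return record


def summarize(events, expected_hosts):
    """Group EndpointFailure events by service application id and endpoint host."""
    summary = {}
    for ev in events:
        if ev.get("event_id") != 8313 or ev.get("failure") != "EndpointFailure":
            continue
        url = urlsplit(ev["affected_endpoint"])
        app_id = url.path.strip("/").split("/")[0]
        # The id at the end of the service URN should equal the endpoint's first path segment.
        urn_id = ev["service_application_uri"].split("#")[0].rsplit(":", 1)[-1]
        info = summary.setdefault(app_id, {"hosts": Counter(), "processes": set(),
                                           "id_mismatch": False, "failed_endpoints": 0})
        info["hosts"][url.hostname] += 1
        info["processes"].add(ev["process_name"])
        info["id_mismatch"] |= urn_id != app_id
        info["failed_endpoints"] = max(info["failed_endpoints"], ev["failed_endpoints"])
    for info in summary.values():
        # Hosts that report a failing endpoint but are not meant to run the service.
        info["unexpected_hosts"] = sorted(set(info["hosts"]) - set(expected_hosts))
    return summary


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for app_id, info in summarize(parsed, {"spapp1", "spapp2"}).items():
        print(app_id, dict(info["hosts"]), sorted(info["processes"]), info["unexpected_hosts"])
```
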

  • Server App not seeing external LDAP users & groups

    I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
    When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
    I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
    Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that include a mapping for GeneratedUID to one which does not for example.
    This is all so much more opaque than our superbly reliable Snow Leopard servers!
    TIA

    Ok, and again:
    You want to see users and groups, which are stored in a third-party directory service like OpenLDAP, in your Server.app? This is what you have to do:
    1. Connect the third-party LDAP to your server.
    2. Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to log in with them.
    3. When you see your LDAP entry in the Directory Manager, change it from "From Server" to "RFC2307".
    4. Edit the entry and add the following mapping to it: GeneratedUUID maps to apple-generateduuid
    5. To your group and user entries in the external LDAP add the following attribute: apple-generateduuid gets the value taken from the output of "uuidgen"
    6. Feel lucky
    And there it is; now you are able to use the accounts taken from an external LDAP.

  • Users not showing in Terminal Server Under Remote desktop services manager and Task Manager

    Hi All,
    I have a problem here in Terminal Server. I cannot see the users logged in to the server, but I know users are accessing the files and currently working.
    1. From the Task Manager-- Show processes from all users displays all the processes being accessed by users.
    2. From the Task Manager-- From Users Tab--No users list at all
    3. From the Command Prompt- Query users-- No information
    4. From the Remote desktop services Manager-- used with IP/Host name-- Still cannot see the users list and processes. So I cannot kill the session if needed.
    Environment:
    TS CALS 20 currently accessing 15 users
    VM-WARE GUEST: 2008 RS Terminal Services/Remote Desktop services installed
    Windows up to date-- Just updated last month
    The problem has been here for a long time. I just couldn't find the time to troubleshoot.
    UMESH DEUJA MCP,MCTS,MCSA,CCNA

    Hi,
    Thank you for posting in Windows Server Forum.
    As you have tried many steps, I suggest you try the command line and PowerShell commands below to see if they work in your case. Please try the command below with admin access:
    qwinsta /server:<servername>
    To kill a session use rwinsta to delete the session specifying the ID number:
    rwinsta /server:computer01 3
    Here's the list of command line tools for Remote Desktop. Or, you can use PowerShell:
    Get-RDUserSession and Disconnect-RDUser
    Please check the list of PowerShell commands from this link.
    Hope it helps!
    Thanks,
    Dharmesh

  • SQL Query for Project Permission in Project Server 2010

    HI
    I have assigned multiple users to multiple projects with different permission levels.
    The permission level is assigned from Project Permission (icon in the ribbon in PWA 2010):
    1. Open the project within Project Professional or Project Web App
    2. Edit and Save the project within Project Professional or Project Web App
    3. Edit Project Summary Fields within Project Professional or Project Web App
    4. Publish the project within Project Professional or Project Web App
    5. View the Project Summary in the Project Center
    6. View the Project Schedule Details in Project Web App
    7. View the Project Site
    Is there any SQL query to find which user/resource is assigned to which projects and which of the above permissions are assigned?
    Thanks
    Farhan

    Hi Farhan,
    Please find the SQL below, which will give the project permission users:
    select RES_SECURITY_GUID from ProjectServer_Published.dbo.MSP_RESOURCES where RES_UID = '37A56C30-34DE-417B-95A8-42FBA6F47565'
    select PROJ_NAME  from ProjectServer_Published.dbo.MSP_PROJECTS where PROJ_UID in (
    select distinct c.PROJ_UID from ProjectServer_Published.dbo.MSP_WEB_SECURITY_PROJECT_CATEGORIES c
              INNER JOIN ProjectServer_Published.dbo.MSP_WEB_SECURITY_SP_CAT_RELATIONS pcr on pcr.WSEC_CAT_UID = c.WSEC_CAT_UID
              INNER JOIN ProjectServer_Published.dbo.MSP_WEB_SECURITY_SP_CAT_PERMISSIONS pcp on pcp.WSEC_REL_UID = pcr.WSEC_REL_UID
              INNER JOIN ProjectServer_Published.dbo.MSP_WEB_SECURITY_GROUP_MEMBERS gm on gm.WSEC_GRP_GUID = pcr.WSEC_SP_GUID
              INNER JOIN ProjectServer_Published.dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS AS SFA ON SFA.WSEC_FEA_ACT_UID = pcp.WSEC_FEA_ACT_UID
              INNER JOIN ProjectServer_Published.dbo.MSP_WEB_CONVERSIONS AS CONV ON CONV.CONV_VALUE = SFA.WSEC_FEA_ACT_NAME_ID where (1=1)
    And (CONV.LANG_ID = 1033) and gm.WRES_GUID = '2F5512D4-F561-43AF-AB7B-A189B0B9B6E8') -- Replace with above returned RES_SECURITY_GUID
    Vivek

  • CSCul66951 LDAP routing query fails when user name is the same (6 july 2014)

    In the case CSCul66951 "LDAP routing query fails when user name is the same", it is mentioned that version 8.0.2-055 corrects this bug. How come I don't see this version in the Available Upgrades menu on my IronPort C370?
    Is there someone on the support team who has tried this LDAP query on an IronPort C370 with this version in the development lab?
    Do I have to open a support case to get this version of AsyncOS?
    Best regards,
    Benoit Belair
    University of Quebec in Montreal

    Yes - CSCul66951 - this was included w/ the 8.0.1-HP1, and is rolled into 8.5.6-074 GA release.
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/release_notes/ESA_8-0-1_HP1_Release_Notes.pdf
    CSCun02766 - 8.5.6-063, which was superseded by the 8.5.6-074 GA release.  
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_Release_Notes.pdf

  • Messaging server and external LDAP user store

    Is it possible to have an external LDAP application store all user information and then have the messaging server authenticate against it and create a mail profile in its own LDAP instance, similar to the way portal handles LDAP users? If not, what is the best way to store user information outside of the mail server instance? Create an LDAP instance and extend the schema to support the mail classes and then use replication to push the users into the mail server's directory instance?

    Correct, extending the schema on the master directory server and replicating down to the messaging server ldap instance the user info is the way to go.
    This way you do not have to maintain two different sets of user data.
    -Chris

  • Grant execute permission to stored proc for user setup on initial DB server creation

    When I set up my SQL Azure DB it asked me to create a login, which I did. Now I need to give that user execute permission on some stored procs, but when I run
    GRANT EXECUTE ON ELMAH_GetErrorsXml TO MyUser;
    I get the error
    Cannot find the user 'MyUser', because it does not exist or you do not have permission.
    If I look under Security -> Users I do not see my user listed; I only see dbo, guest, INFORMATION_SCHEMA, and sys.

    Hi,
    Please refer these links for more details.
    http://azure.microsoft.com/en-us/documentation/articles/sql-database-get-started/
    http://msdn.microsoft.com/en-us/library/ms187965.aspx
    http://msdn.microsoft.com/en-us/library/ms173463%28v=SQL.100%29.aspx
    Girish Prajwal

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration that is working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to get the Android devices running. For this reason I haven't done this yet.
    I followed these steps:
    1- Create a new tenant
    2- Configure LDAP integration
    3- Create an inventory policy with authentication required
    4- Create a static group associated with the inventory policy
    5- Create an enrolment policy associated with the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then the message "user or password incorrects" is shown.
    I have looked at the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.  

