Manual Tomcat Active Directory (AD) Authentication with multiple domains

Similar Messages

• Active Directory integrated LION with offline Domain Controller

  Hi,
  I have some OS X Lion machine, and all of them joined into the Win2008 AD. There is no any issue when the Domain Controller is reahcable, but when it is not reahcable, or the machine is not in the same network as the DC, then I am not able to login with my AD user.
  In Windows the last credential is stored on the local machines. So if the machine is OFFLINE from the DC, then it is able to let the AD user to login.
  Is there any trick or option how I can implement it with my LION clients? Or there is no way to use AD user when the AD is not reachable?
  Thanks in advance!

  He actually didn't specify much about dynamic updates requirements for old domains, if they don't need secure dynamic updates then a primary zone would work:
  The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load
  either a standard primary or directory-integrated zone.
  REF: Understanding Dynamic updates
  This post is provided AS IS with no warranties or guarantees, and confers no rights.
  ~~~
  Questo post non fornisce garanzie e non conferisce diritti

• VPN Concentrator authentication with multiple domains

  I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independant of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users the belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication seperate.
  Thanks in advance for any help.

  To authenticate users that belong to site A domain using site A's domain controller you should authenticate users the belong to site A domain using site A's domain controller

• Invoking 'active directory external authentication plug-in'  from login.jsp

  Hi
  I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
  Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
  Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
  For this requirement, we have 'active directory external authentication plug-in' installed on server.
  What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
  kindly let me know

  Hi
  I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
  Then i serach using the user name in ldap directory.
  NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
  as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.

• Can Active Directory be used with SmartView?

  Hi,
  I wanted to know if Active Directory be used with SmartView or is it essential to have Native Directory? We are using Active Directory for all user/group creation and Shared Services for provisioning. However, we are unable to provide access to SmartView using AD.
  We are seriously looking for a workaround here and I would appreciate any insight on the same. Please let me know how? This would be greatly helpful. Thanks.

  There is nothing special to get SmartView to authenticate with Active Directory.
  SmartView will be using Shared Services to authenticate. Shared Services must be configured to communicate with Active Directory and your user id's in Native Directory and Active Directory should be different. If for instance you had two user names that were the same, it will prefer one directory over the other depending on your configuration.
  Regards,
  -John

• NTLM Authentication with a domain controller/active directory

  Hi,
  I have a requirement to do an NTLM authentication with the MS active directory.
  I am aware that JNDI doesn't support this protocol to communicate with the AD.
  I have looked into couple of online solutions available but that doesn't seem to meet my requirement. Most of the solutions like (Apache commons NTLMScheme/NTCredentials and java.net.Authenticator etc...) are used for only NTLM proxy authentication (where both username, password is sent to the proxy server which does the actual NTLM authentication with the Active Directory.)
  What I need is a solution in Java where I can directly contact Active directory for negotiation of challenge/response mechanism.
  Can any of you guys suggest any alternative to achieve this ?

  it really depends to be honest. I'd probably go something like this though:
  One Small physical server to act as a domain controller - you could put DHCP on this too
  One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
  Then for your VM's create the following:
  1 x additional domain controller
  For remote desktop services:
  1 x Remote Desktop Session Host
  1 x Connection Broker
  1 x Gateway and web server
  For additional services
  1 or 2 x Exchange
  1 x sharepoint
  1 x IIS
  but it really depends what you want to achieve. 
  The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
  If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
  Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• Active Directory SSO Sharepoint with External sources

  I hope someone can advise me.  We use Active Directory (AD FS 2.0 SAML) for authorization/authentication for SSO.  Our new library platform that is hosted by a 3rd party complies with CAS 3 (SAML is only supported with CAS 4) they have no plans
  to update to CAS 4 anytime soon.
  How can I achieve a SSO solution from our SharePoint for users to have seamless access to their respective libraries using the attributes in AD??

  where did you see this error ? is there anymore details.
  i think the account you are using for Sync does not have Replicate Directory Changes permission in AD. follow below article and give Replicate directory changes permission.
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Thanks, Noddy

• MS Active Directory LDAP Authentication/Locking Issue.

  Dear All,
  We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
  We have used following things with LDAP feature.
  1. User Authentication.
  2. Locking account after exceed the maximum attempts that has configured in window server.
  Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
  If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
  Can any body know what are the possibilities for identifying and resolving this issue?
  Please help us if anybody has any experienced about it.
  Please do the needful.
  Thanks,
  Mehul.

  Hi,
  Thanks for your reply.
  We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
  Following code for checking whether ADS User is valid or not.
  * Function checks whether ADSUser is valid user or not
  * @returns int value indicating result.
  public int isValidADSUser() {
  Hashtable env = new Hashtable(5);
  Vector adsInfoVec = getADSInfo();
  env.put("java.naming.referral", "ignore");
  // env.put("java.naming.security.authentication", "simple");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  String provider = "com.sun.jndi.ldap.LdapCtxFactory";
  env.put("java.naming.factory.initial", provider);
  //For handling Uncontinued reference found message of partial result exception
  env.put(Context.REFERRAL, "follow");
  env.put("java.naming.ldap.derefAliases", "always");
  env.put("java.naming.ldap.deleteRDN", "false");
  env.put("java.naming.ldap.attributes.binary", "");
  env.put(Context.PROVIDER_URL,
  "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
  (String) adsInfoVec.elementAt(1));
  // env.put("java.naming.security.principal",
  // userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  env.put(Context.SECURITY_PRINCIPAL,
  userNameStr + "@" + (String) adsInfoVec.elementAt(0));
  if (userPassStr == null) {
  userPassStr = "";
  // env.put("java.naming.security.credentials", userPassStr);
  env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
  try {
  DirContext ctx = new InitialDirContext(env);
  ctx.lookup("");
  //System.out.println(ctx.lookup(""));
  ctx.close();
  catch (javax.naming.AuthenticationException ex) {
  //System.out.println();
  ex.printStackTrace();
  return AUTHENTICATION_ERROR;
  catch (javax.naming.PartialResultException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (javax.naming.CommunicationException pex) {
  pex.printStackTrace();
  return COMMUNICATION_ERROR;
  catch (NamingException e) {
  System.out.println("Failed to connect to ");
  e.printStackTrace();
  return COMMUNICATION_ERROR;
  return SUCCESS;
  Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
  Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
  Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
  Your optimistic reply is much appreciated.
  Thanks,
  Mehul Garnara.
  Edited by: [email protected] on Mar 6, 2008 10:24 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM
  Edited by: [email protected] on Mar 6, 2008 10:25 PM

• 10.4.8 on Active Directory & connecting Xserve with Appletalk not SMB

  Hi
  I have bound my Tiger 10.4.8 desktop to Microsoft Active Directory for my company for security reasons.
  The issue I am having is that when I connect to Xserve with 10.3.9 server (which is running Windows and Appletalk sharing) is there anyway to automatically choose/mount Appletalk first rather than manually connecting with Go Server?
  I was thinking a Applescript that mounting the shares.
  Thanks in advance.

  I was thinking of a way that the appletalk on the Mac desktops connect to the Xserve server sharepoints.
  As I am linked into Microsoft Active Directory the users will mount all there appletalk sharepoint on our Xserve, without having to enter there user name and password but to use there active directory password to authticate login automatically.
  As this works if I connect by SMB no problem.
  If that makes sense?

• Authentication with Multiple SSIDs AP521G, using Autonomous

  I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?

  Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.

• The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

  the solution what i got from this from is to Depromote and promote it again to DC, my question when i depromote, will the OU , object will remain as it is or it will be lost. And what precautions do i need to take?
  Adding to the above points, my Domain has only 2 DC, should both the DC be demoted and promoted

   Under NO curcumstances you demote both of your DCs. You must always have one or 2DCs running, otherwise you will loose your entire AD. Only 1 DC should be demoted. you should wait couple of hours prior to promoting it back to DC role again.
  Ideally your primary DC will continue maintaining the OUs, GPOs, and user accounts.
  I would suggest brining in a new, 3rd DC intro play, leave it for a day or 2 to replicate everything properly, confirm that its propagating properly with the primary DC, and only then demote and remove the offending DC.
  There are actually ways for recovering from tombstone lifetime much painlessly than DC demotion/promotion. Depending on what is your AD running on, Windows 2003 or 2012 R2 servers:
  here a few links that might help you understand how it works:
  Primary link :http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx
  http://community.spiceworks.com/topic/343609-ad-replication-can-t-because-exceeded-tombstone-life
  https://support.microsoft.com/en-us/kb/2020053?wa=wsignin1.0
  http://shebangme.blogspot.com/2011/01/active-directory-time-since-last.html

• Authentication using multiple domains

  We've got a rather complicated configuration scenario here and I need to understand what would need to happen to put this in place, or if it can even be accomplished at all.
  We are on Business Objects XIR2 SP3 in a Windows 2003 environment. We are currently using Trusted Authentication with a 3rd party web security component (ISAPI filter) running on our IIS box, however our Web Intelligence implementation is actually done in Tomcat, which is connected to the IIS box simply using the IIS to Tomcat connector (also an ISAPI filter). We currently have the LDAP plugin configured to hit an ADAM directory server, however we are rewriting our web security solution with an AD back end. The AD back end may possibly have two different domains involved, one for internal users and one for external users. I would need to be able to authenticate users from both domains, and have all the other pieces and parts continue to work as far as authentication goes (ADAM via LDAP, trusted authentication for the thin client interface using the WEB_SESSION approach, and both AD directories with usres in each all able to authenticate to the tool set).
  First, can you tell me if it's even possible to accomplish this? And second, if it is, what kind of trust relationship does there need to be, if any, between the internal and external users AD domains? I ask because I see only one place to set up an SPN, and there are specific application server services that have to be configured to run as that given service account, so I'm assuming there has to be some sort of trust relationship there since our application servers are all installed in one of those domains.
  Thanks,
  V

  These questions keep getting more complicated
  Your domain situation depends on 2 things. If internal and external are 2 domains in the same AD forest(trust is automatic this way) then it should work fine (provided you aren't firewalling off the users as internal/external could imply).
  If they are not in the same forest then you would need a 2-way transitive trust, no firewalling, and XI 3.1 in order to map groups/users from both domains into 1 plugin (this would require the AD plugin).
  Another option might be to use the LDAP plugin for 1 forest and AD plugin for the other but that would kill your existing users. This is your only option in XIR2 if you have 2 forests.
  Regards,
  Tim

• CCM / AD intigration with Multiple domains

  Our corporation is made up of two different active directory domains. Is it possible to integrate call manager with both domains?

  If they are in the same forest, yes you can. Take a look at the following link:
  http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_2/srnd4_2/uc4_2/42drctry.htm#wp1067012
  There are definitely some added complexities and considerations in this sceario. Take a look at the following note from the previous link:
  "In a multiple-domain AD forest, try to keep the users for a specific Cisco Unified CallManager cluster within a single domain, and follow the guidelines described previously. If a single domain is not possible because users are spread across multiple domains, set the User Search Base to the lowest point in the tree containing all domains with users serviced by the Cisco Unified CallManager cluster. In structures in which serviced child domains are under the top-level domain, the User Search Base must be set at the root of the entire AD forest. In all cases, though, try to ensure that a domain controller for each serviced domain is collocated with Cisco Unified CallManager, or that the network is sufficiently resilient and fast to allow remote searches with no greater performance degradation than occurs with local searches."
  Hope this helps. If so, please rate the post.
  Brandon

• Announcing the availability of enabling Windows Server 2012 R2 Essentials' integration of Microsoft online services in environments with multiple domain controllers

  In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that
  have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials. 
  I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed.  This update adds support for both Azure
  Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.
  For more information, please go to
  http://support.microsoft.com/kb/2974308

  Hi JoeBeck,
  Thanks for the comment. Could you please tell which link you clicked to download?
  Please go to PinPoint check details and start download
  http://pinpoint.microsoft.com/en-US/applications/Dynamics-CRM-Online-Add-in-12884966386
  Thanks,
  Shanghai Wicresoft

• Essentials 2012 R2 Exchange Integration with Multiple Domain Controllers

  Attempting to integrate Exchange Server 2012 with the Essentials wizard results in the error message: "This task must be performed on the domain controller." I've found several threads that speculate this is because there are multiple domain controllers
  in the domain. Is there a workaround or patch available to resolve this issue? Why wouldn't Microsoft want the redundancy of multiple DCs?
  Thanks.

  Hi HartmannTek,
  I agree with Robert.
  We can get the following information from the article:
  Services Integration Overview for Windows Server 2012 R2 Essentials - Part 1. Please refer to.
  Currently, the Services Integration features, including Windows Azure Active Directory integration, Office
  365 integration, Windows Intune integration, and on-premises Exchange integration, are only supported in a single domain controller environment. In addition, the integration wizard must be run on a domain controller.
  Hope this helps.
  Best regards,
  Justin Gu