MBAM 2.5 in Multi-Forest with two way trust

Hi All,
If we have two forests with two way trust, say A and B. If MABM 2.5 is setup in domain A and the urls used in the GPO of domain B to make the clients report to MABM. What additional steps do we need to take to ensure all functionality work fine namely
- Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
- Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
Thanks in Advance,
Regards,
Vijay

You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define
the MBAM GPO's to the domain where client resides.
Check out this link :
MBAM 2.5 installation - Multi Domain
Cheers,
Gaurav Ranjan / Sr. Analyst-Professional Services
MICROLAND Limited -India leading Infrastructure Management Services Company
NOTE:Mark as Answer and Vote as Helpful if it helps

Similar Messages

SCOM Agent in Pending Management with two way trusted domain

Hello Guys,
I have two trusted domain abc.com & xyz.com with two-way trust forest-wise authentication enabled and my SCOM 2012 R2 Management server is part of abc.com. And there are multiple host which are part of domain xyz.com.When I am pushing agent from SCOm console
to server then agents are getting installed with success message in task pane, but my agents are now at in pending Management.
for this I am getting Event ID 20002 opsmgr connector with following message "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected." on SCOM Server.
And below message on the server where I am installing the agent.
Event 20071 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log
on the server and on the agent for events which indicate a failure to authenticate.
Event 21016 OpsMgr Connector
OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts. Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
Event 20070 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received
configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
Need help to resolve this can any one help me.
Thanks in Advance.
NM-BG
NM-BG

Hi,
Here i suspect Authentication issue.
1.Could you please if 88, 389 & 3268 ports are opened between client domain controller and management server.
2. if ports are already open collect netmon traces on both client and management server simultaneousely and check if there are any kerborose errors
Kind Regards,
Naveen Kumar B
~Bommi

SCCM 2012 R2 cross forest with one-way trust feasible?

We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
Our requirements are to support client our Windows 7 client PC's in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
in Domain A the same as our current SMS 2003 server.
What we want to do, at a minimum, using SCCM is:
Client inventory (hardware, software, user) and package distribution.
Is this do able or a no go? If not directly is there any work-around for this? Appreciate any helpful advice or feedback.
I have made the below diagram to better illustrate the scenario:
Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

Hi,
The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
Quote:
Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
two way trust with the forest of the parent (CAS or primary).
Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
Most of these items were taken from this TechNet article – please refer to the article for more information -
Planning for Communications in Configuration Manager .
For more information:
http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
Not sure which is correct...

PeoplePicker not showing domain accounts from other forest in two way trust

We recently moved from our old farm in domainA of forestA to a new farm in domainB of forestB. We also have an older farm in domainC in forestC. There is two-way trust between all these forests. By default, Peoplepicker-SearchADForests property is not set
to anything, so it will only allow forestB accounts to be looked up from AD. But, we want PeoplePicker to lookup users from both domainA and domainB. I used below script to update the settings.
$wa = Get-SPWebApplication -Identity "https://webapp"
$oldDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$oldDomain.IsForest = $false
$oldDomain.DomainName = "domainA"
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($oldDomain)
$wa.Update()
$wa = Get-SPWebApplication -Identity "https://webapp"
$newDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newDomain.IsForest = $false
$newDomain.DomainName = "domainB"
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($newDomain)
$wa.Update()
For some reason, this doesn't work for domainA. Actually, it worked once before, but it stopped working at some point. PeoplePicker is only returning domainB accounts. If I add domainC using above script, it works too, but not for domainB.
So, my question is obvious - how to make this work? I've searched for an answer a lot and went through all troubleshooting there is, but could not resolve this permanently. Any help is appreciated.
Thanks.

Thanks Vladimir. I was able to run it finally in CMD. Here are the results. Now I'm thinking that the ports are not open )) Trevor's app was probably checking the ports in domain controller servers, though not sure.
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2184
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:14004 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:22233 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:22234 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:22236 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:32843 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:32844 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 540
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 776
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 800
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 540
TCP 0.0.0.0:49177 0.0.0.0:0 LISTENING 928
TCP 0.0.0.0:49201 0.0.0.0:0 LISTENING 532
TCP SERVERIP:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 672
TCP [::]:443 [::]:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 2184
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8081 [::]:0 LISTENING 4
TCP [::]:14004 [::]:0 LISTENING 1464
TCP [::]:22233 [::]:0 LISTENING 5240
TCP [::]:22234 [::]:0 LISTENING 5240
TCP [::]:22236 [::]:0 LISTENING 5240
TCP [::]:32843 [::]:0 LISTENING 4
TCP [::]:32844 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 448
TCP [::]:49153 [::]:0 LISTENING 540
TCP [::]:49154 [::]:0 LISTENING 776
TCP [::]:49155 [::]:0 LISTENING 800
TCP [::]:49156 [::]:0 LISTENING 540
TCP [::]:49177 [::]:0 LISTENING 928
TCP [::]:49201 [::]:0 LISTENING 532

Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

HI !
We have an installed Lync 2013 Std Edt. setup and its working perfectly for one domain. Our network infrastructure ( LAN ) is being shared with our sister company. They have their own forest and domain and a two ways trust relationship with our domain. I
want to add them in our Lync 2013 topology, is it possible ?? if yes, thn what are the requirements and which changes i need to consider.
Response from experts would be greatly appreciated.

Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
Also you can refer below link
http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Mai Ali | My blog: Technical

Are there any security risks in two-way trusts?

Hello!
Can anybody enumerate security risks two-way trusts have? Security holes?
I mean two-way trusts between two domains from different forests Windows 2003\2008.
Thank you for any info.

Hi,
There are two potential threats to interforest trust relationships in Windows Server 2003 :
1: Attack on trusting forest by malicious user in a trusted forest :
A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting
forest, such as a Domain or Enterprise Administrator. SID filtering is set on all trusts by default to help prevent malicious users from succeeding with this form of attack
2: Attack on shared resources in a trusting forest by malicious users in another organization’s forest :
Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because
it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area.
For more info , Please refer :
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
Though the forest mentioned is on win 2003, this article applies to Win 2008,2008R2 forest environment as well.
Please revert in case of any queries
pankaj(MCT)

Sharepoint PeoplePicker cannot search account on 2nd Domain with 2 way trust

Hi all,
   I have run into this issue for 2 days, and cannot figure out why.
   We have 3 different Sharepoint environments, and we have two-way trust between 1st and 2nd domain.
   But, one of the environments cannot search 2nd domain in PeoplePicker.
   However, the other two environments didn't require any configuration to be able to search ppl on the 2nd domain.
   Is there anyone know what happened on the specific environment?
   P.S. That specific environment has two servers in the farm, and one of them can search the 2nd domain in PeoplePicker, but the other one cannot.
   Any idea? Thank you.
James

Hi,
The issue usually occurs due to invalid trusts between different forests or the incorrect property set using stsadm. By default the people picker would search for users from same forest as that of the SharePoint server. If want to find the users from other domain, you need to use stsadm to set “peoplepicker-searchadforests” of the people picker.
If the new domain is in the same forest as the domain in SharePoint server, try to run the command line: stsadm -o setproperty. If the two domains are not in the same forest, you must run the setapppassword operation, and then run the peoplepicker-searchadforests property
For more information, please refer to: http://technet.microsoft.com/en-us/library/cc263460.aspx
Let me know the result.
Xue-Mei Chang

AD RMS across forests with external AD trust

The RMS servers is deployed in the resource AD forest abc.com . My client also wants to let the users in other AD forests to use the RMS services. However, they only have “external trust” type with
the resource AD. I can find Microsoft document to support the “forest trust” scenario.
http://technet.microsoft.com/en-us/library/ee918789%28v=ws.10%29.aspx
But I cannot find any document that Microsoft will support the “external trust” scenario. Can anyone confirm whether this scenario work and any potential issue?
Do note that we already deployed FIM for directory synchronization. There are contact objects in the resource forest to present users/groups in the account forests.
William Yang

Hi William,
"Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your
organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest. "
Ref. http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx
So if you want to use two forests with ADRMS, deploy it to each forest and create TUD or TPD. Also you
can think of having federation services with ADFS together with ADRMS.
Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

Help with getting Web Start working with two-way SSL

I have successfully transferred data (myclient.jnlp) utilizing web browsers (IE and Mozilla) from my web server (which is set up for two-way SSL "CLIENT-CERT" required) after using the browser's utility to "import" my client-side cert (in .p12 format).
After the browser connects and downloads the "myclient.jnlp" contents and places it in a temporary file, it then kicks off the javaws process with the temporary file as a parameter. The first thing javaws does is utilize the codebase and href values (found in the temporary file) to make a "GET" call to the server for the "myclient.jnlp" file (again).
However, this fails (with a SSL handshake error) since javaws uses a different keystore than IE - the server does not receive the client-side cert. I have imported the root CA and the client cert (in .pem format) into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool command but alas my server still indicates a lack of a client-side cert.
Has anyone else tried this and got it working?

Hi Richard,
Indeed it appears that the 1.5 version will have more built-in capability for client certs. It has the look of the IE browser import capability. Unfortunately, I am stuck with having to utilize 1.4.2 for the time being. Since I have posted my original message I have found more information but have yet to get it all working. The truststore in javaws 1.4.2 does have a default (the 1.4.2 jre's cacert file - stragely enough not the same one that gets updated when you import the root CA! - but this has been noted in many other threads). The javaws keystore does not have a default and I have tried, to no avail yet, to utilize some command line parameters, see http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization - to get my client cert "available" and recognized by javaws.
With the help of some debug flags here is the output on my javaws "output" log - all seems to go well up to the point of the client's Certificate chain (which appears to be empty), after the ServerHelloDone :
trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
snipped all the regular trusted certs, left my root CA as proof it is recognized...
adding as trusted cert:
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1070211537 bytes = { 205, 211, 129, 234, 88, 129, 152, 176, 223, 180, 161, 138, 246, 183, 181, 89, 61, 252, 63, 35, 21, 34, 253, 32, 254, 124, 38, 198 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 40 CA 22 D1 CD D3 81 EA 58 81 ...E..@.".....X.
0010: 98 B0 DF B4 A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 .........Y=.?#."
0020: FD 20 FE 7C 26 C6 00 00 1E 00 04 00 05 00 2F 00 . ..&........./.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
Thread-3, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 ..@.".....X.....
0050: A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C .....Y=.?#.". ..
0060: 26 C6 &.
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie: GMT: 1070211539 bytes = { 81, 106, 82, 45, 233, 226, 89, 6, 38, 240, 71, 122, 90, 226, 255, 207, 9, 102, 205, 127, 223, 211, 4, 84, 79, 16, 101, 89 }
Session ID: {34, 167, 132, 174, 141, 4, 57, 197, 190, 207, 105, 117, 241, 9, 97, 81}
Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
** SSL_RSA_WITH_DES_CBC_SHA
[read] MD5 and SHA1 hashes: len = 58
0000: 02 00 00 36 03 01 40 CA 22 D3 51 6A 52 2D E9 E2 ...6..@.".QjR-..
0010: 59 06 26 F0 47 7A 5A E2 FF CF 09 66 CD 7F DF D3 Y.&.GzZ....f....
0020: 04 54 4F 10 65 59 10 22 A7 84 AE 8D 04 39 C5 BE .TO.eY.".....9..
0030: CF 69 75 F1 09 61 51 00 09 00 .iu..aQ...
Thread-3, READ: TLSv1 Handshake, length = 607
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
               To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
Found trusted certificate:
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
               To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
[read] MD5 and SHA1 hashes: len = 607
0000: 0B 00 02 5B 00 02 58 00 02 55 30 82 02 51 30 82 ...[..X..U0..Q0.
0010: 01 FB A0 03 02 01 02 02 01 00 30 0D 06 09 2A 86 ..........0...*.
0020: 48 86 F7 0D 01 01 05 05 00 30 57 31 0B 30 09 06 H........0W1.0..
0030: 03 55 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 .U....US1.0...U.
0040: 08 13 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 ...Virginia1.0..
0050: 03 55 04 07 13 07 46 61 69 72 66 61 78 31 11 30 .U....Fairfax1.0
0060: 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 ...U....Zork.org
0070: 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 1.0...U....Root
0080: 43 41 30 1E 17 0D 30 34 30 35 32 36 32 30 33 38 CA0...0405262038
0090: 35 39 5A 17 0D 30 34 30 36 32 35 32 30 33 38 35 59Z..04062520385
00A0: 39 5A 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 9Z0W1.0...U....U
00B0: 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 S1.0...U....Virg
00C0: 69 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 inia1.0...U....F
00D0: 61 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 airfax1.0...U...
00E0: 08 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 .Zork.org1.0...U
00F0: 04 03 13 07 52 6F 6F 74 20 43 41 30 5C 30 0D 06 ....Root CA0\0..
0100: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 30 .*.H.........K.0
0110: 48 02 41 00 E2 BD 8D E9 59 8E 07 35 2B ED 20 57 H.A.....Y..5+. W
0120: 38 00 C8 3D 34 85 50 E2 93 A0 17 C7 98 45 F3 5F 8..=4.P......E._
0130: CD 7B 4A DA 6E F0 C7 0F 7A 03 3E 69 A9 7C CD 15 ..J.n...z.>i....
0140: 46 F0 D1 C8 7A 0A E9 09 DD B7 6F 5B CD 80 29 E6 F...z.....o[..).
0150: 3A 6A 49 65 02 03 01 00 01 A3 81 B1 30 81 AE 30 :jIe........0..0
0160: 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 1D 06 ...U....0....0..
0170: 03 55 1D 0E 04 16 04 14 3F A7 DF 1F FA 90 1F 98 .U......?.......
0180: 4F BA 42 9F 21 7D B4 C4 88 76 14 DA 30 7F 06 03 O.B.!....v..0...
0190: 55 1D 23 04 78 30 76 80 14 3F A7 DF 1F FA 90 1F U.#.x0v..?......
01A0: 98 4F BA 42 9F 21 7D B4 C4 88 76 14 DA A1 5B A4 .O.B.!....v...[.
01B0: 59 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 53 Y0W1.0...U....US
01C0: 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 1.0...U....Virgi
01D0: 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 nia1.0...U....Fa
01E0: 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 08 irfax1.0...U....
01F0: 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 04 Zork.org1.0...U.
0200: 03 13 07 52 6F 6F 74 20 43 41 82 01 00 30 0D 06 ...Root CA...0..
0210: 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 41 00 29 .*.H.........A.)
0220: CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D 9E ..H../.J.s.q.X..
0230: 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD C4 .D....<.........
0240: FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 AE .R..re....ba5...
0250: FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 .........w..j..
Thread-3, READ: TLSv1 Handshake, length = 220
*** CertificateRequest
Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
Cert Authorities:
<CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
<CN=Server CA, OU=Server Division, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
[read] MD5 and SHA1 hashes: len = 220
0000: 0D 00 00 D8 03 01 02 05 00 D2 00 59 30 57 31 0B ...........Y0W1.
0010: 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0F 06 0...U....US1.0..
0020: 03 55 04 08 13 08 56 69 72 67 69 6E 69 61 31 10 .U....Virginia1.
0030: 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 78 0...U....Fairfax
0040: 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 1.0...U....Zork.
0050: 6F 72 67 31 10 30 0E 06 03 55 04 03 13 07 52 6F org1.0...U....Ro
0060: 6F 74 20 43 41 00 75 30 73 31 0B 30 09 06 03 55 ot CA.u0s1.0...U
0070: 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 ....US1.0...U...
0080: 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 03 55 .Virginia1.0...U
0090: 04 07 13 07 46 61 69 72 66 61 78 31 11 30 0F 06 ....Fairfax1.0..
00A0: 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 31 18 .U....Zork.org1.
00B0: 30 16 06 03 55 04 0B 13 0F 53 65 72 76 65 72 20 0...U....Server
00C0: 44 69 76 69 73 69 6F 6E 31 12 30 10 06 03 55 04 Division1.0...U.
00D0: 03 13 09 53 65 72 76 65 72 20 43 41 ...Server CA
Thread-3, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 175, 38, 47, 77, 131, 125, 209, 147, 174, 228, 183, 99, 34, 2, 100, 186, 77, 47, 65, 233, 82, 133, 183, 113, 8, 193, 51, 241, 167, 105, 4, 187, 57, 130, 161, 11, 178, 11, 134, 84, 96, 106, 203, 11, 195, 51 }
[write] MD5 and SHA1 hashes: len = 77
0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 39 9F EC ..........B.@9..
0010: 5F 92 FA 3D 5E 3D 0C 19 10 72 DA BE B6 14 76 62 _..=^=...r....vb
0020: AE 39 75 0B 74 10 C7 B1 42 D7 A1 22 C0 0E B8 A2 .9u.t...B.."....
0030: 22 80 73 20 36 A2 FD BB F9 3E F4 F0 91 CE 95 F8 ".s 6....>......
0040: 05 D7 22 FC 2C CF 1B AB 19 82 03 D2 F5 ..".,........
Thread-3, WRITE: TLSv1 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 AF 26 2F 4D 83 7D D1 93 AE E4 B7 63 22 02 ...&/M.......c".
0010: 64 BA 4D 2F 41 E9 52 85 B7 71 08 C1 33 F1 A7 69 d.M/A.R..q..3..i
0020: 04 BB 39 82 A1 0B B2 0B 86 54 60 6A CB 0B C3 33 ..9......T`j...3
CONNECTION KEYGEN:
Client Nonce:
0000: 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 A1 8A @.".....X.......
0010: F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C 26 C6 ...Y=.?#.". ..&.
Server Nonce:
0000: 40 CA 22 D3 51 6A 52 2D E9 E2 59 06 26 F0 47 7A @.".QjR-..Y.&.Gz
0010: 5A E2 FF CF 09 66 CD 7F DF D3 04 54 4F 10 65 59 Z....f.....TO.eY
Master Secret:
0000: 67 B9 58 74 69 18 0B 2E 00 EB AC 9B 77 15 B4 65 g.Xti.......w..e
0010: 61 A1 AC D0 F1 D5 4C CA 0E 51 FC 58 A0 11 B7 87 a.....L..Q.X....
0020: EC 72 26 D0 83 18 27 49 8F B6 32 FF E3 89 1D E4 .r&...'I..2.....
Client MAC write Secret:
0000: D5 96 AB F7 1E 46 5F 46 8A E9 3E DF A0 5E 32 5E .....F_F..>..^2^
0010: 00 FB B8 D8 ....
Server MAC write Secret:
0000: E6 7D 8E F5 6A 4C 94 4C D6 2A 3A 4D FC C1 94 A3 ....jL.L.*:M....
0010: C5 6C 5F B6 .l_.
Client write key:
0000: 18 1D 51 8C 74 6D 18 57 ..Q.tm.W
Server write key:
0000: 0D 4E 7A F1 5A D6 5F 5B .Nz.Z._[
Client write IV:
0000: 4C BB 4D FA 4F EB CB 4E L.M.O..N
Server write IV:
0000: B7 6A CA E9 66 7D 25 88 .j..f.%.
Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
*** Finished
verify_data: { 20, 20, 38, 13, 43, 235, 102, 72, 75, 212, 21, 21 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
Padded plaintext before ENCRYPTION: len = 40
0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
0010: 90 9C E9 09 F4 48 96 A6 8F AA 04 DF E9 36 72 F0 .....H.......6r.
0020: 42 F0 60 78 03 03 03 03 B.`x....
Thread-3, WRITE: TLSv1 Handshake, length = 40
Thread-3, READ: TLSv1 Alert, length = 2
Thread-3, RECV TLSv1 ALERT: fatal, handshake_failure
Thread-3, called closeSocket()
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Finalizer, called close()
Finalizer, called closeInternal(true)
So I'll toil away trying to get *right* combination of settings - please let me know if you have any ideas! FYI here are the command line settings I am using for the keystore:
-Djavax.net.ssl.keyStore=c:\myClientIdKeyStore -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=myClientIdKeyStorePass
Thanks,
Paul

How to pass data back to MS CRM online from Azure SB with two-way listener?

Hi all,
I have already setup the integration between MSCRM Online 2015 and Azure using two-way listener. However, I am unable to retrieve the return string "Success" in MSCRM side, such as System Jobs. Anyone has idea? Thanks.
https://technet.microsoft.com/en-us/library/gg334438.aspx
public string Execute(RemoteExecutionContext context)
Utility.Print(context);
return "Success";
Best Regards,
Gary

Hello Gary,
From my understanding, Azure integration with Microsoft Dynamics CRM works as follow:
A registered Azure aware plugin sends the execution context to an Azure service bus
A listener process the message as they are queued by the Azure service bus
If the listener is a two way listener, then the listener may return a string response to the plugin
The plugin receive the response and process it
So you need both an Azure aware plugin and a listener. The Azure aware plugin is responsible for sending the execution context and process the response. In your case, you would want the plugin to write the response using the tracing service.
I think you registered the default Azure aware plugin which only sends the execution context. You need to implement your own Azure aware plugin in order to process the response. the sample Plug-ins project located in SampleCode\CS\Azure\Plug-ins implements
exactly what you want to achieve.
I hope this answer will help you.

Trouble with two way calendar sync

Recently my two way calendar sync stopped working? Any ideas why?

Its hard to tell.. Maybe some setting got thrown off during the update
Please click the Thumbs Up icon if this comment has helped you!
If your issue is resolved, please click the solution button on the resolution!
Every BlackBerry should have BlackBerry Protect, get it now! | Follow me on Twitter | Bring Back BBM Music!

BGP multi-homing with two different providers – iBGP and traversal question.

I have two internet connections. Both connections are with different providers and on two separate routers. I have two ASA’s that sit behind the routers and I proxy arp all hosted services off of the ASA’s outside interface.
I am obtaining a provider independent AS number from ARIN and would like to setup eBGP peering with each provider, accepting a default route only and advertise my leased block (let’s say 50.100.150.0/24). I’d like to prepend my AS on the ISP-B connection to ensure that it is only used as backup.
Here is the real question. I know I will need to allow TCP-179 through the ASA’s to establish the iBGP connection but because the hosts that I have at site A are proxy-arp’d off of the firewall outside interface, I need some way for traffic to come in from ISP-B, to router B and then traverse over to router A so that it can be sent to ASA-Firewall A. (please see attached diagram). What is the best way to accomplish this? GRE tunnel between the routers & through the firewalls? I have ample bandwidth and low latency between site A and B.
Thanks

Is that orange line a direct connection between CPE routers? If yes, a direct iBGP connection is possible. If not, I suggest that you obtain one as it is almost impossible to make the ASAs stay in sync with BGP routing. (-: If you can't, then GRE could be a workaround.
Is ASA redundancy a requirement too? (I mean in case ASA-A fails, are the site-A servers supposed to be accessible via ASA-B?) If yes, you must ensure that the outgoing traffic (default route in internal network) is in sync with active ISP and asymmetric routing is prevented. You can solve that with object tracking and you need the same static NATs in both ASAs.
I would consider creating shared VLANs on ASA interfaces and form a failover pair too but it's a different setup.

2 domain, each with 2 way transitive truts, with sub domains pointing to the same DNS server (how should forward and reserver look zone be configured)

Hello,
I found a test environment and I just trying to understand how it works.
If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.

Hello,
I found a test environment and I just trying to understand how it works.
If I have two domains (a.com and b.com) with sub domains(a1.com and b1.com) with two way trust and I want them to point to a Windows DNS server. How should the Forward lookup zones and Reverse lookup zones be configured? In forward lookup
zones do I just add a new zone, make them all primary since only one DNS server, add a.com and b.com and do the same for reverse zones.
Do the sub domains need to be added? What about pointers? Do I add the IP address of a.com and b.com in reverse lookup zones.
A side question: When you create a Domain with dns AD intergrated the forward and reserve lookup are automatically created. You don't need to add the zone of the domain you just created but have to add zones of other domains.
Make each domain controller as a DNS server too. Reverse lookup zones & forwarders are not replicated automatically. You can create AD-Integrated reverse lookup zone & set the replication scope.
You can create AD-Integrated DNS zones in the parent/root domain, set the replication scope to the forest-wide & delegate the zones for handling request locally. Once you create AD-Integrated DNS zone & set the replication scope forest wide, all
the zones will appear automatically in each domain's DNS server.
http://awinish.wordpress.com/2011/04/09/configuring-dns-in-child-domain/
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Supported AD topology - Two forests with one domain in each

Hi all,
I've been tasked with deploying Lync in our environment and I've hit a wall in regards to Lync's AD topology support, my environment is as follows:
Two forests and each one has a single domain in it. There is a two-way trust relationship between the forests.
All of our user accounts and computer accounts are in Domain A (in Forest A)
All of our server accounts and mailboxes (linked with user account in Domain A) are in Domain B (in Forest B)
If I was to deploy Lync Server in Domain B (Forest B), can my users in Domain A (Forest A) access Lync with all functionality? Are there any special considerations I need to take into account?
Many thanks,
Craig

Hi,
It is supported by Microsoft for your Lync topology.
For your Lync topology, it is called Multiple Forests, Central Forest. The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled
user accounts. An ObjectSID of primary user account (from account forest) is mapped to corresponding disabled user account msRTCSIP-OriginatorSID attribute. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange
Server if it is deployed.
You can refer to the link below to deploy Resource Forest Topology for Lync Server 2010:
http://technet.microsoft.com/en-us/library/gg670909(v=ocs.14).aspx
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

Questions on Multi forests scenario

Hi All,
One of our customer raised the below questions:
Environment
Forest A
Domain (Contoso.com)
User accounts
Exchange 2010 + UM role
Forest B
Domain (Fabrikom.com)
Lync 2013 server with EV enabled.
We have Two way Trust and FIM in place.
Questions
Is there any restrictions on functionality when setting up User\Exchange in one forest and Lync in another forest with a two way trust and FIM?
With the two way trust, can the permissions\access to resources and service in Forest A be restricted from Forest? and is this support in the aforementioned design ?
Please advise. Many Thanks.

Hi,
Base on my knowledge, it is the supported scenario to deploy User\Exchange and Lync Server in different forest.
you need to establish a two-way trust between the resource forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the resource forest.
Best Regards,
Eason Huang
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Eason Huang
TechNet Community Support

MBAM 2.5 in Multi-Forest with two way trust

Similar Messages

Maybe you are looking for