Multi forest User discovery

Hello All,
I currently have a scenario where we have SCCM 2012 R2 sitting in domain A, forest A.
We have another domain, domain B in forest B, that we also want to manage using our SCCM in Domain A.
We have a one-way outgoing external trust from domain A towards domain B.
This means that we can use resources from domain B in domain A.
From my SCCM server in Domain A, I want to discover users in domain B.
I've set up a new Active Directory Forest in the administration pane for domain B and have assigned a domain admin account from domain B as the connection account.
In the Active Directory User Discovery method, I've added an entry for domain B to discover users in a specific LDAP path and have added that same domain admin account to discover the users in domain B.
However, when I run the Active Directory Forest Discovery method, the ADForestDisc.log displays the following:
ERROR: [ForestDiscoveryAgent]: Failed to connect to forest DomainB.infra. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted.
The adusrdis.log displays the following messages:
ERROR: Failed to read account (DomainB\FILIPADMIN) from site control file (0x87D20702)
ERROR: Failed to enumerate directory objects in AD container LDAP://OU=USERS,OU=***NAME***,DC=DomainB,DC=INFRA
I've added the domain suffix to the hosts file of my SCCM server, so it should be able to resolve the suffix.
Can anyone help me on this?
How can I get discovery going?
Thanks!
Filip

Hello Jörgen,
The issue is fixed in the meantime.
The account I was using had an underscore in the NetBIOS domain name.
I updated this to the FQDN of the domain (domain_old\account -> domain.infra\account).
Next I also found the following article from Anoop:
http://anoopcnair.com/2013/05/23/configmgr-2012-tip-on-untrusted-forest-ad-system-discovery/
I updated my discovery job to include one of the DCs and now it is working.
For now, I have added the DC to the hosts file of the computer.
How would you correctly set up name resolution?
Kind regards,
Filip
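A pre-flight check for the three things that were changed above (name resolution for the forest and for a specific DC, reachability of that DC, and a bind with the connection account in FQDN\account form against the OU named in the discovery entry), written in PowerShell as an added example. It is not code from this thread, from ConfigMgr, or from the linked article; every forest name, DC, OU and account in it is an assumed placeholder and should be replaced with your own values.

```powershell
# Added example (not from the thread, ConfigMgr or the linked article): pre-flight checks to run on
# the site server before enabling Active Directory User Discovery against a trusted forest.
# Every name below is an assumed placeholder; replace with your own values.
param(
    [string]$ForestFqdn = 'domainb.infra',                          # assumed: forest root DNS name
    [string]$DcFqdn     = 'dc01.domainb.infra',                     # assumed: the DC the discovery path names
    [string]$SearchBase = 'OU=Users,OU=Site,DC=domainb,DC=infra',   # assumed: OU from the discovery entry
    [string]$Account    = 'domainb.infra\svc-discovery'             # FQDN\account form, not NetBIOS\account
)

# 1. Name resolution. This goes through the same resolver the discovery service uses, so a hosts-file
#    entry counts, but a hosts entry only helps this one server; DNS should know the namespace.
function Test-ForestNameResolution {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
            [pscustomobject]@{ Name = $name; Resolved = $true;  Detail = ($addrs -join ', ') }
        } catch {
            [pscustomobject]@{ Name = $name; Resolved = $false; Detail = $_.Exception.Message }
        }
    }
}

# 2. Reachability of the ports discovery needs on the DC (Kerberos, LDAP, LDAPS, global catalog).
#    TcpClient is used instead of Test-NetConnection so no extra module is required.
function Test-DcPorts {
    param([string]$Dc, [int[]]$Ports = @(88, 389, 636, 3268), [int]$TimeoutMs = 3000)
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($Dc, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Dc = $Dc; Port = $port; Open = $open }
    }
}

# 3. Bind to the OU with the connection account and pull a handful of user objects.
#    The LDAP path names the DC explicitly (LDAP://dc/OU=...), which is what the fix above relies on.
function Test-DiscoveryBind {
    param([string]$Dc, [string]$SearchBase, [System.Management.Automation.PSCredential]$Credential)
    $path  = "LDAP://$Dc/$SearchBase"
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $null = $entry.NativeObject   # forces the bind; throws on bad credentials or an unreachable DC
        $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $entry
        $searcher.Filter    = '(&(objectCategory=person)(objectClass=user))'
        $searcher.SizeLimit = 5       # a small sample is enough to prove the account can enumerate the OU
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $sample = foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
        [pscustomobject]@{ Path = $path; Bound = $true;  Detail = ($sample -join ', ') }
    } catch {
        [pscustomobject]@{ Path = $path; Bound = $false; Detail = $_.Exception.Message }
    }
}

$cred = Get-Credential -UserName $Account -Message 'Discovery connection account (FQDN\account form)'
Test-ForestNameResolution -Names @($ForestFqdn, $DcFqdn) | Format-Table -AutoSize
Test-DcPorts -Dc $DcFqdn | Format-Table -AutoSize
Test-DiscoveryBind -Dc $DcFqdn -SearchBase $SearchBase -Credential $cred | Format-List
```

On the name resolution question: a hosts entry fixes exactly one server. The usual way to let every member of domain A resolve the trusted forest is a conditional forwarder (or stub zone) for the domainb.infra namespace on domain A's DNS servers, so that the forest root name and the DC names resolve without per-host edits.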

Similar Messages

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains
    We originally tried to build our own custom code but this has failed due to some unforeseen errors.
    I have reverted back to the inbuilt ciac option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
    for example
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java, you can log on with domain\user (no case sensitivity).
    Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this? Do you know if it works? I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and is not related to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross realm trust, and cross realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in ABAP engine called USRACL. This table is maintained using SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim
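The two mapping methods described in the reply above, applied to the realm-qualified principal a login module would extract from a decrypted service ticket, as an added PowerShell example. This is not CyberSafe's or SAP's code; the principals and the lookup table are constructed sample data, and the hashtable only stands in for the USRACL table the reply mentions. Its main point is the collision check, which shows why "simple mapping" stops being safe once a second realm is involved.

```powershell
# Added example (not CyberSafe's or SAP's code): the two principal-to-SAP-user mapping methods
# from the reply above, plus a check for the collision that rules out simple mapping across realms.
# Principals and the table below are constructed sample data.

# Method 1: strip the realm and upper-case what is left.
function ConvertTo-SapUserSimple {
    param([Parameter(Mandatory)][string]$Principal)
    $parts = $Principal -split '@', 2
    if ($parts.Count -ne 2 -or -not $parts[1]) { throw "Not a realm-qualified principal: $Principal" }
    return $parts[0].ToUpperInvariant()
}

# Method 2: look the full principal (realm included) up in a mapping table. The hashtable is a
# stand-in for a maintained table such as USRACL; an unmapped principal yields $null, not a guess.
function ConvertTo-SapUserFromTable {
    param([Parameter(Mandatory)][string]$Principal, [Parameter(Mandatory)][hashtable]$Table)
    if ($Table.ContainsKey($Principal)) { return $Table[$Principal] }
    return $null
}

# Report every SAP user id that more than one authenticated principal would map to.
function Find-MappingCollisions {
    param([Parameter(Mandatory)][string[]]$Principals, [Parameter(Mandatory)][scriptblock]$Mapper)
    $Principals |
        ForEach-Object { [pscustomobject]@{ Principal = $_; SapUser = (& $Mapper $_) } } |
        Where-Object { $_.SapUser } |
        Group-Object -Property SapUser |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ SapUser = $_.Name; Principals = ($_.Group.Principal -join ', ') } }
}

# Constructed sample: the same person name exists in both realms, as it easily can across forests.
$principals = @('user.name@DOMAIN1', 'user.name@DOMAIN2', 'other.user@DOMAIN1')
$usracl = @{
    'user.name@DOMAIN1'  = 'USERNAME1'
    'user.name@DOMAIN2'  = 'USERNAME2'
    'other.user@DOMAIN1' = 'OTHERUSER'
}

'Simple mapping:'
$principals | ForEach-Object { '{0,-22} -> {1}' -f $_, (ConvertTo-SapUserSimple $_) }
'Collisions under simple mapping (user.name from both realms become USER.NAME):'
Find-MappingCollisions -Principals $principals -Mapper { param($p) ConvertTo-SapUserSimple $p } | Format-Table -AutoSize

'Table mapping:'
$principals | ForEach-Object { '{0,-22} -> {1}' -f $_, (ConvertTo-SapUserFromTable $_ $usracl) }
'Collisions under table mapping (none, because the realm is part of the key):'
Find-MappingCollisions -Principals $principals -Mapper { param($p) ConvertTo-SapUserFromTable $p $usracl }
```

The table method keeps the realm in the lookup key, which is the property that makes it usable across two domains: two principals can only share a SAP user id if someone deliberately entered them that way.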

  • Multi Forest AD Authentication

    Hi ,
    I think I messed up somewhere in the web.xml. The problem is like this:
    1. I have users across geography.
    2. In AD they are in different domains, for example: Europe, Asia, NA etc.
    3. Logon the general way is
    <Domain>\<Username>
    But when I am supplying the domain name it's throwing an error. But when I login with just the username it logs in fine. But that is only for one domain. The users of other domains are not able to login.
    So please advise where to change in the XML so that they can supply the domain name.
    Regards
    Sid
    Urgently required. So please, all, a quick response will be very helpful.

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java, you can log on with domain\user (no case sensitivity).
    Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • Multi Value User Defined field on OIM user form

    Hi Everyone,
    I have a requirement where I need to assign multiple resources to a user as per access policy. These resources should be assigned by virtue of some role (custom attribute as of now). The specific requirement is that one user may have multiple roles (and hence resources) and all these values should be captured in a user defined field. As the requirement contains multiple roles, we have to create a multi-value user defined field for the User form to capture all these role values under a single attribute. Does OIM provide any such multi-value field OOTB (lookup, drop down, any customized way we can make them multi-value)?

    He's right. Multi Valued attributes on the User Profile are not available in OIM. If you want to do this, and you have a finite number of possible roles, you can create UDFs for each and map a checkbox or something to it if the user has that value. Then base your access policies off those.
    -Kevin

  • AD User Discovery (msDS-PrimaryComputer)

    We would like to pick up an AD attribute with Active Directory User Discovery, but the attribute isn't listed as an available attribute.
    The attribute we are trying to pick up is msDS-PrimaryComputer. We want to be able to report on this AD attribute and compare it against the User Device affinity data already available within SCCM.
    Has anyone been able to successfully discover this attribute?
    Any feedback is greatly appreciated.

    Done.
    If anyone else feels this should behave differently, please share
    https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/840653/ad-user-discovery-with-custom-attributes-msds-primarycomputer
    Thanks

  • Any 3rd party utilities that fix full screen mode for multi-monitor users?

    I am a multi-monitor user. As multi-monitor users know, full screen mode is basically useless since if you try to go full screen on one monitor, it causes the other monitor to go blank and become unusable (at least with most programs). Are there any 3rd party utilities or fixes for this?
    Thanks

    Spaces, which is what this functionality stems from, was limited in that it used your entire setup and switched all of the screens over; space to space. I never used spaces because I always had multiple monitors and I was always working with multiple apps simultaneously that I wanted to be able to reference while working on the others.
    Now they call Spaces, "mission control" and changed the appearance of it, but the functionality remained the same, each workstation comprised all of your monitors, and would switch over all of them when switching to a new "Desktop".
    Fullscreen apps wrongly assume that they can take the functionality of the aforementioned MS/Spaces and use it for one app, negating the whole idea of why someone would have multiple screens (real estate to work with other applications).
    If they stop considering multiple monitors as one Workspace, they can then make it so they are asynchronous "tablets" instead of one conjoined entity.
    So, you say people have been asking about this for 2 years, I've been asking for this for 5!
    The issue here is, the only answer is to not use it. Making Mission Control and Fullscreen apps completely ignored by people like us, where I could be using both functions to glide around my work station and three monitors, mixing and matching which apps I want to be viewed on each separate monitor, to perform one single task; together.
    It would actually reward people who wanted to utilize Thunderbolt technology and have more than one monitor.
    There is no telling why Apple chose to push out something that would only support the casual user, with one display, but the only direct way to let Apple know that we feel limited by the OS is to send feedback. Even though it seems that we are powerless in this situation, I hope that they do consider how to make this function better.
    </rant>

  • VDI in multi forest

    Hello everyone,
    We have a situation with Remote Desktop Services with virtual desktops where we are limited in our possibilities. We have a multi-forest domain structure with trusts between the forests; some trusts are 2-way trusts, some trusts are 1-way trusts and some forests have no trust at all.
    We are trying to implement an RDS solution with virtual desktops; the servers are in domain 1 and the client VDI VMs are in domain 2. Our question is: in which trust configuration is this supported, and is there any documentation?
    Our consideration is that we are not flexible and we need a hardware cluster for every forest and it's getting very expensive.
    Thanks in advance, I hope to get a trustful answer.
    Kind regards,
    Jasper Sybrandy

    Hi,
    Sorry for the late response. It seems there is no good document regarding your case, but you can refer to the article beneath.
    Test Lab Guide: Virtual Desktop Infrastructure Quick Start
    https://technet.microsoft.com/en-in/library/hh831585.aspx
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • User Discovery attribute added but not showing up in v_R_User

    Hi - working in 2007 here.  I added two attributes for user discovery, mail and telephoneNumber.  v_r_User.mail0 column came in fine but tel # did not show up.  Can someone point me to where I should troubleshoot this?  Thanks.

    Yea, I didn't mention that. The log only said it failed to get the optional attributes. It ended up being right under my nose. The container set was the root and was set to exclude groups, so that attribute was not available in the location it was searching. As soon as I set it to include groups I kicked off a discovery, re-ran the select for v_r_user and the column was there and starting to populate.

  • Remove Active Directory User Discovery

    We're looking at enabling Active Directory User Discovery in our Config Mgr 2012 instance as part of testing Intune. If we decide to not implement Intune, will we be able to disable Active Directory User Discovery, and remove that information from the database?
    If so, is there good documentation on how to do this?
    Thanks

    The easiest is to disable the Active Directory User Discovery and then delete all the users from the All Users collection.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Calendar permission for cross-forest users

    How can I grant a mailbox folder, like a doctor's Outlook 2010 calendar, to a cross-forest user like a receptionist?
    The reception accepts and manages all bookings for about 10 doctors and they used to work perfectly. When reception complained that she started seeing Busy status for, say, 3 out of 10 doctors, I noticed the other 7 working calendars have DomainB\Reception explicitly added on the Calendar permission while the 3 faulty ones don't.
    When I tried:
    Add-MailboxFolderPermission -Identity 'DomainADoctor1:\calendar' -User 'DomainB\Reception' -AccessRights Editor
    I simply get the error "The user "DomainB\Reception" is either not valid SMTP address, or there is no matching information."
    Obviously, the cross-forest permission still works but I cannot make the PowerShell command work. I have also tried the ExFolder utility to no avail. The old Exchange admin has left the company. We use Exchange 2010 SP2.
    Thank you for any assistance.

    Just to add more info, the reception mailbox is hosted on DomainA and it is linked to an external account DomainB\Reception.
    Alternatively, I tried:
    Add-MailboxFolderPermission -Identity 'DomainADoctor1:\calendar' -User 'Reception@DomainA.com' -AccessRights Editor
    and the command works fine, but when the Reception checks the calendar in both Outlook and OWA, she only sees "Busy" on each existing appointment and cannot add new ones.
    For those calendars that work, the Editor permission shows "NT User: DomainB" while those that won't show DomainB mailbox.
    Appreciate any help on this.
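An audit that lines up with the comparison made in the posts above (working calendars carry an explicit entry for the receptionist, faulty ones do not), written as an added PowerShell example for the Exchange Management Shell. It is not code from the thread or from Microsoft; the mailbox names and the user pattern are assumed placeholders. For each calendar it reports whether an entry matching the user exists, what rights that entry carries, and what the Default entry grants, since a calendar with no explicit entry falls back to Default.

```powershell
# Added example (not from the thread or from Microsoft): run in the Exchange Management Shell to see,
# for each doctor's calendar, whether an explicit entry for the receptionist exists and what the
# Default entry grants. Mailbox names and the user pattern are assumed placeholders.
function Get-CalendarAccessReport {
    param(
        [Parameter(Mandatory)][string[]]$Mailboxes,   # e.g. 'DomainADoctor1' (placeholder from the post)
        [Parameter(Mandatory)][string]$UserPattern    # wildcard matched against the entry's user as displayed
    )
    foreach ($mbx in $Mailboxes) {
        # ${mbx} keeps PowerShell from reading "$mbx:" as a scope qualifier.
        $entries  = @(Get-MailboxFolderPermission -Identity "${mbx}:\Calendar" -ErrorAction SilentlyContinue)
        $explicit = @($entries | Where-Object { "$($_.User)" -like $UserPattern })
        $default  = $entries | Where-Object { "$($_.User)" -eq 'Default' }
        $rights   = if ($explicit.Count -gt 0) {
            ($explicit | ForEach-Object { "$($_.User)=$($_.AccessRights -join '+')" }) -join '; '
        } else { '' }
        [pscustomobject]@{
            Mailbox        = $mbx
            ExplicitEntry  = ($explicit.Count -gt 0)
            ExplicitRights = $rights
            DefaultRights  = ($default.AccessRights -join '+')   # AvailabilityOnly is what renders as "Busy"
        }
    }
}

# Assumed doctor list; compare the rows for calendars that work with the ones that do not.
$doctors = 1..10 | ForEach-Object { "DomainADoctor$_" }
Get-CalendarAccessReport -Mailboxes $doctors -UserPattern '*Reception*' |
    Sort-Object ExplicitEntry |
    Format-Table -AutoSize
```

Reading the ExplicitRights column side by side across the ten calendars shows which user identity the working entries were granted to (the post mentions "NT User: DomainB"), which is the identity a new entry would need to match.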

  • Multi-step user registration ?

    Hi All,
    I want to create a multi-step user registration (multi-step form) in Struts.
    Please give me the idea... how to do that?
    Thanks

    We don't know what your problem is. Just put the form beans in the session object or property files, and everything else is the same as a normal Struts application.

  • AD User discovery issues

    I have a specific OU selected for User Discovery but it's discovering all user OUs and user groups. I've deleted all users out of SCCM and rediscovered and same thing. Is there a way to only discover the specific OU I'm pointing to?
    Thanks
    Chris

    Also make sure you've configured your AD group discovery correctly, as it will also discover members.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Local forest roaming profiles with remote forest users within RDS?

    We have been using RDS for some time now. New users get a new profile from (*1) "\\domain_1\netlogon\Default User.v2" when they first log on to an RDS session host. Once that is done, the profile becomes a roaming profile that is stored on (*2) "\\some_serverx_in_domain_1\profiles$\%username%".
    (Note: this last setting can be set in 4 different places. We used a GPO and used the Remote Desktop Services section to set it.)
    So far, no rocket science. Now...
    Recently we've been asked to allow user accounts from another (trusted) forest (domain_2) into our RDS environment. These users are able to log on to our RDS environment but they do not get a fresh profile from our (*1) default profile location. Instead, they get a default profile from the RDS session host and this new profile does not become roaming, so it is not saved to our (*2) location. How can we force the foreign accounts to get a roaming profile within domain_1 without having to change anything outside our administrative border?
    Note: their logon servers do not have a "Default User.v2" in their netlogon and their roaming profile settings are set in the AD properties for the user accounts. The roaming profiles they use are pre-2008 and thus unusable for our 2008 R2 RDS environment.
    We are not looking for cross-forest roaming profile functionality. We just want foreign accounts to use our roaming profile setup. Please help!

    Hi,
    Thanks for your post.
    Make sure the trusted forest user has permission to access the Default User profile. In addition, ensure the following policy is enabled:
    Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming User Profiles
    Allows user based policy processing, Roaming User Profiles and user object logon scripts for cross-forest interactive logons. This setting affects all user accounts interactively logging on to a computer in a different forest when a Cross Forest or 2-Way Forest trust exists.
    How to troubleshoot Group Policy object processing failures that occur across multiple forests
    http://support.microsoft.com/kb/910206
    Best Regards,
    Aiden
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Aiden Cao
    TechNet Community Support
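A check for the two prerequisites named in the reply above, to run on an RDS session host, written as an added PowerShell example; it is not code from the thread or from Microsoft. The first function reads the ACL of the default profile folder and reports whether the foreign account, or a well-known group it belongs to at logon, is granted read access; the second reads the registry value the cross-forest policy sets. The profile path and account are placeholders, and the registry value name is my assumption about how that policy is delivered, to be confirmed against your ADMX or gpresult.

```powershell
# Added example (not from the thread, not Microsoft's): checks the two prerequisites from the reply
# above on an RDS session host. Paths and the account are assumed placeholders.
function Test-DefaultProfileAccess {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # e.g. '\\domain_1\netlogon\Default User.v2' (placeholder from the post)
        [Parameter(Mandatory)][string]$Account        # e.g. 'domain_2\jane.doe' (placeholder)
    )
    $acl = Get-Acl -LiteralPath $ProfilePath
    # A trusted-forest user is also a member of these well-known groups on the host at logon,
    # so an Allow ACE for them covers the account as well as one naming it directly.
    # Deny entries are not evaluated here; this is a quick read-access check, not a full ACL evaluation.
    $covering = @($Account, 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $readAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $covering -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    })
    [pscustomobject]@{
        Path        = $ProfilePath
        ReadGranted = ($readAces.Count -gt 0)
        MatchedAces = ($readAces | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }
}

function Test-CrossForestProfilePolicy {
    # Assumption: the policy 'Allow Cross-Forest User Policy and Roaming User Profiles' is delivered as
    # this DWORD value; confirm the name against your ADMX or 'gpresult /scope computer /v'.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name = 'AllowX-ForestPolicy-and-RUP'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }
    [pscustomobject]@{
        Policy  = 'Allow Cross-Forest User Policy and Roaming User Profiles'
        Present = ($null -ne $value)
        Enabled = ($value -eq 1)
    }
}

Test-DefaultProfileAccess -ProfilePath '\\domain_1\netlogon\Default User.v2' -Account 'domain_2\jane.doe' | Format-List
Test-CrossForestProfilePolicy | Format-List
```

If ReadGranted is false, the profile copy fails before the roaming path is ever consulted, which matches the symptom of the foreign accounts getting the session host's local default profile instead.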

  • MBAM 2.5 in Multi-Forest with two way trust

    Hi All,
    If we have two forests with a two-way trust, say A and B, and MBAM 2.5 is set up in domain A and the URLs used in the GPO of domain B to make the clients report to MBAM, what additional steps do we need to take to ensure all functionality works fine, namely:
    - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
    - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
    Thanks in Advance,
    Regards,
    Vijay

    You have to define the group policies in all of the domains where the client resides and place the MBAM web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define the MBAM GPOs in the domain where the client resides.
    Check out this link :
    MBAM 2.5 installation - Multi Domain
    Cheers,
    Gaurav Ranjan / Sr. Analyst-Professional Services
    MICROLAND Limited - India's leading Infrastructure Management Services Company
    NOTE:Mark as Answer and Vote as Helpful if it helps
