Multi name in multi domainname.
I have 1 domain and 1 po. Up until now this has worked quite well, but we have a problem and I would like opinions on how to solve it.
We have employees in this system that work for multiple closely held companies. The domain names are all valid within the single GW domain. i.e. a.com b.com c.com. Mail to [email protected], [email protected] [email protected] all go to Jack in the only PO.
Now, I have to have mail for jack go to 3 different people of the same address but in a different domain. i.e. [email protected] goes to [email protected], [email protected] goes to [email protected] and [email protected] goes to [email protected] It can no longer be delivered to just the jack in the po.
I'm not even sure I can create 3 different "Jack"s in the system even though they belong to different domainnames. (But the same GW domain.)
Any ideas?
On 10.09.2012 22:36, moreaujeff wrote:
>
> I have 1 domain and 1 po. Up until now this has worked quite well, but
> we have a problem and I would like opinions on how to solve it.
>
> We have employees in this system that work for multiple closely held
> companies. The domain names are all valid within the single GW domain.
> i.e. a.com b.com c.com. Mail to [email protected], [email protected] [email protected] all
> go to Jack in the only PO.
>
> Now, I have to have mail for jack go to 3 different people of the same
> address but in a different domain. i.e. [email protected] goes to [email protected],
> [email protected] goes to [email protected] and [email protected] goes to [email protected] It can
> no longer be delivered to just the jack in the po.
>
> I'm not even sure I can create 3 different "Jack"s in the system even
> though they belong to different domainnames. (But the same GW domain.)
>
> Any ideas?
That's actually no problem whatsoever. The only thing that can't be the
same is the groupwise userid, but it's vastly irrelevant. You create
three users, say jacka, jackb, and jackc. Then, in Internet Addressing of
these users you set their email address to [email protected],
and make sure to check the box that says that the user is only known for
that domain. Do the same for all three of them, and you're set.
CU,
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Similar Messages
-
Exchange 2010SP1 Multi-Tenant Issue with Multiple Domains
I have an installation of Exchange 2010 SP1 with multi-tenant support enabled via the install time /hosting switch.
Everything works well for my smaller clients. I now have a bigger client that has about 300 users and 3 domains. The users are divided roughly equally amongst the domains - ie, 3 domains each with 100 users. I've added the first domain as normal:
$c = get-credential
New-organization -name "Pretend Company" -DomainName domain1.com -ProgramId HostingSample -OfferId 2 -location en-US -AdministratorPassword $c.password
After that I logged into the ECP control panel and created all the users. The migration went smoothly and has been working well for the last week. Now, it's time to add the next domain. Since the client wants all 300 users visible in the same GAL, I just
added a domain to the organization:
New-AcceptedDomain -Name domain2.com -DomainName domain2.com -Organization "Pretend Company"
This is where I run into problems. When I try to create the users for domain2.com via ECP, I am able to create the user successfully, and select domain2.com from the drop down. Once the user is created however, I am able to see that although their UPN
is [email protected], it created their email address as [email protected].
I tried creating the users manually via EMS:
$password = Read-Host "Enter password" -AsSecureString
New-MailUser -UserPrincipalName [email protected] -Password $password -Name "Test User" -Organization "Pretend Company" -PrimarySmtpAddress [email protected]
The user creates successfully and I can see the user created in the proper OU in AD. Unfortunately I can not see them in ECP nor can I see them if I do:
get-mailbox -Organization "Pretend Company"
This makes the management of the users very difficult to delegate, and I'm not sure that the users at domain2.com will even work.
This brings me to my questions:
(1) Is it possible to create accounts that have different domain names in their default email addresses within the same Organization in /hosting mode?
(2) Is this something I need to do with an EmailAddressPolicy? I read the documentation but it didn't seem /hosting friendly.
Hi Earonk,
Please post your issue on below forum, you will get more help from there:
http://social.technet.microsoft.com/Forums/en-us/exchange2010hosters/threads
Regards!
Gavin -
Confusing with the Global Database Name and Instance Name
Dear fellow DBA's and Experts,
Good Day.
We presently have an existing database registered (on V2 Exadata) with global database name as BIDEV.domainname.com. It has 4 instances viz., BIDEV1 and BIDEV2 which have the same service name as the instance name.
Last week, on our new X4-2 Exadata, we tried to create a fresh database. While doing so, we entered the details as below in the installer:
Global Database Name: BIDEV
SID Prefix: BIDEV
Service Name: BIDEV.
Then upon the successful installation of the database, when we query
1. (SELECT * FROM GLOBAL_NAME), it shows BIDEV as the global database name.
2.
SQL> sho parameter service
NAME TYPE VALUE
service_names string BIDEV1
3. Sho parameter name gives the below details:
SQL> sho parameter name;
NAME TYPE VALUE
cell_offloadgroup_name string
db_file_name_convert string
db_name string BIDEV
db_unique_name string BIDEV
global_names boolean FALSE
instance_name string BIDEV_1
lock_name_space string
log_file_name_convert string
processor_group_name string
service_names string BIDEV1
Curious to know why it created an instance name as BIDEV_1 instead as BIDEV1.
Had tried another attempt on our test environment with SID prefix as BIDEV1, then the instance was created with the name as BIDEV1_1.
Also, would like to know what happens if we give the Global Database Name as BIDEV.domainname.com for installing the same BIDEV database on a different server while the 1st server is still functional.
Appreciate if someone could throw some light on the above confusion. Any reference material or source to clarify the doubt.
Warm Regards,
Vikram.
Hi Vikram,
Your clustered database is not full RAC, it's RAC ONE node database. In RAC ONE node database, instance names are created in that format only (i.e. dbname_1), I don't know if there is any way we can change it to dbname1. OR if you really want to change the instance name to dbname1 format, then you can convert RAC one node database to Full RAC, then remove instance and add another instance, I hope it would be added in dbname1 format. I have not tested it, test it on your test system first.
You can find the database type in the output you shared,
Type: RACOneNode
Regards,
Saurabh -
MDT 2012 Windows 7 Deployment Stops At User Account and Computer Name Setup Page
I was given a sysprepped custom Windows 7 WIM image that was set up by a third party that didn't use MDT to create the WIM.
I created a task sequence to deploy it, but it never finishes. After the OS installs and it reboots, it comes up to the white setup page asking for a user name and computer name that looks like this image:
Is there a setting in MDT that can change that behavior?
Are you joining the computer to a domain?
It sounds like MDT did not create the unattend.xml file itself (or is there an unattend file already in the image itself?)
MDT needs to be able to autologin with the local admin account
From MDT in your task sequence - OS info - Edit unattend.xml you can check if your unattended file is correct.
Check what's in there for:
- computer name in 4 Specialize area - Windows-Shell-Setup_neutral (it should be empty if you want MDT to handle it).
- Also i think you need to have in the Specialize section, under Microsoft-Windows-Deployment_neutral - Run Synchronous an EnableAdmin insert
This will enable the local admin account
- Also check in phase 7 oobe System in Shell-Setup_neutral
There should be an autologon with a count of 999
Check if you have any Local Accounts there.
Finally read this:
When I am joining clients to a domain, can I avoid creating a local user
account on the computer?
Yes. To do this, create an image unattend file that adds a domain account to the Administrators group. In addition, you must delete the <LocalAccounts> section if it is present in your
unattend file (simply commenting it out will not work). An example file is below. Note that if domain join fails, Windows Deployment Services will not use the unattend file so you will be able to create a local account. For more information about creating
unattend files, see Automating Setup.
<?xml version='1.0' encoding='utf-8'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:ms="urn:schemas-microsoft-com:asm.v3" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>password</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <DomainAccounts>
          <DomainAccountList wcm:action="add">
            <DomainAccount wcm:action="add">
              <Group>Administrators</Group>
              <Name>DomainAdmin</Name>
            </DomainAccount>
            <Domain>DomainName</Domain>
          </DomainAccountList>
        </DomainAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
I tried opening the unattend.xml from the MDT workbench, but it errors out saying it cannot be done because the captured image is x86. -
using DSEE7
dsconf set-server-prop ssl-rsa-cert-name:mycertalias
...lets you use a signed certificate for your instance. but the cert is tied to the hostname when you generate the initial request using dsadm.
dsadm request-cert name $(hostname).$(domainname) org blah city London state London --country GB -o /tmp/$(hostname).cert.req -F ascii /instance/dir
questions:
- can I use a wildcard cert?
- does dsadm request-cert support the SubjectAltName tag?
- plan B - i'd like to connect via 1 interface for secure traffic and another interface for non-secure, so does anyone have any better suggestions for connecting to a single dsee instance using TLS:Simple ssl on a multi-homed network environment?
the short answer is yes.. you can use a wildcard cert. generate as normal.
dsadm request-cert name $(hostname)*.$(domainname) city ......
All badness shown in the error logs!
[22/Feb/2010:17:09:24 +0000] - ERROR<4753> - SSL - conn=-1 op=-1 msgId=-1 - Security Initialization: Can't find certificate (*) for family cn=rsa,cn=encryption,cn=config (error -8174 - security library: bad database.)
(this was because the alias name I used to import the cert had a * )
I requested, resigned & reimported a new cert with a cert db alias of '$(hostname).wc' instead of '$(hostname)*' and glorious SSL magic happens! :-) -
I've started getting an intermittent error editing my Windows 7 OSD task sequence. Sometimes I can open the TS to edit, but when I try to apply changes I get the error. Other times I get the error when trying to open the TS. If I try again
right away, I still get the error, but if I wait a few minutes and try again sometimes it will open the TS.
The error reads:
ConfigMgr Error Object:instance of SMS_Extended Status{Description = "Failed to load dynamic properties for class \"SMS_TaskSequence_ApplyWindowsSettingsAction\" from XML into WMI";Error Code = 2147943746;File = "e:\\qfe\\nts\\sms\\siteserver\\sdk_provider\\smsprov\\ssptspackage.cpp";Line = 3454;Operation = "ExecMethod";ParameterInfo = "SMS_TaskSequencePackage";ProviderName = "WinMgmt";StatusCode = 2147749889;}
Coinciding with this error, I show the following entries in the TaskSequenceProvider.log file:
[PID: 7608] Invoking method SMS_TaskSequence.LoadFromXml
TaskSequenceProvider
Failed to protect memory buffer, hr=0x80070542
TaskSequenceProvider
Failed to load dynamic properties for class "SMS_TaskSequence_ApplyWindowsSettingsAction" from XML into WMI 0x80070542 (2147943746)
TaskSequenceProvider
Failed to load node Apply Windows Settings from XML into WMI 0x80070542 (2147943746)
TaskSequenceProvider
Failed to load children steps for node "PostInstall" from XML 0x80070542 (2147943746)
TaskSequenceProvider
Failed to load children steps for node "Execute Task Sequence" from XML 0x80070542 (2147943746)
TaskSequenceProvider
Failed to load children steps for node "" from XML 0x80070542 (2147943746)
TaskSequenceProvider
Failed to load XML for the task sequence into WMI 0x80070542 (2147943746)
TaskSequenceProvider
[PID: 7608] Done with method SMS_TaskSequence.LoadFromXml
TaskSequenceProvider
Setting status complete: status code = 0x80070542; Failed to load dynamic properties for class "SMS_TaskSequence_ApplyWindowsSettingsAction" from XML into WMI
TaskSequenceProvider
I exported the task sequence and checked in "object.xml" for the "ApplyWindowsSettingsAction", to see if there was something odd in the xml, but I don't find anything that jumps out as being wrong. Here's the section of XML for
that step. I've removed identifying info, and replaced it with a generic term in bold.
<step type="SMS_TaskSequence_ApplyWindowsSettingsAction" name="Apply Windows Settings" description="" runIn="WinPE" successCodeList="0" runFromNet="false"><action>osdwinsettings.exe /config</action><defaultVarList><variable name="OSDLocalAdminPassword" property="AdminPassword"></variable><variable name="OSDComputerName" property="ComputerName">%_SMSTSMachineName%</variable><variable name="OSDProductKey" property="ProductKey"></variable><variable name="OSDRandomAdminPassword" property="RandomAdminPassword">false</variable><variable name="OSDRegisteredOrgName" property="RegisteredOrgName">COMPANY NAME</variable><variable name="OSDRegisteredUserName" property="RegisteredUserName">COMPANY NAME</variable><variable name="OSDServerLicenseConnectionLimit" property="ServerLicenseConnectionLimit">5</variable><variable name="OSDTimeZone" property="TimeZone">Central Standard Time</variable></defaultVarList></step><step type="SMS_TaskSequence_ApplyNetworkSettingsAction" name="Apply Network Settings" description="" runIn="WinPEandFullOS" successCodeList="0" runFromNet="false"><action>osdnetsettings.exe configure</action><defaultVarList><variable name="OSDDomainName" property="DomainName">DOMAIN.COM</variable><variable name="OSDJoinPassword" property="DomainPassword"></variable><variable name="OSDJoinAccount" property="DomainUsername">DOMAIN ACCOUNT</variable><variable name="OSDEnableTCPIPFiltering" property="EnableTCPIPFiltering" hidden="true">false</variable><variable name="OSDNetworkJoinType" property="NetworkJoinType">0</variable><variable name="OSDAdapterCount" property="NumAdapters" hidden="true">0</variable></defaultVarList></step>
Is there any other log I should check for a clue on this issue? What could be causing this error?
Thanks for sharing that! I tend to save contacting MS support until after I've exhausted other options. I'm always afraid that I'll spend the $500 to open a case and then it turns out to be something simple that I would have found if I had just
kept working on it myself a little longer.
It looks like that link is for an update released in February as KB3023562. I downloaded and installed it. I'll try opening/editing/saving the task sequence a few times today to see if the issue is resolved.
After I had already installed it, I thought to look up that update in configmgr. The update is listed as superseded by 2 other updates. The newest of those is KB3046049, which just installed last night with the other March patches, so it's possible
that I didn't need to install KB3023562 after all. -
I'm having 2 problems.
1. I want to create a hyperlink so visitors to my iWeb created website can download a .pdf document. But I can't figure out how to create,or even find, a URL at .mac (MobileMe) to direct it and automatically download or even open in a window in the browser. How do I find/create the URL to the document in .mac?
2. I published my site BEFORE I was able to set up the 3rd party redirect from GoDaddy.com. Now when anyone types in the address, it goes there and masking works as it's supposed to and all, BUT, when I visit the site from iWeb or look at the URLs for it at .mac, the addresses are wrong. How can I correct the URLs at .mac? Do I have to unpublish the entire site and re-publish?
Please help, I need this stuff working right. Thank you in advance, Jon
It does not matter that you published your site before you set-up re-direct from GoDaddy. When you publish an iWeb site it gets published to your iDisk and only there and when you forward from GoDaddy, you are doing just that, forwarding your domain from GoDaddy to your iWeb site, so when you publish really makes no difference, it is still all going to MMe/iDisk which is your site host.
When you set-up forwarding, did you enter your personal domain name into your MMe account? Even if you set-up domain forwarding, you will always be able to reach your site by typing in web.me.com/username and then from your domain name so www.domainname.com.
Also, when you publish you don't need to un publish, you just publish again and everything is overwritten.
I would check that all your settings are correct both in your MMe account and also at GoDaddy. -
Problem to access POP3 of MS Exchange Server using Java Mail
Hi,
I have a requirement to read emails from my office mailbox using POP3 protocol which is in Microsoft Exchange Server.
My code is given below.
package emailadaptor;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;
public class Test {
    public static void main(String[] args) {
        // POP3 server name of Exchange Server
        String host = "popServer.domain.com";
        // User name
        String user = "domainName\\userName";
        String password = "password";
        // Get a session. Use a blank Properties object.
        Session session = Session.getDefaultInstance(new Properties());
        try {
            // Get a Store object
            Store store = session.getStore("pop3");
            store.connect(host, user, password);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
I can ping popServer.domain.com from my machine where I am testing the code.
For username I have tried with domainName\\userName and username pattern both but unsuccessful. For example if my username is user1 and my domain name is domain1 then the two patterns I have tried are ‘domain1\\user1’ and ‘user1’.
For both these cases I am getting same error, and below is my error stack Trace.
javax.mail.AuthenticationFailedException: The requested mailbox is not available on this server.
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:158)
at javax.mail.Service.connect(Service.java:291)
at javax.mail.Service.connect(Service.java:172)
at emailadaptor.Test.main(Test.java:19)
Please give me some idea and steps what is wrong with this code and if any other information is needed then also let me know that.
Please help.
Regards,
Gourab
Turn on session debugging. What does the protocol trace show?
Are you able to connect with other mail clients, such as Thunderbird?
(Outlook doesn't count.) -
IFS-20010 Unable to get service configuration
Hi,
I'm trying to connect to iFS from a Java application. Basically it's a remote server which we'll connect to using RMI for some integration work. It will run on the same server as CM SDK.
Anyway, I try and connect to the service using:
LibraryService.startService(name, schemaPassword, serviceConfig, domainName)
and it comes back with this error:
oracle.ifs.common.IfsException: IFS-20102: Unable to start service (IfsDefault)
oracle.ifs.common.IfsException: IFS-20010: Unable to get service configuration properties (SmallServiceConfiguration)
java.lang.NullPointerException
at oracle.gss.util.NLSLocale.getNLSLanguage(NLSLocale.java:675)
I'm running it from the command line, I have a batch file to set the classpath. Interestingly, if I run an Agent (i.e., a java class that extends oracle.ifs.management.domain.IfsServer) standalone, it works fine.
This makes me think there's some element of the classpath that I'm missing, but I'm not entirely sure what!
Could anyone shed any light on this? Metalink doesn't seem to have anything!
Cheers,
Phill
P.S. -- my CLASSPATH is as follows:
set CLASSPATH=%CLASSPATH%;%ORACLE_HOME%\ifs\cmsdk\lib\cmsdk.jar;%ORACLE_HOME%\lib;
set CLASSPATH=%CLASSPATH%;%ORACLE_HOME%\jdbc\lib\classes12.zip;%ORACLE_HOME%\j2ee\home\lib;
set CLASSPATH=%CLASSPATH%;%ORACLE_HOME%\j2ee\home\jazn.jar
set CLASSPATH=%CLASSPATH%;%ORACLE_HOME%\jdbc\lib\nls_charset12.jar
set CLASSPATH=%CLASSPATH%;%ORACLE_HOME%\ifs\cmsdk\settings\
Just FYI, the solution to this was that the java security policy was denying access. I changed the java.policy to
grant {
    permission java.security.AllPermission;
};
And this solved the problem. -
[SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA
Hello,
We are in progress of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed
our Wireless controller a Cisco 5508. We have changed our certificate from a 1024bits to a 2048bits certificate.
We tested the other certificate functions and that went fine too.
But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem and wireless 802.1x?
We recreated the wireless policy but also no success.
We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x . Exact the same problem. After
decommissioning the Windows 2008 R2 certificate server and changed it to a Windows 2003 R2 certificate server, there were no problems any more.
It looks like that older versions of Windows do not work with newer certificate servers?
Do we miss something? Can someone confirm this.
We already looked for these forum posts, but with no success
http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
domainname\NB80W7$
Account Name:
host/NB80W7.domainname.local
Account Domain:
domainname
Fully Qualified Account Name: domainname\NB80W7$
Client Machine:
Security ID:
NULL SID
Account Name:
Fully Qualified Account Name: -
OS-Version:
Called Station Identifier:
08-d0-9f-ec-96-60:domain
Calling Station Identifier:
a0-88-b4-35-2e-08
NAS:
NAS IPv4 Address:
192.168.2.6
NAS IPv6 Address:
NAS Identifier:
WLC5500
NAS Port-Type:
Wireless - IEEE 802.11
NAS Port:
1
RADIUS Client:
Client Friendly Name:
WLC5500
Client IP Address:
192.168.2.6
Authentication Details:
Connection Request Policy Name:
WLC5500
Network Policy Name:
Authentication Provider:
Windows
Authentication Server:
DC01.domainname.local
Authentication Type:
EAP
EAP Type:
Account Session Identifier:
Logging Results:
Accounting information was written to the local log file.
Reason Code:
48
Reason:
The connection request did not match any configured network policy.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
domainname\Username
Account Name:
domainname\Username
Account Domain:
domainname
Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
Client Machine:
Security ID:
NULL SID
Account Name:
Fully Qualified Account Name: -
OS-Version:
Called Station Identifier:
08-d0-9f-ec-96-60:domain
Calling Station Identifier:
a0-88-b4-35-2e-08
NAS:
NAS IPv4 Address:
192.168.2.6
NAS IPv6 Address:
NAS Identifier:
WLC5500
NAS Port-Type:
Wireless - IEEE 802.11
NAS Port:
1
RADIUS Client:
Client Friendly Name:
WLC5500
Client IP Address:
192.168.2.6
Authentication Details:
Connection Request Policy Name:
WLC5500
Network Policy Name:
WLC5500
Authentication Provider:
Windows
Authentication Server:
DC01.domainname.local
Authentication Type:
PEAP
EAP Type:
Account Session Identifier:
Logging Results:
Accounting information was written to the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Hi,
Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
More information:
Renew a Certificate
http://technet.microsoft.com/en-us/library/cc730605.aspx
NPS Server Certificate: Configure the Template and Autoenrollment
http://msdn.microsoft.com/en-us/library/cc754198.aspx
Hope this helps.
-
RADIUS Authentication Problems with NPS Server Eventid 6274
Hi,
We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
Network Policy Server discarded the request for a user
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/hostname.domainname.com
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 40-20-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: C1-18-85-08-10-E1
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS servername
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: domainname\username
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 20-18-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: 09-3E-8E-3E-5A-C9
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS server name
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Message seen from the AP's logs:
(317)IEEE802.1X auth is starting (at if=wifi0.2)
(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
(320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC
Output omitted
(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
Initially the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Computer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue (Not sure if
this matters?)
Please guide me on how to take this further
Thank you :)
//Cris
Hi,
NPS Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Detailed information reference:
Event ID 6274 — NPS Accounting Request Message Processing
https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
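A parser for the NPS event text quoted in the two RADIUS threads above, as an added example that is not part of any original post. It handles both layouts seen on this page (value on the next line, value on the same line) and counts events by outcome, reason code and whether a network policy matched; the sample events and all values in them are constructed.

```python
import re
from collections import Counter

# Section headers and field labels as they appear in the event text quoted above.
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
FIELDS = {
    "Security ID", "Account Name", "Account Domain", "Fully Qualified Account Name",
    "OS-Version", "Called Station Identifier", "Calling Station Identifier",
    "NAS IPv4 Address", "NAS IPv6 Address", "NAS Identifier", "NAS Port-Type",
    "NAS Port", "Client Friendly Name", "Client IP Address",
    "Connection Request Policy Name", "Network Policy Name", "Authentication Provider",
    "Authentication Server", "Authentication Type", "EAP Type",
    "Account Session Identifier", "Logging Results", "Reason Code", "Reason",
}
LABEL = re.compile(r"^([^:]+):\s*(.*)$")
EVENT_START = re.compile(r"(?m)^(?=Network Policy Server (?:denied|discarded))")

def _label(line):
    """Return (label, rest_of_line) when the line starts with a known label."""
    m = LABEL.match(line)
    if m and m.group(1) in SECTIONS | FIELDS:
        return m.group(1), m.group(2).strip()
    return None

def parse_event(text):
    """Parse one event into {"Section/Field": value}; empty and "-" become None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    outcome = re.search(r"Network Policy Server (denied|discarded)", text)
    event = {"outcome": outcome.group(1) if outcome else None}
    section, i = "", 0
    while i < len(lines):
        hit = _label(lines[i])
        i += 1
        if hit is None:
            continue  # free text, e.g. "Contact the ... administrator"
        label, value = hit
        if label in SECTIONS:
            section = label
            continue
        # Split layout: the value is on the next line, unless that line is
        # itself a label (which means this field was left empty).
        if not value and i < len(lines) and _label(lines[i]) is None:
            value = lines[i]
            i += 1
        event[f"{section}/{label}"] = None if value in ("", "-") else value
    return event

def split_events(log_text):
    """Split pasted Event Viewer text into one parsed dict per NPS event."""
    return [parse_event(c) for c in EVENT_START.split(log_text) if c.strip()]

def triage(events):
    """Count events by (outcome, reason code, did a network policy match?)."""
    return Counter((e["outcome"], e.get("Authentication Details/Reason Code"),
                    e.get("Authentication Details/Network Policy Name") is not None)
                   for e in events)

# Constructed sample: two events in the split layout, one in the same-line layout.
SAMPLE = """\
Network Policy Server denied access to a user.
User:
Account Name:
host/PC01.example.local
Client Machine:
Account Name:
Fully Qualified Account Name: -
Called Station Identifier:
00-00-5E-00-53-01:example-ssid
Authentication Details:
Network Policy Name:
Authentication Provider:
Windows
Reason Code:
48
Network Policy Server denied access to a user.
User:
Account Name:
EXAMPLE\\user1
Authentication Details:
Network Policy Name:
WLC
Reason Code:
16
Network Policy Server discarded the request for a user.
User:
Account Name: EXAMPLE\\user2
Authentication Details:
Network Policy Name: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
"""

if __name__ == "__main__":
    for key, count in sorted(triage(split_events(SAMPLE)).items()):
        print(key, count)
```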
First page on website is blank
I have successfully started a personal domain with iWeb.
My address however shows something like this www.mywebsite/www.mywebsite/firstpage name.html
when I go to MOBILE ME , and look under iWeb, the first page is labeled blank
On the iWeb editing page the first page is www.mywebsite, and the second page is firstpage
here, have a look for yourself
http://www.stoptaxpayerfundedbailouts.com/www.stoptaxpayerfundedbailouts.com/CON RAD_TAMEA_JR_MD.html
What am I doing wrong??
Thanks
You may want to consider renaming your Site to something simpler instead of giving it the same name as your domainname.
On the iWeb editing page the first page is www.mywebsite, and the second page is firstpage
here, have a look for yourself
http://www.stoptaxpayerfundedbailouts.com/www.stoptaxpayerfundedbailouts.com/CON RAD_TAMEA_JR_MD.html
Do not confuse Pagenames with Sitenames with Domainnames.
The first part is your Domainname
The second part is your Sitename
The third part is your Pagename
The Sitename and Pagename is what you entered yourself. You can change it if you want.
Here's a little learning regarding the concept of iWeb Sites :
The concept of iWeb Sites -
OAM Access Server - Cannot load cert chain file aaa_chain.pem
Hi experts,
I am in the midst of changing the Transport Layer Security (TLS) of OAM Access Server from Open mode to Cert mode, and encountering the error not able to load aaa_chain.pem.
Below are the steps which I did:-
1. Change the TLS mode for both Access Server and Webgate from Open >> Cert mode in the Access System console
2. Stop the Access Server from Services
3. From the <access server install dir> run ConfigureAAAServer.exe to generate aaa_req.pem and aaa_key.pem.
4. Copy the certificate request from the aaa_req.pem and submit to Internal CA (Ms CA).
5. Download the Certificate and Certificate Chain in Base 64 encoding, and rename into *.pem. E.g. certnew.cer >> aaa_cert.pem certnew.p7b >> aaa_chain.pem.
6. Copy *.pem files in to <access server install dir>/oblix/config
7. Rerun ConfigureAAAServer.exe to install the cert, all went smoothly without issue.
8. Start Access Server from Services. <<< Service failed to start.
NOTE: I did the same thing for Policy Manager, used genCert.exe to generate certificate request, submit the CA to sign and installed.
Check on the event viewer, the following error was found.
**===========================================================================**
Log Name: Application
Source: ObAAAServer-AccSvr01
Date: 16/8/2010 1:06:39 AM
Event ID: 1
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IDMsvr.SSO.com
Description:
The description for Event ID 1 from source ObAAAServer-AccSvr01 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ObAAAServer-AccSvr01" />
<EventID Qualifiers="49152">1</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-08-15T17:06:39.000Z" />
<EventRecordID>1072</EventRecordID>
<Channel>Application</Channel>
<Computer>IDMsvr.SSO.com</Computer>
<Security />
</System>
<EventData>
<Data>Access Server Exception: Error: Cannot load cert chain file C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem</Data>
</EventData>
</Event>
**===========================================================================**
The ConfigureAAAServer.exe
C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureAAAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3
Do you want to request a certificate (1) or install a certificate (2) ? : 1
Please enter the Pass phrase for this Access Server :
Do you want to store the password in the file ? : 1(Y) 2(N) : 1
Preparing to generate certificate. This may take up to 60 seconds. Please wait.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to 'C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Some-Organization Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, hostName.domainName.com) []:IDMsvr.sso.com
Email Address []:.
writing RSA key
Your certificate request is in file : C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_req.pem
Please get your certificate request signed by the Certificate Authority.
On obtaining your certificate, please place your certificate in 'C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_cert.pem' file and the certificate authority's certificate for the corresponding component (for example: WebGate, AXML Server) in 'C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem' file.
Once you have your certificate placed at the above mentioned location, please follow the instructions on how to start the Access Server.
More Information on setting up Access Server in Certificate mode can be obtained from the Setup Installation Guide.
Access Server mode has been re-configured successfully.
Please note that new security mode will take effect only after the security mode for this Access Server is changed to 'cert' from the Access Manager System Console.
Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
Please restart the Access Server from the Control Panel Services once you have placed your certificates at the above mentioned location.
Press enter key to continue ...
C:\Program Files (x86)\NetPoint\access\oblix\tools\configureAAAServer>configureAAAServer.exe reconfig "C:\Program Files (x86)\NetPoint\access"
Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3
Do you want to request a certificate (1) or install a certificate (2) ? : 2
Please enter the Pass phrase for this Access Server :
Do you want to store the password in the file ? : 1(Y) 2(N) : 1
Please provide the full path to the Certificate key file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_key.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_key.pem
Please provide the full path to the Certificate file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_cert.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_cert.pem
Please provide the full path to the Certificate authority's certificate chain file [C:\Program Files (x86)\NetPoint\access/oblix/config/aaa_chain.pem] : C:\Program Files (x86)\NetPoint\access\oblix\config\aaa_chain.pem
Access Server mode has been re-configured successfully.
Please note that new security mode will take effect only after the security mode for this Access Server is changed to 'cert' from the Access Manager System Console.
Do you want to specify or update the failover information ? : 1(Y) 2(N) :2
Please restart the Access Server from the Control Panel Services.
Press enter key to continue ...
**===========================================================================**
I followed through the documentation on OAM Identity & Common Admin - Chapter 8 guide.
Is there anything which I have missed or something to do with the certificate?
Thanks in advance.
Regards,
Wing
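One check worth running on step 5 above: renaming certnew.p7b to aaa_chain.pem changes only the file name, and a .p7b file is a PKCS#7 bundle, not a PEM-encoded X.509 certificate. The sketch below is an added example (not from the original post and not Oracle tooling) that inspects the DER inside each PEM block instead of trusting the label; that this is the cause of the "Cannot load cert chain file" error is an assumption, and the sample inputs are constructed stubs.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), tag and length included.
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def content_offset(der, pos=0):
    """Offset of the value bytes of the DER element that starts at pos."""
    length_byte = der[pos + 1]
    extra = length_byte & 0x7F if length_byte & 0x80 else 0  # long-form length octets
    return pos + 2 + extra


def classify_der(der):
    """Tell an X.509 certificate from a PKCS#7 bundle by its first inner element."""
    if len(der) < 4 or der[0] != 0x30:          # both start with a SEQUENCE
        return "unknown"
    inner = content_offset(der)
    if der[inner:inner + len(PKCS7_SIGNED_DATA)] == PKCS7_SIGNED_DATA:
        return "pkcs7"                          # ContentInfo: the OID comes first
    if inner < len(der) and der[inner] == 0x30:
        return "x509"                           # Certificate: tbsCertificate SEQUENCE first
    return "unknown"


def classify_chain_file(text):
    """Return [(pem_label, detected_type), ...] for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            found.append((label, "bad-base64"))
            continue
        found.append((label, classify_der(der)))
    return found or [("", "no-pem-block")]      # e.g. a binary (DER) .p7b


def pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stubs: just enough DER to carry the outer structure, not real certificates.
STUB_CERT = bytes.fromhex("30053003020101")
STUB_P7B = bytes.fromhex("300d") + PKCS7_SIGNED_DATA + bytes.fromhex("a000")
SAMPLE_CHAIN_OK = pem("CERTIFICATE", STUB_CERT)
SAMPLE_RENAMED_P7B = pem("CERTIFICATE", STUB_P7B)   # PKCS#7 under a CERTIFICATE label

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_CHAIN_OK), ("renamed p7b", SAMPLE_RENAMED_P7B)]:
        print(name, classify_chain_file(text))
```

A result of "pkcs7" or "no-pem-block" for aaa_chain.pem means the bundle has to be converted to individual PEM certificates first; renaming it is not enough.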
Edited by: user13340813 on Aug 19, 2010 8:56 PM
No, you didn't do anything wrong, JeanPhilippe. I'm right there with you. There's even another thread on this issue:
<http://discussions.apple.com/thread.jspa?messageID=10808126>
I had the same problem: IMAP & POP services would not launch using SSL. Finally got it resolved today. It had nothing to do with certificates and their names, or creating them in openssl, and everything to do with a botched dovecot.conf file, courtesy of Server Admin.
It appears that every time I changed the certificate for IMAP & POP SSL in Server Admin, it appended the new selection to the dovecot.conf file on 3 separate lines. The result was an unhealthy list of every certificate file Server Admin had ever been pointed to for this service.
After making a backup, I edited the file (/etc/dovecot/dovecot.conf) down to the single cert file I wanted it to use. It happened to be first in the list, FWIW.
If you want to duplicate this, look for the lines beginning with:
"sslcertfile"
"sslkeyfile"
"sslcafile"
Obviously you need to be careful in there. But I did not even have to bounce the service before it took my changes. Thankfully, Server Admin did not overwrite my edits (which I've seen happen with manual config of other services, such as the iChat service.)
Good luck, and let me know if I can provide more detail. -
V8 SP4 SPNEGO Identity Asserter problem
I configured my domain to authenticate against AD using the SPNEGO Identity Asserter.
Two questions.
1) How do I do authorization ? Do I enter the name of an AD group in the webapps weblogic.xml under Principal-Name? Or use weblogic groups (if so, how do the userids get matched) ?
2) It doesn't work - I get challenged for userid/pwd/domain.
In debug, I get:
"Found NTLM token when expecting SPNEGO"
What can I do about this ?
Some lines from debug...
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found NTLM token when expecting SPNEGO>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles subject: Subject: 0
Resource: type=<url>, application=earspnegodemo, contextPath=/earspnegodemo, uri=/index.jsp, httpMethod=GET>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): input arguments:
Subject: 0
Thanks,
Mike
The documentation on dev2dev appears to change all the time and without notice. I run Google beta which caches all visited web pages and one of the documents for WL enterprise security has three different versions in my cache each with slightly different implementation instructions.
Anyway, I have implemented SSO using WL and AD using a third party Spnego identity asserter in the past and I presume the asserter which is now built in to sp4 works in the same way. You need to set up an active directory authenticator to enable weblogic to 'see' the users and roles in the AD domain.
When you access the protected web application from the client pc (the one in the AD domain) the url used has to contain the SPN name
eg http://domainname.project.net/test where domainname is the SPN.
and not http://192.168.7.2:7001/test
I think this is what triggers IE to send the kerberos ticket during the negotiate step.
The order of the identity asserters (in the WL console) is important: the SPNEGO one should be first and the AD one should be second and have a value of SUFFICIENT for the control flag.
I have done all of the above and it still doesn't work but I think that there should be a servlet to handle the kerberos negotiation. A previous version of the WLES documentation does mention a negotiate servlet but has since been removed. I have sent an email to one of the security gurus at BEA, but as I am out of the office all week I don't know if I have a reply.
I don't know if the above is of any use but I will post more info as I get it.
Stephen -
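The debug line "Found NTLM token when expecting SPNEGO" refers to the token the browser sent in its Authorization header. The following added example (not WebLogic code and not from the original posts) classifies a captured header value by the leading bytes of the decoded token, so you can confirm what the client is actually sending; the header values are constructed samples.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# DER-encoded mechanism OIDs, tag and length included.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def classify_authorization(header_value):
    """Name the kind of token carried in an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "bad-base64"
    if token.startswith(NTLM_SIGNATURE):
        kind = int.from_bytes(token[8:12], "little")
        return "ntlm-" + NTLM_MESSAGES.get(kind, "unknown")
    if token[:1] == b"\x60" and len(token) > 2:       # GSS-API initial token
        # Skip the tag and the short- or long-form DER length to reach the OID.
        extra = token[1] & 0x7F if token[1] & 0x80 else 0
        mech = token[2 + extra:]
        if mech.startswith(SPNEGO_OID):
            return "spnego"
        if mech.startswith(KRB5_OID):
            return "kerberos"
        return "gssapi-other"
    if token[:1] == b"\xa1":                          # SPNEGO NegTokenResp
        return "spnego-response"
    return "unknown"


def header(scheme, token):
    """Build an Authorization header value from raw token bytes."""
    return scheme + " " + base64.b64encode(token).decode()


# Constructed samples: correct leading bytes only, no real credentials or tickets.
SAMPLE_NTLM = header("Negotiate", NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(4))
SAMPLE_SPNEGO = header("Negotiate", bytes.fromhex("600a") + SPNEGO_OID + bytes.fromhex("a000"))
SAMPLE_KRB5 = header("Negotiate", bytes.fromhex("600b") + KRB5_OID)

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO, SAMPLE_KRB5):
        print(sample[:30], "->", classify_authorization(sample))
```

A base64 token beginning with "TlRMTVNTUA" is the NTLM case from the debug log; a Kerberos or SPNEGO token begins with "YI".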
Exchange 2010+Outlook Anywhere+Windows XP not working together
Hello,
We have Exchange 2010 installed on Server 2008 R2. CAS/Hub/mailbox roles on same server. Outlook Anywhere is enabled and using a Go Daddy signed certificate for OWA. Now my problem is that Windows XP (w SP3) PCs that are not located inside domain and should use Outlook Anywhere cannot connect to that service. Outlook version is 2007 SP2. On the other hand, that same user can connect from a Windows 7 pc that is also located outside domain without problems. On XP pc windows keeps asking for password repeatedly, on W7 pc it asks it and accepts and logs the user in and connects it to his mailbox. I have read numerous posts about this kind of issue, but so far none of them helped me. The certificate is issued to mail.domainname.ee and autodiscover.domainname.ee. The internal name of the server is excha.domainname.ee, external name is mail.domainname.ee. Also I used the Set-OutlookProvider cmdlet to set EXPR to msstd:mail.domainname.ee and also tried msstd:excha.domainname.ee; this change did not have any effect on XP pc.
What is wrong in XP and Outlook 2007 combination not being able to connect to Exchange 2010?
I was suffering from a very similar issue. The one major difference for me is that I was using a wildcard ssl certificate for "*.contoso.com" which was not matching with the server name of owa.contoso.com.
Behaviour definitely seemed to only manifest with Windows XP on the open internet (not domain joined or internal) trying to use either Outlook 2007 or 2010 to connect to our internal Exchange 2010 server via RPC over HTTPS. Autodiscover was successful but user would be repeatedly prompted for their credentials but they would never match.
The key changes that seemed to fix this for us were to make these updates -
Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com
alternatively if you don't care whether the proxy server name exactly matches your ssl cert you can do this (not recommended) -
Set-OutlookProvider EXPR -CertPrincipalName none
These commands manipulate the Microsoft Exchange Proxy Settings under the Outlook Anywhere options under the connection tab of your mail profile. In particular the field labeled "Only connect to proxy servers that have this principal name in their certificate"
Also, to force RPC over HTTPS and never try and timeout on TCP/IP connection (which cannot work through the firewall) -
Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect
This should click the checkbox for "On fast networks, connect using HTTP first, then connect using TCP/IP"
This should then allow autoconfigure to work fine when setting up your mail profile. If you want to check the settings page you should have something that looks like this -
Finally, please note that Autodiscover settings are updated periodically not instantly. I believe it is something like every 15m or so. As such, make the changes above and then wait for at least 15-30mins before making any other changes.
I ended up chasing my tail and then some complete red-herring *seemed* to fix the problem. It was actually something that I had changed 20mins before!