Naming Collisions in Trusted Domains?

Hi all,
I am trying to have two WLS instances communicate with each other via JMS. The basic setup is working but now I want to add security to it. After adding user restrictions as policies to the queues I received error messages on the remote instance that it could not connect to the JMS resources defined on the local instance via the defined foreign JNDI provider. This seemed logical as the two domains did not trust each other, so I created a Trusted domain between them.
But now I receive warnings on the remote instance that a filestore (which is defined on the local instance to persist the JMS messages) is not "assigned to any of these servers: adminserver". Which is wrong in my opinion, since the server of the local instance is called 'adminserver' and the file store is targeting it.
On the other hand, the server of the remote instance is also called 'adminserver'. Now I am wondering if this naming conflict is the cause of the warning and, more importantly, if there might be other more severe problems that could arise from this situation?
Is there a solution for this problem apart from creating a new instance with a differently named server? To my knowledge it is not possible to rename a server once it is created.
Thanks, Chris

Communicating domains normally must minimally have different domain names, and, in most cases, must not have any server names in common. In addition, it's sometimes necessary to make sure that there are no JMS server names in common either. I've been able to change names by first shutting all servers down, and performing a search-and-replace in the config.xml.
I don't recommend changing the names in production setups without very careful planning. For one, there may be persistent data that references the old names (for example, the file names of each server's default file store are generated based on the server's file name).
Tom
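A pre-flight check for the collisions described in the reply above, written as an added example that is not part of the original thread or of WebLogic itself. It assumes the usual `config.xml` layout (top-level `server`, `jms-server` and `file-store` elements with `name` and `target` children); the two sample configurations are constructed, and names are compared case-insensitively as a conservative choice.

```python
import xml.etree.ElementTree as ET

# Element kinds whose names are compared across the two domains. Servers and
# JMS servers are the ones named in the reply; file stores are included because
# the warning in the question concerns one.
CHECKED = ("server", "jms-server", "file-store")


def _local(tag):
    """Strip the XML namespace so any config.xml schema version is accepted."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def inventory(config_xml):
    """Collect the domain name, resource names and resource targets."""
    root = ET.fromstring(config_xml)
    inv = {"domain": _child_text(root, "name"), "targets": []}
    for kind in CHECKED:
        inv[kind] = {}
    for elem in root:
        kind = _local(elem.tag)
        if kind not in CHECKED:
            continue
        name = _child_text(elem, "name")
        if not name:
            continue
        inv[kind][name.casefold()] = name
        # <target> may hold a comma-separated list of server names.
        for target in _child_text(elem, "target").split(","):
            if target.strip():
                inv["targets"].append((kind, name, target.strip()))
    return inv


def collisions(xml_a, xml_b):
    """Names that exist in both domains: (kind, name in A, name in B)."""
    a, b = inventory(xml_a), inventory(xml_b)
    found = []
    if a["domain"] and a["domain"].casefold() == b["domain"].casefold():
        found.append(("domain", a["domain"], b["domain"]))
    for kind in CHECKED:
        for key in sorted(a[kind].keys() & b[kind].keys()):
            found.append((kind, a[kind][key], b[kind][key]))
    return found


def ambiguous_targets(xml_a, xml_b):
    """Resources in A targeted at a server name that B also uses."""
    a, b = inventory(xml_a), inventory(xml_b)
    return [t for t in a["targets"] if t[2].casefold() in b["server"]]


# Constructed sample configurations mirroring the situation in the question.
LOCAL = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>local_domain</name>
  <server><name>adminserver</name></server>
  <jms-server>
    <name>JMSServer-0</name>
    <target>adminserver</target>
    <persistent-store>FileStore-0</persistent-store>
  </jms-server>
  <file-store><name>FileStore-0</name><target>adminserver</target></file-store>
</domain>
"""

REMOTE = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>remote_domain</name>
  <server><name>AdminServer</name></server>
  <jms-server><name>JMSServer-0</name><target>AdminServer</target></jms-server>
</domain>
"""

if __name__ == "__main__":
    for kind, name_a, name_b in collisions(LOCAL, REMOTE):
        print(f"collision: {kind} '{name_a}' (local) vs '{name_b}' (remote)")
    for kind, name, target in ambiguous_targets(LOCAL, REMOTE):
        print(f"ambiguous: {kind} '{name}' targets '{target}', "
              "a server name that also exists in the remote domain")
```

For real domains, read each `config.xml` from disk and pass its contents to the same functions before enabling trust between the domains.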

Similar Messages

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: my own, DOMAINA.LOCAL, and another trusted one, DOMAINB.LOCAL.
    I use LDAP authentication in AD to authenticate users (AnyConnect).
    Now, I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want to connect directly to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL), can authenticate users from other trusted domain (if I use username "DOMAINB\userindomainb"), if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA
    I get error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

    Hi,
    A SharePoint 2010 backup has been taken from production and restored through Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
    But the problem is that SharePoint is not working correctly. We cannot create any new web application and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and UserProfile Services of the existing web application are not working. Checking
    the SharePoint logs I found the below exception:
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:55.54  mssearch.exe (0x0864)                    0x2B24 SharePoint Server Search       Propagation Manager          
     fo2s Medium   [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx 
    11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     The SPPersistedObject with
    Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
    domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
    sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()    
    at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip... 
    11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
    persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
    sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
    T denyRightsMask)     at Microsoft.SharePoint.Administrati... 
    11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()    
    at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
    id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
    currentVe...
    Please guide me on the above issue ,this will be of great help
    Thanks.

    I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped. 
    The problem is caused by User profile Synch Service:
    UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
    The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
    Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
    identifier, T grantRightsMask, T denyRigh...        
    08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
            0x293C        SharePoint Portal Server              User Profiles                
            eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
    Please let me know if you found any solution for this?
    Regards,
    Kunal  

  • DNS/LDAP Issue for Trusted Domain

    Hi
    I'm trying to configure  Configuration Manager 2012 R2 Forest Discovery to a trusted domain.
    Objects from the trusted domain (users/computers) show up in the Collections, but when I check under Administration\Active Directory Forests I can see Discovery Status "Failed to connect using default account" and Publishing status "Cannot
    Contact LDAP Server".
    I've added the SCCM server to local admin at the trusted domain via GPO and have also created the system Management container.
    When I check the log ADForestDisc.log I get this error message:
    "Failed to connect to forest X. This can be because of disjoint DNS namespaces, network connectivity or server availibility issue. Error Information The specified forest does not exist or cannot be contacted."
    I have setup Conditional Forwarders in DNS in both domains.
    I have also read other forums about this issue and should have the answer:
    "This error occurs for all of the domains that you mentioned and is typical when SRV records for DCs in those remote domains cannot be found. Forest discovery relies on DNS name resolution of SRV records to locate a suitable DC to communicate with."
    "The site server performing the forest discovery must be able to resolve the SRV records for the DCs or root domain of the other forest."
    We are using Windows AD integrated DNS in both domains.
    I'm not so familiar with DNS configuration so I appreciate if someone could tell more specific how to fix this.
    Thanks in advance

    Hi
    Thank you for your answer. This issue is solved. I've missed to open some ports in the router/firewall between the LANs.
    The status under Active Directory Forests is Succeeded now, but when I check under boundaries, I can only see the "Default-First-Site-Name" site for the first domain (same LAN as CM Server) and I can only see the IP address range for that LAN.
    I don't think this is a big issue, but shouldn't the site name and address range for the other LAN (where the trusted domain is) be automatically found too during forest discovery when I've checked the options to create site and IP boundaries automatically?

  • SQLServer Reporting Services 2005 Prompts for Credentials for a trusted domain user

    Currently the report is running in the domain AAA. Users in the domain AAA are using the report.
    Another new domain BBB and an user XXX is now created and  BBB\XXX has been given Browser access. Domain AAA and BBB are trusted domains.
    After this when the user BBB\XXX logs in and access the report, before loading the report, credentials dialog is prompted, once credentials of BBB\XXX is entered, the report is loaded.
    Why the report prompts for this additional credential dialog for the trusted domain user?

    Hello,
    Did you get two textboxes in the report parameter panel (on the left side of the "View Report" button)? The issue occurs when the credential of the datasource is configured with "Prompt for credentials". Please check whether you configured the credential
    with "Stored Credential" of the datasource.
    Please refer to the following thread to configure the credential.
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/1564cd7a-6b7a-40f1-9f98-5c766ebfc63e/datasource-userid-and-password-being-asked-eachtime-when-report-is-generated?forum=sqlreportingservices
    Regards,
    Alisa Tang
    TechNet Community Support

  • Rd web showing all remoteapps when logging in with an account of a trusted domain

    We have a DMZ with a separate domain. There is a one-way trust to our local domain.
    In the DMZ domain there is an RD Web and RD Gateway. When logging in to the RD Web with an account from the DMZ domain it's all fine, but when logging in with an account from the trusted domain all RemoteApps are shown.
    All servers are 2012 R2.

    Hi sir,
    Please make sure your account has already been added to your Pay-As-You-Go subscription in the co-administrator role. If the account is not in your subscription, please add it and try to log in from your VS again.
    If this issue always occurs, you can try to download the publish file and import it into your VS; please follow these steps:
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-windows-how-to-import-publishsettings/
    Regards,
    Will 

  • Javax.naming.AuthenticationException: No such domain/application:

    I'm trying the JDeveloper 11g tutorial "Build a Web Application with JDeveloper 11g Using EJB, JPA, and JavaServer Faces". I encounter this problem when I try to run the simple Java client created by JDeveloper.
    javax.naming.AuthenticationException: No such domain/application: "current-workspace-app"
         at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:120)
         at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:70)
         at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:720)
         at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:252)
         at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:235)
         at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:302)
         at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:64)
         at javax.naming.InitialContext.lookup(InitialContext.java:351)
         at mssql.HRFacadeClient.main(HRFacadeClient.java:13)
    Anyone knows what's the cause of this error? I follow exactly the steps in Jdeveloper 11g tutorial. The only difference is that my database is MS SQL database.

    Same error.
    The real application (web and EJBs) is running on the same OC4J instance. The web client is accessing the EJBs on port 3101, so I think this is the correct RMI port.
    The server is part of an infrastructure that is running on the same server; the server is one of two ApplicationServers that the infrastructure (farm) is controlling.
    Each server has an instance name; the server I was deploying to has the name instance2. Maybe I have to give a reference to the instance?

  • Cannot share documents with few users in one way trusted domain

    Hello
    I am running into a weird issue. I set up people picker in SP 2013 Foundation version to look up users from one-way trusted domains, after which I started getting all the users from that domain in my intranet. I can also share or modify the permissions of
    users as administrator. However, when I try to add 2 specific users as site collection administrator or try sharing a document, I get an error.
    I can look up their names but when I try changing their permissions or sharing a document with them, I get an error. It's weird because it is only with these two users. There is no difference from an Active Directory point of view between these and other users. Please
    help or suggest some troubleshooting steps.
    Regards,
    Hardik Bhilota.

    Hi Hardik,
    What was the error message when sharing documents with the two users?
    Please also check the ULS log for detailed error message which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
    What is the permission of the two users in SharePoint site? Can they access the site?
    Please also run the two commands below to see if the issue still occurs:
    First, on every front-end Web server on a farm run this command:
    STSADM.exe -o setapppassword -password key
    Second, on a front-end Web server run this command:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http:// webapp
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • Documentation on settings up DP, MP in non trusted domain USING HTTPS

    Is there any documentation that specifically talks about setting up a site system in a non trusted domain with management point and distribution point and communication using HTTPS.
    I see some examples but none of them talk about the certificates that are required on the DP and MP in the non trusted site server.
    Thanks Lance

    Hi Jason,
    I am stumped (and not a certificate guru) and not sure how to get certs based on the Config Manager Web Server template and Config Manager Distribution Client Template into the machine (Secondary MP/DP) that is in the untrusted domain.   I hear
    you about the untrusted domain part not making a difference.   Our secondary MP/DP in the untrusted domain does have the root certificate in the trust root store.
    I have tried MMC certificates, certreq and have tried to go directly to the CA (https://caserver/certsrv) but in neither case do the Config Manager Distribution Client nor Config Manager Web Server templates show up.
    Conversely in the domain that the CA Server resides,  I can request both of these certs in the MMC certificate plugin.
    I am certain I am missing something.
    We used this technet document to setup the certificate templates, etc.
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    Thanks Lance

  • By default, which right has a user on a "external trusted" domain ?

    Hi,
    I would like to know what the rights are for users in DomA when a bidirectional external trust is in place with DomB?
    By default, the user in DomA is a member of "DomB\Domain User" (otherwise, how can the user in DomA list the users in DomB, for example?)
    Are there any specific things to know if DomB is at Win2000 compatibility domain/forest level?
    I know this resource
    https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx and this
    https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx but didn't find my answer.
    Thank you ! :)

    I've created many trusts in my day and they can get confusing... quickly...
    #1 Who is the "trusting Domain" (who is saying "yeah I, domA, will let DomB in the door")
    #2 Who is the "trusted domain" (who is "walking through the door (DomB)")
    *** I know you said "bidirectional" but it helps you visualize the "security trust" for what is actually required. **
    #3 Is that "Domain User" part of a Group? Is the Group Domain or Universal? Only certain types of groups can work across a trust.
    #4 Are you doing a domain level trust or a forest level trust? External trusts are "domain to domain". However the domains can exist in separate, non-related forests.
    If you do a two-way domain External trust -- Domain Users from DomA can access all the resources on DomB, if explicitly provided they have access to those resources. What I mean by that is if Domain User Doesn't have domain admin privileges in DomA, it won't
    get domain admin privileges to DomB and vice versa.
    This is where the trick is though. In a two-way domain External Trust -- All domain / enterprise admins in DomA will have domain /enterprise admin access in DomB and vice versa. They can grant themselves privileges to any servers and resources.
    This is why one way trusts are popular...because you only want to let one domain into the other domain. "big brother" type of trust.
    Kind of make sense?

  • OSD Across a Non-Trusted Domain

    Hello All,
    Thank you in advance for the help. I am trying to validate a configuration I would like to put in place for a client.
    The client has Configuration Manager 2012 set up to manage computers in a non-trusted domain with no MPs in the non-trusted domain. There are DPs in the non-trusted domain. The site runs in an https configuration for these clients. We have configured a subordinate
    CA in their forest that trusts the CA in the forest that hosts the ConfigMgr site servers and all certs are working fine.
    My question: Will OSD function correctly for computers in the non-trusted domain? Or do I need to have an MP in the non-trusted domain as well?
    Thanks!

    Hi Jason,
    Yes, you are correct - there are multiple HTTP MPs that are reachable from the non-trusted forest's computers on the Intranet. There is also an HTTPS MP in the DMZ which is reachable from the internal network as well (we use split-brain DNS for this). The
    DMZ MP in HTTPS mode can handle the requests from the non-trusted forest's clients and I envision DPs being configured in the non-trusted forest's domain in HTTPS mode to provide the DP service for the non-trusted domain's clients.
    One of the other respondents indicated that they believed this config would work as long as the client could reach a PXE enabled DP. I don't see a reason this won't work as well with a boot image with a cert on it or via Software Center, right?
    Does this configuration sound kosher?
    Thank you!

  • Distribution/management point in non trusted domain

    Hoping somebody can clarify a situation for us on distribution points on a machine in a non trusted domain.
    We are assuming that this distribution point uses the same certificate that the primary distribution point uses.
    Is this correct? When we try this it says that the certificate is already in use and asks whether we want to continue.
    Thanks in advance.
    Thanks Lance

    Hi,
    Please configure the CEP/CES web service; the following blog is for your reference.
    https://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    Best Regards,
    Joyce Li

  • WDS does not start - 0x6fc Error Trusted Domain

    Hey guys,
    first of all, I am not a native speaker but hope that you can understand my English.
    In our environment we have two deployment servers and since yesterday we cannot install clients because we cannot start the WDS service. Here is some information about our environment: Both servers are virtual machines running Windows Server 2008 R2 Standard. The computers have the WDSServer role and MDT 2013. We installed hundreds of clients with them but since yesterday the WDSServer service is not running. In the past we sometimes had problems with the Trusted Domain error, but the only thing I had to do was to rejoin the servers to our domain, but this solution does not work now.
    I found many solutions here in the forum or in other forums. I have already tried the following solutions:
    - Rejoined the domain. Did not work.
    - Checked all trusted domains for problems. Deleted two trusted domains which are offline.
    - Ran dcdiag on our DC. Everything seems to be fine.
    - Added the WDSServer role on another server. Same problem here.
    In the event log I could find the following entries:
    Event ID 768: An error occurred while trying to initialize the Auto Add Policy.
    Event ID 261: An error occurred while trying to initialize provider BINLSVC loaded from C:\WINDOWS\system32\binlsvc.dll. If the provider is marked as critical the Windows Deployment Services server will be shutdown.
    Event ID 265: An error occurred while trying to initialize provider BINLSVC. Since the provider is marked as critical, the Windows Deployment Services server will be shutdown
    Event ID 513: An error occurred while trying to initialize provider WDSPXE from C:\WINDOWS\system32\wdspxe.dll. Windows Deployment Services server will be shutdown
    Event ID 257: An error occurred while trying to start the Windows Deployment Services server.
    Event ID 7024: The "Windows Deployment Server" service terminated with service-specific error:
    The error number is 0x6fc every time.
    We did not change anything in our domain or anything else. The only thing I have done was to add new drivers to our image on Monday, but then everything was fine with the deployment. We installed clients and on Thursday morning both deployment servers crashed.
    I really don't know what I can do now. Does anybody have a solution for my problem or some ideas which could help me?

    Hi,
    This article provided a good troubleshooting guide:
    Enable WinLogon debug log, then refresh the policy, then find out the problem account name and policy.
    For more information you can refer to:
    Troubleshooting SCECLI 1202 Events
    http://support.microsoft.com/kb/324383
    Hope this helps.

  • SQl engine service account in different trusted domain from server?

    Is it possible to use an SQL service account from a different, but still trusted, domain than the one to which the server is joined?  If so, are there any nonstandard configuration settings I need to use?
    I've got this setup running, but when I try to connect with an account from any domain other than the one to which the server is joined, I get the following error:
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    I've created the SPN in the service account's domain, and verified there is both connectivity and a valid trust relationship.  The users I'm testing also have logon permissions for the server.

    Hi AccuMegalith,
    Firstly, it is possible to use an SQL Server service account from a different, trusted domain. We need to note the following configuration.
     For more details, please review this article:
    Security Account Delegation.
    1. The service account must be trusted for delegation on the domain controller.
    The following options in Active Directory Users and Computers must be specified in order for delegation to work:
    •The Account is sensitive and cannot be delegated check box must not be selected for the user requesting delegation.
    •The Account is trusted for delegation check box must be selected for the service account of SQL Server.
    •The Computer is trusted for delegation check box must be selected for the server running an instance of Microsoft SQL Server
    2. The service account must have SPNs registered on the domain controller. If the service account is a domain user account, the domain administrator must register the SPNs.
    Login failed for user 'SERVICEACCOUNTDOMAIN\account'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
    Secondly, regarding the above error message, it means that SQL Server was able to authenticate you, but wasn't able to validate with the underlying Windows permissions.
    It could be caused by the Windows login having no profile or by permissions that could not be checked due to UAC. Please perform the following steps to troubleshoot this issue. For more details, please review this blog.
    1. Run SQL Server Management Studio (SSMS) as administrator and disable UAC.
    2. Check if that login is directly mapped to one of the SQL Server logins by looking into the output of sys.server_principals.
    3. If the login is directly mapped to the list of available logins in the SQL instance, then check if the SID of the login matches the SID of the Windows Login.
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • Full mailbox access from trusted domain

    I have an issue with users unable to login to OWA or ActiveSync using trusted domain credentials. I have two forests, FOREST A and FOREST B. I have a 2-way forest trust between them. I have migrated users from FOREST A to FOREST B, but their mailboxes need
    to stay in FOREST A for the time being.
    I have added Full Mailbox access for their FOREST B accounts, as well as Send As permission.
    Outlook accesses their mailboxes no problem, with no security credential prompts. Sending is also fine. However, OWA and ActiveSync will not accept their FOREST B login credentials, I get the following error:
    The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted,
    or because you don't have the correct permissions.
    I have a single Exchange 2010 SP2 server in FOREST A. All roles are on this server.
    Why would Outlook clients work but OWA and ActiveSync are failing? Things I have checked:
    DNS suffixes for trusted and trusting domain are set on the Exchange Server
    Trust is in place and functional
    Outlook clients work fine using FOREST B accounts
    Changed OWA authentication options between UPN / Domain\User / logon name only - no options worked
    Checked time sync between DC's and Exchange
    Any ideas?? Thanks.

    Hi Bobby4300,
    Great checklist from Martin.
    Please try following links to set the msExchMasterAccountSID attribute in the Active Directory Account Forest, for your reference:
    http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html
    Additionally, the best way is to configure linked mailboxes. This is a mailbox associated with an external account. For more details about
    Create a Linked Mailbox, please refer to:
    http://technet.microsoft.com/en-us/library/bb123524(v=exchg.141).aspx
    Best regards,
    Allen Wang
