Non Domain Workstations

We recently migrated from Websense to Ironport and are experiencing an issue where outside vendors who are part of a domain other than ours cannot access the Internet through Internet Explorer; they are able to access the Internet through other browsers (for example Chrome).  We are sure it is an authentication issue but do not have a domain other than our primary one to test with.  When the vendor opens Internet Explorer, they are brought to a blank white page with the ironport URL in the address bar.  I have tried changing the authentication methods within IE on the affected workstations, but it did not resolve the issue.  I also tried adding our ironport URL as a trusted Intranet site and even Internet site.  I then tried adding our ironport IP as an explicit proxy, but it did not work.  Has anyone else experienced this issue?  If so, what was the resolution if any?  We currently are having them use other browsers, if they have one, or we add their IP addresses on the appliance.

Hi All,
This problem can be solved very quickly...
Yes, problem IS authentication, and IE security settings.
For your guest users, please make a Guest users policy that will be used for users that fail authentication (guests outside your domain).
If you do not know how to do this, I'll help you.
Here is what is happening to your external clients (guest users):
They access the internet, and their request ends up on WSA.
WSA is configured to authenticate users, so it sends a Redirect message to the user's browser (HTTP 302) and redirects our user to WSA's P1 address in order to authenticate the user.
The problem is that IE will NOT allow the browser to be redirected to "some location" unless this location is set to be in the IE "Trusted sites list".
So, in order to make your IE respond properly to the redirect message, your client must set WSA's authentication redirection FQDN in their IE browsers to be in the Trusted sites list...
This was the solution if you use FQDN name of WSA for authentication.
Additionally problem can be caused if guest users can not resolve short host name of your WSA.
If you use only short hostname instead of WSA P1 FQDN, then your guest users must know what domain your organisation is using (this can be pushed via DHCP for example).
Hope this helped.
Cheers,
Ana

Similar Messages

  • Non Domain Servers and Workstations

    Hi,
    we are trying to deploy SCCM 2012 clients to non domain servers, and we are also in the process of trying to find out what the best way we can clean up machines from sccm that have not logged in 90 days or more.
    From my understanding if I turn on only discover machines that have logged on to the domain in a given period of time then that means if a server has not logged in will not be discovered which can be an issue when patching, and also what do I need to do
    with the non domain servers with sccm client installed on the servers.
    can you please help me with this that would be greatly appreciated
    Thanks Tom

    Hi,
    This blog post does a good job explaining the steps to manage non-domain machines with ConfigMgr 2012:
    http://blogs.technet.com/b/anilm/archive/2012/05/06/managing-workgroup-clients-in-configuration-manager-2012.aspx
    This technet article also has more detailed information about client communication for workgroup computers:
    http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest

  • Non-Domain Print server

    Hello All,
    We set up a non-domain print server for our SAP integration. We have several printers all being shared. When we go to add a printer on a workstation or terminal server through add a printer and choose network we can bring up list through typing in \\servername\.
    When we use windows explorer it says we can not access. How can we allow them to browse printers through windows explorer? This will be done from domain and non domain accounts. 
    -File and printer sharing is on
    -Windows firewall is off
    - Guest account is on

    Hi,
    When we use windows explorer it says we can not access.
    Would you please let me know complete message that you can get?
    Please follow the path: Control Panel-> Network and Sharing Center-> Change advanced sharing settings.
    Please also click ‘Turn on network discovery’ and monitor the result.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • WMI filtering / GPO for non domain members

    Hi all,
    Our customer make use of a Windows Server 2008 R2 RDS. We use some thin clients and win7 workstations to connect with it inside our domain.
    We had a policy for automatic screen lock and secure with password, but they don't want to use it anymore for the users who are working internally. So I disabled this policy.
    What they want is a policy for all homeworkers or users connecting from an internet cafe or something. So if they are not connecting from a specific subnet or domain, the screens have to lock automatically after a few minutes.
    Does anyone know how I can do this? Do I have to create a WMI filter for computers which are not domain members or do I have to do this for a specific subnet?
    Thanks!
    Kind regards, Raymond

    I thought I should clarify this based on your question:
    You say you want filtering based on "non-domain users".  Are you saying you have users connecting in that are not using AD accounts?  How are you doing this?  Are they using local accounts on the server?
    How are you allowing non-domain accounts to connect? Where are the accounts defined?
    Maybe you really are asking about domain users connecting from the WAN and not from the LAN.  Is that what you are trying to ask?
    ¯\_(ツ)_/¯

  • How many users can connect to a shared drive on a non-server workstation?

    How many users can connect to a shared drive on a non-server workstation? We're waiting for our server to arrive and in the interim we're using a Pegasus 2 R6 attached to an iMac running Mavericks as our fileserver. It's been sketchy, the connection to the server being dropped once in a while or the inability to mount the drive after a week of success. The Pegasus we're using now will be attached to a server once it arrives. For now I need to figure what's causing trouble before I commit to this being our main storage as planned. The data is backed up every night so I'm not worried, it's the usability issues. 5-7 people are mounting this drive and opening/saving at the same time. Is there a limit to Mavericks' fileserving ability that may be causing this? Understandable if so.

    The file server in the client version of OS X has a default limit of 10 simultaneous connections. That limit can be raised by installing OS X Server, or lowered by setting a hidden preference. Assuming you've done neither, you may be able to solve the problem temporarily by stopping and restarting file sharing in the Sharing preference pane, or permanently by setting another hidden preference on the server to break idle connections quickly.
    defaults write /Library/Preferences/com.apple.AppleFileServer idleDisconnectOnOff -bool YES
    Stop and restart file sharing. To reverse the change, run this command in the same way:
    defaults write /Library/Preferences/com.apple.AppleFileServer idleDisconnectOnOff -bool NO
    Credit for this solution to ASC member suter:
    this file server will not allow any additional users to log on

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
    I use 3-tier PKI infrastructure:
    Stand-alone offline Root CA: RootCA;
    Stand-alone offline Intermediate subordinate CA: SubCA;
    Enterprise CA: EntSubCA.
    In certificate we have three CDP point for CRL check:
    ldap:///, http:// and file://
    I have Windows 2008 R2 server joined to domain.
    I use command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of certificate.
    When I use domain user account for revocation checking, all OK.
    I have access to any CDP and all fine.
    But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all other links are OK.
    My question is "why does the check fail with a non-domain user account while other CDP points are successfully verified"?
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions
    (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
    an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt.
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
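
    Added example (not part of the original thread): a Python parser for `certutil -verify -urlfetch` output like the log above. It groups retrieval results by URL scheme so that a scheme which fails only for the current account, as ldap:/// does here, stands out. The sample input is abridged from the log quoted in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Abridged from the certutil output quoted in the post (leaf certificate only).
SAMPLE = r'''
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
'''

# e.g.  Failed "CDP" Time: 0   /   Old Base CRL "Delta CRL (018d)" Time: 4
STATUS_RE = re.compile(
    r'^(?P<status>[A-Za-z][A-Za-z ]*?)\s+"(?P<item>[^"]*)"\s+Time:\s+\d+\s*$')
# e.g.  [1.0] file://\\ca\crl\EntSubCA.crl   (the [n.n] index is optional)
URL_RE = re.compile(
    r'^(?:\[[\d.]+\]\s+)?(?P<url>(?P<scheme>ldap|https?|file)://.*)$', re.I)
# e.g.  ---------------- Certificate CDP ----------------
SECTION_RE = re.compile(r'^-+\s+(?P<name>.+?)\s+-+$')
ERROR_PREFIX = "Error retrieving URL:"
GOOD = {"Verified", "OK"}


def parse_urlfetch(text):
    """Return one record per retrieved URL: section, status, item, error, url, scheme."""
    records, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group("name"), None
            continue
        m = STATUS_RE.match(line)
        if m:
            pending = {"section": section, "status": m.group("status"),
                       "item": m.group("item"), "error": None}
            continue
        if pending is None:
            continue
        if line.startswith(ERROR_PREFIX):
            pending["error"] = line[len(ERROR_PREFIX):].strip()
            continue
        m = URL_RE.match(line)
        if m:
            records.append({**pending, "url": m.group("url"),
                            "scheme": m.group("scheme").lower()})
        pending = None  # a status line is followed by at most one URL line
    return records


def summarize(records):
    """Count ok / failed / other results per URL scheme and collect error texts."""
    out = defaultdict(lambda: {"ok": 0, "failed": 0, "other": 0, "errors": set()})
    for r in records:
        bucket = out[r["scheme"]]
        if r["status"] == "Failed":
            bucket["failed"] += 1
            if r["error"]:
                bucket["errors"].add(r["error"])
        elif r["status"] in GOOD:
            bucket["ok"] += 1
        else:  # e.g. "Old Base CRL": fetched, but not usable as current
            bucket["other"] += 1
    return dict(out)


def account_dependent_schemes(records):
    """Schemes that never succeeded while at least one other scheme did."""
    s = summarize(records)
    any_ok = any(v["ok"] for v in s.values())
    return sorted(k for k, v in s.items()
                  if any_ok and v["failed"] and not v["ok"])


def non_http_urls(records):
    """Distinct CDP/AIA URLs that are not HTTP(S), per the advice in the reply."""
    return sorted({r["url"] for r in records if r["scheme"] not in ("http", "https")})


if __name__ == "__main__":
    recs = parse_urlfetch(SAMPLE)
    for scheme, counts in summarize(recs).items():
        print(scheme, counts)
    print("fails only for this account:", account_dependent_schemes(recs))
```

    Running the same parser over the output captured under a domain account and under a local account and comparing the two summaries shows which distribution points depend on the caller's credentials.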

  • Win 8.1 domain workstation. Block all access, except for a few users/groups and domain controller information/date.

    Hi!
    Win 8.1 pro, domain workstation. How to block all access, except for a few users/groups and domain controller information/date.
    Nuance:
    From domain AD is locked Workstation Firewall "Domain profile" edit.
    Possible?
    cenubit

    Hi GirtsR,
    I am not sure of the command to use the SID to accomplish what you want to achieve. If you only know the SID, you could use PowerShell to find the related information. For more information, please check:
    Working with SIDs
    And a similar thread for reference:
    How to find user/group known only SID
    More reference: Default local groups.
    Best regards
    Michael Shao
    TechNet Community Support

  • Change default key size on non Domain joined CA.

    Hello,
    I have one standalone non domain joined CA. I would like to change the default key size of all issued certs to 2048.  Since it is a standalone, there is no AD template to modify.  Can this be changed in the registry?
    Shawn

    CAPolicy.inf is the way to go.
    See the following thread
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
    Hth, Anders Janson Enfo Zipper

  • Premiere and Photoshop CC Crashes at launch on a Domain Non-Domain Admin Computer

    On Windows 7 Domain computer lab as a non domain admin but local admin, program launches and then closes with the error codes below. As domain admin account, it works fine. This is a K12 education institution, so giving students domain admin status is unacceptable. Please advise, any help is greatly appreciated.
    FYI, things I have tried:
    Integrated graphics cards, I have uninstalled and re-installed drivers. No luck. I have also made the pslog.txt file and given appropriate permissions to all users.
    Error Codes:
    Windows Error Code - Application error
    Faulting application name: Adobe Premiere Pro.exe, version: 8.0.1.21, time stamp: 0x53c7b17f
    Faulting module name: dvaui.dll, version: 8.0.1.21, time stamp: 0x53c76970
    Exception code: 0xc0000005
    Fault offset: 0x00000000002f4e39
    Faulting process id: 0xf28
    Faulting application start time: 0x01d01a2c32635355
    Faulting application path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\Adobe Premiere Pro.exe
    Faulting module path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\dvaui.dll
    Report Id: 924f6336-861f-11e4-821e-0024811149b1
    Fault bucket 45383478, type 20
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0
    Windows Information - Windows Error
    Problem signature:
    P1: Adobe Premiere Pro.exe
    P2: 8.0.1.21
    P3: 53c7b17f
    P4: dvaui.dll
    P5: 8.0.1.21
    P6: 53c76970
    P7: c0000005
    P8: 00000000002f4e39
    P9:
    P10:
    Attached files:
    C:\Users\esdstudent\AppData\Local\Temp\WER9443.tmp.WERInternalMetadata.xml
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Adobe Premiere P_ad637fa2c8bd70d3e74771b4be53569c25a980_00c3bab6
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 924f6336-861f-11e4-821e-0024811149b1
    Report Status: 0

    I think you have answered your own question... you must have BOTH types of user accounts set to Administrator
    This is an open forum with a mix of program users and Adobe staff, not Adobe support... you need Adobe support
    Adobe contact information - http://helpx.adobe.com/contact.html may help
    -Select your product and what you need help with
    -Click on the blue box "Still need help? Contact us"

  • Non-Domain joined clients connect to server initially but cannot connect via Launchpad

    Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed. 
    Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box. 
    Tried removing PC from the SBS Dashboard, uninstalling the connector from the client, restarting client, and reinstalling the connector. I can install the connector (using
    http://<server ip>/connect , but not http://<servername>/connect
    ). Connector installs but it still tells me the server is offline when trying to use dashboard or launchpad on the client.
    Note: I can add a network location or Map a network drive to the server after inputting my network password from Windows.
    Any Services to check? Firewalls exceptions to ensure? Advice?
    EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline. 

    Sounds like name resolution issue to me.
    Are all your clients set to use the IP of the Essentials Server for their primary DNS?
    Robert Pearman SBS MVP

  • Non-domain emails

    We have found a need for users in the company, who, for whatever reason, cannot access their domain email, and need to send a message to helpdesk. As it stands right now, the service manager will not take emails from outside the domain and create a ticket
    for our helpdesk. Q: 1. is there a way to configure Service Manager to allow non-domain emails. 2. is this a setting within the Exchange server, or does this even exist?
    Jerome Reafs

    Hi,
    The SCSM Exchange Connector has an option 'Only process emails from users in CMDB'. Uncheck it and EC will create a new user for every email sender not presented in the CMDB.
    Cheers,
    Marat
    Site: www.scutils.com

  • Non Domain User Access to Report Server

    HI Team,
    I am back with another question. These days I am working on SSRS web services. As a part of that I need to provide user access to non domain users to the report manager which is residing in a virtual machine, and also when I use the report service web service
    URL it is asking for the virtual machine's windows credentials, and as per my client's requirement I should not be prompted with the VM's windows credentials.
    Also, we are providing end users with a login page and this login page is connected to a separate User's database  in the VM and how to register these non domain users in the report server database
    and also report manager. Please help me out of this issue. 
    Thank you.

    Hi NB515,
    In Reporting Services, if we connect to Report Manager from outside the domain, then we need to provide a domain username and password before we can access it. If you want to skip this step, you can configure anonymous access for the report server. However, anonymous access
    is not recommended as it may give direct access to your report server or report projects to anyone who knows the URL of your Reporting Services. But in case you still want to try it, you can refer to the link below to see it:
    http://blog.quasarinc.com/ssrs/sql-server-reporting-services-2012-anonymous-access/
    If you have any questions, please feel free to ask.
    Regards,
    Charlie Liao
    TechNet Community Support

  • Non-domain computer cannot connect to server

    I have a unique issue. 
    I have a Windows 2008 server running Exchange 2010 (all roles on single server )
    I have a Windows 7 Pro client that is not a member of the domain.
    When setting up Outlook 2010 I enter user's name, email address and password.  The system starts configuring, it successfully searches for [email protected] settings.  It then prompts for credentials.  I cannot get it to take them.
    However, if I use the domain admin account I can successfully set up the domain admin email in Outlook.  I just cannot do it with a standard user.
    Also, I noticed that this non-domain computer can access domain member server if I provide credentials (domain\username). This does not work with this or any of my other Windows 2008 servers.
    I have been fighting this with no relief in sight...
    Thanks
    Wayne 

    Let me be clear about my symptoms.
    Exchange with domain joined computers autodiscover/Outlook works fine....
    DC's and exchange server all have same time/date otherwise nobody would be able to authenticate.
    The problem only exists with non-domain computers (both within the network and outside of the network)
    The autodiscover tests fine with exchange connectivity tester.  I cannot test outlook as I have a certificate from an untrusted root that is installed manually on the non-domain computers.
    The non-domain computers can connect to windows 2003 member server (with appropriate domain credentials) but not to this 2008 (or the other 2 2008 member servers)
    Update-  If I configure the domain administrator account on that same non-domain connected machine, it retrieves the domain admin email just fine.....

  • Non-domain computer WSUS entries keep getting reset

    We have a non-domain member laptop. So it does not get domain GPOs, confirmed by RSOP. Somewhere along the line someone entered the wrong WSUS server into gpedit.msc for the WUSERVER and WUSTATUSSERVER: http://server02:80. Whenever I try to change it to
    the correct server (http://server01:8530) using gpedit.msc, something changes it back to server02. I searched the entire registry and can't find where it's set other than the standard WUSERVER and WUSTATUSSERVER locations. Where else could this value be stored
    and how do I get this laptop to check in with the proper WSUS server?
    Ben JohnsonWY

    We have a non-domain member laptop. So it does not get domain GPOs, confirmed by RSOP.
    Don't really need RSOP to confirm that a non-domain member laptop isn't getting domain GPOs, since it's functionally impossible for that to happen.
    Somewhere along the line someone entered the wrong WSUS server into gpedit.msc for the WUSERVER and WUSTATUSSERVER: http://server02:80. Whenever I try to change it to the correct server (http://server01:8530) using gpedit.msc, something changes it
    back to server02.
    Well... now... here we have another functional impossibility. The *only* thing that can edit Local Policy on a computer is a human being working from the Local Policy Editor on that computer. In fact, not even a Group Policy Object (GPO) can change a value
    in the Local Policy configuration settings!
    The Good News, though, is that the Windows Update Agent is policy aware, so IF something is changing Local Policy, specifically the URL of the WSUS Server, the Policy Change Event will be logged in the WindowsUpdate.log, and from that you can determine exactly
    *WHEN* the change is being made. Knowing when the change is being made will likely help narrow down
    who or what (although there's not much opportunity for a "what" in this instance) is making that policy change.
    I searched the entire registry and can't find where it's set other than the standard WUSERVER and WUSTATUSSERVER locations.
    That's it. But this logic seems to suggest you have inverted cause and effect. The registry values are set by the Local Policy settings, not the other way around.
    how do I get this laptop to check in with the proper WSUS server?
    Well, this part is easy. You fix the Local Policy problem. :-)
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Non domain-joined Clients (CES/CEP)

    Hello Everyone!
    This is my first post to the security forum and it is not an overly familiar tech for me so please be gentle. :)
    I am looking at building a lab to test a web based application for a client.  The client has very stringent security requirements and as such have mandated the need for both the web server to be secured using SSL certs and requires the connecting
    users to have a certificate.  The infrastructure will be hosted in a central DC in its own AD forest whilst the users connecting in will have their own AD as they work for different companies.  Each user will have an AD account within the hosted
    environment.  My initial thought was to provide public certs for the web servers but my problem was providing certificates to the clients.  Clearly using public certs would be very expensive.  After a bit of research I stumbled across the following:
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
    What I am trying to understand is, will the combination of Certificate services & CES/CEP effectively do away with the need for public certs in this instance?  Can I simply use the internal authority to publish certificates to the web server and
    to the end users?

    Yes - I think this is one of the scenarios CES/CEP have been developed for.
    End users would have to trust your internal CA and validate the chain, so intermediate CAs should be found via AIA URLs. But since you need user - not computer - certificates this is simpler than described in the article as users do not need to be local
    admins to import a root. (But on principle the admin of a user's home AD could restrict this though I have never encountered that.)
    You would need to publish the CES/CEP services via a reverse proxy and external users would have to configure the enrollment HTTP URLs and enter their AD credentials in the hosted AD when connecting.
    As users have imported your CA certificate they will also trust the web server's certificate issued from the same CA.
    Elke
