Open Directory / Active Directory SSH access
I have recently bound all of our web and database servers on our active directory and open directory realms. I am able to augment the AD records for my account and the accounts of the other admins, give them NFS home directories and all is great. We can login to any machine with our AD password and get our homes. Problem is 9 times out of 10 we all prefer using SSH and the CLI for most of what we do. I can login to any of these machines with an OD user and get their home directory, but when I try with an AD user I cannot authenticate.
So to recap:
* Login works for both OD / AD users at the login window
* SSH login works for OD users
* SSH login does not work for AD users.
I don't even know where to begin with debugging this one. Any help would be greatly appreciated.
Message was edited by: Coleman Nitroy
Okay adding even more information to this (maybe this topic needs to be moved to a different sub forum)
Instead of assuming SSH would automatically work via AD/OD binds like the Login window does (apparently magically) I went thru and setup the SSHd on a test box to work via kerberos logins.
On the client side I enabled GSSAPIAuthentication as well and here is the error I get for (ssh -v [email protected]):
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database.
Then it kicks over to the next authentication method. To enable AD login via the login window I didn't have to do anything special. Kerberos tickets are generated and all is well. I am not certain as to why or how SSH works via OD automagically but still no luck getting it to work with AD. Not getting this working would be a large loss for our lab.
Anyone....?
Message was edited by: Coleman Nitroy
Similar Messages
-
Open Directory Active Directory users want to know Is there a method?
Help
Open Directory Active Directory users want to know Is there a method?
Or can I make the Active Directory users to share on the Open Directory.
My goal is to use our school Mac computers with SSOIf I understand your question correctly, using Active Directory with OSX, there are a few ways this can be accomplished.
One way is by joining each Mac directly to Active Directory. This doesn't take advantage of the additional managed preference available to OSX, but does allow AD users to authenticate on OSX. On each machine, one would open System Preferences > Accounts > Login Options > Click Join next to Network Account Server. Follow the prompts and provide the domain name of your Active Directory deployment to join the system.
Another method is to follow the steps above, but only after extending the Active Directory Schema to support the OSX-specific managed preferences. It's a mostly harmless operation and means that you'll have a single administration interface for both OSX and Windows systems. The AD Schema information is available from Apple Support, but may also be readily available on the Internet.
Because our Windows team preferred to not change our AD schema any more than we already had, we used a different method. We created an Open Directory Master on one of our OSX servers, then we joined it as a member server to Active Directory. Next, we join all of our OSX workstations and laptops as members to the Open Directory domain instead of to Active Directory. This way, SSO still works. New user accounts are added to Active Directory and all managed preferences for OSX can be managed through the native OSX Workgroup Manager tool.
I think there are some instructions in the User Management PDF (Mac OS X Server, User Management, Version 10.6 Snow Leopard) or in the Advanced Server Admin PDF (Mac OS X Server, Advanced Server Administration, Version 10.6 Snow Leopard) but not completely certain. This page might have the docs. -
New Branch Office Opening. Active Directory Options
Hello.
Our company has a new branch site in Canada that's been in operation for some time now. the "admin" of that branch office is wanting to setup 2 new domain controllers, i was going to suggest that we could add a Canada site via Active directory
sites and services and configure it that way.
he suggested that he would like the to have a separate domain name, for instance if we're contoso.co.uk, they want to be contoso.ca
is the best option in this situation to have them setup there own domain and then just federate between them?
i have good experience with AD but as were a small company (geographically) so i have little knowledge of multi site / federation topology.
any suggestions would be most welcome.
Many ThanksHello
If you decide to deploy new Domain this will lead to new administrative tasks to able to support users(creating trust to support access to resources in other domain, other suit of GPOs etc.). Instead if second site is added this will be more simple solution.
semi -solution is to have child domain which back again will lead to other admin tasks. Also Recommendation by the vendor to have simple solution. -
Open Directory & Active Directory
Dear Mac community,
We got a couple of Mac servers running in our company and we have around 140 Mac clients running in our company. We use Open directory for the policies on our macs and we use active directory for all of our computer accounts. Cause we mainly use RDP for Mac to connect to a terminal server except our graphical department.
This works perfect but now we have adjusted our password policy in Active directory and users must change password when they first login they do that on the mac witch authenticates with Active Directory. After typing there username and password like normal they get a new windows witch notify the user to change there password and conform it and a hint to fill in, after they fill this in they can't get pass that window, it just shakes so it does not work.
Any answer would be appriciated.Hi, can you help me how to put a windows machine on active directory on my MacOS X Server 10.6 ?
Thank You!
Reynolds -
Open Directory, Active Directory, Both????
Good morning from Paris,
My company will migrate its Macintosh to Mac OSX 10.5 and I'm wondering what's best for Authentification and SSO.
I did investigate a bit and finally choosed to add an Open Directory among our existing Active Directory. In order to have pretty managed Macs, I also intend to use MCX, ARD and of course Netboot among Mac OSX Server OD to manage Workstations and deployments. We don't for now intend to use solutions like Centrify's direct control or Likewise solutions...
So here's my question. If we do use two discussing directories, is it required or simply usefull to extend the Active Directory schema? I have read several discussions about the extension and the Active Directory Domain we use is quite ready for it.Hi There,
Have just read your post and wondered how you have decided to manage your Mac's.
I am looking at extending our active directory schema and manage our Mac's via mcx via the AD.
Im really looking for if anyone else has done this and how you got the schema extensions, i have read all about it, in getting an OD up and running looking at what extensions there is and editing the file e.t.c. but surely apple can provide this information?
Thanks for any advice? -
OS X Open Directory / Active Directory
I followed the direction provided by the "MacTroll White Paper" on AD/OD integration (http://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf) which is linked to from various places on Apple's website).
I can now manage Macintosh client preferences while authenticating through AD, as expected... However I can no longer (from Windows clients) access SMB shares hosted on the OS X (10.4.9) Server (acting as AD member, OD master).
I'm not sure if it's relevant, but the following error shows up in the smbd log, when starting the "Windows" service:
/SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:adskinitpassword(146)
kerberoskinitpassword host/[email protected] failed: Client not found in Kerberos database
Can anybody offer any assistance?
Thanks.http://lists.apple.com/archives/macos-x-server/2007/Jan/msg00386.html ?
Thread starts here:
http://lists.apple.com/archives/macos-x-server/2007/Jan/msg00335.html
HTH
-Ralph -
Authenticating Workgroup Manager to Active Directory.
Dear all,
I've searched the forums and Internet and tried various things that could help my situation but I'm still having issues.
I am running 10.4.11 server 10.4.11 client machines. All machines and server are connected to Active Directory via the built in AD plugin.
Logging on to a client machine with an AD login works fine, no issues.
System image deployment over the network from the Xserve work fine.
The I have is implementing managed preferences from Workgroup Manager. When I open it, it will show me all of the users and groups. It says:
*Viewing directory: /Active Directory/All domains. Not authenticated*
When I click the padlock to authenticate, and enter my domain admin username and password, it says:
*The login information is not valid for this server.*
My login works as it allows me to add machines to the domain.
More info available as needed. If anyone can assist, thanks in advance.
Regards,
M.Hi
Viewing directory: /Active Directory/All domains. Not authenticated
When you bound the server to the Active Directory Realm what user name and password did you use? It will be this name and password that you will need to authenticate to the Active Directory node. This name and password should be the one that already exists on the AD that has authority for that server. Its also the name and password that should be used when binding mac clients to the AD node using the Active Directory plugin in Directory Access.
This name and password can be the same as the one created for promoting your server to OD Master (diradmin). Its a good idea to create this account on the AD first (make it authoratative for the AD) before promotion and client binding.
If you want to augment the AD with OSX Server managed preferences (MCX) then create a group within the /LDAPv3/127.0.0.1 node (assuming you have promoted the server to OD Master and disabled sso). Have two windows open in WGM (better done from a client). One window will show you the AD node and the other the OD node. Drag users or groups from the AD node into the newly created group in the OD node.
Apologies if you already know this, Tony -
Connected to Domain but can't log in using Actived Directory Credentials
Hey everyone. I've been working on this issue for two weeks now, and I don't know what else to try. I'm connected to my domain but cannot get my Macbooks to log in using Active Directory credenitals both through our wireless network, and hard wired with an ethernet cable. The weird part about it is that it is not uniform all across our network. This only happens to certain Macbooks and as of right now there doesn't seem to be a pattern. I can say that it has happened to all new Macbook Pros that we have ordered lately though.
We use Jamf to manage our Macs on our network, and ever since upgrading to a new version (9.01 and now 9.1) we have had this issue. However I can't connect after manually adding the domain either, so for now it makes me think it is not a Jamf issue. Has anyone dealt with this issue before, that might know of a fix? Thanks!Hi Burnettb1,
I have come across a similar issue as yours. I have included the instructions that I use to bind the Mac at my institution. In regards to wifi, I have not tried binding the Mac over wifi. Should you need to log in to a Mac with domain user credentials I would suggest to bind the Mac over ethernet. Once you get to the:
*Click on triangle to the left of Show Advanced Options to expand"
portion of the instructions click on the Mappings tab and select the checkbox for creating a mobile account at login. This will create a domain user profile on the machine that you can log into when not connected to the domain.
Hope this helps.
BIND iMac:
Login into iMac using administrative credentials
Open System Preferences
*Goto Users & Groups
*Click on lock in lower left-hand corner
*Use same password used to log into iMac
*Click on Login Options
*Click on ‘Join...’ button right of "Network Account Server: "
*Click on ‘Open Directory Utility…’ button
*Click on lock in lower left-hand corner
*use same password used to log into iMac and click on Modify Configuration
*Double-click on Active Directory
Active Directory Domain = domain
Computer ID = name of Mac
*Click on triangle to the left of Show Advanced Options to expand
*Click on Administrative tab
*Check Prefer this domain server
Type domainserver_ipaddr -or- servername.domain in this field
*Click on ‘Bind…’ button
*When prompted for network administrator login
username = [domain admin user]
pwd = [domain user password]
*Click OK (Note: search path will be updating. Until completed the ‘OK’
button will be greyed out
*Click OK
*Click lock to lock and close window
*Click lock to lock and close window
BIND CHECK:
*Search AD for added mac host - it should be there.
Open Terminal app by either:
1)
*Press command+spacebar
*Type Terminal and select app
2)
*Click on desktop
*Press shift+command+A
*Goto Utilities folder located within Application folder (which you should
be in) and open Terminal
*Once Terminal is opened type in id [domain username] and press return key. The output should be
some some network account information
*Close app by pressing command+Q and any other opened windows
*Restart iMac
*Log in -
Active Directory Structure Questions
I recently started working for a company that offers cloud services for our clients where we host our software as a service and we also migrate any other applications the client is using onto the servers that we host for them.
My concern is that every client we have is in our domain. The structure of our servers is that our domain is the top of the organization and each client has their own dc and that dc is listed as an organizational unit in our AD. I have never seen anything
like it. Most of the clients have their own domains and web sites but we do not migrate that portion of their IT into our cloud. We do however bring everything else over and we offer O365 to many of them.
Imagine if you will opening ad users and computers and under the root all the OU's are named after clients and actually represent their servers all of which are dc's.
I was wondering what if any precedent would support this type of configuration? I am just asking.
Thanks
Richard TamboliNo Special hardware is required for Active Directory
Active Directory is builtin feature for most of the Windows Servers such as Windows Server 2003, 2008,2008R2,2012.
It is a feature and part of Windows Server.
Hope this may answer your questions.
http://en.wikipedia.org/wiki/Active_Directory -
Os x server loses active directory binding
I am running an open directory/active directory network. Authentication is from the Windows server 2003 active directory. It has worked fine until the last month. Now clients stop authenticating & when I check the AD plugin it says network accounts are not available. I can force the server to unbind, then renew the binding & everything works great.
Is there any work around or fix for this other than upgrading the windows server to 2008?
ThanksYes. You are likely experiencing one of two common issues. 1: You time skew is too large (although an unbind/bind will not solve this) or 2: you are failing to properly set the random machine password.
Try this command on the server:
sudo dsconfigad -passinterval 0
Then:
sudo dsconfigad -show
to confirm the setting. This will prevent the machine from refeshing its machine password with the domain every 14 days (default setting). The issue is that Apple's plugin does not properly catch an exception. What happens is the plugin detects that it should re-randomize the machine password so it creates a new one, records it to the config file, and THEN tries to write it to the domain. When the write to the domain fails, the system then sends the new password already recorded in the config file and now they mismatch. This is a common AD integration issue and is likely associated with your binding rights in AD.
As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.
Hope this helps. Easy to fix. -
Adding Active Directory: sErverError
Hello,
I've been using active directory with leopard for a couple months without issue. Recently I found that the Directory Utility was telling me that the AD server was 'not responding'.
So I removed it and tried to add it again. When I try to add it I receive the following error:
'Unable to add the domain. An unexpected error of type - 14910 (eServerError) occurred.'
Has anyone seen this before? Since it is in fact contacting the sever (there is a different error if it can't see the server at all) then it leads me to believe that something is wrong on the AD server side. However, I'm still not convinced of that for the following reasons:
1. Things that have changed on the AD server and network: None.
2. OS X networking seems to be a little on the fragile side. I almost always have to fiddle around to get things working again after doing something crazy like switching back and forth between wireless and wired connections a few times.
3. There was something else that was pertinent but I've been interrupted here in my office at least 4 times since I started writing this and now I can't remember.
Anyway, I'm just wondering if anyone else has dealt with this. .
Thanks,
-TravisI ran into the same error in my initial setup of some new machines at work and was able to resolve taking the following steps.
1) Check current time on all Active Directory servers to ensure they're consistent with one another.
2) Fix any discrepancies between the Active Directory server times and your Apple machines.
3) Go into the Directory Utility application and select Services at the top.
4) Open the Active Directory Configuration, enter the appropriate Active Directory information, and attempt to rebind the machine.
I believe the issue of that error, -14910, is based on the kerberos' strict timestamp checking. -
Windows Server 2013; Exchange Server 2013 with Cumulative Update 1
Cannot install Cumulative Update 3 for Exchange Server 2013. It fails with
[xxx] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid. See the Exchange setup log for more information on this error.
[xxx] [0] [ERROR] Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.
[xxx] [0] [ERROR] The supplied credential is invalid.
(Crosses - XXX - replace original values.)
I have found that a few others have experienced the same problem but found no solution, nor could come up with anything myself. If it is any hint, Event 40961 was logged in the Event Viewer around the same time on almost all installation attempts to be purely
conincidental:
The Security System could not establish a secured connection with the server
ldap/xxx.xxx/[email protected] No authentication protocol was available.
Both Windows Server and Exchange Server otherwise work OK, and do not recall any issues with Cumlative Update 1 installation.Hi vhr1,
Based on my knowledge, the Event ID 40961 is a warning message.
This behavior occurs when we restart the server that was promoted to a DC. The Windows Time service tries to authenticate before Directory Services has started.
Found some resources for your reference even if the Exchange Version is mismatched:
http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx
http://support.microsoft.com/kb/823712/en-us
About the error message, "Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid."
The error message InvalidCredentials means: the wrong password was supplied or the SASL credentials cannot be processed.
Found a similar thread for your reference, hope it is helpful:
http://social.technet.microsoft.com/Forums/en-US/98e26ad6-8e43-4ef5-8ff9-e9fee6e76bda/bind-operation-is-invalid?forum=exchangesvrdeploylegacy
Feel free to contact me if there is any problem.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up WinDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with 2pc: \\fileserver and \\clientpc
When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
(on behalf of the clienpc's data request).
This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
EFS operations occur on the computer storing the files.
EFS files are decrypted then transmitted in plaintext to the client's computer
This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
2) SOLVE by setting up WebDAV (efs files accessed through web folders)
EFS operations occur on the client's local computer
EFS files remain encrypted during transmission to the client's local computer where it is decrypted
This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
READ BELOW as this does
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
EFS.
NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
a) START ... CMD
b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
1 click START and type "Turn Windows Features On or Off" and open the link
a) scroll down to "Internet Information Services" and expand it.
b) put a tick in: "Web Management Tools" \ "IIS Management Console"
c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
f) click ok
g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
a) on the "Anonymous Authentication" and click "Disable"
b) on the "Windows Authentication" and click "Enable"
NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
It can be by changing registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
BasicAuthLevel=2
c) on the "Windows Authentication" click "Advanced Settings"
set Extended Protection to "Required"
NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
a) on the right side, under Actions, click "Add Allow Rule"
b) set this to "all users". This will control who can view the "Default Site" through a web browser
NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
a) on the right side, under Actions, click "Edit Feature Settings"
b) tick the box "Allow double escaping"
*THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
a) set the Alias to something sensible eg "D_Drive", set the physical path
b) it is essential you click "connect as" and set
this to a local user (on fileserver),
if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
NB: the user account selected here must have the required EFS certificates installed.
See
here and
here
NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
The work around is on the \\fileserver create an NTFS symbollic link
e.g. to share the entire contents of "D:\",
on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
in cmd in this folder create an NTFS symbolic link to "D:\"
so in cmd type "cd c:\inetpub\wwwroot"
then in cmd type "mklink /D D_Drive D:\"
NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
b) if some exist review existing allow or deny.
Take care to not only review the "allow access to" settings
but also review "permissions" (read/write/source)
NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
a) On Windows 7 you need only change one tiny registry value:
- click START, type "regedit", open link
-browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
-on the EDIT menu click NEW, then click DWORD Value
-Type "DisableEFSOnWebDav" to name it (no speech marks)
-on the EDIT menu, click MODIFY, type 1, then click OK
-You MUST now restart this computer for the registry change to take effect.
b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
It should show the default "IIS7" image.
If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
e.g. http://localhost/D_drive
If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
a) make sure WebClient Service is running
(click START, type "services" and open, scroll down to WebClient and check its status)
b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
eg if your server's computer name is "fileserver" go to "http://fileserver:80"
It should show the default "IIS7" image. If not, check firewall and port blocking.
Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
a) click the "Connections" tab at the top
b) click the "LAN Settings" button at the bottom right
c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
a) click START, type "regedit", open link
b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
c) click on "FileSizeLimitInBytes"
d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
a) click on "Security" (top) and then "Custom level" (bottom)
b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
SUCH an easy fix. SUCH an annoying problem on a clientpc
NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
explorer.
TEST SETUP
17 On the client use the normal "map network drive"
e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
e.g. CMD: net use * "http://fileserver:80/C_drive"
If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
a) On a clientpc, map network drive to http://fileserver/
b) navigate to a folder you know on the \\flieserver is encrypted with EFS
c) create a new folder, create a new file.
IF it throws an error, check carefully you mapped to the WebDAV and not file share
i.e. mapped to "http://fileserver" not "\\fileserver"
Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
clientpc decrypted it then copied it).
If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
a) see the last comment at the very bottom of
this page:
Points to consider:
- NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
It is implimented above, see (11) above
Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
This one took me a long time to track down to "network location".
Win 7 uses network locations "Home" / "Work" / "Public".
If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
FIX = either set IP address manually and specify a gateway
FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
Read
here (i've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?
-
Active Directory and Open Directory not working
I am experiencing an issue, or several issues that I can't figure out how to resolve.
I have an Active Directory domain set up (running 2003 server R2) and it is humming along quite nicely.
A few weeks ago I got a new XServe running 10.5.4. Booted it up, bound it to AD, and then set up and OD Master on it so that I could manage some new Macs that we have.
The Macs are bound to both directories.
The issue I have comes in when using Workgroup Manager, and trying to add AD user to OD groups. The groups drawer is open, but the little directory menu at the top of the drawer does not include the entry for Active Directory. I see Local, Search Policy, and /LDAPv3/127.0.0.1...
If I try to pull down the directory menu above the user list, I see the following: Loca, Search Policy, Other..., /Active Directory/All Domains, and /LDAPv3/127.0.0.1.
If I select /Active Directory/All Domains from that list I get the following error.
+Unable to open the requested node.+
+The node /Active Directory/All Domains couldn’t be opened because an unexpected error of type -14002 occurred.+
I think these issues are related, but I can find no help on the first item (AD not showing up in the groups menu)
and a search for the second item only reveals the following page form Apple, which means absolutely nothing to me.
http://developer.apple.com/documentation/Networking/Reference/OpenDirectoryRef/Reference/reference.html
The killer is that this all worked at one point. I had an Apple Tech out here and he helped me set up this 'Golden Triangle" method of authenticating against both directories. And it works... sort of... I can create groups in OD and add OD machine accounts to the group to enforce some settings. But I can't bring in AD users, cause I can't see the AD user list.
I hear that this is supposed to work... I can't figure it out.
Any help would be appreciated.
Thanks for your time.
BillHi
Can you access Active Directory from the command line using dscl?
In what order are the LDAP directories listed in Directory Utility on the Server?
Is Kerberos running on the OD Master?
If you issue klist from the command line on the server itself - what is the result?
Or don't bother with any of the above and start again. You've nothing to lose anyway apart from some managed preferences which you can redo in little time. Scrub the configuration in the AD plug-in and demote to Standalone. Restart and go for an AD rebind. Make sure the edu.mit.Kerberos file is created in /Library/Preferences. Launch WGM and you should see AD Users and Groups this time, If you do go for promotion again. What you want to see in the OD Overview pane is everything running apart from Kerberos and the search base reflecting the FQDN of the OD Master. Make sure there is the loopback entry (127.0.0.1) in the LDAPv3 plug in. Finally make sure the OD Master lists itself first in the Directory Search Order.
I'm assuming the Server is configured as Advanced and is updated to 10.5.4.
Tony -
Server 2008 R2 DNS Server can not open active directory erro 4000
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly
and reload the zone. The event data is the error code. Error 4000
This just started happening yesterday. Also File service and print server is unable to contact because of this error. I have no lookup zones. When I try and go to the DNS server I get a message The server VETSALDC could be contacted The error was Access
Denied. Would you like to add it anyway?
PLEASE HELPHi,
According to your description, my understanding is that DNS unable to open Active Directory with error 4000.
This happens when that particular DC/DNS server has lost its Secure channel with itself or PDC. This can also happen in a single DC environment where that DC/DNS server holds all the FSMO roles and is pointing to itself as Primary DNS server.
You may check AD DS using command line “DCdiag” (run as administrator). besides, you may try to stop and restart AD DS service(detailed steps reference the link:
http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx ), make sure that the AD DS is running correctly.
Then restart the DNS service, detailed steps reference the link:
http://technet.microsoft.com/en-us/library/cc735673(v=ws.10).aspx .
If the problem still exits, is there any other DC or DNS on your network? Post the TCP/IP parameters (ipconfig /all) of DC and DNS here.
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Maybe you are looking for
-
my ipod touch 2g is on black screen.when i connect it to my pc it is not recognizing it.then i opened i tunes and put the phone in dfu mode it says an ipod is detected but it cannot be restored error 1600.plz help me...
-
Upgrade defaults checking step with no web acces
Hi We are moving over our servers between datacenters along with a Peoplesoft Upgrade, Our present peoplesoft environment is on tools 8.47.11 which cannot be brought up in web on the new x64 servers. Due to not having the web access, what are the oth
-
Regarding Aging / Net dues report another way
Hi, I have seen aging report for customer in SAP B1, its okay but not serve my purpose. i want this report little difference. when i run this report system will ask to put the date and all customer will show. example for one customer below: i put the
-
Can 'typed in' fields be saved in a PDF using Reader?
Hi, If I set up fields in Acrobat Pro for staff to type answers into...but they use Acrobat Reader...can they save their typed out responses by saving the PDF? Or is save disabled in this case? Any work-arounds here if it is disabled, or do the staff
-
DvD's with Handbrake..downloaded vids with....?
I no how to get dvd's on my ipod now but im curious how to get my other videos from my computer onto my ipod. What program do i need to use?