Reassociating Domain Policy Store
WebLogic Server 11.1.1 (PatchSet 2)
Referencing the Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1) E10043-06 (Section 7), I tried to reassociate my domain's policy store to an OID instance. In the "Set SecurityProvider" page of the Fusion Middleware Control (em), upon clicking "OK", I get the following result in the popup window:
Authentication to LDAP server ldap://npldevoamsvr:3060 is successful.
Starting to migrate policy store...
Set up security provider reassociation successfully.
null
javax.management.RuntimeMBeanException: Self-causation not permitted
Error occurred while migrating LDAP based policy store.
How can I ressolve this?
Regards,
Tom Gresham
if policy store is OID then user credential should also stored in OID. Having said that the authentication will happen via OID in this case.
In case of DB. policy will be stored in OIM DB. and not mandatory to have the authentication via OID.
Better go for DB
Similar Messages
-
Hello folks, I am trying to reassociate the weblogic policy store. I could successfully do it using the EM console but I need to script it and every time I try to use the API I get the error below:
NameError: reassociateSecurityStore
The dump stack is empty.
One note is that the domain I am configuring does not use SOA.
I start the wlst.sh script from $MIDDLEWARE_HOME/wlserver_10.3/common/bin
WLS version is 10.3.6
Jrockit version is 28.2.7
I have checked the other discussions and the one solution presented was to start the script from the SOA home which for me is not an option.
Any ideas on how I can get this script to execute is greatly appreciated.
Regards,
AndreFolks I figured it out. Secret is starting it from:
$MIDDLEWARE_HOME/oracle_common/common/bin
Andre -
Cannot read from policy store.
Hi All,
while starting our managed server(soa_server1) we are getting below error.
we tried removing cache, tmp and data and fresh restart but no luck.
The Memory on the mount point was 100% full, we have freed some memroy but now the server is not coming up.
Any solutin or pointer would be really helpful.
<Apr 3, 2013 1:17:14 PM EST> <Notice> <Log Management> <BEA-170019> <The server log file /opt/app/Middleware/user_projects/domains/dev1_aia_domain/servers/soa_server1/logs/soa_server1.log is opened. All server side log events will be written to this file.>
oracle.security.jps.JpsRuntimeException: Cannot read from policy store.
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.buildFromFile(XmlPolicyStore.java:440)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.<init>(XmlPolicyStore.java:227)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:100)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:74)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132)
at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:127)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:850)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:285)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1339)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1020)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:879)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: oracle.security.jps.JpsRuntimeException: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:166)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:187)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.loadXmlDataStore(XmlDataStore.java:418)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.<init>(XmlDataStore.java:283)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.getInstance(XmlDataStore.java:216)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.buildFromFile(XmlPolicyStore.java:436)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.<init>(XmlPolicyStore.java:228)
... 26 more
Caused by: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:80)
at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:99)
at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:316)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
... 33 more
Caused by: javax.xml.stream.XMLStreamException: Premature end of file encountered
at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:69)
at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:100)
at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:317)
... 34 more
<Apr 3, 2013 1:17:19 PM EST> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
<Apr 3, 2013 1:17:19 PM EST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:293)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:899)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:285)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Truncated. see log file for complete stacktrace
Caused By: java.security.PrivilegedActionException: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:285)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:860)
at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:285)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsRuntimeException: Cannot read from policy store.
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.buildFromFile(XmlPolicyStore.java:440)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.<init>(XmlPolicyStore.java:227)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:100)
at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:74)
at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsRuntimeException: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
ed
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:166)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:187)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.loadXmlDataStore(XmlDataStore.java:418)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.<init>(XmlDataStore.java:283)
Truncated. see log file for complete stacktrace
Caused By: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:80)
at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:99)
at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:316)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
Truncated. see log file for complete stacktrace
Caused By: javax.xml.stream.XMLStreamException: Premature end of file encountered
at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:69)
at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:100)
at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:317)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
Truncated. see log file for complete stacktrace
>
<Apr 3, 2013 1:17:20 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Apr 3, 2013 1:17:20 PM EST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Apr 3, 2013 1:17:20 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>Hi,
Your issue is something similar to the issue described in below metalink id. Please check below metalink id, you issue may be resolved.
Start OMS failed with "javax.xml.stream.XMLStreamException: Premature end of file encountered" [ID 1481158.1]
Mark if this helps you.
Regards,
Kishore -
The policy store is not available - Oracle Access Manager
Hi,
I am trying to configure OAM in a new domain and I get the below error message in the OAMCONSOLE.
The policy store is not available; please see the log file for more details
The database security store has been configured using the below command :
C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd C:\Oracle\Middleware\Oracle_IDM1\common\tools\configureSecurityStore.py -d C:\Oracle\Middleware\user_projects\domains\OIMDomain -c IAM -p password123 -m create
The security store initialization fails with this error :
Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique
constraint (DEV_OPSS.IDX_JPS_RDN_PDN) violated
Any help would be appreciated.Hi,
There are one or two situations that can cause this message:
- the schema is already correctly configured, or is corrupt somehow (in which case drop/recreate the schema)
- different versions of Identity Management products have been installed in the same Weblogic domain (for example OID 11.1.1.7 and OAM 11.1.2). In this case, the products must be installed in different domains
- the environment (CLASSPATH, PATH) is for some reason pointing to, or including, a different domain containing a different version of Identity Management software. In this case, ensure that the environment does not have these references.
Please also see Note 1525714.1 and Note 1553293.1
Regards,
Colin -
We have a WebCenter Spaces PS4 (upgraded from PS3) env on Linux64 OS and we are trying to migrate our policy store from the file-based store (system-jazn-data.xml) to an Oracle DB using the OPSS schema.
Issue: When migrating the policy store to Oracle DB the migration is successful through the Enterprise Manager GUI or the WLST script command, but when trying to login to the spaces application we receive an instant redirect to an Unauthorized.jspx page that gets stuck in a loop of redirects.
Temp. Solution: Reverting back to our back-up [webcenter spaces domain home]\config\fmwconfig\jps-config.xml changes the policy store back to a file system.
Attempt #1 Notes:
• 5/30/12
• Migrated using the Enterprise GUI to Oracle DB.
• Successful migration
• Checked the policies within EM and was able to retrieve policies from the Oracle DB.
• Tried to login and received an infinite loop.
• Checked the spaces diagnostics log and the infinite loop is showing the user is hitting the UnAuthorized.jspx page.
Attempt #2 Notes:
• 5/30/12
• Dropped the OPSS table and reverted the entire fmwconfig directory to prior to Attempt#1. Re-ran RCU and recreated the OPSS schema.
• Same as Attempt #1 but used the wlst command to perform the migration.
• Successful migration
• Same issue as Attempt#1
One thing that has been mentioned is the issue may be because we are running an "upgraded" env and not a new install env. Has anyone been able to successful migrate their policy store to an Oracle DB or OID in a "upgraded" Spaces PS4 env? If so, could you post any additional steps needed that are not in the following Oracle documentation?
http://docs.oracle.com/cd/E21764_01/webcenter.1111/e12405/wcadm_security_credstore.htm#BABGJEHC
Thanks,
NickHi,
What is the exact installation type you are using in 11g ?
OPSS is not shipped alone as a component, hence we need to provide you the upper layer product guide.
Below url is just for reference:
http://docs.oracle.com/middleware/1213/core/INFUP/upgrade_previous.htm#INFUP1060
Thanks,
Sharmela -
How do I move the policy from Default domain policy to a custom policy.
I want to implement a new password policy. In the past we had a fairly loose policy, now I want to implement minimum length and complexity. I know how to set this up in Computer Config Policies windows settings security settings and account policies
password policy. However after I set it up I notice that it is not being applied. I have run gpupdate, and even waited several days but still it's not taking effect. I have created what im calling a custom gpo calling it "password policy".
It is situated under domains/mydomain.com . There are a number of other policies here.
When I run gpresult /h c:\temp\gpreport.html its all a bit confusing. It looks like it being applied but then further down it says under Group policies Applied GPOs Denied GPOs Pssword Policy mydomain.com empty. ??
But let me ask this first off .
The previous administrator I think has the password policy set up in the "default domain policy"
Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
If this is so how can I make it so my custom password policy is applied over the default domain policy.
Or what other answers could it be.Hi,
Based on your requirement you can create Fine Grained Password Policies.
This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
Regards,
Gopi
JiJi
Technologies -
Load XML file from addon domain without cross-domain Policy file
Hello.
Assuming that there are two addon domains on the same server: /public_html/domain1.com and /public_html/domain2.com
I try to load XML file from domain2.com into domain1.com without using cross-domain policy file (since it doesn’t work on xml files in my case).
So the idea is to use php file in order to load XML and read it back to flash.
I’ve found an interesting scripts that seems to do the job but unfortunately I can't get it to work. In my opinion there is somewhere problem with AS3 part. Please take a look.
Here are the AS3/PHP scripts:
AS3 (.swf in www.domain1.com):
// location of the xml that you would like to load, full http address
var xmlLoc:String = "http://www.domain2.com/MyFile.xml";
// location of the php xml grabber file, in relation to the .swf
var phpLoc:String = "loadXML.php";
var xml:XML;
var loader:URLLoader = new URLLoader();
var request:URLRequest = new URLRequest(phpLoc+"?location="+escape(xmlLoc) );
loader.addEventListener(Event.COMPLETE, onXMLLoaded);
loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHandler);
loader.load(request);
function onIOErrorHandler(e:IOErrorEvent):void {
trace("There was an error with the xml file "+e);
function onXMLLoaded(e:Event):void {
trace("the rss feed has been loaded");
xml = new XML(loader.data);
// set to string, since it is passed back from php as an object
xml = XML(xml.toString());
xml_txt.text = xml;
PHP (loadXML.php in www.domain1.com):
<?php
header("Content-type: text/xml");
$location = "";
if(isset($_GET["location"])) {
$location = $_GET["location"];
$location = urldecode($location);
$xml_string = getData($location);
// pass the url encoded vars back to Flash
echo $xml_string;
//cURLs a URL and returns it
function getData($query) {
// create curl resource
$ch = curl_init();
// cURL url
curl_setopt($ch, CURLOPT_URL, $query);
//Set some necessary params for using CURL
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
//Execute the curl function, and decode the returned JSON data
$result = curl_exec($ch);
return $result;
// close curl resource to free up system resources
curl_close($ch);
?>I think you might be right about permissions/settings on the server for php. Unfortunately I'm not allowed to adjust them.
So I wrote my own script - this time I used file path instead of http address of the XML file. It works fine in my case.
Here it is:
XML file on domain2.com:
<?xml version="1.0" encoding="UTF-8"?>
<gallery>
<image imagePath="galleries/gallery_1/images/1.jpg" thumbPath="galleries/gallery_1/thumbs/1.jpg" file_name= "1"> </image>
<image imagePath="galleries/gallery_1/images/2.jpg" thumbPath="galleries/gallery_1/thumbs/2.jpg" file_name= "2"> </image>
<image imagePath="galleries/gallery_1/images/3.jpg" thumbPath="galleries/gallery_1/thumbs/3.jpg" file_name= "3"> </image>
</gallery>
swf on domain1.com:
var imagesXML:XML;
var variables:URLVariables = new URLVariables();
var varURL:URLRequest = new URLRequest("MyPHPfile.php");
varURL.method = URLRequestMethod.POST;
varURL.data = variables;
var MyLoader:URLLoader = new URLLoader;
MyLoader.dataFormat =URLLoaderDataFormat.VARIABLES;
MyLoader.addEventListener(Event.COMPLETE, XMLDone);
MyLoader.load(varURL);
function XMLDone(event:Event):void {
var imported_XML:Object = event.target.data.imported_XML;
imagesXML = new XML(imported_XML);
MyTextfield_1.text = imagesXML;
MyTextfield_2.text = imagesXML.image[0].attribute("thumbPath"); // sample reference to attribute "thumbPath" of the first element
php file on domain1.com:
<?php
$xml_file = simplexml_load_file('../../domain2.com/galleries/gallery_1/MyXMLfile.xml'); // directory to XML file on the same server
$imported_XML = $xml_file->asXML();
print "imported_XML=" . $imported_XML;
?>
Regards
PS: for those who read the above discussion: the first and the second script work but you must test which one is better in your situation. The first script will also work between two domains on different servers. No cross domain policy file needed. -
Windows 8 and Default Domain Policy modification issue
Hi,
I'm unable to edit the default domain policy from my new Windows 8 desktop. It's the only Win8 in the environment so I'm not able to easily test another one unfortunately. The error I receive is:
Group Policy Error
Failed to open the Group Policy Object. You might not have the appropriate rights.
Details: The volume for a file has been externally altered so that the opened file is no longer valid.
I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account. The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applicaitons (non of which stick
out as having anything to do with AD management).
It only occurs if I click edit on the GPO. I'm able to successfully view the policy and edit the permissions etc. Have rebooted and the machine is current with patches as of now.
thanks
Andy
Cheers AndyHi,
According to your description, the issue only occurred when you click to edit the GPO. And only occurred on Windows 8. I would like suggest you to follow below suggestions to narrow down the issue:
1. Check out whether the issue only occurred to Default domain policy object.
2. Test on another new installed Windows 8 client with only RSAT installed.
3. Create another new account and add it to domain admin group to test again.
4. Run dcdiag on DCs to check out whether the replications work fine.
Hope this helps.
Regards,
Yan Li
If you have any feedback on our support, please click
here
Cataleya Li
TechNet Community Support -
Gpupdate wont update because of Default Domain Policy
Hi Technet Community
I have just tried to do a gpupdate /force in the Command Prompt, but it has thrown an error up at me. Screenshot below :
I have gone into Group Policy Management and tracked the UID (which is displayed above starting with 31B2F340...) to be the same as the Default Domain Policy. Usually, I would do whatever I need to with Group Policy to get it working again, but I don't know
how to change this policy about, or whether I can delete the current one and recreate it?
Could anyone let me know what I can do to resolve this.
A restart does not resolve this issue, and if I leave the domain and re-join it, it still doesn't resolve it.
I'll try installing SP1 and see if it works, but no other Windows 7, 8 or 8.1 client computers seem to work either, with exactly the same error.
All users can still log in.
Thanks
EdHi Technet Community
I have just tried to do a gpupdate /force in the Command Prompt, but it has thrown an error up at me. Screenshot below :
I have gone into Group Policy Management and tracked the UID (which is displayed above starting with 31B2F340...) to be the same as the Default Domain Policy. Usually, I would do whatever I need to with Group Policy to get it working again, but I don't know
how to change this policy about, or whether I can delete the current one and recreate it?
Could anyone let me know what I can do to resolve this.
A restart does not resolve this issue, and if I leave the domain and re-join it, it still doesn't resolve it.
I'll try installing SP1 and see if it works, but no other Windows 7, 8 or 8.1 client computers seem to work either, with exactly the same error.
All users can still log in.
Thanks
Ed -
Default domain policy got corrupted and can't reverse to old system state?
Initially we had two servers which was 2003 and 2008, after adding additional two more servers (server 2012) in the network and then demoted the old servers. and that was quite while ago. after carefully looking a the default policy I have noticed that there
so many policies was applied on default policy object which led me to disable them and created a backup for both domain controller and the domain policy.
now the problem is stupidly run
dcgpofix thought it will restore the domain policy to it's original state but it did not instead it came up with an empty default policy template and inside there is no security policy which i can edit. However i did tried to restore the old policy which
i backed up but i get an access denied error.
Now i realise that the original default policy was from server 2003 and the current schema domain functional level is 2012. Currently
I can not login to any newly added computers to the domain via domain administrator account.
Please help! Is there any way to create a new default domain policy?Hi thanks for your input,
but that doesn't resolves my issue. However I have managed to fix it by modifying the Default policy systemflags and then run the command gpfixup.exe /ignoreschema /target :domain.com.
and after that I was able to restore my old gp from earlier backup. -
Dear all,
I have test environnement with AD 2012 R2 and Windows 7 clients.
My default domain policy is in "enforced" mode and has the following security settings:
-Password Max Age: 45 days
I created a FGPP applied to a security group, with the following security settings:
-Precedence 1
-Password Max Age: 180 days
I added my test user account to this group, then made him changed his password. But when I type "net user mytestuser /domain" I still get a "Password expires" date to 45 days after today.
What am I doing wrong ? Is it because the Default Domain Policy is enforced ? (I doubt so as I tested also with it not enforced). Is it the precedence level ? (from my understanding it is only in case of conflict between two FGPP objects)
Thank you ! :)> But when I type "net user mytestuser /domain" I still get a "Password
> expires" date to 45 days after today.
"net user" is unaware of FGPP.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Broken Default Domain Policy! GPOFIX Doesn't work
Justin1250 wrote:
So I noticed that command prompt is open in the users directory.
Did you right click on the command window and run as administrator?
It should run from the system directory as an admin.Yes I did. I just made sure again to run it as admin. Same result.I've spent hours and hours trying to fix this but can't. I seem to have located the problem where the default domain policy has lost is child associated with the GUID in AD/Registry. None of the tools seem to work, and I can't delete and recreate it because it thinks it doesn't exist and because Microsoft has engineered it to not be removable. This would be fine if it wasn't corrupted. I've read on some forums that the in-ability to delete a policy object is due to permissions issues. However, that isn't the issue in my case.I've tried THISwhich didn't work.I recently did a test migration to 2012 from 2003, and was hoping when I migrated the data that the GPO wouldn't transfer it's corrupted data, but I was wrong :-/The pictures below should illustrate more detail than I could describe.GPOFIX ToolActive Directory showing that the GUID...
This topic first appeared in the Spiceworks Community -
Discrepancy in Default Domain Policy
Hello,
About 6 months ago we migrated from DC's running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2"
I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:
"Default Domain Policy"
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.
Furthermore, when I look in the Group Policy Management on the DC, It does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\TrustedRoot Certification Authorities"
Can anyone explain to me the following:
1. Why does my local workstations RSAT tools show settings that are not reflected on the DC?
2. Why is my RSAT tools showing settings on a certificate the does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?
3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?
Thank You in advance for any assistance.
P.S. I had several pictures setup that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."I have made some interesting discoveries that I think may help future individuals, if they find this posting.
When looking at the picture in my original posting you see that the group policy points to:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted
Root Certification Authorities"
So you would expect that you would navigate to the same path in the GPME (Group Policy Management Editor)
but it turns out, that is not the case, to edit these settings you must navigate to the following:
"Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies" and
double-click on "Certificate Path Validation Settings"
I discovered this information using this technet article:
http://technet.microsoft.com/en-us/library/cc754841.aspx
Under "Managing Trusted Root Certificates for a Domain"
However this does not resolve my original issue, in that it does not explain the discrepancy between RSAT tools and the DC.
Well I have a friend who has almost an identical setup to mine at his company (he is using Server 2012 R1), he checked, and he saw the exact same scenario as I have.
I am unsure if this is by design or a bug in GPO. I would assume that if it was a bug that others would have discovered it by now and written about it, can anyone provide any insight? -
I am attempting to communicate with a web service via flash
across sub domains. All works fine and dandy on my local machine,
but when i upload to my web server there is no communication across
the domains. The way the servers are configured, i don't have
access to the root of the domain to place the crossdomain.xml in
the default location, so i have it in the folder next to the web
service and link to it directly shown below. I have this line on
the first frame of the first layer of my file
quote:
System.security.loadPolicyFile("MYDOMAIN/StudentConnect2Apply/crossdomain.xml");
The server containing the flash file is insecure and the web
service is secure (https). this is what my crossdomain.xml file
looks like:
quote:
<cross-domain-policy>
<allow-access-from domain="*.MYDOMAIN.net"
secure="false"/>
</cross-domain-policy>
I have also enabled logging within my flash player to track
down problems, when i initially load the page in the browser, it
approves the policy file:
quote:
OK: Policy file accepted:
https://MYDOMAIN/StudentConnect2Apply/crossdomain.xml
But after submitting the form and attempting to interact with
the web service, i get an error saying permission is denied due to
lack of policy file permissions and
quote:
Warning: Failed to load policy file from
MYDOMAIN/crossdomain.xml
It is looking in the root of the domain after i defined and
it accepted the overridden location. Is there another way to define
where the crossdomain.xml file is located that i am missing,
possibly in the web service settings somewhere?I have found my answer, thanks to another forum.
Meta-Cross Domain Policies.
http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html
Basically I can now say "f*ck you adobe. I as a college
student who likes to host things on my 150 MB of server space can
no longer host XML formatted levels for games I write. Because I am
not the administrator of the server and will never be able to
convince the administrator to let me have the MCDP file allow my
flash file to load it's levels."
F*ck you Adobe, F*ck You. -
Cross domain policy file and BitmapData
Hey guys and gals, I'm having an issue with a Security error
when trying to access photos from an external site. I have a client
who is at siteA.com, who wants to load in photos from siteB.com,
siteC.com, and probably 100 other sites. He has permission to do so
from the other sites, but doesn't want to go through all the
trouble of asking each site to post a cross-domain policy file.
Please correct me if I'm wrong, but the way I understand it is, if
you want to simply load an image into a Loader object within a swf,
you're ok, but if you want to access the BitmapData, you will then
get a security error? My snippet of code that I believe is causing
the security error is
public function imageLoaded(e:Event):void {
var image:Bitmap = Bitmap(e.target.loader.content);
image.smoothing = true;
imageContainer.addChild(e.target.loader);
As you can tell, the reason why I want to access the Bitmap
itself is to apply smoothing. That is my main concern, I want to be
able to apply smooth transitions to these pictures that are loaded
in from external sites. My main goal is to load images externally,
then apply smooth transitions, so if you know of a way to get
around the security violations, that would be great. The only
work-around we have for this is to write a script that will load
all the images from the external sites onto the local server, as
this will be less work than getting the cross-domain policy file on
each server (if that's what it takes). Thanks in advance for
anybody who can shed some light on the subject.If I understand you correctly, a 'helper' swf would be on the
site where the images are held, much like a cross-domain policy
file? I don't understand how that would be much different than
getting the external sites to add a cross-domain policy file on
their server. It sounds easier to just throw the cross-domain
policy file on the external site's server with '*' for the path of
allowed directories to load images from. I'm pretty new to the
cross-domain security issue, so I'm not sure. I don't understand
why it's a security risk to access the pixels of an image either...
anybody know about that? Just trying to figure out where to go from
here on this project. Thanks for the reply GWD, still looking for
some more feedback.
Maybe you are looking for
-
Can my ipad use wifi and bluetooth at the same time?
Hi I can stream radio via wifi radio apps and play through earphones. I can connect to my bluetooth speaker and play music stored on my ipad ok. When I connect up to my bluetooth speaker and try to stream the radio app it plays for a couple of second
-
I need to re install my retina system for my new mac book pro ?
My Retina system is not working correctly, I need to re install it, but I don't know how !! Thanks for your help in advance. CAF
-
Updated imac to OS X 10.8.5, now can't restart or shutdown
Hi I applied the new 10.8.5 update this afternoon. As part of this it asks for a restart. Thing is it won't let me restart, logoff or shutdown now. Any advice on what the problem may be please? Thanks TinTin_57
-
The message app was deleted off my ipad how do I fix it ?
I tried the reset home layout that did not work please help. Ever time I look up previous messages that shows but when I click it it says error and the app was deleted from my ipad
-
GREP style won't recognise codes for Uppercase?
I've tried [A-Z] and \u and can't get them to work. I can use Find Change to get them. I want to GREP style words that are capitals and give them a no break - so they don't hyphenate.