Resetting ActiveSync Adapter for Active Directory

I would like my Active Directory ActiveSync adapter to detect change made only after it is initially started and to disregard any changes prior to that time. The ActiveSync setup appears to allow this by checking the box labeled "When reset, ignore past changes".
That doesn't appear to be happening, however. Whenever the adapter is started and stopped, it still goes back and appears to search through modifications made well before the adapter was started.
The help item for that checkbox has this little bit of advice: "To reset the adapter, edit the XmlData object SYNC_resourceName to remove the MapEntry for the desired synchronization process, e.g. ActiveSync.", but doing that has made no difference at all.
What is the trick to completely resetting the AD ActiveSync adapter and getting it recognize only changes made from the point in time at which it was started?

steps.
Restart your server with the active sync in Manual mode, and then check the box "When reset, ignore past changes" and also delete the IAPI_Resource_name.
now start the active sync, and change the manual mode if required / as well remove the reset check box.
This is what i did when i faced with the same issue. and it worked for me.

Similar Messages

Query on DNS setup for Active Directory for a new data center

I have third party DNS appliances providing DNS Service for Active Directory (Windows 2008 R2) and there are also secondary DNS servers, which are MS DNS server with a secondary zone configured, for redundancy. I have to setup a new data center
and move servers/services to this data center. In this scenario, can I install a new Microsoft DNS server with a secondary zone and use this as the primary DNS Server for all the member servers at this new location ? I am aware that this new DNS server will
not be able to make any updates to the secondary zone and for that purpose, is there anyway to redirect such requests to the DNS appliances in my current data center across the WAN ? I am trying to avoid purchasing a new DNS appliance for the new data center
and want to know what are the alternatives I have.

im not entirely sure by your setup, as normally you would use AD integrated zones for DNS in an AD environment - although there are other options as you have already setup.
the fact the zone is a secondary zone in DNS server terms doesn't mean you can't point your clients to it as their primary dns server. They will quite happily resolve names using a secondary server.
so as long as your dns devices are correctly setup to support the additional secondary zone I see no reason why you couldn't do this.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:

MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.

Thanks ben6073 for posting your link to the solution. It worked for me as well.
I did a clean install of SL, joined the machine to the AD domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
Thanks ben6073 for the link to a fix. And thank you Rich for the post on google.
http://groups.google.com/group/macenterprise/browse_thread/thread/2c2502b08bb84c 7a?pli=1
G

Greg Plassmeyer1 wrote:
Thanks ben6073 for posting your link to the solution. It worked for me as well.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active directory.
I had this problem this morning. It went away after I rebooted and ran applejack in "auto pilot" mode. The machine is a macbook pro running Snow Leopard. The account is a mobile account tied to a windows active directory server. Applejack is available from http://applejack.sourceforge.net/. The auto pilot mode cleans out the system caches is /Library and /System/Library - perhaps this is what provides the fix? Just a guess.

Connector for Active Directory Password Sync

Friends,
We have some questions about the Connector for Active Directory Password Sync:
1. There is a need to extend the AD schema when using this connector.
2. If I have 10 domain controllers and are not synchronized, the documentation tells us to install the dll in each domain controller. Is there any way to do this if necessary, to install this dll in a single domain controller?
Thanks for your help.
regards

Definitely:
For your Point-1 Look for the Preinstallation section in the AD Password Sync Connector Guide which talks nothing about extending AD schema which supports the validity of the statement.
For your Point-2 Look for Metalink Article-432727.1 which confirms that the connector has to be installed on all the DC's
Thanks
SRS

Setting disk quota on Mac server for Active Directory users

I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
I also understand there's a setquota command but there's no man page on how that works.
Has anyone got disk quota for AD users working.
Better still has someone got a shell or perl script for setting quotas they could post.
Thanks
- Cameron

sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

Verification of prerequisites for Active Directory preparation failed

We currently have Windows Server 2003 SBS, SP2, Domain Controller. Would like to add Windows Server 2012, Standard, 64-bit as a backup domain controller.
"Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain sxxxx.local.
Exception: The RPC server is unavailable.
Adprep could not retrieve data from the server name.xxxxx.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130417103902-test directory for possible cause of failure."
What the log says is really:
"Adprep encountered a Win32 error. Error code: 0x6ba Error messa The RPC server is unavailable."
Can anyone has similar experience shred some lights to troubleshoot this? Have reviewed
other links that have similar probems but that doesn't help.
Many Thanks!

Of course I CANNOT remove Symnatec as Meinolf suggests. That would be out of my mind!! I tried to stop all their services though which doesn't help. I know this has nothing to do with Symantec. Here comes another test, the final one:
Test 8
This article is really good as it concludes very thoroughly about the problems about "800706BA - RPC Server Is Unavailable" and other WMI query issues:
http://goo dot gl/l2iha
I started looking at he ISA 2004 on our SBS 2003.
Tried to disable the RPF Filter:
a. Open Microsoft Internet Security and Acceleration Server 2004
b. Go to Configuration > Add-in and location RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'
c. Hit Apply....
d. Now I go back to Windows 7 and test the WMI query.
The result: it WORKS!
e. Next, I tried that on the Windows Server 2012 like so:
c:>wmic /node:sbs2003servername computersystem list brief /format:list
It also works!
f. Next also on Windows Server 2012, I continued on what was left over. I did the "Rerun prerequisites check " and no surprise - "All prerequisite checks passed successfully. Click 'Install' to begin installation"!
Well that concludes the problem of installing Windows Server 2012 (standard) as a backup domain controller to a Windows SBS 2003 domain controller and the troubleshooting process that finally led to a solution that solves my problem. Thanks for all
the discussions over the web. Every bit counts!
Well if this helps you in some way, give me some points to buy beer! I am going to have a drink with Bill, Cheers!

Authentication Plug-ins for active directory Multiple Domains(oidspad2.sh)

hi ,
i have use note 294791.1 from metalink to try link to active directory i have 2 one is staff and another is student
i first ran oidspadi.sh to create plugin for staff it works then i edit the 2 script to oidspad2.pls and oidspad2.sh with the require changes inside the files then i ran it it work but now the problem is the first ad now cant work this is my changes below
FOR oidspad2.pls
Rem
Rem $Header: oidspada.pls 02-aug-2004.04:45:11 saroy Exp $
Rem
Rem oidspads.pls
Rem
Rem Copyright (c) 2002, 2004, Oracle. All rights reserved.
Rem
Rem NAME
Rem oidspada.pls - 9.0.4 OID Password Active Directory
Rem External Authentication Plug-in
Rem
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem MODIFIED (MM/DD/YY)
Rem saroy 08/02/04 - Fix for bug 3807482
Rem qdinh 01/27/04 - bug 3374115
Rem dlin 01/08/04 - pingan perf
Rem dlin 08/22/03 - 3111770 bug fix
Rem dlin 08/27/03 - change the way to get name
Rem dlin 08/13/03 - bug 2962082 fix
Rem dlin 02/21/03 - plug-in install changes
Rem dlin 02/13/03 - dlin_bug-2625027
Rem dlin 02/05/03 - fix ssl & failover
Rem dlin 01/31/03 - dlin_adextauth1
Rem dlin 01/30/03 - Created
Rem
SET echo off;
SET serveroutput off;
SET feedback off;
SET verify off;
CREATE OR REPLACE PACKAGE OIDADPSW2 AS
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
AD_HANDLE DBMS_LDAP.session DEFAULT NULL;
END OIDADPSW2;
SHOW ERROR
CREATE OR REPLACE PACKAGE BODY OIDADPSW2 AS
SUBTYPE LDAP_SESSION IS RAW(32);
SUBTYPE LDAP_MESSAGE IS RAW(32);
SUBTYPE LDAP_BER_ELEMENT IS RAW(32);
SUBTYPE ATTRLIST IS DBMS_LDAP.STRING_COLLECTION;
SUBTYPE MOD_ARRAY IS RAW(32);
SUBTYPE BERLIST IS DBMS_LDAP.BERVAL_COLLECTION;
PROCEDURE when_bind_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
passwd IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_bind_replace()');
DBMS_LDAP.USE_EXCEPTION := FALSE;
result := 49;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := 1;
plg_debug('Can not get ADUserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_bind_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_bind_replace() ===');
RETURN;
END IF;
plg_debug( 'Go to AD for authentication');
-- externally authenticate user
IF ('&1' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&2', &3);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
-- Should free the old session if retry logic kept failing
-- to cause the number of outstanding sessions exceeding the
-- limit session number
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&4', &5);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
-- SSL bind
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&6', &7);
     plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&8', '&9', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM
-- or LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&10', &11);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&12', '&13', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary server
IF ('&14' = 'y' AND retval != 0) THEN
IF ('&15' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&16', &17);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session initialized: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&18', &19);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'retry simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
          plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&20', &21);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&22', '&23', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, passwd);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&24', &25);
     plg_debug( 'retry ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&26', '&27', 2);
     IF (retval != 0) THEN
     plg_debug( 'retry open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'retry open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, passwd);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := 0;
plg_debug('AD auth return TRUE');
ELSE
     result := retval;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_bind_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
     plg_debug( ' exception unbind_res returns ' || TO_CHAR(retval));
errormsg := 'Exception: when_bind_replace plugin';
plg_debug( 'Exception in when_bind_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
END;
PROCEDURE when_compare_replace (ldapplugincontext IN ODS.plugincontext,
result OUT INTEGER,
dn IN VARCHAR2,
attrname IN VARCHAR2,
attrval IN VARCHAR2,
rc OUT INTEGER,
errormsg OUT VARCHAR2
IS
retval pls_integer;
lresult BOOLEAN;
my_session DBMS_LDAP.session;
my_session1 DBMS_LDAP.session;
tmp_session DBMS_LDAP.session;
adupname VARCHAR2(1024) DEFAULT NULL;
BEGIN
plg_debug( '=== Begin when_compare_replace()');
result := DBMS_LDAP.COMPARE_FALSE;
DBMS_LDAP.USE_EXCEPTION := FALSE;
adupname := LDAP_PLUGIN.get_adupname(ldapplugincontext);
IF (adupname IS NULL) THEN
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('Can not get ADuserPrincipalName');
rc := DBMS_LDAP.SUCCESS;
errormsg := 'Exception in when_compare_replace: Can not get ADUserPrincipalName';
plg_debug( '=== End when_compare_replace() ===');
RETURN;
END IF;
-- externally authenticate user
IF ('&28' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&29', &30);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&31', &32);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&33', &34);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&35', '&36', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&37', &38);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&39', '&40', 2);
IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
     OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
END IF;
-- for failover to connect to the secondary AD
IF ('&41' = 'y' AND retval != 0) THEN
IF ('&42' = 'n') THEN
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&43', &44);
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&45', &46);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res again: ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     ELSE
     IF (OIDADPSW2.AD_HANDLE IS NULL) THEN
     my_session := DBMS_LDAP.init('&47', &48);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session,1,8)));
     retval := DBMS_LDAP.open_ssl(my_session,
                         'file:' || '&49', '&50', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     OIDADPSW2.AD_HANDLE := my_session;
     ELSE
     my_session := OIDADPSW2.AD_HANDLE;
     END IF;
retval := DBMS_LDAP.simple_bind_s(my_session, adupname, attrval);
plg_debug( 'simple_bind_res: ' || TO_CHAR(retval));
-- Retry logic should be invoked only
-- when retval = LDAP_UNWILLING_TO_PERFORM || LDAP_UNAVAILABLE
     IF (retval = 52 OR retval = 53 OR retval = 81) THEN
     retval := DBMS_LDAP.unbind_s(my_session);
plg_debug( 'retry unbind_res returns ' || TO_CHAR(retval));
     my_session1 := DBMS_LDAP.init('&51', &52);
     plg_debug( 'ldap_session: ' || RAWTOHEX(SUBSTR(my_session1,1,8)));
     tmp_session := my_session1;
     retval := DBMS_LDAP.open_ssl(my_session1,
                         'file:' || '&53', '&54', 2);
     IF (retval != 0) THEN
     plg_debug( 'open_ssl failed error: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.unbind_s(my_session1);
     plg_debug( 'unbind_res returns ' || TO_CHAR(retval));
     result := 82;
     RETURN;
     END IF;
     plg_debug( 'open_ssl: ' || TO_CHAR(retval));
     retval := DBMS_LDAP.simple_bind_s(my_session1, adupname, attrval);
     plg_debug( 'simple_bind_res: again ' || TO_CHAR(retval));
     IF (retval != 52 AND retval != 53 AND retval != 81) THEN
          OIDADPSW2.AD_HANDLE := tmp_session;
     ELSE
     retval := DBMS_LDAP.unbind_s(tmp_session);
     plg_debug( 'unbind_res result ' || TO_CHAR(retval));
     END IF;
     END IF;
     END IF;
END IF;
IF (retval = 0) THEN
result := DBMS_LDAP.COMPARE_TRUE;
plg_debug('AD auth return TRUE');
ELSE
result := DBMS_LDAP.COMPARE_FALSE;
plg_debug('AD auth return FALSE or ERROR');
END IF;
-- retval := DBMS_LDAP.unbind_s(my_session);
-- plg_debug( 'unbind_res Returns ' || TO_CHAR(retval));
rc := DBMS_LDAP.SUCCESS;
errormsg := 'No error msg.';
plg_debug( '=== End when_compare_replace() ===');
EXCEPTION
WHEN OTHERS THEN
rc := DBMS_LDAP.OPERATIONS_ERROR;
errormsg := 'Exception: when_compare_replace plugin';
plg_debug( 'Exception in when_compare_replace(). Error code is ' ||
          TO_CHAR(sqlcode));
plg_debug( ' ' || Sqlerrm);
     retval := DBMS_LDAP.unbind_s(OIDADPSW2.AD_HANDLE);
     OIDADPSW2.AD_HANDLE := NULL;
END;
END OIDADPSW2;
SHOW ERRORS
EXIT;
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
-- usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
-- isfailover, isfailoverssl, sechost, secport, sechost, secsslport
-- secwalletloc, secwalletpwd
FOR oidspadi.sh
#!/bin/sh
# $Header: oidspadi.sh 13-may-2005.13:48:51 saroy Exp $
# oidspadi.sh
# Copyright (c) 2002, 2005, Oracle. All rights reserved.
# NAME
# oidspadi.sh - AD external authentication plug-in install
# DESCRIPTION
# <short description of component this file declares/defines>
# NOTES
# <other useful comments, qualifications, etc.>
# MODIFIED (MM/DD/YY)
# saroy 05/13/05 - Fix for bug 4233817
# saroy 02/18/05 - Fix for bug 4054414
# saroy 11/02/04 - Fix for bug 3980370
# qdinh 01/19/04 - bug 3374115
# dlin 07/10/03 - turn off debug
# dlin 02/21/03 - plug-in install changes
# dlin 02/13/03 - dlin_bug-2625027
# dlin 07/22/02 - Creation
ADHOST="A"
ADPORT="1"
ADSSLPORT="1"
WALLETLOC="A"
WALLETPWD="A"
WALLETPWD2="A"
CONNECT="A"
ODSPWD="A"
ODSPWD2="A"
OIDHOST="A"
OIDPORT="1"
ORCLADMINPWD="A"
ORCLADMINPWD2="A"
PRGDN="A"
SCUSB="A"
EP="A"
ISSSL="n"
ISFAILOVER="n"
ISFAILOVERSSL="n"
SECADHOST="A"
SECADPORT="1"
SECADSSLPORT="1"
SECWALLETLOC="A"
SECWALLETPWD="A"
SECWALLETPWD2="A"
clear
echo "---------------------------------------------"
echo " OID Active Directory Plug-in Configuration"
echo "---------------------------------------------"
echo " "
echo "Please make sure Database and OID are up and running."
echo " "
LDAP_DIR=${ORACLE_HOME}/ldap
LDAP_LOG=${LDAP_DIR}/log
## ORACLE_HOME
if [ -z $ORACLE_HOME ] ; then
echo " ORACLE_HOME must be set for this installation script"
exit 0
fi
# gather required information
if [ ${ADHOST} = "A" ] ; then
printf "Please enter Active Directory host name: "
read ADHOST
fi
## active directory host name is required
if [ "${ADHOST}" = "" ]
then
echo "Active Directory host name is required";
exit 1;
fi
printf "Do you want to use SSL to connect to Active Directory? (y/n) "
read ISSSL
if [ "${ISSSL}" = "n" ]
then
if [ ${ADPORT} = "1" ] ; then
printf "Please enter Active Directory port number [389]: "
read ADPORT
if [ "${ADPORT}" = "" ]
then
ADPORT="389"
fi
fi
fi
if [ "${ISSSL}" = "y" ]
then
if [ ${ADSSLPORT} = "1" ] ; then
printf "Please enter Active Directory SSL port number [636]: "
read ADSSLPORT
if [ "${ADSSLPORT}" = "" ]
then
ADSSLPORT="636"
fi
fi
if [ ${WALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read WALLETLOC
fi
## wallet location is required
if [ "${WALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${WALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read WALLETPWD ; stty echo ; echo
fi
if [ "${WALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${WALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read WALLETPWD2 ; stty echo ; echo
fi
if [ "${WALLETPWD}" != "${WALLETPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
fi
if [ ${CONNECT} = "A" ] ; then
echo " "
printf "Please enter DB connect string: "
read CONNECT
fi
if [ ${ODSPWD} = "A" ] ; then
printf "Please enter ODS password: "
stty -echo ; read ODSPWD ; stty echo ; echo
fi
## password is required
if [ "${ODSPWD}" = "" ]
then
echo "ODS password is required";
exit 1;
fi
if [ ${ODSPWD2} = "A" ] ; then
printf "Please enter confirmed ODS password: "
stty -echo ; read ODSPWD2 ; stty echo ; echo
fi
if [ "${ODSPWD}" != "${ODSPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
if [ "${CONNECT}" = "" ]
then
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD} "
else
CMDNAME="$ORACLE_HOME/bin/sqlplus -s ods/${ODSPWD}@${CONNECT} "
fi
# Check if ODS password and connect string is correct
${ORACLE_HOME}/bin/sqlplus -L ods/${ODSPWD}@${CONNECT} << END 1>/dev/null 2>/dev/null
exit;
END
if [ $? -ne 0 ]; then
echo "Incorrect connect string or ODS password specified"
exit 1;
fi
if [ ${OIDHOST} = "A" ] ; then
echo " "
printf "Please enter OID host name: "
read OIDHOST
fi
## oid host is required
if [ "${OIDHOST}" = "" ]
then
echo "OID host name is required";
exit 1;
fi
if [ ${OIDPORT} = "1" ] ; then
printf "Please enter OID port number [389]: "
read OIDPORT
if [ "${OIDPORT}" = "" ]
then
OIDPORT="389"
fi
fi
# Check if OID host and port is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect OID host or port specified"
exit 1;
fi
if [ ${ORCLADMINPWD} = "A" ] ; then
printf "Please enter orcladmin password: "
stty -echo ; read ORCLADMINPWD ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" = "" ]
then
echo "orcladmin password is required";
exit 1;
fi
if [ ${ORCLADMINPWD2} = "A" ] ; then
printf "Please enter confirmed orcladmin password: "
stty -echo ; read ORCLADMINPWD2 ; stty echo ; echo
fi
if [ "${ORCLADMINPWD}" != "${ORCLADMINPWD2}" ]
then
echo "The input passwords are not matched";
exit 1;
fi
# Check if orcladmin password is correct
${ORACLE_HOME}/bin/ldapbind -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} 1>/dev/null 2>/dev/null
if [ $? -ne 0 ]; then
echo "Incorrect orcladmin password specified"
exit 1;
fi
echo " "
if [ ${SCUSB} = "A" ] ; then
printf "Please enter the subscriber common user search base [orclcommonusersearchbase]: "
read SCUSB
if [ "${SCUSB}" = "" ]
then
SCUSB=`${ORACLE_HOME}/bin/ldapsearch -h ${OIDHOST} -p ${OIDPORT} -D 'cn=orcladmin' -w ${ORCLADMINPWD} -s base -b 'cn=common,cn=products,cn=oraclecontext' -L 'objectclass=*' orclcommonusersearchbase | head -2 | grep -v 'dn:' | awk '{printf $2}'`
fi
fi
if [ ${PRGDN} = "A" ] ; then
printf "Please enter the Plug-in Request Group DN: "
read PRGDN
fi
if [ ${EP} = "A" ] ; then
printf "Please enter the exception entry property [(!(objectclass=orcladuser))]: "
read EP
if [ "${EP}" = "" ]
then
EP='(!(objectclass=orcladuser))'
fi
fi
echo " "
printf "Do you want to setup the backup Active Directory for failover? (y/n) "
read ISFAILOVER
if [ "${ISFAILOVER}" = "y" ]
then
if [ ${SECADHOST} = "A" ] ; then
printf "Please enter the backup Active Directory host name: "
read SECADHOST
if [ "${SECADHOST}" = "" ]
then
echo "Backup Active Directory host name is required";
exit 1;
fi
fi
printf "Do you want to use SSL to connect to the backup Active Directory? (y/n) "
read ISFAILOVERSSL
if [ "${ISFAILOVERSSL}" = "n" ]
then
if [ ${SECADPORT} = "1" ] ; then
printf "Please enter the backup Active Directory port number [389]: "
read SECADPORT
if [ "${SECADPORT}" = "" ]
then
SECADPORT="389"
fi
fi
fi
if [ "${ISFAILOVERSSL}" = "y" ]
then
if [ ${SECADSSLPORT} = "1" ] ; then
printf "Please enter the backup Active Directory SSL port number [636]: "
read SECADSSLPORT
if [ "${SECADSSLPORT}" = "" ]
then
SECADSSLPORT="636"
fi
fi
if [ ${SECWALLETLOC} = "A" ] ; then
echo " "
printf "Please enter Oracle wallet location: "
read SECWALLETLOC
fi
## wallet location is required
if [ "${SECWALLETLOC}" = "" ]
then
echo "Oracle wallet location is required";
exit 1;
fi
if [ ${SECWALLETPWD} = "A" ] ; then
printf "Please enter Oracle wallet password: "
stty -echo ; read SECWALLETPWD ; stty echo ; echo
fi
if [ "${SECWALLETPWD}" = "" ]
then
echo "Oracle wallet password is required";
exit 1;
fi
if [ ${SECWALLETPWD2} = "A" ] ; then
printf "Please enter confirmed Oracle wallet password: "
stty -echo ; read SECWALLETPWD2 ; stty echo ; echo
fi
     if [ "${SECWALLETPWD}" != "${SECWALLETPWD2}" ]
     then
     echo "The input passwords are not matched";
     exit 1;
     fi
fi
fi
# install the plug-in PL/SQL packages
echo " "
echo "Installing Plug-in Packages ..."
echo " "
# install plug-in debug tool
cp $ORACLE_HOME/ldap/admin/oidspdsu.pls $LDAP_LOG
chmod +w $LDAP_LOG/oidspdsu.pls
echo "EXIT;" >> $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$LDAP_LOG/oidspdsu.pls
rm $LDAP_LOG/oidspdsu.pls
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspdof.pls
# install plug-in packages
${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
#stty -echo; eval ${CMDNAME} @$ORACLE_HOME/ldap/admin/oidspad2.pls ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${ISSSL} ${ADHOST} ${ADPORT} ${ADHOST} ${ADPORT} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ADHOST} ${ADSSLPORT} ${WALLETLOC} ${WALLETPWD} ${ISFAILOVER} ${ISFAILOVERSSL} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADPORT} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} ${SECADHOST} ${SECADSSLPORT} ${SECWALLETLOC} ${SECWALLETPWD} 2>&1 ; stty echo ; echo
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# usessl, adhost, adport, adhost, adsslport, walletloc, walletpwd
# isfailover, isfailoverssl, sechost, secport, sechost, secsslport
# secwalletloc, secwalletpwd
# register the plug-ins
echo " "
echo "Registering Plug-ins ..."
echo " "
$ORACLE_HOME/bin/ldapadd -h ${OIDHOST} -p ${OIDPORT} -D cn=orcladmin -w ${ORCLADMINPWD} << EOF
dn: cn=adwhencompare2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapcompare
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhencompare2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginattributelist:userpassword
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
dn: cn=adwhenbind2,cn=plugin,cn=subconfigsubentry
objectclass:orclPluginConfig
objectclass:top
orclpluginname:OIDADPSW2
orclplugintype:operational
orclplugintiming:when
orclpluginldapoperation:ldapbind
orclpluginenable:1
orclpluginversion:1.0.1
orclPluginIsReplace:1
cn:adwhenbind2
orclpluginsubscriberdnlist:${SCUSB}
orclpluginrequestgroup:${PRGDN}
orclpluginentryproperties:${EP}
EOF
cat <<DONE
Done.
DONE

Hi,
This is a problem that is not made clear in the note. What is probably happening here is that both plugins are being fired when a user logs in. OID will only read the value returned from the final plugin to fire. This can be a problem if the user authenticates correctly against the first plug-in but fails on the second. This is entirely legitimate as this note tells you to configure this way but the OID only observes the final result. The note doesn't tell us this.
Here's an example:
We've two OID User users in different containers: cn=Al is in container cn=usersA,dc=oracle,dc=com and cn=BOB is in container cn=usersB,dc=oracle,dc=com.
We have two plugins: pluginA and PluginB. Installed in that order.
When Al logs in the two plugins fire. pluginA finds Al and returns a true, but then pluginB fires and returns a false undoing the good result. OID only accepts the final answer and so rejects the user. When Bob logins in both plugins fire again but it's the second plugin that returns the answer again. This is true and bob gets in.
There's a couple of ways around this and one of the more effective ways is to associate the plugin with the dn. So in our example, we associate the pluginA to fire only for the dn cn=usersA,dc=oracle,dc=com and pluginB only to fire when a user is in cn=usersB,dc=oracle,dc=com. This gets around the problem of mulitple plugins firing and giving conflicting answers as the appropriate plugin only fires once.
I've used this solution in a realtime environment when connecting and provisioning multiple ADs into one OID and found it to be extremely effective.
Another solution is to associate the plugins with groups.
Both of these options may be configured easily by modifying the plugin properties in ODM. Don't forget to restart OID after you've made the changes.
HTH!
Phil.
If

SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

Hi
I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have access to the library and list, except for
a few additional folk who I have made individual members.
My PROBLEM:
I have created a SharePoint 2013 Workflow using SPD 2013 associated with the Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
the form and go to different Stages depending on that status.
The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
Here's a print of the info from the Workflow Status page (I don't have access to server logs):
RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor
Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
user who started the workflow, unlike 2010 which used System Account).
All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
Does anyone have any ideas why this is happening and what I can try to fix it?
Mark

Hi Lars,
I'm afraid not so far but we are trying a few things today so I will post back with results.
First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
"If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
I'll update when we try these ideas. If you have any luck please do the same.
Mark
(sorry about formatting - using my phone....)
Mark

Date and Time Sync at boot for Active Directory/Open Directory Authenticati

All the macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then login in with a local admin account set the time and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounst (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?

I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That however is not the case that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? well that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.

Best practice for Active Directory User Templates regarding Distribution Lists

Hello All
I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
this has led to problems with new employees being added to groups which they should not be a part of.
I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
of.
Has anyone come up with a better method of doing this?
Thank you

You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
the factors you predefine for them.

Activating TimeMachine Server for Active Directory Users

Currently we'd like to switch to Active Directory and I tried it out with our Test environment, setuped an Active Directory Server and joined a OSX Mavericks Server. So far so good I can manage all my AD users, but when I click on "Edit Access to Services" I can activate anything for my AD user BUT not Time Machine!
Does anyone knows why and if there is any workaround to make it work? For other Network (Open Directory) and Local Users I can activate it.

sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

SMB access for Active Directory users

Hi there,
My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
[2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
My smb.conf file is as follows:
; Configuration file for the Samba software suite.
; ============================================================================
; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
; The following configuration should suit most systems for basic usage and
; initial testing. It gives all clients access to their home directories and
; allows access to all printers specified in /etc/printcap.
; BEGIN required configuration
; Parameters inside the required configuration block should not be altered.
; They may be changed at any time by upgrades or other automated processes.
; Site-specific customizations will only be preserved if they are done
; outside this block. If you choose to make customizations, it is your
; own responsibility to verify that they work correctly with the supported
; configuration tools.
[global]
debug pid = yes
log level = 1
server string = Mac OS X
printcap name = cups
printing = cups
encrypt passwords = yes
use spnego = yes
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
map to guest = Bad User
guest account = nobody
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
dos charset = 437
vfs objects = darwinacl,darwin_streams
; Don't become a master browser unless absolutely necessary.
os level = 2
domain master = no
; For performance reasons, set the transmit buffer size
; to the maximum and enable sendfile support.
max xmit = 131072
use sendfile = yes
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes
; Enable locking coherency with AFP.
darwin_streams:brlm = yes
; Core files are invariably disabled system-wide, but attempting to
; dump core will trigger a crash report, so we still want to try.
enable core files = yes
; Configure usershares for use by the synchronize-shares tool.
usershare max shares = 1000
usershare path = /var/samba/shares
usershare owner only = no
usershare allow guests = yes
usershare allow full config = yes
; Filter inaccessible shares from the browse list.
com.apple:filter shares by access = yes
; Check in with PAM to enforce SACL access policy.
obey pam restrictions = yes
; Don't be trying to enforce ACLs in userspace.
acl check permissions = no
; Make sure that we resolve unqualified names as NetBIOS before DNS.
name resolve order = lmhosts wins bcast host
; Pull in system-wide preference settings. These are managed by
; synchronize-preferences tool.
include = /var/db/smb.conf
[printers]
comment = All Printers
path = /tmp
printable = yes
guest ok = no
create mode = 0700
writeable = no
browseable = no
; Site-specific parameters can be added below this comment.
; END required configuration.
Any help would be much appreciated!!
Thanks.

I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
[2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
[2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
Not feeling the Mac OS X love tonight.
Bill
System is bound to active directory - green light in Directory Utility

Apply OID search filter for Active Directory Export Sync Profile

- currenlty we have active directory export profile working successfully
- the filter we apply at OID side is SynchronizeToAD!=OID
that means synchronize all ldap data that has a attribute value other than "OID"
- This works very well
Problem:
- We now need to make the export sync work based on a different condition. The condition being....
SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
- The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
Question:
1) Need a way to control synchronization based on attribute value.
2) So far tried the below filter value with out success
2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
2b) SynchronizeToAD=AD3
- In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
Please provide us with valid search filter to accomplish the above.
The OID profile attribute that we are trying to set is odip.profile.oidfilter

- currenlty we have active directory export profile working successfully
- the filter we apply at OID side is SynchronizeToAD!=OID
that means synchronize all ldap data that has a attribute value other than "OID"
- This works very well
Problem:
- We now need to make the export sync work based on a different condition. The condition being....
SynchronizeToAD=AD3 ( Note the equality condition here, the previous one was not equal to )
- The moment we set it to the above conditions it seems to invalidate the filter. Now it behaves as if there is no filter. All changes are synchronized regardless of the attribute value
Question:
1) Need a way to control synchronization based on attribute value.
2) So far tried the below filter value with out success
2a) (&(!(SynchronizeToAD=OID))(!(SynchronizeToAD=AD)))
2b) SynchronizeToAD=AD3
- In the directory we have 3 values for this attribute(SynchronizeToAD) - AD , AD3 and OID
Please provide us with valid search filter to accomplish the above.
The OID profile attribute that we are trying to set is odip.profile.oidfilter

AFP only works for Active Directory "Domain Admins"

I have purchased a new XServe to add to our Active Directory domain as a member server. It all seems to work right except that only users in AD who are members of the "Domain Admins" group seem to function properly under AFP.
The Mac Clients can connect to our Windows boxes just fine and AD login's seem to work for loggin in any clients. I've created a shared volume on the XServe and when I try to access it via AFP with any user account that doesn't have Administrator rights I get "Invalid Login or Password" on the Mac Client.
Anyone got any ideas, this is driving me crazy.

Post to the appropriate server forum or AD forum where people dealing with these products hang out.

Principal Name for Active Directory "Domain Users"

Hi,
I successufully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successifully logined it with authentication.
The system automatically recognized my Active Directory username. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
<role-name>admin</role-name>
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
</security-role-assignment>
Now I'm trying to allow all domain members to authenticate my application. For my application I only need the actice directory usernames for them.
For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
I added
<principal-name>Domain Users</principal-name>
instead of writing all domain users.
However I couldn't authenticate. I got the "Error 403--Forbidden"
Is there anyone can help me?

test by creating a groups under Domain Users and use it as your principal name in your weblogic.xml
-Faisal
http://www.weblogic-wonders.com

Resetting ActiveSync Adapter for Active Directory

Similar Messages

Maybe you are looking for