SCOM Agent in Pending Management with two way trusted domain

Hello Guys,
I have two trusted domain abc.com & xyz.com with two-way trust forest-wise authentication enabled and my SCOM 2012 R2 Management server is part of abc.com. And there are multiple host which are part of domain xyz.com.When I am pushing agent from SCOm console
to server then agents are getting installed with success message in task pane, but my agents are now at in pending Management.
for this I am getting Event ID 20002 opsmgr connector with following message "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected." on SCOM Server.
And below message on the server where I am installing the agent.
Event 20071 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log
on the server and on the agent for events which indicate a failure to authenticate.
Event 21016 OpsMgr Connector
OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts. Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
Event 20070 OpsMgr Connector
The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received
configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
Need help to resolve this can any one help me.
Thanks in Advance.
NM-BG
NM-BG

Hi,
Here i suspect Authentication issue.
1.Could you please if 88, 389 & 3268 ports are opened between client domain controller and management server.
2. if ports are already open collect netmon traces on both client and management server simultaneousely and check if there are any kerborose errors
Kind Regards,
Naveen Kumar B
~Bommi

Similar Messages

MBAM 2.5 in Multi-Forest with two way trust

Hi All,
If we have two forests with two way trust, say A and B. If MABM 2.5 is setup in domain A and the urls used in the GPO of domain B to make the clients report to MABM. What additional steps do we need to take to ensure all functionality work fine namely
- Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
- Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
Thanks in Advance,
Regards,
Vijay

You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define
the MBAM GPO's to the domain where client resides.
Check out this link :
MBAM 2.5 installation - Multi Domain
Cheers,
Gaurav Ranjan / Sr. Analyst-Professional Services
MICROLAND Limited -India leading Infrastructure Management Services Company
NOTE:Mark as Answer and Vote as Helpful if it helps

SCCM 2012 R2 cross forest with one-way trust feasible?

We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
Our requirements are to support client our Windows 7 client PC's in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
in Domain A the same as our current SMS 2003 server.
What we want to do, at a minimum, using SCCM is:
Client inventory (hardware, software, user) and package distribution.
Is this do able or a no go? If not directly is there any work-around for this? Appreciate any helpful advice or feedback.
I have made the below diagram to better illustrate the scenario:
Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

Hi,
The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
Quote:
Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
two way trust with the forest of the parent (CAS or primary).
Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
Most of these items were taken from this TechNet article – please refer to the article for more information -
Planning for Communications in Configuration Manager .
For more information:
http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
Not sure which is correct...

Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

HI !
We have an installed Lync 2013 Std Edt. setup and its working perfectly for one domain. Our network infrastructure ( LAN ) is being shared with our sister company. They have their own forest and domain and a two ways trust relationship with our domain. I
want to add them in our Lync 2013 topology, is it possible ?? if yes, thn what are the requirements and which changes i need to consider.
Response from experts would be greatly appreciated.

Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
Also you can refer below link
http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Mai Ali | My blog: Technical

Cannot share documents with few users in one way trusted domain

Hello
I am running in a wiered issue. I setup people picker in SP 2013 foundation version to lookup the user from one way trusted domains after which I started getting all the users from that domain in my intranet. I can also share or modify the permission of
users being administrator. However when I try to add 2 specific users as site collection administrator or try sharing a document, I get error.
I can lookup their name but when I try changing their permission or share document with them, I get error. It's wiered because it is only with this two users. there is no difference from Active Directory point of view between these and other users. Please
help or suggest some trouble shooting steps.
Regards,
Hardik Bhilota.

Hi Hardik,
What was the error message when sharing documents with the two users?
Please also check the ULS log for detailed error message which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS.
What is the permission of the two users in SharePoint site? Can they access the site?
Please also run the two commands below to see if the issue still occurs:
First, on every front-end Web server on a farm run this command:
STSADM.exe -o setapppassword -password key
Second, on a front-end Web server run this command:
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http:// webapp
Best regards.
Thanks
Victoria Xia
TechNet Community Support

Are there any security risks in two-way trusts?

Hello!
Can anybody enumerate security risks two-way trusts have? Security holes?
I mean two-way trusts between two domains from different forests Windows 2003\2008.
Thank you for any info.

Hi,
There are two potential threats to interforest trust relationships in Windows Server 2003 :
1: Attack on trusting forest by malicious user in a trusted forest :
A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting
forest, such as a Domain or Enterprise Administrator. SID filtering is set on all trusts by default to help prevent malicious users from succeeding with this form of attack
2: Attack on shared resources in a trusting forest by malicious users in another organization’s forest :
Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because
it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area.
For more info , Please refer :
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
Though the forest mentioned is on win 2003, this article applies to Win 2008,2008R2 forest environment as well.
Please revert in case of any queries
pankaj(MCT)

Sharepoint PeoplePicker cannot search account on 2nd Domain with 2 way trust

Hi all,
   I have run into this issue for 2 days, and cannot figure out why.
   We have 3 different Sharepoint environments, and we have two-way trust between 1st and 2nd domain.
   But, one of the environments cannot search 2nd domain in PeoplePicker.
   However, the other two environments didn't require any configuration to be able to search ppl on the 2nd domain.
   Is there anyone know what happened on the specific environment?
   P.S. That specific environment has two servers in the farm, and one of them can search the 2nd domain in PeoplePicker, but the other one cannot.
   Any idea? Thank you.
James

Hi,
The issue usually occurs due to invalid trusts between different forests or the incorrect property set using stsadm. By default the people picker would search for users from same forest as that of the SharePoint server. If want to find the users from other domain, you need to use stsadm to set “peoplepicker-searchadforests” of the people picker.
If the new domain is in the same forest as the domain in SharePoint server, try to run the command line: stsadm -o setproperty. If the two domains are not in the same forest, you must run the setapppassword operation, and then run the peoplepicker-searchadforests property
For more information, please refer to: http://technet.microsoft.com/en-us/library/cc263460.aspx
Let me know the result.
Xue-Mei Chang

PeoplePicker not showing domain accounts from other forest in two way trust

We recently moved from our old farm in domainA of forestA to a new farm in domainB of forestB. We also have an older farm in domainC in forestC. There is two-way trust between all these forests. By default, Peoplepicker-SearchADForests property is not set
to anything, so it will only allow forestB accounts to be looked up from AD. But, we want PeoplePicker to lookup users from both domainA and domainB. I used below script to update the settings.
$wa = Get-SPWebApplication -Identity "https://webapp"
$oldDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$oldDomain.IsForest = $false
$oldDomain.DomainName = "domainA"
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($oldDomain)
$wa.Update()
$wa = Get-SPWebApplication -Identity "https://webapp"
$newDomain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newDomain.IsForest = $false
$newDomain.DomainName = "domainB"
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($newDomain)
$wa.Update()
For some reason, this doesn't work for domainA. Actually, it worked once before, but it stopped working at some point. PeoplePicker is only returning domainB accounts. If I add domainC using above script, it works too, but not for domainB.
So, my question is obvious - how to make this work? I've searched for an answer a lot and went through all troubleshooting there is, but could not resolve this permanently. Any help is appreciated.
Thanks.

Thanks Vladimir. I was able to run it finally in CMD. Here are the results. Now I'm thinking that the ports are not open )) Trevor's app was probably checking the ports in domain controller servers, though not sure.
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2184
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:14004 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:22233 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:22234 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:22236 0.0.0.0:0 LISTENING 5240
TCP 0.0.0.0:32843 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:32844 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 540
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 776
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 800
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 540
TCP 0.0.0.0:49177 0.0.0.0:0 LISTENING 928
TCP 0.0.0.0:49201 0.0.0.0:0 LISTENING 532
TCP SERVERIP:139 0.0.0.0:0 LISTENING 4
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 672
TCP [::]:443 [::]:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 2184
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8081 [::]:0 LISTENING 4
TCP [::]:14004 [::]:0 LISTENING 1464
TCP [::]:22233 [::]:0 LISTENING 5240
TCP [::]:22234 [::]:0 LISTENING 5240
TCP [::]:22236 [::]:0 LISTENING 5240
TCP [::]:32843 [::]:0 LISTENING 4
TCP [::]:32844 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 448
TCP [::]:49153 [::]:0 LISTENING 540
TCP [::]:49154 [::]:0 LISTENING 776
TCP [::]:49155 [::]:0 LISTENING 800
TCP [::]:49156 [::]:0 LISTENING 540
TCP [::]:49177 [::]:0 LISTENING 928
TCP [::]:49201 [::]:0 LISTENING 532

SCOM Agent Causing Login errors with LSAsrv

Bit of background:
We have numerous servers within a separated secure environment which are getting flagged as having failed login attempts every 4 hours. The exact same issue is presented in our normal estate.
Initially it presents itself as an error in the event log with EventID 6037 and the following information (this is what is flagging in our security system).
The program svchost.exe, with the assigned process ID 1876, could not authenticate locally by using the target name HOST/.. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
This actually turns out to be controlling RemoteRegistry.
The following link is a work around for this, but preferably, I don't want to disable loop back checking or strict name checking.
https://social.technet.microsoft.com/Forums/systemcenter/en-US/05cedf19-cd02-4c26-9651-4b5d5f46d58b/event-6037-lsasrv?forum=operationsmanagergeneral
(For some reason I now can't find the actual MS KB describing the work-around)
The other alternative is to then amend a registry key for BackConnectionHostNames [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] (Sorry can't find the KB where I saw the work around for this now). However, given the number of servers affected,
I'm reluctant to go down this route.
I've disabled the SCOM agent and this is definitely the culprit; so the final option is to work out which ManagementPack has been incorrectly setup and then either override it or amend it for the servers.
I've run ETL tracing on one of the servers and get the following output (I believe the two relevant lines are the [13080] [8644] lines, and the timings coincide exactly with the LSASrv.exe eventIDs.
[1] [13080] [8644] [03/09/2015-15:10:06.978] [HealthServiceCommon] [] [Warning] [] [CFileUtility::_CheckAndCreateDirectory] [FileUtility_cpp202]GetFileAttributesEx on path "C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 59\2438\" failed with code 2(ERROR_FILE_NOT_FOUND).
[0] [13080] [8644] [03/09/2015-15:10:07.000] [HealthServiceCommon] [] [Warning] [] [CFileUtility::_CheckAndCreateDirectory] [FileUtility_cpp202]GetFileAttributesEx on path "C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 59\2434\" failed with code 2(ERROR_FILE_NOT_FOUND).
[1] [13080] [8644] [03/09/2015-15:10:07.012] [HealthServiceCommon] [] [Warning] [] [CFileUtility::_CheckAndCreateDirectory] [FileUtility_cpp202]GetFileAttributesEx on path "C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 59\2430\" failed with code 2(ERROR_FILE_NOT_FOUND).
[1] [13080] [8644] [03/09/2015-15:10:07.017] [ModulesLibrary] [] [Error] [] [MOMXmlSupport::LoadElement] [MOMXmlSupport_cpp823]`VariantChangeTypeEx(&bstrVar, &bstrVar, LOCALE_INVARIANT, 0, VT_R8)` failed, returning ERROR: {hr= 0x80020005(DISP_E_TYPEMISMATCH)}
[0] [13080] [12132] [03/09/2015-15:10:07.038] [ModulesPerformance] [] [Error] [] [McPerformance::Snapshot::getNextObject] [McPerfSnapshot_cpp2115]makePerfPtr returned NULL
[2] [13080] [10612] [03/09/2015-15:10:07.134] [ModulesLibrary] [] [Error] [] [MOMXmlSupport::LoadElement] [MOMXmlSupport_cpp823]`VariantChangeTypeEx(&bstrVar, &bstrVar, LOCALE_INVARIANT, 0, VT_R8)` failed, returning ERROR: {hr= 0x80020005(DISP_E_TYPEMISMATCH)}
[2] [13080] [9540] [03/09/2015-15:10:07.138] [ModulesLibrary] [] [Error] [] [MOMXmlSupport::LoadElement] [MOMXmlSupport_cpp823]`VariantChangeTypeEx(&bstrVar, &bstrVar, LOCALE_INVARIANT, 0, VT_R8)` failed, returning ERROR: {hr= 0x80020005(DISP_E_TYPEMISMATCH)}
[0] [13080] [8644] [03/09/2015-15:10:07.451] [ModulesCommon] [] [Warning] [] [CModuleUtility::IsLocalMachine] [ModuleUtility_cpp135]Unable to find the address for the specified machine (.), assuming remote monitoring, error = 11002(WSATRY_AGAIN)
[0] [13080] [12628] [03/09/2015-15:10:07.460] [ModulesLibrary] [] [Error] [] [MOMXmlSupport::LoadElement] [MOMXmlSupport_cpp823]`VariantChangeTypeEx(&bstrVar, &bstrVar, LOCALE_INVARIANT, 0, VT_R8)` failed, returning ERROR: {hr= 0x80020005(DISP_E_TYPEMISMATCH)}
[0] [13080] [8644] [03/09/2015-15:10:07.769] [ModulesCommon] [] [Warning] [] [CModuleUtility::IsLocalMachine] [ModuleUtility_cpp135]Unable to find the address for the specified machine (.), assuming remote monitoring, error = 11002(WSATRY_AGAIN)
[0] [13080] [7060] [03/09/2015-15:10:10.097] [ModulesExpressionEvaluator] [] [Error] [] [RegExExpression::Evaluate] [MOMExprEvaluator_cpp2787]`EXPR: m_pValue->Evaluate(pitfEvaluateValue, pitfReportError, pitfProcessTrace, &spValue) FAILED` {setting hr= HRESULT=80FF0059}
So essentially my question is now that I've narrowed it down to it being a management pack of SCOM, whats the best process to work out which particular management pack is causing this?
Is there a way to get a list of all management packs that apply to a computer object? If I can get this, I can then work out which ones are on a 4 hour timer to narrow the list down and then systematically create overrides to work out which one it is.
Kind Regards,
Kevin

Hi,
If there is something wrong with the agent, we should get alerts in SCOM console for this agent. Please also check is there any errors or warnings in operation manager event log on this agent.
And here are two links about geting monitors, rules runnin on an agent, hope it can be helpful for you
What Monitors, Rules and Discoveries are running on an OpsMgr Agent?
http://blogs.technet.com/b/stefan_stranger/archive/2010/11/30/what-monitors-rules-and-discoveries-are-running-on-an-opsmgr-agent.aspx
How to View All Rules and Monitors Running on an Agent-Managed Computer
https://technet.microsoft.com/en-us/library/hh212748.aspx?f=255&MSPPError=-2147217396
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Help with getting Web Start working with two-way SSL

I have successfully transferred data (myclient.jnlp) utilizing web browsers (IE and Mozilla) from my web server (which is set up for two-way SSL "CLIENT-CERT" required) after using the browser's utility to "import" my client-side cert (in .p12 format).
After the browser connects and downloads the "myclient.jnlp" contents and places it in a temporary file, it then kicks off the javaws process with the temporary file as a parameter. The first thing javaws does is utilize the codebase and href values (found in the temporary file) to make a "GET" call to the server for the "myclient.jnlp" file (again).
However, this fails (with a SSL handshake error) since javaws uses a different keystore than IE - the server does not receive the client-side cert. I have imported the root CA and the client cert (in .pem format) into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool command but alas my server still indicates a lack of a client-side cert.
Has anyone else tried this and got it working?

Hi Richard,
Indeed it appears that the 1.5 version will have more built-in capability for client certs. It has the look of the IE browser import capability. Unfortunately, I am stuck with having to utilize 1.4.2 for the time being. Since I have posted my original message I have found more information but have yet to get it all working. The truststore in javaws 1.4.2 does have a default (the 1.4.2 jre's cacert file - stragely enough not the same one that gets updated when you import the root CA! - but this has been noted in many other threads). The javaws keystore does not have a default and I have tried, to no avail yet, to utilize some command line parameters, see http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization - to get my client cert "available" and recognized by javaws.
With the help of some debug flags here is the output on my javaws "output" log - all seems to go well up to the point of the client's Certificate chain (which appears to be empty), after the ServerHelloDone :
trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
snipped all the regular trusted certs, left my root CA as proof it is recognized...
adding as trusted cert:
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1070211537 bytes = { 205, 211, 129, 234, 88, 129, 152, 176, 223, 180, 161, 138, 246, 183, 181, 89, 61, 252, 63, 35, 21, 34, 253, 32, 254, 124, 38, 198 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 40 CA 22 D1 CD D3 81 EA 58 81 ...E..@.".....X.
0010: 98 B0 DF B4 A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 .........Y=.?#."
0020: FD 20 FE 7C 26 C6 00 00 1E 00 04 00 05 00 2F 00 . ..&........./.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
Thread-3, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 ..@.".....X.....
0050: A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C .....Y=.?#.". ..
0060: 26 C6 &.
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie: GMT: 1070211539 bytes = { 81, 106, 82, 45, 233, 226, 89, 6, 38, 240, 71, 122, 90, 226, 255, 207, 9, 102, 205, 127, 223, 211, 4, 84, 79, 16, 101, 89 }
Session ID: {34, 167, 132, 174, 141, 4, 57, 197, 190, 207, 105, 117, 241, 9, 97, 81}
Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
** SSL_RSA_WITH_DES_CBC_SHA
[read] MD5 and SHA1 hashes: len = 58
0000: 02 00 00 36 03 01 40 CA 22 D3 51 6A 52 2D E9 E2 ...6..@.".QjR-..
0010: 59 06 26 F0 47 7A 5A E2 FF CF 09 66 CD 7F DF D3 Y.&.GzZ....f....
0020: 04 54 4F 10 65 59 10 22 A7 84 AE 8D 04 39 C5 BE .TO.eY.".....9..
0030: CF 69 75 F1 09 61 51 00 09 00 .iu..aQ...
Thread-3, READ: TLSv1 Handshake, length = 607
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
               To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
Found trusted certificate:
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
               To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
[read] MD5 and SHA1 hashes: len = 607
0000: 0B 00 02 5B 00 02 58 00 02 55 30 82 02 51 30 82 ...[..X..U0..Q0.
0010: 01 FB A0 03 02 01 02 02 01 00 30 0D 06 09 2A 86 ..........0...*.
0020: 48 86 F7 0D 01 01 05 05 00 30 57 31 0B 30 09 06 H........0W1.0..
0030: 03 55 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 .U....US1.0...U.
0040: 08 13 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 ...Virginia1.0..
0050: 03 55 04 07 13 07 46 61 69 72 66 61 78 31 11 30 .U....Fairfax1.0
0060: 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 ...U....Zork.org
0070: 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 1.0...U....Root
0080: 43 41 30 1E 17 0D 30 34 30 35 32 36 32 30 33 38 CA0...0405262038
0090: 35 39 5A 17 0D 30 34 30 36 32 35 32 30 33 38 35 59Z..04062520385
00A0: 39 5A 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 9Z0W1.0...U....U
00B0: 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 S1.0...U....Virg
00C0: 69 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 inia1.0...U....F
00D0: 61 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 airfax1.0...U...
00E0: 08 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 .Zork.org1.0...U
00F0: 04 03 13 07 52 6F 6F 74 20 43 41 30 5C 30 0D 06 ....Root CA0\0..
0100: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 30 .*.H.........K.0
0110: 48 02 41 00 E2 BD 8D E9 59 8E 07 35 2B ED 20 57 H.A.....Y..5+. W
0120: 38 00 C8 3D 34 85 50 E2 93 A0 17 C7 98 45 F3 5F 8..=4.P......E._
0130: CD 7B 4A DA 6E F0 C7 0F 7A 03 3E 69 A9 7C CD 15 ..J.n...z.>i....
0140: 46 F0 D1 C8 7A 0A E9 09 DD B7 6F 5B CD 80 29 E6 F...z.....o[..).
0150: 3A 6A 49 65 02 03 01 00 01 A3 81 B1 30 81 AE 30 :jIe........0..0
0160: 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 1D 06 ...U....0....0..
0170: 03 55 1D 0E 04 16 04 14 3F A7 DF 1F FA 90 1F 98 .U......?.......
0180: 4F BA 42 9F 21 7D B4 C4 88 76 14 DA 30 7F 06 03 O.B.!....v..0...
0190: 55 1D 23 04 78 30 76 80 14 3F A7 DF 1F FA 90 1F U.#.x0v..?......
01A0: 98 4F BA 42 9F 21 7D B4 C4 88 76 14 DA A1 5B A4 .O.B.!....v...[.
01B0: 59 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 53 Y0W1.0...U....US
01C0: 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 1.0...U....Virgi
01D0: 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 nia1.0...U....Fa
01E0: 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 08 irfax1.0...U....
01F0: 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 04 Zork.org1.0...U.
0200: 03 13 07 52 6F 6F 74 20 43 41 82 01 00 30 0D 06 ...Root CA...0..
0210: 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 41 00 29 .*.H.........A.)
0220: CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D 9E ..H../.J.s.q.X..
0230: 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD C4 .D....<.........
0240: FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 AE .R..re....ba5...
0250: FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 .........w..j..
Thread-3, READ: TLSv1 Handshake, length = 220
*** CertificateRequest
Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
Cert Authorities:
<CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
<CN=Server CA, OU=Server Division, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
[read] MD5 and SHA1 hashes: len = 220
0000: 0D 00 00 D8 03 01 02 05 00 D2 00 59 30 57 31 0B ...........Y0W1.
0010: 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0F 06 0...U....US1.0..
0020: 03 55 04 08 13 08 56 69 72 67 69 6E 69 61 31 10 .U....Virginia1.
0030: 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 78 0...U....Fairfax
0040: 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 1.0...U....Zork.
0050: 6F 72 67 31 10 30 0E 06 03 55 04 03 13 07 52 6F org1.0...U....Ro
0060: 6F 74 20 43 41 00 75 30 73 31 0B 30 09 06 03 55 ot CA.u0s1.0...U
0070: 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 ....US1.0...U...
0080: 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 03 55 .Virginia1.0...U
0090: 04 07 13 07 46 61 69 72 66 61 78 31 11 30 0F 06 ....Fairfax1.0..
00A0: 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 31 18 .U....Zork.org1.
00B0: 30 16 06 03 55 04 0B 13 0F 53 65 72 76 65 72 20 0...U....Server
00C0: 44 69 76 69 73 69 6F 6E 31 12 30 10 06 03 55 04 Division1.0...U.
00D0: 03 13 09 53 65 72 76 65 72 20 43 41 ...Server CA
Thread-3, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 175, 38, 47, 77, 131, 125, 209, 147, 174, 228, 183, 99, 34, 2, 100, 186, 77, 47, 65, 233, 82, 133, 183, 113, 8, 193, 51, 241, 167, 105, 4, 187, 57, 130, 161, 11, 178, 11, 134, 84, 96, 106, 203, 11, 195, 51 }
[write] MD5 and SHA1 hashes: len = 77
0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 39 9F EC ..........B.@9..
0010: 5F 92 FA 3D 5E 3D 0C 19 10 72 DA BE B6 14 76 62 _..=^=...r....vb
0020: AE 39 75 0B 74 10 C7 B1 42 D7 A1 22 C0 0E B8 A2 .9u.t...B.."....
0030: 22 80 73 20 36 A2 FD BB F9 3E F4 F0 91 CE 95 F8 ".s 6....>......
0040: 05 D7 22 FC 2C CF 1B AB 19 82 03 D2 F5 ..".,........
Thread-3, WRITE: TLSv1 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 AF 26 2F 4D 83 7D D1 93 AE E4 B7 63 22 02 ...&/M.......c".
0010: 64 BA 4D 2F 41 E9 52 85 B7 71 08 C1 33 F1 A7 69 d.M/A.R..q..3..i
0020: 04 BB 39 82 A1 0B B2 0B 86 54 60 6A CB 0B C3 33 ..9......T`j...3
CONNECTION KEYGEN:
Client Nonce:
0000: 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 A1 8A @.".....X.......
0010: F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C 26 C6 ...Y=.?#.". ..&.
Server Nonce:
0000: 40 CA 22 D3 51 6A 52 2D E9 E2 59 06 26 F0 47 7A @.".QjR-..Y.&.Gz
0010: 5A E2 FF CF 09 66 CD 7F DF D3 04 54 4F 10 65 59 Z....f.....TO.eY
Master Secret:
0000: 67 B9 58 74 69 18 0B 2E 00 EB AC 9B 77 15 B4 65 g.Xti.......w..e
0010: 61 A1 AC D0 F1 D5 4C CA 0E 51 FC 58 A0 11 B7 87 a.....L..Q.X....
0020: EC 72 26 D0 83 18 27 49 8F B6 32 FF E3 89 1D E4 .r&...'I..2.....
Client MAC write Secret:
0000: D5 96 AB F7 1E 46 5F 46 8A E9 3E DF A0 5E 32 5E .....F_F..>..^2^
0010: 00 FB B8 D8 ....
Server MAC write Secret:
0000: E6 7D 8E F5 6A 4C 94 4C D6 2A 3A 4D FC C1 94 A3 ....jL.L.*:M....
0010: C5 6C 5F B6 .l_.
Client write key:
0000: 18 1D 51 8C 74 6D 18 57 ..Q.tm.W
Server write key:
0000: 0D 4E 7A F1 5A D6 5F 5B .Nz.Z._[
Client write IV:
0000: 4C BB 4D FA 4F EB CB 4E L.M.O..N
Server write IV:
0000: B7 6A CA E9 66 7D 25 88 .j..f.%.
Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
*** Finished
verify_data: { 20, 20, 38, 13, 43, 235, 102, 72, 75, 212, 21, 21 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
Padded plaintext before ENCRYPTION: len = 40
0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
0010: 90 9C E9 09 F4 48 96 A6 8F AA 04 DF E9 36 72 F0 .....H.......6r.
0020: 42 F0 60 78 03 03 03 03 B.`x....
Thread-3, WRITE: TLSv1 Handshake, length = 40
Thread-3, READ: TLSv1 Alert, length = 2
Thread-3, RECV TLSv1 ALERT: fatal, handshake_failure
Thread-3, called closeSocket()
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Finalizer, called close()
Finalizer, called closeInternal(true)
So I'll toil away trying to get *right* combination of settings - please let me know if you have any ideas! FYI here are the command line settings I am using for the keystore:
-Djavax.net.ssl.keyStore=c:\myClientIdKeyStore -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=myClientIdKeyStorePass
Thanks,
Paul

How to pass data back to MS CRM online from Azure SB with two-way listener?

Hi all,
I have already setup the integration between MSCRM Online 2015 and Azure using two-way listener. However, I am unable to retrieve the return string "Success" in MSCRM side, such as System Jobs. Anyone has idea? Thanks.
https://technet.microsoft.com/en-us/library/gg334438.aspx
public string Execute(RemoteExecutionContext context)
Utility.Print(context);
return "Success";
Best Regards,
Gary

Hello Gary,
From my understanding, Azure integration with Microsoft Dynamics CRM works as follow:
A registered Azure aware plugin sends the execution context to an Azure service bus
A listener process the message as they are queued by the Azure service bus
If the listener is a two way listener, then the listener may return a string response to the plugin
The plugin receive the response and process it
So you need both an Azure aware plugin and a listener. The Azure aware plugin is responsible for sending the execution context and process the response. In your case, you would want the plugin to write the response using the tracing service.
I think you registered the default Azure aware plugin which only sends the execution context. You need to implement your own Azure aware plugin in order to process the response. the sample Plug-ins project located in SampleCode\CS\Azure\Plug-ins implements
exactly what you want to achieve.
I hope this answer will help you.

Trouble with two way calendar sync

Recently my two way calendar sync stopped working? Any ideas why?

Its hard to tell.. Maybe some setting got thrown off during the update
Please click the Thumbs Up icon if this comment has helped you!
If your issue is resolved, please click the solution button on the resolution!
Every BlackBerry should have BlackBerry Protect, get it now! | Follow me on Twitter | Bring Back BBM Music!

Setting up two way AD domain trust ?

Hi,
I'd like to know what are the steps that I need to take when setting up Active Directory domain trust between two or more different AD domain? and also the steps to undo the domain trust in case I need to prevent some issues.
Because I currently have about 15+ site offices that runs their own Active Directory domain to be joined with my current parent company AD domain.
Thanks
/* Server Support Specialist */

Have you thought about using Azure Active Directory with users synchronization to consolidate all your office to one place?
Answering directly: There are different types of trusts. Think about setting 1-way trust (users from first domain can get access to the resources in second domain but not the other way round) or 2-way trust (users in both domains get access to resources
such as applications or sysytems in both domains). Please read https://technet.microsoft.com/en-us/library/cc730798.aspx
Setting up the trust is rather easy task (https://technet.microsoft.com/en-us/library/cc771580.aspx) and can be undone easily as well (https://technet.microsoft.com/en-us/library/cc771137.aspx)
Hope that helps!
Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

Users see all applications in RDS 2012 Web access in one-way trust domain environment

Hello!
We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
In the security log of wa.domainA.local we can find an event :
An account failed to log on.
Subject:
Security ID:                IIS APPPOOL\RDWebAccess
Account Name:                RDWebAccess
Account Domain:                IIS APPPOOL
Logon ID:                0x2C7B16
Logon Type:                        3
Account For Which Logon Failed:
Security ID:                NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason:                An error occurred during logon
Status:                        0xC000005E
Sub Status:                0x0
Also in network trace on wa.domainA.local kerberos error could be found:
On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
How to deal with this issue? The aim is to show only specified applications to domainB users.
Any help would be appreciated.

Hi,
Thank you for your posting in Windows Server Forum.
Please check below links might useful for your case.
“After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
this article)
1. Remote APP list empty
2. RD
Web Access unable to access Source (RD Server)
In respect to Kerberos Error, refer this link for troubleshooting.
1. Troubleshooting Kerberos Authentication problems – Name resolution issues
2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
Hope it helps!
Thanks,
Dharmesh

Can i use single node manager with two weblogic domain?

I am very new to weblogic and node manager.
i had created two domains in weblogic. (single node manger).
Can i connect both domains with same nodemanger?
How to do this?

The node manager uses a nodemanager.domains file to determine which domains it manages, for example,
domain_name=/path_to_domain/domain_name
other_domain_name=/path_to_other_domain/other_domain_name
This file can be found in the NODEMANAGER_HOME, that you specified when starting the node manager (startNodeManager - NODEMGR_HOME="${WL_HOME}/../oracle_common/common/nodemanager")
When you are running the domain on multiple machines you have to enroll the node manager into the domain (http://docs.oracle.com/cd/E23943_01/web.1111/e13813/reference.htm#i1065827)
A scripted example can be found here: Middleware Snippets: Automate WebLogic Installation and Configuration. The Node Manager administration guide can be found here: Oracle&reg; Fusion Middleware Node Manager Administrator's Guide for Oracle WebLogic Server 11g Release 1 (10.3.6) -….

SCOM Agent in Pending Management with two way trusted domain

Similar Messages

Maybe you are looking for