Search Active Directory Entries without password authentication

Similar Messages

• SSO using Windows Active Directory but without EP or Java stack

  Good morning and thank you in advance for your help.
  The question is:
  our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
  I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
  Best regards
  Max

  Hi Willi,
  It won't be that easy to understand each other... as my english is not that good either
  Most of the points introduced in the SAP help link are automatically performed by sapinst.
  Almost all my customers running on MS are not using an AV, and neither get into troubles...
  but no user ever connect on the SAP server, only admin, for maintenance purpose or SAP admin when needed...
  Internet explorer should not be used on a sever, MS itself says it should be uninstalled...
  Best regards
  SAP on SQL General Update for Customers & Partners April 2014
  10. Do Not Install SAPGUI on SAP Servers
  Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
  To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
  “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
  SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
  SAP on SQL General Update for Customers & Partners September 2013
  Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
  The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
  Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

• Search Active Directory

  session.setAttribute("udname",StrUser);
  Hashtable env = new Hashtable();
  String ldapUrl = "ldap address";
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, ldapUrl);
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  DirContext ctx = new InitialDirContext(env);
  String[] attrs = new String[1];
  attrs[0] = "name";
  NamingEnumeration contentsEnum = ctx.search("OU=Users,OU=domain name,DC=upperlevel domain name,DC=com",attrs[0]+"="+StrUser);
  while (contentsEnum.hasMore())
  NameClassPair ncp = (NameClassPair) contentsEnum.next();
  String userName = ncp.getName();
  userName = userName.substring(3,userName.length());
  out.println(userName);
  I am using this code to search in the Active Directory...
  But I am getting error
  There is a problem in search "can't resolve symbol"
  Can somebody help me???
  the Error goes like this : -----
  Generated servlet error:
  [javac] Compiling 1 source file
  /usr/local/Tomcat/work/Catalina/localhost/_/org/apache/jsp/main4_jsp.java:129: cannot resolve symbol
  symbol : method search (java.lang.String,java.lang.String)
  location: interface javax.naming.directory.DirContext
  NamingEnumeration contentsEnum = ctx.search("OU=Users,OU=domain name,OU=upper level domain
  name,DC=com",attrs[0]+"="+StrUser);
  1 error
       org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:127)
       org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:351)
       org.apache.jasper.compiler.Compiler.generateClass(Compiler.java:415)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:458)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:439)
       org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:553)
       org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:291)
       org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301)
       org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

  Hi Ashwin,
  You have made the syntax mistake in the search.
  NamingEnumeration contentsEnum = ctx.search("OU=Users,OU=domain name,DC=upperlevel domain name,DC=com",attrs[0]+"="+StrUser);
  In this you should not send string as second parameter, it should be of type Attributes. This is the API definition of that method.
  search(Name name, Attributes matchingAttributes)
  Searches in a single context for objects that contain a specified set of attributes.
  Hope you got the error. If you have any clarifications please mail me.
  Arun
  [email protected]

• Active Directory User and Password Sync

  Hi,
  We have virtualised development labs that are direct clones of our production environment, including names, IP addresses and Active Directory. These labs are ring fenced using virtual network appliances with firewall rules that allow access to specific ports.
  The issue we have is that when passwords expire either in the labs or in production AD, it causes issues for our developers. Also, when new users are created in production, the process has to be repeated in multiple labs which is a bit of a time sink, even
  with scripts.
  Currently we sporadically do system state restores to AD controllers in the labs to get them in sync with prod but this also requires us re-adding all the servers back onto the domain and again is tedious process. Is there any way to sync from production
  AD to the labs AD?
  Thanks in advanced.
  Mark

  If it is an isolated environment, you won't be able to synchronize the data.  
  Export/Import, Backup/restore, P2V, D2VHD etc are the only option. 
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Active Directory multi forest Kerberos authentication Tomcat

  Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
  Hi,
  I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
  There is a trust between whose domains. I also set SPN and configured "Windows AD" tab in Central Management Console.
  I can add AD group from domain y and list users from that domain in Central Mangement Console. But when user from domain y tries to logon to BO he gets error java.lang.NullPointerException. Due to this error, he is unable to connect.
  There is also an error logged in Tomcat stdout.log file:
  70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
  If anyone has come across this situation, please share the solution.
  Thanks & Regards,
  Piotr
  Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

  Hi
  Is your enterprise is configured to a Java Active Directory?
  Then there can bemultiple causes:
  - The Java and the Central Management Server (CMS) are using encryption types that do not match.
  - The Service Principal Name in the CMC is incorrect
  Then to resolve this perform the following steps:
  - In the Central Configuration Manager, double-click the CMS, and note the service account used.
  - In Windows Domain users and computers, go to account properties for the CMS service account.
  - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
  - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
  - Restart the CMS server and log on.
  In a clustered CMS environment ensure that all CMS's are running under the same domain account.
  Hope this helps!!!
  Regards
  Sourashree

• Active directory Schema - Multiple password policies

  Hi All,
  I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
  on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
  dealer2loc3 and so on)
  I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
  be  creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
  Also, I have budet constraints to add new servers for each domain and separate password policies.
  What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
  Thanks.

  Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will be not easy to automate.
  Also, can you confirm if I can set up separate password policies by creating sub domain(e.g. example.com will be divided into sales.example.com and admin.example.com and this would further be divided as melourne.sales.example.com and sydney.sales.example.com)
  and I can set separate password policies for sales.example.com and admin.example.com.
  By adding child domains,it is like you are killing a mosquito with a rocket launcher, if you know what I mean. adding child domains increase the cost and administration and also adds complexity to your environment.
  From technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help form a skilled script writer to edit the script. Also I am saying
  that editing your script to a fully automated script is not impossible, it just needs enough time and skills.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Can't search Active Directory contacts even though domain binding succeeded

  My machine is bound to an Exchange 2003 AD server correctly but I can't search contacts from address book or Mail. In neither case do I see anything to indicate that I even should be able to search. What am I missing? Two colleagues are running 10.5 and they both see a "Directory" entry in their address book.
  Thanks,
  Simon

  bump

• Active directory, SSGD and password change

  Hi everybody, we have some problems with SSGD, active directory and password change
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us^Hi Simon
  I'll try again to explain you our problem, because it seems that I wasn't so clear.
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us?
  Many thank
  Patrizia

  Added question.
  Do you guys know if changing the password will change the password on their Active directory access.
  Thanks,
  helmut

• Active sync with Active Directory.  activeSync.password

  AD - OS - Win2k3
  IDM -6.0SP1
  I am using active sync with Active Directory.
  Form for Active Sync make with Wizard Active Sync.
  Make user in AD with correct password.Excecute StartActiveSync.
  User not make in Lighthouse.
  In log file appears the following:
  <WavesetResult>
  <ResultItem type='error' status='error'>
  <ResultError throwable='com.waveset.exception.PolicyViolation'>
  <Message id='PL_POLICY_VIOLATION_HEADER'>
  <String>password</String>
  <String>Lighthouse User</String>
  </Message>
  <Message id='PL_STRING_MIN_CHARACTERS'>
  <String>4</String>
  </Message>
  <StackTrace>com.waveset.exception.PolicyViolation: Policy Violation (password on Lighthouse User):
  Must contain at least 4 valid characters.
       at com.waveset.policy.StringQualityPolicy.check(StringQualityPolicy.java:1090)
       at com.waveset.provision.PolicyProcessor.checkPolicy(PolicyProcessor.java:716)
       at com.waveset.provision.PolicyProcessor.checkLighthousePasswordPolicy(PolicyProcessor.java:651)
       at com.waveset.provision.PolicyProcessor.checkPasswordPolicies(PolicyProcessor.java:574)
       at com.waveset.provision.PolicyProcessor.checkAccountPolicies(PolicyProcessor.java:232)
       at com.waveset.provision.Provisioner.checkPolicies(Provisioner.java:1102)
       at com.waveset.view.UserViewer.checkPolicies(UserViewer.java:1559)
       at com.waveset.view.UserViewer.checkPoliciesAndConstraints(UserViewer.java:1415)
       at com.waveset.view.UserViewer.checkinView(UserViewer.java:1159)
       at com.waveset.object.ViewMaster.checkinView(ViewMaster.java:725)
       at com.waveset.sync.IAPIUserImpl.submitCreate(IAPIUserImpl.java:559)
       at com.waveset.sync.IAPIUserImpl.submit(IAPIUserImpl.java:657)
       at com.waveset.adapter.ADSIResourceAdapter.processUpdates(ADSIResourceAdapter.java:1419)
       at com.waveset.adapter.ADSIResourceAdapter.getAndProcessChanges(ADSIResourceAdapter.java:1456)
       at com.waveset.adapter.ADSIResourceAdapter.poll(ADSIResourceAdapter.java:1546)
       at com.waveset.adapter.SARunner.doRealWork(SARunner.java:268)
       at com.waveset.task.Executor.execute(Executor.java:159)
       at com.waveset.task.TaskThread.run(TaskThread.java:119)
  </StackTrace>
  </ResultError>
  </ResultItem>
  </WavesetResult>
  2006-11-09T13:19:07.904+0500: lastname: Bogdanov9, accountId: Bogdanov9, objectGUID: <GUID=fb4016ebb4851b43af59763d6094932d>, isDisabled: false, identity: cn=Alexey L. Bogdanov9,ou=Users,ou=Test,dc=aut,dc=tst, uSNChanged: 78587, firstname: Alexey, AccountLocked: false, fullname: Alexey L. Bogdanov9, Initials: L
  Policy Violation (password on Lighthouse User):
  Must contain at least 4 valid characters.
  But, when i use sample active sync form from ...sample/forms/ActiveDirectoryActiveSyncForm user make in Ligthhouse with password change12345.
  Logicaly, from this code:
  <Field name='waveset.password'>
  <Comments>
  Make up a password for accounts that are being
  created. This makes it a constant
  </Comments>
  <Disable>
            <neq>
            <ref>feedOp</ref>
                 <s>create</s>
            </neq>
       </Disable>
  <Expansion>
  <cond>
            <notnull>
                 <ref>activeSync.password</ref>
            </notnull>
  <ref>activeSync.password</ref>
  <s>change12345</s>
  </cond>
  </Expansion>
  </Field>
  I think password from AD not put in to activeSync.
  Why?
  With MBR
  Bogdanov Alexey.

  --I think password from AD not put in to activeSync.
  --Why?
  You cannot change the user's password from the activeSync RA. The password is encrypted in Active Directory and you can't decrypt it.
  You can read the Idm Resources Reference - Active Directory. There's a table with all the supported fields; the userPassword field is write-only.
  If you want to take the AD password and send it to IDM, you want to use Password Sync.
  Good luck

• Active Directory, SSO, Integrated Windows Authentication

  Hi,
  I have to setup a NW BPM environment using Windows/Active Directory SSO.
  In the desired scenario, I would use UME to create BPM specific roles and/or groups and then I would associate:
  - specific AD users to UME groups or roles, and/or
  - associate AD groups to UME groups or roles.
  Is it possible? I would really appreciate any directions/hints on how to do that.
  Thanks in advance,
  Ricardo Giacomin

  It is possible you have the xml configuration file in the administration of ume and  you need to edit that one in order to link it to your AD. if you're using LDAPs to connect you will also have to load the certificates in NWA before the first connection.

• Can Win8.1-Enterprise-Domain-Sideloading Applications be used outside Active Directory Domain without product key?

  It is essential for our project deployment that our customers must use the side-loading application outside domains which activated those application.
  Thanks for any answer.

  Hi，
  I have to say that we cannot implement what you would like to.
  Here are the requirements we have to meet to create sideload applications:
  l 
  The computer running Windows 8 Enterprise must be joined to the domain.
  l 
  You must enable the “Allow all trusted apps to install” Group Policy setting.
  l 
  The app must be signed by a \ certificate that is chained to a trusted root certificate.
  Detailed information, please refer to this article:
  Try It Out: Sideload Windows Store Apps
  http://technet.microsoft.com/en-us/windows/jj874388.aspx
  Thanks for your understanding.
  Kate Li
  TechNet Community Support

• Solaris 10 authentication on Windows 2008 Active Directory

  Hi,
  Does anyone done it?
  I've do it against a Windows 2003 R2 Active Directory and now in production environment i'm having some issues with the password.
  I'm using only the Active Directory LDAP without Kerberos.
  I'm able to su to the user, getent passwd but everything that as password fails.
  I guess is some configuration issue in active directory, some sync stuff becouse the ldap bind is correctly done, is after the bind that fails.
  Bellow the sshd log with wrong user password.
  sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
  sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
  And with the correct user password.
  sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
  As you can see the bind is done but windows guys says everything is ok. This is a new implemantation both in Solaris side and Windows side.
  This is how ldapclient is configured.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
  NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
  NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
  NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
  NS_LDAP_AUTH= simple
  NS_LDAP_SEARCH_SCOPE= sub
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
  NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
  NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
  NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
  NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
  NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
  NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
  The nsswitch.conf has files ldap on both passwd and groups.
  Best regards and thanks for the help you can give

  The problem was in pam.conf that had the module pam_ldap last in the order and it shouldn't be.
  This is how it should be.
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password sufficient pam_ldap.so.1
  other password required pam_authtok_store.so.1
  Authentication against 2008 Active Directory working fine now.

• Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

  Hello,
  I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
  but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
  *javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
  *If anyone can help me figure out why it doesn't work, that would be great!*
  P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
  Here's my java code:
  {code}import javax.naming.*;
  import javax.security.auth.*;
  import java.security.PrivilegedAction;
  import java.io.UnsupportedEncodingException;
  public void changeSecret((String uid, String oldPassword, String newPassword)
       throws NamingException, ACException{
  try {
       K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
       LoginContext lc = new LoginContext("marker", cb);
       lc.login();
       Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
       catch(LoginException e) {
       try {
            lc.logout();
       catch(LoginException e) {
  }ChangePasswordAction.java is:import javax.naming.*;
  import javax.naming.naming.directory.*;
  import java.io.UnsupportedEncodingException;
  private class ChangePasswordAction implements PrivilegedAction {
       private String uid;
       private String quotedOldPassword;
       private String quotedNewPassword;
       public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
       public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                 DirContext ctx = new InitialDirContext(env);
                 ModificationItem[] mods = new ModificationItem[2];
                 byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                 byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                 mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                 ctx.modifyAttributes(uid, mods);
                 ctx.close();
            } catch (NamingException e) {
            } catch (UnsupportedEncodingException e) {
            return null;
  }K5CallbackHandler is:import javax.security.auth.callback.*;
  final class K5CallbackHandler
  implements CallbackHandler {
       private final String name;
       private final char[] passwd;
       public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if(pw == null) {
                 passwd = new char[0];
            else {
                 passwd = pw.toCharArray();
       public void handle(Callback[] callbacks)
       throws java.io.IOException, UnsupportedCallbackException {
            for(int i = 0; i < callbacks.length; i++) {
                 if(callbacks[i] instanceof NameCallback) {
                      NameCallback cb = (NameCallback) callbacks;
                      cb.setName(name);
                 else {
                      if(callbacks[i] instanceof PasswordCallback) {
                           PasswordCallback cb = (PasswordCallback) callbacks[i];
                           cb.setPassword(passwd);
                      else {
                           throw new UnsupportedCallbackException(callbacks[i]);
  }The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
  marker {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;

  This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
  My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
  Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
  In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
  Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
  //Eg. auth-conf; confidentiality, auth-int; integrity
  //confidentiality is required to set a password
  env.put("javax.security.sasl.qop","auth-conf");
  //require high strength 128 bit crypto
  env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
  You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
  Good luck.

• Is there any way to log in to active directory from a mac without joining the AD domain?

  I am looking for a way to log in to active directory without having the Mac join the AD domain. Basically i have not been able to understand all the ramifications of joining the AD domain. From what I have read in various documentations on the apple site and some of the AD plug in sites, it seems that if the mac joins the domain, all kinds of group policies get 'transfered' to the mac experience. How exactly does that affect the privileges of the local mac user on their machine? do they need to change their mac password? what happens to their existing home directories? what happens when they have their laptops at home?
  TIA
  Costas Manousakis

  Costas Manousakis wrote:
  The reason i am hesitant about binding the macs is that i'm not sure what are all the effects of that. will they have to change their mac passwords / usernames? more than likely the auto login will have to go. If there are multiple accounts on the mac (ex one admin account and other regular and admin accounts) how does binding affect them? how will it work when the mac is not in the office? if they have admin rights on the mac but not on the windows AD, how will that affect them? Do you know of a source i could go to to find answers for questions like these?
  Unfortunately, the source for answers should be your IT department. I can tell you how my machine works. I have a personal machine with no restrictions and a work machine bound to an Active Directory domain. Even my work machine has few restrictions compared to normal. I have a privileged account I can use if necessary. Also, I'm pretty much a goody-two-shoes so I don't try to circumvent restrictions.
  Basically, the Mac uses a system called Open Directory to manage user accounts. Every Mac comes with its own miniature Open Directory server. If you have a network with MacOS X Server, you can use the server's Open Directory. You can also use Microsoft's Active Directory to perform all the same tasks. The user's logins and passwords would be whatever is on Active Directory. They can change their password on the Mac and it will change the Active Directory password. Active Directory can enforce passwords expirations too.
  I am not an Active Directory administrator, so I can't give you specifics. Pretty much everything you have mentioned can be controlled via Active Directory. That is what it is for. It does require active participation of your IT staff. If you don't have that, then I don't see it working out well. It sounds like a paradox. IT wants to control users, but doesn't want to deal with it. You can't have it both ways. Maybe let it be known among the Mac users that visiting those restricted sites could cause IT to get rid of Mac altogether. That does sound like a probable outcome.

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)