SPNego supports multiple AD Domains?

As far as I know, SPNego has been tested on Windows 2000 Advanced Server SP4 as Active Directory Server and Domain Controller (Single Domain). I know that it works on Windows 2003 also, but does anyone know if it supports multiple AD domains?
Thanks
Ofelia

Hi Christian,
Regarding user mapping: we don't want to use user mapping to map samaccountname to R/3 user (administration issue, we don't want to administer one more system!!). Then, not using user mapping, I have the option to develop and deploy a login module in UME to strike the domain name and pass only the samaccountname to the R/3, but there is a security vulnerability, since two persons with the same ID logged on to the portal could eventually execute a SAP Transaction from the portal and, since R/3 does not receive the domain data, it shouldn't know who is running the transaction. Do you understand what I mean? So, we are in a deadlock!! We cannot implement this!!
Thanks for the suggestion. If you know how to solve this issue, I'll appreciate your comment!
Regards,
Ofelia
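
The collision described in the post above can be measured before any domain-stripping login module is deployed. The script below is an added example, not part of the original thread: it takes Kerberos principals of the form `account@REALM` and reports which accounts would become indistinguishable to the back end once the realm is dropped. The principal list, realm names and function names are constructed for illustration.

```python
"""Audit which portal identities collide when the domain part is stripped."""
from collections import defaultdict

# Constructed sample input: principals as an SPNego login would present them.
SAMPLE_PRINCIPALS = [
    "jsmith@EMEA.EXAMPLE.COM",
    "JSmith@amer.example.com",       # same account name, different domain
    "ofernandez@EMEA.EXAMPLE.COM",
    "mlee@AMER.EXAMPLE.COM",
    "mlee@APAC.EXAMPLE.COM",
    "mlee@apac.example.com",         # same principal as above, different case
]


def parse_principal(principal):
    """Split 'account@REALM' into (account, realm), normalising case.

    Account names are compared case-insensitively by Active Directory and
    realm names are conventionally upper case, so both are normalised
    before comparison.
    """
    account, sep, realm = principal.strip().rpartition("@")
    if not sep or not account or not realm:
        raise ValueError(f"not an account@REALM principal: {principal!r}")
    return account.lower(), realm.upper()


def group_by_account(principals):
    """Map each bare account name to the set of realms it appears in."""
    realms = defaultdict(set)
    for principal in principals:
        account, realm = parse_principal(principal)
        realms[account].add(realm)
    return realms


def stripped_collisions(principals):
    """Accounts that exist in more than one realm, with the realms involved.

    These are the identities the back end could not tell apart if it only
    received the bare account name.
    """
    return {
        account: sorted(realms)
        for account, realms in group_by_account(principals).items()
        if len(realms) > 1
    }


def partition_for_stripping(principals):
    """Return (unambiguous, ambiguous) lists of normalised principals.

    'unambiguous' principals map to a unique bare account name;
    'ambiguous' ones need an explicit mapping or a rename first.
    """
    collisions = stripped_collisions(principals)
    unambiguous, ambiguous = set(), set()
    for principal in principals:
        account, realm = parse_principal(principal)
        target = ambiguous if account in collisions else unambiguous
        target.add(f"{account}@{realm}")
    return sorted(unambiguous), sorted(ambiguous)


if __name__ == "__main__":
    for account, realms in sorted(stripped_collisions(SAMPLE_PRINCIPALS).items()):
        print(f"{account}: present in {', '.join(realms)}")
    ok, blocked = partition_for_stripping(SAMPLE_PRINCIPALS)
    print("safe to strip:", ok)
    print("needs explicit mapping:", blocked)
```

Run against an export of real principals, an empty collision report means the bare account name is unique across all domains at the time of the export; it says nothing about accounts created later.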

Similar Messages

  • LDAP supporting multiple DNS domains

    I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
    Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
    I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
    [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
    [B] The second thought I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
    [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
    Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
    Thank you,
    Chris

    Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswitch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
    This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environment, but I suspect it's not a problem.

  • CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

    Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
    Users all sign into a single domain internally but have multiple SMTP domains for email as this customer has many different companies they have acquired.
    OCS is able to support and route multiple SIP domains by specifying the SIP address under AD User settings such that two users both signed into the same OCS server can send IMs to each other even though they have different SIP addresses.  sip:[email protected] , sip:[email protected]
    CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the SIP domain that the server is a member of.
    The Jabber client allows you to specify a domain but I am not sure how this is used as the actual user account in CUPS is only ever the one domain and if you try and specify a different domain in the Jabber Connection Settings, it will not allow you to log in.
    It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
    Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
    Any thoughts on this design?

    Not sure on the design perspective but as for CUPS Domain, we can only have single domain per cluster. As you have already found out that for any user licensed for CUPS, their IM address would be userid@CUPSDomain
    CUPS does have functionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

  • Cisco Jabber client to support Multiple e-mail domains

    Hi All,
    Per the following link, CUCM and IM&Presence start supporting multiple domains at version 10:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_0_1/delta/CUCM_BK_C206A718_00_cucm-new-and-changed-1001/CUCM_BK_C206A718_00_cucm-new-and-changed-1001_chapter_010.html#CUCM_RF_I31EA3AB_00
    However, we have heard from Cisco that there is NO Jabber client that works with version 10 to support multiple email domains.
    This may or may not be true.
    Can someone who has connection with BU confirm this? If there is Jabber client that supports multiple email domains, what is the version and when is it going to be available?
    Thanks,
    Mustafa

    Per-Olov
    How are you dealing with this DA restriction?
    Also, what are your comments about the use of Domain Alias vs. Domain with inetdomainbaseDN pointing to my organization? Which one was your choice?
    Thanks,
    Ivo

  • Multiple DNS Domain support in Single instance of Portal

    Can BEA portal support multiple DNS domains in a single instance of BEA Portal?
    For example, can I set up portal to respond as both www.xxx.com and www.yyy.com and keep those URLs through the entire portal?

    Hi,
    thanks for your quick response. You mean we should run only one copy of the package I mentioned and separate the plants and machines by logic implemented in the package? Well, I think this is critical in case of deploying a new version, since all machines at all sites won't have the system available at the same time. At the moment we do not have things in the system that are needed to go on with production, but we have planned to implement some things that will be indispensable and in this stage we need a clear separation of the plants to minimize the risk of a simultaneous stand at all plants.
    Thanks for your suggestion and best regards,
    Matthias

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X, we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible please??
    Many thanks

    Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • RDBMS Security Store supporting multiple domains

    Can one instance of the RDBMS Security Store be utilized to support multiple WLS 10.3.2 domains?
    I have several 10.3.2 domains, all of which have clusters and role requirements? The documentation 'suggests' one Store per domain, but all of the tables in the schema contain DOMN (domain) and REALMN (realm) columns that would seem to indicate domain independence. It would be nice to be able to manage one Store schema that supports several Domains.

    Hi,
    The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
    The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
    Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
    It is just the replacement for Embedded LDAP.
    Thanks & Regards,
    Murali.
    ============

  • Supporting Multiple domains in IM&P with and Expressway deployment?

    Hello everyone. This is long winded but the context is needed to explain what I'm looking for. Any help is appreciated.
    My customer has piloted IM&P for 1 year now and is looking to take it to the next level. They purchased Expressway Core & Edge and they are looking to enable Mobile Remote Access, B2B Video and XMPP Federation. One issue is that the Jabber domain that was selected 1 year ago for the pilot was a local domain. The reason for this is because the multidomain support was not available at the time. Internally there are 3 domains. example.ca, examplesales.ca, and examplebanannas.com. Their Jabber ID they use today is example.root.local. I am reading through the guides and it seems as though IM&P allows you to map a JABBER ID to an email address or a directory URI. This will allow multiple presence domains within one Presence cluster. The problem is that it appears as though federation will not work through expressway core / edge if you use this method. Can this be confirmed?
    I am providing you these URLs only for guidance, to show you how I arrived at my situation where I’m asking for help on a configuration change to my customer's IM&P settings.
    Note the section on page 41 of the following guide http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-5-1.pdf
    One would presume that Multi-domain support is now supported with expressway core & edge. The caveat I found on page 4 of the following guide in relation to xmpp federation.
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and page 10 of the following guide
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and this section
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01010.html#CUP0_RF_CAF8AEDD_00
    Expressway-E does not support XMPP address translation (of email addresses, for example). If you are using Expressway-E for XMPP federation, you must use native presence Jabber IDs from IM and Presence Service.
    This being said
    Based on my findings, I believe Cisco now supports multi-domain setup for IM&P with the "caveat" federation still doesn't work. My customer is not happy with this but still would like to proceed with the rest of the benefits that MRA brings to the table for their Jabber deployment. 
    To support the above scenario it is my understanding I need to make an adjustment to the configuration of IM&P. As I stated when I opened the case my customer’s current IM&P domain is “example.root.local” their JID is made up of [email protected]. It’s my understanding we cannot use this domain and activate MRA so we need to adjust everyone’s JID to be a Publicly routable DNS name. Since everyone that has a JABBER account also has an email account I was thinking we map the JID to the email. I’m trying to understand how to get from where we are to where we need to be. I found this guide but it doesn’t talk about the effects of doing this on a live system setup the way my customer is setup.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01100.html
    I am also not certain this is the setting I’m looking for. I believe what I need to change is actually on the Presence server under the domains section I found this
    Domains Configuration
    Use the controls on this window to view and edit domains managed by the IM and Presence Service. Previously, the IM and Presence Service supported a single domain. With this release, you can specify multiple domains.
    Before You Begin
    To take advantage of multiple IM and Presence Service domains, you must choose Directory URI as the IM address scheme on the Advanced Presence Settings window. If the IM address scheme is set to UserID@domain, the default domain is used for the IM and Presence Service. The status of the IM Address Scheme setting is displayed at the top of the window in the Status box. The Status box contains a link to the Advanced Presence Settings window.
    Is this what I need to do?

  • IOS AIR3.6  runtime error 3747 Multiple application domains are not supported on this operating syst

    3747
    Multiple application domains are not supported on this operating system.
    I'm getting this error from an IOS app compiled with air 3.6.
    No code has changed  from Air 3.5 which is error free. Web app / android versions of the same codebase do not error.
    See the stackTrace below ( well done Adobe for providing this since air 3.5 !! )
    I use swfloaders for loading embedded swf vector art graphics. This has not caused any issue until now. Should I load all art into the main app's application domain ?
    The error does not crash the app and I could suppress it easily but it could be the tip of the iceberg because application domains are scary stuff.
    Error: Error #3747
            at flash.display::Loader/loadBytes()
            at mx.core::MovieClipLoaderAsset()
            at mx.controls::SWFLoader/loadContent()
            at mx.controls::SWFLoader/load()
            at mx.controls::SWFLoader/initializeHandler()
            at flash.events::EventDispatcher/dispatchEvent()
            at mx.core::UIComponent/dispatchEvent()
            at mx.core::UIComponent/set processedDescriptors()
            at mx.core::UIComponent/initialize()
            at com.komodomath.app::ImageSWFloader/initialize()
            at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
            at mx.core::UIComponent/addChildAt()
            at spark.components::Group/addDisplayObjectToDisplayList()
            at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
            at spark.components::Group/setMXMLContent()
            at spark.components::Group/set mxmlContent()
            at spark.components::SkinnableContainer/set mxmlContent()
            at spark.components::SkinnableContainer/createDeferredContent()
            at spark.components::SkinnableContainer/createContentIfNeeded()
            at spark.components::SkinnableContainer/createChildren()
            at mx.core::UIComponent/initialize()
            at com.komodomath.lesson::SaveStatusCheck/initialize()
            at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
            at mx.core::UIComponent/addChildAt()
            at spark.components::Group/addDisplayObjectToDisplayList()
            at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
            at spark.components::Group/addElementAt()
            at mx.states::AddItems/addItemsToContentHolder()
            at mx.states::AddItems/apply()
            at mx.core::UIComponent/applyState()
            at mx.core::UIComponent/commitCurrentState()
            at mx.core::UIComponent/setCurrentState()
            at mx.core::UIComponent/set currentState()
            at com.komodomath.maingroups::LessonGroup/handleNewLessonClick()
            at com.komodomath.maingroups::LessonGroup/___LessonGroup_KButton1_click_lessonOver()

    same issue as http://forums.adobe.com/message/4736711

  • Supporting multiple companies with JES6

    I have been trying to find instructions to support multiple companies using email, calendar, and IM on a single installation of JES6 (messaging, calendar, IM, delegated admin, independent convergence, etc). I have had no luck.
    The sales pitch talks a great story about scalability, so I must be missing something. Sun Docs does not have Messaging Server 7.0 yet. The wiki that the product page sends you to is incomplete. I am not sure when Sun made the decision to not require complete documentation before a product is released, but I find that frustrating.
    I see that I can add multiple domains in Delegated Administrator, but this does not create separate partition areas in Messaging Server. I believe that you need to separate each company's email and calendar so that conflicts in names don't happen.
    Can someone direct me to a document or tell me how to do this? Please?

    workman99 wrote:
    I have been trying to find instructions to support multiple companies using email, calendar, and IM on a single installation of JES6 (messaging, calendar, IM, delegated admin, independent convergence, etc). I have had no luck.Log into Delegated Administrator and create a new organisation for each of the companies you wish to support. This organisation will require a domain-name e.g. somecompany.com (hence the term "hosted domain"). The users in the company then log into Messaging/Calendar/Convergence with [email protected].
    The sales pitch talks a great story about scalability, so I must be missing something. Hosted/Virtual domain functionality is in use by a number of companies to provide the very functionality you refer to.
    Sun Docs does not have Messaging Server 7.0 yet. There is no intention to provide static PDF based docs for communication-suite-6 products (which include MS7.0) going forth.
    The wiki that the product page sends you to is incomplete.How exactly is it incomplete? Where there are differences between MS6.3 and MS7.0 they are documented on the http://wikis.sun.com/display/CommSuite/ site.
    I am not sure when Sun made the decision to not require complete documentation before a product is released, but I find that frustrating.Once again, what exactly is not complete. Sweeping statements aren't really constructive. The wiki format has provided the ability to provide much quicker updates and enhancements to the documentation then was previously possible with the publish-once PDF guide mechanism.
    I see that I can add multiple domains in Delegated Administrator, but this does not create separate partition areas in Messaging Server. I believe that you need to separate each company's email and calendar so that conflicts in names don't happen. You don't require separate partitions as Messaging Server and Calendar Server both use the hosted domain information in their storage e.g.
    bash-3.00# ./mboxutil -lxp user/[email protected]/INBOX
      msgs  Kbytes last msg         partition   quotaroot mailbox path and acl
         3     240 2008/04/03 07:28 primary          5120 user/[email protected]/INBOX /opt/SUNWmsgsr/data/store/partition/primary/=user/b7/e4/=testuser@hosted%dsun%dcom [email protected] lrswipcda
    bash-3.00# ./mboxutil -lxp user/shjorth/INBOX
      msgs  Kbytes last msg         partition   quotaroot mailbox path and acl
         6      37 2008/09/12 13:08 primary          5120 user/shjorth/INBOX /opt/SUNWmsgsr/data/store/partition/primary/=user/c4/31/=shjorth shjorth   lrswipcdaSo in the above example "testuser" is in the hosted.sun.com hosted domain and "shjorth" is in the aus.sun.com default domain. The default domain does not have the domain information appended in the path and is treated as a special case.
    bash-3.00# ./cscal list [email protected]
    [email protected]: [email protected] status=enabled
    bash-3.00# ./cscal list [email protected]
    [email protected]: [email protected] status=enabled
    For calendar server, the domain of the user is appended to the UID thus providing for separate UID name-spaces for each hosted-domain organisation.
    Regards,
    Shane.

  • OSB (11.1.1.7): Can OSB/Weblogic (11.1.1.7) support multiple PKIs (Public Key Infra-structure)

    Hi All,
    Would you be able to help me in understanding if OSB/Weblogic (11.1.1.7) can support multiple private keys in the domain to enable 2-SSL W/S calls?
    Solution walk-through :
    A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.
    The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.
    Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.
    Limitations and drawbacks with the current solution :  
    1. The private key of OSB system is issued and controlled by an external application vendor.
    2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.
    3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)
    4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to server IP address; any changes to the production environment (i.e. adding new nodes) will require a new key to be generated by 3rd Party system. In case 3rd Party is no longer used in the future, the keys can no longer be generated.
    Conclusion: OSB does not support multiple PKIs (Public Key Infra-structure), which is a mapping mechanism that OSB uses to provide its certificate for SSL connections to the server. Multiple private keys require multiple PKIs, which OSB does not handle.
    So, do you agree that OSB/Weblogic (11.1.1.7) could not support multiple private keys issued by more than one 3rd party vendor?
    Thanks,
    Kunal Singh

    Hi Kunal,
    Although it is recommended to have 1 key pair for 1 identity store, as it represents the unique identity of your domain, you can:
    Import multiple key-pairs in your identity store
    Configure PKI credential mapper to use reference of identity store consisting of multiple keys
    When in your OSB project you create a Service Key Provider (SKP), it loads all the private keys present in the identity store referred to by the PKI mapper. It will browse both the keys.
    Depending on your requirement, you can choose a different key pair for different SKPs for the "Client Authentication key" section (for SSL) and "Signature key" for DigiSign.
    Please let me know if I understood your query correctly and the above helps.
    Regards,
    Ankit
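
    The identity-store layout from the reply above, as an added example that is not part of the original thread: one JKS file holding two private-key entries under separate aliases, listed so each can be picked by alias. The aliases, DNs, file name and password are constructed sample values, and the keys are generated locally here, whereas a vendor-issued key would be imported into the same store under its own alias.

```shell
#!/bin/sh
# Constructed demo: one JKS identity store with two private-key entries,
# each selectable by alias (for example, one alias per Service Key Provider).
# Requires a JDK's keytool on PATH. All names and passwords are sample values.
# Passwords passed on the command line show up in process listings, so this
# form is for a throwaway demo store only.

STORE="${STORE:-./identity-demo.jks}"
PASS="changeit-demo"

# add_keypair ALIAS DN
# Generates a 2048-bit RSA key pair with a self-signed certificate signed
# with SHA-512 and stores it under ALIAS.
add_keypair() {
    keytool -genkeypair -alias "$1" -dname "$2" \
        -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 365 \
        -keystore "$STORE" -storetype JKS \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# private_key_aliases
# Prints the alias of every PrivateKeyEntry in the store, one per line.
# keytool -list prints "alias, date, PrivateKeyEntry," for such entries;
# certificate-only entries (trustedCertEntry) are skipped.
private_key_aliases() {
    keytool -list -keystore "$STORE" -storetype JKS -storepass "$PASS" 2>/dev/null |
        awk -F', *' '/PrivateKeyEntry/ { print $1 }' | sort
}

# build_demo_store
# Recreates the store with two independent identities side by side.
build_demo_store() {
    rm -f "$STORE"
    add_keypair osb-own-identity "CN=osb.example.internal, O=Example Org" &&
    add_keypair vendor-a-client  "CN=osb-client, O=Vendor A (constructed)"
}

# Usage: build_demo_store && private_key_aliases
```

    Keeping each party's key under its own alias means one key can be rotated or removed without touching the other entry in the store.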

  • Multiple Personal Domains on MobileMe

    Thinking about getting Mobile Me but between my wife and I we have four web-sites all with their own domain names.
    I know that MobileMe definitely supports having one personal domain name and multiple sites but does it support multiple sites with different personal domain names and if so, how?
    Many thanks!

    Para_Handy wrote:
    ...does it support multiple sites with different personal domain names and if so, how?
    Welcome to the discussions. Yes, but on an Individual MobileMe account, only one domain can be configured via CNAME. The other domains have to be configured as "web forwarding" (with or without masking.) More details here:
    http://iwebfaq.org/site/iWeb_Domains.html
    A MobileMe *Family Pack's* members could each have a domain configured via CNAME:
    http://www.apple.com/mobileme/pricing

  • Multiple Application Domain Error with Preloader

    Hi all,
    I'm attempting to upgrade to Air 3.6. My app runs as a swf on the web and is also meant to be packaged as a "slow" build (not interpreter) for iOS since I need the performance of Starling. Since it's a fat app, it has a preloader for the web, which works perfectly. However, when I try to start the app in ios-debug on my iPad, I get:
    [Fault] exception, information=Error: Error #3747: Multiple application domains are not supported on this operating system.
    mPreloader = new PreloaderSwfEmbed();
    mPreloaderLoader = Loader(mPreloader.getChildAt(0));        // need to wait until the swf loads before grabbing all the information from it
    mPreloaderLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, EmbeddedPreloaderLoadCompleteCB);
    On the first line of my code snippet here. How can I insert permission regarding multiple application domains for embedded swfs?
    Thanks!
      ZS

    Ok so I got the swf to load by changing the code above to the following:
    var context:LoaderContext = new LoaderContext(false, ApplicationDomain.currentDomain);
    context.allowCodeImport = true;
    mPreloaderLoader = new Loader();
    mPreloaderLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, EmbeddedPreloaderLoadCompleteCB);
    mPreloaderLoader.loadBytes(new PreloaderSwfEmbed(), context);
    But now when I run the app I get a message dialog on the iPad saying:
    Uncompiled ActionScript
    Your application is attempting to run uncompiled ActionScript, probably due to the use of an embedded SWF. This is unsupposed on iOS. See the Adobe Developer Connection website for more info.
    And yes I am using Adobe Air SDK 3.6, and building with -swf-version=19, at least on the main swf. The other swf was made with an fla with Flash Pro.
    Any help people? Why is this still not working? I thought it was fixed in 3.6. I must be missing something.
    Thanks!

  • Multiple application domain error with ANEs

    I'm building a mobile app that loads external SWFs, and it works fine when I include the current application domain in the loader context for the Loaders.
    However, as soon as I include some native extensions I need to use for the app, I start getting this familiar error:
         Error #3747: Multiple application domains are not supported on this operating system.
    I've tried switching to the parentDomain, grabbing the application domain from the parent's loaderInfo... no dice.
    Anybody know a workaround for this?
    I really need to load the SWFs and I really need the ANEs...

    Well, in case anyone else runs into this issue, here's what I did that fixed it...
    I just deleted the <extensions> node from the application descriptor XML and re-published. I have no idea why that fixed it (since Flash Builder repopulates that node when you include ANEs in your build packaging). But it did.
