SUP configuration multi forest

Seeking some advice for the scenario below. Not able to push software updates to client machines in both forests.
Two forests, A and B, with a trust.
One SCCM 2012 primary server with SUP and WSUS, SQL on a separate box, in Forest A.
Firewall ports are opened. Software / package deployment works fine for the client machines in both forests.
WSUS sync is successful.
From client machines we are able to ping and telnet to the SCCM/SUP/WSUS (all-in-one) server, and also able to browse the WSUS site created in IIS.
Not able to push software updates to client machines in both forests.
Do we need multiple SUP roles in this case? Is there any workaround?
Appreciate your help on this.
Thanks
Gurudatt

In general no, there is no reason that you will need a SUP to support an alternate forest.
Have you reviewed wuahandler.log on a client in this alternate forest?
Is software distribution successful to clients in this alternate forest?
Jason | http://blog.configmgrftw.com | @jasonsandys
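A triage helper for the client-side check Jason suggests, added here as an example that is not part of the thread: it parses the raw ConfigMgr log format (the one wuahandler.log and WCM.log are written in on disk) into timestamped entries and pulls out the warning and error lines together with any HRESULT they carry. The sample lines are constructed in wuahandler.log style; the server name and update-source id are placeholders.

```python
import re
from datetime import datetime

# Regular expression for the on-disk ConfigMgr log format written by the client
# (wuahandler.log) and by site components such as SMS_WSUS_CONFIGURATION_MANAGER (WCM.log).
LOG_ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)

# type="1" is informational, "2" a warning, "3" an error.
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")
# The time attribute carries a UTC offset suffix ("+000", "-420"); keep only the clock part.
TIME_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\.\d{3})")

# Constructed sample lines in wuahandler.log style (not taken from the thread);
# the host name and the update-source id are placeholders.
SAMPLE_LOG = (
    '<![LOG[Enabling WUA Managed server policy to use server: http://sup.example.invalid:8530]LOG]!>'
    '<time="09:01:54.123+000" date="02-19-2014" component="WUAHandler" context="" '
    'type="1" thread="4424" file="cwuahandler.cpp:1000">\n'
    '<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({PLACEHOLDER-GUID}). '
    'Error = 0x80072ee2.]LOG]!>'
    '<time="09:02:25.456+000" date="02-19-2014" component="WUAHandler" context="" '
    'type="3" thread="4424" file="cwuahandler.cpp:1000">\n'
    '<![LOG[Its a WSUS Update Source type ({PLACEHOLDER-GUID}), adding it.]LOG]!>'
    '<time="09:02:26.000+000" date="02-19-2014" component="WUAHandler" context="" '
    'type="1" thread="4424" file="cwuahandler.cpp:1000">\n'
)


def parse_cm_log(text):
    """Parse raw ConfigMgr log text into a list of entry dicts, in file order."""
    entries = []
    for m in LOG_ENTRY_RE.finditer(text):
        clock = TIME_RE.match(m.group("time"))
        stamp = None
        if clock:
            stamp = datetime.strptime(f'{m.group("date")} {clock.group(1)}', "%m-%d-%Y %H:%M:%S.%f")
        hres = HRESULT_RE.search(m.group("message"))
        entries.append({
            "timestamp": stamp,
            "component": m.group("component"),
            "severity": SEVERITY.get(m.group("type"), "unknown"),
            "thread": int(m.group("thread")),
            "message": m.group("message").strip(),
            "hresult": hres.group(0).lower() if hres else None,
        })
    return entries


def find_problems(entries):
    """Return only warning and error entries: the lines to read first when a client
    is not receiving updates, since the HRESULT in them usually names the failing step."""
    return [e for e in entries if e["severity"] in ("warning", "error")]


def summarize(entries):
    """Count entries per severity, useful for a quick glance across many clients."""
    counts = {}
    for e in entries:
        counts[e["severity"]] = counts.get(e["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_problems(parse_cm_log(SAMPLE_LOG)):
        print(e["timestamp"], e["severity"].upper(), e["hresult"], e["message"])
```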

Similar Messages

  • VDI in multi forest

    Hello everyone,
    We have a situation with Remote Desktop Services with virtual desktops where we are limited in our possibilities. We have a multi-forest domain structure with trusts between the forests; some trusts are two-way trusts, some trusts are one-way trusts and some forests have no trust at all.
    We are trying to implement an RDS solution with virtual desktops; the servers are in domain 1 and the client VDI VMs are in domain 2. Our question is in which trust configuration this is supported, and is there any documentation?
    Our consideration is that we are not flexible and we need a hardware cluster for every forest, and it's getting very expensive.
    Thanks in advance, I hope to get a trustworthy answer.
    Kind regards,
    Jasper Sybrandy

    Hi,
    Sorry for the late response. It seems there is no good document regarding your case, but you can refer to the article beneath.
    Test Lab Guide: Virtual Desktop Infrastructure Quick Start
    https://technet.microsoft.com/en-in/library/hh831585.aspx
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains.
    We originally tried to build our own custom code, but this has failed due to some unforeseen errors.
    I have reverted back to the inbuilt ciac option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
    for example
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also note that urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this ?  Do you know if it works?  I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand - I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not related to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of the JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping - we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain a mapping of Kerberos principal name to SAP user id using a table in the ABAP engine called USRACL. This table is maintained using the SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim
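The two mapping methods described in the reply above, as an added worked example that is not code from the thread or from the CyberSafe product: it shows why the simple mapping (strip realm, upper-case) collides as soon as a second realm contains a user with the same name, while a realm-qualified USRACL-style lookup keeps the two Kerberos identities apart. The USRACL table contents and the principals are constructed, and keying the table by the full principal string is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal split into its name and realm, e.g. user.name@DOMAIN1."""
    name: str
    realm: str

    def __str__(self):
        return f"{self.name}@{self.realm}"


def parse_principal(text):
    """Split 'user.name@DOMAIN1' into name and realm; realms are case-sensitive,
    so the realm is kept exactly as the ticket carried it."""
    if "@" not in text:
        raise ValueError(f"principal without realm: {text!r}")
    name, realm = text.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, realm)


def simple_mapping(principal):
    """Method 1 from the post: drop the realm and upper-case the name.
    The realm is discarded, so it cannot tell DOMAIN1 and DOMAIN2 users apart."""
    return principal.name.upper()


def usracl_mapping(principal, usracl):
    """Method 2: look up the full, realm-qualified principal in a USRACL-like table.
    Returns None when no entry exists so the caller can refuse the logon instead of guessing."""
    return usracl.get(str(principal))


def find_collisions(principals, mapper):
    """Group authenticated principals by the SAP user id a mapper assigns them.
    Any group holding more than one distinct principal means two Kerberos identities
    would share one SAP identity, which is the multi-domain problem the post points out."""
    groups = defaultdict(set)
    for p in principals:
        sap_user = mapper(p)
        if sap_user is not None:
            groups[sap_user].add(str(p))
    return {user: sorted(ps) for user, ps in groups.items() if len(ps) > 1}


# Constructed USRACL-style table (assumption: keyed by realm-qualified principal).
USRACL = {
    "user.name@DOMAIN1": "USER.NAME",
    "user.name@DOMAIN2": "USER.NAME.D2",
}

# Constructed set of principals as they would appear inside decrypted service tickets.
AUTHENTICATED = [
    parse_principal(p) for p in ("user.name@DOMAIN1", "user.name@DOMAIN2", "other@DOMAIN2")
]

if __name__ == "__main__":
    print("simple mapping collisions:", find_collisions(AUTHENTICATED, simple_mapping))
    print("USRACL mapping collisions:",
          find_collisions(AUTHENTICATED, lambda p: usracl_mapping(p, USRACL)))
```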

  • Multi Forest AD Authentication

    Hi ,
    I think I messed up somewhere in the web.xml. The problem is like this:
    1. I have users across geography.
    2. In AD they are in different domains for example : Europe , Asia , NA etc.
    3. Logon the general way is
    <Domain>\ <Username>
    But when I am supplying the domain name it's throwing an error. But when I log in with just the username it logs in fine. But that is only for one domain. The users of other domains are not able to log in.
    So please advise where to change in the XML so that they can supply the domain name.
    Regards
    Sid
    Urgently required. So please all a quick response will be very helpful .

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also note that urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • Does anybody know how to configure a multi-threaded server?

    Hi
    All,
    Does anybody know how to configure a multi-threaded server?
    Thanks,
    Vishal

    Values are just samples. Use whatever is appropriate for your environment, and understand each of them before using in production.
    alter system set DISPATCHERS="(PROTOCOL=tcp)(DISPATCHERS=3)(CONNECTIONS=1000)"
    alter system set shared_servers=100
    replace "DEDICATED" with "SHARED" in tns names
    Ready to go.
    select username,server from gv$session (server should show none or shared)

  • Super BOM, Multi BOM configurations

    Sir,
    how configure Super BOM, and Multi BOM please provide me the configuration settings to do practise in my home PC.
    Thank u

    Hi Supraja Bolli
    BILL OF MATERIAL
    The Material Ordered, Delivered and Billed consists of one or Several Components.
    These components are called as Bill Of Materials
    The Material Ordered by the Customer is referred as Main Item or Higher Level item. The Components are referred as Sub-items.
    When we enter the Main-item in the Sales documents, the Components are automatically determined and this is called as expansion of Bill Of Materials.
    In SD, we treat the processing of Boms in two ways.
         Processing at Main-item.
         Processing at the Sub-item
    The Processing in both cases is controlled by the Item Categories and Schedule line Categories.
    Step: 1
       Prepare the Material Master for all the materials, i.e. the main-item and sub-items.
    In the Material Master, the Item Category group of the Main-item is important.
    We need to Maintain the item category group for the Main-items and sub-items as follows.
    Scenario                      Main-Item    Sub-Item
    Processing at main-item       ERLA         NORM
    Processing at sub-items       LUMF         NORM
    Item category                 TAQ          TAE
    Schedule line category        CP           CT
    Step: 2
    Let us take a Computer as a BOM. It has various parts like mouse, keyboard, motherboard, RAM and CPU.
    Let us take the Computer as the main-item, and the rest as sub-items.
    Prepare Material Master. We have to Prepare Material Master for Main-item and Sub-items.
    T-Code: MM01
    First Prepare for Computer which is the Main-item.
    In Sales: General/Plant. Maintain ERLA in the Item Category Group
    Then Create and Save the Material Master
    Step: 3
    Create Material Master for the Sub-item. That is for Keyboard, Mouse,
    Motherboard, Ram & CPU.
    In Sales: General/Plant. Maintain NORM in the Item Category Group
    Similarly Create Material Master for the rest of the Sub-item and SAVE.
    Step: 4
      Create Material Bom.
    T-Code: CS01
    Enter the Details
    Material no: xxxxxx
    Plant: xxxxxx
    Bom Usage: 5
    Then Enter
    Step: 4A
    A screen will pop-up. Enter the details of Components such as:
    Mouse , keyboard, Motherboard, Ram etc, in the screen
    Then SAVE
    Step: 5
    Create Condition Record.
    T-Code: VK11
    Maintain pricing only for the main-item.
    That is, the Computer.
    Then SAVE
    Step: 6
      Create Sales Order
    T-Code: VA01
    Enter only the Main-item.
    Then ENTER
    Step: 7
    The Bom Explodes
    Bom Explodes with the Sub-item.
    Pricing is done only for the Main-item.
    Then SAVE
    Step: 8
    Create Delivery
    T-Code: VL01N
    Picking is happening only for the Main-item and not the sub-item
    Then SAVE
    Then do billing.
    Reward if helpful to you.

  • Additional SUP in untrusted forest

    Hi to all,
    I currently have a single stand-alone Primary Site with good working MP, SUP and DP roles on one single server. I need to configure a proxy server in the site server SUP properties for updates synchronization and download (no direct access is permitted in our environment).
    I added additional MP, SUP and DP roles on another server in another untrusted domain. All install phases work great, and the MP and DP roles are now up and running.
    The problem is regarding the additional SUP: the Primary Site seemingly CANNOT contact and configure the additional SUP because it tries to use the proxy to contact it; see WCM.log on the Primary Site:
    Using <***username***> credentials for network connections SMS_WSUS_CONFIGURATION_MANAGER 19/02/2014 09:01:54 4424 (0x1148)
    Attempting connection to WSUS server: <***servername***>, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 19/02/2014 09:01:54 4424 (0x1148)
    System.Net.WebException: The request failed with HTTP status 407: Proxy Authentication Required.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String
    ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONFIGURATION_MANAGER 19/02/2014 09:02:25 4424 (0x1148)
    When I unchecked the proxy server in the site server SUP properties for updates synchronization on the Primary Site / first installed SUP, it seems it CAN contact and configure accordingly the additional SUP ... but in this way the updates synchronization from the Microsoft website obviously fails...
    Any workaround (direct access is NOT permitted)?
    Any further help (or suggestion) will be highly appreciated,
    thanks in advance.

    ... wrong forum ... sorry ...
    I will re-post in the right one ... SCCM 2012 ...

  • SUP in untrusted forest using SCCM 2012 SP1

    Hi, I have a single primary site in a single domain/AD forest. I also have a single site system in an untrusted forest behind a firewall.
    I have installed a DP and an MP onto this server in the untrusted forest and have now installed WSUS and added the SUP role. The SUP role has been installed; however, the SUP in the untrusted forest isn't syncing its catalog from the SUP in the primary site.
    In the Software Update Point Synchronisation Status, its source is specified as Microsoft Update, rather than the name of the Primary Site server with the SUP role.
    The relevant ports 80/443/8530/8531 are open between the two forests, but it doesn't appear to attempt to sync from the primary site.
    How do I get this SUP to sync from the Primary site? I've tried setting a WSUS Server Connection Account, but this doesn't appear to make any difference.
    Thanks for your help.
    Carl

    I had to remove the use of the proxy server at the primary SUP so that it downloads directly from the internet without the use of a proxy.
    As soon as this was removed the untrusted SUP synchronised successfully. Even though the proxy isn't specified in the SUP properties of the untrusted site system, it still appears to use it when performing a sync.
    Do you want to file this on Connect as feedback to the Product Group?
    https://connect.microsoft.com/ConfigurationManagervnext/Feedback
    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

  • MBAM 2.5 in Multi-Forest with two way trust

    Hi All,
    If we have two forests with a two-way trust, say A and B, and MBAM 2.5 is set up in domain A and the URLs are used in the GPO of domain B to make the clients report to MBAM, what additional steps do we need to take to ensure all functionality works fine, namely:
    - Users from domain B logging in to the self service of MBAM. How will the authentication work? Do we need to add All users from Domain B to any group?
    - Also I read that the Self Service website should not be hosted over the internet as per Microsoft. Why is it?
    Thanks in Advance,
    Regards,
    Vijay

    You have to define the group policies in all of the domains where the client resides and place the MBAM Web server in the root domain. Make sure the client can access the MBAM service endpoints. If clients can access the endpoints, you only need to define
    the MBAM GPO's to the domain where client resides.
    Check out this link :
    MBAM 2.5 installation - Multi Domain
    Cheers,
    Gaurav Ranjan / Sr. Analyst-Professional Services
    MICROLAND Limited -India leading Infrastructure Management Services Company
    NOTE: Mark as Answer and Vote as Helpful if it helps

  • Active Directory multi forest Kerberos authentication Tomcat

    Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
    Hi,
    I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
    There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
    I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
    There is also an error logged in Tomcat stdout.log file:
    70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    If anyone has come across this situation, please share the solution.
    Thanks & Regards,
    Piotr
    Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

    Hi
    Is your enterprise configured to a Java Active Directory?
    Then there can be multiple causes:
    - The Java and the Central Management Server (CMS) are using encryption types that do not match.
    - The Service Principal Name in the CMC is incorrect
    Then to resolve this perform the following steps:
    - In the Central Configuration Manager, double-click the CMS, and note the service account used.
    - In Windows Domain users and computers, go to account properties for the CMS service account.
    - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
    - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
    - Restart the CMS server and log on.
    In a clustered CMS environment ensure that all CMSs are running under the same domain account.
    Hope this helps!!!
    Regards
    Sourashree

  • Multi Forest Client Management

    Our system has 4 forests with multiple child domains in each forest. We will be collapsing 3 of those forests into Forest 1 Domain 1A over the next few years. Our SCCM 2012 server is in Domain 1A and we currently have clients from 2 other child domains in Forest 1. The request is to start getting the other forest workstations for forests 2, 3, and 4 as clients of our DOMAIN 1A SCCM server. The other forests have their own SCCM environments (2007 or 2012) that will be going away.
    1. Since the forest 2, 3, and 4 workstations have an SCCM client on them already, what would the path look like to get DOMAIN 1A's SCCM client installed? Uninstall the existing client and push the DOMAIN 1A SCCM client to them?
    2. Once we have the other forests' workstations loaded, will the domain change affect the DOMAIN 1A SCCM client that is installed on each of them when that time comes?
    3. Are we better off waiting and letting those forests manage their clients until the migration, rather than trying to install the SCCM client they will eventually have prior to them going through a migration to a new domain?

    How about subnets and the overlapping subnets issue?
    Since the SCCM environments are all separate and not aware of each other, would putting the other regions' subnets in DOMAIN 1A's SCCM boundaries affect those other regions' SCCM implementations or current clients?
    To me, I can't see that it would. The DOMAIN 1A SCCM server would just be able to see new boundaries and once AD System Discovery was configured, it could see the new workstations from the other forests. We are currently not auto-installing the SCCM client in DOMAIN 1A and we use subnet IP ranges for boundaries.
    The other regions' SCCM servers and clients should be unaware of the fact that the DOMAIN 1A SCCM server has those subnets, and I don't think that the discovery process would interfere, would it?

  • PCNS multi-forest config?

    Hi,
    Forest A contains FIM services, and a copy of the users from Forest B (via FIM provisioning).
    Forest B contains the users, and this is where users will change passwords from workstations.
    We would like passwords to replicate from Forest B to Forest A.
    Have setup a 2 way trust between the forests, and then:
    Have installed PCNS in Forest B only
    Then, ran the following in Forest A: setspn -A PCNSCLNT/DC1.ForestA.com ForestA\FIMSyncService
    Then, ran the following in Forest B: pcnscfg.exe ADDTARGET /N:FIMServer /A:FIM.ForestA.com /S:PCNSCLNT/DC1.ForestA.com /FI:"Domain Users" /FE:"Domain Admins" f:3
    Are the above steps correct?
    Thank you,
    SK

    thanks Cameron...so in my example is this still correct:
    - setspn is run in forest A (where FIM is deployed)
    - pcnscfg is run in Forest B?
    Secondly, the article is a bit confusing: http://technet.microsoft.com/en-us/library/cc720654%28v=ws.10%29.aspx#bkm1
    there are 2 MA options below ... since I have an MA for Forest A & B, which option do I enable on which MA?
    Configure the Management Agent for Active Directory
    Because Active Directory is the only supported password source for password synchronization, all password change requests must be sent to MIIS 2003 by the Management Agent for Active Directory. Also, management agents that are targeted to receive password
    change notifications from the Active Directory domain must be enabled in the Management Agent for Active Directory.
    To configure the Management Agent for Active Directory to receive password change requests
    In Identity Manager, open Properties for the Management Agent for Active Directory.
    Select the partition from the list, and then, in Password Synchronization, select
    Enable this partition as a password synchronization source.
    Click Targets to display the Target Management Agents dialog box.
    Select the management agents to be the targets to receive password change notifications from the authoritative Active Directory domain.
    Optionally, under Specify maximum number of password changes for a 24 hour period, change the default setting, which is 5.
    Configure the Target Management Agents
    You now individually configure the management agents for the connected data sources that will receive password change notifications from the authoritative Active Directory domain.
    To configure a target management agent for a connected data source
    In Identity Manager, open Properties for the management agent that you want to configure.
    For Configure Extension, select Enable password management. This enables both password synchronization and the Windows Management Instrumentation (WMI) interface for the management agent.
    Optionally, click Settings to configure any of the following options:
    Maximum retry count – Specifies the number of times MIIS 2003 attempts to push a password change to the connected data source when there are connectivity errors.
    Retry interval (seconds) – Specifies how much time elapses between retry attempts.
    Require secure connection for password synchronization operations –Specifies that a secure connection to the connected data source is required before the management agent attempts to push a password change to that connected data source.
    If you do not select this option, the management agent pushes the password change to the connected data source regardless of the security level. Examples of secure connections are Secure Sockets Layer (SSL) and "Sign and encrypt LDAP traffic."

  • Question about MP affinity in a multi-forest scenario without AD publishing

    I am looking at deploying an SCCM system that will feature multiple forests and the caveat of NOT being able to use any sort of AD publishing or schema extension. Knowing this, and that
    clients will use the MP residing in their forest by default...
    When AD publishing is not leveraged, will a client in a remote forest use the MP located within its forest?
    If true, does this become a single point-of-failure when the client can't communicate with the MP in its forest?

    AD publishing does not affect affinity at all. AD Publishing simply provides a "boot strap" location method where a client can find an MP if it has no knowledge of any MPs in the site. However, the choice of which MP to use is never based upon
    this boot strap location from AD. Clients always query an MP to determine which MP to use (thus the need for the boot strap process otherwise you're stuck with chicken-egg).
    Also remember that this is just "affinity" and thus not truly guaranteed, although in nearly all cases that I've seen/used this, it does follow the affinity pretty well.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Multi forest LDAP and Extension mobility

    Hello,
    We want to support the following configuration:
    Multi-forest LDAP integration with CUCM 10.5.
    So we want to set the "LDAP Attribute for User ID" to UserPrincipalName (UPN). > [email protected]
    We also want to support Extension Mobility.
    Is there a way to make the login process easier than logging in with [email protected] and the PIN code?

    Unfortunately no, the EM process uses whatever you chose for userID for the login.
