Users from a different domain cannot login

Hello Everyone,
We have a SharePoint 2010 in domain A. Users are in domain A and domain B and there is a bi-directional trust between the two domains (belonging to 2 different forests).
Users in domain A have no problem accessing the SharePoint.
Users in domain B keep having IE prompting them for credentials, and after 3 attempts it leads them to a blank page.
The people picker tool can easily find users in domain B and then assign them permissions, but there seems to be an issue when authentication occurs.
So far there is no DNS or network issue, as the site name is well resolved and an nslookup of the site returns the good information (right IP address).
Thank you for your help ! :)

Can you confirm if you're using Constrained or Unconstrained delegation?
FYI new cross-forest functionality was added with Server 2012, but all of your DCs must be running 2012 or higher:
http://technet.microsoft.com/en-us/library/hh831747.aspx
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Authenticate Users from a different domain

    Hello,
    I have three domains; Domain A, Domain B & Domain C
    Domain A does not trust Domain B
    Domain C trusts both A and B
    Users login to Domain A
    SharePoint 2013 Enterprise lives in Domain C
    Users wanting to access SharePoint must authenticate to SharePoint with their Domain B accounts.
    Crazy... I know
    I have set up people picker to work with Domain B, thank you Trevor (http://social.technet.microsoft.com/Forums/sharepoint/en-US/9f805e2d-1b39-4e1d-b5ae-c5d7b83ca690/authenticate-users-from-a-trusted-domain?forum=sharepointadminprevious)
    My next issue is that I am now testing the initial login into the SharePoint 2013 server from a standard user (who logs into Domain A in the beginning of the day)
    I have added myself (Bob) to the owners group in root site collection.  owner = Domain_B\Bob
    When I browse to my new site using IE 9 I'm presented with a not so helpful page that says, "Sorry, this site hasn't been shared with you."  That's it.. no chance to login as a different person.  Obviously SharePoint sees me as Domain_A\Bob and is letting me know that I have no access.
    What I would like to happen is for SharePoint to prompt me with the standard claims NTLM login screen so that I may login to SharePoint with my Domain_B\Bob account.  Is there a way to set this up without forms authentication?
    Oddly enough, using Firefox I am prompted for login credentials, but typing in Domain_B\Bob does not work.  If I do enter the farm service account setup in Domain_C, I am able to enter SharePoint with my farm service account credentials.
    Thanks for your help,
    -Bob

    The output of the stsadm -o getproperty -pn peoplepicker-searchadforests -url http://sharePoint-dev.mydomain.com was successfully completed.
    Capturing the LOG files as I'm trying to log in using my Domain B account I see the following: (listed below)
    ------------Event viewer:------------------------
    Failure Reason: The User has not been granted the requested logon type at this machine. 
      > This leads me to believe that I need to add DomainB\domain users to the "access this computer from the network" policy
    What do you think?
    Thanks,
    -Bob

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domain: my - DOMAINA.LOCAL and other trusted - DOMAINB.LOCAL
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now, I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want to connect directly to the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use username "DOMAINB\userindomainb") if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from ASA I get an error.
    I think I must use a username like "DOMAINB\userindomainb" but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • LDAP query to fetch users from Two different OU

    I am looking for an AD query to get AD enabled users from two different OU Stores & ServiceOffice under root domain.
    Using below syntax to fetch it simultaneously but not succeeding. Please help me.
    (&(objectCategory=person)(|(ou=Stores)(ou=ServiceOffice)))

    Hi, thanks for the revert. Actually I am setting this syntax in an application, not running a PowerShell script to fetch users.
    So I need the query in LDAP filter format only...
    i.e.
    (&(objectCategory=person)(|(OU=Stores,DC=Mumbai,DC=Users,DC=ABC,DC=com)(ou=ServiceOffice,DC=Chennai,DC=users,DC=ABC,DC=com)))
    Please correct my above query.
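The question in this thread, worked through as an added example that is not part of the original posts: placing a user in an OU does not populate an `ou` attribute on the user object, and the container is only part of the DN, which an Active Directory filter does not match on, so the OU is selected with the search base (one subtree search per OU) while the filter selects enabled users. The directory entries and the `DC=example,DC=com` bases are constructed placeholders, and the matching is modelled in plain Python rather than sent to a live server.

```python
# Added example: models LDAP subtree scoping and the enabled-user test on
# constructed entries. Nothing here contacts a directory server.

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND OID
ACCOUNTDISABLE = 0x0002             # userAccountControl bit set on disabled accounts

# Filter to give the LDAP client: person/user objects with ACCOUNTDISABLE clear.
ENABLED_USER_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:%s:=%d)))" % (BIT_AND, ACCOUNTDISABLE)
)

# Placeholder search bases (assumption: both OUs sit under DC=example,DC=com).
SEARCH_BASES = [
    "OU=Stores,DC=example,DC=com",
    "OU=ServiceOffice,DC=example,DC=com",
]

# Constructed entries. Only the OU containers carry an "ou" attribute.
DIRECTORY = [
    {"dn": "OU=Stores,DC=example,DC=com",
     "objectClass": "organizationalUnit", "ou": "Stores"},
    {"dn": "OU=ServiceOffice,DC=example,DC=com",
     "objectClass": "organizationalUnit", "ou": "ServiceOffice"},
    {"dn": "CN=Asha,OU=Stores,DC=example,DC=com",
     "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 512},      # normal account, enabled
    {"dn": "CN=Ravi,OU=Stores,DC=example,DC=com",
     "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 514},      # 512 + 2: disabled
    {"dn": "CN=Meena,OU=Tills,OU=Stores,DC=example,DC=com",
     "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 512},      # nested OU, still under Stores
    {"dn": "CN=Kiran,OU=ServiceOffice,DC=example,DC=com",
     "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 66048},    # enabled, password never expires
    {"dn": "CN=Dev,OU=HeadOffice,DC=example,DC=com",
     "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 512},      # enabled, but outside both OUs
]


def split_dn(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn, base):
    """True when dn is the base itself or lies beneath it (subtree scope)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def original_filter_matches(entry):
    """The filter from the post: person AND (ou=Stores OR ou=ServiceOffice)."""
    return (entry.get("objectCategory") == "person"
            and entry.get("ou", "").lower() in ("stores", "serviceoffice"))


def is_enabled_user(entry):
    """What ENABLED_USER_FILTER selects."""
    return (entry.get("objectCategory") == "person"
            and entry.get("objectClass") == "user"
            and (entry.get("userAccountControl", 0) & ACCOUNTDISABLE) == 0)


def search(base, predicate):
    """Subtree search: entries under base that satisfy the predicate."""
    return [e["dn"] for e in DIRECTORY
            if in_subtree(e["dn"], base) and predicate(e)]


def enabled_users_in(bases):
    """One subtree search per base; results merged, duplicates dropped."""
    seen, merged = set(), []
    for base in bases:
        for dn in search(base, is_enabled_user):
            if dn.lower() not in seen:
                seen.add(dn.lower())
                merged.append(dn)
    return merged


if __name__ == "__main__":
    print("filter from the post:", search("DC=example,DC=com", original_filter_matches))
    print("filter to use:", ENABLED_USER_FILTER)
    for dn in enabled_users_in(SEARCH_BASES):
        print("  ", dn)
```

If the application accepts only one search base, the same filter has to be run once per OU and the results merged on the application side.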

  • How to use CSACS 3.3 to authenticate users from multiple windows domain?

    Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
    hello, here is my scenario:
    ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
    And adding those domains as trusted domains in domain1 is not an option.
    Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
    Any input is much appreciated.

    Hi Betcy,
    I am not familiar with SharePoint solutions, but as you mentioned Windows credentials I believe it refers to Kerberos tokens. In this case you can take advantage of SPNego authentication.
    You can find more details on following SAP note:
    #[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
    I hope it helps.
    Kind regards,
    Lisandro Magnus

  • Loading a combobox with data from a different domain

    I have filled in a combobox with values from an .asp page and have used it successfully. The problem is that if the flash file is run from a different domain from the load location, the combobox doesn't get filled in (as opposed to the error if I ran it off of my drive).
    datafeed.asp spits out the appropriate stuff for the AddItems function to read correctly (as I have said, it does work). The combobox gets filled in the development environment (Macromedia Flash MX Professional 2004) as well as flash player.
    But when I upload it to one of my other websites, the data is never retrieved. Even though the webserver containing the data feed, the webserver hosting the flash file and my machine can all read datafeed.asp.
    Am I missing a setting that allows a flash file to read data from another domain?
    The following code has been changed for security reasons. But believe me it works in its original format.
    myData = new LoadVars();
    myData.onLoad = AddItems;
    // Cross-domain request: the data feed is on a different host than the SWF
    myData.load("http://www.mydomain.com/datafeed.asp");
    function AddItems() {
        // Copy each ProductIDn/ProductNamen/ProductSalen triple into the combobox
        for (i=0; i<numItems; i++) {
            var ProductID = eval("myData.ProductID"+i);
            var ProductName = eval("myData.ProductName"+i);
            var ProductSale = eval("myData.ProductSale"+i);
            var DataProvider = { productid:ProductID, productsale:ProductSale };
            _root.application.chooseproducts.prodlist_cb.addItem(ProductName, DataProvider);
        }
    }
    Thank You,
    Julian

    not sure, but this might be what you need...
    //allow loading of files from domain
    System.security.allowDomain("http://www.mydomain.com");

  • Restrict users from changing password on first login?

    Hi,
    I am doing mass user upload into UME using script import. How should I use the below functionality to restrict the users from changing password on first login?
    IUserAccount uacc =UMFactory.getUserAccountFactory().newUserAccount(uid,newUser.getUniqueID());
    uacc.setPassword("saras");
    uacc.setPasswordChangeRequired(false);
    How to implement above functionality with mass upload from script import?
    Thanks
    Srinivas
    Edited by: srinivas M on Jan 20, 2009 9:05 PM

    hi srinivas,
    try this api
    http://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IUserAccount.html#isPasswordChangeRequired()
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d562b7-1405-2a10-dfa3-b03148a9bd19
    this document is able to retrieve the password.. at the same position you can disable the field
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10649c90-24af-2b10-1086-ea0667ec3655
    thanks

  • How can I add a user Role member that is from a different domain

    We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company wide domain (Domain B) so that we can monitor other departments' devices as they leverage this system.
    Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.
    How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?
    Here is the Error I'm seeing.
    Log Name:      Operations Manager
    Source:        OpsMgr SDK Service
    Date:          2/4/2015 1:11:59 PM
    Event ID:      26319
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxx.xxxx.xxxxxxxx.xxx
    Description:
    An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
     Exception message: The creator of this fault did not specify a Reason.
     Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
    Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="OpsMgr SDK Service" />
        <EventID Qualifiers="49152">26319</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
        <EventRecordID>172748</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>UpsertUserRolesV2</Data>
        <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
        <Data>The creator of this fault did not specify a Reason.</Data>
        <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
    Unable to resolve the user [email protected]  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
      </EventData>
    </Event>
    Thanks for any help I can get in resolving this issue.
    Jake

    The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  
    So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.  Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On the next page which is Group Scope I checked the one group I want this account to have access to and then click next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.
    Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.
    Thanks,
    Jake

  • Migrate Users from a child domain to a root domain in different forest

    Hello,
    Is it supported to migrate users from a child source domain to a target root domain?
    I established a trust, but I don't see the child domain in ADMT installed on the target domain DC. The source root domain is visible.

    You should not need to establish a trust as all domains within the same forest already trust each other - are you sure those domains belong to the same forest? You can find out using the following command:
    nltest /DOMAIN_TRUSTS
    If ADMT doesn't show a particular domain in the dropdown list, you can/have to type the domain name manually.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Can OS X 10.9 Authenticate An Active Directory User From A Different Trusted Forest

    I am able to authenticate with an AD account from a different trusted domain in the same forest as the domain the client is bound to on OS X 10.9. An AD account from a trusted domain in a separate forest cannot authenticate on the same client. The same AD account from the same external trusted domain in the same external forest can authenticate to a Windows 7 client bound to the same domain as the Mac client. It seems that OS X is incapable of cross forest authentication. It seems as though the directory services search path only includes the forest of the domain the client is bound to. Windows clients seem to be able to handle the referral process to a different forest, but a Mac client does not. Am I correct in this assumption? Has anyone accomplished cross forest authentication on an OS X client? If so, how? If not, what is the reason this can't be done?

    Well, I’ve made some encouraging progress.
    I’ve managed to log on!
    I deleted /var/db/.AppleSetupDone while booted into the recovery volume. I then created a new local admin user and, after a much longer than usual delay, got through the account creation stuff and arrived at last in the Finder, which was sluggish as heck.
    Checked user accounts, and according to system prefs they’re all there. Fired up Activity monitor and found that opendirectoryd was consuming 365%-405% CPU.
    I unbound the system from our Active Directory domain, not really expecting it to work but it did. cpu load dropped to nothing.
    I rebooted, was able to log in as the original local admin user (woohoo! Progress!)
    Re-bound it to AD and boom CPU shot right back up.
    I unbound it again and am currently backing up the drive with CCC (conversation with professor yesterday “Time Machine? What’s Time Machine?”)
    If CCC dies, I’ll run DW on the original, but I’m now pretty sure my issue is a borked opendirectory database.
    Plan going forward:
    I’ll nuke&pave the iMac, restore the apps, but NOT users and computer settings from the CCC during the re-install, create a new local admin, re-bind to AD see what happens.
    If it doesn’t go nutz again, I’ll have him log on so it creates the local directory, copy over his original user directory from the backup drive, make it his actual home on the disk again and in theory he should be ok.
    It’s amazing how often just laying my problem out in public makes my brain think of new things to try :-)
    I don't know if this is directly applicable to an OpenDirectory-bound system rather than Active Directory, but it might work for you.

  • Ssrs security access for users on a different domain

    Hi
    We are using ssrs 2008 r2 and have added a new domain to our network as we are working with another company.
    Our original domain was say "DomainA" which can access all our reports, how do we give the new domain "DomainB" access to our reports?
    We are unable to add DomainB users to our AD security groups so I have created a Windows group called SSRS_DomainB_Users and given them access to our parent folder and also added them into site settings as a system user.
    What is the best way to deal with this?
    Users in DomainB will eventually be added to DomainA and DomainB will then be deleted.
    One of the users I am testing with gets an error message :
    User 'Domain name/user' does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
    Thanks

    Hi Nasa1999,
    According to your description, you want your reports to be accessible by users from a different domain, right?
    In this scenario, we should do Internet Deployment for your reports so that users from a different domain can access the reports. Please see the articles below:
    Planning for Extranet or Internet Deployment
    Using Reporting Services in an Internet/Extranet Environment
    SQL Server 2008 Reporting Services for Internet deployment
    Reference:
    SSRS reports global access
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou

  • Same username and password in different domain cannot be auth.

    I created 2 domains with a user created in each domain. The users have the same username and password, like below:
    Domain1: user1 (password)
    Domain2: user1 (password)
    Then I create 2 policy sets
    PolicySet1 with Domain1 and add a policy (called Policy1)  with user1 from Domain1 and proper permissions
    PolicySet2 with Domain2 and add a policy (called Policy2) with user1 from Domain2 and proper permissions
    Now I apply policy1 to a document to form a secured document called SecuredDoc1.pdf
    Then I apply policy2 to a document to form a secured document called SecuredDoc2.pdf
    I open SecuredDoc1.pdf, and try to authenticate with user1 (password), I can successfully open the document
    I open SecuredDoc2.pdf, and try to authenticate with user1 (password), I can NOT open the document.
    Is this a bug? Does Rights Management authenticate with the domain ID?
    Thanks

    Although LiveCycle will allow you to create two users with the same user ID (each in different domains), it is not recommended for the reason you are experiencing. The domain is not used in the authentication; LiveCycle attempts to authenticate with the first user ID it locates that matches the supplied user ID.
    In your example, the first instance of "user1" that LiveCycle is finding happens to be part of "Domain1"; this is why SecuredDoc1.pdf can be opened and SecuredDoc2.pdf can't be opened (the user1 that is a member of the policy applied to the second document is not the user that has been authenticated).
    You need to keep all user ids unique.
    Regards
    Steve
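
The behaviour described in the answer above, modelled as an added example (this is not LiveCycle code or the poster's; the directory layout, function names and the domain-qualified alternative are hypothetical). It shows why the second document cannot be opened and includes an audit check that lists user IDs existing in more than one domain:

```python
"""Model of first-match user lookup versus domain-qualified lookup."""
import hmac
from collections import defaultdict

# Constructed sample directory, in the order the store returns entries.
DIRECTORY = [
    {"domain": "Domain1", "user_id": "user1", "password": "password"},
    {"domain": "Domain2", "user_id": "user1", "password": "password"},
    {"domain": "Domain2", "user_id": "user2", "password": "s3cret"},
]
# Policy name -> the (domain, user_id) principal the policy grants access to.
POLICIES = {"Policy1": ("Domain1", "user1"), "Policy2": ("Domain2", "user1")}


def _password_ok(entry, password):
    return hmac.compare_digest(entry["password"].encode(), password.encode())


def authenticate_first_match(user_id, password):
    """Domain is ignored: the first entry with a matching user ID is used."""
    for entry in DIRECTORY:
        if entry["user_id"] == user_id:
            if _password_ok(entry, password):
                return (entry["domain"], entry["user_id"])
            return None
    return None


def authenticate_qualified(domain, user_id, password):
    """Hypothetical alternative: the caller must name the domain."""
    for entry in DIRECTORY:
        if (entry["domain"], entry["user_id"]) == (domain, user_id):
            return (domain, user_id) if _password_ok(entry, password) else None
    return None


def can_open(policy, principal):
    """A document opens only for the exact principal named in its policy."""
    return principal is not None and POLICIES[policy] == principal


def colliding_user_ids(directory):
    """Audit check: user IDs that exist in more than one domain."""
    seen = defaultdict(set)
    for entry in directory:
        seen[entry["user_id"]].add(entry["domain"])
    return {uid: sorted(doms) for uid, doms in seen.items() if len(doms) > 1}
```

Running `colliding_user_ids` over an export of all domains before applying policies flags the accounts that would hit this behaviour.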

  • Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

    I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby use the same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into the group, but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
    I also tried assigning multiple aaa-server groups to the tunnel-group authentication-server-group, but that also did not work. I finally tried to create a separate tunnel-group and assign it the same group-alias, but the ASA will not allow me to assign the same group-alias to a different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possibly confuse the dumb users requiring this access? Please help.

    If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
    Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
    You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
    Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
    The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, i.e., Exchange, IIS, SharePoint.
    I would like to have the default authentication into SharePoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (1 way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) Is this command setting my default people picker domain search to Domain A accounts?
    2) For testing I'm going to use my Domain A account in the command, is that acceptable?  It just needs to be an account in Domain A, correct?

  • Exchange 2010 - Users in a restricted OU cannot login to OWA externally only - internal works

    I have an OU set up where users in this OU have Log On To... rights that restrict which computers they can log onto.
    This is the only restriction other than some IE browsing settings via GPO. The problem for these users is that... 
    They cannot login to OWA externally using the https://mail.domain.com/owa - it continues to prompt for authentication. 
    They CAN login to the same URL internally.
    Troubleshooting...
    I did give them Log On To... the MAIL SERVER rights.  
    Other users can login that are NOT in this OU.
    May have started after SP3 for Exchange was installed.
    Have rebooted. 
    HELP?

    Hi,
    The Log On To setting will specify a certain computer to access a user account. Please change this so the user can log on to All computers in ADUC and give it a try.
    Thanks,
    Winnie Liang
    TechNet Community Support
