Using Active Directory and ACS for Concentrator 3000 VPN

Similar Messages

• Using Active Directory to connect to OS X VPN

  I have 2 servers in my infrastructure that handle my entire small business.  I have a MacMini with Mountain Lion and Server running along with Windows SBS.  The Mountain Lion server has a lot of resources that we use, namely the VPN.  When my users authenticate, they have to use an account created onto the Mac server as opposed to Active Directory.  I have opened up the account settings and selected the services that the Active Directory user has access to but, it still does not authenticate. 
  Has anyone used a Mac server service like this and allowed Active Directory to be the authentication piece to access the services?
  Any help will be greatly appreciated.
  Thanks
  Dan

  Yes, assuming you are using windows for your web server.  And I'll assume server 2003 since your using IIS6.
  You ColdFusion service needs to run as the domain user/password.
  So, start menu -> run -> services.msc
  Open the advance properties of the cold fusion service and set the user as domain\user and the password for the user.
  The sql server will then need to allow this user the appropriate access, your DBA should be able to add this without issue.
  Then your DSN is setup WITHOUT a user or password.  The credentials will be what the service is running under.
  To take this to the next level, with windows 2008 server you can run the CF service as the "Network Service" user of the local machine. That account is actually domain\computername$ on the AD domain.  Then the sql server would need only need permissions for domain\computername$ and there is no need for a password.  When setting the service user/pass using services.msc you can specify "1"  as the password  and "Network Service" as the suer and things should start up OK.  (You'll need to add the "Network Service" permissions to the CF folder though). I don't think there are any security implications with this, but we have all our app servers firewalled, so it's not a huge concern for us, so that might take a little more investigation.  Plus we don't actually do this in production, we just tried it out in our lab.
  Byron Mann
  [email protected]
  [email protected]
  Software Architect
  hosting.com | hostmysite.com
  http://www.hostmysite.com/?utm_source=bb

• Advice needed for WAP4410n to authenticate using active directory ?

  Hello,
  We have a couple of Cisco WAP4410n newly purchased for our organisation.
  1)We already have a windows 2003 active directory with domain and users.
  2)We have installed a machine with ubunto linux.It has freeradius configured
  in it.we have also installed the certificate server in this machine.
  3)we have given the linux machine's ip to the freeradius settings in  wap4410n.
  4)Our logic is that when a wireless users tries to connect to wap4410n the linux
     free radius server will communicate with the windows active directory and grant
     access to the wireless user.
  However when we try to connect a wireless user we are getting certificate related
  errors.
  Can someone advice us on the settings (PEAP and certificate issues) with respect to freeradius and wap4410n
  so that the active directory users can be authenticated.
  Thanks & regards.....

  Hi Sabeesh,
  if you get a certificate warning, then you should check what it is complaining about.
  -If you go for PEAP, you're supposed to install a certificate on the radius server and to have the clients to trust it.
  -Usually people configure the windows peap client to NOT validate the server certificate, which bypass this problem. However a certificate still has to be installed on the Radius server but it can be invalid.
  Hope this helps
  ===
  Don't forget to rate answers that you find useful

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Connected to Domain but can't log in using Actived Directory Credentials

  Hey everyone.  I've been working on this issue for two weeks now, and I don't know what else to try.  I'm connected to my domain but cannot get my Macbooks to log in using Active Directory credenitals both through our wireless network, and hard wired with an ethernet cable.  The weird part about it is that it is not uniform all across our network.  This only happens to certain Macbooks and as of right now there doesn't seem to be a pattern.  I can say that it has happened to all new Macbook Pros that we have ordered lately though.
  We use Jamf to manage our Macs on our network, and ever since upgrading to a new version (9.01 and now 9.1) we have had this issue.  However I can't connect after manually adding the domain either, so for now it makes me think it is not a Jamf issue.  Has anyone dealt with this issue before, that might know of a fix?  Thanks!

  Hi Burnettb1,
  I have come across a similar issue as yours.  I have included the instructions that I use to bind the Mac at my institution.  In regards to wifi, I have not tried binding the Mac over wifi. Should you need to log in to a Mac with domain user credentials I would suggest to bind the Mac over ethernet.  Once you get to the:
  *Click on triangle to the left of Show Advanced Options to expand"
  portion of the instructions click on the Mappings tab and select the checkbox for creating a mobile account at login.  This will create a domain user profile on the machine that you can log into when not connected to the domain.
  Hope this helps.
  BIND iMac:
            Login into iMac using administrative credentials
            Open System Preferences
                      *Goto Users & Groups
                      *Click on lock in lower left-hand corner
                      *Use same password used to log into iMac
                      *Click on Login Options
    *Click on ‘Join...’ button right of "Network Account Server: "
                      *Click on ‘Open Directory Utility…’ button
                      *Click on lock in lower left-hand corner
                      *use same password used to log into iMac and click on Modify Configuration
                      *Double-click on Active Directory
    Active Directory Domain = domain
                                Computer ID = name of Mac
                      *Click on triangle to the left of Show Advanced Options to expand
                                *Click on Administrative tab
                                *Check  Prefer this domain server
  Type  domainserver_ipaddr -or- servername.domain in this field
                                *Click on ‘Bind…’ button
                                *When prompted for network administrator login
                                          username = [domain admin user]
                                          pwd = [domain user password]
                                *Click OK (Note: search path will be updating. Until completed the ‘OK’
  button will be greyed out
    *Click OK
    *Click lock to lock and close window
                      *Click lock to lock and close window
  BIND CHECK:
            *Search AD for added mac host - it should be there.
            Open Terminal app by either:
                      1)
                                *Press command+spacebar
                                *Type Terminal and select app
                      2)
                                *Click on desktop
                                *Press shift+command+A
                                *Goto Utilities folder located within Application folder (which you should
    be in) and open Terminal
            *Once Terminal is opened type in id [domain username] and press return key.  The output should be
  some some network account information
            *Close app by pressing command+Q and any other opened windows
            *Restart iMac
            *Log in

• Active Directory and many OUs

  Hello all,
  This topic might have been talked about before but after a lot of searching I still have not found a solution, so I ask for a bit of help.
  In our Active Directory there are many OUs where users are kept. There is no one top OU where you can start your search. I don't really know why it was set up this way and I don't have an option to change that. I would really like to have ou=users like most have!
  So when I try to authenticate a user (I'm installing DSpace in my uni) I cannot automatically add the OU for the user trying to log in and the users themselves don't know their OU (well, why would they!).
  I'm hoping there is some simple solution to this. Maybe JNDI API allows for searching in many OUs at the same time (some fixed list in the code)? Or maybe the OU is not needed at all in the search?
  Any help/hints would be appreciated.
  best regards, Logi

  For searching, you can issue a subtree search will search through the entire subtree, irrespective of how many levels of OU's may exist, by using SearchControls.SUBTREE_SCOPE
  Have a look at the tutorial at http://java.sun.com/products/jndi/tutorial/basics/directory/scope.html
  For authentication, you can either get the user to enter their:
  distinguished name
  (cn=Albert Eirnstein, ou=Research,dc=Antipodes,dc=com), although that is not entirely user friendly
  their NT style logon name (samAccountName)
  ANTIPODES\alberte, more user friendly,
  or their Windows 200 style logon name (userPrincipalName),
  [email protected], equally as user friendly.
  You may also want to look at some of the following posts:
  JNDI, Active Directory and Authentication (Part 1) (Kerberos)
  http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  JNDI, Active Directory & Authentication (part 2) (SSL)
  http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50
  JNDI, Active Directory & Authentication (part 3) (Digest-MD5)
  http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
  JNDI, Active Directory & Authentication (part 4) (SASL EXTERNAL)
  http://forum.java.sun.com/thread.jspa?threadID=641047&tstart=0
  JNDI, Active Directory and Authentication (part 5, LDAP Fastbinds)
  http://forum.java.sun.com/thread.jspa?threadID=726601&tstart=0
  JNDI, Active Directory, Referrals and Global Catalog
  http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15

• Oracle 9i/10G DB authentication using Active Directory (with out OID)

  Hello All,
  We want to use a Single-Password authentication scheme using the Active
  Directory as the primary source for userId/Password.
  We don't want to use the Active Directory and OID bridge.
  As we have many databases and would like to configure all Databases to use Active
  Directory for Authentication. Our goal is to have single id/password across all
  the databases and any user should be able to login from any computer using their
  windows id/password, note that we don't want to use the OSAuthentication.
  We have read the documents provided by oracle for authentication using Active
  Directory, we were able to create Oracle Schema in Active Directory and were
  also able to register a DB with Active Directory and then created user as global
  user in Oracle Database and provided the DN of the user. When we tried
  authenticate with all this setup it comes back and says invalid ID/Password !!!
  And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
  Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
  Envoirnment:
  Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
  Operating System: Windows 2000/ Windows 2000 Server
  Constraint: We don't want to user OID ( as we don't have license for this
  product ! )

  I have a thread started similar to your request.
  OS Authenication on Windows
  Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
  SHOW PARAMETER OS_AUTHENT_PREFIX;
  SHOW PARAMETER REMOTE_OS_AUTHENT;
  CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
  GRANT CREATE SESSION TO OPS$SOMEUSER;
  For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
  CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
  I really wish Oracle or somebody created a guide or book on how to do this.

• 10.6 home directory mounting with active directory and open directory integration

  Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
  For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
  I feel like this is the problem with the home folders not mounting.
  Can anyone provide some help with this?
  Thanks,
  Dani

  Hi dani190,
  are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
  If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
  For the contact search path, did you put the AD at the top the list? (in directory utility)
  Did you set the WINS work group on your client computer to your domain?
  ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com

• User synchronization issue between Active Directory and Solution manager.

  Requirement:
  Synchronize the users between Active directory and solution manager system.
  <u>What we did:</u>
  1.     Created RFC connection (LDAP_RFC) for LDAP connector.
  2.     Created new LDAP connector that utilize the RFC (LDAP_RFC).
  3.     Created new logical LDAP Server(CUA).Here we have to maintain the connection
  details to the physical directory.
  4.     We maintained the communication user that is used by the LDAP connector to bind the LDAP Directory Server.
  5.     In transaction LDAPMAP specific SAP data fields, we mapped to the desired
  directory attributes.
  6.     Testing from LDAP transaction working fine. We are able to see the attributes and
  values       from Active directory.
  <b><u>Issue:</u></b>
  When executed the program RSLDAPSYNC_USER for user synchronization from t-code se38 with below selection .
  LDAP Server = CUA (created earlier)
  LDAP Connector = LDAP_RFC (RFC connection created created ealier)
  In the tab: (Object that exist both in the directory and in the Database:)
  Selected: Compare Time Stamp.
  In the tab: (Objects the only exist in the Directory.)
  Selected : Create in Database.
  In the tab(Objects that only Exist in the Database:
  Selected: Ignore Object.
  Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
  The program does not create any new user in the Solution Manager system.
  Any help on this issue greatly appreciated.
  Thanks & Regards,
  Harish

  where did you see this error ? is there anymore details.
  i think the account you are using for Sync does not have Replicate Directory Changes permission in AD. follow below article and give Replicate directory changes permission.
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Thanks, Noddy

• The box indicating that this domain controller is the last controller for the domain is unchecked. However, no other Active Directory domain controllers for that domain can be contacted

  I have 2 domain controllers running 2003 server, server1 and server2. I ran dcpromo on server1 and removed AD and removed him from the domain and disconnected from network. I then added a 2012 server
  with the same name and IP address server1 with no problem. Replication from sites and services work fine on both controllers.
  The new 2012 server1 is GC. I transferred all FSMO roles to server1. Again no problem and replicating using sites and services. AD on server1 is populated correctly.
  Now what I had intended on doing was a dcpromo to remove server2 from the domain so I can then add another 2012 server. That is when I get the: "The box indicating that this domain controller is the last controller for the domain
   is unchecked. However, no other Active Directory domain controllers for that domain can be contacted.
  I have DNS installed on both servers and both look good with replicating there. Strange thing is when on the 2012 server within DNS if I right click and connect to another DNS server I can add server2 just fine but from server2 adding server1 it tells me it
  is not available.
  Help please!

  Hi,
  As there is server 2012 DC (SERVER1) DC is operational in a domain then "This domain controller is the last controller for the domain" should be remain unchecked when you demote SERVER2 DC. 
  If you are getting error "Active Directory domain controllers for that domain can be contacted" while demoting SERVER2 DC then check the DNS pointing on both as per below article, disable windows firewall on all DC, less possiblities but worth to check if both
  are different site then check the ports are open on firewall. 
  http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
  http://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx
  http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
  run “ipconfig /flushdns & ipconfig /registerdns“, restart DNS server and NETLOGON service on each DC and try to demote server2 DC.
  If issue reoccurs, post dcdiag /q result.
  NOTE: If initial replication was completed between both DC (new 2012 and old DC) then you may remove the server2 DC from Active Directory forcefully (DCPROMO /FORCEREMOVAL) and perform metadata cleanup.
  Active Directory Metadata Cleanup
  http://abhijitw.wordpress.com/2012/03/03/active-directory-metadata-cleanup/
  Best regards,
  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

• Using Active-Directory PW at SAP logon procedure

  Hello,
  I have the requirement no to use single sign on for some systems with sensitive data, but  would like to check during sap logon procedure the  from our central active directory password.
  is there any best practice configuration or SAP / AD Win Addon solution available to connect SAP NW abap 7.40 at Win2012 sever with our active directory. Nearly all win based applications can handle a PW check from application to AD. Is there any SAP or Partner implementation helpful to expand the SAP client internal User-PW check?
  Thanks in advanced for alternatives to the standard client SSO or any idea in the direction using active directory password within sap-logon.
  Please give me a short feedback if you need more details.
  regards,
  Bernhard Mair
  Goethe-Institut München

  The SAP NetWeaver ABAP app server only accepts SAP user id and password or it can use SNC to authenticate the user when SAP GUI is used on workstation. So, if you want the user to be prompted to enter their Active Directory credentials during a logon using SAP GUI, and you don't want SSO, then you need to purchase a third party product.
  Please note, that SAP is not JUST a Windows based application, as it can also be installed on Unix and Linux, so SAP have made it work in same way on all platforms without any 'special' windows authentication capabilities.
  Thanks
  Tim

• Use Active Directory to Authenticate to OS X Server VPN

  I have a Windows 2008r2 Small Business Server that I use primarily but, I have to integrate with services on my Mac Mini OS X Server.
  First off, I have all updates loaded and everything runs great between both servers.  My OS X server does not have Open Directory running; only services such as FTP, VPN, and File Sharing.  I have joined the server to Active Directory and can log into the server as a Active Directory user.  I have assigned the rights to even log on with my AD credentials to that server and be an admin.  I know that everything is working fine between the 2 servers and I am pretty happy with the way it is working.
  My challenge deals with authenticating to these services; specifically VPN, on the OS X server with Active Directory credentials.
  When I open the server app, I go to the users section and then, I cahnge it from "local users" to "Users from 'domain.'" 
  Next, I select the account that I am trying to allow access to the VPN services and select it in the check mark area.
  I try to log into the VPN and continually get an authentication error.
  I have tried the following combinations for the login:
  domain\user.name
  domain.local\user.name
  user.name
  user.name@domain
  [email protected]
  None of these authentication attempts are successful.
  I have successfully authenticated with a local user account that I created on the OS X server and it works flawlessly.
  Has anyone ever attempted this?  Has anyone ever had any success with this?  I have been spinning my tires on this for 3 weeks and have finally given up and have to ask for help.
  I appreciate anyone's feedback.

  Here is a properly connected client
  2013-07-16 22:37:27 EDT          Incoming call... Address given to client = 10.1.1.231
  Tue Jul 16 22:37:27 2013 : Directory Services Authentication plugin initialized
  Tue Jul 16 22:37:27 2013 : Directory Services Authorization plugin initialized
  Tue Jul 16 22:37:27 2013 : L2TP incoming call in progress from '10.1.1.109'...
  Tue Jul 16 22:37:27 2013 : L2TP received SCCRQ
  Tue Jul 16 22:37:27 2013 : L2TP sent SCCRP
  Tue Jul 16 22:37:27 2013 : L2TP received SCCCN
  Tue Jul 16 22:37:27 2013 : L2TP received ICRQ
  Tue Jul 16 22:37:27 2013 : L2TP sent ICRP
  Tue Jul 16 22:37:27 2013 : L2TP received ICCN
  Tue Jul 16 22:37:27 2013 : L2TP connection established.
  Tue Jul 16 22:37:27 2013 : using link 0
  Tue Jul 16 22:37:27 2013 : Using interface ppp0
  Tue Jul 16 22:37:27 2013 : Connect: ppp0 <--> socket[34:18]
  Tue Jul 16 22:37:27 2013 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
  Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
  Tue Jul 16 22:37:27 2013 : lcp_reqci: returning CONFACK.
  Tue Jul 16 22:37:27 2013 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
  Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
  Tue Jul 16 22:37:27 2013 : sent [LCP EchoReq id=0x0 magic=0x51bcd2b8]
  Tue Jul 16 22:37:27 2013 : sent [CHAP Challenge id=0x99 <25530231620a2a32144123670735585d>, name = "server1.domain.com"]
  Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoReq id=0x0 magic=0x2a2e6968]
  Tue Jul 16 22:37:27 2013 : sent [LCP EchoRep id=0x0 magic=0x51bcd2b8]
  Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoRep id=0x0 magic=0x2a2e6968]
  Tue Jul 16 22:37:27 2013 : rcvd [CHAP Response id=0x99 <e05bcc591f50471f1db5dc92e30eda800000000000000000799cfb93fa3a0b70d15a018b1b1db9 9877e05463f540e54400>, name = "localusername"]
  Tue Jul 16 22:37:27 2013 : sent [CHAP Success id=0x99 "S=D079042B80380C3806A1EAE231CAE53074ED1F88 M=Access granted"]
  Tue Jul 16 22:37:27 2013 : CHAP peer authentication succeeded for localusername
  Tue Jul 16 22:37:27 2013 : DSAccessControl plugin: User 'localusername' authorized for access
  Tue Jul 16 22:37:27 2013 : sent [IPCP ConfReq id=0x1 <addr 10.1.1.3>]
  Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfReq id=0x1]
  Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
  Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-NAK
  Tue Jul 16 22:37:27 2013 : sent [IPCP ConfNak id=0x1 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
  Tue Jul 16 22:37:27 2013 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::426c:8fff:fe0c:4d37>]
  Tue Jul 16 22:37:27 2013 : Unsupported protocol 0x8057 received
  Tue Jul 16 22:37:27 2013 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 42 6c 8f ff fe 0c 4d 37]
  Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfReq id=0x1 <route vers 16777216> <domain vers 16777216>]
  Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfAck id=0x1 <route vers 16777216> <domain vers 16777216>]
  Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfAck id=0x1 <addr 10.1.1.3>]
  Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfAck id=0x1]
  Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 15, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name mtg.local>]
  Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 12, packet seq 0, CI_ROUTES, flags: START END REQUIRE-ACK>
      <route: address 10.1.1.1, mask 255.255.255.0, flags: PUBLIC>]
  Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
  Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-ACK
  Tue Jul 16 22:37:27 2013 : sent [IPCP ConfAck id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
  Tue Jul 16 22:37:27 2013 : ipcp: up
  Tue Jul 16 22:37:27 2013 : found interface en0 for proxy arp
  Tue Jul 16 22:37:27 2013 : local  IP address 10.1.1.3
  Tue Jul 16 22:37:27 2013 : remote IP address 10.1.1.231
  Tue Jul 16 22:37:27 2013 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 10.1.1.3), current interface setting (name: ppp0, family: PPP, address: 10.1.1.3, subnet: 255.255.255.0, destination: 10.1.1.231).
  Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
  Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_ROUTES, flags: ACK>]

• LDAP Using Active Directory failed in BAM

  I tried to configure the LDAP Using Active Directory as described in the BAM installation guide 10.1.3.1.0.
  In appsetting, i gave the server name, username and password used by us. Then i restarted the active data cache and IIS. Then i tried to access the http:\\server\oraclebam. But it is throwing the following error. What shall i do.
  Exception Message The directory service is unavailable
  Stack Trace at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at
  System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at
  System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at
  System.DirectoryServices.DirectorySearcher.FindOne() at
  Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at
  Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at
  Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at
  Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String
  strAssembly, String strApp, String strType, String strMethod, String strParam)
  Debugging Information The directory service is unavailable [ErrorSource="System.DirectoryServices"] Debugging information:
  System.Runtime.InteropServices.COMException (0x8007200F): The directory service is unavailable at
  System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at
  System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
  findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at
  Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at
  Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at
  Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at
  Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String
  strAssembly, String strApp, String strType, String strMethod, String strParam)

  Hi,
  We are also facing the issue stated in the first thread. We followed everything specified in the LDAP PDF under TechNotes and still not able to access the BAM console successfully.
  The error we get is pasted at the end of this post. The request doesn't even seem to reach our LDAP server (configured in a remote system).
  A couple of clarifications required:
  1. Does our windows logon need to be the same as BAM console logon?
  2. I do not know the LDAP setting for my actual windows logon. But i have retained my same usrId and have configured a user in LDAP with my own organization and other hierarchies. I have configured this userId with the complete hierarchy in BAM login management and have given admin access also to this user. Is this correct?
  An error occurred while processing your request
  Details...
  Exception Message The server is not operational
  Stack Trace at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String strAssembly, String strApp, String strType, String strMethod, String strParam) ...
  Debugging Information The server is not operational [ErrorSource="System.DirectoryServices"] Debugging information: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String strAssembly, String strApp, String strType, String strMethod, String strParam) ...
  Assembly StartPage
  State Oracle.BAM.StartPage.StartUp
  Event Initialize
  Thanks,
  KM

• How to manage Active directory and tools to manage Active Directory

  How to manage Active directory and which tools we use?

  You can use Microsoft Active Directory management tools:
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
  erview of Server Message Block signing
  http://support.microsoft.com/kb/887429/en-us
  Remote Server Administration Tools for Windows 7:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
  AD Admin Center:
  http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx
  http://technet.microsoft.com/en-us/library/dd560652(WS.10).aspx
  Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

• JNDI, Active Directory and Persistent Searches (part 2)

  The original post of this title which was located at http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 subsequently disappeared into the ether (as with many other posts).
  By request I am reposting the sample code which demonstrates receiving notifications of object changes on the Active Directory.
  Further information on both the Active Directory and dirsynch and ldap notification mechanisms can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/overview_of_change_tracking_techniques.asp
  * ldapnotify.java
  * December 2004
  * Sample JNDI application that uses AD LDAP Notification Control.
  import java.util.Hashtable;
  import java.util.Enumeration;
  import javax.naming.*;
  import javax.naming.ldap.*;
  import com.sun.jndi.ldap.ctl.*;
  import javax.naming.directory.*;
  class NotifyControl implements Control {
       public byte[] getEncodedValue() {
               return new byte[] {};
         public String getID() {
            return "1.2.840.113556.1.4.528";
       public boolean isCritical() {
            return true;
  class ldapnotify {
       public static void main(String[] args) {
            Hashtable env = new Hashtable();
            String adminName = "CN=Administrator,CN=Users,DC=antipodes,DC=com";
            String adminPassword = "XXXXXXXX";
            String ldapURL = "ldap://mydc.antipodes.com:389";
            String searchBase = "DC=antipodes,DC=com";
            //For persistent search can only use objectClass=*
            String searchFilter = "(objectClass=*)";
                 env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                 //bind to the domain controller
                    LdapContext ctx = new InitialLdapContext(env,null);
                 // Create the search controls           
                 SearchControls searchCtls = new SearchControls();
                 //Specify the attributes to return
                 String returnedAtts[] = null;
                 searchCtls.setReturningAttributes(returnedAtts);
                 //Specify the search scope
                 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                       //Specifiy the search time limit, in this case unlimited
                 searchCtls.setTimeLimit(0);
                 //Request the LDAP Persistent Search control
                       Control[] rqstCtls = new Control[]{new NotifyControl()};
                       ctx.setRequestControls(rqstCtls);
                 //Now perform the search
                 NamingEnumeration answer = ctx.search(searchBase,searchFilter,searchCtls);
                 SearchResult sr;
                       Attributes attrs;
                 //Continue waiting for changes....forever
                 while(true) {
                      System.out.println("Waiting for changes..., press Ctrl C to exit");
                      sr = (SearchResult)answer.next();
                            System.out.println(">>>" + sr.getName());
                      //Print out the modified attributes
                      //instanceType and objectGUID are always returned
                      attrs = sr.getAttributes();
                      if (attrs != null) {
                           try {
                                for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
                                     Attribute attr = (Attribute)ae.next();
                                     System.out.println("Attribute: " + attr.getID());
                                     for (NamingEnumeration e = attr.getAll();e.hasMore();System.out.println("   " + e.next().toString()));
                           catch (NullPointerException e)     {
                                System.err.println("Problem listing attributes: " + e);
            catch (NamingException e) {
                        System.err.println("LDAP Notifications failure. " + e);
  }

  Hi Steven
  How can I detect what change was made ? Is there an attribute that tell us ?
  Thanks
  MHM