View Password hash in Active Directory

Similar Messages

• Error while password sync with Active directory.

  Hi all.
  Am doing active directory password sync with oim 11g but this gives an error
  Debug [07/31/12 11:52:14] CONFIG VALUE LENGTH
  Debug [07/31/12 11:52:14] 254
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] Before adding configsync attributes
  Debug [07/31/12 11:52:14]
  sgslrgac instance
  Debug [07/31/12 11:52:14] User Name --->
  Debug [07/31/12 11:52:14] TEST.TEST10
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] RelativeId:
  Debug [07/31/12 11:52:14] 1122
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14]
  sgsladac Instance
  Debug [07/31/12 11:52:14]
  LDAP Connected
  Debug [07/31/12 11:52:14] search string :
  Debug [07/31/12 11:52:14] (&(objectCategory=person)(objectClass=user)(sAMAccountName=TEST.TEST10))
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] Connected to ADSI
  Debug [07/31/12 11:52:14] After Search
  Debug [07/31/12 11:52:14] SID::
  Debug [07/31/12 11:52:14] S-1-5-21-449192332-2375483478-3823051035-1122
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] DN::
  Debug [07/31/12 11:52:14] CN=test test10,CN=Users,DC=thakralone,DC=com
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] GUID:::
  Debug [07/31/12 11:52:14] QHetRJE7hEKkG8PeqYRKlQ==
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14] after ladp search
  Debug [07/31/12 11:52:14] Success sgsldpap
  Debug [07/31/12 11:52:14]
  Passlen populated :
  Debug [07/31/12 11:52:14] 190
  Debug [07/31/12 11:52:14]
  Debug [07/31/12 11:52:14]
  Moving sgsloidi from asynchSystem
  Debug [07/31/12 11:52:14] Store Object populated
  Debug [07/31/12 11:52:14] [getObjectGuid=QHetRJE7hEKkG8PeqYRKlQ==
  getPasswordLen=190
  getUserDn=CN=test test10,CN=Users,DC=thakralone,DC=com
  getUserId=TEST.TEST10
  Debug [07/31/12 11:52:14]
  ***end of status
  Debug [07/31/12 11:52:14]
  Out of sgsloidi from asynchSystem
  Debug [07/31/12 11:52:14]
  Before Free
  Debug [07/31/12 11:52:14]
  After Free
  i have tried to reconfig and reinstall the connector but still the same issue.

  Don't think so.
  Reconcile will just find accounts that are out of sync (that is, that exist on one system but not the other). It doesn't update account attributes.
  ActiveSync can identify and process changed records, but the password itself is hashed, so unless you can use the hashed password directly (and IDM can't) then you just would get "garbage" data via the sync.
  I think you do need to use one of the PasswordSync tools for this, because they intercept the password change process before the password is hashed, allowing you to apply the changes in multiple locations.

• Password Sync from Active Directory Locking Accounts

  Hello,
  We recently set up Active Directory as a resource and are synching passwords. We are using IDM 7.1.1.11. We are noticing that when actions in IDM push the password out to AD, and they sync comes back to IDM, the sync workflow is locking up the account, before the original IDM action completes. For example, when an admin resets a users password, they see several error messages stating that the account is locked by the account that authenticates through the password sync utility. They also see succesful password reset messages, but I would like it if they didn't see errors saying the account is locked. We are using a direct connection between the Password Sync util and IDM. Has anyone ran into this? Any advice on overcoming it?
  Thanks.
  Jim

  I opened a support case with Sun about this issue, and they recommended logging a trace file for com.waveset.adapter.ActiveDirectoryActiveSyncAdapter. While the tracefile does not seem to contain any useful information, the simple fact that there is tracing going on for it now seems to be easing the situation. In my test environment I saw occurrences of this locking problem drop by 90-95% simply by turning the tracing on. I started tracing in production in the hopes that it will at least lessen the occurances of this.
  Sounds like we are taking the same approach Raj, the problem I've been having with it is getting it to happen will I'm debugging our reset password workflow. I want to make sure I add the locking check in the right place, so I was attempting to determine which area to check for it.
  I'll be sure to keep the thread updated if anything changes on our end.
  Jim

• Integrate Password CUA and Active Directory (AD)

  Hello Everybody,
  We have integrated AD with our CUA system.
  Is it possible integrated the same password CUA and AD?
  How can I configure this?
  Thank you,
  Luciana

  Luciana,
  I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos so that the credentials for the user already available on the workstation, in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their Workstation. Also, you can use this method to encrypt the communications - giving you added benefit, rather than just using the authentication provided.
  This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case where SAP is on HP/UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.
  I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at <a href="http://www.cybersafe.com/links/snc.htm">this site</a> to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.
  I hope this is useful ?
  Thanks,
  Tim

• Db10g external password authentication with Active Directory via OID

  HI ALL
  - i have the synchronization AD-to-OID
  - i have the external authorization of AD users via SSO (external authorization plug-in)
  - i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
  - but i cann't configure the DB10g autorization of AD-to-OID synchronized users who don't have their password in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  Funny thing - LDAP (OID and Active Directory) defines a generic heirachical database. Like any other generic database, you need to define the schema to define what data is to be captured.
  Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
  To accomplish what you want to do
  1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
  2) learn to configure SQLNet / Oracle Networking to use LDAPthat is responsib (''cause it's Oracle Networking responsible for the login)
  3) Reverse the schema from OID and transport it to AD
  Aside from that, it's a no-brainer.

• Db10g external password authentication from Active Directory via OID

  HI ALL
  - i have a synchronization AD-to-OID (OAS 10.1.2 (Infra)cold failover cluster, 2 nodes)
  - i have external authorization of AD users via SSO (external authorization plug-in)
  - i have RAC DB(10.1.0.3, 2 nodes) enterprise authorization of OID native users who have their passwords in OID (global schema)
  - but i cann't configure DB autorization of AD-to-OID synchronized users who don't have their passwords in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  I've gone through that thread a few times already, but it only covers infrastructure based on Sun JDS, which seems to pose less problems than Active Directory. Many others refer only to hand-compiled OpenLDAP installations which are quite different to configure... sigh
  I have, however, managed to get the base system running - meaning I can see Solaris ask LDAP for locally unknown user and group names - but all I get back is Unknown Object.
  Here's a snoop dump of one of the failed requests, in hope someone here can shed some light on the problem:
  request from my server to the LDAP box:
  LDAP: [Base Object]
  LDAP: ou=people,OU=Austria,DC=AT,DC=OurADdomain,DC=com
  LDAP: [Scope]
  LDAP: wholeSubtree
  LDAP: Equality Match *[3]
  LDAP: [Attr Descr]
  LDAP: objectClass
  LDAP: [Value]
  LDAP: posixAccount
  LDAP: *[3]
  LDAP: [OctetString]
  LDAP: uid
  LDAP: [OctetString]
  LDAP: myusername
  reply from the LDAP server:
  LDAP: [Error Message]
  LDAP: 0000208D: NameErr: DSID-031001CD
  LDAP: , problem 2001 (NO_OBJECT), data
  a) our Active Directory 2003 R2 with the default Unix schema does not seem to implement the objectClass=posixAccount attribute, although the documentation on MSDN suggests that attribute should be there. I'm atm about to get some MS guy to solve this..
  b) The base object DN seems to always get prefixed with ou=people - why? I didn't enter that field with ldapclient, and that orgunit does not exist in AD per default. How can I prevent Solaris from modifying my search path in that way? I think this is one of the reasons why I keep getting no-object-errors.
  c) Our AD doesn't seem to offer a way to create/modify the unix object classes shadowExpire, shadowFlag and others for password management. Are those strictly necessary - i.e. will I run into new problems with those if I managed to solve a) and b)?

• Configuring AD LDS Password Hash Algorithm

  Hello,
  I have a client which has a requirement that the passwords in Active Directory should be stored using the Secure Hash Standard (SHS) standard. This could be SHA-1 or SHA-2.
  Could you please tell me where can I check the current hashing algorithm and configure the new one?
  Windows Server 2008 R2 Enterprise
  Forest & Domain functional level: Windows Server 2008 R2
  Thanks!

  Hi Levente,
  I don’t think it is possible to specify algorithm to encrypt AD passwords. The password is computed by RSA MD-4 and MD-5 algorithm.
  More information for you:
  Help: How to configure encryption/hashing policies on Active Directory 2008 LDS
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/04591e6e-22d3-4251-ab55-b778a479465e/help-how-to-configure-encryptionhashing-policies-on-active-directory-2008-lds?forum=winserverDS
  View Password hash in Active Directory
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/63e3cf2d-f186-418e-bc85-58bdc1861aae/view-password-hash-in-active-directory?forum=winserverfiles
  Active Directory hashing algorithms used?
  http://social.technet.microsoft.com/forums/windowsserver/en-US/7fbc0669-2ccb-4c24-9f08-24241e30d72b/active-directory-hashing-algorithms-used
  Md5 passwords in Active Directory
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/5bed809e-3e04-4917-b940-47d3c758987f/md5-passwords-in-active-directory
  Best Regards,
  Amy

• SAP ECC 6.0 / Active Directory Password synchronization

  Hello,
  We have a need to synchronize our users Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0).  We do not use CUA and currently do not use a Portal and are not looking at doing SSO.  We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems.  So far, we have not found a way to do this.  SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things.  However, we did find a white paper that stated the following:
  ~snip
  <i>The Management Agents delivered with MIIS generally support password management: <b>they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems</b>. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function.</i>~snip
  Does anyone have any information on how we can achieve the password synchronization between Active Directory and Abap-based SAP Systems?
  I very much appreciate your time and help.
  Paul

  Paul,
  You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
  This is common, and easy to acheive. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on SAP partner website, under SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
  I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
  Regards,
  Tim

• Portal Password Reset - Active Directory - Urgent

  Friends
  We are using SAP Portal 6.0 SP 18.  The Portal UME data source has been configured with Microsoft ADS.
  Now we have an requirement to change the user Password in the Active Directory from the Portal.
  How can we achieve this...?  I am OK even to do some development for this.
  Please let me know the mechanism.

  You can use the UME API to change your own password on a Microsoft Active Directory server, but before that please see the SAP note 876938. Also please see the SAP note 613577, this note have an attachment, it is very helpful. Useful blog <a href="https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1789">User management API in WebDynpro</a> for how to use UME API's.
  Regards,
  Nitin

• Problem during the changing of  Password in Active Directory

  Hello All !
  I am facing a problem during the password modification
  in active directory, i got the same exception as other are getting i.e
  javax.naming.OperationNotSupportedException: [LDAP: error code  53 - 00002077: SvcErr: DSID-03190959, problem 5003 (WILL_NOT_PERFORM), data 0
                     Can any body help me how i will come to know that 128 bit
    Encryption is done successfully. Although i Installed the  MS High Encryption  Pack but it's registry is not done in Conrol Panel.
  is this a problem(as i think) ?
      I am giving the code please check it out->
                        import java.util.Hashtable;
  import javax.naming.*;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  //import java.io.*;
  //import javax.net.ssl.*;
  //import java.security.*;
  import java.io.UnsupportedEncodingException;
  public class setpassword
       public static void main (String[] args)
            Hashtable env = new Hashtable();
            String adminPassword = "";
            String userName = "ou=MCA,ou=Trainee,dc=ControlsNet,dc=local";
            String newPassword = "yadav";
            String keystore = "D:\\j2sdk1.4.2_12\\jre\\lib\\security\\cacerts";
            System.setProperty("javax.net.ssl.trustStore",keystore);
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            env.put(Context.SECURITY_PROTOCOL,"ssl");
            String ldapURL = "ldap://gateway.ControlsNet.local:636/";
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                 LdapContext ctx = new InitialLdapContext(env,null);
            ModificationItem[] mods = new ModificationItem[1];
                 String newQuotedPassword = "\"" + newPassword + "\"";
                 byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                 ctx.modifyAttributes(userName, mods);
            System.out.println("Reset Password for: " + userName);     
                 ctx.close();
            catch (NamingException e) {
                 System.out.println("Problem resetting password: " + e);
            catch (UnsupportedEncodingException e) {
                 System.out.println("Problem encoding password: " + e);
  Please reply me immideiately as soon as you see this problem.
  I think some of u already solved this problem. thanks in advance.

  Believe it or not, looks similar to the problem in the post http://forum.java.sun.com/thread.jspa?threadID=580113&tstart=0
  More unbelievable is the huge security hole in your network !String adminPassword = "";
  env.put(Context.SECURITY_PRINCIPAL,"[email protected]");
  env.put(Context.SECURITY_CREDENTIALS,adminPassword);An administrator with a blank password !
  The ldap standard (rfc 2251) defines an anonymous user as a user with a null passsword. By default, Active Directory does not allow anonymous users to perform searches against the directory, let alone reset a user's password.

• Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

  Hello,
  I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
  but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
  *javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
  *If anyone can help me figure out why it doesn't work, that would be great!*
  P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
  Here's my java code:
  {code}import javax.naming.*;
  import javax.security.auth.*;
  import java.security.PrivilegedAction;
  import java.io.UnsupportedEncodingException;
  public void changeSecret((String uid, String oldPassword, String newPassword)
       throws NamingException, ACException{
  try {
       K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
       LoginContext lc = new LoginContext("marker", cb);
       lc.login();
       Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
       catch(LoginException e) {
       try {
            lc.logout();
       catch(LoginException e) {
  }ChangePasswordAction.java is:import javax.naming.*;
  import javax.naming.naming.directory.*;
  import java.io.UnsupportedEncodingException;
  private class ChangePasswordAction implements PrivilegedAction {
       private String uid;
       private String quotedOldPassword;
       private String quotedNewPassword;
       public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
       public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                 DirContext ctx = new InitialDirContext(env);
                 ModificationItem[] mods = new ModificationItem[2];
                 byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                 byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                 mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                 ctx.modifyAttributes(uid, mods);
                 ctx.close();
            } catch (NamingException e) {
            } catch (UnsupportedEncodingException e) {
            return null;
  }K5CallbackHandler is:import javax.security.auth.callback.*;
  final class K5CallbackHandler
  implements CallbackHandler {
       private final String name;
       private final char[] passwd;
       public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if(pw == null) {
                 passwd = new char[0];
            else {
                 passwd = pw.toCharArray();
       public void handle(Callback[] callbacks)
       throws java.io.IOException, UnsupportedCallbackException {
            for(int i = 0; i < callbacks.length; i++) {
                 if(callbacks[i] instanceof NameCallback) {
                      NameCallback cb = (NameCallback) callbacks;
                      cb.setName(name);
                 else {
                      if(callbacks[i] instanceof PasswordCallback) {
                           PasswordCallback cb = (PasswordCallback) callbacks[i];
                           cb.setPassword(passwd);
                      else {
                           throw new UnsupportedCallbackException(callbacks[i]);
  }The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
  marker {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;

  This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
  My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
  Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
  In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
  Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
  //Eg. auth-conf; confidentiality, auth-int; integrity
  //confidentiality is required to set a password
  env.put("javax.security.sasl.qop","auth-conf");
  //require high strength 128 bit crypto
  env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
  You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
  Good luck.

• Active directory, SSGD and password change

  Hi everybody, we have some problems with SSGD, active directory and password change
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us^Hi Simon
  I'll try again to explain you our problem, because it seems that I wasn't so clear.
  Scenario:
  We have 2 different perfectly working Active directory called "Gruppo" and "Eracle";
  We have 2 different tarantella installations called "Sgd" and "Tlv";
  Sgd servers are working servers and users authenticate against Eracle, used by our customer.
  We made 2 basic different test with Tlv:
  1. we configure Tlv to authenticate users against Gruppo (that is our real need)---> we can't change pasword using kpasswd or ttakpasswd
  2. we configure Tlv to authenticate users against Eracle ---> everything was ok
  There are NO DIFFERENCE beetween Sgd and Tlv, they have same configuration, same krb5.conf etc..
  There is ONE DIFFERENCE beetween Eracle and Gruppo:
  Eracle Active Directory's properties:
  Domain functional level: Windows 2000 mixed
  Forest functional level: Windows 2000
  Gruppo Active Directory's properties:
  Domain functional level: Windows 2000 native
  Forest functional level: Windows 2000
  SSGD documentation doesn't speak about different Active Directory properties. The SSGD documentation says that you can authenticate users against Active directory, so, IT HAS TO WORK even if the domain functional level of active directory is different.
  Can someone help us?
  Many thank
  Patrizia

  Added question.
  Do you guys know if changing the password will change the password on their Active directory access.
  Thanks,
  helmut

• Sync external database with Active Directory

  Hi,
  We are in the process of consolitating all user information in our systems in Active Directory.
  We have a system that can only authenicate users from information stored in a relational database. We are investigating options that would allow us to sync the password in this relational database with the password stored in Active Directory. Whenever the user changes their domain password, we would like for an JNDI application to update the relational database with their new password.
  I'm fairly new to JNDI/Active Directory. My research does not look too positive. Does anybody know of any way that we can perform this password synchronization? Any advice would be greatly appreciated!
  Thanks!
  Dave

  There are several mechanisms available that enable AD to authenticate users for your web application.
  1. Perform a simple LDAP bind using the user's credentials submitted from a form. If the bind is successful, then you can infer that the credentials are correct.
  2. If the users have already performed an interactive logon to Active Directory, provide a Single Sign-On experience by utilizing their existing Kerberos ticket. Refer to JNDI, Active Directory and Authentication (Part 1) (Kerberos)
  http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  for an explanation of using Kerberos & GSS-API.
  3. If the users are not performing an interactive logon to your Active Directory, but you want to provide a federated single sign-on experience, then you may be interested in Active Directory Federation Services which uses SAML 1.0 tokens & WS-* to assert claims. Information on ADFS can be found at http://www.microsoft.com/windowsserver2003/techinfo/overview/adfsoverview.mspx
  Two third party ISV's; Vintela and Centrify both provide solutions for non-Windows Web Servers to enable the second & third scenarios.

• Integrating Active Directory LDAP in OBIEE 11g

  Hi All,
  I Have Configured Active Directory LDAP in OBIEE.
  Steps i have Followed are,
  1) configured Active Directory in providers under Scurity Releam.
  2) Restarted BI Services to Load the Ldap Users.
  3) login to the EM under bifoundation domain selected securitues->security configuration provider.created user.login.attr and username.attr.
  4) under Credentials->oracle.bi.system map->system.user->deleted BISystemUser and Created key with the Existing name in Active Directory.
  5) assigned System user to BISystem role in em.
  6) in Console Roles and Polocies->Global Roles->Roles->Admin->view Role Condition (User = Active Directory User or Group=Administrators).
  7) Restarted BI Server and Presentation Services.
  Now I am Unable to Login to Presentation Services.
  Please Reply ASAP.
  Thanks and Regards
  Kiran Kumar

  Kiran, Is there a specific reason for using RPD for LDAP authentication? From 11g onwards, the best practice is to use Weblogic (or external Authentication providers). Is it correct to say that for "Authentication' without proper RPD LDAP config for "USER" variable, users cannot login via presentation layer?
  Cheers!
  BK

• Open Directory & Active Directory

  Dear Mac community,
  We got a couple of Mac servers running in our company and we have around 140 Mac clients running in our company. We use Open directory for the policies on our macs and we use active directory for all of our computer accounts. Cause we mainly use RDP for Mac to connect to a terminal server except our graphical department.
  This works perfect but now we have adjusted our password policy in Active directory and users must change password when they first login they do that on the mac witch authenticates with Active Directory. After typing there username and password like normal they get a new windows witch notify the user to change there password and conform it and a hint to fill in, after they fill this in they can't get pass that window, it just shakes so it does not work.
  Any answer would be appriciated.

  Hi, can you help me how to put a windows machine on active directory on my MacOS X Server 10.6 ?
  Thank You!
  Reynolds