Weblogic's LDAP-compliant directory service?

Hi Guys,
I want to use the LDAP security realm for my authentication module. Now, as per
J2EE compliance, Weblogic's directory server is LDAP compliant. Can I use Weblogic's
directory server itself (instead of Netscape, Microsoft etc.) for my LDAP security
realm?
If I can use it, what are the pros and cons?
Any pointers are greatly appreciated.
Thanx,
Krish.
Krishnan.Venkataraman
Symphoni Interactive
Technical Lead.
[email protected]
412 414 5385(mobile)
412 446 2219(Work)
1 800 439 7757 (# 2219) (Work)
412 343 6549(Res)
WEB:http://members.123india.com/krishnan

WebLogic does not ship with a default LDAP implementation. You must install
a 3rd party LDAP server.
Neil Smithline
WLS Security Architect
BEA Systems
"Krishnan.Venkataraman" <[email protected]> wrote in message
news:3ae57f34$[email protected]..

Similar Messages

  • LDAP as directory service and bind dn

    Hi, I don't want to bind with the manager user for a dt subtree, but when I create an ACL for an entry with all permissions in its ACL, I have permission problems creating groups and organizational units in the administration proxy.
    Can I only bind with a manager user?
    How must I configure another user different from the manager (I deleted the ACL in LDAP that can bind anonymously)?
    Thanks

    You can bind with a user dn instead of a manager, however you will have to give the user enough rights to create and delete other users. The directory server manual should explain more on this.

  • LDAP (Directory service) server and client compatible with Windows 7

    Hello Experts,
    Earlier we were using Netscape Server 4.0 and Console on Windows XP for LDAP integration testing with BRM.
    Now that Windows XP is soon going to be decommissioned and the software is incompatible with Windows 7, I am looking for directory service (both server and client) alternatives compatible with Windows 7.
    Has anyone tried setting up a directory service (or LDAP) on the Windows 7 operating system?
    Any help is appreciated. Thank you.

    Hello Mr Thio,
    The basic cause for this type of error message is generally a permission issue. If you are using a domain account, make sure it is added as a local administrator on the local machine.
    RK on setup.exe and select "Run as administrator".
    Make sure you copy the installables to a local drive and run setup from the machine; if you are running from the CD directly, avoid it.
    The MS link below has documented this error; please go through the link properly:
    http://support.microsoft.com/kb/2799534
    Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

  • Weblogic app server wsdl web service call with SSL Validation error = 16

    I need to make a WSDL web service call from my Weblogic app server. The web service is provided by a 3rd-party vendor. I keep getting the error:
    Cannot complete the certificate chain: No trusted cert found
    Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
    Validation error = 16
    From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
    Here is how I load trustStore and keyStore in my java program:
         // JSSE trust store: server certificate chains are validated against the entries in this file
         System.setProperty("javax.net.ssl.trustStore", "cacerts");
         System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
         System.setProperty("javax.net.ssl.trustStoreType", "JKS");
         // JSSE key store: holds the client certificate the service policy requires (RequireClientCertificate="true")
         System.setProperty("javax.net.ssl.keyStoreType", "JKS");
         System.setProperty("javax.net.ssl.keyStore", keyStoreName);
         System.setProperty("javax.net.ssl.keyStorePassword", clientCertPwd);
         // dump SOAP requests and responses to the log
         System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
    Here is how I create cacerts using the VeriSign hierarchy certs (in this order):
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
    1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
    Because my program is a Weblogic app server, when I start the program I have the Java command line options set as:
    -Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Dweblogic.security.SSL.enforceConstraints=strong
    That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
    In addition, we have working logic to use some other WSDL web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create the client stub, use SSLContext and WLSSLAdapter to load the trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the web service client object and make the web service call. For the new WSDL file, I am told to use wsimport to create the client stub. In the client code created, I don't see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by setting system properties. Here I attached the WSDL file.
    I have read many articles. It seems that as long as I can install the VeriSign certs correctly on the Weblogic server, I should have fixed the problem. Now the questions are:
    1.     Do I create "cacerts" in the correct order with the right keytool options?
    2.     Since the command line option "-Dweblogic.security.SSL.trustedCAKeyStore" is used for the web server's JKS certificate, will that cause any problem for me?
    3.     Is it possible to use wsimport to generate a client stub that I can bind SSLContext and WLSSLAdapter objects to?
    4.     Do I need to put the "cacerts" in some specific Weblogic directory?
    ---------------------------------wsdl file
    <wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
         <wsp:Policy wsu:Id="TokenServices_policy">
              <wsp:ExactlyOne>
                   <wsp:All>
                        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                             <wsp:Policy>
                                  <sp:TransportToken>
                                       <wsp:Policy>
                                            <sp:HttpsToken RequireClientCertificate="true"/>
                                       </wsp:Policy>
                                  </sp:TransportToken>
                                  <sp:AlgorithmSuite>
                                       <wsp:Policy>
                                            <sp:Basic256/>
                                       </wsp:Policy>
                                  </sp:AlgorithmSuite>
                                  <sp:Layout>
                                       <wsp:Policy>
                                            <sp:Strict/>
                                       </wsp:Policy>
                                  </sp:Layout>
                             </wsp:Policy>
                        </sp:TransportBinding>
                        <wsaw:UsingAddressing/>
                   </wsp:All>
              </wsp:ExactlyOne>
         </wsp:Policy>
         <wsdl:types>
              <xsd:schema targetNamespace="http://tempuri.org/Imports">
                   <xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
                   <xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
              </xsd:schema>
         </wsdl:types>
         <wsdl:message name="ITokenServices_GetUserToken_InputMessage">
              <wsdl:part name="parameters" element="tns:GetUserToken"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
              <wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
              <wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
         </wsdl:message>
         <wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
              <wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
         </wsdl:message>
         <wsdl:portType name="ITokenServices">
              <wsdl:operation name="GetUserToken">
                   <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
                   <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
              </wsdl:operation>
              <wsdl:operation name="GetSSOUserToken">
                   <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
                   <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
              </wsdl:operation>
         </wsdl:portType>
         <wsdl:binding name="TokenServices" type="tns:ITokenServices">
              <wsp:PolicyReference URI="#TokenServices_policy"/>
              <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
              <wsdl:operation name="GetUserToken">
                   <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
                   <wsdl:input>
                        <soap12:body use="literal"/>
                   </wsdl:input>
                   <wsdl:output>
                        <soap12:body use="literal"/>
                   </wsdl:output>
              </wsdl:operation>
              <wsdl:operation name="GetSSOUserToken">
                   <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
                   <wsdl:input>
                        <soap12:body use="literal"/>
                   </wsdl:input>
                   <wsdl:output>
                        <soap12:body use="literal"/>
                   </wsdl:output>
              </wsdl:operation>
         </wsdl:binding>
         <wsdl:service name="TokenServices">
              <wsdl:port name="TokenServices" binding="tns:TokenServices">
                   <soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
                   <wsa10:EndpointReference>
                        <wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
                   </wsa10:EndpointReference>
              </wsdl:port>
         </wsdl:service>
    </wsdl:definitions>
    ----------------------------------application log
    adding as trusted cert:
    Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
    Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
    adding as trusted cert:
    Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
    Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
    adding as trusted cert:
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
    Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
    <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
    Not Valid Before:Tue Dec 18 19:00:00 EST 2012
    Not Valid After:Wed Jan 07 18:59:59 EST 2015
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
    Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
    Not Valid Before:Sun Feb 07 19:00:00 EST 2010
    Not Valid After:Fri Feb 07 18:59:59 EST 2020
    Signature Algorithm:SHA1withRSA
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
    <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
         at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at com.certicom.tls.record.WriteHandler.write(Unknown Source)
         at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
         at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
         at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
         at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
         at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
         at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
         at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
         at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
         at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
         at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
         at javax.xml.ws.Service.<init>(Service.java:56)
         at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
         at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
         at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
         at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
         at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
    <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
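    As an added example (not from the original post and not WebLogic code), the checker below reproduces the client-side trust decision offline: it loads a JKS trust store and a PEM file holding the chain the server sent (leaf first, as in the log's cert[0]/cert[1]) and runs standard PKIX path validation against the store's trusted entries. The stack trace above comes from com.certicom.tls, WebLogic's own SSL stack, which is configured through -Dweblogic.security.SSL.trustedCAKeyStore rather than the javax.net.ssl.* properties, so it is worth running this against both SSLTrust.jks and the hand-built cacerts. The class name TrustCheck and the argument layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * TrustCheck (hypothetical helper): would this JKS trust store accept this server chain?
 * Usage: java TrustCheck <truststore.jks> <storepass> <chain.pem>
 * chain.pem holds the server certificate first, then any intermediates, in the
 * order the server sends them (e.g. saved from "openssl s_client -showcerts").
 */
public class TrustCheck {

    // Read every X.509 certificate in a PEM file, preserving file order (leaf first).
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + pemPath);
        }
        return chain;
    }

    static KeyStore loadStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Run the same PKIX path validation a TLS client performs, using the store's
    // trusted-certificate entries as the only trust anchors.
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        // A self-signed root the server happens to send is not a path element:
        // drop it so the anchor must come from the store, as in a real handshake.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Throws InvalidAlgorithmParameterException if the store has no trusted certs at all.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; keep revocation on in production
        // Validity is checked against "now"; use params.setDate(...) to test an old chain.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult r =
                (PKIXCertPathValidatorResult) cpv.validate(cf.generateCertPath(path), params);
            return "TRUSTED via anchor "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // index = position in the chain where validation stopped, reason = why
            return "UNTRUSTED: " + e.getMessage()
                + " (reason=" + e.getReason() + ", index=" + e.getIndex() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <truststore.jks> <storepass> <chain.pem>");
            System.exit(2);
        }
        List<X509Certificate> chain = readChain(args[2]);
        for (int i = 0; i < chain.size(); i++) {
            System.out.println("cert[" + i + "] subject=" + chain.get(i).getSubjectX500Principal()
                + " issuer=" + chain.get(i).getIssuerX500Principal());
        }
        System.out.println(validate(chain, loadStore(args[0], args[1])));
    }
}
```

    A result of UNTRUSTED with the index pointing at the last chain element means no entry in that store signs the top of the received chain, which is the condition behind "Cannot complete the certificate chain: No trusted cert found".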

    I received a workaround by an internal message.
    The how-to guide is:
    - Download the WSDL file (with bindings, not the one from ESR)
    - Correct it so that the schema corresponds to the answer (remove minOccurs or other things like this)
    - Deploy the WSDL file on a server (a Java web project, for example); you can deploy it locally
    - Create a new logical destination that points to the modified WSDL file
    - Change the metadata destination in your Web Dynpro project for the corresponding model and keep the execution destination as before.
    Then the received data is checked by the metadata logical destination, but the data is retrieved from the correct server.

  • Storage Integration with Active Directory Services Part 2

    Having your storage device join Active Directory Services can be relatively straightforward. What to do if the JOIN button fails? This demo goes through a basic checklist from network to server. The demo covers integration between the NSS2000/3000/4000/6000 platform and Microsoft ADS Server 2003.
    Part 1 - Network Overview
    Part 2 - NSS Configuration
    Part 3 - Connecting a share
    Part 4 - Server 2003 Administration
    Note: Some artistic license was used to make the test environment easier to illustrate, but the principles are the same in a live network.

    Hi Angus,
    Policy Server does not require a specific LDAP schema. During configuration you simply map the LDAP attributes of your schema to the ones that Policy Server supports (e.g., common name, email address, etc).
    If you are configuring Policy Server to use an LDAP, it will use the LDAP to authenticate the user (Policy Server does not store the password itself in this case).
    If passwords are stored outside of the LDAP (e.g., in a database), it is possible to write a custom authentication provider to authenticate against this source.
    Hope this helps,
    -Bill

  • Storage Integration with Active Directory Services Part 4

    Having your storage device join Active Directory Services can be relatively straightforward. What to do if the JOIN button fails? This demo goes through a basic checklist from network to server. The demo covers integration between the NSS2000/3000/4000/6000 platform and Microsoft ADS Server 2003.
    Part 1 - Network Overview
    Part 2 - NSS Configuration
    Part 3 - Connecting a share
    Part 4 - Server 2003 Administration
    Note: Some artistic license was used to make the test environment easier to illustrate, but the principles are the same in a live network.

  • The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

    We are in the process of removing a child domain from the forest and are down to two DCs. These are both Server 2008 R2 SP1 servers, one physical and one virtual (the PDC). When I try to remove a DC (not the PDC emulator) I get the following error:
    The operation failed because:
    Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=mydomain,DC=local to
    Active Directory Domain Controller \\V-Svr03.mydomain.local.
    The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
    I have checked replication with repadmin /showrepl and all connections were successful. The dcdiag /test:kccEvent test on all servers passed.
    Most DCdiag tests are successful. The only failure is on NCSecDesc when running dcdiag /test:NCSecDesc
       Testing server: Default-First-Site\DC1-DEV-OFC
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=hookemup,DC=local
             ......................... DC1-DEV-OFC failed test NCSecDesc
    In researching this I find "If you do not plan to add an RODC to the forest, you can disregard this error."
    We have not successfully run ADprep /rodcPrep, nor do we plan on having any Read-Only DCs, so I think we can ignore this error. We did try running ADprep /rodcPrep but got an LDAP error, which I can duplicate if this is important.
    Schema and Naming FSMOs are on a DC higher in the forest. RID, PDC, and Infrastructure FSMOs for the child domain are on the Virtual server (PDC).
    Any guidance on where to go from here would be greatly appreciated as I have no more hair on my head to pull.

    Ok... I ran repadmin /showreps /v again and it shows no errors
    C:\>repadmin /showreps /v
    Default-First-Site\DC1-DEV-OFC
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: b294c59f-8b46-4133-89c5-0f30bfd49607
    DSA invocationID: 1054285d-cffe-42b4-8074-e2d44adbb151
    ==== INBOUND NEIGHBORS ======================================
    CN=Configuration,DC=mydomain,DC=local
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381490/OU, 16381490/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114817/OU, 114817/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 66047/OU, 66047/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8098197/OU, 8098197/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    CN=Schema,CN=Configuration,DC=mydomain,DC=local
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8097482/OU, 8097482/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 65239/OU, 65239/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114149/OU, 114149/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381373/OU, 16381373/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    DC=ForestDnsZones,DC=mydomain,DC=local
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 66295/OU, 66295/PU
            Last attempt @ 2012-10-29 13:57:48 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 8098367/OU, 8098367/PU
            Last attempt @ 2012-10-29 13:58:13 was successful.
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 115032/OU, 115032/PU
            Last attempt @ 2012-10-29 13:58:25 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 16381653/OU, 16381653/PU
            Last attempt @ 2012-10-29 13:58:34 was successful.
    DC=mySUBdomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114871/OU, 114871/PU
            Last attempt @ 2012-10-29 13:54:02 was successful.
    DC=DomainDnsZones,DC=mySUBdomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 114017/OU, 114017/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
    DC=mydomain,DC=local
        Default-First-Site\V-SVR03 via RPC
            DSA object GUID: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8
            Address: 53018cc4-b8c9-48ce-9a54-1b987e7b08c8._msdcs.mydomain.local
            DSA invocationID: 45de2c10-ec8b-443d-a645-db4e0a352a23
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 114017/OU, 114017/PU
            Last attempt @ 2012-10-29 13:52:39 was successful.
        Default-First-Site\HESTIA via RPC
            DSA object GUID: b464fde9-29d7-4490-9582-fe9270050d50
            Address: b464fde9-29d7-4490-9582-fe9270050d50._msdcs.mydomain.local
            DSA invocationID: afea3845-9fa8-40a6-a477-84348a206348
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 16381614/OU, 16381614/PU
            Last attempt @ 2012-10-29 13:56:52 was successful.
        Default-First-Site\V-SVR01 via RPC
            DSA object GUID: e2f794eb-9658-4bad-b695-3d8c08f46371
            Address: e2f794eb-9658-4bad-b695-3d8c08f46371._msdcs.mydomain.local
            DSA invocationID: 07bb0fe9-bca9-46d1-92ce-308d36da478d
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 66325/OU, 66325/PU
            Last attempt @ 2012-10-29 13:58:34 was successful.
        Default-First-Site\ATHENA via RPC
            DSA object GUID: cb00a5b0-6dea-473c-bb42-19356dd9ed36
            Address: cb00a5b0-6dea-473c-bb42-19356dd9ed36._msdcs.mydomain.local
            DSA invocationID: 57313a9c-46a2-4b94-87cc-b3f91d54faed
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
            USNs: 8098385/OU, 8098385/PU
            Last attempt @ 2012-10-29 13:58:38 was successful.
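    The repadmin output above only proves that the partitions replicate; it says nothing about who the partitions think owns their FSMO roles, which is what the demotion error complains about. dcdiag does not cover the fSMORoleOwner attribute on the CN=Infrastructure object of the DNS application partitions either, and a stale value there (pointing at a DC that no longer exists) is a documented cause of both the "unable to determine the ownership of floating single-master operation roles" failure during demotion and of adprep /rodcprep failing with an LDAP error. The script below is an added example, not something posted in this thread, and whether that cause applies here is for the poster to verify. It assumes the RSAT ActiveDirectory module, a domain-admin session, and uses the thread's placeholder names (mySUBdomain.local, the V-Svr03 PDC); substitute your own.

```powershell
# Added example (not from the thread). Reads the fSMORoleOwner attribute for every FSMO
# role object, including the CN=Infrastructure objects of the two DNS application
# partitions, and flags any owner that is not a DC still present in the forest.
# Assumes: RSAT ActiveDirectory module, domain-admin rights, and that the domain's PDC
# emulator hosts all of the partitions queried (true for a DC that also runs DNS).
Import-Module ActiveDirectory

function Get-FsmoOwnerReport {
    param([string]$Domain = 'mySUBdomain.local')   # placeholder from the thread

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    $rootDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

    # NTDS Settings DNs of every DC that still exists anywhere in the forest.
    $live = foreach ($d in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $d).NTDSSettingsObjectDN
    }

    # Objects whose fSMORoleOwner attribute records the role holder. The two DNS
    # partition Infrastructure objects are the ones dcpromo and adprep /rodcprep read
    # and that repadmin/dcdiag do not report on.
    $roles = [ordered]@{
        'PDC'                             = $dom.DistinguishedName
        'RID'                             = "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)"
        'Infrastructure (domain)'         = "CN=Infrastructure,$($dom.DistinguishedName)"
        'Infrastructure (DomainDnsZones)' = "CN=Infrastructure,DC=DomainDnsZones,$($dom.DistinguishedName)"
        'Infrastructure (ForestDnsZones)' = "CN=Infrastructure,DC=ForestDnsZones,$rootDN"
        'Schema'                          = "CN=Schema,CN=Configuration,$rootDN"
        'Domain Naming'                   = "CN=Partitions,CN=Configuration,$rootDN"
    }

    foreach ($r in $roles.GetEnumerator()) {
        $owner = (Get-ADObject -Identity $r.Value -Server $dom.PDCEmulator `
                               -Properties fSMORoleOwner).fSMORoleOwner
        [pscustomobject]@{
            Role   = $r.Key
            Object = $r.Value
            Owner  = $owner
            # A deleted NTDS Settings object shows up with "0ADEL:" in its DN. That, or an
            # owner not in the live list, is the stale state that blocks demotion and rodcprep.
            Stale  = (-not $owner) -or ($owner -match '0ADEL:') -or ($live -notcontains $owner)
        }
    }
}

function Repair-FsmoOwner {
    # Writes a live DC's NTDS Settings DN into fSMORoleOwner. ConfirmImpact High plus
    # -WhatIf below means nothing changes until you deliberately remove -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$NewOwnerNtdsDN,
        [Parameter(Mandatory)][string]$Server
    )
    if ($PSCmdlet.ShouldProcess($ObjectDN, "set fSMORoleOwner to $NewOwnerNtdsDN")) {
        Set-ADObject -Identity $ObjectDN -Server $Server -Replace @{ fSMORoleOwner = $NewOwnerNtdsDN }
    }
}

# Usage: review first; then repair only a stale DNS-partition owner, pointing it at the
# NTDS Settings object of the DC that will remain (the thread's PDC, V-Svr03).
$pdc    = (Get-ADDomain -Identity 'mySUBdomain.local').PDCEmulator
$report = Get-FsmoOwnerReport -Domain 'mySUBdomain.local'
$report | Format-Table Role, Owner, Stale -AutoSize
$keep = (Get-ADDomainController -Identity $pdc).NTDSSettingsObjectDN
$report | Where-Object { $_.Stale -and $_.Role -like 'Infrastructure (*DnsZones)' } |
    ForEach-Object { Repair-FsmoOwner -ObjectDN $_.Object -NewOwnerNtdsDN $keep -Server $pdc -WhatIf }
```

    Only the two DNS-partition Infrastructure objects are repaired by the usage lines; the domain-level roles (PDC, RID, Infrastructure, Schema, Domain Naming) should be moved with the normal transfer/seize tooling, not by editing the attribute, since those transfers also update the role holder's own state.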

  • Active Directory Services Can't Connect to Domain

    I removed Active Directory services from a server running 2012. I then went to reinstall and reconfigure it, but I keep running into issues. When I launch Active Directory Administrative Center it gives me an error that it can't connect to any domain, and I can't make any changes. The local server has already been promoted to the domain controller. Here is the output from dcdiag:
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = ACSSVR
       * Identified AD Forest. 
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\ACSSVR
          Starting test: Connectivity
             ......................... ACSSVR passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\ACSSVR
          Starting test: Advertising
             Fatal Error:DsGetDcName (ACSSVR) call failed, error 1355
             The Locator could not find the server.
             ......................... ACSSVR failed test Advertising
          Starting test: FrsEvent
             ......................... ACSSVR passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems. 
             ......................... ACSSVR failed test DFSREvent
          Starting test: SysVolCheck
             ......................... ACSSVR passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000B46
                Time Generated: 03/02/2015   12:00:00
                Event String:
                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification)
    and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 
             A warning event occurred.  EventID: 0x80000734
                Time Generated: 03/02/2015   12:00:37
                Event String:
                The local domain controller could not connect with the following domain controller hosting the following directory partition to resolve distinguished names. 
             ......................... ACSSVR passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ACSSVR passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ACSSVR passed test MachineAccount
          Starting test: NCSecDesc
             ......................... ACSSVR passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\ACSSVR\netlogon)
             [ACSSVR] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... ACSSVR failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ACSSVR passed test ObjectsReplicated
          Starting test: Replications
             ......................... ACSSVR passed test Replications
          Starting test: RidManager
             ......................... ACSSVR passed test RidManager
          Starting test: Services
             ......................... ACSSVR passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:21:34
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:21:58
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:26:01
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:26:01
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:26:16
                Event String:
                Name resolution for the name teredo.ipv6.microsoft.com. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000002E
                Time Generated: 03/02/2015   11:34:32
                Event String:
                The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
             An error event occurred.  EventID: 0xC0001B6F
                Time Generated: 03/02/2015   11:34:32
                Event String:
                The Windows Time service terminated with the following error: 
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:35:01
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:39:08
                Event String:
                Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:39:27
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   11:39:27
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 03/02/2015   11:39:40
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR. 
             A warning event occurred.  EventID: 0x0000000C
                Time Generated: 03/02/2015   11:39:39
                Event String:
                Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
    the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
    authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
             A warning event occurred.  EventID: 0xC000042B
                Time Generated: 03/02/2015   11:42:01
                Event String:
                The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   11:44:31
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   11:45:05
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x0000168F
                Time Generated: 03/02/2015   11:55:22
                Event String:
                The dynamic deletion of the DNS record 'ACS.acsolutionsinc.net. 600 IN A 192.168.56.1' failed on the following DNS server:  
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:55:22
                Event String:
                Name resolution for the name acsolutionsinc.net timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000168F
                Time Generated: 03/02/2015   11:55:47
                Event String:
                The dynamic deletion of the DNS record '_ldap._tcp.ACS.acsolutionsinc.net. 600 IN SRV 0 100 389 ACSSVR.ACS.acsolutionsinc.net.' failed on the following DNS server:  
             A warning event occurred.  EventID: 0x000727A5
                Time Generated: 03/02/2015   11:55:53
                Event String:
                The WinRM service is not listening for WS-Management requests. 
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:55:53
                Event String:
                Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/02/2015   11:59:53
                Event String:
                Name resolution for the name _ldap._tcp.dc._msdcs.ACS.local. timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   12:00:13
                Event String:
                The Vstor2 Virtual Storage Driver service failed to start due to the following error: 
             An error event occurred.  EventID: 0xC0001B58
                Time Generated: 03/02/2015   12:00:13
                Event String:
                The Vstor2 MntApi 2.0 Driver (shared) service failed to start due to the following error: 
             A warning event occurred.  EventID: 0x000727AA
                Time Generated: 03/02/2015   12:00:25
                Event String:
                The WinRM service failed to create the following SPNs: WSMAN/ACSSVR.ACS.local; WSMAN/ACSSVR. 
             A warning event occurred.  EventID: 0x0000000C
                Time Generated: 03/02/2015   12:00:25
                Event String:
                Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in
    the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the
    authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
             A warning event occurred.  EventID: 0xC000042B
                Time Generated: 03/02/2015   12:02:47
                Event String:
                The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   12:05:17
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 03/02/2015   12:05:17
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain
    controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             ......................... ACSSVR failed test SystemLog
          Starting test: VerifyReferences
             ......................... ACSSVR passed test VerifyReferences
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : ACS
          Starting test: CheckSDRefDom
             ......................... ACS passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ACS passed test CrossRefValidation
       Running enterprise tests on : ACS.local
          Starting test: LocatorCheck
             Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
             A Global Catalog Server could not be located - All GC's are down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
             1355
             A Good Time Server could not be located.
             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
             A KDC could not be located - All the KDCs are down.
             ......................... ACS.local failed test LocatorCheck
          Starting test: Intersite
             ......................... ACS.local passed test Intersite
    I've been trying to debug errors one at a time, but I'm having a hard time finding any information that pertains to this issue as a whole. Anything you can tell me about this would be great, thank you for reading. 

    It was the only server in the network, the only dc in the old forest. When I re-installed ad ds I gave the new forest different name, but I guess the old settings are still in the system somewhere conflicting with the new setup? Is there a way to
    purge the old setup entirely and start over with ad ds, or am I going to have to re-install the whole OS? Thanks again for the help.
    Honestly, the best way to handle this is to rebuild the server. There are many things that are "left behind" when you remove the Domain / Forest from a Domain Controller. In fact many articles will say after using ADMT (active directory migration
    tool) you should decommission the original Domain Controller (aka reinstall the OS).
    While you could spend more time trying to get that domain controller working, it absolutely is going to be 1) More reliable 2) faster to reinstall the OS on the old domain controller. If you are still leveraging storage, or services on that domain controller,
    you will want to back them up, or have a transition plan before reinstalling everything on the server. I have a feeling if you choose to keep troubleshooting this, you will run into more issues down the road.
    Entrepreneur, Strategic Technical Advisor, and Sr. Consulting Engineer - Strategic Services and Solutions Check out my book - Powershell 3.0 - WMI: http://amzn.to/1BnjOmo | Mastering PowerShell Coming in April 2015!
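    One item in the dcdiag output above is worth acting on whichever way the rebuild goes: the KccEvent warning with EventID 0x80000B46 is Directory Service event 2886, logged when a DC accepts SASL LDAP binds without signing and simple binds over cleartext. Before requiring signing, you want to know which clients would break. The script below is an added example, not from this thread or from Microsoft; it reads the two registry values that back the "LDAP server signing requirements" and "LDAP server channel binding token requirements" policies, pulls the 24-hour counts out of event 2887 and the per-client detail out of event 2889, and offers a guarded way to enforce the setting. It assumes it runs on the DC itself (or via Invoke-Command) as a local administrator.

```powershell
# Added example (not from the thread). Audits the state that Directory Service event 2886
# (0x80000B46 in the dcdiag output) warns about and lists the clients that would be
# affected by enforcing LDAP signing, from events 2887 (daily summary) and 2889 (per client).
# Assumes a local-administrator session on the DC.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapBindHardening {
    $p = Get-ItemProperty -Path $NtdsParams
    $d = Get-ItemProperty -Path $NtdsDiag
    # LDAPServerIntegrity: 1 = signing not required (the state 2886 warns about), 2 = required.
    # LdapEnforceChannelBinding: 0 = never, 1 = when the client supports it, 2 = always.
    # A missing value means the setting has never been configured on this DC.
    $signing = if ($p.PSObject.Properties['LDAPServerIntegrity'])       { $p.LDAPServerIntegrity }       else { $null }
    $cbt     = if ($p.PSObject.Properties['LdapEnforceChannelBinding']) { $p.LdapEnforceChannelBinding } else { $null }
    [pscustomobject]@{
        LdapServerIntegrity       = $signing
        RequiresSigning           = ($signing -eq 2)
        LdapEnforceChannelBinding = $cbt
        EnforcesChannelBinding    = ($cbt -eq 2)
        # 2889 per-client events are only written when this diagnostic level is 2 or higher.
        PerClientLoggingEnabled   = ($d.'16 LDAP Interface Events' -ge 2)
    }
}

function Get-UnsignedLdapBindSummary {
    # 2887 is written once per 24 hours when at least one unsigned or cleartext bind was seen.
    $e = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2887]]' `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $e) { return $null }
    # The two counters are parsed out of the message text so the result is queryable.
    $simple = if ($e.Message -match 'without SSL/TLS:\s*(\d+)') { [int]$Matches[1] } else { $null }
    $sasl   = if ($e.Message -match 'without signing:\s*(\d+)')  { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ TimeCreated = $e.TimeCreated; CleartextSimpleBinds = $simple; UnsignedSaslBinds = $sasl }
}

function Get-UnsignedLdapBindClients {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since } |
        ForEach-Object {
            # Fields are taken from the 2889 message text rather than by parameter index so
            # the block does not depend on the parameter order inside the event record.
            [pscustomobject]@{
                ClientAddress = if ($_.Message -match 'Client IP address:\s*(\S+)')        { $Matches[1] } else { $null }
                Identity      = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)')    { $Matches[1].Trim() } else { $null }
            }
        } | Group-Object ClientAddress, Identity | Select-Object Count, Name
}

function Set-LdapBindHardening {
    # Registry equivalent of the policies "Domain controller: LDAP server signing requirements =
    # Require signing" and "Domain controller: LDAP server channel binding token requirements =
    # Always". In a domain, set these through a GPO linked to the Domain Controllers OU; a GPO
    # will overwrite this direct write, which is meant for a single DC or a lab.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([switch]$EnablePerClientLogging)
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'require LDAP signing and channel binding')) {
        Set-ItemProperty -Path $NtdsParams -Name LDAPServerIntegrity       -Value 2 -Type DWord
        Set-ItemProperty -Path $NtdsParams -Name LdapEnforceChannelBinding -Value 2 -Type DWord
    }
    if ($EnablePerClientLogging -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'log 2889 per-client bind events')) {
        Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    }
}

# Usage: audit first; enforce only after the 2889 client list has stayed empty for a full
# 24-hour cycle, otherwise the clients listed will start failing to bind.
Get-LdapBindHardening
Get-UnsignedLdapBindSummary
Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
Set-LdapBindHardening -EnablePerClientLogging -WhatIf
```

    Typical offenders in the 2889 list are appliances and scripts doing simple binds on port 389 (the NSS storage boxes from the other thread on this page are a common example); move them to LDAPS or to SASL with signing before flipping LDAPServerIntegrity to 2.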

  • ALBPM 5.7 BPM process admin issues with Oracle 11g RAC as directory service

    Hi,
    Setup: ALBPM 5.7 Enterprise for WebLogic.
    BPM Engine deployed on a WebLogic cluster.
    BPM Process Admin (web console) deployed on Tomcat.
    BPM Process Admin uses WEB-INF/directory.properties for directory configuration.
    Things were fine with the Oracle SID:
    directory.default.url=oracle://<db_host>:1521/schema=diruser,sid=BPMDB { with this, login to Process Admin was working fine }
    But I'm clueless on how to configure RAC as the directory service in the above directory.properties file. Since this is an old version, there is no directory.xml in the installation.
    Connection string:
    (DESCRIPTION =
    (LOAD_BALANCE = on)
    (FAILOVER = on)
    (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST1)(PORT=1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST2)(PORT=1521))
    (CONNECT_DATA =
    (SERVICE_NAME = BPMDB)
    (FAILOVER_MODE =
    (TYPE = SELECT)
    (METHOD = BASIC)
    Please help with how to use the service name (above connection string) in directory.properties, to be able to log in to Process Admin successfully.
    Thanks in advance,
    Swamy

    Using Admin Center, I was able to get the string to be used in directory.properties.
    FYI, the string looks like below:
    directory.default.url=oracle://customURL:0/schema=bpmdirectory,customURL=jdbc:oracle:thin:@(DESCRIPTION = (LOAD_BALANCE = on)(FAILOVER = on)(ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST1)(PORT=1521))(ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST2)(PORT=1521)) (CONNECT_DATA = (SERVICE_NAME = BPMDB.DOMAIN.COM) (FAILOVER_MODE = (TYPE = SELECT) (METHOD = BASIC))))
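    The customURL form above is just the multi-line TNS descriptor from the question collapsed onto one line. The following is an added example, not code from the thread or from ALBPM: it assembles that line from a descriptor, refuses unbalanced parentheses (the descriptor as pasted in the question is missing its closing ones), and pulls the hosts and service name back out of a finished directory.default.url so they can be checked. Host names and the schema name are placeholders taken from the post.

```python
import re

# Constructed sample: the RAC descriptor from the question, completed with the
# closing parentheses the post omitted. Hostnames are placeholders.
RAC_DESCRIPTOR = """
(DESCRIPTION =
  (LOAD_BALANCE = on)
  (FAILOVER = on)
  (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST1)(PORT=1521))
  (ADDRESS = (PROTOCOL = TCP)(HOST = DB_HOST2)(PORT=1521))
  (CONNECT_DATA =
    (SERVICE_NAME = BPMDB)
    (FAILOVER_MODE =
      (TYPE = SELECT)
      (METHOD = BASIC))))
"""

def compact_tns(descriptor: str) -> str:
    """Collapse a multi-line TNS descriptor onto one line, as a .properties value
    must be, and reject unbalanced parentheses (a common paste error)."""
    depth = 0
    for ch in descriptor:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' in TNS descriptor")
    if depth != 0:
        raise ValueError(f"TNS descriptor is missing {depth} closing parenthesis(es)")
    # Whitespace between TNS tokens is insignificant; collapse it to single spaces.
    return re.sub(r"\s+", " ", descriptor).strip()

def build_directory_url(schema: str, descriptor: str) -> str:
    """Produce the customURL-style directory.default.url shown in the answer."""
    return (f"oracle://customURL:0/schema={schema},"
            f"customURL=jdbc:oracle:thin:@{compact_tns(descriptor)}")

def describe_directory_url(url: str) -> dict:
    """Extract schema, listener endpoints and service name for a sanity check."""
    m = re.match(r"oracle://customURL:0/schema=([^,]+),customURL=(jdbc:oracle:thin:@.*)$", url)
    if not m:
        raise ValueError("not a customURL-style directory.default.url")
    schema, jdbc = m.groups()
    hosts = re.findall(r"\(HOST\s*=\s*([^)\s]+)\)", jdbc)
    ports = [int(p) for p in re.findall(r"\(PORT\s*=\s*(\d+)\)", jdbc)]
    svc = re.search(r"\(SERVICE_NAME\s*=\s*([^)\s]+)\)", jdbc)
    return {"schema": schema, "hosts": list(zip(hosts, ports)),
            "service_name": svc.group(1) if svc else None}
```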

  • Directory services and windows 2003

    Hello all, I am new to the world of Solaris. So the trouble is that we have a SunFire and I installed Directory Services 5.2, but Windows 2003 refuses to join the domain at all... The SunFire box is behind NAT and there's an entry in the NAT DNS server. The question is: is it really possible for a Windows box to join the Solaris DS, or can only other Solaris boxes do it?

    Dear Andreas:
    I have read that:
    Hello together,
    I think I've got a solution for my Real-Time LDAP Password Check. T was right, there is a BSA package which does exactly this, but it is not available through the website or any download.
    For this you don't need an NTLM server running or a reverse proxy for user authentication. It simply checks over the LDAP port to your LDAP server and returns whether the login is granted through the LDAP password or not.
    Yesterday I spoke to a Breeze dev and he sent me these scripts. He said they will already be implemented in the next Breeze version but will also work with Breeze 6.
    If someone is interested in this solution, please send me a PM with your email address and I will send the zip file to you.
    Regards,
    Andreas
    We are a Spanish company specialized in developing PDF forms and other types of applications, and also involved with Adobe, especially in Connect.
    I would appreciate it if you can send me the zip file to solve the LDAP question.
    My email is [email protected]
    Thanks in advance.
    Desirée

  • Problem in configuring MS Win2003 AD as a Directory Service

    I am trying to configure MS Windows Server 2003 Active Directory as a Directory Service for Sun ONE Web Server 6.1
    I have made the following configuration at the Global Settings Page of the Administration Server :
    Directory Service ID : default
    Host Name : myhost.mydomain.mycountry
    Port : 389
    Use Secure Sockets Layer (SSL) for connections? : No
    Base DN : DC=mydomain,DC=mycountry
    Bind DN : CN=myuser,CN=Users,DC=mydomain,DC=mycountry
    Bind Password : mypassword
    Whatever I am trying to do at the Users and Groups Page of the Administration Server I am getting the following message :
    An error occurred while contacting the LDAP server.
    (Can't connect to the LDAP server)
    A connection to the directory server could not be opened. Contact your directory server administrator for assistance.
    The user myuser is a member of the Administrators Group.
    I log on to the Sun ONE Web Server 6.1 as myuser.
    I know that Base DN and Bind DN are correct because I use them with Microsoft's LDP Tool. I don't know if the user lacks any privilege (although he is a member of the Administrators) or if I have to configure something else from the Administration Server.
    Any help on this problem would be appreciated very much.
    Thanks in advance

    Hi
    Are you able to use ACLs (ACEs) in iPlanet after integrating ADS? The userId field is empty. How are you actually using this iPlanet integration with ADS in your application / in your company?
    Thanks!
    GV
    [email protected]

  • 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

    Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
    Everything was working fine under 10.6.4
    All users can no longer authenticate to server via mail or ldap logins
    LDAP and Kerberos Services stopped.
    Will downgrade from an open directory master to standalone then back to master again and post status...

    I think there is something with LDAP on 10.6.6
    I was forced to make a clean install in combo from 10.6.0 to 10.6.6, and today LDAP crashed.
    It seems to be an issue with the LDAP ACL.

  • UCCX 8.0.2 HA unable to manually synchronize Directory Services

    Good morning,
         We have an agent that exists as a Call Manager user with an IPCC extension. The same user shows up in RMCM under the UCCX 8.0.2, but he is unable to log in to CAD with the error "ID introuvable" (ID NOT FOUND). When we look in Desktop Administrator, we notice the user is missing. When we try to initiate a manual directory services sync, we instantly get the error "CDAUI2082 At least one error has occurred during the manual synchronization of directory services. Contact Technical Support".
    We found BUG ID CSCtd94036, no luck after increasing the timeout value to even 120s. We restarted both UCCX with no change in behavior. If you remove the IPCC extension in the end users of CUCM, the user becomes an inactive agent instantly, and if you give the IPCC extension back he is back in RMCM, but never shows up in Desktop Administrator.
    Does anybody know of a fix, or the necessary debugs to gather before we go to TAC on this?
    Thanks.

    Here are a few interesting debug lines I gathered. Do they mean anything to anyone?
    2011-07-14 15:50:42:958 DEBUG [0x29b4ba0] ManualSync.cpp[76] DASynchronize: BEGIN.
    2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] LCLDAP.cpp[454] Get: First entry is NULL.
    2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] LCServerType.cpp[310] Get: End false.
    2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] ManualSync.cpp[167] GetServerIOR: Error getting Server Type Profile from LDAP.
    2011-07-14 15:50:42:959 ERROR [0x29b4ba0] WAL2237 DASynchronize: Error getting GetServerIOR for Sync Server.
    2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] ManualSync.cpp[80] DASynchronize: Could not connect to Directory Services Synchronize Server.
    2011-07-14 15:50:42:959 ERROR [0x29b4ba0] WAL2223 write: Error synchronizing directory services.
    2010-12-01 12:50:26:376 ERROR SPLKTSSP2038 Network communication error (TRANSIENT).
    2010-12-01 12:51:23:406 ERROR SPLKTSSP2038 Network communication error (TRANSIENT).
    2010-12-01 12:52:13:550 ERROR SPLKTSSP2038 Network communication error (TRANSIENT).
    2010-12-02 16:25:52:194 INFO STD0005 Client disconnected from service at <192.168.8.16>.
    2010-12-02 16:25:52:209 INFO LC0012 Failed to bind to Calabrio LDAP service on <192.168.8.16>: <-1>
    2010-12-02 16:25:53:017 WARN SOCKET3000 Received an invalid event from SocketLRMClient socket service. Recovery initiated. Error nested com.spanlink.util.socket.SplkClosedChannelException: Attempting to read when the connection has been closed.>.
    ontact LDAP server>
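    The excerpt mixes two line shapes (with and without a thread id) and the telling entry is an LDAP lookup failure logged at DEBUG, two lines before the WAL2237/WAL2223 sync errors. The following is an added example, not code from the thread or from Cisco: it parses lines in the format inferred from the excerpt, tallies levels and error codes, and flags LDAP-related failures regardless of level. The sample is constructed from the lines in the post, including its truncated last line.

```python
import re
from collections import Counter

# Constructed sample based on the log excerpt in the post (last line truncated as posted).
SAMPLE_LOG = """\
2011-07-14 15:50:42:958 DEBUG [0x29b4ba0] ManualSync.cpp[76] DASynchronize: BEGIN.
2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] LCLDAP.cpp[454] Get: First entry is NULL.
2011-07-14 15:50:42:959 DEBUG [0x29b4ba0] ManualSync.cpp[167] GetServerIOR: Error getting Server Type Profile from LDAP.
2011-07-14 15:50:42:959 ERROR [0x29b4ba0] WAL2237 DASynchronize: Error getting GetServerIOR for Sync Server.
2011-07-14 15:50:42:959 ERROR [0x29b4ba0] WAL2223 write: Error synchronizing directory services.
2010-12-01 12:50:26:376 ERROR SPLKTSSP2038 Network communication error (TRANSIENT).
2010-12-02 16:25:52:209 INFO LC0012 Failed to bind to Calabrio LDAP service on <192.168.8.16>: <-1>
2010-12-02 16:25:53:017 WARN SOCKET3000 Received an invalid event from SocketLRMClient socket service. Recovery initiated.
ontact LDAP server>
"""

# Format inferred from the excerpt: timestamp, level, optional [thread], then the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) (?P<level>[A-Z]+) "
    r"(?:\[(?P<thread>0x[0-9a-f]+)\] )?(?P<rest>.*)$")
# Message codes such as WAL2237 or SPLKTSSP2038 lead the rest of the line when present.
CODE_RE = re.compile(r"^(?P<code>[A-Z]{2,}\d{4})\b\s*(?P<msg>.*)$")

def parse_log_line(line):
    """Parse one CAD/UCCX log line into a dict; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    c = CODE_RE.match(rest)
    rec["code"] = c["code"] if c else None
    rec["message"] = c["msg"] if c else rest
    return rec

def triage(text):
    """Tally levels, list ERROR codes, and flag LDAP failures at any level."""
    records, unparsed = [], []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_log_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return {
        "levels": Counter(r["level"] for r in records),
        "error_codes": [r["code"] for r in records if r["level"] == "ERROR" and r["code"]],
        "ldap_failures": [r["message"] for r in records
                          if "LDAP" in r["message"] and re.search(r"\b(Error|Failed)\b", r["message"])],
        "unparsed": unparsed,
    }
```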

  • Internal vs. external directory services best practices

    Hello everyone,
    We have two distinct directory services here where I work, one that supports 'internal' needs, and one that is used for external clients, the people who use our web-facing applications. We are limited by the separation of the directory services. E.g., our internal users cannot use the external directory service to look up email addresses.
    I have been asked to look into design options and best practices. Is it common to have distinct services like this? Or are those external users usually part of the same service as the internal users? Is my online banking account information in the same directory service (assuming it is in a directory service at all) as the employees at my bank? Does it make sense to run separate services like this? What are some alternatives?
    Part of the integration problem is AD vs. Sun Directory Server. The external service is in Sun Directory Server and predates AD. The AD service is obviously here for the Windows environment. Some organizations I have worked with in the past used Sun LDAP as the authoritative source of data, and synced in one way or another into AD.
    Any feedback is appreciated,
    Mark

    No, what I am looking for is architectural input regarding the use of AD and a separate LDAP server. In my case I am talking about AD and the SJS Directory Server, but this would apply to any environment that has AD plus some other LDAP server.
    I need to be able to reasonably answer the general question: Why should we keep the SJS Directory Server, when we could just put all our LDAP data into AD?
    I also need to answer the more specific question: Given our LDAP data is external users only (customer, partners), does it make sense to keep them there? Again, why not just put these "external" entities into AD?
    I'm not trying to figure out how to get AD and LDAP to work together. I'm trying to figure out why I have two directories, and why I should or should not keep two directories. I've found nothing online dealing with what should be a very common scenario.
    Mark

  • Directory service in CUCM

    Hello all,
    I need your help in configuring the directory service in CUCM. I want to look up the directory of extensions on the IP phone. Please suggest ways to do it, as I am using CUCM 9.1 and 7945 phones.
    Thanks

    In CUCM go to the User Management --> End Users menu and add the user there if you choose to do it one by one. Best practice is to integrate with the corporate LDAP and pull users from there. If you do not want to do that and want to import many users, you can do this via BAT user import.
    Chris 
