Windows server firewall blocking active directory authentication?

Similar Messages

• Directory Security Strange Permissions Issues (Windows Server 2003 running Active Directory)

  I have a user that all of a sudden was not able to open 70% of her files located on a file server, Windows Server 2003 running Active Directory, from her laptop. The same user can access all the same files from a different machine, logging on with the same
  credentials. Just looking for a point in the right direction and a possible theory as what could cause this problem, an why all of a sudden. I did go back through the logs but nothing sticks out. For the most part the logs on the server and the laptop are
  pretty clean. 
  Both machines are Latitude E5420s running Windows 7 Enterprise Service Pack 1. Both machines are 64bit and connect to the network via hard-wire, not wireless.
  Thanks in advanced.
  Grajek

  I would recommend proceeding that way:
  Check that your DCs are in a healthy state and AD replication is fine: It might be that the user is member of security groups and the membership is not getting replicated properly which can cause this random behavior. You can use
  dcdiag and repadmin for checks and you can refer to my recommendations here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
  Make  sure that the file server is reachable from the user client computer. Start with
  ping and nslookup. Also, you need to make sure that the traffic between the client and the server is not blocked or filtered. You might want to temporary disable security software for testing
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Windows Server 2008 R2 - Active Directory Replication over DynDNS

  Hello,
  I have one server that Windows Server 2008 R2 - Active Directory / DNS
  Now some users shifted to new office with the server
  Some users still in the original place that now don't have ADDS/DNS
  i want to install one replication server in the original place to retrieve AD/DNS form new office via DynDNS
  is that possible of not?
  Best regards,

  Badr, I don't think you want AD replication occurring over the internet - even if that was possible the server would need access to all the SRV records, a records, And all the ports required for communication - See here for an exhaustive list
  http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
  You may want to look at Setting up a vpn or DirectAccess from the original site to the new site. This will give you more security and generally won't cost to much.
  http://technet.microsoft.com/en-us/network/dd420463.aspx
  Another thing that may work for you would be if you setup remote desktop services in the new location and had the original location remote into via a gateway server -
  http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated,
  licensing and server being part of them - I don't recommend turning your domain controller into an RDS server.These are just some ideas to help you with your issue

• VDI 3.4 Inegrate with Windows Server 2008 R2 Active Directory

  OK,I follow the official documents step by step,I installed the vdi 3.4 in Oracle Linux 5.7(oraclevdi.jiayutester.com),then installed a window server 2008 r2 64bit(jiayudc.jiayutester.com) that made it to be the Domain Controller(jiayutester.com) and DNS,at the end,I edit the /etc/krb5.conf.I execute the following commands:
  1.getent hosts jiayudc.jiayutester.com
  --------------------My Note:Normal-----------
  2.kinit -V [email protected]
  Authenticated to Kerberos v5
  This is my krb5.conf------------------------------------
  [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  [libdefaults]
  default_realm = JIAYUTESTER.COM
  default_checksum = rsa-md5
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  [realms]
  JIAYUTESTER.COM = {
  kdc = space-21pel8ghu.jiayutester.com
  admin_server = space-21pel8ghu.jiayu.com:749
  default_domain = jiayutester.com
  [domain_realm]
  .jiayutester.com = JIAYUTESTER.COM
  jiayutester.com = JIAYUTESTER.COM
  [appdefaults]
  pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  Then,I login to the web console to set company, I select Active Directory to use as User Directory,then I fill up all the needed information(I am sure that all the information I fill in the form is correct),when I click the next,error occured....it's the context:
  Unable to Connect to User Directory
  Failed to connect, no servers available
  Now,I searched everywhere for information,but I can't resolve the problem...Please help me,smart guys

  Would probably need to see your VDI instance cacao log file to see why this is failing, but you might need to add the following to [libdefaults] section of your krb5.conf file, for 2008R2 AD server:
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac
  And then restart VDI services (/opt/SUNWvda/sbin/vda-service restart)
  Note that VDI will actually try to query individual AD servers as defines as part of your AD Global Catalog when it tries to lookup AD domain data. This means you need to verify that your global calalog referenced servers are valid and having matching forward and reverse DNS information:
  For example:
  $ *nslookup -querytype=any gc.tcp.vdi.com.*
  Server:          win2008.vdi.com
  Address:     192.168.1.100#53
  gc.tcp.vdi.com     service = 0 100 3268 win2008.vdi.com*.
  $ nslookup win2008.vdi.com.
  Server:          win2008.vdi.com
  Address:     192.168.1.100#53
  Name:     win2008.vdi.com
  Address: _192.168.1.100_
  r$ nslookup 192.168.1.100
  Server:          win2008.vdi.com
  Address:     192.168.1.100#53
  100.1.168.192.in-addr.arpa     name = win2008.vdi.com.*
  You'd want to verify that every record returned by the *nslookup -querytype=any gc.tcp.yourdoamin.com* command refers to a server that can be reached and has matching forward and reverse DNS. Otherwise, this may trigger VDI to have failures or delays in performing directory queries.
  Beyond that, you need to look in the cacao.log file for errors that you can find and post.
  Edited by: DoesNotCompute on Oct 13, 2012 11:48 AM

• Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory

  We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone
  can recommend?

  Hi Ginandtonic,
  To upgrade DC(Domain Controller) from windows server 2012 to windows server 2012 r2, please refer to these articles:
  Upgrade from windows Server 2012 to 2012 R2                                 
  Upgrade Active Directory from 2012 to 2012 R2
  I hope this helps.
  Best Regards,
  Anna

• Windows Server 2008 R2-Active Directory

  Hi ,
  I cloned a machine using VMware VSphere 5.1 and did not use sysprep during cloning. The original source machine disappeared from Windows Active Directory. Is there anyway to get the object back ? I also deleted the cloned Virtual machine .
  Thanks in advance.
  Pro1962
  India1947

  You can use my script here: https://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a
  All you need to change is
  (objectCategory=person)(objectClass=user)
  by
  (objectCategory=computer)
  and add a comment at the beginning of the command Remove-ADUser.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Windows Server 2008 R2 Active Directory Report Tool

  I have some computers in 2K8 R2 AD that are no longer in use in our organization. I would like to run a report to see which computers in our AD structure have reported to AD within a certain amount of time so I will know whether to delete them or not.
  Is there a tool I can use specifically to see if computers in our AD domain have logged in within a certain time frame?

  You can use my script here: https://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a
  All you need to change is
  (objectCategory=person)(objectClass=user)
  by
  (objectCategory=computer)
  and add a comment at the beginning of the command Remove-ADUser.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Windows Active Directory Authentication

  Hi Experts,
  I have an enterprise application running in a clustered environment. The jars are diployed in jboss and wars in tomcat servers. The requirement is to authenticate users with thier Windows username/password with active directory itself and depending upon their roles give access to various functionalities in the application. Could someone guide on how the windows authentication should be done?
  Thanks

  We were able to successfully enable the Windows AD Authentication.
  Section 4 would be on the SIA's or server tier. Sections 5,6,and 7 would be for the Java Web app server or web tier.
  We got an error when trying to enable SSO though.
  The server encountered an internal error (com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "account@domian_name" but not key type (18) + KVNO (32) in this entry: Principal: [1] account@domain_name TimeStamp: Wed Dec 31 19:00:00 COT 1969 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [......] )) that prevented it from fulfilling this request.
  We disabled the SSO for the time being, but the Windows AD works fine.

• WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

  Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
  a managed server using the node manager? I can boot the server without the AD
  authenticator and I can also boot the server using a script and successfully authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
  configuration works fine with weblogic running on W2K, but not on Solaris (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

  Solved the problem. The 'domain root' directory specified in the remote start configuration,
  must contain a copy of the file 'SerializedSystemIni.dat' that was created along
  with the domain, in order to boot when an AD authenticator is configured. If an
  AD authenticator is not configured, no file is required. This was not a platform
  specific issue; on Win2K I had configured the 'domain root' remote start parameter
  to point to an existing domain root and not a new directory.
  "Andrew Walker" <[email protected]> wrote:
  >
  Has anyone managed to setup a WLS 7.0 Active Directory authenticator
  and booted
  a managed server using the node manager? I can boot the server without
  the AD
  authenticator and I can also boot the server using a script and successfully
  authenticate
  through AD. My AD control flag is set to OPTIONAL and I have also setup
  a default
  authenticator to boot weblogic - the control flag here is set to SUFFICIENT.
  This
  configuration works fine with weblogic running on W2K, but not on Solaris
  (it
  looks like the control flag is being ignored). Errors as follows
  ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01>
  <main>
  <kernel identity> <> <000000> <FileLo
  gger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000415> <System
  has file descriptor limits of - soft: 1,024, hard: 1,024>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000416> <Using e
  ffective file descriptor limit of: 1,024 open sockets/files.>
  ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01>
  <main>
  <kernel identity> <> <000418> <Allocat
  ing: 3 POSIX reader threads>
  ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <0003
  64> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException:
  Problem instantiating
  Authentication Providerjavax.management.RuntimeOperationsException:
  RuntimeException
  thrown by the getAttribute method of the Dynam
  icMBean for the attribute Credential>
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)
  ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine>
  <server01>
  <main> <kernel identity> <> <000
  342> <Unable to initialize the server: Fatal initialization exception
  Throwable: weblogic.security.service.SecurityServiceRuntimeException:
  Problem
  instantiating Authentication Providerjavax.management.
  RuntimeOperationsException: RuntimeException thrown by the getAttribute
  method
  of the DynamicMBean for the attribute Credential
  weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating
  Authentication Providerjavax.management.RuntimeOper
  ationsException: RuntimeException thrown by the getAttribute method of
  the DynamicMBean
  for the attribute Credential
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
  at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
  at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
  at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
  at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
  at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
  at weblogic.Server.main(Server.java:31)

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Unable to find user list in Active Directory Authenticator

  Hi all,
  I am using weblogic 10.3 and want to configure ActiveDirectory Authenticator for my weblogic application. We have one managed srever under admin server . I have configured a Active Directory Authenticator named "ADAuthenticator" and made following changes as per the below values:
  I set the control flag to "OPTIONAL" .
  Security Realms-->myrealm-->Providers-->ADAuthenticator-->Provider Specific
  UserName Attribute : ServiceBEA
  Principal : ServiceBEA
  Host : xxxxxx
  User Search Scope : subtree
  Group From Name Filter : (&(ServiceBEA=%g)(objectclass=group))
  Credential : xxxxxx
  Confirm Credential : xxxxxx
  User From Name Filter : (&(ServiceBEA=%u)(objectclass=user))
  Static Group Name Attribute : ServiceBEA
  User Base DN : values provided as per requirement
  Port : 389
  User Object Class : user
  Use Retrieved User Name as Principal : checked
  Group Base DN : same values as per User Base DN
  Static Group Object Class : group
  Group Membership Searching : unlimited
  Max Group Membership Search Level : 0
  These are my AD settings. After doing this i click on save and then activate changes and then restarted the admin server.
  But the problem is when i login to weblogic console to check the user list under "User and Group" i am unble to find any Active Directory users.
  I don't know where i made the mistake. Can some make me out of this trouble.
  Any help is highly appreciated.
  Thanks in advance !

  Hi Sean,
  Actually we have already a Active Directory with username "ServiceBEA" in our windows server. So i used this "ServiceBEA" as UserName Attribute in weblogic console while creating a Active Directory Authenticator.
  You mean to say that we should go for "sAMAccountName" or what? If that is the case then i have also tested with following values, but still no luck.
  UserName Attribute : sAMAccountName
  Principal : ServiceBEA
  Host : xxxxxx
  User Search Scope : subtree
  Group From Name Filter : (&(sAMAccountName=%g)(objectclass=group))
  Credential : xxxxxx
  Confirm Credential : xxxxxx
  User From Name Filter : (&(sAMAccountName=%u)(objectclass=user))
  Static Group Name Attribute : sAMAccountName
  User Base DN : values provided as per requirement
  Port : 389
  User Object Class : user
  Use Retrieved User Name as Principal : checked
  Group Base DN : same values as per User Base DN
  Static Group Object Class : group
  Group Membership Searching : unlimited
  Max Group Membership Search Level : 0
  Please advise what to be place in case of User Name Attribute.
  Any help is highly appreciated.
  Thanks in advance !

• Can't connect to Small Business Server 2003 via Active Directory

  I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
  I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
  But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
  I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
  Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!

  Hi Andbrowny, thanks for your response.
  Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
  Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
  So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
  Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
  Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.

• Active Directory Authentication in Weblogic 8.1

  Hi,
  We want to do authentication from Microsoft Active Directory using weblogic 8.1.
  I have created a Active directory and
  configured weblogic from console to use it. But it is still not working. Your
  help with these question would be highly
  appreciated.
  1. Is there anyone in group who have tried this before. Please let me know how
  to proceed.
  2. Is there any tool by which I can get to know the different attribute asked
  for configuration in Weblogic?
  3. I am not able to login to my application after configuration. Is there any
  other way to come to know whether it is working
  or not?
  There could be plethora of reason but nothing which can come to my mind. Everything
  seems to be configured correctly. Here is
  portion of my config.xml related with authentication:
  <FileRealm Name="wl_default_file_realm"/>
  <PasswordPolicy Name="wl_default_password_policy"/>
  <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
  <Security GuestDisabled="false" Name="vendavo-dev"
  PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm" RealmSetup="true">
  <weblogic.security.providers.authentication.DefaultAuthenticator
  ControlFlag="SUFFICIENT"
  Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.DefaultIdentityAsserter
  ActiveTypes="AuthenticatedUser"
  Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultRoleMapper
  Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAuthorizer
  Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAdjudicator
  Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.credentials.DefaultCredentialMapper
  Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.authentication.UserLockoutManager
  Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.Realm
  Adjudicator="Security:Name=myrealmDefaultAdjudicator"
  AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
  =myrealmADAuthenticator"
  Authorizers="Security:Name=myrealmDefaultAuthorizer"
  CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
  DefaultRealm="true" DisplayName="myrealm"
  Name="Security:Name=myrealm"
  RoleMappers="Security:Name=myrealmDefaultRoleMapper"
  UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
  <weblogic.security.providers.pk.DefaultKeyStore
  Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
  ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
  DisplayName="ADAuthenticator" FollowReferrals="false"
  GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
  Name="Security:Name=myrealmADAuthenticator"
  Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
  </Security>
  First, of all is it possible to use Active Directory authentication in Weblogic
  without writing any custom code. If yes, how?
  Thanks in advance,
  Amit Tyagi

  Amit,
  We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
  and downs though.
  |
  |
  1) First, make sure you are sending right LDAP queries to AD. To verify this,
  we used free 3rd party LDAP browser from Softerra. There is also java based free
  browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
  Play with your LDAP settings using this and make sure AD is returning the right
  data.
  |
  2) AD has some default settings that makes it return only the top 1000 users.
  Use ntdsutil.exe to modify these default settings
  |
  3) AD needs to have the right set of users and groups. To configure this, refer
  to WLS docs. This is very well documented in WLS docs. Also refer to this article
  http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
  reference
  |
  4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
  one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
  another product AD/AM (AD in Application Mode) in combination with MIIS server.
  But if you are using sp2, you shouldn't be worry about this.
  |
  5) In your providers, you might want to get rid of the DefaultAuthentication provider,
  once you are able to establish a connection with your ActiveDirectoryAuthentication
  provider. The DefaultAuthentication provider causes some problems and does not
  let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
  investgated the root of this prob. When we deleted DefaultAuthentication provider,
  everything worked normally - so we didn't really care that much :-)
  |
  6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
  your are able to authenticate talk to your AD.
  |
  These are the ones I could think of. Hope this helps..
  Regards,
  Anant
  "Amit" <[email protected]> wrote:
  >
  Hi,
  We want to do authentication from Microsoft Active Directory using weblogic
  8.1.
  I have created a Active directory and
  configured weblogic from console to use it. But it is still not working.
  Your
  help with these question would be highly
  appreciated.
  1. Is there anyone in group who have tried this before. Please let me
  know how
  to proceed.
  2. Is there any tool by which I can get to know the different attribute
  asked
  for configuration in Weblogic?
  3. I am not able to login to my application after configuration. Is there
  any
  other way to come to know whether it is working
  or not?
  There could be plethora of reason but nothing which can come to my mind.
  Everything
  seems to be configured correctly. Here is
  portion of my config.xml related with authentication:
  <FileRealm Name="wl_default_file_realm"/>
  <PasswordPolicy Name="wl_default_password_policy"/>
  <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
  <Security GuestDisabled="false" Name="vendavo-dev"
  PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm" RealmSetup="true">
  <weblogic.security.providers.authentication.DefaultAuthenticator
  ControlFlag="SUFFICIENT"
  Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.DefaultIdentityAsserter
  ActiveTypes="AuthenticatedUser"
  Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultRoleMapper
  Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAuthorizer
  Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAdjudicator
  Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.credentials.DefaultCredentialMapper
  Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.authentication.UserLockoutManager
  Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.Realm
  Adjudicator="Security:Name=myrealmDefaultAdjudicator"
  AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
  =myrealmADAuthenticator"
  Authorizers="Security:Name=myrealmDefaultAuthorizer"
  CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
  DefaultRealm="true" DisplayName="myrealm"
  Name="Security:Name=myrealm"
  RoleMappers="Security:Name=myrealmDefaultRoleMapper"
  UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
  <weblogic.security.providers.pk.DefaultKeyStore
  Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
  ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
  DisplayName="ADAuthenticator" FollowReferrals="false"
  GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
  Name="Security:Name=myrealmADAuthenticator"
  Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
  </Security>
  First, of all is it possible to use Active Directory authentication in
  Weblogic
  without writing any custom code. If yes, how?
  Thanks in advance,
  Amit Tyagi

• Active Directory Authentication and permissions for user group in APEX 4.0

  Hello,
  I am new to oracle APEX and I have searched the forum for active directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow; in order to implement AD authentication for a user group in Oracle APEX 4.0.
  These are the threads which i was looking at to get an idea like how AD authentication works but its really confusing for me.
  Help with Authentication (APEX_LDAP.AUTHENTICATE)
  Re: LDAP Authentication Via Groups
  Thanks,
  Tony

  You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.