Channel: Directory Services forum

ADFS Forms Authentication not continuing after proper sign in.


I have ADFS deployed and setup and it's working great. It is also connected to Azure.

With Internet Explorer I can sign on via Windows auth. I cannot sign on with Chrome or Firefox with forms. If I set auth to forms only and I use Internet Explorer, it prompts me for login instead of actually using the form.

If I enter an incorrect password it displays an error like normal. However, if I enter my account correctly, it just goes back to the forms page like I just got there. The password is blank and it does not continue. No errors in the event log unless I use a bad password.

This is the same for the test page or normal auth. Not sure what else to check.

Thank you


Need help on ADFS 4.0

I am testing ADFS IdP. It is working fine for Windows authentication. It gets authenticated and shows "you're logged in". But for forms authentication, it redirects back to the IdP login page immediately after authenticating successfully. What could be the causes and how to fix it?

Event 11 The KDC encountered duplicate names while processing a Kerberos authentication request. (of type KEY ID)


I have recently migrated a Windows 2012 R2 DC to Windows Server 2016. Afterwards I started noticing a series of this particular error.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          11/27/2018 9:24:24 AM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BBL-DC-CDC01.bd.bracbank.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 (of type KEY ID). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763 in Active Directory.

Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-27T03:24:24.310757900Z" />
    <EventRecordID>3984</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>BBL-DC-CDC01.bd.bracbank.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Name">D5B2E9E1E8C74C45D7F939E93ED09C7B0315FE69EE06D2F2458E0A050E453763</Data>
    <Data Name="Type">KEY ID</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>

I have been struggling with this error for the last few days. Even though Event 11 is a very common error and there are clear instructions on how to mitigate the error, they fail to address my specific scenario.

All the solutions I have found so far are related to "Type DS_SERVICE_PRINCIPAL_NAME", but mine is "Type KEY ID". Basically this error says that the KDC encountered duplicate names and then spits out a large hexadecimal string rather than saying which SPN is duplicated. Therefore, it's difficult to solve the issue with the "setspn" cmdlet.

I'm an amateur when it comes to Windows Server Active Directory, so any help is highly appreciated. Thanks.

Windows cannot move object error...


Hi everyone!

Can someone help me with this error when I try to move a user object to another OU?


Doria

How to change wireless(SSID) password (Pre-Shared Key) by GPO in active directory Server


Dear Cherry

I want to automatically change the wireless (SSID) password (pre-shared key) by GPO on the Active Directory server, only for AD users connected to the wireless SSID; the password policy will change every three months. Please advise me.

Regards | Parvez



Is there any script for finding out AD users inactive for more than 45 days and sending an email to the respective user's manager?


Hello All,

I am looking for a script for finding out AD users inactive for more than 45 days and sending an email to the respective user's manager.


Thanks

GroupWise Policy Deploy


Dear Team

I want to deploy Active Directory policy only group-wise, so that all devices (computers) in a group are then configured by the GPO setting.

Note: I do not apply AD policy to an OU.

Please advise and share documents.

Trusting AD CS CA issued SSL in another AD Domain that has no trust relationship

Hello - We have two 2016 level AD domains. They are not in a forest and there's no trust relationship.

One domain controller in the 1st domain (DMZ) has the AD CS role and I have issued a CA SSL (server auth) cert to the WSUS in the same domain. The WSUS will serve as the WSUS for both AD domains, DMZ and Domain2.

Currently, Domain2 GP is configured to deliver the certificate to the Trusted Root Certification Authorities store. The machines in the test are receiving the certificate successfully and GP is processing without issues. All the GP settings pushed by the group policy are correct for the WSUS URL, and there is no FW in the middle. The machines can check into our previous WSUS in the DMZ domain that is not secured over SSL.

Those client computers in Domain2, however, fail to check for updates with the new SSL-configured WSUS with error 800b0109.

Viewing the SSL certificate certification path on the Domain2 machines shows the message "the issuer of this certificate could not be found".

The question is, is it possible to have the DMZ CA SSL cert trusted by the secondary domain (Domain2) computers so that WSUS can be secured with SSL across domains?

Thank you for any advice.


Windows 2019 Domain Controller


Hello All,

I need some advice here. We currently have a Win 2012 R2 DC and are planning to upgrade to a Win 2019 DC.

Please let us know if we have to extend the schema or just get a new server with the 2019 OS and promote it?

Regards

Aamir Masthan

ADMT 3.2 User Migration issue


I am using ADMT 3.2 for inter-domain user migration within the forest.

After the migration below issues are occurring:

1. The UPN suffix is getting changed. I know this is common, but it's not setting it to the destination domain suffix; instead it is using one of my email domain suffixes which I have manually added in UPN suffixes under Domains and Trusts.

2. "User must change password at next logon" is getting checked.

3. While checking the creation date I found the user is showing as a newly created user at the destination, and sIDHistory is showing some values, which is contradictory since of course I am doing a migration and not newly creating the users in the destination domain.

I checked GPO and nothing is related to this.

I checked the UPNSuffix attribute for the domain in case it is hardcoded somehow via GPO or OU properties, but this is not the case either.

Is there something that needs to be checked in ADMT, or is this related to something else? Please help me with your feedback.

DNS server and AD server


Newly configured one DNS (jkil.local) Server 2012 R2, made it DNS and configured AD.

I want to rename the domain from jkil.local to jkumar.local,

but the domain name is still showing as JKIL.local. When I use rendom /upload it shows the error "a domain rename process already in progress". Please suggest what needs to be done.

Ways to seamlessly migrate an existing DC (Windows Server 2012) to a new server (Windows Server 2016).


I have an existing domain, but I was given a task to reconfigure a new one.
I have zero experience in this field, so maybe some/all of my questions may sound stupid to you gurus.
1) How do I create a new DC without the need to manually reconnect each and every client to the "new domain"? It seems to me that the new domain should have a new UUID even if it has the same name as the previous one? What is the industry-standard way to do it? Do I need to migrate from the old server to a new one? Or isn't it enough just to migrate, and do I have to add a new DC to an existing forest?
2) What are the instruments to migrate DNS, DHCP, GPO, and Active Directory itself? Is there a way to migrate it selectively, so wrong settings from the previous DC won't go to the new one?
3) How do I properly install a new DC with minimum downtime? Is there a proper way?

Is it possible to do it seamlessly without copying all the settings from the previous DC?

Local Security Policy cannot be contacted


Hi,

We have two Windows 2012 DCs. After the primary DC went down, users were unable to log in to an RDP server and were getting the error message "Local security policy cannot be contacted". Does this mean the second DC is not working fine? Both DCs have the same roles installed.

Thanks.

Default CA certificate expiring, cannot issue past its own expiration date


Server 2012 R2 DC with a single CA in AD that has an expiration date in November, installed in 2010.

Planning to run All Tasks | Renew CA Certificate to update it. No pending requests; all issued certs in all panes have expired... I'm concerned that updating the certificate will muck something up with AD. Should I just go ahead and renew it, or is there a way to test first if anything is using it? I generated two certs against the CA and they both terminate at the end date of the CA's cert. When I do renew, the soon-to-expire one is still active until it expires, correct?

Set a specific expiration date in AD


I want to set a 1-day password expiration in AD. How can I do that?


Computer restarts A critical system process, "failed with status code c0000005" - Windows 10

Hello,

My computer is automatically restarting. When I consulted the Event Viewer, the error was as follows:

"A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted."

Active Directory Domain services monitoring

Hello, I'm using Active Directory on Windows Server 2016. Another application in my company, which runs on Linux, is connected to my DC. Sometimes this application can't synchronize users from my DC. I want to prove that the problem isn't on my side, but I can't find any event logs related to this problem. I need monitoring software to show them logs; please, any advice. Thanks

Shota Tadumadze

Event id 4776


Hi,

I have configured the setting in the Default Domain Controllers Policy "Send NTLMv2 response only. Refuse LM and NTLM".

One of my domain users generated 1000 event ID 4776 entries with error code C000006A.

He used a workgroup PC and configured his domain account in a script.

The particular script failed to execute on the workgroup PC.

The domain controller did not lock out the account even after 1000 failed login attempts.

I don't have any fine-grained password policy configured.

May I know the reason the lockout was not triggered?



How to set number of group members?


Dears,

We have several locations in our organization that are divided into groups in AAD. Each group has a license assigned that is automatically assigned to members of this group. I would like to limit the number of members of individual groups so as not to exceed the number of licenses intended for the group. Unfortunately, I don't see this option anywhere in Azure. Groups are synchronized to AAD from our local AD, in which it is also not possible to set the number of members of a particular group other than the default.

Do you have any idea how to do this? No matter whether in AD or AAD. I will be very grateful for all the subordinates.


error: 5 (Access is denied) RODC (Win Srv 2012) with DC (Win Srv 2016)


Good Day Dears,

I'm trying to add an RODC (Windows Server 2012 R2) to a DC (Windows Server 2016) and I get error: 5 (Access is denied).

Note that my user is a member of: Administrators, Domain Admins, Allowed RODC Password and Enterprise Admins.

Also I tried to add it from the DC, via Pre-create Read-only Domain Controller account.

Br,

Ahmed Maxsood
