Channel: Directory Services forum

WS Federation with RDWEB


Hi,

I have a Windows 2012 server with RDWeb. I am trying to configure ADFS with it. I installed WIF and modified all my web.config files accordingly. But when I try to access RDWeb I get redirected to ADFS and, after authentication, I get the error below. Can someone throw some light on this?

Server Error in '/RDWeb/Pages' Application.

Unable to cast object of type 'Microsoft.IdentityModel.Claims.ClaimsIdentity' to type 'System.Security.Principal.WindowsIdentity'.

[InvalidCastException: Unable to cast object of type 'Microsoft.IdentityModel.Claims.ClaimsIdentity' to type 'System.Security.Principal.WindowsIdentity'.]
   Microsoft.TerminalServices.Publishing.Portal.RapWebService.GetRemoteApps(String strSid) +156
   Microsoft.TerminalServices.Publishing.Portal.WebFeed.GetDataForFeed(String userSid, String folderName, Dictionary`2& resource_list, Dictionary`2& ts_list, List`1& folders) +394
   Microsoft.TerminalServices.Publishing.Portal.WebFeed.GenerateFeed(String userSid, FeedXmlVersion xmlVersion, String folderPath, Boolean writeXmlDecl) +354
   ASP.en_us_default_aspx.Page_PreInit(Object sender, EventArgs e) +1805
   System.Web.UI.Page.PerformPreInit() +49
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1844


Updating AD schema from version 47 to version 56 in Windows 2008 R2 forest/domain environment

I have a Server 2008 R2 domain environment with 2008 R2 domain and forest functional levels. I just upgraded some file servers to Server 2012 to take advantage of deduplication, but now I find that quotas no longer work. Searching online, I've found that I need to update my AD schema to version 56 so that I can use Server 2012 quotas. I don't plan on upgrading the domain to Server 2012 just yet. My question is: can I upgrade the schema to version 56 in my current Server 2008 R2 environment? What issues, in general, may I encounter if I do this?

Username Variable in Profile Path ADAC


Does anyone know how to get the "Profile Path" for a user to act the same within Active Directory Administrative Center as it does in ADUC? In other words, in AD Users and Computers one can enter "\\domain\folder\%username%" and it will automatically repopulate the field with "\\domain\folder\actual.username". ADAC seems to treat this field strictly as text, leaving the field as "\\domain\folder\%username%". No variable accepted.

-Eric

Kerberos Authentication not working for a single user on Server 2012


We have a service account that has an unusual authentication problem. The account runs fine on our Server 2008 R2 server, but the same account does not appear to be able to use Kerberos for authentication with the domain controller. You get logged in, but you get a balloon tip that says:

"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

Logging out or rebooting doesn't help.

We also noticed that the Kerberos logon does not complete successfully when trying to use the service account to connect to a SQL server on a different box. During the SQL server connection process we are able to get a network capture, and have noticed that Kerberos fails requiring preauth (which we understand to be normal), but we never see a successful Kerberos authentication with the domain controller in the network trace or the security logs. If we turn off pre-authentication, we can see that the issue is related to encryption, due to the krb5kdc_err_etype_nosupp error.

So we believe we have an encryption issue, except that if anyone else logs into the server, none of these problems exist. We have made this account a member of the same groups that I am a part of (way more rights than required), and we have put the account in the same OU as my account. My account works just fine for everything. The service account doesn't seem to authenticate properly. Even in Kerbtray I see no indication of issued Kerberos certificates.

This service account has rights in Active Directory, Exchange, and SQL databases. I don't want to recreate it if I don't have to, but I cannot figure out why it doesn't work right. Any help pointing me to what I have overlooked would be appreciated.
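KDC_ERR_ETYPE_NOSUPP means the KDC found no Kerberos key type in common between what the client asked for and what it holds for the account, so the first thing to compare between the failing service account and a working user account is the per-account encryption-type settings. The check below is an added example, not code from the post; it assumes the RSAT ActiveDirectory module, and the two account names are placeholders.

```powershell
# Added check (not from the original post). Decodes the Kerberos encryption-type
# settings of an account so a failing account can be compared with a working one.
Import-Module ActiveDirectory

function Get-KerberosEtypeInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes', userAccountControl, servicePrincipalName, PasswordLastSet

    # bit values of msDS-SupportedEncryptionTypes
    $etypeBits = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128-CTS-HMAC-SHA1-96'; 16 = 'AES256-CTS-HMAC-SHA1-96' }
    $value = $u.'msDS-SupportedEncryptionTypes'
    $etypes = if ($null -eq $value) { '(attribute not set: KDC defaults apply)' } else { ($etypeBits.Keys | Where-Object { $value -band $_ } | ForEach-Object { $etypeBits[$_] }) -join ', ' }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        SupportedEtypes = $etypes
        # 0x200000 = USE_DES_KEY_ONLY, the "Use Kerberos DES encryption types for this account" checkbox;
        # DES is disabled by default on Windows 7 / Server 2008 R2 and later, so a DES-only account gets ETYPE_NOSUPP there
        UseDesKeyOnly   = [bool]($u.userAccountControl -band 0x200000)
        # keys for newer etypes are only derived when the password is set, so an old password can lack them
        PasswordLastSet = $u.PasswordLastSet
        SPNs            = ($u.servicePrincipalName -join '; ')
    }
}

# compare the failing service account with an account that works (placeholder names)
Get-KerberosEtypeInfo -SamAccountName 'svc-placeholder'
Get-KerberosEtypeInfo -SamAccountName 'working-user-placeholder'
```

If the two rows differ only in `UseDesKeyOnly` or in the etype list, that difference is the first thing to correct, followed by a password reset so the account gets keys for the enabled types; the KDC's own view can be confirmed with the 4768/4771 events on the domain controller.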

Cannot add user from trusted domain to Administrators group


I have a migration scenario where I Plan to use ADMT for migration.

The source domain is Windows 2003 R2 and the target domain (newly created) is Windows 2008 R2. I have already created a two-way external trust between the two domains. However, when I want to add the 'administrator' user from the target domain to the source domain's built-in "Administrators" group, it does not allow me to do this. Why??

can anyone help?

ADFS 3.0 Event 364 - Invalid Length for Base-64


Hello,

I'm receiving the following error when trying to authenticate a remote internet user via WAP and ADFS 3.0:


Encountered error during federation passive request. 

Additional Data 

Protocol Name: 


Relying Party: 


Exception details: 
System.FormatException: Invalid length for a Base-64 char array or string.
   at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.DecodeMessageInternal(String message)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

However, if I connect to the application internally (skipping WAP) I can authenticate fine. I've tried researching the specific exception regarding invalid length but I have yet to find any relevant information.

Regards,

Ryan
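The exception in the post is thrown by `Convert.FromBase64String` while AD FS decodes the SAML HTTP-Redirect binding parameter, so the value that reaches AD FS through WAP is not the base64 string the client sent. The diagnostic below is an added example, not from the post or from Microsoft: it decodes a `SAMLRequest` value the way a query-string parser does and reports the usual ways such a value breaks (a `+` turned into a space by a second URL-decode, a lost `=` padding, a truncated value). The `Test-SamlRedirectParameter` name and the sample AuthnRequest are constructed for this example.

```powershell
# Added diagnostic (not from the original post). Explains why a SAML redirect-binding
# value fails base64 decoding, and inflates it when it is intact.
Add-Type -AssemblyName System.Web

function Test-SamlRedirectParameter {
    param([Parameter(Mandatory)][string]$RawValue)

    # Decode as a query-string parser does: %xx escapes are resolved and '+' becomes a space.
    # If a hop in front of the server already decoded the value once, every '+' in the
    # base64 text is now a space and the alphabet check fails.
    $decoded = [System.Web.HttpUtility]::UrlDecode($RawValue)

    $problems = @()
    if ($decoded -match ' ')                          { $problems += "contains spaces: a '+' was probably URL-decoded twice" }
    if ($decoded -notmatch '^[A-Za-z0-9+/ ]*={0,2}$') { $problems += 'contains characters outside the base64 alphabet' }
    if ($decoded.Length % 4 -ne 0)                    { $problems += "length $($decoded.Length) is not a multiple of 4: value truncated or '=' padding lost" }
    if ($problems.Count -gt 0) {
        return [pscustomobject]@{ Valid = $false; Problems = $problems; Xml = $null }
    }

    $bytes = [Convert]::FromBase64String($decoded)
    # HTTP-Redirect binding carries raw DEFLATE (no zlib header) of the XML message
    $ms = New-Object System.IO.MemoryStream -ArgumentList (,$bytes)
    $ds = New-Object System.IO.Compression.DeflateStream -ArgumentList $ms, ([System.IO.Compression.CompressionMode]::Decompress)
    $sr = New-Object System.IO.StreamReader -ArgumentList $ds, ([System.Text.Encoding]::UTF8)
    $xml = $sr.ReadToEnd()
    $sr.Dispose()
    return [pscustomobject]@{ Valid = $true; Problems = @(); Xml = $xml }
}

# Constructed sample: a minimal AuthnRequest, deflated and base64-encoded locally.
$sampleXml = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-example" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"/>'
$out = New-Object System.IO.MemoryStream
$def = New-Object System.IO.Compression.DeflateStream -ArgumentList $out, ([System.IO.Compression.CompressionMode]::Compress), $true
$raw = [System.Text.Encoding]::UTF8.GetBytes($sampleXml)
$def.Write($raw, 0, $raw.Length)
$def.Dispose()
$encoded = [Convert]::ToBase64String($out.ToArray())

# 1. as a well-behaved client sends it: percent-encoded exactly once -> Valid, Xml populated
Test-SamlRedirectParameter -RawValue ([System.Uri]::EscapeDataString($encoded))

# 2. a value whose '+' characters arrive un-encoded (constructed token "+/+/"): the parser turns them into spaces
Test-SamlRedirectParameter -RawValue '+/+/'

# 3. the same request with its last character cut off: length is no longer a multiple of 4
Test-SamlRedirectParameter -RawValue ([System.Uri]::EscapeDataString($encoded.Substring(0, $encoded.Length - 1)))
```

Run it against the `SAMLRequest` value captured at the client, at the WAP, and at the AD FS server: the hop where the result changes from valid to a reported problem is the one altering the parameter.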

After joining an iMac to the domain I lost all access! AD issue


Hello,

We have a 2008 Standard server which is the DC, DNS, Print and File server.

Yesterday I joined an iMac to the domain and it seems to have caused all hell to break loose... unless it was just a random coincidence!

Basically, right after joining the mac to the domain, I tried to log on to the server locally, only to find out that my creds were not working. I get an error message saying: "The user name or password is incorrect."

Also, no-one else can log in to the domain. They get "Access denied."

I can connect via RDP but get the same error when trying to login, and I can connect to services via RSAT and AD, DNS, etc services show up as 'Started'.

DCDIAG returns: LDAP bind failed with error 8341

and the System Event log shows:

Level | Date/Time | Source | Event ID | Task Category | Message
Warning | 17/06/2014 17:07:48 | Microsoft-Windows-Time-Service | 12 | None | Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Error | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1059 | None | The DHCP service failed to see a directory server for authorization.
Information | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1044 | None | The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain xxxxxxxx.local, has determined that it is authorized to start. It is servicing clients now.
Error | 17/06/2014 17:07:46 | Microsoft-Windows-DHCP-Server | 1059 | None | The DHCP service failed to see a directory server for authorization.
Warning | 17/06/2014 17:07:45 | Microsoft-Windows-DHCP-Server | 10020 | None | This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
Information | 17/06/2014 17:07:41 | Microsoft-Windows-ResourcePublication | 104 | None | The service is publishing to the network.
Warning | 17/06/2014 17:07:37 | Microsoft-Windows-DHCP-Server | 1056 | None | The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-DfsSvc | 14531 | None | DFS server has finished initializing.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-DfsSvc | 14533 | None | DFS has finished building all namespaces.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-Time-Service | 143 | None | The time service has started advertising as a good time source.
Information | 17/06/2014 17:07:36 | Microsoft-Windows-Time-Service | 139 | None | The time service has started advertising as a time source.
Warning | 17/06/2014 17:07:29 | LsaSrv | 40960 | (3) | The Security System detected an authentication error for the server ldap/ITSERVER01.xxxxxxxx.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Information | 17/06/2014 17:07:09 | Microsoft-Windows-Spooler-LPDSVC | 4000 | None | The Line Printer Daemon (LPD) service started successfully. No user action is required.
Warning | 17/06/2014 17:07:01 | Microsoft-Windows-Kerberos-Key-Distribution-Center | 29 | None | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Information | 17/06/2014 17:06:52 | Microsoft-Windows-FilterManager | 6 | None | File System Filter 'luafv' (6.0, 19/01/2008 06:30:35) has successfully loaded and registered with Filter Manager.

DNS Event Log:

Date | Time | Source | Type | Category | Event ID | User | Computer | Description
17/06/2014 | 17:08:46 | DNS | Error | None | 4007 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server was unable to open zone 137.251.10.in-addr.arpa in the Active Directory from the application directory partition DomainDnsZones.xxxxxxxxxx.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/2014 | 17:08:08 | DNS | Error | None | 4000 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
17/06/2014 | 17:07:14 | DNS | Warning | None | 4013 | N/A | ITSERVER01.xxxxxxxxxx.local | The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I'm at a loss as to what to do... 

Windows Active Session logon state security event viewer


Hi Team,

I have a question.

I have already enabled the audit logging policy from GPO, especially logon/logoff auditing.

On the server, Event Viewer (Security / Audit Success) shows the logoff and logon event IDs: 4634 for logoff and 4624 for logon.

My questions are:

1. Why does Event Viewer always show the computer name in the account name information of the 4624 logon event?

Can I get the user name from event ID 4624?

2. In event ID 4634 (logoff), the security ID and account name always show the computer account.

Can I get the user name too?

3. What if the active logged-on user never logs off (I mean the user only disconnects from the RDP session)?

Can I get information from the security event log about which users are actively remoted into the server?

Thanks

Regards :)
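In event 4624 the "Subject" section names the account that requested the logon, which on a server is often the machine account, while the user who actually signed in is in the "New Logon" section (the `TargetUserName` field of the event data); 4634 likewise carries the user in `TargetUserName`. An RDP disconnect does not produce 4634 at all; it produces 4779 (session disconnected), and a later reconnect produces 4778. The script below is an added example, not from the post: it reads those four events from the Security log, skips machine accounts (SAM names ending in `$`), and lists logons that have no matching logoff for the same logon ID, which is the set of sessions still open. It assumes it is run elevated on the server with logon auditing enabled, as the post describes.

```powershell
# Added example (not from the original post). Lists user logons/logoffs and RDP
# reconnect/disconnect events with the real user name, then the sessions still open.
$ids = 4624, 4634, 4778, 4779   # logon, logoff, RDP session reconnected, RDP session disconnected

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # the structured fields live in the EventData part of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4624/4634 use TargetUserName/TargetDomainName/TargetLogonId/IpAddress;
    # 4778/4779 use AccountName/AccountDomain/LogonID/ClientAddress
    $user    = if ($d.ContainsKey('TargetUserName'))   { $d['TargetUserName'] }   else { $d['AccountName'] }
    $domain  = if ($d.ContainsKey('TargetDomainName')) { $d['TargetDomainName'] } else { $d['AccountDomain'] }
    $logonId = if ($d.ContainsKey('TargetLogonId'))    { $d['TargetLogonId'] }    else { $d['LogonID'] }
    $source  = if ($d.ContainsKey('IpAddress'))        { $d['IpAddress'] }        else { $d['ClientAddress'] }

    # machine accounts end in "$"; these are the "computer name" entries the asker sees
    if ([string]::IsNullOrEmpty($user) -or $user -match '\$$' -or $user -eq 'SYSTEM') { continue }

    $action = switch ($e.Id) { 4624 { 'Logon' } 4634 { 'Logoff' } 4778 { 'RDP reconnect' } 4779 { 'RDP disconnect' } }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Action    = $action
        User      = "$domain\$user"
        LogonType = $d['LogonType']   # 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP)
        LogonId   = $logonId
        SourceIp  = $source
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Interactive/RDP logons with no 4634 for the same logon ID are sessions that are still open,
# including RDP sessions that were only disconnected (4779) and never logged off.
$open = $rows | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in 2, 10 } |
        Where-Object { $lid = $_.LogonId; -not ($rows | Where-Object { $_.EventId -eq 4634 -and $_.LogonId -eq $lid }) }
$open | Format-Table Time, User, LogonType, SourceIp -AutoSize
```

For the current state rather than the history, `query session` (or `quser`) on the server shows each session as Active or Disc, which is the quickest cross-check for question 3.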


ADMT Error 7585, An operations error occurred.


I am having a problem with cross-forest migration with ADMT. I have a source domain which is Win 2003 R2 and the target domain is Win 2008 R2. I've already created a two-way external trust and also added the target domain administrator to the Administrators group of the source domain.

I need to move mailboxes from the source domain Exchange 2010 to the target domain Exchange 2010.

ADMT 3.2 is installed on a member server in the target domain with SQL Express 2008 SP1.

However, when I try to migrate any user using ADMT it starts to run but gives me the following error:

"ERR3:7585 The account replicator is unable to continue.   An operations error occurred."

I already have forwarders in the DNS servers for each domain to resolve the other, and I get the correct response when I ping the target domain from the source domain DC and vice versa. I've also checked that auditing is enabled on both sides.

What's the problem now and how do I resolve it?

Reset All Users Password not to expire and the same password


Hi

I need to do a bulk reset of around 200 people in a test environment, and I need to reset everyone's password to the same password and set it never to expire.
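One way to do exactly what the post asks, scoped so it cannot touch accounts outside the test population, as an added example that is not from the post. It assumes the RSAT ActiveDirectory module, an OU that holds the test accounts (the DN is a placeholder), and "Reset password" rights on those objects; the password is read interactively rather than hard-coded in the script.

```powershell
# Added example (not from the original post). Sets one password on every enabled user
# under a test OU and clears password expiry, then reports any account it missed.
Import-Module ActiveDirectory

$testOu   = 'OU=TestUsers,DC=lab,DC=local'                      # placeholder: OU holding the ~200 test accounts
$password = Read-Host 'Password to set for all test users' -AsSecureString
$started  = Get-Date

$users = Get-ADUser -SearchBase $testOu -SearchScope Subtree -Filter 'Enabled -eq $true'

foreach ($u in $users) {
    try {
        # -Reset sets the password directly (no old password needed); the domain password policy still applies
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $password -ErrorAction Stop
        # PasswordNeverExpires sets DONT_EXPIRE_PASSWORD in userAccountControl;
        # ChangePasswordAtLogon $false makes sure pwdLastSet is not left at 0 (forced change at next logon)
        Set-ADUser -Identity $u -PasswordNeverExpires $true -ChangePasswordAtLogon $false -ErrorAction Stop
        Write-Host "OK   $($u.SamAccountName)"
    } catch {
        # typical causes: password rejected by policy, or a protected account the caller may not reset
        Write-Warning "FAIL $($u.SamAccountName): $($_.Exception.Message)"
    }
}

# Verify: anything still set to expire, or whose password was not set during this run
Get-ADUser -SearchBase $testOu -SearchScope Subtree -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object { -not $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $started } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet
```

The verification at the end matters more than the loop: `Set-ADAccountPassword` fails per account when the value does not meet the domain or fine-grained password policy, and the report shows exactly which of the 200 were left untouched.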

AD Replication Failure Between 2 Server 2008 R2 - LDAP bind failed with error 8341


Hi everybody,

I have 2 AD servers: GDS and DC1.

They haven't been able to replicate with each other for a long time (more than 60 days).

They are placed in 2 different subnets, with no FW rule between them.

  • I can ping and resolve the DNS of both servers by nslookup
  • When I use the cmd command: net view \\domain

=> The error appears: "System error 5 has occurred. Access is denied" on both servers

  • In the event log I see some errors like Event ID 2087, 1864 on the GDS AD server

Please check this link for more detail: http://1drv.ms/1wqmeuf (the link contains images and the log files of repadmin / dcdiag)

After searching:

  • I am planning to demote and rejoin GDS to the DC1 AD server, and clean up the metadata. But what about the user account and group data? Is that lost?
  • The servers have not replicated for more than 60 days; does that mean the Kerberos password needs to be reset?

I'm lost now. Please help me set this up somehow so that these 2 servers replicate again.

If you need any information to resolve this problem, please tell me.

Thank you!!



Project Server 2007 – Windows 2008 Active Directory compatibility


Hello,

We run Project Server 2007 (PWA) on Windows Server 2003. Our company plans to upgrade Active Directory to 2008. The Active directory runs on a different server. The server which PWA runs on would not be upgraded.

Could you confirm that PWA 2007 is compatible with Windows 2008 Active Directory?

Thank you,
VK

Outlook Email Receiving only with Outgoing SMTP IP address instead of domain URL

I am new to domain systems. I set up a domain controller myself at my office, and everything was working fine, but after 3 or 4 days Outlook was unable to receive email on the client machines. The only way I found was to enter the IP address of my domain (which I have purchased and hosted with a third party) in the outgoing SMTP server address. Emails are sending well without the IP, but the only error is at receiving.
I don't know where I am going wrong. This is very annoying.
Please resolve my issue.

Thanks in advance

Workstation times being synced from wrong DC.


We have a Windows Server 2008 Standard environment with 2 DC's. The primary DC (IS10 @ .15) and a secondary DC (*A virtual machine on Hyper-V - IS14 @ .3).  We are all Windows 7, 8, and 8.1 workstations and have a problem with time synchronization. The majority of our workstations are pulling their time from IS14, our secondary domain controller. This domain controller, since it's a VM, has the wrong time (off by about 5 minutes). Some workstations are pulling from IS10 correctly.

My question is, why are some pulling from the correct source and some pulling from the wrong source? I would of course like all workstations to pull from the primary DC.


Jonathan Strader
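In the default W32Time domain hierarchy, member workstations take time from any domain controller in their domain that advertises as a time source (events 139/143 on the DC), not specifically from the PDC emulator; only the other DCs are expected to sync from the PDC emulator, and the PDC emulator from an external source. A VM whose clock drifts, or whose hypervisor integration service keeps resetting it to the host clock, will therefore hand out wrong time to whichever workstations picked it. The commands below are an added example, not from the post: the first group shows where each machine is actually getting its time, the rest configure the hierarchy so every DC-supplied time is consistent. Host names IS10/IS14 are the ones from the post; the NTP peers are placeholders.

```powershell
# Added example (not from the original post). Check and configure the W32Time hierarchy.

# --- On any workstation: which server is it syncing from, and how far off is each DC? ---
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:IS10 /samples:3 /dataonly
w32tm /stripchart /computer:IS14 /samples:3 /dataonly

# --- Which DC holds the PDC emulator role (the root of the domain time hierarchy)? ---
Import-Module ActiveDirectory
(Get-ADDomain).PDCEmulator

# --- On the PDC emulator (IS10): take time from an external source and advertise as reliable ---
# peers are placeholders; 0x8 = client mode (one-way request to the peer)
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# --- On the secondary DC (IS14, the Hyper-V VM): follow the domain hierarchy and never claim to be reliable ---
# (also turn off the VM's "Time synchronization" integration service on the Hyper-V host,
#  otherwise the host clock overrides whatever W32Time sets)
w32tm /config /syncfromflags:domhier /reliable:no /update
w32tm /resync

# --- On a workstation that picked the wrong DC: re-evaluate the hierarchy and resync now ---
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
```

Once IS14 itself is within a few seconds of IS10, it no longer matters which DC a workstation chooses; the stripchart against both DCs is the quick way to confirm that before and after the change.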

AD FS, Event 364 AD FS 2.0


I am attempting to setup AD FS 2.0 and get the following error when testing: 

https://adfs.server.local/adfs/ls/idpinitiatedsignon.aspx

Encountered error during federation passive request.

Additional Data

Exception details:
System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.SignMessage(HttpSamlMessage httpSamlMessage, PrincipalType principalType, String principalIdentifier)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.BuildSignedSamlRequestMessage(HttpRedirectSamlBindingSerializer httpRedirectSamlBindingSerializer, AuthenticationRequest authenticationRequest)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.SignOn(AuthenticationRequest authenticationRequest)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.LocalIdentityProviderSignOn(Uri returnUrl, SignOnRequestParameters parameters)

I've googled till I'm blue in the face.

I have one ADFS server set up (no ADFS proxy), and a CNAME DNS record in place. I've purchased and installed a 3rd-party SSL cert and verified permissions. I know I'm close, but what gives?

Any help is greatly appreciated.


The security database on the server does not have a computer account for this workstation trust relationship - servicePrincipalName empty


Hi

I have a remote site (with a firewall between it and HQ) where computers are added to my domain. The computer account is created fine, but when I restart and log in, I get the following message (the same after disjoining and rejoining the computer; I have never had this problem with other computers in my HQ):

The security database on the server does not have a computer account for this workstation trust relationship

> In ADSIEDIT, servicePrincipalName is empty and I don't understand why
> I join the workstation with a Domain Admins account
> I have tested the ports with PortQry (Domains and Trusts) and everything is fine

Thanks for your help

Building a New Domain Controller!

I want to build a domain controller using a domain name that is in a live environment. I will be using Windows Server 2012 R2 and plan on building up a DC which will manually hold the information that is currently stored on the current Windows 2000 server. This means adding about 25 users and about 35 computers. What would be the easiest way to go about this without affecting the current live domain controller?

AD authentication for routed local subnet


Good day,

I'm testing the addition of a routed local subnet to existing network and seem to be experiencing trouble with AD authentication.

Primary network:

  • Subnet: 192.168.0.0/24
  • Default GW: 192.168.0.1
  • PDC/DHCP/DNS1: 192.168.0.2
  • BDC/DNS2: 192.168.0.3

Routed network:

  • Subnet: 192.168.17.0/24
  • Default GW: 192.168.17.1
  • DNS1/2: 192.168.0.2/192.168.0.3

DHCP relay is configured and functioning.

Primary network gateway has persistent route for subnet 192.168.17.0/24 hopping via router IP 192.168.0.122.

Ping tests OK both ways and internet is browsable from clients in routed network.

The problem occurs when clients in the routed network attempt to access domain resources in the primary network. Using net view //test-host results in a 5-minute pause and then "Access Denied". Unable to view //test-domain/netlogon.

I have added routed subnet to existing default-first-site in AD Sites and Services.

I'm certain I'm missing something simple here and will appreciate any advice.


Domain Recovery


BACKGROUND:

I had a domain with two Server 2012 DCs: DC1 and DC2.

I decommissioned DC2 by removing the role, and had no problems. The domain appeared fine afterwards.

I then created two new Server 2012 R2 DCs: DC01 and DC02.

Again, there did not seem to be any issues with the domain and the three DCs appeared fine.

Next I transferred the FSMO roles from DC1 to DC01, then I tried to demote DC1, which complained repeatedly. I could not get DC1 to demote, and none of the logs showed the source of the problem, so after following a Petri guide on removing a dead DC, I forced the demotion of DC1 (just ticking the tick box to force it). That is when I realised that DC01 and DC02 were not sufficient, and the domain was lost.

I used a System State backup of DC1 (in Directory Services Recovery Mode) to recover that machine, and the domain is back up again; users can log in once more, but there are many errors in DCDiag. I cannot ping the domain, and when I shut down DC1, the domain is once again inaccessible.

The main problems are:

  • Since restoring DC1, the computer object does not exist in the domain
  • I cannot ping the domain (Home.net)
  • I cannot manage the domain (AD Users and Computers) from either DC01 or DC02
  • DC01 and DC02 do not have SYSVOL or NETLOGON shares (they appear never to have had them since migrating the FSMO roles - why??)

         Warning: DsGetDcName returned information for \\DC1.Home.net, when we were trying to reach DC01.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC01 failed test Advertising

WHAT I AM TRYING TO ACHIEVE:

I ultimately want to remove DC1 and keep DC01 and DC02; however, I understand this may not be possible. It IS an option to completely delete DC01 and DC02 and rebuild those machines from scratch (one physical and one VM).

My main concern is that I may lose the domain again.

Can anyone help me with this?

migration domain

I have a domain controller for ABC.local on Windows Server 2012 R2. I need to migrate to another domain in another forest, DEF.lab, also on Windows Server 2012 R2, and I have VDI services. What are the best practices for doing that?