Channel: Directory Services forum

AD FS 3.0 issue with iPads/iPhone (RelayState, cookie, MSIS7046)


Hello,

In a development environment at the moment. I set up a (browser) application called SAP Fiori and configured SAML authentication. From a desktop OS (8/10), the configuration is active and functional. IE (11), Firefox and Opera will use (internal) integrated authentication or (external) form authentication and log on.

Everything works correctly!

On iPad/iPhone (9.2), however...

When I first go to https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx, I can log on to the STS and select the site! And it works.

But when I go first to the URL fiori.domain.com, I am correctly redirected to https://sts.domain.com/adfs/ls.
The logon page is shown and when I enter the credentials, the AD FS 3 form throws the error below.

Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.CookieManagers.InvalidSamlContextException: MSIS7046: The SAML protocol parameter 'RelayState' was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
   at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext.InitializeSamlProtocolContext(Uri baseUrl, String encodedValue)
   at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext..ctor(String encodedValue, Boolean samlEnabled, Boolean wsFederationEnabled)
   at Microsoft.IdentityServer.Web.CookieManagers.RequestCookieManager.Load(Boolean samlEnabled, Boolean wsFederationEnabled, WrappedHttpListenerRequest context)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The iPad has "allow all cookies" enabled. I have tested with Safari, Firefox, Chrome and Opera, same result.

I have seen this thread also, but they gave up... https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e8be1ac-e8da-47e5-b1d7-f708b51536cb/ad-fs-3-adfs3-issue-with-ipads?forum=winserverDS

Environment setup:

F5-> WAP (2012r2)   <-> AD FS (2012r2)
       <-> SAP Fiori (App)
       <-> Topdesk (App)
       <-> ...

Thanks,

Perry

Update!

When I go the url:

https://fiori.domain.com I get the above error (you can see that you are redirected to the STS). When you enter the same URL (https://fiori.domain.com) again in the browser, you are in! So the authentication is OK, but AD FS displays an error on the logon page...



AD LDS Question - Security Groups


First off let me apologize if this was submitted into the wrong forum. Please let me know what would be the best forum and I will try to move.

I have recently set up a Server 2008 R2 AD LDS server. The idea was to use this device in the DMZ and have WordPress authenticate against the LDS server. I have a handful of users in an OU that I have exported and then imported into my LDS instance. After some troubleshooting I was able to get this going. Then management requested that a bigger handful also be allowed to authenticate against this instance, but they are all over the place as far as different OUs go, and importing them this way just seemed to be a nightmare. So I had a thought: can I create a universal security group, make all the desired users members of that group and then export/import my users that way? If so, what would I need to change?

Here is the export command I'm using:

ldifde -f diffXX.ldf -d "DC=xxx,DC=com" -p subtree -r "(&(objectcategory=person)(objectclass=user)(givenname=*))" -l "cn,givenname,objectclass"
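The following is an added example and not part of the original post: it shows how the same three attributes the poster's ldifde command exports (cn, givenName, objectClass) can be written to an LDIF file for just the members of one universal security group, so that group membership rather than OU location decides who is imported into the LDS instance. The group name, the target container DN and the LDS host/port are placeholders, not values from the post.

```powershell
# Added example, not from the original post: build an LDIF file containing only
# the members of one universal security group, so ldifde can import them into
# the AD LDS instance. Names below are placeholders, not from the post.
Import-Module ActiveDirectory

$GroupName  = 'LDS-WebUsers'                 # assumed: the universal group to export
$TargetBase = 'OU=WebUsers,DC=lds,DC=local'  # assumed: container in the LDS instance
$OutFile    = 'group-users.ldf'

# -Recursive flattens nested groups; keep only user objects, as the
# (objectcategory=person)(objectclass=user) filter in the post does.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$entries = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties givenName
    if (-not $u.givenName) { continue }      # mirror the (givenname=*) filter
    $rdn = $u.Name -replace '([,+"\\<>;=])', '\$1'  # escape RDN special characters
    "dn: CN=$rdn,$TargetBase"
    "changetype: add"
    "objectClass: user"
    "cn: $($u.Name)"
    "givenName: $($u.givenName)"
    ""
}

$entries | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $(@($members).Count) member(s) to $OutFile"

# Import into the LDS instance (assumed host and port):
#   ldifde -i -f group-users.ldf -s ldshost -t 50000
```

The file is written as plain ASCII; attribute values that contain non-ASCII characters would need the base64 (`attr:: ...`) form that LDIF defines, which this example does not handle. Only the group's membership is used for selection; the memberOf values themselves are not exported, since the LDS instance has no corresponding group object to point at.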

Member Servers not able to Query User Objects when attempting to add users to Local Remote Desktop users group


I have a member server with a terminal server role. It seems to have issues with adding active directory accounts to local account groups such as remote desktop users.

Example > Create a domain account > Go to the remote desktop users group on the server and go to Add > try to view the directory structure for objects > Expand domain > Nothing appears here and I cannot select users or active directory objects to add to the group.
Nor can I type the newly created domain account to add it to the local groups, e.g. local administrators. It just says the account cannot be found.

I get weird stuff like:

Failed to apply policy and redirect folder "Documents" to "\\servername\Users Documents\username\Documents".

Redirection options=0x80001219.

The following error occurred: "Can not create folder "\\servername\Users Documents\username\Documents"".

Error details: "The system cannot find the file specified.

".

-----------

The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

------------

Windows(R) Lightweight Directory Access Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user <NT AUTHORITY\SYSTEM>.

Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources.

Verify that the Windows user is in Active Directory Domain Services and has access permissions.

------------

Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(xxxxxxxxxxxxxxxxxxxxxxxxxx.bak).  hr = 0x80070539, The security ID structure is invalid.

-----------

Has the member server / terminal server lost trust on the domain / is a communication channel broken? (No firewalls enabled)
Why would I not be able to browse AD on this member server if it is joined to the domain and domain users are otherwise able to use this terminal server to access other member server file shares and resources without issue?

Weird behaviour change ever since removing last W2K3 DC


Ever since removing our last W2K3 DC's from AD we've noticed a clear change in password expiration behaviour for our AD users. Removing W2K3 went without a hitch, no hiccups at all. I can't find any information on this unexpected behaviour change and am hoping there's an explanation and maybe even a solution somewhere out there.

Before removing the W2K3 DCs: AD would force users to change their password at logon if the password was due to expire that same day.

After removing W2K3 DC's: AD no longer forces users to change their password if it's due to expire that same day, meaning that users just ignore the option to change their password and then logon using their soon-to-expire password which then expires after they've logged on - causing (amongst other things) Outlook 2010 to prompt for credentials and go into offline mode.

Windows 7 does briefly display a taskbar notification allowing the user to change their password without logging off - but users don't ever notice the notification so it's of no use.

What we now miss is AD forcing the user to change their password IF it's due to expire that same day.

Appreciate this is only a minor change but it's enough for users to get themselves confused, and Outlook running in offline mode then obviously delays email delivery which creates more problems.

All client machines are Windows 7 SP1. Our AD is now a mix of 2008 R2 and 2012 R2 DC's. All FSMO Roles reside on a 2008 R2 DC. We run Exchange 2010 SP3 r10 and Outlook 2010 SP2. We've raised both the DFL and FFL from 2003 to 2008 and then also to 2008 R2 but this has made no difference at all.

Can anyone clarify the definite change in behaviour that we've seen? thanks

Need to Unlock AD user Accounts Automatically


Dear All,

We are getting more than 500 tickets for unlocking AD user accounts, which is taking a lot of time and effort. So is there any tool/utility or any integrated administrative console with which users can unlock their accounts and change their passwords themselves?

E.g. the Citrix password management console, which integrates with AD and does unlock and change the password.

Thanks & Regards,

Amit Satam


adprep.exe is not a valid win32 application windows server 2003 SP2


Hi

I am migrating the active directory from windows server 2003 to windows server 2012.

When I run the command "ADPREP.EXE /FORESTPREP" I get the error "adprep.exe is not a valid win32 application windows server 2003".

So please help me out.

Regards

Manjesh Sharma

Delegation tab is missing for user account in windows server 2012 R2

Dear Experts,

I created a service account. I want to give the delegation permission to the user for any service (Kerberos only).

But I can't see the Delegation tab for the user, as below.

Any suggestions/help would be much appreciated.

adprep 2012r2 in 2008r2 domain


I was reading through all the changes that 2012r2 makes when running ADprep, most seem to be fields related to auditing.

Are there any known issues to old devices XP, server 2000 after introducing a new 2012r2 DC to a 2008r2 environment?

Or any other known issues to any MS products, we have about every combination of MC products & versions running. 


Active Directory deleting objects on move them to another OU


Hi all!

A mysterious issue... I have an OU with user accounts. At the same level in the hierarchy I have an OU to put the user accounts of employees who left the company (they are manually disabled, then moved to that OU). The disabled account OU doesn't receive any GPO, except the default domain policies that are untouchable - I apply GPOs to the OU only.

Last week, I did this with an account as usual and to my surprise, when I did the move, AD showed me the message: "Windows cannot create the object [account name here] because: directory object not found." and the account was automatically deleted!!! Checking inside this OU, all of the other accounts were deleted too! To test, I created a dummy account, moved it to that OU and the same thing happened again.

Any ideas about this? Is it possible to recover the deleted accounts?? Checking the event logs, nothing suspicious was found...

Thanks,


No computers in network neighborhood - net view returns error 53


Using Windows Server 2016 TP3 and Windows 10 clients.

When I expand the network neighborhood on the WIN10 clients, which are joined to my Domain, i'm not seeing any computers.

Trying to run the 'net view' or 'net view /domain' command returns an error 53 message. Using net view with the actual computer names, including that of the active domain controller, gives the expected results. Using these same commands on both of my domain controllers will show all the domains and workgroups in the network, and I can see all the computers in network neighborhood. Using 'nbtstat -a' for the domain controller tells me the Master Browser is active on this DC. As far as I can tell Firewalls are not active. If I remove a computer from the domain and then use 'net view' I will return all the computers in the WORKGROUP and I can see those in Network Neighborhood.

This has been working before. I'm suspecting a GPO setting that has gone wrong, or maybe a WINS configuration that is incorrect but have not been able to resolve.

Any suggestions on how to troubleshoot further?

active directory reporting tool


Hi ALL,

Could anyone help me find reporting tools for Active Directory?

Thanks

group policy


hi.

I have a LAN network and my domain servers run Windows 2008 R2.

I want to disable domain users' access to Shift+Delete on files, for security, by using Group Policy.

Please help me find this group policy. Thanks.

Issue with msDS-Behavior-Version


We have some RODCs, which we upgraded from 2008 R2 to 2012 R2. But the msDS-Behavior-Version value in NTDS Settings did not change automatically to 6. It is still 4. Can we update the attribute manually using ADSI Edit? Will there be any impact?

Thanks,

Vijayaragavan S

Change wallpaper from group policy


Hi

I need to change the wallpaper for all users on the domain, so I did that from Group Policy (User Configuration - Administrative Templates - Desktop - Desktop Wallpaper), linked the group policy to the domain and shared the wallpaper folder for Authenticated Users, for the groups and by user, but it works only for administrator users. Then I created a new group policy with just the group added and linked it to the domain, and it still does not work. If I change anything else in the policy it takes effect, but the problem is with the wallpaper; I think something is missing.

Regards

Restrict trust traffic to specific site


Hi,

we have a multi-tenant Active Directory supporting a cloud workspace based on Citrix XenApp/XenDesktop. So many customers in 1 AD, each in their own OU. We have dedicated WAN links to many customer sites.

We've received a request from 1 customer to connect our AD to their (resource) forest using a Forest Trust, but since the customer uses the same IP range as one of our other customers we've implemented Source-NAT on the WAN link. I know that AD traffic and trusts in combination with Source-NAT are unsupported, but would it be a possible (and supported!) solution to set up 2 dedicated domain controllers in a separate site and configure Sites & Services in both forests to use the same site name? In this scenario the 'Core' domain controllers in the default site would not be accessible/routable from the remote forest.


Disabled VSS eats disk space


Hi,

I have 3 domain controllers running Windows Server 2008 R2 SP1. My problem is that VSS is eating disk space. I checked the VSS configuration and it is disabled on disks C: and B:, but they are still eating disk space.

Any help would be appreciated.

Thanks a lot.

repadmin removelingeringobjects


Hello,

I have a single DC environment (that had previously demoted DCs). I've tried searching for tutorials on how to show lingering objects in AD using repadmin.

Here is the command that I see:

repadmin /removelingeringobjects <Dest_DSA_LIST> <Source DSA GUID> <NC> [/ADVISORY_MODE]

I keep coming up with a help file like thing when trying to run it. 

Since there is only one DC at this point, I am using it like this:

repadmin /removelingeringobjects  dcname   dc_guid (found by repadmin /showrep or NTDS settings) and directory path (dc=domain,dc=tld) /advisory_mode

I keep getting errors. I am not certain if it can be run against itself in a single dc environment. If anyone can provide help. Please let me know

Thanks
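As an added example, not part of the original post: the three values the repadmin syntax above asks for (destination DSA, source DSA GUID, naming context) can be read out of AD with the ActiveDirectory module instead of by hand from repadmin /showrepl or the NTDS Settings object, and the advisory-mode command line assembled for each naming context the DC hosts. The DC name is a placeholder; nothing here answers whether the command is meaningful with the same DC as source and destination.

```powershell
# Added example, not from the original post: resolve the inputs that
# repadmin /removelingeringobjects expects from AD itself and emit the
# advisory-mode command line for every naming context the DC hosts.
# 'dc01' is a placeholder for the DC name in the post.
Import-Module ActiveDirectory

$DcName = 'dc01'   # assumed DC name

$dc = Get-ADDomainController -Identity $DcName

# The "DSA GUID" repadmin wants is the objectGUID of the DC's NTDS Settings
# object, the same value repadmin /showrepl prints as "DSA object GUID".
$ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$dsaGuid = $ntds.objectGUID.ToString()

# Naming contexts come from RootDSE: domain, configuration, schema and any
# application partitions (for example the DNS partitions) held by this DC.
$ncs = (Get-ADRootDSE -Server $dc.HostName).namingContexts

# /advisory_mode only reports what would be removed, to the Directory Service
# event log; it deletes nothing.
foreach ($nc in $ncs) {
    "repadmin /removelingeringobjects $($dc.HostName) $dsaGuid `"$nc`" /advisory_mode"
}
```

The naming context is quoted because repadmin takes it as a single argument; the DC's own InvocationId is a different GUID and is not what this parameter expects.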

AD 2008 R2 - Password Blacklist


Hi,

Is there a way to restrict users in my AD 2008 R2 environment from setting their passwords to entries on a predefined blacklist? I want to restrict them from using well-known strings/words/phrases as passwords.

Thanks in advance

Chavdar

Be our Windows Server TechNet Guru of 2016 and become renowned in community and professional circles!


A new year! A new start for the TechNet Guru Awards 2016!

2015 Guru was soooo last year! 2016 Guru is where it's @ my friends!

This is when you make your mark on history and stamp your authority on your favoured technology!

This is when they shall know your name and come to appreciate your depth and breadth of knowledge!

This is... the Year of You!

All you have to do is add an article to TechNet Wiki from your own specialist field. Something that fits into one of the categories listed on the submissions page. Copy in your own blog posts, a forum solution, a white paper, or just something you had to solve for your own day's work today.

Drop us some nifty knowledge, or superb snippets, and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can truly get noticed!

HOW TO WIN

1) Please copy over your Microsoft technical solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI COMPETITION PAGE (so we know you've contributed)

3) Every month, we will highlight your contributions, and select a "Guru of the Month" in each technology.

If you win, we will sing your praises in blogs and forums, similar to the weekly contributor awards. Once "on our radar" and making your mark, you will probably be interviewed for your greatness, and maybe eventually even invited into other inner TechNet/MSDN circles!

Winning this award in your favoured technology will help us learn the active members in each community.

Feel free to ask any questions below.

More about TechNet Guru Awards

Thanks in advance!
Pete Laker


#PEJL
Got any nice code? If you invest time in coding an elegant, novel or impressive answer on MSDN forums, why not copy it over to TechNet Wiki, for future generations to benefit from! You'll never get archived again, and you could win weekly awards!

Have you got what it takes to become this month's TechNet Technical Guru? Join a long list of well known community big hitters, show your knowledge and prowess in your favoured technologies!

My AD LDS windows service stopped for some reason it cannot start anymore, I am using Windows 2008 Server R2

I have a problem with starting my AD LDS service. It started before; however, recently I found that the service has stopped and won't start again. It complains that the service cannot be started on a local computer. Please assist.