Search Results

Search found 8983 results on 360 pages for 'active attr'.

Page 20/360 | < Previous Page | 16 17 18 19 20 21 22 23 24 25 26 27  | Next Page >

  • Access Control Service: Transitioning between Active and Passive Scenarios

    - by Your DisplayName here!
    As I mentioned in my last post, ACS features a number of ways to transition between protocol and token types. One not so widely known transition is between passive sign ins (browser) and active service consumers. Let’s see how this works. We all know the usual WS-Federation handshake via passive redirect. But ACS also allows driving the sign in process yourself via specially crafted WS-Federation query strings. So you can use the following URL to sign in using LiveID via ACS. ACS will then redirect back to the registered reply URL in your application: GET /login.srf?   wa=wsignin1.0&   wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&   wreply=https%3a%2f%2fleastprivilege.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&   wp=MBI_FED_SSL&   wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252froadie%252facs2rp%252frest%252f The wsfederation bit in the wctx parameter indicates, that the response to the token request will be transmitted back to the relying party via a POST. So far so good – but how can an active client receive that token now? ACS knows an alternative way to send the token request response. Instead of doing the redirect back to the RP, it emits a page that in turn echoes the token response using JavaScript’s window.external.notify. The URL would look like this: GET /login.srf?   wa=wsignin1.0&   wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&   wreply=https%3a%2f%2fleastprivilege.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&   wp=MBI_FED_SSL&   wctx=pr%3djavascriptnotify%26rm%3dhttps%253a%252f%252froadie%252facs2rp%252frest%252f ACS would then render a page that contains the following script block: <script type="text/javascript">     try{         window.external.Notify('token_response');     }     catch(err){         alert("Error ACS50021: windows.external.Notify is not registered.");     } </script> Whereas token_response is a JSON encoded string with the following format: {   "appliesTo":"...",   "context":null,   "created":123,   "expires":123,   "securityToken":"...",   "tokenType":"..." } OK – so how does this all come together now? As an active client (Silverlight, WPF, WP7, WinForms etc). application, you would host a browser control and use the above URL to trigger the right series of redirects. All the browser controls support one way or the other to register a callback whenever the window.external.notify function is called. This way you get the JSON string from ACS back into the hosting application – and voila you have the security token. When you selected the SWT token format in ACS – you can use that token e.g. for REST services. When you have selected SAML, you can use the token e.g. for SOAP services. In the next post I will show how to retrieve these URLs from ACS and a practical example using WPF.

    Read the article

  • What does "active directory integration" mean in your .NET app?

    - by flipdoubt
    Our marketing department comes back with "active directory integration" being a key customer request, but our company does not seem to have the attention span to (1) decide on what functional changes we want to make toward this end, (2) interview a broad range of customer to identify the most requested functional changes, and (3) still have this be the "hot potato" issue next week. To help me get beyond the broad topic of "active directory integration," what does it mean in your .NET app, both ASP.NET and WinForms? Here are some sample changes I have to consider: When creating and managing users in your app, are administrators presented with a list of all AD users or just a group of AD users? When creating new security groups within your app (we call them Departments, like "Human Resources"), should this create new AD groups? Do administrators assign users to security groups within your app or outside via AD? Does it matter? Is the user signed on to your app by virtue of being signed on to Windows? If not, do you track users with your own user table and some kind of foreign key into AD? What foreign key do you use to link app users to AD users? Do you have to prove your login process protects user passwords? What foreign key do you use to link app security groups to AD security groups? If you have a WinForms component to your app (we have both ASP.NET and WinForms), do you use the Membership Provider in your WinForms app? Currently, our Membership and Role management predates the framework's version, so we do not use the Membership Provider. Am I missing any other areas of functional changes? Followup question Do apps that support "active directory integration" have the ability to authenticate users against more than one domain? Not that one user would authenticate to more than one domain but that different users of the same system would authenticate against different domains.

    Read the article

  • Examples using Active Directory/LDAP groups for permissions \ roles in Rails App.

    - by Nick Gorbikoff
    Hello. I was wondering how other people implemented this scenario. I have an internal rails app ( inventory management, label printing, shipping,etc). I'm rewriting security on the system, cause the old way got to cumbersome to maintain ( users table, passwords, roles) - I used restful_authentication and roles. It was implemented about 3 years ago. I already implemented AuthLogic with ruby-ldap-net to authenticate users ( actually that was surprisingly easy, compared to how I struggled with other frameworks/languages before). Next step is roles. I already have groups defined in Active Directory - so I don't want to run a separate roles system in my rails app, I just want to reuse Active Directory groups - since that part of the system is already maintained for other purposes ( shared drives, backups, pc access, etc) So I was wondering if others had experience implementing permissions/roles in a rails app based on groups in Active Directory or LDAP. Also the roles requirements are pretty complex. Here is an example: For instance I have users that belong to the supervisors group in AD and to inventory dept, so I was that user to be able to run "advanced" tasks in invetory - adjust qty, run reports, however other "supervisors" from other departmanets, shouldn't be able to do this, also Top Management - should be able to use those reports (regardless weather they belong to the invetory or not), but not Middle Management, unless they are in inventory group. Admins of the system (Domain Admins) should have unrestricted access to the system , except for HR & Finances part unless they are in HR ( like you don't want all system admins (except for one authorized one) to see personal info of other employees). I looked at acl9, cancan, aegis. I was wondering if there are any advantaged/cons to using one versus the other for this particular use of system access based on AD. Suggest other systems if you had good experience. Thank you!!!

    Read the article

  • IIS Not Accepting Active Directory Login Credentials

    - by Dale Jay
    I have an ASP.NET web form using Microsoft's boilerplate Active Directory login page, set up exactly as suggested. Windows Authentication is activated on the "Default Website" and "MyWebsite" levels, and Domain\This.User is given "Allow" access to the site. After entering the valid credentials for This.User on the web form, a popup window appears asking me to enter my credentials yet again. Despite entering valid credentials for This.User (after attempting Domain\This.User and This.User formats), it rejects the credentials and returns an unauthorized security headers page (error 401.2). Active Directory user This.User is valid, the IP address of the AD server has been verified and SPN's have been set up for the server. Error Code: 0x80070005 Default Web Site security config: <system.web> <identity impersonate="true" /> <authentication mode="Windows" /> <customErrors mode="Off" /> <compilation debug="true" /> </system.web> Sub web site security <authentication mode="Windows"> <forms loginUrl="~/logon.aspx" timeout="2880" /> </authentication> <authorization> <deny users="?" /> <allow users="*" /> </authorization>

    Read the article

  • jQuery .attr() crashing Internet Explorer

    - by Sunyatasattva
    Hello everyone, This is my first time posting a question here, as I usually try to find solutions myself. This one, though, being an IE issue, just drives me crazy. I use jQuery cycle plug-in on a website I made and, to populate a caption div, I use a little function that is called after the image is loaded, which uses the "alt" attribute of the image. This seems to exasperate Internet Explorer, which, doesn't have the time to fulfill this apparently so-complicated task, and, as the slideshow cycles, it enters in an infinite loop and eventually crashes – the newer the version, the worse the crash: the older IEs just display an error message saying “The webpage cannot be displayed”, while the newer (7 and 8) completely crash the system. I have no idea on how to solve or work around this. Here is the problematic code. function changeCaption() { var caption = $("img", this).attr("alt"); $('#caption').fadeIn("slow").html(caption); } Thanks in advance for any pointer: I am amazed as how something so simple and globally recognized (didn't encounter any other browser who had problem with this), can cause a problem so big. I also read somewhere that being able to crash a browser remotely is a serious issue :) Lucio

    Read the article

  • $this.attr() stops Jquery dialog from opening

    - by user342391
    I am using the following code to post my form data to player/index.php and open it in a dialog. Because I have multiple of these forms in my table I need to use $(this). But now it doesn't open in a dialog. New code (doesn't open dialog but display data in url): $("#recordingdialog").dialog({ //other options, width, height, etc... modal: true, bgiframe: true, autoOpen: false, height: 200, width: 350, draggable: true, resizeable: true, title: "Play Recording",}); $(this).click(function() { $.post('player/index.php', $(this).attr('form').serialize(), function (data) { $("#recordingdialog").html(data).dialog("open"); }); return false; }); Old code (only works on one form): $("#recordingdialog").dialog({ //other options, width, height, etc... modal: true, bgiframe: true, autoOpen: false, height: 550, width: 550, draggable: true, resizeable: true, title: "Play Recording",}); $("#wavajax button").click(function() { $.post('player/index.php', $("#wavajax").serialize(), function (data) { $("#recordingdialog").html(data).dialog("open"); }); return false; });

    Read the article

  • how to configure dns for activedirectory located on different server

    - by meera
    when we install active directory on 2k8 by dcpromo we get an option for installing dns.when we install dns with active direcory, the dns get automatically configured. but when we install active directory without a dns and the dns server is located in another server. how we will configure dns for the active directory domain installed on different server. havean attention to it reply soon thanking you

    Read the article

  • jquerymobile conflict with autocomplete : $this.attr("href") is undefined

    - by sweets-BlingBling
    When I use jquery ui autocomplete version 1.8.5 with jquery mobile alpha 2. I get an error when I click an item from the autocomplete list: $this.attr("href") is undefined. Does anyone know any fix for it? EDITED: <html> <head> <link rel="stylesheet" type="text/css" href="css/ui-lightness/jquery-ui-1.8.custom.css"> <link rel="stylesheet" type="text/css" href="css/autocomplete.css"> </head> <body> <div id="formWrap"> <form id="messageForm" action="#"> <fieldset> <label id="toLabel">select:</label> <div id="friends" class="ui-helper-clearfix"> <input id="to" type="text"> </div> </fieldset> </form> </div> <script type="text/javascript" src="js/jquery-1.4.2.min.js"></script> <script type="text/javascript" src="js/jquery.mobile-1.0a2.js"></script> <script type="text/javascript" src="js/jquery-ui-1.8.custom.min.js"></script> <script type="text/javascript"> $(function(){ var availableTags = [ "ActionScript", "AppleScript", "Asp", "BASIC", "C", "C++", "Clojure", "COBOL", "ColdFusion", "Erlang", "Fortran", "Groovy", "Haskell", "Java", "JavaScript", "Lisp", "Perl", "PHP", "Python", "Ruby", "Scala", "Scheme" ]; //attach autocomplete $("#to").autocomplete({ source:availableTags , //define select handler select: function(e, ui) { var contact = ui.item.value; createSpan(contact); $("#to").val("").css("top", 2); return false; } }); }); function createSpan(contact){ //create formatted friend span = $("<span>").text(contact) //add contact to contact div span.insertBefore("#to"); } </script> </body> </html>

    Read the article

  • Passive and active sockets

    - by davsan
    Quoting from this socket tutorial: Sockets come in two primary flavors. An active socket is con­nect­ed to a remote active socket via an open data con­nec­tion... A passive socket is not con­nect­ed, but rather awaits an in­com­ing con­nec­tion, which will spawn a new active socket once a con­nec­tion is es­tab­lished ... Each port can have a single passive socket binded to it, await­ing in­com­ing con­nec­tions, and mul­ti­ple active sockets, each cor­re­spond­ing to an open con­nec­tion on the port. It's as if the factory worker is waiting for new mes­sages to arrive (he rep­re­sents the passive socket), and when one message arrives from a new sender, he ini­ti­ates a cor­re­spon­dence (a con­nec­tion) with them by del­e­gat­ing someone else (an active socket) to ac­tu­al­ly read the packet and respond back to the sender if nec­es­sary. This permits the factory worker to be free to receive new packets. ... Then the tutorial explains that, after a connection is established, the active socket continues receiving data until there are no remaining bytes, and then closes the connection. What I didn't understand is this: Suppose there's an incoming connection to the port, and the sender wants to send some little data every 20 minutes. If the active socket closes the connection when there are no remaining bytes, does the sender have to reconnect to the port every time it wants to send data? How do we persist a once established connection for a longer time? Can you tell me what I'm missing here? My second question is, who determines the limit of the concurrently working active sockets?

    Read the article

  • Querying Active Directory in PowerShell from a Windows host that is not a member of the domain

    - by jshin47
    How can I use PowerShell [adsisearcher] to query a domain that I am not a member of? Usually I will do something like this: $myAdsi = [adsisearcher]"" $myAdsi.SearchRoot = [adsi]"LDAP://dc=corp,dc=mycompany,dc=com" $myAdsi.Filter = "objectCategory=computer" $res = $myAdsi.FindAll() If I run this snippet on a host in my domain, I get the expected result. However, if I run this from a computer that has network access to the domain (through a L2L VPN) I get the error: Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or could not be contacted. " At line:11 char:33 + $adComputers = $searcher.FindAll <<<< () + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException This is somewhat expected as I have not provided any sort of credentials to [adsisearcher] that would tell it how to authenticate. My question is: how do I let [adsisearcher] know that I want to authenticate against a domain in which I am not a member?

    Read the article

  • Active Directory FRS problems. 13508 error and other problems

    - by ITPIP
    I have 3 Domain Controllers. We will call them DC1, DC2 and DC3. DC3 and DC2 show Event ID 13508 in their FRS logs with no follow-up event(13509 I think) to say the error had been fixed. DC1's FRS log no matter what you do never shows any events besides FRS service stopped and started. DC1 holds the SYSVOL that needs to be replicated to the other DC's. The other DC's sysvol folders are empty. I have tried the burflag method of fixing this but I haven't had any luck. My procedure for that was to stop all FRS services on all DC's. Then set the burflag on DC1 to D4 and the other two DCs burflag to D2. Started FRS on DC1 and the only event's I see in DC1's FRS event logs are service stopped and service started messages. This fact is leading me to believe that something is wrong on FRS for DC1. I believe there should be events 13553 and 13516 in the FRS event logs after an authoritative sysvol restore. The other two DC's do not have anything in their SYSVOL, otherwise I would have made one of them the authoritative sysvol. DC1 is MS Server 2003 Enterprise Edition SP2 DC2 is MS Server 2003 Standard Edition SP1 DC3 is MS Server 2003 R2 Standard Edition SP2 I did not setup this domain originally but I am now the administrator of it, so I don't have a lot of background on why certain things may have been done in the past. My main goal is to try and fix these issues to get myself better prepared to decommision DC1 and add a DC running Server 2008 to my domain. Thanks.

    Read the article

  • How do I speed up load times on roaming profiles with Active Directory?

    - by user65712
    I've done some reading and apparently the main obstacle to fast remote profile syncing is that Samba takes a long time to transfer lots of little files like cookies. After reading Roaming Profiles: Best Practices , I plan to use Folder Redirection, but I want my users to be able to login as rapidly as possible, even if it means that their data is still coming in when they reach their desktop. Is there a way to do this with GPO or a third party add-on that can load user profile data faster/speed up the login process for users?

    Read the article

  • mac osx active directory authentication and linux samba share problems.

    - by Matt Delves
    As a precursor, the network setup is one that includes a combination of Novell Netware servers as well as Windows Servers and Linux servers. I've successfully been able to bind my mac to the Windows Domain and can login without any problems. I've been able to mount shares without needing to resupply login credentials to any windows based share. The problem I've found is that when I'm attempting to mount a share from a linux server, it is asking to resupply the login credentials. Has anyone experienced this kind of problem. The linux servers are a combination of SLES 10 and 11 and RHEL 4 and 5. Thanks, Matt

    Read the article

  • How can I set up Redmine => Active Directory authentication?

    - by Chris R
    First, I'm not an AD admin on site, but my manager has asked me to try to get my personal Redmine installation to integrate with ActiveDirectory in order to test-drive it for a larger-scale rollout. Our AD server is at host:port ims.example.com:389 and I have a user IMS/me. Right now, I also have a user me in Redmine using local authentication. I have created an ActiveDirectory LDAP authentication method in RedMine with the following parameters: Host: ims.example.com Port: 389 Base DN: cn=Users,dc=ims,dc=example,dc=com On-The-Fly User Creation: YES Login: sAMAccountName Firstname: givenName Lastname: sN Email: mail Testing this connection works just fine. I have, however, not successfully authenticated with it. I've created a backup admin user so that I can get back in to the me account if I break things, and then I've tried changing me to use the ActiveDirectory credentials. However, once I do, nothing works to log in. I have tried all of these login name options: me IMS/me IMS\me I've used my known Domain password, but no joy. So, what setting do I have wrong, or what information do I need to acquire in order to make this work?

    Read the article

  • How do I figure out what is changing the userWorkstations attribute in Active Directory?

    - by Martin
    I just took over the IT for a medium sized business with a three domain controllers (2003/2008 Standard) and whenever I create a new user, after some time the user account cannot log into most machines on the network. I have traced this back to the "Log On To..." area becoming populated with a small list of machines. Even when I set the option to all computers, this list comes back after some time. I started hunting for vbs and ps1 scripts with the word "workstations" in them on all domain controllers to see if there is some kind of script to blame, but I have thus far come up empty handed. Is there a known software suite that can cause this (Microsoft Forefront, etc)? How can I figure out what is causing this list to change?

    Read the article

  • How do I get Bugzilla to authenticate with Active Directory LDAP?

    - by user65712
    After reading this guide and trying a ton of permutations based on that, is there an easy way to get Bugzilla working with an AD server? I keep getting the error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 I created an AD "bugzilla" user account with "Account Operators" permission as directed. I'm not sure if the error is saying that my login is incorrect or the system login to access LDAP is incorrect. Maybe I just missed an arcane option somewhere in the settings. You'd think all I'd need to do is specify the server name. As you might have been able to tell, I don't have a lot of LDAP experience. Also, will the Sysinternals LDAP tool help here?

    Read the article

  • Migrate users from one Active Directory domain to another?

    - by Matt
    I work for a company that hosts desktops for a number of different companies. At the moment, all the clients access a single domain controller called HOSTING. Under that are groups for each company. Each of the hosting servers exist on the same network and so are therefore potentially browseable by other terminal servers. This has raised some security issues and I've found it a little tricky to manage the security. As well, it's possible to see who the other hosted companies are even though other users cannot see their data. What I'd like to do is isolate each clients terminal server/s into their own VLAN. In addition, I'm thinking that each TS would have it's own DC which could just run on the TS for that company. Overhead for a DC is fairly minimal. This would isolate users on that TS from seeing the other companies completely. Firstly, does this sound like a sensible plan? Second... if it is sensible, how would I go about pulling the accounts from the HOSTING domain to a new domain? ideally, without the need for users to change their passwords?

    Read the article

  • Need to run Domain Prep after adding new domain in Forest where OCS 2007R2 already deployed + active

    - by Cybersylum
    Hello, We have just added a new domain in our forest. We have had OCS 2007 R2 (standard) up and running in our forest for some time. However those domains were already present when we did all of the prep work (schema, forest, & domain) We will not be adding a new OCS Server in the new domain (just pointing users to the existing box). Do I need to run the domain prep again for the new domain? Thanks.

    Read the article

  • Rename Active Directory domain following Windows 2000 -> 2008 migration.

    - by ewwhite
    I'm working with a site that needs an internal DNS domain rename. It currently has a DNS name of domain.abc.com and NT name of ABC. I'm trying to get to a DNS name of abctrading.com and NT name of ABCTRADING. Split DNS would be used. The site originally ran from a single Windows 2000 domain controller hosting AD, file, print, DHCP and DNS services. There was no Exchange system in the environment. The 50 client PCs are all Windows XP with a handful of users using roaming profiles. All users are in a single OU and there are no group policy/GPOs. I'm a Linux engineer, but have been trying to guide another group of consultants to reach a more suitable setup. With the help of this group, we were able to move the single Windows 2000 system to a set of Windows 2008 R2 servers separated into domain controller and file/print systems (virtualized). We are also trying to add an Exchange 2010 system to this mix. The Windows 2000 server was demoted and is no longer in the picture. This is the tricky part, as client wants the domain renamed and the consultants aren't quite sure how to get through it without another 32-40 hours of testing/implementation. THey say that there's considerable risk to do the rename without a completely isolated test environment. However, this rename has to be done before installing Exchange. So we're stuck at this point. I'd like to know what's involved in renaming the domain at this point. We're on Windows Server 2008. The AD is healthy now. Coming from a Linux background, it seems as though there should be a reasonable path to this. Also, since the original domain appears to be a child/subdomain, would that be a problem here. I'd appreciate any guidance.

    Read the article

  • Using PowerShell, in Active Direcotry, how would I change all the DNS A records that have a given IP to a new IP?

    - by djsumdog
    We've been moving data centers and I have a lot of old records that were not correctly but in DNS as CNAME records, but A records that have a direct IP (e.g. 192.168.100.n) and they're all moving to a new subnet (10.19.100.n). I just need to write a powershell script to change all those records. I found this site: http://www.indented.co.uk/index.php/2008/12/30/administering-microsoft-dns-in-powershell/ and from it I made this simple script: $dnsServer = "meldc2" $scope = New-Object Management.ManagementScope("\\$dnsServer\root\MicrosoftDNS") $path = New-Object Management.ManagementPath("MicrosoftDNS_Zone") $options = New-Object Management.ObjectGetOptions($Null,[System.TimeSpan]::MaxValue, $True) $ZoneClass= New-Object Management.ManagementClass($scope,$path,$options) $Zones = Get-WMIObject -Computer $dnsServer -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" $Zones | Get-Member foreach($Z in $Zones) { $Z | Select-Object Name,DsIntegrated,ZoneType,Reverse,Data } but that only gets me a listing of root zones. I don't understand how to iterate over all the entries in each of the zones. Also, all the examples I've seen involve adding new zones, but there aren't any examples I can find on modifying existing A records.

    Read the article

  • Is it possible to find deleted objects in active directory without the assistance of a DLP software?

    - by Itai Ganot
    It seems like a large number of security groups have been deleted from the organization's AD. i was able to find the tombstones but i see there 1400 objects from the last 180 days and i know for certain that the important groups which have been deleted, have been deleted somewhere between yesterday's night and now. Is there a way, maybe by using power shell to extract the names of all objects which have been deleted through out the night? Thanks in advance Itai

    Read the article

  • Active Directory: how to be SURE users can change their own passwords?

    - by Latro
    Working on some project where a tool we have has to authenticate against AD connecting via LDAPS and perform password changes if required or requested. IN THEORY, the tool does that, and we have seen it work in other projects. IN PRACTICE, against this particular directory, it fails. Been driving me crazy. The particulars of the situation: Windows 2003 AD Defined a "technical user" for the LDAP connection with rights to change users passwords When password change is required - in this case, because pwdLastSet is 0 - the tool uses the technical account to go, bind to the controller and change the user password. If password change is not required but the user request it, then the bind is done with the user account. That last condition is the one that doesnt work. With the technical user the password change is possible, but with the user itself, it isnt. We get an error like this: LDAP access failed: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1: 0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) no idea what DSID-03190F00 means cause it doesnt seem to be anywhere in google :-/ Been looking at several MS documentation pages and frankly, I'm not understanding one bit of it. There is some "control access right" called User-Change-Password that may, or may not, control what objects have the right to change their own password, which may, or may not, have to do with ACE and ACLs... There is GPO. There is maybe the password policy but it is only set to ask for passwords of 6 chars or more... Can anybody explain to me in easy-to-check steps how can I go and tell the AD admin guy (who is as lost as me) what to do to ensure that users in the AD directory (objectClass top,person,organizationalPerson and user) are able to change their own passwords by themselves? Thanks in advance

    Read the article

< Previous Page | 16 17 18 19 20 21 22 23 24 25 26 27  | Next Page >