**

I would suggest you start by disabling the LDAP authentication plugin.

I just ran this test on my dev server here and what I found was the following:

The login name must equal the sam account name or the UPN

Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.



Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.



Thanks,

Andrew Baxter

Manager, Information Technology

w. (781) 902-6026

f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration



**

Dear Baxter Andrew,

Thanks for your reply.

Yes. My ARS is installed as a domain member.

I have a single domain.

I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.

I can see it is not authenticating using Remedy.

Regards

Sri


"Baxter, Andrew" wrote:

**

If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:

Install ARS on a Windows server as a domain member

If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts

Check the box to cross reference blank passwords

You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.



If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.



The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.



Thanks,

Andrew Baxter

Manager, Information Technology

w. (781) 902-6026

f. (781) 902-6002





20060125This posting was submitted with HTML in it

! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it

**
In your logs I see the following (from your config forms)...
ARDBC Host ldap-sg-atex-01.mis.amat.com
ARDBC User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
AREA Host vaughan.amat.com
AREA User DN rmdyadm

We use the same host here for both AREA and ARDBC (since it is the same Active Directory).

If ARDBC is working have you checked LDP against vaughan (or set your AREA host to the same as ARDBC)?

Fred




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 1:41 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Grooms Fredrick,
I tried with domainname\accountname. No luck. Is there anything to be installed/ configured? Remedy login does not know my OS domain login name right?
I used ldp utility. It is clearly authenticating.
Regards
Sri


"Grooms, Frederick W" wrote:

**
It looks like your rmdyadm service account is not being found correctly.

I have found that the ARDBC LDAP configuration likes the full Distingushed Name (DN) from Active Directory while the AREA LDAP configuration likes the WindowsDomain\LoginName combination.

i.e.
! ARDBC LDAP Configuration form has: CN=remedysvcacct,OU=System Users and Groups,DC=corp,DC=domain,DC=org
AREA LDAP Configuration form has: CORP\remedysvcacct

The vendor form Queries use the ARDBC LDAP configuration form data to log in and do the lookups. User logins use the AREA LDAP configuration form to login and search for the user so the user's password can be verified.

Fred




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Wednesday, March 15, 2006 6:26 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Matt,
The Error is "Invalid credentials". How can i debug this?
Pasting the part of the log
//
/* Wed Mar 15 2006 16:15:55.8130 */ Notif Mech Attribute
/* Wed Mar 15 2006 16:15:55.8130 */ Notif Mech Default 0
/* Wed Mar 15 2006 16:15:55.8130 */ IO timeout 40
/* Wed Mar 15 2006 16:15:55.8130 */ Connect timeout 35
/* Wed Mar ! 15 2006 16:15:55.8130 */ Entering ARPluginEvent (1)
/* Wed Mar 15 2006 16:15:55.8130 */ Entering UpdateConfiguration(0)
! ; /* Wed Mar 15 2006 16:15:55.8130 */ LoadSysConfigFile
/* Wed Mar 15 2006 16:15:55.8130 */ Configuration File D:\Program Files\AR System\conf\ar.cfg
/* Wed Mar 15 2006 16:15:55.8! 130 */ Host Name ldap-sg-atex-01.mis.amat.com
/* Wed Mar 15 2006 16:15:55.8130 */ Port Number 389
/* Wed Mar 15 2006 16:15:55.8130 */ Using SSL 0
/* Wed Mar 15 2! 006 16:15:55.8130 */ User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
/* Wed Mar 15 2006 16:15:55.8130 */ Certificate DB
/* Wed Mar 15 2006 16:15:55.8130 */ Page Size 10000
/* Wed Mar 15 2006 16:15:55.8130 */ Leaving UpdateConfiguration
/* Wed Mar 15 2006 16:15:55.8130 */ Leaving ARPluginEvent
/* Wed Mar 15 2006 16:16:59.6810 */ +VL AREAVerifyLoginCallback -- user shullahallix041396
/* Wed Mar 15 2006 16:16:59.6810 */ AREAVerifyLoginCallback
/* Wed Mar 15 2006 16:16:59.6810 */ ldapinit("vaughan.amat.com", 389)
/* Wed Mar 15 2006 16:16:59.6810 */ connect timeout previously: -1
/* Wed Mar 15 2006 16:16:59.6810 */ connect timeout used: 35000
/* Wed Mar 15 2006 16:16:59.6810 */ ldapsimplebind("rmdyadm", hidden)
/* Wed Mar 15 2006 16:16:59.9150 */ Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
/* ! Wed Mar 15 2006 16:16:59.9150 */ -VL FAIL

//
Regards
Sri

"Watson, Matthew (Melbourne)" wrote:

**
Have you turned on plugin logging? Add the following line into your ar.cfg file and enable plugin logging via the Admin Tool - it will give you a detailed output of what the LDAP plug-in is doing as you try to login:

Plugin-Log-Level: 400

Cheers,
Matt




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, 16 March 2006 11:00 AM
To: arslist@ARSLIST.ORG
Subject: Active Directory integration


**
Dear All,
I am doing the Microsoft Active Directory- SunOne directory service integration with ARS 6.3 patch 14 which is on win 2003.I have followed the Tips and tr! icks article and able to enter the data in the AREA LDAP configuration form.
Active directory Login/Password is correct and has the privileges. ! Search filter is correct.
I have checked the cross ref blank password as well as Authenticate unregistered users in the admin tool. I have created a user with blank password. External Authentication RPC number is 390695.
I have not installed any third party software apart from Remedy ARS remedy modules and plug-in on the server.
I am using Remedy client using my laptop and typing my OS domain account at login. Authentication is failed.
Then I tried using the account with blank password. Here too Authentication is failed.
Am I doing the testing in right way? Anything else has to be installed?
Plug-in is working because I can query my ldap objects and query the vendor form.



Regards
Sri

20060125This posting was submitted with HTML in it




Regards
Sri



Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
20060125This posting was submitted with HTML in it

**
James,
Just authenticate the user against AD. Pulling data from LDAP is over and working fine. I am not able to login to Remedy using my domain account as well aradm which is specially created in AD, Remedy server, Domain as well as in LDAP. where as i can use LDP to connect /bind without any problem. I have used ARDBC to connect to LDAP and am good. But Authentication suppose to happen ny AD. This is not happening.
Regards
Sri

"McKenzie, James J C-E LCMC HQISEC/L3" wrote:

**
Sri:

I am confused at this point. What are you attempting to do? Authenticate users against AD or pull back user information into a Vendor form?
If you are trying to authenticate users, this is working as you can log into Remedy with the remedyadm account. If it is the latter, you have more work to do.

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of sri sri
Sent: Thursday, March 16, 2006 3:06 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Dear James,
I have this a/c on the server as well with admin privilage
Regards
Sri

"McKenzie, James J C-E LCMC HQISEC/L3" wrote:

**
Matt:

Is your account a domain account or an account actually on the server. If I remember correctly, the account has to be directly on the server and not a domain account.

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of Watson, Matthew (Melbourne)
Sent: Thursday, March 16, 2006 2:35 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Sri,

We've been using the AREA LDAP plug-in for about three years, since v5.1.2, and haven't changed our configuration at all during our upgrades to 6.0, 6.0.1 and now 6.3. So it would definitely appear to be something in your config, or perhaps your install......

Matt




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Friday, 17 March 2006 8:28 AM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
HI Baxter, Andrew,
I tried this combination. Not able to login. LDP is getting the data.Any patch need to installed? I am on patch 14 for ARS 6.3
Regards
Sri

"Baxter, Andrew" wrote:

**
I would suggest you start by disabling the LDAP authentication plugin.
I just ran this test on my dev server here and what I found was the following:
The login name must equal the sam account name or the UPN
Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.

Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration

**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****
20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it




Relax. Yahoo! Mail virus scanning helps detect nasty viruses! 20060125This posting was submitted with HTML in it








**********************************************************************
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you have received this communication in error, please notify us immediately by return e-mail with the subject heading "Received in error" or telephone +61 2 93357000, then delete the email and destroy any copies of it. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter. Opinions, conclusions and other information in this e-mail and any attachments that do not relate to the official business of the firm are neither given nor endorsed by it.

KPMG cannot guarantee that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses.

KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such.

Liability limited by a scheme approved under Professional Standards Legislation.

This footnote also confirms that this e-mail message has been swept by MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com for more information.
**********************************************************************
20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it




Regards
Sri


Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
20060125This posting was submitted with HTML in it



Regards
Sri




Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

**
James,
I can pull the data using LDP. AD person told me that it is a Remdy's headache.Question is how my OS login name when entered in remedy's login name field is not authenticated. I thought just AREA LDAP configuration form entry, Admin tool config alone will complete the integration!!!.
Thanks
Sri

"McKenzie, James J C-E LCMC HQISEC/L3" wrote:

**
Sri:

This appears to be a permissions problem. Can you pull back any data with that user when you use LDP?

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of sri sri
Sent: Thursday, March 16, 2006 12:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it




Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it




Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

**
HI Baxter, Andrew,
I tried this combination. Not able to login. LDP is getting the data.Any patch need to installed? I am on patch 14 for ARS 6.3
Regards
Sri

"Baxter, Andrew" wrote:

**
I would suggest you start by disabling the LDAP authentication plugin.
I just ran this test on my dev server here and what I found was the following:
The login name must equal the sam account name or the UPN
Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.

Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration

**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****
20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it




Relax. Yahoo! Mail virus scanning helps detect nasty viruses! 20060125This posting was submitted with HTML in it

**
Dear Grooms Freerick,
I have ARDBC for LDAP and able to pull out LDAP data.
I have configured AREA for Active directory authentication.
I am checking by ARDBC using AD data
Regards
Srivathsa

"Grooms, Frederick W" wrote:

**
In your logs I see the following (from your config forms)...
ARDBC Host ldap-sg-atex-01.mis.amat.com
ARDBC User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
AREA Host vaughan.amat.com
AREA User DN rmdyadm

We use the same host here for both AREA and ARDBC (since it is the same Active Directory).

If ARDBC is working have you checked LDP against vaughan (or set your AREA host to the same as ARDBC)?

Fred




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 1:41 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Grooms Fredrick,
I tried with domainname\accountname. No luck. Is there anything to be installed/ configured? Remedy login does not know my OS domain login name right?
I used ldp utility. It is clearly authenticating.
Regards
Sri


"Grooms, Frederick W" wrote:

**
It looks like your rmdyadm service account is not being found correctly.

I have found that the ARDBC LDAP configuration likes the full Distingushed Name (DN) from Active Directory while the AREA LDAP configuration likes the WindowsDomain\LoginName combination.

i.e.
! ARDBC LDAP Configuration form has: CN=remedysvcacct,OU=System Users and Groups,DC=corp,DC=domain,DC=org
AREA LDAP Configuration form has: CORP\remedysvcacct

The vendor form Queries use the ARDBC LDAP configuration form data to log in and do the lookups. User logins use the AREA LDAP configuration form to login and search for the user so the user's password can be verified.

Fred




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Wednesday, March 15, 2006 6:26 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Matt,
The Error is "Invalid credentials". How can i debug this?
Pasting the part of the log
//
/* Wed Mar 15 2006 16:15:55.8130 */ Notif Mech Attribute
/* Wed Mar 15 2006 16:15:55.8130 */ Notif Mech Default 0
/* Wed Mar 15 2006 16:15:55.8130 */ IO timeout 40
/* Wed Mar 15 2006 16:15:55.8130 */ Connect timeout 35
/* Wed Mar ! 15 2006 16:15:55.8130 */ Entering ARPluginEvent (1)
/* Wed Mar 15 2006 16:15:55.8130 */ Entering UpdateConfiguration(0)
! ; /* Wed Mar 15 2006 16:15:55.8130 */ LoadSysConfigFile
/* Wed Mar 15 2006 16:15:55.8130 */ Configuration File D:\Program Files\AR System\conf\ar.cfg
/* Wed Mar 15 2006 16:15:55.8! 130 */ Host Name ldap-sg-atex-01.mis.amat.com
/* Wed Mar 15 2006 16:15:55.8130 */ Port Number 389
/* Wed Mar 15 2006 16:15:55.8130 */ Using SSL 0
/* Wed Mar 15 2! 006 16:15:55.8130 */ User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
/* Wed Mar 15 2006 16:15:55.8130 */ Certificate DB
/* Wed Mar 15 2006 16:15:55.8130 */ Page Size 10000
/* Wed Mar 15 2006 16:15:55.8130 */ Leaving UpdateConfiguration
/* Wed Mar 15 2006 16:15:55.8130 */ Leaving ARPluginEvent
/* Wed Mar 15 2006 16:16:59.6810 */ +VL AREAVerifyLoginCallback -- user shullahallix041396
/* Wed Mar 15 2006 16:16:59.6810 */ AREAVerifyLoginCallback
/* Wed Mar 15 2006 16:16:59.6810 */ ldapinit("vaughan.amat.com", 389)
/* Wed Mar 15 2006 16:16:59.6810 */ connect timeout previously: -1
/* Wed Mar 15 2006 16:16:59.6810 */ connect timeout used: 35000
/* Wed Mar 15 2006 16:16:59.6810 */ ldapsimplebind("rmdyadm", hidden)
/* Wed Mar 15 2006 16:16:59.9150 */ Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
/* ! Wed Mar 15 2006 16:16:59.9150 */ -VL FAIL

//
Regards
Sri

"Watson, Matthew (Melbourne)" wrote:

**
Have you turned on plugin logging? Add the following line into your ar.cfg file and enable plugin logging via the Admin Tool - it will give you a detailed output of what the LDAP plug-in is doing as you try to login:

Plugin-Log-Level: 400

Cheers,
Matt




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, 16 March 2006 11:00 AM
To: arslist@ARSLIST.ORG
Subject: Active Directory integration


**
Dear All,
I am doing the Microsoft Active Directory- SunOne directory service integration with ARS 6.3 patch 14 which is on win 2003.I have followed the Tips and tr! icks article and able to enter the data in the AREA LDAP configuration form.
Active directory Login/Password is correct and has the privileges. ! Search filter is correct.
I have checked the cross ref blank password as well as Authenticate unregistered users in the admin tool. I have created a user with blank password. External Authentication RPC number is 390695.
I have not installed any third party software apart from Remedy ARS remedy modules and plug-in on the server.
I am using Remedy client using my laptop and typing my OS domain account at login. Authentication is failed.
Then I tried using the account with blank password. Here too Authentication is failed.
Am I doing the testing in right way? Anything else has to be installed?
Plug-in is working because I can query my ldap objects and query the vendor form.



Regards
Sri

20060125This posting was submitted with HTML in it




Regards
Sri


Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it 20060125This posting was submitted with HTML in it





Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze. 20060125This posting was submitted with HTML in it

**
Sri:

What is the actual FQDN hostname for the AD server. i.e. bubba.junior.com? You HAVE to use this name. Is your server, if it is a Windows server and the AD system in the SAME domain? If your server is in a different domain, is it TRUSTED?

Are you using SSL to communicate to your server? If it is, you will need to take special steps as outlined in the document:

Using SSL for LDAP functionality

which is available from the Tips and Tricks archive at the Developer Community web site.


The user you are using to access AD MUST BE ON THE AD SERVER. You cannot use a domain account.

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:24 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
James,
I can pull the data using LDP. AD person told me that it is a Remdy's headache.Question is how my OS login name when entered in remedy's login name field is not authenticated. I thought just AREA LDAP configuration form entry, Admin tool config alone will complete the integration!!!.
Thanks
Sri

"McKenzie, James J C-E LCMC HQISEC/L3" wrote:

**
Sri:

This appears to be a permissions problem. Can you pull back any data with that user when you use LDP?

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of sri sri
Sent: Thursday, March 16, 2006 12:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it




Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it

**
Hi Sri,

We've been using the AREA LDAP plug-in for about three years, since v5.1.2, and haven't changed our configuration at all during our upgrades to 6.0, 6.0.1 and now 6.3. So it would definitely appear to be something in your config, or perhaps your install......

Matt




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Friday, 17 March 2006 8:28 AM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
HI Baxter, Andrew,
I tried this combination. Not able to login. LDP is getting the data.Any patch need to installed? I am on patch 14 for ARS 6.3
Regards
Sri

"Baxter, Andrew" wrote:

**
I would suggest you start by disabling the LDAP authentication plugin.
I just ran this test on my dev server here and what I found was the following:
The login name must equal the sam account name or the UPN
Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.

Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration

**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****
20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it





Relax. Yahoo! Mail virus scanning helps detect nasty viruses! 20060125This posting was submitted with HTML in it








**********************************************************************
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you have received this communication in error, please notify us immediately by return e-mail with the subject heading "Received in error" or telephone +61 2 93357000, then delete the email and destroy any copies of it. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter. Opinions, conclusions and other information in this e-mail and any attachments that do not relate to the official business of the firm are neither given nor endorsed by it.

KPMG cannot guarantee that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses.

KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such.

Liability limited by a scheme approved under Professional Standards Legislation.

This footnote also confirms that this e-mail message has been swept by MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com for more information.
**********************************************************************

20060125This posting was submitted with HTML in it

**
Sri:

The more information you give, the more we can give. You have to have an AD account on the AD server. Not just a Domain Account.

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:28 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
HI Baxter, Andrew,
I tried this combination. Not able to login. LDP is getting the data.Any patch need to installed? I am on patch 14 for ARS 6.3
Regards
Sri

"Baxter, Andrew" wrote:

**
I would suggest you start by disabling the LDAP authentication plugin.
I just ran this test on my dev server here and what I found was the following:
The login name must equal the sam account name or the UPN
Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.

Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration

**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****
20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it





Relax. Yahoo! Mail virus scanning helps detect nasty viruses! 20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it

**
Matt:

Is your account a domain account or an account actually on the server. If I remember correctly, the account has to be directly on the server and not a domain account.

James McKenzie


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG]On Behalf Of Watson, Matthew (Melbourne)
Sent: Thursday, March 16, 2006 2:35 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
Hi Sri,

We've been using the AREA LDAP plug-in for about three years, since v5.1.2, and haven't changed our configuration at all during our upgrades to 6.0, 6.0.1 and now 6.3. So it would definitely appear to be something in your config, or perhaps your install......

Matt




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Friday, 17 March 2006 8:28 AM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


**
HI Baxter, Andrew,
I tried this combination. Not able to login. LDP is getting the data.Any patch need to installed? I am on patch 14 for ARS 6.3
Regards
Sri

"Baxter, Andrew" wrote:

**
I would suggest you start by disabling the LDAP authentication plugin.
I just ran this test on my dev server here and what I found was the following:
The login name must equal the sam account name or the UPN
Since you are in a single domain you are lucky. The authentication does not appear to work if you use the domain\ as part of the logon.

Using either my UPN or just my SAM Account name with no domain prefix it works just fine for me.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration

**
Dear Baxter Andrew,
Thanks for your reply.
Yes. My ARS is installed as a domain member.
I have a single domain.
I checked with cross reference password and without. No luck. But i am using my domain login name to test. i used ldp utility to get connected and bind. It is passed.
I can see it is not authenticating using Remedy.
Regards
Sri

"Baxter, Andrew" wrote:

**
If you are attempting to integrate AR authentication with AD the following are the steps I would recommend:
Install ARS on a Windows server as a domain member
If you have more than one domain, ensure there is a trust relationship between the domain with your AR server and your user accounts
Check the box to cross reference blank passwords
You do not need the ldap plugin to authenticate windows users on AR Server running on a windows server if the above qualifications are met.

If you only have a single domain, then you need not worry about trust relationships since a domain member in a single domain will be able to query user accounts.

The LDAP authentication plugin is intended for use on UNIX systems to be able to read AD, but that is not needed in a windows server environment.

Thanks,
Andrew Baxter
Manager, Information Technology
w. (781) 902-6026
f. (781) 902-6002



20060125This posting was submitted with HTML in it
! ****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****
20060125This posting was submitted with HTML in it





Yahoo! Mail
Use Photomail to share photos without annoying attachments. 20060125This posting was submitted with HTML in it
****This e-mail is sent by Hudson Highland Group, Inc., or one of its subsidiaries, and may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.****

20060125This posting was submitted with HTML in it





Relax. Yahoo! Mail virus scanning helps detect nasty viruses! 20060125This posting was submitted with HTML in it








**********************************************************************
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you have received this communication in error, please notify us immediately by return e-mail with the subject heading "Received in error" or telephone +61 2 93357000, then delete the email and destroy any copies of it. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing KPMG client engagement letter. Opinions, conclusions and other information in this e-mail and any attachments that do not relate to the official business of the firm are neither given nor endorsed by it.

KPMG cannot guarantee that e-mail communications are secure or error-free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses.

KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such.

Liability limited by a scheme approved under Professional Standards Legislation.

This footnote also confirms that this e-mail message has been swept by MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com for more information.
**********************************************************************
20060125This posting was submitted with HTML in it

20060125This posting was submitted with HTML in it