#133585 - 03/16/06 04:10 PM Re: Active Directory integration [Re: AlexGrilo]
cwilson Offline
newbie

Registered: 02/01/06
Posts: 5
Sri,

I just got finished working with what appears to be a very similar problem.

In your AREA User Search Filter field are you using the filter cn=$\USER$? I found that AD was not storing all user objects with a consistently formatted cn value. For example, our cn value was formatted similarly to cn=Remedy\ Service Account (Service Account), nothing like the actual login name cn=rmdyadm. So, the User Search Filter was not matching up. AD consistently stores the userPrincipalName value though, in our case at least.

You might give this a try. Use the LDP tool to bind to the AD server just as before. View > Tree, view the defaultNamingContext, the simplest one DC=amat,DC=com. Click Browse > Search, enter DC=amat,DC=com in the Base Dn field. Enter (cn=rmdyadm) in the Filter field. Search. The result may or may not be zero. If it is zero and in fact you are using cn=$\USER$ then you likely don't have a cn=rmdyadm in AD. Try another search for (userPrincipalName=rmdyadm@amat.com). See if that has any results. If it does then search out a few other user account names of ARS users, see if they return consistently.

We ended up going with a User Search Filter value of userPrincipalName=$\USER$@amat.com Maybe you can use a filter similar to that as well?

Here are some other things that I suggest you check; I didn't notice that anyone else had mentioned them.

Your ARS account, rmdyadm, it doesn't have a fixed license right? If I remember correctly, it can't have a fixed license. I go with read license. The password for the ARS rmdyadm account is blank/NULL right?

Don't use the AREA Group Membership fields, at least not until this problem is resolved.

Make sure that the AD server you are using in the AREA configuration actually has your rmdyadm user object! You could be using LDP.exe and actually authenticating against another server. The server that you are currently using may not be synched up with the other AD servers and not have all of the user objects, including rmdyadm.

Good luck.

Charlie Wilson
ReachView Technologies




From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Thursday, March 16, 2006 7:51 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


Hi Fred,
I used the same account in LDP. It worked. The same ID is given in the AREA form.
Yes. I used differently. We need ARDBC to fetch the data from the LDAP vendor form into the SHR:People form (it is working), whereas we need AD to authenticate the login name.
Regards
Sri.

"Grooms, Frederick W" wrote:

When you used LDP to check that server did you use when you did Connections -> Connect? What user did you use when you did Connections -> Bind?

Go to your AREA LDAP Configuration form and set the Host name to the same one you have in your ARDBC LDAP Configuration form. (From your logs I can see that they are different).


In your logs I see the following ...
ARDBC Host ldap-sg-atex-01.mis.amat.com
ARDBC User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
AREA Host vaughan.amat.com
AREA User DN rmdyadm

Fred





From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of sri sri
Sent: Wednesday, March 15, 2006 6:26 PM
To: arslist@ARSLIST.ORG
Subject: Re: Active Directory integration


Hi Matt,
The error is "Invalid credentials". How can I debug this?
Pasting part of the log:
//
! ; /* Wed Mar 15 2006 16:15:55.8130 */ LoadSysConfigFile

/* Wed Mar 15 2006 16:15:55.8130 */ Configuration File D:\Program Files\AR System\conf\ar.cfg

/* Wed Mar 15 2006 16:15:55.8130 */ Host Name ldap-sg-atex-01.mis.amat.com

/* Wed Mar 15 2006 16:15:55.8130 */ Port Number 389

/* Wed Mar 15 2006 16:15:55.8130 */ User DN uid=rmdyadm,ou=special users,dc=amat,dc=com

/* Wed Mar 15 2006 16:16:59.6810 */ ldapinit("vaughan.amat.com", 389)

/* Wed Mar 15 2006 16:16:59.6810 */ ldapsimplebind("rmdyadm", hidden)

/* Wed Mar 15 2006 16:16:59.9150 */ Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
/* ! Wed Mar 15 2006 16:16:59.9150 */ -VL FAIL

//
Regards
Sri


#133586 - 03/17/06 02:24 AM Re: Active Directory integration [Re: AlexGrilo]
frederick w grooms67 Offline
old hand

Registered: 06/12/01
Posts: 930
So you are saying you have an LDAP tree separate from your Active Directory tree? Here we use ARDBC LDAP to pull from the AD tree and we authenticate against the same AD with AREA.

In LDP, when you did the connect you used vaughan.amat.com. When you did the bind you used rmdyadm. Did you put anything in the Domain field? If so, try putting that value in front of rmdyadm (i.e. if you put CORP in the Domain field in LDP, use CORP\rmdyadm in the AREA LDAP configuration form).

One other thing to try: when looking at the data in LDP for the rmdyadm account, what is the sAMAccountName value? You might try putting that value in the AREA configuration form.

Fred



#133587 - 03/17/06 05:12 PM Re: Active Directory integration [Re: AlexGrilo]
sriremedy Offline
newbie

Registered: 02/14/06
Posts: 23
Dear All,
First, I thank all the list users who really helped me in this venture of AD integration with ARS. The LDAP problem is solved. Thanks to Doug. He helped us to crack the problem. He is simply a great person. He changed the User DN to
CN=rmdyadm,OU=Special-Users,DC=amat,DC=com

It started working. Sometimes I feel AD is so crazy. I never expected that AD behaves this way.
Regards
Sri

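Added example, not part of the original thread: a small Python triage of the AREA log lines posted above, reporting the host mismatch Fred pointed out, the form of the name passed to the simple bind, and the meaning of the AD `data` sub-code. The function names are hypothetical, the sub-code table is the commonly documented set of Win32 logon errors, and the bind-name classification is a heuristic.

```python
import re
# AD reports a Win32 logon error, in hex, after "data" in an error 49 bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: unknown user name or bad password",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

# Lines copied from the log posted in this thread.
SAMPLE_LOG = """\
/* Wed Mar 15 2006 16:15:55.8130 */ Host Name ldap-sg-atex-01.mis.amat.com
/* Wed Mar 15 2006 16:15:55.8130 */ User DN uid=rmdyadm,ou=special users,dc=amat,dc=com
/* Wed Mar 15 2006 16:16:59.6810 */ ldapinit("vaughan.amat.com", 389)
/* Wed Mar 15 2006 16:16:59.6810 */ ldapsimplebind("rmdyadm", hidden)
/* Wed Mar 15 2006 16:16:59.9150 */ Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
"""

def bind_name_form(name):
    """Classify the identity string handed to a simple bind (heuristic)."""
    if re.match(r"(?i)[a-z][a-z0-9-]*=[^,]+,", name):
        return "dn"
    if "\\" in name:
        return "domain\\user"
    if "@" in name:
        return "upn"
    return "bare"

def triage(log):
    cfg = re.search(r"Host Name\s+(\S+)", log)            # host from the config dump
    init = re.search(r'ldapinit\("([^"]+)",\s*(\d+)\)', log)  # host actually contacted
    bind = re.search(r'ldapsimplebind\("([^"]*)"', log)
    err = re.search(r"LDAPERR Code (\d+)\).*?data ([0-9a-fA-F]+)", log)
    return {
        "config_host": cfg.group(1) if cfg else None,
        "bind_host": init.group(1) if init else None,
        "host_mismatch": bool(cfg and init and cfg.group(1).lower() != init.group(1).lower()),
        "bind_name_form": bind_name_form(bind.group(1)) if bind else None,
        "ldap_code": int(err.group(1)) if err else None,
        "ad_reason": AD_BIND_SUBCODES.get(err.group(2).lower(), "unknown") if err else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports a bare bind name sent to vaughan.amat.com with sub-code 52e; the fix reported in the thread was a full DN in the User DN field.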