Citrix Content Collaboration Connector SSO for Network Shares and SharePoint on‐prem

Summary of items

  1. SharePoint Configuration
  2. NetScaler (internal load balancer) Configuration
  3. Configure SplitDNS
  4. Configure Citrix Storage Zone
  5. AD Delegation
  6. Browsers

SharePoint Configuration

Set the SPN for the SharePoint service account

Note:

This is a standard SharePoint requirement that references the service account used during the installation of SharePoint itself. The service account used below is usually the one that SharePoint was initially installed with.

  1. From any server, open CMD (elevated, using an account with the appropriate SharePoint rights).
  2. Type the following:

SetSPN -S HTTP/SharePoint domain\serviceaccountname

SetSPN -S HTTP/SharePoint.domain.com domain\serviceaccountname


Note:

KCD work is not required for the Network Connectors, which use NTLM.

SharePoint Configuration

  1. On the Central Administration page, under Quick Launch, click Security, and in the General Security section click Specify authentication providers.
  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
  3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
  4. In the IIS Authentication Settings section, select Negotiate (Kerberos). Note: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
  5. Click Save.

NetScaler (internal Load balancer) Configuration

The reason for this configuration is to split the External and Internal traffic. Where AAA authentication is used for external user authentication to Connectors, AAA is not a necessity for Internal use, especially where Web Access to Network shares/SharePoint SSO is required via web browsers.

Note:

AAA requires a NetScaler Enterprise and above license to use.

If the NetScaler wizard has been used to configure a storage zone, then you would typically see LBVIPs bound to a Content Switch, such as:

_SF_CS_ShareFile = External Content Switch

The External config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 3 x LBVIPs
    • ShareFile Data LBVIP
    • Connectors LBVIP with AAA enabled
    • OPTIONS LBVIP.


Note:

If Web Access to Connectors is required, then configuration is needed in addition to the wizard, which adds the OPTIONS LBVIP to the Content Switch. Please see this article in section “Configure NetScaler for restricted zones or web access to Connectors”.

Now we would need an additional configuration to route the internal traffic. This would typically be a Load Balancing virtual server (LBVIP) rather than a Content Switch. In this instruction we are going to:

  • Create the Server(s) – create a connection to all the storage zone controllers within a single Zone.
  • Create a Service Group – group the servers into a group
  • Create an LBVIP – create the Load Balancing virtual server

Create the Server(s)

  1. Log into the NetScaler and browse to:
  2. Click Add.
  3. Create a name, e.g. SZ_Server.
  4. Input the IP Address of the Citrix storage zone controller.
  5. Click Create.
  6. Repeat for all storage zone controllers.

Create a Service Group

  1. Log into the NetScaler and browse to:
  2. Click Add.
  3. Create a name, e.g. SZ_Service_Group.
  4. Protocol: SSL
  5. Click OK.
  6. Click on Service Group Members.
  7. Select Server Based option then click on Select Server.
  8. Click the checkboxes on each of the storage zone controller servers and then click Select.
  9. Enter Port*: 443.
  10. Click Create.
  11. Click OK to continue.
  12. Click Done.

Create an LBVIP

  1. Log into the NetScaler and browse to:
  2. Click Add to create the storage zone LBVIP:
Name: SZ_LB_INTERNAL

Protocol: SSL

IP Address Type: IP Address (this should be internally accessible)
  3. Click OK.
  4. Under Services and Service Groups, click the Virtual Server Service Group Binding option.
  5. Select the Service Group created earlier and click Bind.
  6. Click OK.
  7. Attach wildcard certificate.
  8. Click Bind.
  9. Click OK and Done.

Configure SplitDNS

Configure SplitDNS so that the storage zone FQDN resolves to the new Internal LBVIP (i.e. SZ_LB_INTERNAL). This is important because internal traffic must be directed to the internal load balancing vserver created in the previous step. If this is done via Active Directory in your environment, an example is given below.

Configure DNS in AD

  1. Log into the Domain Controller and open dsa.msc.
  2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (sz.company.com)
  3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
  4. Enter the IP, this should be the one of the Internal LBVIP (i.e. SZ_LB_INTERNAL) created in the previous section
  5. To test, open CMD from another desktop/server, run ipconfig /flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

Configure Citrix Storage Zone

StorageZone Controller IIS changes

Network Connectors only:

  1. Log onto the StorageZone Controller(s) and open IIS.
  2. Click on the Default web site then to the CIFS virtual directory.
  3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
  4. Right-click on the Windows Authentication option and select Providers.
  5. Highlight NTLM and Move Up to the top of the list. Click OK.
  6. Ensure Basic Authentication is set to Disabled.

SharePoint KCD only or either with Network Connectors:

  1. Click on the CIFS virtual directory, then on Authentication.
  2. Ensure Anonymous and Windows Authentication are Enabled.
  3. Right-click on the Windows Authentication option and select Providers.
  4. Highlight Negotiate and Move Up to the top of the list. Click OK.
  5. Repeat for the SP virtual directory.
  6. Ensure Basic Authentication is Disabled on both.

If using port 80 on your StorageZone Controller for Load Balancing communication, refer to the AD Delegation section.

  1. If using port 443, then on the StorageZone Controller, right-click the Default Web Site and select Edit Bindings.
  2. Add a new binding on port 443, assign the IP address, and insert a host header (just the first part of your storage zone FQDN, i.e. where FQDN=sz.company.com, then input only sz in the hostheader).

AD Delegation

Changes might need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added.

Example:

Note:

Ensure that any file servers hosting Network Shares are added to the delegation as CIFS.

Ensure that any SharePoint servers that need to be accessed are also entered as HTTP.
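
A read-only way to confirm the SPN and delegation entries described in this guide, as an added example that is not part of the original Citrix article. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; SZC01, fs01.company.com and the other names are placeholders for your own servers and service account.

```powershell
# Added example (not from the Citrix article): read-only audit of the SPNs and
# delegation entries this guide configures. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: replace with your own values.
$ServiceAccount  = 'serviceaccountname'      # sAMAccountName of the SharePoint service account
$SharePointSpns  = @('HTTP/SharePoint', 'HTTP/SharePoint.domain.com')
$SzcComputers    = @('SZC01')                # hypothetical storage zone controller name(s)
$ExpectedTargets = @(
    'cifs/fs01.company.com'                  # hypothetical file server hosting network shares
    'http/sharepoint.domain.com'             # SharePoint server reached through KCD
)

function New-Finding {
    param([string]$Check, [string]$Item, [string]$Status, [string]$Detail = '')
    [pscustomobject]@{ Check = $Check; Item = $Item; Status = $Status; Detail = $Detail }
}

function Test-Spn {
    param([string]$Spn, [string]$ExpectedAccount)
    # Kerberos needs each SPN on exactly one account; a duplicate makes ticket requests fail.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName |
                 ForEach-Object { $_.sAMAccountName })
    if ($holders.Count -eq 0) { $status = 'MISSING' }
    elseif ($holders.Count -gt 1) { $status = 'DUPLICATE' }
    elseif ($holders[0] -ne $ExpectedAccount) { $status = 'WRONG ACCOUNT' }
    else { $status = 'OK' }
    New-Finding -Check 'SPN' -Item $Spn -Status $status -Detail ($holders -join ', ')
}

function Test-Delegation {
    param([string]$ComputerName, [string[]]$Targets)
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props
    $allowed = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Every expected CIFS/HTTP target must be present on the SZC computer object.
    foreach ($t in $Targets) {
        $status = if ($allowed -contains $t) { 'OK' } else { 'MISSING' }
        New-Finding -Check 'Delegation' -Item "$ComputerName -> $t" -Status $status
    }
    # Unconstrained delegation lets the server act as the user towards any service,
    # which is far broader than the per-service entries this guide adds.
    if ($c.TrustedForDelegation) {
        New-Finding -Check 'Delegation' -Item $ComputerName -Status 'REVIEW' -Detail 'Unconstrained delegation is enabled'
    }
    # Anything not on the expected list widens what the SZC may access on a user's behalf.
    # Short-name forms of expected hosts (e.g. cifs/FS01) will also show up here.
    foreach ($extra in ($allowed | Where-Object { $Targets -notcontains $_ })) {
        New-Finding -Check 'Delegation' -Item "$ComputerName -> $extra" -Status 'REVIEW' -Detail 'Not in the expected list'
    }
}

$findings  = @()
$findings += $SharePointSpns | ForEach-Object { Test-Spn -Spn $_ -ExpectedAccount $ServiceAccount }
$findings += $SzcComputers   | ForEach-Object { Test-Delegation -ComputerName $_ -Targets $ExpectedTargets }
$findings | Format-Table -AutoSize
```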

Browsers

Internet Explorer

  1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:
Citrix Content Collaboration URL – e.g.: subdomain.sharefile.com

FQDN StorageZone – e.g.: sz.company.com

FQDN of AAAVIP – e.g.: aaavip.company.com

Note: If this is locked down, configure it via GPO, which will be actioned on the User Configuration.
  1. Open GPMC and select the GPO controlling the behaviour of IE.
  2. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode and select Replace.
  3. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:
Note: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

1 – Intranet zone – sites on your local network.

2 – Trusted Sites zone – sites that have been added to your trusted sites.

3 – Internet zone – sites that are on the Internet.

4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.
  1. For external IE browsers, extra configuration is required as follows:
Click on the Internet/Custom Level and ensure that:
  • Miscellaneous/Access data sources across domains is Enabled.
  • User Authentication/Log on/Prompt for Username and Password is selected.
  1. Click OK twice.

Firefox

  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter: about:config
This opens the configuration interface. You may need to agree to a security warning in order to proceed.
  2. Double-click the line labelled automatic-ntlm-auth.trusted-uris and enter the following:
ShareFile site – subdomain.sharefile.com

FQDN StorageZone – sz.company.com

FQDN of AAAVIP – aaavip.company.com

Note: Separate individual URLs with commas, but do not put spaces between them, for example:

subdomain.sharefile.com,sz.company.com

  3. Click OK when you’re finished.
  4. Double-click the line labelled negotiate-auth.trusted-uris.
  5. Enter the same information you entered in step 2 with the URLs separated by commas and with no spaces.
  6. Click OK.

Chrome

This should work. CORS should be enabled by default on Chrome but you can add the plugin to Chrome here.

How to Collect Diagnostic Bundle Files from a NetScaler Appliance

Complete the following procedure for MPX and VPX appliances:

Complete the following procedure for SDX appliances:

Running the Collector Script in NetScaler Software Release 9.2 and Later

To obtain the collector file by using the NetScaler GUI, complete the following procedure:

Note: In NetScaler software release 9.2 and later, you can run the showtechsupport script from the Graphical User Interface (GUI) and the Command Line Interface (CLI).

  1. Open the Configuration Utility with the NetScaler Management IP address from a web browser.

  2. Expand the System node.

  3. Select the Diagnostics node.

  4. Click the GenerateSupportFile link under the Technical Support Tools section.

To obtain the collector file by using the NetScaler CLI, complete the following procedure:

Download the file from the appliance using a Secure FTP (SFTP) or Secure Copy (SCP) utility, such as WinSCP, and upload it to Citrix Insight Services for analysis.

Note: In NetScaler software release earlier than 9.0, the collector script must be downloaded separately and executed.

Note: In case of Netscaler in Cluster deployment please use the following CLI command to generate the collector file:

> show techsupport -scope CLUSTER

This will collect show techsupport information from all nodes in the cluster and compress the files into a single archive.

In order to generate the collector file from Graphical User Interface (GUI) please select “Partition” option from the Scope

  • Click Run and wait for the script to generate the collector archive.

  • After the appliance generates the collector archive, download and save the file on your local computer before uploading it to Citrix Insight Services.

    1. To obtain the collector file by using the CLI, run the following command:

      show techsupport

      After the appliance generates the collector archive, the location of the file is displayed.

      The file is stored in /var/tmp/support and you can verify this by logging in to NetScaler and running the following command from a shell prompt:

      root@NS# cd /var/tmp/support/

      root@NS# ls -l

      total 2
      drwxr-xr-x 7 root wheel 512 Sep 25 15:38 collector_P_10.10.1.1_25Sep2014_15_38
      root@NS#

Uploading and Running the Collector Script on a NetScaler Appliance

To upload and run the updated collector script on a NetScaler appliance, complete the following procedure:

  1. Copy the updated collector script showtechsupport.pl (attached with this article) to the /nsconfig directory of the NetScaler appliance. Use an SFTP or SCP utility, such as WinSCP, to copy the file to the NetScaler appliance.

  2. Run the following commands from the CLI of the appliance:

    > shell

    # cd /nsconfig

    # chmod +x showtechsupport.pl

    # ./showtechsupport.pl

  3. Switch to the CLI of the appliance.

  4. Run the following command to create log files for analysis:

    > show techsupport

    The collector_<NSIP>_<P/S>_<DateTime>.tgz file is created in the /var/tmp/support directory of the appliance.

    Note: You must then upload the .tgz file to Citrix Insight Services for analysis.

  5. If you must uninstall this script, run the following commands from the CLI of the appliance:

    > shell

    rm /nsconfig/showtechsupport.pl

Collecting a Full Diagnostics Bundle from NetScaler SDX

  1. Open the NetScaler SDX Configuration Utility with the NetScaler SDX Management IP address from a web browser.

  2. Expand the Diagnostics node.

  3. Select the Technical Support node.

  4. Click Generate Technical Support File.

  5. Select Appliance (Including Instances) from the drop-down menu.

  6. Click Add.

  7. Select one or more instances to add in.

  8. Click OK. Wait for the process to complete.

  9. Select the bundle name that was generated and then click Download.

  10. Upload the bundle file to Citrix Insight Services.

For information on collecting/deleting NetScaler SDX support bundle using CLI/serial console refer to Citrix Documentation.

How to Convert PFX Certificate to PEM Format for Use with NetScaler

Complete one of the following procedures to convert a PFX certificate to PEM format for use with NetScaler:

NetScaler Wizard

Complete the following procedure to convert a PFX certificate to PEM format using NetScaler Wizard:

  1. Navigate to Traffic Management and select the SSL node.

  2. Click the Import PKCS#12 link.

  3. Specify a file name you want for the PEM certificate in the Output File Name field.

  4. Click Browse and select the PFX certificate that you want to convert to PEM format. Some users prefer to upload the certificate to the /nsconfig/ssl directory and use it from there. If the PFX certificate is stored on the NetScaler, choose the Appliance option; if it is stored on your workstation, use Local.

  5. Specify the Import Password.

  6. Click OK.

  7. If the file is encoded, then select DES or 3DES as the Encoding Format:

  8. Specify the PEM Passphrase and the Verify PEM Passphrase.

  9. Click the Manage Certificates / Keys / CSRs link to view the converted PEM certificate files.

  10. You can view the uploaded PFX file with the converted PEM file.

  11. Expand the SSL node.

  12. Select the Certificates node.

  13. Click Install.

  14. Specify a Certificate-Key Pair Name in the Install Certificate wizard.

  15. Browse to the PEM file for both the Certificate File Name and Private Key File Name.

  16. Specify the Password.

  17. Click Install.

  18. Bind the certificate key pair to an SSL load balancing virtual server or NetScaler Gateway virtual server.

OpenSSL Utility

If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the NetScaler Gateway, you must convert the PFX file to unencrypted PEM format.

You can use the open source utility OpenSSL to perform the conversion from PFX to PEM. Download a Win32 distribution of OpenSSL from Win32 OpenSSL.

You might also need C++ redistributable files if you want to use OpenSSL. Download this from Microsoft Visual C++ 2008 Redistributable Package (x86).

To convert a PFX file to a PEM file, complete the following steps on a Windows machine:

  1. Download and install the Win32 OpenSSL package from Win32 OpenSSL.

  2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.

  3. Open command prompt and change into the OpenSSL\bin directory:

    cd %homedrive%\OpenSSL\bin

  4. Run the following command to convert the PFX file to an unencrypted PEM file (all in one line):

    openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

  5. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.

  6. Point a browser to the NetScaler Gateway administration portal or HTTPS port 9001: https://netscaler-gateway-server:9001.

  7. Log on as root. The default password is rootadmin.

  8. Click the Maintenance link at the top of the page.

  9. Click the Browse button next to the Upload Private Key+Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.

  10. Restart NetScaler Gateway for the new SSL certificate to be applied.
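
Because step 4 writes the private key to disk unencrypted, a check along these lines before the upload helps catch a mismatched or loosely protected file. This is an added example, not part of the Citrix article; it assumes openssl.exe is on the PATH and reuses the c:\certs\cag.pem output path from the steps above.

```powershell
# Added example (not from the Citrix article). Assumes openssl.exe is on the PATH.
$Pem = 'c:\certs\cag.pem'          # output file from step 4

function Get-PemBlockLabel {
    param([string]$Path)
    # Labels of every "-----BEGIN <label>-----" block, in file order.
    Select-String -Path $Path -Pattern '^-----BEGIN (.+)-----\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Test-KeyMatchesCertificate {
    param([string]$Path)
    # Compare the public key derived from the private key with the public key
    # inside the first certificate in the file; they must be identical.
    $fromCert = (& openssl x509 -in $Path -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read a certificate from $Path" }
    $fromKey = (& openssl pkey -in $Path -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read a private key from $Path" }
    return ($fromCert -eq $fromKey)
}

$labels = @(Get-PemBlockLabel -Path $Pem)
$keys   = @($labels | Where-Object { $_ -like '*PRIVATE KEY' })
$certs  = @($labels | Where-Object { $_ -eq 'CERTIFICATE' })

if ($keys.Count -ne 1)  { throw "Expected exactly one private key, found $($keys.Count)" }
if ($certs.Count -lt 1) { throw 'No certificate found in the PEM file' }
if ($keys[0] -eq 'ENCRYPTED PRIVATE KEY') {
    # The conversion in step 4 uses -nodes, so an encrypted key means the wrong file.
    throw 'Key is still encrypted; the steps above expect an unencrypted PEM.'
}
if (-not (Test-KeyMatchesCertificate -Path $Pem)) {
    # If the PFX carried a chain, the first certificate may be a CA certificate.
    throw 'The private key does not belong to the first certificate in the file.'
}

# The key is stored in clear text: strip inherited permissions so that only the
# current user can read the file until it has been uploaded.
& icacls $Pem /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(F)" | Out-Null

"OK: $($certs.Count) certificate(s), key matches. Delete $Pem once the upload has succeeded."
```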

Outlook Plugin User Guide

TIP!

The ShareFile Outlook Plug-in is now Citrix Files for Outlook. The information presented here applies to the latest version of Citrix Files for Outlook and can be referenced for previous versions of ShareFile Outlook Plug-in. To get the latest version of Citrix Files for Outlook, visit https://dl.sharefile.com/CFO.

The ShareFile Plugin for Microsoft Outlook allows Employee users to insert links to files, upload and send new files, and request files directly from Microsoft Outlook email messages. Additionally, you can choose to send all attachments or all attachments of a particular size via ShareFile rather than your internal email server.

Although a network connection is not required to install the Outlook Plugin, a network connection is required to authenticate and use the plugin to send links and files.

Note: The ShareFile Outlook Plugin cannot be used by Client users.

Supported languages: English, French, German, Spanish, Japanese, Korean, Dutch, Russian, Portuguese (Brazil) and Simplified Chinese.

Still haven’t installed the plugin? Click here for installation instructions.


Getting Started

After installation and setup, you will notice three new buttons on the message ribbon when composing a new email: Convert Attachments, Attach Files, and Request Files.

Clicking one of these buttons will insert a temporary (non-functioning) link into your email. The link will be finalized and functional only after you click Send.


Attach Files

The Attach Files button allows you to attach files from both your PC and your ShareFile account.



From PC

From PC – attach files stored on your computer to your email message. When you select this option, you will be able to select the files that you wish to attach to this email. Files uploaded from your computer using this method will be uploaded to the File Box of your ShareFile account. If you would like to use different ShareFile options for this specific email, select Use Custom Settings. After attaching the desired files and composing the email, click Send to send the email. The plugin will upload the files and convert the temporary link to a functioning link in the Outbox. Then Outlook will send the email containing the link to the indicated recipient.

Emails sent using this option will stay in your Outbox longer than normal after you click Send, as the files must first be uploaded to ShareFile. The amount of time this takes will depend on the speed of your Internet connection and the size of the attachments. Please do not close Microsoft Outlook until your upload is complete. ShareFile recommends that you do not upload extremely large files (more than 500 MB) to your ShareFile account through the plugin. You will have better, more reliable results logging into and using the ShareFile web application for large file uploads. You can then attach these large files from your ShareFile account using the From ShareFile option detailed below.



From ShareFile

From ShareFile – attach files stored in your ShareFile account. Check the boxes to select the files and folders you want to attach to your email. Once you have selected the file and clicked OK, the file will be inserted into the body of your email as a temporary link. If you would like to use different ShareFile options for this specific email, select Use Custom Settings. After attaching the desired files and composing the email, click Send to send the email. The plugin will convert the temporary link to a functioning link and Outlook will send the email containing the link to the indicated recipient.

From ShareFile uses less bandwidth and storage as you are not uploading new data to your account.



Revoke Access from Outlook Message

Once you have shared a file using the ShareFile Plugin, you can revoke your recipient’s access to the files from within Microsoft Outlook. To do so, navigate to your Sent Messages in Microsoft Outlook and locate the email you sent your recipient. When viewing that message, locate the ShareFile Plugin header at the top of the message. Click the Revoke Access button. Once you confirm, the recipient will no longer be able to access the files via the email message. Revoking access does not prevent your recipient from viewing the file if they have already downloaded it.



Request Files

Request Files – insert a text link into the body of your email message. Your recipient will be able to click on the generated link and upload a file to your ShareFile account without downloading any software or signing up for an account. You can customize this automatically generated link in the Options menu.

Uploaded files are sent to your File Box. If you would like to change the upload destination for this specific email message, select Use Custom Settings. Once you have selected Use Custom Settings, you will be presented with a pop-up window that allows you to change the settings for the link. By clicking Edit to the right of Upload file to, you can select a new folder from your ShareFile account. Any changes made will affect only the link that you are sending in this individual email.



Convert Attachments

Convert Attachments – Convert normal file attachments to a secure ShareFile link. This option will only appear on a new message and will not be clickable unless there is an existing attachment on the email. After clicking Convert Attachments and composing the desired email, click Send to send the email. The plugin will upload the files and convert the temporary link to a functioning link. Then Outlook will send the email with the link to the indicated recipient.

Emails sent using Convert Attachments will stay in your Outbox longer than normal after you click send as the files must first be uploaded to ShareFile. The amount of time this takes will depend on the speed of your Internet connection and the size of the attachments.

Sending Large Files

ShareFile does not recommend converting extremely large files (more than 500 MB) via the plugin. You will have better, more reliable results logging into and using the ShareFile web application for large file uploads. Once you have uploaded the large file to your ShareFile account, you can then send the large file by attaching it to an email message using Attach Files From ShareFile.



Initiate Feedback and Approval Workflow

This feature is available on the ShareFile Plugin for Outlook, version 4.3 or later.
Click here for information on how to use this feature from within Outlook.


Features


Add a Request a File Link to Your Outlook Signature

1. Open a New Outlook Email Message.

2. Click the Request Files button, then Use Custom Settings.

  • Configure the options to your liking, designate your preferred uploading destination, and don’t forget to adjust your expiration settings! Click OK to generate the link.

3. Highlight the newly generated Request a File link, right-click and select Copy.

4. Click Signature in the ribbon and edit the Signature you wish to add the link to. Paste the Request a File link into the signature.

5. Click OK to save the changes to your signature.


Using “Send To” with the ShareFile Plugin

You can also choose to send files using the plugin by right-clicking the files in your web browser screen or desktop. To do so, right-click on a file or folder and select Send to in the drop-down menu that opens. Next, click Mail Recipient with ShareFile. This will open a new Outlook message with a temporary link to the file already created.


Save Attachments to ShareFile

You can now save an email attachment directly into your ShareFile account in just a few clicks. To do so, right-click the attachment in your Outlook message and choose the Save to ShareFile option. Use the folder tree to select an upload destination on your account, then click OK. Your file will be uploaded to ShareFile.



Protected Sharing Support

Specific ShareFile accounts can send a file with Protected Sharing options using version 4.0 or later. Use this feature to protect file access even after the file has been downloaded by your user. This feature may only be configured by using the Use Custom Settings option. Click here for additional information on Protected Sharing.


Incompatible Add-Ins or Services

The ShareFile Outlook Plugin is not supported with any 3rd party service or add-in and cannot be guaranteed to function properly when used in conjunction with other add-ins. This includes meta-data scrubbers, SmartVault, iTunes, Grammarly and other add-ins. While frequently encountered add-ins may be specifically mentioned in this article, this article should not be treated as a final list of incompatible add-ins.

  • If you are using an antivirus program such as Kaspersky or McAfee, please take steps to add ShareFile as an exception to your apps.
  • Metadata Scrubbers may interfere with the ShareFile Plugin for Microsoft Outlook. It is recommended that any metadata scrubber add-ons be disabled in order for the ShareFile Plugin to function properly.
  • Likewise, Exchange Alternatives (such as Kerio Connector) are not compatible with the ShareFile Plugin and may block the plugin from functioning correctly. ShareFile recommends disabling these add-ons.




Contacting Support

Need help? You can find a link to contact the Support team directly through the Outlook Plug-in. To do so, click the Plugin Options button in your Outlook ribbon to open the Options menu.

Next, click the Help button and click Get Support. This will open your browser to the Help Center where you can search the Support Knowledge Center, or contact the Support team.


Sending Large Files

We do not recommend uploading extremely large files (more than 500 MB) to your ShareFile account through the plugin. You will have better, more reliable results logging into and using the ShareFile web application for large file uploads. Once you have uploaded the large file to your ShareFile account, you can then attach these large files to an email message using Attach Files From ShareFile.


Rich Text Format

The ShareFile Outlook Plugin does not support Rich Text Format messages.

Uninstall ShareFile Outlook Plug-in with default uninstaller

Windows 7 Users

  • Click on Start at the bottom left of the screen
  • Select Control Panel > Uninstall a program link.
  • Search for ShareFile Outlook Plug-in in the list, right-click it and select Uninstall.
  • Follow the instructions to finish the removal.
  • Restart your computer.

Windows 8 Users

  • Hover the mouse pointer in the lower right corner to see Win8 side menu.
  • Go to Settings > Control Panel > Uninstall a program link.
  • The rest are the same as those on Windows 7.

How to Implement RSA Authentication for NetScaler Gateway

The following procedure details how to configure NetScaler Gateway with RSA Authentication Manager Version 6.1 and Steel-Belted Radius installed on a Windows server:

RSA Server Configuration Steps

Note: If the RSA RADIUS Server component is not installed, consult the RSA RADIUS Server 6.1 Administrator’s Guide for further instructions.

  1. On the RSA server, go to Start > Programs > RSA Security and launch RSA Authentication Manager Host Mode. The RSA Authentication Manager 6.1 Administrator window opens.

  2. Go to RADIUS and choose Manage RADIUS Server in the drop-down menu.

    The RSA RADIUS — Powered by Steel-Belted Radius (RSA) window opens.

  3. In the right pane of the RSA RADIUS window, right-click RADIUS Clients and click Add. The Add RADIUS Client window opens.

  4. Provide the following configuration settings:

    • Name: Type the name of the NetScaler Gateway Server.

    • Description: Type a description (not mandatory).

    • IP Address: Type the NetScaler IP (NSIP) address of the NetScaler Gateway.

    • Shared secret: Type the shared secret between NetScaler Gateway and the RADIUS server.

    • Make/model: Choose – Standard Radius – from the drop-down menu.

  5. Click OK. The Add RADIUS Client window closes.

  6. Close the RSA RADIUS – Powered by Steel-Belted Radius (RSA) window.

  7. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.

  8. Configure the following settings for your NetScaler Gateway device:

    • Name: Provide the Fully Qualified Domain Name (FQDN) of the NetScaler Gateway device. After providing the FQDN, press the TAB key and the Network address field should populate itself.

    • Network address: If this field does not populate itself, provide the NSIP of the NetScaler Gateway.

    • Agent Type: Select Communication Server.

      Select the Open to All Locally Known Users check box. If all the users imported on the RSA server are not allowed, click User Activations… and import the users that are allowed to authenticate through the NetScaler Gateway.

  9. If not already present, create an Agent Host entry for the RSA server itself.

  10. Configure the following settings for your RSA server:

    • Name: Provide the FQDN of the RSA server. After providing the FQDN, press TAB and the Network Address window should populate itself.

    • Network Address: If it does not self-populate, provide the IP address of the RSA server.

    • Agent Type: Select RADIUS Server.

Additional configuration steps on the RSA server

  1. Import users (through Lightweight Directory Access Protocol (LDAP) synchronization) or create local users.

  2. Assign token to users.

  3. Consult your RSA product documentation for more information on how to finalize the RSA server configuration.

NetScaler Gateway Configuration Steps

  1. In the Citrix NetScaler Gateway Configuration Utility, go to NetScaler Gateway > Policies and select Authentication.

  2. On the right pane in the Authentication window, click Add. The Create Authentication Server window opens.

  3. Select Radius and then choose Server in the right pane.

  4. Configure the following settings for the NetScaler Gateway to connect to the RADIUS server:

    • Name: Type a name for the configured authentication server

    • Authentication Type: Select RADIUS.

    • IP Address: Type the IP address of the RSA server.

    • RADIUS Key: Provide the key configured as the Shared Secret in the RSA RADIUS Client configuration.

  5. Click Create. The Create Authentication Server window closes. An entry with the name of your authentication server should appear in the right pane of the GUI.

  6. Click the Policies tab and click Add. The Create Authentication Policy window opens.


  7. Configure the following settings for the authentication policy:

    • Name: Type a name for the authentication policy.

    • Authentication Type: Select RADIUS.

    • Server: Select the authentication server configured in Step 3.

    • Named Expressions: Click the right drop-down menu next to General and select ns_true. Click Add Expression. The “ns_true” string should appear in the Preview Expression window.

  8. Click Create. The Create Authentication Policy window closes. An entry with the name of the policy appears in the right pane.

  9. In the left pane, go to NetScaler Gateway > Virtual Servers.

  10. Double-click the VPN virtual server on which you want to use RSA authentication. The Configure VPN Virtual Server window opens.

  11. In the Configure NetScaler Gateway Virtual Server window, click the Authentication tab.

  12. In the Authentication window, select the Primary radio button as the primary authentication mechanism.

  13. The authentication policy created in Step 6 should appear.

  14. Bind the policy to your NetScaler Gateway Virtual Server by selecting the policy from the drop-down list.

Corresponding CLI Configuration Steps

  1. Add the RADIUS authentication server by issuing the following commands:

    add authentication radiusAction <name> -serverIP <IP> -radKey <key> -encrypted

    add authentication radiusAction SBR_RSA -serverIP 10.10.0.27 -radKey people -encrypted

  2. Add a RADIUS policy and choose the existing RADIUS server configured above by issuing the following commands:

    add authentication radiusPolicy <name> <expression> <RADIUS server>

    add authentication radiusPolicy RSA_Pol1 ns_true SBR_RSA

  3. Bind the session policy to a VPN vserver by issuing the following commands:

    bind vpn vserver <name> -policy <policy name>

    bind vpn vserver testvpn -policy RSA_Pol1

The following procedure details how to configure Access Gateway, Enterprise Edition with RSA ACE/Server version 6.0 and the RSA ACE/Server RADIUS daemon:

RSA ACE/Server version-specific settings

The RSA ACE/Server daemon listens on User Datagram Protocol (UDP) port 1645 by default. The following procedure describes how to change the listener port. Changing the RADIUS listener port is not required; the NetScaler Gateway allows you to set the port value for the listener port of the RADIUS server.

RSA Server Configuration

If you do not have the RSA RADIUS Server component installed, consult the RSA ACE/Server 6.0 for Windows Installation Guide for instructions.

  1. On the RSA server, go to Start > Programs > RSA ACE Server and click Database Administration – Host Mode.

  2. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.


  3. Configure the following settings for your NetScaler Gateway device:

    • Name: Provide the FQDN of the NetScaler Gateway device. After providing the FQDN, press TAB key. The Network Address field should populate itself.

    • Network Address: If this field does not populate itself, provide the NSIP of the NetScaler Gateway.

    • Agent Type: Select Communication Server.

      Select the Open to All Locally Known Users check box. If not all the users imported on the RSA server are allowed, click User Activations… and import the users that are allowed to authenticate through the NetScaler Gateway.

  4. Click Assign/Change Encryption Key… The Assign/Change Encryption Key window opens. In the Key field, provide the shared RADIUS key between the NetScaler Gateway and the RSA RADIUS component.


  5. Create an Agent Host entry for the RSA server itself if it has not been created already.

  6. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.


  7. Configure the following settings for your RSA server:

    • Name: Provide the FQDN of the RSA server. After providing the FQDN, press TAB. The Network Address field should populate itself.

    • Network Address: If this field does not populate itself, provide the IP address of the RSA server.

    • Agent Type: Select Net OS Agent.

Complete the following procedure if you need to change the default port configured on the RSA server for RADIUS:

  1. Go to Start > Programs > RSA ACE Server > Configuration Tools and click Configuration Management.

  2. The RSA ACE/Server Configuration Management window opens. Click Edit. A REMINDER window opens with further instructions.

  3. Read the instructions and click OK. The RSA ACE/Server Configuration Management window opens.

  4. In the Services section, type 1812 in the RADIUS field under the Port Number column. Refer to the following screen shot:


  5. Click OK to save the settings and close the window.

  6. Open the Service node and restart the RSA ACE/Server RADIUS daemon.


Uninstall Symantec without password

I need a solution

I applied a policy to prevent any user from uninstalling SEP without a password, but users can still uninstall SEP without being asked for a password.

I am sure there is no problem in applying the policy; I applied it as follows:

  1. Click Clients
  2. Select Policies tab.
  3. Click on General Settings.
  4. Select Security Settings tab.
  5. Select Require a password to uninstall the client
  6. Type the <password> in the box.
  7. Click OK.

Note: when the user tries to stop the SEP service with “SMC-Stop”, he can’t because it asks for a password. I don’t know why it’s not working for uninstalling the application.

Windows 10 versions “1709 & 1803”


Add a Request a File Link to Your Outlook Signature


1. Open a New Outlook Email Message.

2. Click the Request Files button, then Use Custom Settings.

  • Configure the options to your liking.

  • For the purposes of placing a secure link in your signature, the Sign In requirement cannot be used. “Sign In” requires that the recipient of your email message (the To field) be a user on your ShareFile account. Since many different recipients can access your signature link once it’s done, ShareFile cannot specify which user should be created as a user on your account, and will display an “Invalid Link” error when trying to send any email containing the link you generated using the Sign In option.

  • Don’t forget to adjust your expiration settings!

  • Click OK to generate the link.


3. Highlight the newly generated Request a File link, right-click and select Copy.


4. Click Signature in the ribbon and edit the Signature you wish to add the link to. Paste the Request a File link into the signature.


5. Click OK to save the changes to your signature.


Configure RDS Licenses for XenApp

The following two GPO settings should be configured to set the license server and the license type for RDS.

Apply policy: Computer Configuration > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing

1. Use the specified Remote Desktop License Server

2. Set the remote Desktop Licensing mode

Also, perform the steps below to configure the RDSH server:

Install Remote Desktop Licensing

1) In Server Manager, open the Manage menu and click Add Roles and Features.

2) Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services and click Next.

3) Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing and click Next.

4) Click Add Features if prompted.

5) Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

1) After RD Licensing is installed, in Server Manager, open the Tools menu, expand Terminal Services and click Remote Desktop Licensing Manager.

2) The tool should find the local server. If it does not, right-click All servers, click Connect and type in the name of the local server. Once the local server can be seen in the list, right-click the server and click Activate Server.

3) In the Welcome to the Activate Server Wizard page, click Next.

4) In the Connection Method page, click Next.

5) In the Company Information page, enter the required information and click Next.

6) All of the fields on the Company Information page are optional so you do not have to enter anything. Click Next.

7) In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.

8) In RD Licensing Manager, right-click the server and click Review Configuration.

9) Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.

10) Click Continue when prompted that you must have Domain Admins privileges.

11) Click OK when prompted that the computer account has been added.

12) Click OK to close the window.

Remote Desktop Licensing Configuration

Do the following on your 2012 R2 Remote Desktop Session Hosts. The only way to configure Remote Desktop Licensing is using group policy (local or domain).

1) For local group policy, run gpedit.msc.

2) Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.

3) Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the XenDesktop Controllers. Click OK.

4) Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.

5) In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.

6) The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.


NOTE: The group policy should point to your RD Licensing servers. If you installed RD Licensing on your Controllers, specify them. Otherwise specify the RD Licensing server names.


7018598: Quickstart Guide: Setting up Active Directory Single Sign-On (SSO) with a GroupWise 2014 R2 SLES11 Linux Post Office

Assumptions:

a. For the example purposes of this document, it is assumed that the GroupWise Linux Post Office Server fully qualified hostname is “bperez13.bperez11.gwlab.com” and that the Active Directory Domain Server fully qualified hostname is “bperez11.gwlab.com”. Substitute your hostnames as appropriate.

In this example, the Active Directory user and GroupWise UserID that we will work with is “aduser1”. It is also assumed that your SLES11 server is up to date on patches.

b. It is assumed that in your Microsoft Active Directory Server, in DNS Manager, you have a DNS “zone name” of, in this example, “bperez11.gwlab.com” (substitute your DNS zone name). That way you will not have to make changes to the GroupWise Linux server hostname and the POA agent settings hostname on that server.

c. It is assumed that you have or will have a DNS “A” record (on your Microsoft Domain Server) of, in this example, bperez13.bperez11.gwlab.com; substitute your GroupWise server fully qualified hostname as needed. So in this example, in the DNS application on the Microsoft Domain Controller Server, under “Forward Lookup Zones”, you would have defined a DNS zone called “bperez11.gwlab.com”, and under this zone you would create a DNS A record with a “Host” name of “bperez13” and a “Fully qualified domain name (FQDN)” of “bperez13.bperez11.gwlab.com”, along with the IP address that bperez13.bperez11.gwlab.com resolves to. Make the proper name substitutions as you need.

d. It is assumed you are working with a Microsoft Windows 2012 R2 Server.

e. It is assumed that you have created an LDAP Directory and LDAP Server in the GroupWise Web Admin Console under SYSTEM, “LDAP Servers”, by following the steps listed in Section 6.1, steps 1 thru 6 of this URL:

https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b199manl.html

and Section 6.2.1, steps 1 thru 6 of this URL:

https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b199mao7.html

f. It is assumed that you have imported into GroupWise the Active Directory users that will be using the Single Sign-On (SSO) feature, so these users are associated with the Active Directory server listed in the LDAP Servers.

g. Lastly, it is assumed that on your Active Directory Windows Server 2012 R2 box, in “Active Directory Users and Computers”, under View, you have checked “Advanced Features”.

NOTE:

Since you will be changing the Security setting for the Post Office Agent, consider doing this on a Friday night after hours to minimize user impact. Or you could test this procedure on a GroupWise test server that is not in production, until you are comfortable that it will work as you expect.

NOTE:

Have a full, complete backup of the GroupWise System before performing these steps, in case there are any issues. However, these steps worked correctly for me on my SLES11 GroupWise Server and Windows 7 workstation with the GroupWise 2014 R2 Windows client.

NOTE: For any additional GroupWise servers that you want to have Single Sign-On functionality with Active Directory, repeat the steps in this Technical Document for each additional Linux server where there is a GroupWise Post Office.

Steps to Follow:

For the Linux Post Office Server you will have to “Join” the Windows Server Domain Controller and make the below changes NOW:

1. You need to know the current fully qualified hostname for the Linux GroupWise Post Office Server, let's say it is:

a. bperez13.bperez11.gwlab.com

2. You need to know the current fully qualified hostname for your Active Directory Domain Server, let's say it is:

a. bperez11.gwlab.com

3. Then the Linux Post Office Server will likely need a change to its listed “Name Server” in YaST, in this example: (The Windows Domain Controller)

a. IP address of the Windows Domain Controller

b. To make this “Name Server” change go to YaST, Network Devices, Network Settings, and in the Hostname/DNS tab, the “Hostname” would have to be “bperez13”, no quotes, and the “Domain Name” would have to be “bperez11.gwlab.com”, no quotes. As appropriate in your situation, change it NOW.

c. AND in this same tab, “Name Server 1” would have to have ONLY the IP address of your Active Directory Domain Controller. Do not have any values for “Name Server 2” and “Name Server 3”. The “Domain Search” list box to the right would have to show “bperez11.gwlab.com”, no quotes. As appropriate in your situation, change it NOW.

d. In the Routing tab, the “Default Gateway” would of course have to be filled out correctly for your network environment. CLICK OK and exit YaST.

e. The result would be that when you go to a terminal as “root” on the Post Office Server, you should at least be able to PING internal and external IP addresses or hostnames to make sure you have proper IP connectivity.

4. Go to the below documentation URL for “Configuring Single Sign-On with Active Directory” (54.2):

a. https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/b1f0s9uy.html

b. With the above GroupWise documentation URL, under the section “Configuring Single Sign-On with Active Directory” (54.2), we will go over the first 4 listed bullet points in order:

c. For the 1st bullet point, make sure both the POA Linux Server and the User Windows Workstation are joined to the same Active Directory Domain:

i. On the Linux box where the Post Office is located, click Computer, YaST, Network Services, Windows Domain Membership. On Membership “Domain or Workgroup”, type the fully qualified hostname NOW for your Active Directory Domain Controller, in this example (but substitute yours):

“bperez11.gwlab.com”

ii. Click the Expert Settings button, for the Kerberos Method select “system keytab”, then click OK.

iii. Click the “NTP Configuration” button to ensure time synchronization between the Linux Post Office Server and the Active Directory Domain Server; as needed, set the Time server. Click ADD, click Next, type in an appropriate local or public Time Server, click Test, click OK after it responds correctly, click OK, then OK again. Click the JOIN button in the upper right if present, otherwise click OK. Click OK again. You should see a dialog pop up that says “This host is not a member of the domain <bperez11>”. You will see another dialog that says “Join the domain <bperez11>?”; click Yes. In the resulting dialog put in the Windows domain controller “administrator” username and password and CLICK OK.

iv. Your Linux Server is now joined to the Active Directory Server.

v. To join the User Workstation, go to the Windows PC. It is assumed you are not yet joined. On either Windows 7, Windows 8.1, or Windows 10:

1. Right-click the Network icon in the Windows tray, select “Open Network and Sharing Center”, select “Change Adapter Settings”, right-click the appropriate network card, highlight “Internet Protocol Version 4 (TCP/IPv4)” and click Properties.

2. For “Use the following DNS server addresses:”, for the “Preferred DNS server”, type the IP address of your Active Directory Server. Click OK then CLOSE.

3. Now to actually join to the Active Directory Server, go to:

a. On the Windows 7 workstation, click Start, right-click “Computer”, Properties, Advanced System Settings, Computer Name tab; to change to a Domain, click the Change button.

b. For the Member Of: Domain list box, type the fully qualified hostname of the Active Directory Server (example, bperez11.gwlab.com). Click OK. Supply the appropriate Active Directory credentials, click OK, then you should successfully join and get a confirmation of this. Click OK. Click OK again to RESTART your computer as required by Windows. I assume you will click RESTART NOW.

c. When the Workstation reboots, you will come to a Windows Logon dialog. Type for the Username:

i. The name of your Windows Domain Server\A.D. UserName; the example in this case is “BPEREZ11\aduser1”

ii. Type the password for this Active Directory User and LOGIN

d. To confirm the credentials that the GroupWise Single Sign-On depends on, go to a DOS Window (cmd) and type “whoami”; it should respond with, in this example:

bperez11\aduser1

e. Close the DOS Window.

f. Now for the 2nd bullet point listed in the above Documentation URL:

“Make sure the POA object has the DNS fully qualified domain name instead of the IP address: In the GroupWise Admin Console > Post Office Agents > select the POA > Agent Settings > TCP/IP Address Field.”

In this example, the value should already be “bperez13.bperez11.gwlab.com”. Make this change NOW if necessary. Remember: no IP address, just the hostname.

g. For the 3rd bullet point of the Documentation URL: “Enable LDAP authentication in the GroupWise Admin Console > Post Offices > select the PO > Security tab.” Make sure your A.D. LDAP Server name is selected here. Refer to Assumptions point “e” above for details if needed.

h. For the 4th bullet point of the Documentation URL: “Select Network authentication (eDirectory or Active Directory) in the Admin Console > Post Office Agents > select the POA > Client Options > Security tab.” Do this change now. Remember to click SAVE.

Now it's time to move on in the Documentation to Section 54.2.2, “Linux POA”; there are 7 bullet points:

5. For the 1st of 7 bullet points, “Make sure that all krb5 rpms are installed on the server”. This means that you should check in YaST, Software Management: search, type “krb5”, no quotes, and click the SEARCH button.

a. You should have “krb5”, “krb5-32bit”, AND “krb5-client” checked. If you don't have all of these, check off the missing one and CLICK the ACCEPT button in the lower right of the dialog. Exit YaST.

b. You can also check what krb5 libraries you have installed by going to the Linux terminal as “root” and issuing the command:

a. rpm -qa | grep krb5

b. You should see: krb5-client-<versionNumber>, krb5-<versionNumber>, and krb5-32bit-<versionNumber>

6. 2nd bullet point, “Make sure that the Linux server points to the AD Server as its DNS Server”:

We already did this. Next step.

7. 3rd bullet point, “Join the Linux POA server to the Windows Domain by”:

We already did this. Next step.

8. 4th bullet point: refer to this example file instead to check and verify what is configured in the file, and modify NOW as appropriate for your environment. Note that the offset lines are indented with tabs, not spaces, and note the case of letters:

vi /etc/krb5.conf :

[libdefaults]
	default_realm = BPEREZ11.GWLAB.COM
	clockskew = 300

[realms]
	BPEREZ11.GWLAB.COM = {
		kdc = bperez11.gwlab.com
		default_domain = bperez11.gwlab.com
		admin_server = bperez11.gwlab.com
	}

[logging]
	kdc = FILE:/var/log/krb5/krb5kdc.log
	admin_server = FILE:/var/log/krb5/kadmind.log
	default = SYSLOG:NOTICE:DAEMON

[domain_realm]
	.bperez11.gwlab.com = BPEREZ11.GWLAB.COM
	bperez11.gwlab.com = BPEREZ11.GWLAB.COM

9. 5th bullet point: at a terminal on the Linux Post Office Server, as “root”, issue this command NOW (NOT the command in the documentation, unless it is the same):

a. net -U administrator@<activeDirectoryFullyQualifiedHostName> ads keytab add groupwise

b. Type the password for the Active Directory “administrator” user

c. At the terminal on the GroupWise Linux server, cd to /etc, then issue the command “klist -k”, no quotes. You should see among other content 5 or so lines that show, as in this example (yours will be different):

i. <a number> groupwise/bperez13.bperez11.gwlab.com@bperez11.gwlab.com

ii. You MUST see this fully qualified domain name (yours will be different) to the left of the “@” character: “bperez13.bperez11.gwlab.com”

10. 6th bullet point: make sure that the /etc/krb5.keytab file is readable by the user that is running the GroupWise POA on the server.

So if you run the GroupWise agents as “root”, or another user, then that user must have ownership of this file.

So when you go to the /etc/ directory on the Post Office Linux Server and issue the command, as “root”, “ls -l krb5.keytab”, no quotes, you will see the owner of the file; root is the owner here:

a. -rw------- 1 root root 2027 Jan 22 15:16 krb5.keytab

b. And to compare who is running the POA process, issue the command at the terminal: “ps -eaf | grep gwpoa”, no quotes; the owner is in the first, left-most column.

If it says “root” then there is a match and the ownership of this file is good. If there is not a match, then you MUST change the ownership of the krb5.keytab file NOW with this command, to match the user who is running the POA agent, at the /etc/ directory:

“chown <userNameWhoRunsPOA>:users ./krb5.keytab”, no quotes.

c. I assume that if this is the “root” user, then “root” is part of the “root” group. If the user is not the “root” user then, let's say the user is called “gwuser”, I assume that “gwuser” is part of the Linux group called “users”.

Then you must assign the appropriate user and group file permissions. As appropriate do this NOW:

i. cd to the /etc/ directory, and issue the below command NOW:

ii. chmod ug=rwx ./krb5.keytab

11. (Optional) 7th and final bullet point, “Create a GroupWise Name Server in DNS”. If you do not do this, users need to know the IP address and port number to connect to the POA.

a. It is recommended you follow this technical document to accomplish this by creating a Microsoft Service Connection Point (SCP), which has similar functionality to ngwnameserver:

https://support.microfocus.com/kb/doc.php?id=7023422

12. Note: In this example situation, when you start the GroupWise Windows Client the first time after enabling Single Sign-On, you should see the “Micro Focus GroupWise Startup” dialog, and in this dialog you should see “Connecting to Post Office at: bperez13.bperez11.gwlab.com: 1677”. Substitute your hostname for GroupWise. If you do not see the correct hostname or you see an IP address, then just click CANCEL and correct the “Address” list box to show your GroupWise hostname, fill out the rest of the information needed in this dialog and CLICK OK. Now when you successfully log in, it will remember your credentials, and the next time you attempt to log in to GroupWise you should not be prompted for your password.
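The checks from steps 9 and 10 (the groupwise/<FQDN> keytab entry, and keytab ownership compared with the account running gwpoa) as a read-only shell script. This is an added example, not code from the TID or from GroupWise; the function names and the sample `klist -k` and `ps` output are constructed for illustration. Because the keytab holds the service's long-term key, the script also fails when the file is accessible to "other" and prints the group bits for review.

```shell
#!/bin/sh
# Added example (not vendor code): read-only checks for steps 9 and 10.

# Constructed sample of `klist -k` output, using the page's example names.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/bperez13.bperez11.gwlab.com@BPEREZ11.GWLAB.COM
   2 groupwise/bperez13.bperez11.gwlab.com@BPEREZ11.GWLAB.COM
   2 groupwise/BPEREZ13@BPEREZ11.GWLAB.COM'

# Constructed sample of `ps -eaf | grep gwpoa` output; the gwpoa path and
# startup file name are assumptions made for the sample.
SAMPLE_PS='gwuser    4312     1  0 15:20 ?        00:00:07 /opt/novell/groupwise/agents/bin/gwpoa @provo.poa
root      4400  4388  0 15:31 pts/0    00:00:00 grep gwpoa'

# has_spn KLIST_TEXT SERVICE FQDN
# Succeeds when some keytab entry reads SERVICE/FQDN to the left of the "@".
# A short-name entry (groupwise/BPEREZ13) does not count.
has_spn() {
    printf '%s\n' "$1" | awk -v want="$2/$3" '
        BEGIN { want = tolower(want) }
        $1 ~ /^[0-9]+$/ {
            split($2, part, "@")
            if (tolower(part[1]) == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# poa_owner PS_TEXT
# Prints the account in the first column of the gwpoa line, skipping the
# grep process that the page's pipeline also lists.
poa_owner() {
    printf '%s\n' "$1" | awk '/gwpoa/ && !/grep/ { print $1; exit }'
}

# check_keytab FILE USER
# Prints "owner=... group=... other=..." and returns:
#   0  owned by USER and no access for "other"
#   1  owner differs from USER (the POA could not read its key)
#   2  "other" has some access (any local account could use the key)
#   3  file missing or unreadable metadata
check_keytab() {
    meta=$(ls -ld "$1" 2>/dev/null) || return 3
    owner=$(printf '%s\n' "$meta" | awk '{ print $3 }')
    perms=$(printf '%s\n' "$meta" | awk '{ print $1 }')
    group_bits=$(printf '%s\n' "$perms" | cut -c5-7)
    other_bits=$(printf '%s\n' "$perms" | cut -c8-10)
    echo "owner=$owner group=$group_bits other=$other_bits"
    [ "$owner" = "$2" ] || return 1
    [ "$other_bits" = "---" ] || return 2
    return 0
}

if [ "${1:-}" = "--live" ]; then
    # Live mode on the Post Office server (needs read access to the keytab).
    has_spn "$(klist -k /etc/krb5.keytab)" groupwise "$(hostname -f)" \
        && echo "SPN present" || echo "SPN missing"
    check_keytab /etc/krb5.keytab "$(poa_owner "$(ps -eaf)")" \
        || echo "keytab check failed with code $?"
else
    # Default: run against the constructed samples only.
    has_spn "$SAMPLE_KLIST" groupwise bperez13.bperez11.gwlab.com \
        && echo "sample: groupwise SPN present"
    echo "sample: POA runs as $(poa_owner "$SAMPLE_PS")"
fi
```

Run it with `--live` as root on the Post Office server; without arguments it only exercises the constructed samples.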

Closing Comment:

If you follow this Document and you are still prompted for a password when attempting to log in to the GroupWise Windows client, and you are on SLES11, it could be that you have an older version of the Linux Kerberos “krb5” files. You can review this TID on how to check on and correct this issue:

https://support.microfocus.com/kb/doc.php?id=7021409

Other things to check if you still are prompted for a password:

1. Be sure to verify that the “root” user owns the “/etc/krb5.keytab” file on the GroupWise Linux Post Office Server and has RWX permissions, and also the group “root”. One command that will set this as described is:

a. chmod ug=rwx ./krb5.keytab

2. Verify on the Windows Domain Controller server (Windows Server 2012 R2), in the application “Active Directory Users and Computers”, that the Active Directory Organization called “Computers” has an object with the name of your GroupWise Linux Post Office Server. Under this object, go to Properties, Attribute Editor tab; you should have an attribute called “servicePrincipalName”. If you edit this attribute, you should see among other things “groupwise/bperez13.bperez11.gwlab.com”. No quotes, and substitute your GroupWise Post Office Server hostname.

3. From the perspective of the user, in Windows, in the GroupWise Windows 14.2.2 client, click on Tools, Options, Security, Password tab; at the bottom you should have a checkmark in the checkbox “No password required with eDirectory”. If you do not, Single Sign-On will not work. If it is not checked, just type your password in the “Old password” box; then the checkbox will not be greyed out, so you can check it. Then click APPLY and OK. Then exit the GroupWise Windows client and log in again.

4. Also on the user Windows workstation, go to the DOS Window (cmd), cd to c:\windows\system32, then type the command “klist”, no quotes. You should see among other things a reference to the GroupWise Kerberos ticket; for me it shows:

Client: aduser1 @ bperez11.gwlab.com
Server: groupwise/bperez13.bperez11.gwlab.com @ bperez11.gwlab.com
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable pre_authent name_canonicalize
Start Time: 1/9/2018 8:01:23 (local)
End Time: 1/9/2018 16:31:30 (local)
Renew Time: 1/16/2018 6:31:30 (local)
Session Key Type: RSADSI RC4-HMAC(NT)

5. If Single Sign-On is still not working (you are being prompted for a password), then do the below, after hours so as not to potentially affect Post Office users. You will be toggling some settings under the Post Office and POA objects:

a. In the GroupWise Web Admin Console, under the Post Office object, Security tab, it is assumed you have “LDAP Authentication” turned on and that the “Selected LDAP Servers” has a list of at least 1 LDAP server. Do this NOW: highlight the LDAP server that is used with this Post Office’s Single Sign-On process and CLICK the right arrow to move it to the “Available LDAP Servers” list. CLICK SAVE. Then CLOSE. Now go back to this same setting and put the LDAP server back in the “Selected LDAP Servers” list and CLICK OK.

b. In this same area CLICK the “Client Options” button at the top, Security tab; it is assumed you currently have the checkbox “Network authentication (eDirectory or Active Directory)” checked. Remove the checkmark on this setting. Click OK. Now go back to this same setting and CLICK the checkbox “Network authentication (eDirectory or Active Directory)” AND LOCK IT, by clicking on the LOCK to the right. CLICK OK. Click SAVE at the bottom left, then CLOSE.

c. Restart the affected POA. At the GroupWise Linux server terminal as “root”, issue: rcgrpwise status. You will see among other things (assume your Post Office is called “provo” and your domain is called “utah”):

Checking status [provo.utah] running

So issue the command: “rcgrpwise restart provo.utah”, no quotes.

Hopefully Single Sign-On is now working at your Windows 7, 8 or 10 workstation that is configured as described in this document.


VNX: How To Remove a LUN from a Storage Group (User Correctable)

Please follow the steps below

1- Log in to Unisphere and select the array serial number

2- Click on the System tab

3- Click on the Host tab

4- Click on Storage Group

5- Highlight the desired Storage Group, then click on Properties

6- A new pop-up window will appear; choose the LUN tab

7- In the bottom half you will see the LUNs that are in that Storage Group; click on the LUN you wish to remove to highlight it

8- Click on the “Remove” button to remove it. (You may not receive an alert asking if you are sure.)

9- Click Apply, or Okay to confirm


Below is a video demonstration of the same

https://www.youtube.com/watch?v=P3xudqZ2bBM
