What actions are associated with the operations “updateUser”?

I need a solution

A user’s account has an operation entry for “updateUser” with a Status Code of “0” and Status Message of “Success”.

  1. Is this operation caused by end user or an administrator?
  2. Is this operation caused by an automated process within VIP Access Manager and its LDAP connectivity?
  3. What actions cause the “updateUser” operation entry?

I am unable to find documentation on VIP Access Manager that defines operation messages or terminology used by the application.

  • If this exists, please share with me so I don’t have to ask these inane questions.
  • If this doesn’t exist, come on Symantec….

How to Use sAMAccountName and userPrincipalName at Same Time for User Logon with Active Directory

Make two LDAP server profiles pointing to the same LDAP server IP. All the values in the configuration should be the same except one: the Server Logon Name Attribute differs between the two profiles. One uses 'sAMAccountName' and the other uses 'userPrincipalName'.

Now when a user logs in with 'domain\username', they are authenticated by the LDAP profile that uses 'sAMAccountName'; when they log in with their email address, they are authenticated by the other LDAP profile.

To know how to create and bind LDAP authentication profiles please follow the instructions of this article: https://support.citrix.com/article/CTX108876
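As an added illustration (not part of the Citrix article), the following Python functions model how a typed logon name maps to the attribute the matching profile searches on: a 'domain\username' value is matched on sAMAccountName and an email-style value on userPrincipalName, with the value escaped before it is placed in the LDAP search filter so that filter metacharacters in user input cannot change the query. The function names and the '(objectClass=user)' base filter are my own choices; NetScaler itself simply tries the two profiles in order.

```python
# Added example: route a logon name to the LDAP attribute the matching profile
# searches on, and build an escaped search filter. Not Citrix code.

def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 hex escapes)."""
    special = {'*', '(', ')', '\\', '\x00'}
    return ''.join('\\%02x' % ord(ch) if ch in special else ch for ch in value)


def choose_logon_attribute(logon_name: str) -> tuple:
    """Pick the server logon name attribute for a typed logon name.

    DOMAIN\\user -> sAMAccountName (the domain prefix is not part of the attribute)
    user@domain -> userPrincipalName
    bare user   -> sAMAccountName
    """
    if '\\' in logon_name:
        _domain, _, user = logon_name.partition('\\')
        return 'sAMAccountName', user
    if '@' in logon_name:
        return 'userPrincipalName', logon_name
    return 'sAMAccountName', logon_name


def build_user_search_filter(logon_name: str, base: str = '(objectClass=user)') -> str:
    """Filter the LDAP profile would send to locate the account before binding as it."""
    attr, value = choose_logon_attribute(logon_name)
    return '(&%s(%s=%s))' % (base, attr, escape_ldap_filter_value(value))
```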


Data Protection Advisor 6.4 : Unable to use 2 Factor authentication with LDAP in DPA

Article Number: 502102 Article Version: 3 Article Type: Break Fix



Data Protection Advisor 6.2,Data Protection Advisor 6.2 SP1,Data Protection Advisor 6.2 SP2,Data Protection Advisor 6.2 SP3,Data Protection Advisor 6.3,Data Protection Advisor 6.4

LDAP login to DPA fails when using 2 Factor Authentication.

LDAP 2 Factor Authentication is not supported in DPA.

This is not a currently supported feature in DPA, and there is no resolution at this time for this issue.

If this feature is required in the environment, a Request For Enhancement (RFE) will need to be filed in order to have it added to DPA in the future. Please contact the local Dell EMC account team to file the RFE and provide updates on its status.

Please contact Dell EMC Technical Support for further details or information.


7023371: Unable to change AD password if using restricted (non-domain Admin) rights

This document (7023371) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager Driver – Active Directory

Situation

An error occurs when changing a user's password in Active Directory while the driver uses an account with only limited rights in Active Directory. When an account with Domain Admin rights is used, the password is changed successfully.
The error is as follows:
<output>
<status level="error" type="driver-general" event-id="….">
<message>Password set failed.</message>
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
<server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="5"/>
</ldap-err>
</status>
</output>

Resolution

This may be caused by the driver's account not having all the rights needed to change the password.
With Windows Server 2016, you may find that additional rights are needed.
Your security policies may also require further changes.
Below is one possible configuration that may work, depending on how the domain is set up. Because of the countless ways a domain and a driver may be configured, only suggestions can be made.
Grant the driver's account the following permissions:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set
  • Replication synchronization
Also grant the following delegation:
  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
The error may also be caused by the target user having ever been a member of a domain admin group or another protected security group, which causes the user to receive the attribute adminCount=1 in Active Directory. Even if the user is later removed from the security group, the attribute will often remain on the user object.
Here is a command to check the user from a PowerShell prompt:
Get-ADUser <username> -Properties adminCount
If adminCount is set to 1, you will not be able to change the password unless the driver is using a domain admin account.
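Added example, not NetIQ code: a small Python parser for the driver's <status> trace shown above, so that the LDAP rc 50 / Win32 error 5 signature can be picked out when scanning driver logs; when it matches, the delegated rights on the container and adminCount on the target user are the first things to verify. The XML sample is constructed from the trace above with a placeholder event-id, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the driver trace in this TID (event-id is a placeholder).
SAMPLE_STATUS = """<output>
<status level="error" type="driver-general" event-id="PLACEHOLDER">
<message>Password set failed.</message>
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
<server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="5"/>
</ldap-err>
</status>
</output>"""


def parse_driver_status(xml_text: str) -> dict:
    """Pull the fields worth alerting on out of an Identity Manager driver <status> element."""
    root = ET.fromstring(xml_text)
    status = root.find("status") if root.tag == "output" else root
    info = {
        "level": status.get("level"),
        "message": (status.findtext("message") or "").strip(),
        "ldap_rc": None, "ldap_rc_name": None, "win32_rc": None, "server_err": "",
    }
    ldap_err = status.find("ldap-err")
    if ldap_err is not None:
        info["ldap_rc"] = int(ldap_err.get("ldap-rc"))
        info["ldap_rc_name"] = ldap_err.get("ldap-rc-name")
        info["server_err"] = (ldap_err.findtext("server-err") or "").strip()
        ex = ldap_err.find("server-err-ex")
        if ex is not None and ex.get("win32-rc") is not None:
            info["win32_rc"] = int(ex.get("win32-rc"))
    return info


def is_insufficient_rights_failure(info: dict) -> bool:
    """True when the trace matches this TID's symptom: a password set rejected by AD
    with LDAP rc 50 (insufficientAccessRights) and Win32 error 5 (access denied)."""
    return (info["level"] == "error"
            and info["message"].startswith("Password set failed")
            and info["ldap_rc"] == 50
            and info["win32_rc"] == 5)
```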

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7023291: SSPR Users locked out after LDAP certificates are updated

This document (7023291) is provided subject to the disclaimer at the end of this document.

Environment

Self Service Password Reset
SSPR 4.x

Situation

Error 5017 authenticating to SSPR
Error 5059 – A certificate error has been encountered
Directory unavailable after certificates on the LDAP server were updated
Users unable to login after updating certs on LDAP server

Resolution

Reset the LDAP certificates by deleting and re-importing them through the SSPR Config Editor.
Steps if using the SSPR Appliance:
  1. Open the SSPR Appliance (port 9443): https://server.whatever.com:9443
  2. Open Administrative Commands
  3. Select Unlock configuration
  4. Open the SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  5. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  6. Select Clear
  7. Select Import from server
  8. Save Changes
  9. Go back to the appliance (port 9443): https://server.whatever.com:9443
  10. Open Administrative Commands
  11. Select Lock configuration
Steps if using the Linux (.war) or Windows (.msi) implementations of SSPR:
  1. Edit SSPRConfiguration.xml and set "configIsEditable" to true. It should look like this: <property key="configIsEditable">true</property> (for more detail see TID 7014954, "SSPR config manager not available", at https://www.novell.com/support/kb/doc.php?id=7014954)
  2. Open the SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  3. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  4. Select Clear
  5. Select Import from server
  6. Save Changes
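Added example, not part of SSPR or this TID: a Python check that fetches the certificate the LDAP server currently presents on its LDAPS port and compares its SHA-256 fingerprint with the ones SSPR has imported, which shows before users lock out whether a certificate renewal has invalidated the stored certificates. The pinned fingerprint set is a constructed placeholder, and the host name and port 636 are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl

# Constructed placeholder: the SHA-256 fingerprints SSPR holds for the LDAP server.
# In real use, take them from the LDAP Certificates entry in the Config Editor.
PINNED_SHA256 = {"00" * 32}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode a single certificate to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint as lower-case hex, the form most tools print."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_certificate(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Open a TLS session to the LDAPS port and return the leaf certificate as DER.
    Verification is disabled on purpose: the point is to see what the server presents
    now, even if it is no longer the certificate SSPR trusts."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pin_status(served_der: bytes, pinned=PINNED_SHA256) -> dict:
    """Compare the served certificate with the pinned set; a miss after a
    certificate renewal is the condition that produces error 5059."""
    fp = sha256_fingerprint(served_der)
    return {"fingerprint": fp, "matches_pin": fp in pinned}


if __name__ == "__main__":
    # Assumed host name; replace with the LDAP server SSPR is configured against.
    status = pin_status(fetch_leaf_certificate("ldap.example.com"))
    print("served", status["fingerprint"],
          "pinned" if status["matches_pin"] else "NOT pinned: clear and re-import in SSPR")
```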

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices

  • On the Secondary Authentication Policies, add the LDAP_Mobile policy as top priority, followed by the RSA_NonMobile policy as secondary priority.

    Important! The session policy must have the correct Single Sign-on Credential Index, that is, it must point to the LDAP credentials. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary, which is LDAP.

    Therefore you need two session policies, one for mobile devices and the other for non-mobile devices.

    For mobile devices, the session policy and session profile look as shown in the screenshots (not reproduced here).

    To create a session policy, navigate to the required virtual server, click Edit, go to the Policies section and click the + sign.

    Choose the Session option from the drop-down.

    Enter the desired Session Policy name and click + to create a new profile. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary, which is LDAP.

    For non-mobile devices follow the same steps, but set Credential Index under Session Profile > Client Experience to Primary, which is LDAP.

    The expression should be changed to:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

    To create a new profile for non-mobile users, click the + sign.


    Creating Swift accounts with LDAP or Active Directory

    Article Number: 487201 Article Version: 3 Article Type: How To



    Isilon,Isilon OneFS,Isilon OneFS 8.0

    BACKGROUND INFORMATION

    You can connect an Active Directory or LDAP group or user to an Isilon Swift account. For convenience, explanations of three of the main components are provided here:

    Swift user

    In a multi-protocol access scenario, a Swift user is a file system user who owns files in the Swift account. This user can be from an external authentication provider joined to the Isilon.

    Swift group

    In a multi-protocol access scenario, a Swift group is a file system group that owns files in the Swift account. The Swift user and Swift group determine the ownership of files within the file system, whereas the users assigned to the Swift account are the ones granted access to the account through the Swift protocol. This group can be from an external authentication provider joined to the Isilon.

    Swift account

    A Swift account is the root of a Swift namespace and is the locus of administrative control. Swift accounts hold containers and containers hold objects. A Swift account must be provisioned in order for a user to add containers or objects. Access control in Isilon Swift is granted at the account level. Users authorized to access a Swift account can access any of the containers and objects within that account.


    ACCOUNT CREATION EXAMPLE

    When creating an Isilon Swift account in conjunction with Active Directory or LDAP, specific syntax is needed to specify the location of the user or group. For example, the syntax of <domain>\<user> and <domain>\<group> specifies to the Isilon where to look for that user and group. This information is placed into the template command: isi swift accounts create <Swift Account Name> <Swift User> <Swift Group>

    For example, using the Swift account name of SwiftTest, the Active Directory domain of example, the username of jsmith, and a group name of swift_users, the command is as follows:

    # isi swift accounts create SwiftTest example\jsmith example\swift_users

    The same syntax is used for adding an LDAP user and group. In the previous example, the only difference would be to use the LDAP domain instead of the Active Directory domain.

    COMMAND OPTIONS

    There are additional options with the isi swift accounts create command that can also be utilized:

    --zone Specifies the access zone.

    --users Specifies the users who are assigned access to the Swift account. Specify --users for each additional user who must be assigned access to the Swift account.

    {--verbose | -v} Displays detailed information.

    The template command looks like this:

    # isi swift accounts create <Swift Account Name> <Swift User> <Swift Group> --zone <zone name> --users <user1> --users <user2> -v

    Using example users and group, the command is:

    # isi swift accounts create TestAccount root wheel --zone Access1 --users jsmith --users compadmin -v

    For additional information, please refer to the document: https://support.emc.com/docu65071_OneFS-8.0.0-Isilon-Swift-Technical-Note.pdf?language=en_US or https://support.emc.com/docu65065_OneFS_8.0.0_CLI_Administration_Guide.pdf?language=en_US.


    NetScaler Gateway, StoreFront and XenDesktop Integration Communication Workflow

    Topics

    1. Introduction

    2. Detailed Workflow

    1. Introduction

    In this article, we will walk through the NetScaler Gateway + StoreFront + XenDesktop workflow. I will separate the workflow into 5 steps:

    1. SSL Connection
    2. Authentication
    3. Get the App/Desktop list.
    4. Click one app and get the ica file.
    5. Launch app/desktop.


    2. Detailed Workflow

    In this section, we will analyze the detailed workflow of the 5 steps above. Here are the machines in my environment:

    Client: 10.107.197.250

    NetScaler: VIP: 10.107.197.243

    NSIP: 10.107.197.241

    Subnet IP: 10.107.197.242

    StoreFront: 10.107.197.236

    DDC/STA: 10.107.197.235

    VDA: 10.107.197.238


    2.1. SSL Connection

    This is the first step, when the user types the NetScaler Gateway vServer's address into the browser. If any issue happens here, we need to focus on the SSL handshake between client and server.

    Note: NSG means "NetScaler Gateway" in this article.

    a. Client Hello

    Client Hello is the first packet of the TLS handshake; we can check the following items in it:

    i. SNI

    ii. Cipher Suites

    iii. Protocol version
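Added example, not from the Citrix article: a minimal Python parser that pulls the three items listed above (SNI, offered cipher suites, protocol versions) out of a raw TLS ClientHello record, the same fields you would read off the packet in Wireshark, plus a builder for a constructed ClientHello so the parser can be exercised offline. The cipher-suite name table is a small subset I chose, and the host name in the sample is made up.

```python
import struct

# Small subset of cipher-suite and version codes, enough for the constructed sample.
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_client_hello(record: bytes) -> dict:
    """Return SNI, offered cipher suites and protocol versions from a raw TLS record."""
    ctype, _rec_ver, _rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    sni, versions = None, [legacy_version]         # without supported_versions, legacy_version rules
    if pos + 2 <= len(body):                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000:                    # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == 0x002B:                  # supported_versions: list len(1), versions(2 each)
                n = edata[0]
                versions = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"sni": sni,
            "versions": [VERSIONS.get(v, hex(v)) for v in versions],
            "cipher_suites": [CIPHER_NAMES.get(c, hex(c)) for c in suites]}


def build_sample_client_hello(sni: str = "gateway.example.com") -> bytes:
    """Constructed ClientHello (TLS 1.3 capable, SNI set) for offline testing."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HHHBH", 0x0000, len(name) + 5, len(name) + 3, 0, len(name)) + name
    sv_ext = struct.pack("!HHBHH", 0x002B, 5, 4, 0x0304, 0x0303)
    exts = sni_ext + sv_ext
    suites = struct.pack("!HHH", 0x1301, 0xC02F, 0x002F)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake
```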

    b. Server Hello

    Server Hello is the response to Client Hello. It carries the protocol version and cipher suite chosen from those offered in Client Hello; these items determine the subsequent encryption.

    c. Certificate

    The server sends its certificates to the client, so that the client can verify whether the certificates are trusted.

    d. Key Exchange & Change Cipher Spec

    Most SSL/TLS issues happen in the three steps above. The "Key Exchange" step is used to negotiate the master key and session keys for data encryption, and the "Change Cipher Spec" step switches the connection to the encrypted channel.

    e. HTTPS data (encrypted HTTP requests and responses)

    After the handshake, client and server exchange HTTP requests and responses encrypted with the keys negotiated in the SSL/TLS handshake.

    How to decrypt this HTTPS data at the client side? See this article: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/


    2.2. Authentication

    Commonly, customers use LDAP domain authentication. In this article, I will use two-factor authentication (LDAP + RADIUS) as an example.

    LDAP: AD

    RADIUS: FreeRADIUS

    a. The client enters the user credentials and sends them to the NSG vServer.

    Note: Here I use the NSG's private key to decrypt the HTTPS data.

    b. NSG communicates with the LDAP server and the RADIUS server to verify the user's credentials.

    b.1. A bindRequest is sent to the LDAP server to authenticate NSG itself, and the LDAP server responds with success. Here the user "administrator@donnie.com" is the bind account configured in NetScaler's LDAP policy.

    b.2. A searchRequest is sent to the LDAP server to check whether the login user exists.

    b.3. The LDAP server answers the searchRequest with a searchResEntry, which contains LDAP attributes such as the login user's group membership.

    b.4. NSG sends a new bindRequest to the LDAP server to verify the login user's password.

    b.5. NSG verifies the token with the RADIUS server, and the server responds with Access-Accept.

    c. NSG responds to the client with a normal 302 response and another 200 response to redirect the URL to StoreFront.

    d. The user clicks "Login" again on the StoreFront page, and a new login request is sent to SF. Here the user doesn't need to type the username/password again.

    e. NSG communicates with SF to pass SF's authentication.

    e.1. NSG sends the request to SF, and SF responds 401 to ask NSG to perform authentication.

    e.2. NSG sends the user's credentials to SF using the CitrixAGBasic authentication method.

    Note: they are base64 encoded; Wireshark can decode them automatically.

    e.3. SF verifies the user's username and password by contacting the AD server over Kerberos.

    e.4. SF returns 200 OK to NSG.

    f. NSG returns the same 200 OK to the client.


    2.3. Get the App/Desktop List

    a. The client sends the list request to NSG.

    b. NSG forwards this request to SF.

    c. SF sends a callback message to NSG to get the vServer/policy information. This is very useful when SmartAccess is enabled; if SmartAccess is not enabled, the callback address doesn't need to be configured in SF.

    d. SF checks with the DDC for the Apps and Desktops available to this client. Note that the session policy information is included here; it was obtained from the previous callback request, so the DDC can use its Access Policy to determine the matching apps and desktops.

    e. The DDC responds to SF with the list of available Apps.

    f. SF converts the response into JSON format and sends it to NSG. Each object represents one app/desktop.

    g. NSG sends this response to the client. Note that the ICA file URL is also in this response.


    2.4. Get the ICA file

    a. The client sends the request to NSG to get the ICA file.

    b. NSG forwards this request to SF.

    c. SF gets the VDA information, such as IP and port, from the DDC.

    d. The DDC responds to SF.

    e. SF contacts the STA server to get the STA ticket.

    f. SF generates the ICA file and sends it back to NSG.

    g. NSG forwards the response to the client. The content is the same as in step f.

    2.5. Launch app/desktop

    a. The client sends ICA data to the same NetScaler vServer. This is not HTTP. Note that only Receiver 4.6 or above supports SNI.

    b. NSG verifies the STA ticket with the STA server.

    c. The STA server responds with a valid result and the VDA server's info (IP + port).

    d. NSG connects to the VDA's port 1494 for the virtual desktop data.

    e. NSG acts as a "proxy" between the client and the VDA.
