Active Directory virtualization - security for AD VMDK
Hello
I'm the project manager for an Active Directory server virtualization project. Currently they are all physical, and my approach is to build virtual machines running 64-bit Windows 2003 R2 with sufficient storage space and disk. The actual creation of the VM is not a problem. What is a problem for our security people and the AD ops team is protecting the vmdk and associated files.
The current VSI (Virtual Server Infrastructure) has each virtual machine using one LUN for the OS disk (C: drive) and another logical unit number for the page file/temp files. Data files are also placed on a separate logical unit number. Now the question arises: since all virtual machines for a single blade (ESX host, HP BL685) server are placed on the same logical unit number, there will be a mixture of files from every server type (apps, SQL, AD, etc.) in the datastore. This means that the C: drives for all the virtual machines on this blade are running under the same security policy.
If we lock down the datastore to the AD people and other approved people, then the people supporting normal ops (in another country) do not get access to the files. Only the AD team has rights on AD and the domain controllers, so I will try to reproduce this security model.
So my idea is to have AD-only datastores: one for the C: drive (SysVol, etc.) and the other for page files. Then I can lock these down and leave the others at their current level of security.
Does this sound logical? Feasible? Preferable?
What do others think about it? Or is it overkill?
Thank you very much
Mark-Allen
My guess is, if only the AD team will ever start/stop/etc. a virtual machine, then maybe that's possible.
You can create a custom role in your vCenter permissions and delegate it to some users, who will then not have access to certain virtual machines!
Tags: VMware
-
An error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory domain controller (AD DC) for the domain 'HAMI.LOCAL'.
The error was: "An existing connection was forcibly closed by the remote host."
(error code 0x00002746 WSAECONNRESET) The query was for the SRV record for _ldap._tcp.dc._msdcs.HAMI.LOCAL
Hello
Your Windows 7 question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet Windows 7 forums.
Here is the link:
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads
Hope this helps
-
I have a Java application (SSO via SAML2) using Weblogic as an identity provider. Everything works fine using users created directly in Weblogic. However, I need to add support for Active Directory. So, according to the documentation:
- I set up an Active Directory authentication provider
- I changed its order in the list of authentication providers so that it is first
- I set the control flag value to SUFFICIENT and configured the provider specifics; here is the relevant part of the config.xml file:
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
  <sec:name>MyOwnADAuthenticator</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
  <wls:host>10.20.150.4</wls:host>
  <wls:port>5000</wls:port>
  <wls:ssl-enabled>false</wls:ssl-enabled>
  <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
  <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
  <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
  <wls:cache-enabled>false</wls:cache-enabled>
  <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
</sec:authentication-provider>
I configured an AD LDS (Active Directory Lightweight Directory Services) instance on a Windows Server 2008 R2. I created the users and an admin user "tadmin" that has been added to the Administrators members. I've also made sure to set the msDS-UserAccountDisabled property.
After restarting Weblogic, I see that users and groups in AD LDS are properly retrieved in Weblogic. But when I try to log in to my application using username: tadmin and password: <>... it doesn't work.
Here's what I see in the log file:
<BEA-000000> <LDAP Atn Login username: tadmin>
<BEA-000000> <authenticate user:tadmin>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
<BEA-000000> <DN for user tadmin: null>
<BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
<BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
So I tried to see why I get "<DN for user tadmin: null>". In Apache Directory Studio I reproduced the LDAP search request used in Weblogic, and of course I get no results. But if I change the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTE, no userAccountControl), it works; here is the result from Apache Directory Studio:
#!SEARCH REQUEST (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.324
# LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
# command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
# baseObject   : CN=wl,DC=at,DC=com
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (&(cn=tadmin)(objectclass=user))
# attributes   : objectClass
#!SEARCH RESULT DONE (145) OK
#!CONNECTION ldap://10.20.150.4:5000
#!DATE 2014-01-23T14:52:09.356
# numEntries   : 1
(the "[email protected]" is defined as userPrincipalName on the tadmin user in AD LDS)
As you can see, "numEntries: 1" (and I can see as a result the entry "CN=tadmin,CN=wl,DC=at,DC=com" in the Apache Directory Studio interface); if I add the userAccountControl filter I get 0.
I read that AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; among these attributes is msDS-UserAccountDisabled, which, as I said, I already have set to FALSE.
So my question is, how do I make it work? Why do I get "<DN for user tadmin: null>"? Is it the userAccountControl? If so, should I do a different configuration on my AD LDS? Or how can I get rid of the userAccountControl filter in Weblogic?
I can't seem to find it in the configuration files or in the interface: I only have the "user name filter: (&(cn=%u)(objectclass=user))", there is no userAccountControl in it.
Another difference is that, even though in Weblogic I set the SSL enabled flag to false, in the log I see ldaps and not ldap, I noticed (I don't mean to set up something production-ready and I don't want SSL for the moment).
Here are some other things I tried, but nothing changed:
- other '-FS' attributes were not set, so I tried initializing them to a value
- I tried other users defined in AD LDS, not tadmin
- in Weblogic, I added users who were imported from AD LDS into Roles and Policies > Realm Roles > Global Roles > Roles > Admin
- I removed all occurrences of userAccountControl I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
Any thoughts?
Thank you.
In case some other poor soul falls on this issue: I got this working by configuring a generic LDAP authenticator.
See also:
Re: could not connect to the WLS console with the user of the directory
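To make the failure in this thread concrete, here is an added example (not code from the original post and not WebLogic's own implementation): a small three-valued model of LDAP filter evaluation. It encodes the exact filter from the log, `(&(&(cn=<user>)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`, where the OID is Active Directory's bitwise-AND matching rule, and shows why it yields no DN for an AD LDS user that has no userAccountControl attribute, while the plain filter that worked in Apache Directory Studio and an AD LDS-aware filter on msDS-UserAccountDisabled both find the user and still exclude disabled accounts. The directory entries, DNs and the treatment of a bitwise match on an absent attribute as "undefined" are constructed assumptions chosen to reproduce the behaviour reported above.

```python
"""Added example for this thread (not code from the original post or from
WebLogic): a three-valued LDAP filter model showing why the Active Directory
authenticator's filter returns "DN for user tadmin: null" against AD LDS,
and what an AD LDS-aware filter looks like instead.
All entries and DNs below are constructed sample data."""
from typing import Any, Callable, Dict, List, Optional

Entry = Dict[str, Any]
Predicate = Callable[[Entry], str]

# Three-valued results, as in RFC 4511 section 4.5.1.7.
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Bit meaning "account disabled" inside userAccountControl; the matching
# rule OID 1.2.840.113556.1.4.803 in the post's filter is the bitwise-AND rule.
UF_ACCOUNTDISABLE = 0x0002


def _values(entry: Entry, attr: str) -> List[str]:
    """Return an attribute's values as strings; attribute names are case-insensitive."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return [str(v) for v in (value if isinstance(value, list) else [value])]
    return []


def eq(attr: str, value: str) -> Predicate:
    """equalityMatch: FALSE when the attribute is absent from the entry."""
    return lambda e: TRUE if value.lower() in (v.lower() for v in _values(e, attr)) else FALSE


def bit_and(attr: str, mask: int) -> Predicate:
    """extensibleMatch with the bitwise-AND rule (attr:1.2.840.113556.1.4.803:=mask).
    Modelling assumption, chosen to reproduce what the post observed: when the
    attribute is absent the server cannot decide, so the item is UNDEFINED."""
    def pred(e: Entry) -> str:
        vals = _values(e, attr)
        if not vals:
            return UNDEFINED
        return TRUE if any((int(v) & mask) == mask for v in vals) else FALSE
    return pred


def not_(p: Predicate) -> Predicate:
    """NOT flips TRUE/FALSE and leaves UNDEFINED as UNDEFINED."""
    return lambda e: {TRUE: FALSE, FALSE: TRUE}.get(p(e), UNDEFINED)


def and_(*ps: Predicate) -> Predicate:
    """AND is FALSE if any item is FALSE, TRUE if all are TRUE, else UNDEFINED."""
    def pred(e: Entry) -> str:
        results = [p(e) for p in ps]
        if FALSE in results:
            return FALSE
        return TRUE if all(r == TRUE for r in results) else UNDEFINED
    return pred


def weblogic_ad_filter(user: str) -> Predicate:
    """The filter from the post's log:
    (&(&(cn=<user>)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return and_(and_(eq("cn", user), eq("objectclass", "user")),
                not_(bit_and("userAccountControl", UF_ACCOUNTDISABLE)))


def plain_filter(user: str) -> Predicate:
    """The filter that worked in Apache Directory Studio: (&(cn=<user>)(objectclass=user))"""
    return and_(eq("cn", user), eq("objectclass", "user"))


def adlds_filter(user: str) -> Predicate:
    """AD LDS-aware variant: (&(cn=<user>)(objectclass=user)(!(msDS-UserAccountDisabled=TRUE)))
    It still excludes disabled accounts, using the attribute AD LDS actually sets."""
    return and_(eq("cn", user), eq("objectclass", "user"),
                not_(eq("msDS-UserAccountDisabled", "TRUE")))


def get_dn_for_user(entries: List[Entry], pred: Predicate) -> Optional[str]:
    """Mimics getDNForUser: only entries evaluating to TRUE are returned."""
    matches = [e["dn"] for e in entries if pred(e) == TRUE]
    return matches[0] if matches else None


# Constructed sample directory: two AD-style users (userAccountControl present,
# 512 = enabled, 514 = disabled) and two AD LDS-style users (no
# userAccountControl; msDS-UserAccountDisabled carries the disabled state).
DIRECTORY: List[Entry] = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "cn": "alice",
     "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "cn": "bob",
     "objectClass": ["top", "person", "user"], "userAccountControl": 514},
    {"dn": "CN=tadmin,CN=wl,DC=at,DC=com", "cn": "tadmin",
     "objectClass": ["top", "person", "user"], "msDS-UserAccountDisabled": "FALSE"},
    {"dn": "CN=carol,CN=wl,DC=at,DC=com", "cn": "carol",
     "objectClass": ["top", "person", "user"], "msDS-UserAccountDisabled": "TRUE"},
]

if __name__ == "__main__":
    for name, make in (("WebLogic AD filter", weblogic_ad_filter),
                       ("plain filter", plain_filter),
                       ("AD LDS filter", adlds_filter)):
        for user in ("alice", "bob", "tadmin", "carol"):
            print(f"{name:18} {user:7} -> {get_dn_for_user(DIRECTORY, make(user))}")
```

Running the block prints one line per filter and user: the WebLogic filter finds alice, rejects the disabled bob, and returns None for tadmin because the bitwise item is undefined for an entry without userAccountControl, which is the "DN for user tadmin: null" seen in the log. The plain filter returns tadmin's DN, matching the numEntries: 1 result, and the msDS-UserAccountDisabled filter returns it too while still excluding carol, so switching to a generic LDAP authenticator whose user filter can be set that way keeps the disabled-account check rather than dropping it.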
-
Dear Experts,
Is it possible to configure SAN (active-passive) replication with integrated security for Oracle?
To get the RTO < 60 seconds:
- If the primary host fails, the remote site should have the option to start the Oracle database.
- Sites are geographically remote.
Can SAN storage replication be used in my scenario?
- I have no option to implement Oracle Data Guard as it is very expensive.
Has anyone achieved something similar with SAN storage replication?
- I have Oracle SE.
- It is obvious that the all-flash backup can be quick.
What should be the strategy to have the DR site up within a few seconds if the primary site fails for any reason?
- Daily incremental backup with RMAN, and the archive log backup runs every 1 minute.
- To have the DR site up and running within 60 seconds still requires too much time to restore the database on the remote site and have the archive logs applied.
- What could be the solution with SAN replication? RTO is 60 seconds.
Thanks and regards
SAN storage replication, can it be used in my scenario?
I have no option to implement Oracle Data Guard as it is very expensive.
--> If you want to use Data Guard, it is free of charge; no additional license is required for normal Data Guard
--> An additional license is only needed for ADG
Has anyone achieved something similar with SAN storage replication?
I have Oracle SE.
It is obvious that the all-flash backup can be quick.
--> Here, I understand that Oracle EE is going to be expensive
--> Again, you can use a manual standby
--> For what you are looking for with SAN replication, you will need to check with the storage vendor
--> If your intention is to check with Oracle storage, then this may be the correct discussion room
What should be the strategy to have the DR site up within a few seconds if the primary site fails for any reason?
Daily incremental backup with RMAN, and the archive log backup runs every 1 minute.
To have the DR site up and running within 60 seconds still requires too much time to restore the database on the remote site and have the archive logs applied.
What could be the solution with SAN replication? RTO is 60 seconds.
--> If your intention is to check with Oracle storage, then this may be the correct discussion room
Check this:
https://community.Oracle.com/community/Server_%26_storage_systems/storage
-
Hello
I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).
I created several groups within the Active Directory server; I am trying to give users different access rights according to their groups.
I tried to define an access policy "NetOp/NetAdm" and two authorization rules:
Rule-1 AD - AD1:ExternalGroups contains all dir.INTRA/groups/NETOP 'Auth for net operators' 0
Rule-2 AD - AD1:ExternalGroups contains all dir.INTRA/groups/NETADM 'Auth net admin' 0
Default: deny
In the identity policy, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.
But I still get access refused: RSA authentication is successful, but the Active Directory group membership does not work, even with the unix attributes or group principal defined for the user.
My question is: is this a valid configuration scenario? Is there another way to define several profiles according to the group the user belongs to in the external source?
The monitoring steps:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - NetOp/NetAdm
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - RSA server
24500 Authenticating user against RSA SecurID server.
24501 A session is established with the RSA SecurID server.
24506 Check successful operation code
24505 User authentication succeeded.
24553 User record has been cached
24502 Session with RSA SecurID server is closed
22037 Authentication passed
22023 Proceed to attribute retrieval
24628 User cache not enabled in the RADIUS identity token store configuration.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006 Matched default rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched default rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected authorization profile is DenyAccess
11003 Returned RADIUS Access-Reject
Thank you
Christophe
I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search List, and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.
-
Replication Active Directory for ReadyNas
After you create a security group in Active Directory, how long should I wait before I can see this group in the ReadyNas interface? I created a group via AD, but when I search for it through the ReadyNas interface it does not appear after 10 minutes so far.
Hi prcist,
Please confirm whether the problem has been resolved. Please continue to ask questions and share ideas and suggestions in the community.
Kind regards
BrianL
NETGEAR community
-
domain with the active directory security / user name
Hello
I use Weblogic 12c. I created the provider for Active Directory in myrealm by going to the console > Security Realms > Providers > New, and I set the provider specifics. I have an ADF application using ADF security with that realm deployed to the same Weblogic server; it works well with the username but does not work with the user ID. For example, with users as described below:
User ID | Username | Password
aa123 | Test User | XXXX
bb123 | Test User2 | XXXX
It works fine when I put the username "Test User" or "Test User2", but does not work with aa123 or bb123. How do I let the provider use the user ID instead of the username?
For the user name attribute in Active Directory, can you please try sAMAccountName instead of CN?
If it doesn't work, can you paste the user's information? You can use the ldifde command to export the user from Active Directory.
I hope this helps.
-Faisal
-
Advanced Security with Active directory
Hello guys,
Do I need the ASO license if I use external authentication and the clients connect with MS Active Directory credentials? Thank you!
Gytis
Guys,
Here you go: "network encryption (native network encryption and SSL/TLS) and strong authentication (Kerberos, PKI and RADIUS) services are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported versions of the Oracle database."
http://docs.Oracle.com/database/121/DBLIC/options.htm#DBLIC143
Looks like ASO is no longer necessary.
PS. Although the documentation is for Oracle 12c, local support confirmed that this also applies to earlier versions.
Gytis
-
Active Directory for authentication - authorization database
Hello
I searched a lot but could not find a working way to do this; I have Weblogic Server 10.3.4. My problem is: I currently have a read-only SQL Authenticator which validates the username and password and also holds the group membership of those users. So when users log in to our Flex application, they are authenticated and authorized through this security provider. Now I want to *move the username/password validation part to Active Directory*, while group membership and other roles etc. stay in the read-only SQL authenticator. To do this, I added a second security provider to my realm, which is the Active Directory Authenticator, but right now, because users are authenticated via Active Directory, the roles, group memberships etc. do not come to the user, resulting in not being able to call EJBs.
So my question is: how can I simply authenticate users against Active Directory and take the other parts (roles, groups) from the database (in the database I no longer store the password, as it is meaningless)? Do I have to write a custom provider to do this? If so, can you show me a working way to merge two security providers?
Thank you.
Yes, you will need to create a security provider for this.
-Faisal
http://www.WebLogic-wonders.com
-
Principal name for Active Directory "domain users".
Hello
I successfully integrated Weblogic & Active Directory Kerberos (single sign-on). I tested a web application and successfully logged in with authentication.
The system automatically recognizes my Active Directory user name. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
  <role-name>Admin</role-name>
  <principal-name>Kursat</principal-name>
  <principal-name>Fenerbahçe</principal-name>
</security-role-assignment>
Now I am trying to allow all domain members to authenticate to my application. For my application, I only need the usernames of the directory users.
To do this, I removed "Kursat", "Fenerbahçe" from my weblogic.xml
  <principal-name>Kursat</principal-name>
  <principal-name>Fenerbahçe</principal-name>
and added
  <principal-name>Domain Users</principal-name>
rather than writing all users in the domain.
However, I could not authenticate. I got "Error 403 - Forbidden".
Why does this happen? Can someone help me?
Test by creating a domain users group and use it as your principal name in your weblogic.xml
-Faisal
http://www.WebLogic-wonders.com
-
Installation of Active Directory LDAP for the editor
I hope this is easy.
I have BIP 10.3.4.1 and Answers/Dashboards. Answers/Dashboards currently use Active Directory for authentication. I would like to do the same thing with BIP.
How can I do it?
Since I now have two products, do I have to go to one place of business?
Article links would be fine. There is nothing in the Publisher manual on LDAP or Security (really). The websites I found show an xml file with a series of parameters, but they seem to refer to an earlier version of Publisher.
Should be easy points.
Did you check this: http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188.pdf?
Your version is 10.1.3.4.1?
Thank you!
-
Active Directory - join the domain for multiple devices
Hi all
I need your expertise to advise me on how to join multiple devices to the domain.
Currently my organization has more than 10,000 computers, made up of Windows XP, 7, 8 and 10.
We will deploy a new Active Directory server in the data center.
Currently, we plan to go to every computer/device to perform a domain join. This method will take much time to complete for the 10,000 devices.
Is there another method to do this?
Is there a method so that all devices will join the domain automatically when connected to the corporate network?
Thank you.
Hello
Post your question in the TechNet Server Forums, as your question is beyond the scope of these Forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
See you soon.
-
What are the conditions for launching a server active directory?
I need to install a domain server for employees in my business; what do I need?
My understanding is that I need a server as hardware and Windows Server software.
Should I have any other license to connect all existing computers to this Active Directory server?
This community is for consumers, not IT professionals. I would ask you to post your question in the official IT community at http://technet.microsoft.com.
-
Hi, a staff-related question: with several user accounts in Active Directory for different purposes, when an employee leaves the company, what is the easiest way to track and disable all the user IDs created for him? Is there some sort of link so that if I disable the main account, the other accounts will be disabled?
Active Directory and server questions are better asked on TechNet. http://social.technet.Microsoft.com
-
EventID: 1206 Event Source: Active Directory Web Services. ADWS failed to determine whether the computer is a global catalog server. What will be the solution for this?
Hi K jtm,
Your Windows question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet Forum. You can follow the link to post your question:
http://social.technet.Microsoft.com/forums/en/category/WindowsServer/