Multi-domain SSO behavior

Here is our current configuration:

WebGate1 resides on a web server that serves content for the sites def.com and abc.com. Its primary cookie domain is set to .abc.com.
WebGate2 resides on a web server that serves content for the site oneid.abc.com. Its primary cookie domain is set to .abc.com.

The primary authentication server is set to oneid.abc.com.

There is one authentication scheme per site listed above, and the "Challenge Redirect" parameter of each has been set to oneid.abc.com.

Logout has not been customized and works OOTB (the user is only logged out of the site from which logout was invoked).

Resources x.def.com and y.abc.com, used in the example below, are protected by access policies with a form-login authentication scheme.

Here's the workflow:
1. The user accesses x.def.com. The user is redirected to oneid.abc.com, logs in and can access the resource.
2. The user accesses y.abc.com and can access the resource without logging in.
3. The user logs out from y.abc.com.
4. The user accesses x.def.com again. The user can access this resource without logging in.
5. The user accesses y.abc.com. The user is prompted to log in again.

Question:
In step 5, the user should be able to access y.abc.com without an additional login since MDSSO is in place. The justification is that the user is still logged in to def.com and, using the ObSSOCookie that has been set for the user in the def.com domain, MDSSO should be able to automatically log the user in again on y.abc.com. Perhaps what might explain the difference from the expected behaviour is that the primary cookie domain for y.abc.com and the domain of the primary authentication server are the same. If this is the case, could you please explain why the observed behavior is the result?

Thank you

Since you have put MDSSO in place, you will also have to find a way to log out across domains.
Step 3: since you logged out of abc.com, the ObSSOCookie for that domain is removed, but you still have the cookie in the def.com domain, so you are able to get in again on def.com. If the central domain had been completely different from the other domains, you would have gotten SSO even after logout.

It looks like you have a configuration where you will never be able to log out from def.com, because the cookie in the central domain will always be there until it times out.

Here's what you need to do...
- During logout, have logout for all domains configured
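The cookie flow described in the question and the answer above, as an added simulation that is not part of the original thread and not OAM code: a browser cookie jar keyed by cookie domain, one ObSSOCookie per WebGate domain, and a primary authentication server with its own cookie domain. The host-to-cookie-domain mapping, the user name and the cookie values are assumptions made for the illustration. Running it reproduces steps 1-5 (login, granted, granted, login), then runs the same steps with a logout that clears every domain, and with the primary authentication server placed on a separate domain, the case the answer says would keep SSO alive after an OOTB logout.

```python
"""Simulated MDSSO session flow for the WebGate / primary-authentication-server
layout in the post. Added illustration, not OAM code."""


def cookie_domain(host):
    # Assumed mapping: a WebGate sets its cookie on the registrable domain
    # (x.def.com -> .def.com, oneid.abc.com -> .abc.com), as in the post.
    return "." + ".".join(host.split(".")[-2:])


class Browser:
    def __init__(self):
        self.jar = {}                          # cookie domain -> ObSSOCookie value

    def cookie(self, host):
        return self.jar.get(cookie_domain(host))

    def set_cookie(self, host, value):
        self.jar[cookie_domain(host)] = value

    def logout(self, host, all_domains=False):
        # OOTB logout removes only the cookie of the site it was invoked on;
        # a multi-domain logout has to clear every domain's cookie.
        if all_domains:
            self.jar.clear()
        else:
            self.jar.pop(cookie_domain(host), None)


def access(browser, host, user, primary_host):
    """Return what the user experiences on a request: 'granted' or 'login'."""
    if browser.cookie(host):
        return "granted"                       # WebGate finds a valid ObSSOCookie
    # No cookie for this domain: Challenge Redirect sends the user to the
    # primary authentication server, which checks its own domain's cookie.
    token = browser.cookie(primary_host)
    if token is None:
        token = "ObSSOCookie-for-" + user       # form login happens here
        browser.set_cookie(primary_host, token)
        outcome = "login"
    else:
        outcome = "granted"                    # silent re-issue, no login prompt
    browser.set_cookie(host, token)            # cookie for the requesting domain
    return outcome


def run_scenario(primary_host="oneid.abc.com", all_domain_logout=False):
    """Steps 1-5 of the post; returns the outcome of each of the four accesses."""
    b = Browser()
    trace = [access(b, "x.def.com", "user1", primary_host),        # step 1
             access(b, "y.abc.com", "user1", primary_host)]        # step 2
    b.logout("y.abc.com", all_domains=all_domain_logout)           # step 3
    trace.append(access(b, "x.def.com", "user1", primary_host))    # step 4
    trace.append(access(b, "y.abc.com", "user1", primary_host))    # step 5
    return trace


if __name__ == "__main__":
    print("OOTB logout, primary on .abc.com:", run_scenario())
    print("logout for all domains:          ", run_scenario(all_domain_logout=True))
    print("primary on a separate domain:    ", run_scenario(primary_host="login.central.com"))
```

With the primary authentication server on .abc.com, the step 3 logout removes the very cookie the redirect in step 5 would have relied on, so a login prompt follows; a logout that clears all domains forces a fresh login in step 4 instead, and a primary server on its own domain survives the single-site logout.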

Tags: Fusion Middleware

Similar Questions

  • Multi-domain host-mode: Cisco phone on C2960 does not go into the VOICE domain

    Hello all

    I'm working on deploying dot1x across our company. I'm stuck on getting Cisco phones to go into the correct VLAN when the multi-domain host-mode option is used. I tried on two C2960 switches with two different images. No matter what I do, the phone goes into the DATA domain and cannot connect to the network, most likely because it is in the wrong VLAN. The port shows as authenticated in ISE and MAB works very well. When I set another host-mode, the phone gets the correct VLAN and can get onto the network.

    Here is what I use:

    • C2960S-48-i/s-L with C2960S-UNIVERSALK9-M, or C2960 with c2960-lanlitek9-tar.150-2.SE7
    • Cisco 7960 and 7962 phones
    • ISE 1.3.0.876

    Here is the current port configuration:

    interface GigabitEthernet1/0/1
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 703
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end

    Here is the output of show authentication sessions interface Gig1/0/1:

    MAC Address: 0013.1a58.xxxx
    IP Address: Unknown
    User-Name: 00-13-1A-xx-xx-xx
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: in
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: 5400s (local), Remaining: 5384s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: 0AF301450000000C001F3391
    Acct Session ID: 0x00000010
    Handle: 0x0400000D

    Thanks for your help.

    Looks like you're missing the device-traffic-class=voice attribute in your voice authorization profile.

  • MAB authentication fails on a multi-domain port: authentication result "server dead"

    Hi all

    First of all, I don't have much experience configuring Cisco switches (about half a year now), but I have read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and ran into something strange. Currently, only MAB is required by my employer.

    Switch = 3560G-48, IOS version 12.2(55)SE1

    RADIUS = FreeRADIUS (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected, and a laptop is plugged into the phone.

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    RADIUS response (for the full reply see the attached RADIUS-response.txt):

    Sending Access-Accept of id 98 to 10.1.1.207 port 1645
        Cisco-AVPair = "Tunnel-Type=VLAN"
        Cisco-AVPair = "Tunnel-Medium-Type=802"
        Cisco-AVPair = "Tunnel-Private-Group-ID=7"
        Cisco-AVPair = "Tunnel-Preference"

    So that is an Access-Accept with a data VLAN assignment.

    Debug on the switch:

    001776: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
    001777: *Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
    001779: *Mar 1 09:27:35.606: mab: initial state mab_initialize has enter
    001780: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Sent create new EAP context to MAB event for 0x2200000F (MACAddress)
    001781: *Mar 1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: *Mar 1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
    001783: *Mar 1 09:27:35.606: mab: during state mab_initialize, got event 1 (mabContinue)
    001784: *Mar 1 09:27:35.606: @ mab: mab_initialize -> mab_authorizing
    001785: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
    001786: *Mar 1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access Reject for 0x2200000F (MACAddress)
    001787: *Mar 1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: *Mar 1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
    001789: *Mar 1 09:27:35.622: mab: during state mab_authorizing, got event 5 (mabResult)
    001790: *Mar 1 09:27:35.622: @ mab: mab_authorizing -> mab_terminate
    001791: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Removed credentials profile for 0x2200000F (dot1x_mac_auth_MACAddress)
    001792: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMgr for MACAddress
    001793: *Mar 1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: *Mar 1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: *Mar 1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, but the switch treats it as an Access-Reject and marks RADIUS as dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, dynamic VLAN assignment can be achieved using the IETF RADIUS attributes as per this link:
    http://Tools.Cisco.com/Squish/d1791

    or using the cisco-av-pair as per this link:
    http://Tools.Cisco.com/Squish/8Bd61

    As for FreeRADIUS and cisco-av-pairs: could you please enable the following debugs on the switch and reproduce the problem with a client authentication attempt:
    debug radius
    debug authentication all
    debug authentication feature all

    After the client authentication event, also provide the following switch output:
    show authentication sessions interface

    I have run into problems with the cisco-av-pair case. For example, VLAN assignment works using the case-sensitive lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.

    When testing with 'tunnel-private-group-ID(#81)=vlanid', I get an error:

    RADIUS/DECODE: parse cisco unknown vsa 'tunnel-private-group-ID' - FAIL

    So from the 2nd link, with the changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the debug/show output above, which will shed light on the problem.

    Thank you
    Alex
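The two VLAN-assignment forms Alex links (IETF Tunnel-* attributes and cisco-av-pair strings), and the device-traffic-class=voice pair named in the reply to the first question above, decoded as an added example that is not part of either thread and not Cisco or FreeRADIUS code. The model walks the attribute TLVs of a RADIUS Access-Accept body, strips RFC 2868 tags, unpacks Cisco (vendor 9) VSAs, and derives the VLAN and the MDA domain; the three sample Access-Accept bodies are constructed in the block, with VLAN numbers borrowed from the posts. Matching the av-pair names exactly (lowercase) mirrors the "unknown vsa" failure Alex describes for tunnel-private-group-ID; how closely a given IOS release follows this logic is not something the thread shows.

```python
"""Decode the RADIUS Access-Accept attributes a switch uses to place an MDA
session in a VLAN and in the VOICE or DATA domain. Added model, not Cisco code."""
import struct

# RFC 2865 attribute types and RFC 2868 tunnel values used for VLAN assignment
VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
# cisco-av-pair names this model accepts; matched exactly, as the switch is case-sensitive
VLAN_AVPAIRS = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-id")


def parse_attributes(payload):
    """Yield (type, value) pairs from a RADIUS attribute list (type, length, value TLVs)."""
    i = 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen


def strip_tag(value):
    """RFC 2868 tagged attributes: a leading octet in 0x00..0x1F is a tag, not data."""
    return value[1:] if value and value[0] <= 0x1F else value


def cisco_avpairs(value):
    """Yield the cisco-avpair strings inside one Vendor-Specific attribute (vendor 9)."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        return
    i = 4
    while i < len(value):
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute at offset %d" % i)
        if vtype == CISCO_AVPAIR:
            yield value[i + 2:i + vlen].decode("ascii")
        i += vlen


def authorization(payload):
    """Derive the VLAN and MDA domain the model would apply from an Access-Accept body.

    Returns {"vlan": id or None, "domain": "DATA" or "VOICE", "unknown": [av-pairs]}.
    """
    ietf, vsa, unknown, domain = {}, {}, [], "DATA"
    for atype, value in parse_attributes(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            ietf[atype] = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            ietf[atype] = strip_tag(value).decode("ascii")
        elif atype == VENDOR_SPECIFIC:
            for pair in cisco_avpairs(value):
                key, _, val = pair.partition("=")
                key = key.split("(")[0]   # drop the "(#81)" annotation used in Cisco's docs
                if key == "device-traffic-class" and val == "voice":
                    domain = "VOICE"      # puts the session in the VOICE domain of an MDA port
                elif key in VLAN_AVPAIRS:
                    vsa[key] = val
                else:
                    unknown.append(pair)  # what the switch logs as an unknown vsa
    vlan = None
    if ietf.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and ietf.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802:
        vlan = ietf.get(TUNNEL_PRIVATE_GROUP_ID)
    elif vsa.get("tunnel-type", "").startswith("VLAN") and vsa.get("tunnel-medium-type", "").startswith("802"):
        vlan = vsa.get("tunnel-private-group-id")
    return {"vlan": vlan, "domain": domain, "unknown": unknown}


# Constructed sample Access-Accept bodies (not captured from the thread).
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def tagged_int(atype, number, tag=0):
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def cisco_vsa(*pairs):
    subs = b"".join(bytes([CISCO_AVPAIR, len(p) + 2]) + p.encode("ascii") for p in pairs)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + subs)


# IETF attributes (Alex's first link): data VLAN 7, the number in Chris's reply
IETF_ACCEPT = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
               + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
               + attr(TUNNEL_PRIVATE_GROUP_ID, b"7"))
# Lowercase cisco-av-pairs (Alex's second link) plus the voice-domain marker: voice VLAN 703
VSA_VOICE_ACCEPT = cisco_vsa("tunnel-type(#64)=VLAN(13)",
                             "tunnel-medium-type(#65)=802 media(6)",
                             "tunnel-private-group-id(#81)=703",
                             "device-traffic-class=voice")
# Same, with the capitalised "ID" that produced "parse cisco unknown vsa" for Alex
VSA_BAD_CASE_ACCEPT = cisco_vsa("tunnel-type(#64)=VLAN(13)",
                                "tunnel-medium-type(#65)=802 media(6)",
                                "tunnel-private-group-ID(#81)=7")

if __name__ == "__main__":
    for name, body in (("ietf", IETF_ACCEPT), ("vsa voice", VSA_VOICE_ACCEPT),
                       ("vsa bad case", VSA_BAD_CASE_ACCEPT)):
        print(name, authorization(body))
```

The first body yields data VLAN 7, the second voice VLAN 703 in the VOICE domain, and the third no VLAN at all with the miscased pair reported as unknown, which is the outcome to check for in the debug output Alex asks for.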

  • 802.1x multi-domain with multiple workstations

    Hello

    I successfully configured my switch for 802.1x with multi-domain host mode. The IP phone and the workstation are assigned to their respective VLANs. My problem is when I connect a separate hub to a switch port with several workstations connected to the hub. I can only get one MAC address onto the network. The rest are restricted from connecting.

    Is there a configuration I can apply to change the default behavior of allowing only a single MAC address per domain on the switch port?

    Thank you

    Well, you can use multiple-authentication mode.

    Multiple-authentication mode (multiauth) allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-host mode by requiring authentication of each connected client. For non-802.1x devices, you can use web authentication or MAC authentication bypass as the fallback method for individual host authentication, authenticating different hosts through different methods on a single port.

    Multiple-authentication mode is limited to eight authentications (hosts) per port.

    Multiple-authentication mode also supports the MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSA attributes received from the authentication server.

    VERY IMPORTANT: When a port is in multiple-authentication mode, all VLAN assignment features, including RADIUS server-supplied VLAN assignment, guest VLAN, inaccessible authentication bypass and authentication failed VLAN, do not activate.

    Here are the configuration commands:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • "Recall multi-function" behavior

    Hello Bernd,

    There are a few options for you. If you do not want your windows displayed in tabs, you can go to Options > Environment and then uncheck "Show workspace tabs". Otherwise, the first time you open a function panel and it is shown at full size, you can go to the Window menu and select "Release all FP windows". This will undock the function panel windows, and each newly opened function panel window will remain undocked. If you want to dock them, you can simply go back to the Window menu and select "Confine all FP windows".

    NickB
    National Instruments

  • Rollover behavior is not as it should be

    I have a rollover animation that uses a clip to reveal text. When previewed in the browser, it shows the mouseover state initially, and I have to roll over the button once for the behavior to be as expected.

    Here is an example with a symbol: mouseenter mouseleave.zip - Box

  • VMware Security Gateway - multi-domain?

    Hi all

    I use NAT for a client and I need to publish my Security Gateway with another URL. Is this feasible?

    And how do I do it? Can I add an additional line to the locked.properties file?

    Thank you very much

    David

    Do you mean the external URL? If yes, then no!

    Kind regards

    Christoph

    Don't forget to assign points if this answer was helpful for you.

    Blog:

    http://Communities.VMware.com/blogs/Dommermuth | http://www.thatsmyview.NET/

  • Is this multi-domain or cross-domain SSO?

    Hi all

    There are two servers in the intranet.

    Server1.test.NET
    Server2.test.com

    So we have the cookie domains test.net and test.com.

    Is this multi-domain SSO or cross-domain SSO?

    Thank you

    Edited by: 859875 on May 27, 2011 06:57

    Hello

    It's okay... people usually confuse these two. However, it's not their fault, as so many books and online references also put them in the same bucket. Just make sure you use the correct terminology in your own words.

    To your question: test.net and test.com would be an example of multi-domain SSO in most cases, for the quite obvious reason that, for most, both are in the same intranet.
    The choice is still flexible: if it isn't within the intranet, it is reckoned to be cross-domain (however, this case is quite rare).

    Once again, the multi-domain and cross-domain terminologies are about the logical concepts and are not fixed by examples. You could make your decision based on your example.

    Hope this helps,

  • Profile Manager - failed to install the remote management profile in a multi-network & multi-domain Active Directory environment

    Hi all

    I am an IT administrator for a college and I am trying to fix what seems to be the last hurdle in getting Profile Manager to work correctly.

    I have been working for a while now trying to get Profile Manager able to push device and user profiles to Macs in our network environment. I was able to get it working intermittently, but not often. Most of the time I'm unable to install the remote management profile.

    When trying to install the remote management profile, I get one of two errors.

    The first error is:

    Profile installation failed.

    The "Remote Management (com.apple.config.server.fqdn.mdm:GUID)" profile could not be installed because of an unexpected error <MDMResponseStatus:500>

    (Obviously server.fqdn and GUID are placeholders for their actual values)

    The second error is:

    Profile installation failed.

    Failed to contact the SCEP server at "http://server.fqdn:1640/CEP/".

    The server runs Mac OS X 10.11.4

    OS X Server is version 5.1

    Client Macs are mostly running 10.10.4

    Here's a quick rundown of the environment and the steps I have already taken to solve the problem.

    • The network is an Active Directory multi-domain environment with several networks. I mainly work with two different networks, each associated with one of the two domains.
    • The Mac server hosting Profile Manager is a Mac Pro. Both network cards are used, each on one of the two networks. The Mac server is joined to the domain in the primary forest.
    • I opened all the ports and IP ranges for the Apple Push Notification service for both networks on our firewall and tested between the two networks to ensure that APNs is accessible.
    • I created a static DNS entry for the server in the DNS zone for the main domain. I also have a separate DNS zone for the DNS record of the interface on the secondary network. I also confirmed that the Macs see the correct IP address of the Mac server for their network.
    • I tried changing the network access settings for Profile Manager. The first error seems to happen when Profile Manager is restricted to the network the Mac client is not connected to. This same error also occurs if I open Profile Manager access to "all networks".
    • I have experimented with the different certificate types. In general, I use the self-signed certificates that are generated automatically. In this scenario, I install the Trust profile first (which works seamlessly regardless of network or domain). I also tried using a code-signing certificate signed by our own CA to sign the remote management profile. The same errors occur no matter which certificates are used.
    • The second error occurs when Profile Manager access is limited to the same network the Mac client is connected to
    • I ran Wireshark captures on several client computers, as well as on the Mac server interfaces, and haven't seen any blocked or rejected traffic that seemed related to Profile Manager
    • I've deleted and rebuilt my OD master
    • I also scoured the Profile Manager logs for clues and haven't found much
    • In addition, I have also researched the problem and error codes/etc. widely and have not found a lot of useful information
    • I'm sure there are other troubleshooting steps I took as well, but I've been at this for a while and I don't remember every one.

    Here's the strange thing - I had it working for Macs on the main network and domain. However, I discovered that Macs on the secondary network and domain were unable to download the remote management profile. That is when I started changing the Profile Manager network access settings, which eventually introduced the problem on Macs connected to the primary network/domain. Changing the access settings back in Profile Manager does not restore functionality for the Macs that worked.

    Another odd thing in all this testing - Macs on the secondary network/domain would not install the remote management profile unless I temporarily moved them to the main network (I did not unbind/rebind them to the main domain). Then I could get the remote management profile to install, and pushing profiles worked. Even stranger, the Mac that I had to temporarily move from the secondary network to the main network to get the remote management profile to install still always works as long as Profile Manager access is restricted to the secondary network and "the Mac". However, Macs in the same room, on the same network, in the same domain, using the exact same image get the errors described above.

    The only thing I have not yet done is delete/rebuild Profile Manager. I would really like to avoid this if possible. Solutions that involve something like Casper or other AD integration software for Macs are also a non-starter.

    I'm happy to elaborate if necessary. I appreciate the help.

    Okay, I think I found the root cause.

    Before this discovery, I had completely rebuilt Profile Manager. Now I managed to push the remote management profile to Macs in both domains/networks. However, many of them still refuse to install the remote management profile.

    The Macs that encounter the problem were all imaged using NetRestore with an image captured from another similar iMac. The iMac that was used to build the image has now been reassigned as a test Mac. I found that when attempting to enroll one of the Macs that had received this image, it already shows as "enrolled" when you go to "My Devices" on my Mac server. I also noticed that they all have the serial number of the test Mac when viewing their enrollment. From among the problem Macs, I activated Device Lock from the "My Devices" page for the so-called problematic enrolled Mac (showing the serial number of the iMac used to create the image) and it locked the iMac used to create the image - not the problem Mac.

    This tells me that the CID (or Mac equivalent) is set to the CID of the Mac used to create the image on all of the Macs the image was deployed to. If it were a Windows box I would sysprep prior to deployment or could perform a rearm after the fact. I am unaware of how to perform similar functions in OS X.

    I have since tested on some Macs that do not have this image, and they are able to enroll and install the remote management profile successfully.

    If anyone has any suggestions on how to reset the CID (the computer ID) under OS X, I'd appreciate it. Thank you.

  • OAM 10.1.4.3.0 multi-domain SSO

    Hi all

    I currently need to know whether multi-domain SSO is supported in 10g as it is in 11g?

    I am working with a client who wishes to implement multi-domain SSO and I believe that this is supported in 10.1.4.3.0. My understanding is that the session token and ObSSOCookie will be created for each domain, so for example domain 1 would be .domain1.com and domain 2 would be .portal.domain2.com.

    I think it is based on a common cookie domain.

    My question is whether users authenticated to domain 1 would, once they access domain 2, have their SSO break and therefore be prompted to log back in, and the same the other way round.

    Thank you very much

    Yes, multi-domain SSO is possible.

    A single domain, domain1.com, would act as the authentication domain. This domain is responsible for authentication, also known as the login farm. Authentication requests from other domains (domain2.com, domain3.com) would come to domain1.com for authentication.

    I hope this helps.

    Regards

    Aakash

  • Remove a failed SSO site/server from vmdir (SSO 5.5)

    Hello

    Is there a way to delete a failed SSO server/instance from a multi-site deployment?

    Navigating the vmdir via JXplorer, I can find a failed server under:

    cn=VC03.DOM.local,ou=Domain Controllers,dc=vsphere,dc=local

    and a failed site here:

    cn=RZ2,cn=Sites,cn=Configuration,dc=vsphere,dc=local

    Any idea how to remove the failed server/site?

    Thank you

    Jens

    Please go through the attached SSO best practices document; the content on page 43 is related to your query.

  • vCenter SSO account does not see vCenter inventory

    Hi, I recently got an error on my VMware View deployment, which led me to the KB here:

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050369

    However, if I log in to my vSphere Web Client with my own credentials (domain administrator), I apparently do not have full administrator rights in the Web Client, because I don't see anything under "Sign-On and Discovery".

    If I log in with admin@System-Domain to the same URL, I don't see any inventory; it seems vCenter is not correctly connected or something. However, I am connected to the exact same URL https://myvcenterserver:9443/vsphere-client

    Any thoughts?

    *edit* sorry, forgot to mention it's vCenter version 5.1.0 880146. Thank you.

    Message edited by: Mike Crampton

    Sorry, I'm a bit confused.

    When you log in with the domain account, you see no SSO and Discovery, but you see the inventory?

    But when you log in with admin@System-Domain you see SSO and Discovery, but you do not see the inventory?

    It seems perfectly fine to me.

    The domain account is the administrator account which can see the inventory.

    The SSO administrator (admin@System-Domain) is the account that sees the Configuration under SSO and Discovery.

    Just checked in my environment. This is exactly how it should be.

  • SSO installation with reverse lookup failure

    We are preparing to upgrade our existing vSphere 5.0 environment to vSphere 5.1. I have tried a mock SSO Server installation and have also run the SSO pre-installation check script, and we discovered a problem in our environment. To explain the problem I need to provide some documentation on the DNS configuration in our environment.

    There are two DNS solutions in our environment, Corporate DNS (UNIX) and DDNS (Dynamic DNS - Active Directory). DDNS was deployed with the introduction of AD; before that, all systems used Corporate DNS. When DDNS was introduced, DNS services were not migrated; rather, DDNS is used only by AD and the Windows client/server environment. In addition, DDNS is not configured for reverse DNS resolution; all such requests are forwarded to Corporate DNS.

    As you may or may not know, one of the requirements for deploying SSO is to have reverse DNS lookup configured, and for each DC and the SSO server to have a properly configured PTR record (http://kb.vmware.com/kb/2033880). Since we don't use DDNS for reverse resolution, the PTR records are nonexistent. Therefore, the SSO installer throws a warning about the reverse DNS failure, and the pre-installation script displays "IP address name check" warnings for the SSO server and each domain controller in the domain.

    We are wondering if anyone else has encountered this problem, and if so what they did to solve it.

    Any help would be appreciated

    Hello

    You may find that the SSO setup performs a lookup on each interface on the server and therefore throws an error about a "backup" interface that may not have reverse DNS entries.

    If you are able to provide a manual reverse lookup for the IP address that you have on the same subnet as vCenter, you should be able to continue without a problem.

    Cheers,

  • SSO can survive a simple reboot... correction: may not survive a password change!

    I built a 5.1 development environment with some hosts and vCenter running on a Windows 2008 R2 virtual machine (on another cluster). I run all services, including SQL Express, on the virtual machine. After many fits and starts, I had a decently running vCenter service. Today, I had to restart vCenter because it was dog slow (thank you, Java!) and add some more memory.

    Now I'm unable to authenticate via the Web Client or the client. I restarted the SSO service ("thank you" for naming this service differently from ALL the other VMware services) per KB 2033137.

    The thick client error is: "A general system error occurred: Authorize Exception".

    The Web Client error is: The authentication server returned an unexpected error: ns0:RequestFailed: Unable to connect to the identity source. Possible reasons include the user name or password, connection refusal, connection timeout or inability to resolve the host name. The error can be caused by a malfunctioning identity source.

    Judging by the plethora of SSO threads on the forums, I'm going to go out on a limb and say this service "is not ready for primetime", and I'm sure glad that I don't have a production environment on 5.1 yet!

    I need the light bulb emoticon! So after almost 20 years in IT, I should know that when things break after changing a password, I should suspect that the creds are cached.

    So, I was able to log in to the Web Client as the SSO admin admin@System-Domain, go to Administration > SSO > Configuration and click on edit for the AD identity source, and my elevated domain account whose password I changed this morning is in that dialog box. I was told by VMware support on a ticket last month that these credentials were only used on the first connection to LDAP... how wrong they were. Looks like I need to use an account whose password does not change every 90 days! After putting my new password in this field, vCenter works very well with domain accounts. I don't think joining it to the domain would make a difference.

    SSO does indeed play a role in client connectivity.

    Ron

  • Issues communicating with a Windows domain controller

    I at first thought my user had a problem with Keychain and finally called Apple Tech Support. While on the line with Apple, we proved that it was not a Keychain issue, but rather a problem communicating with a Windows domain controller. The key elements are:

    * Multiple users and Macs are members of an Active Directory multi-domain forest

    * iMac is a 27-inch, mid-2011 w/ 8 GB RAM

    * OS X 10.11.2 (updated to 10.11.3)

    * Issue appears isolated to this iMac (currently). All other iMacs, MacBook Pros and Mac Pros are currently fine across several VLANs, and a MacBook connected to the iMac's network connection can communicate properly with the domain.

    * The iMac does not seem to contact any domain controller when logging in, but connects to network resources and domain controllers after login. Permissions and access to resources appear normal after login.

    * User(s) cannot change passwords for mobile accounts or log in with new mobile accounts, but cached accounts/passwords work very well.

    * The iMac uses Symantec Endpoint Protection for Mac (anti-virus) - REQUIRED BY POLICY. I can't change that. I have removed it for testing, but must put it back as soon as the test is completed. This policy is set at a level about five pay grades above me.

    * There isn't really any off-the-wall software installed on the computer. The full Adobe Creative Cloud subscription is loaded, but so it is on just about every other Mac I support.

    The steps that have taken place:

    (1) About a month ago, the user went to change his password, but it wouldn't let him change the password at the login window. We were able to change the password on the network and could use the new password to connect to Active Directory-controlled network resources. We can connect to network resources successfully with the new password after we log in locally with the old password.

    (2) We get the red ball (network resources are not available) at the login window. We are basically logging in with cached credentials.

    (3) If we try to change the password through System Preferences / Users & Groups / Change Password, we get the message that no domain controller is available.

    (4) Initially thought it was a Keychain issue, and we ended up calling Apple Support, since Keychain First Aid is no longer available in 10.11. The Apple advisor, while remoted in, showed that it was not a Keychain issue, because we could not change the password on the domain since the iMac was not communicating with a domain controller.

    (5) While on the phone with Apple, we reset SMC and NVRAM without success.

    (6) If you go to unbind the iMac from the domain, you get a message that the system cannot communicate with a domain controller.

    (7) Today, thinking that maybe there was a hardware problem with the Ethernet connection, I tried using the private WiFi network. It still would not communicate with a domain controller but, as when using the wired connection, it could connect to network resources. This happens regardless of the account attempted.

    (8) Used a MacBook on his network connection without any problem, so it is not the port or switch

    (9) Moved his iMac to another connection on a different VLAN. Same issue.

    I'm open to suggestions. I have two days to work on this, around the user's production schedule, before I'm off site for a week.

    10) Thinking that maybe it was something that happened with 10.11.2, upgraded to 10.11.3 today. No change.

    I don't want to try to wipe and reload his iMac in the hope that this clears up the issue.

    ANY SUGGESTIONS?

    A few additional tests.

    (1) Removed Symantec using Symantec CleanWipe, no change. It was reinstalled after additional tests and a reinstallation of the operating system.

    (2) Have been running reports, looking and searching, but nothing is really standing out as noticeable. The only problem seems to be an Adobe helper.

    (3) Booted from a USB thumb drive and had no problem with the thumb drive version, so this isn't somehow a hardware problem.

    4) Booted into the recovery partition and reinstalled El Capitan, in the hope that perhaps a driver or something in the protocol stacks had been corrupted and a reinstall would correct it. The reinstall has not corrected the problem.

    I'm really strongly leaning towards this being something in a plist or a configuration file somewhere that is corrupted, but I don't know where that would be right now. Will continue researching and testing. The last resort will be a wipe to bare metal and a clean install. I will not migrate the user's profile, but only his working files.
