Strategy of Kerberos WinServer2008r2 Active Directory group

Hi all

Need help bad in this. I'm trying to implement kerberos on my active directory. What I understand is kerberos is the default and the primary authentication protocol used when connected to a domain, but where and how do I configure kerberos settings in group policy? I managed to find configurations of kerberos in the "Local Group Policy Editor", but this would not push configurations to my clients right?

I want to disable NTLM authentication as well and once again I can found under local policies > security options, but they are all local policies right? Is it possible that I can disable NTLM on my active directory and ensure that these settings are applied to my both client computers?

Thank you so much in advance!
PS: Sorry if I got some of my facts wrong, I'm a student performs internship and my understanding in active directory is not as strong.

Server forums are more on the side the web site of Microsoft TechNet,
This is where you find people who know.

http://social.technet.Microsoft.com/forums/en-us/categories

Tags: Windows

Similar Questions

  • Administrator rights to the ACS using Active Directory groups

    Good afternoon

    We must be able to use administrative accounts for our device ACS who reside in an Active Directory group, if possible.  If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.

  • Active Directory groups can be put into service in the FDMEE places?

    Hi experts FeeDMEE:

    We are upgrading to HFM/FDMEE 11.1.2.4.    We would like to use only the Active Directory groups for our security in Shared Services.

    I did a lot of audit looking at whether we can use security location FDMEE ad groups.  So far, the only way I found to make the security location uses the native approach (settings / security settings / security location...) Security by location, click on keep usergroup to set up groups).    But it doesn't seem to be an option if you create groups such as native or ad groups (FDMEE them creates only natively).

    Does anyone know if it is possible in FDMEE to use security of the location ad groups?

    Thank you
    Mark Smith

    I discovered that it is more possible for FDMEE create Aboriginal groups for the security of the location.

    However, Active Directory groups can be added as members of indigenous groups.   In this way, users should only be added to Active Directory groups.    The only maintenance is to add or remove groups active directory to or from the indigenous groups of FDMEE.

  • Portal administrators from Active Directory groups

    I want to add additional users with the status of "admin", so that more people can use the "Admin Console". I want to do this using Active Directory groups.

    Can anyone say if this is possible and how?


    Maybe it's in the documentation, but I couldn't find it.

    For now, it is not possible to assign the Admin role to a group of users. However, you can promote individual users to the Administrator role. You can search for a user name and click on the user name to view the details of a user. On the left side, you will see a role (s) and the 'User' text is clickable. When you click on that text you will be able to change the role.

  • Firepower does not work when using the Active Directory group as a rule filter access control

    I am PoV of Cisco ASA with the power of fire with my client. I would like to integrate the power of fire to MS Active Directory. Everything seems to work properly.

    -Fire power user agent installation to complete successfully. Connection to AD work fine. The newspaper is GREEN.

    -J' created a Kingdom in FireSight and you can download users and groups from Active Directory.

    -J' created a politics of identity with passive authentication (using the field I created)

    -Can I use the AD account "user" as a filter in access control rule and it work very well.

    However, if I create the rule of access control with AD Group', the rule never get match. I'm sure that the user that I test is a member of the group. Connection event show the system to ignore this rule and the traffic is blocked by the default action below. It doesn't look like the firepower doesn't know that the user belongs to the group.

    I use

    -User agent firepower for Active Directory v2.3 build 10.

    -ASA 5515 software Version 9.5 (2)

    -Fire version 6.0.0 - 1005 power module

    -Firepower for VMWare Management Center

    Any suggestion would be appreciated. Thanks in advance.

    Hello

    You should check the download user under domain option. Download the users once belonging to a group is specified on the ad and then test the connection.

    Thank you

    Yogesh

  • separate authentication and authorization for Active directory groups

    Hi all

    After a long search and failure, I write the question.

    I use apex oracle 4.2 on windows server 2012 on oracle 12 c, all 64 bits.

    We have configured Microsoft Active directory with LDAP.

    in LDAP, we have a core group which is say A and an is down there students and the two groups.

    According to the staff, there are many other groups and students, there are a lot of groups.

    I created a mobile application, it has a main page that is publicly accessible without username and password.

    in this home page, I have a list that contains two elements, personnel and another is a student.

    When one of the list item, the login screen appears.

    now I want to control when the user clicks on the staff list, only personnel should be authenticated.

    If the end user is a student, it doesn't have to be authenticated.

    the same goes for the student list item, if the end-user click on list of students, only students must be authenticated.

    someone please guide me, I'm failed in research and testing.

    Thank you.

    Kind regards.

    Hi Maahjoor,

    Try this (it is written all the attributes for the user) by logging in to your schema to SQL Developer:

    DECLARE
    
      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      l_ldap_port    VARCHAR2(256) := '389';
      l_ldap_user    VARCHAR2(256) := 'cn=hct\itnew';
      l_ldap_passwd  VARCHAR2(256) := 'itnew';
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
    
      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;
    
    BEGIN
    
      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
    
      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);
    
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);
    
      -- Get all attributes
      l_attrs(1) := '*'; -- retrieve all attributes
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);
    
      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);
    
        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attibutes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;
    
      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
    
    END;
    /
    

    NOTE: The DN parameter on line 29 requires exact unique name for the user. In addition, on line 37 to filter, you can use username i.e. "cn = firstname.lastname."

    You can specify a specific attribute must be extracted from the user in order by changing line 33 of the:

    l_attrs(1) := '*';
    

    TO

    l_attrs(1) := 'title';
    

    Then you can write a function based on above the code to extract the attribute LDAP user as follows:

    create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
                                                          , p_password in varchar2
                                                          , p_attrname in varchar2 )
    return varchar2
    as
    
      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      l_ldap_port    VARCHAR2(256) := '389';
      l_ldap_user    VARCHAR2(256) := 'cn='||p_username;
      l_ldap_passwd  VARCHAR2(256) := p_password;
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
    
      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_attr_value   VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;
    
    BEGIN
    
      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
    
      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);
    
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);
    
      -- Get specific attributes
      l_attrs(1) := p_attrname;
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);
    
      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);
    
        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
              l_attr_value := l_vals(i);
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attibutes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;
    
      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
      DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);
    
      return l_attr_value;
    
    END fnc_get_ldap_user_attr_val;
    /
    

    Then create an Application AI_USER_AD_TITLE tell you item request-> shared components.

    Create following procedure to define the point of application on the connection of the user in your APEX application:

    create or replace procedure ldap_post_auth
    as
    
      l_attr_value varchar2(512):
    
    begin
    
      l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
                                                 , p_password => apex_util.get_session_state('P101_PASSWORD')
                                                 , p_attrname => 'title' );
    
      apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);
    
    end ldap_post_auth;
    

    Change the "name of procedure after authentication' in your 'ldap_post_auth' authentication scheme

    Then modify the process in charge on your homepage to your application of PORTALS to:

    begin
    
        if :AI_USER_AD_TITLE = 'Student' then
            apex_util.redirect_url(p_url=>'f?p=114:1');
        else
            apex_util.redirect_url(p_url=>'f?p=113:1');
        end if;
    
    end;
    

    I hope this helps!

    Kind regards

    Kiran

  • 6.0 ESXi host Active Directory Group authentication works in the hull but no client

    Got a weird here.

    Add 6.0 host vSphere to Active Directory.

    Added a group of pub with the Administrator role.

    I can authenticate with an AD user account that is a member of this group of ads, using SSH or Shell access.

    I cannot authenticate with an account AD who is a member of this group of ads using the Web UI or Client vSphere linking directly to the host.

    If I add the domain user directly with the role of administrator on the host computer permissions, the Web GUI and vSphere Client will be authenticate using the user of the AD.

    What it looks like access using SSH/Shell, vSphere host can burst of belonging to a group and to authenticate, but using the GUI Web or vSphere Client he can't.  There are not a lot of sense to me.

    The hostd.log file has nothing in it which is very informative, just a line saying "status: success accepted password for the user", followed by the event 131: could not connect the user without permission.

    Hello

    If you are in 6.0 Update 2? Then, this article could describe your problem:

    https://KB.VMware.com/kb/2145400

    Please try the fix and let us know if it helps.

    -Andreas

  • Cisco CX - Active Directory groups

    Hello

    I'm starting a Cisco CX deployment. Our company has more than 1 k users. I create access policies, but I'm a little stuck on a problem. I can creat policies using the username but not the ad groups, I see that there is the option, but it does not work (it does not retrieve ad groups).

    The interface wonder what follows:

    Groups

    Users

    Identity objects

    Anyone got it to work?

    Make sure that your ads of research base is fairly low in the tree to display groups.

    By example, if your basic search are Corp./City/users, but your groups report directly to Corp, she probably won't find and shoot groups.

  • Add the Active Directory group to the ESXi host permissions

    I am trying to add a group of ads as an administrator directly to an ESXi host (not in vCenter).  I tried to use the following code:

    $domain = "mydomain".

    $group = "mygroup".

    $svcaccount = $domain + "\" + $group

    $folder = get-file-name "ha-folder-root".

    $authMgr = get-View Manager

    $perm = new-Object VMware.Vim.Permission

    $perm.principal = $svcaccount

    $perm.propagate = $true

    $perm.group = $true

    $perm.roleid = ($authMgr.RoleList | where {$_.}) ({Name - eq "Admin"}). RoleId

    $authMgr.SetEntityPermissions (($folder |)) Get - View). MoRef, $perm)

    I get the following error:

    You can not call a method on a null value expression.

    $authMgr.SetEntityPermissions < < < < (($folder |)) Get - View). MoRef, $perm)

    When it is connected to ESX the Manager Id is "Manager-ha-authmgr" you may not use the shorter expression of Get-View:

    $authMgr = Get-View AuthorizationManager
    

    The safe way to get the Manager display is via ServiceInstance object:

    $si = Get-View ServiceInstance
    $authMgr = Get-View $si.Content.AuthorizationManager
    

    Kind regards

    Yasen Kalchev

    PowerCLI Dev Team

  • ACS authentication with Active Directory based on ad groups

    Hello

    I'm trying to integrate Cisco ACS 5.4.0.46 with AD and I connected successfully GBA to AD and I used as a successful AD authentication for network devices but my problem now is that anyone with an AD account can connect to network devices that compromises security. I created a group in AD that I would use and I added the group under users and identity stores > external identity stores > Active Directory > groups directory. I also chose source of identity for Default Device Admin as AD1 and under the authorization, an authorization policy that uses a compound condition that uses AD1 and the custom group. However after you have set all that I am still able to connect to the switch with a user not in the custom group. Based on what I have explained to you can someone tell me if Miss me a step?

    Thank you

    Derek Velez

    Thanks for the update and the fence wire. Set default default rules to deny access when user legimitate if does not match a rule set by the administration of the CSA he should get denied access. In your case, it has been updated a permit so that both type of users access (members and non-members of ad groups).

    The best way to resolve these issues is to look at the monitoring and troubleshooting > attempt user > magnifying glass. You will see how this user has been allowed access.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Multiple users Active Directory membership mapping group

    Hi all

    We got 4.2 ACS and two types of user access to our network:

    1_ we got some users in 'CiscoAdmins' Active Directory, corresponding group mapped Cisco ACS group is "switch Admins.

    2_ we also have some users in "VPN_Users' group Active Directory, corresponding mapped Cisco ACS group is"VPN_Users.

    In the "Command mapping" page on Cisco ACS 4.2, we put tte group 'CiscoAdmins' Active Directory mapping at the top "VPN_Users' Active Directory group mapping. So what happens is, if a user belongs to two "CiscoAdmins" and "VPN_Users" groups in Active Directory, users always goes in the "Switch_Admins" group in Cisco ACS.

    However for some users (who belong to two groups in Active Directory), we need to apply some IP allocation and specific authorization.

    The suggestiongs are welcome.

    Thanks in advance.

    Dumlu

    Yes, check ACS for belonging to the user group and it can determine if the user is a member of several groups and then map the corrosponding ACS group. Little additional material on the ACS group mapping

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html#wp940538#wp940538

    -

    Note: Please rate the answer if it helped

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles

    / * Style definitions * / table. MsoNormalTable {mso-style-name: "Table Normal" "; mso-knew-rowband-size: 0; mso-knew-colband-size: 0; mso-style - noshow:yes; mso-style-priority: 99; mso-style - qformat:yes; mso-style-parent:" ";" mso-padding-alt: 0 cm 0 cm 5.4pt 5.4pt; mso-para-margin: 0 cm; mso-para-margin-bottom: .0001pt; mso-pagination: widow-orphan; font-size: 11.0pt; font family: 'Calibri', 'sans-serif"; mso-ascii-font-family: Calibri; mso-ascii-theme-make: minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-make: minor-fareast; mso-hansi-font-family: Calibri; mso-hansi-theme-make: minor-latin ;}"}

    Hello

    I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)

    I create several groups within the Active Directory server, I try to give to users for their groups different access rights.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still refuse to get access, RSA authentication is successful, but the group membership, active directory does not work, even with the unix attributes or group principal defined for the user.

    My question is this valid configuration scenario? Is there another way to define several profiles according to the Group of users of external source?

    The stages of monitoring:

    Measures

    Request for access received RADIUS 11001

    11017 RADIUS creates a new session

    Assess Service selection strategy

    15004 Matched rule

    Access to Selected 15012 - NetOp/NetAdm service policy

    Evaluate the politics of identity

    15004 Matched rule

    15013 selected identity Store - server RSA

    24500 Authenticating user on the server's RSA SecurID.

    24501 a session is established with the server's RSA SecurID.

    24506 check successful operation code

    24505 user authentication succeeded.

    24553 user record has been cached

    24502 with RSA SecurID Server session is closed

    Authentication 22037 spent

    22023 proceed to the recovery of the attribute

    24628 user cache not enabled in the configuration of the RADIUS identity token store.

    Identity sequence 22016 completed an iteration of the IDStores

    Evaluate the strategy of group mapping

    15006 set default mapping rule

    Authorization of emergency policy assessment

    15042 no rule has been balanced

    Evaluation of authorization policy

    15006 set default mapping rule

    15016 selected the authorization - DenyAccess profile

    15039 selected authorization profile is DenyAccess

    11003 returned RADIUS Access-Reject

    Thank you

    Christophe

    I think you need to do is to create a sequence of identity with RSA as a selection in

    Authentication and recovery research list of attributes and AD in the additional attribute list recovery research. Then select this sequence as a result of the politics of identity for the service

  • ACS 5.1 using Active Directory to manage the strategy of network device Admin

    Hi guys, we have configured an ACS 5.1 and integrated with active directory Win2K3, we created two AD groups to manage devices network for administrators and one for operators (read-only), so we have configured a device admin strategy and the two groups work very well, but now we are facing a little problem any user that exists in the AD can connect (user exec mode) network devices and we want to cancel the connection with politics, but we do not know how.

    Is there a way to get a user authenticated against acs internal or external group, but at the user level, everything as you can make it to GBA 4.X?

    Thanks for your help!

    Best regards

    Oscar

    Yes, you can change that, it's a profile of shell by default. You must create a new one with privilege level "not in use" and select the new profile of the shell (no Directors or Operartors) under Default Device Admin > authorization profile > edit and make changes.

    I hope this helps.

  • Active Directory kerberos authentication ticket control

    Hello

    Customer asked if Active Directory cartridge has the ability to control errors in Kerberos authentication ticket? For example when the user has too many groups in his account AD and the Kerberos ticket is larger at all an ad.

    Thank you

    Hi Miska,

    A search in eDocs reveals that there is Directory Services Performance view of health that includes:

    Kerberos Authentications. This counter displays the rate at which clients are using a Kerberos ticket to authenticate to the DC.     Authentication Requests. This graph displays the number of times per second that clients use a Kerberos ticket to authenticate to the DC.
    

    These parameters are evaluated for the Rule of authentication Kerberos LDAP:

    Purpose This rule monitors the number of times per second that clients use a Kerberos ticket to authenticate to a DC. An upward trend may result in issues with LDAP-dependent services
    

    These references appear to be the closest thing "the ability to control the Kerberos authentication ticket errors."

    Kind regards

    Brian Wheeldon

  • Why used to address changes Proxy stick of group policy for all users in Active Directory?

    We re-installed the Customer Site Proxy on a BDC service, we published all the strategies of Active Directory for the new DC IP address group however for many users in Internet Explorer LAN settings always keep coming back to the old address when adding in group policy, any ideas of what we missed?

    Hi MikeButterworth,

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the TechNet forum.

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

Maybe you are looking for

  • El Cpaitan10.11.6 to Sierra 10.12 no-go

    I have the iMac 24 inch 2008 w / OS X El Capital 10.11.6.   my attempts on the app store to download macOS Sierra abend w / "macOS version 10.12 cannot be installed on this computer.  by pressing the button "more"... nothing.  What gives? everything

  • My profiles are now hidden from me?

    In previous versions, I've always been able to plug the name of one of my Internet service providers in the search box in Windows 7 and he would get me the directories where my emails have been hidden. Today vital for adding some e-mails that arrived

  • Pilot the easy multimedia keys for Windows 8 required

    Hello where can I find the driver for the easy multimedia keys for Windows 8 x 64. The On / OFF button will not work. I can't turn off the light.It worked on Windows Vista x32Bits. screenshot herehttp://I60.Tinypic.com/dgo56h.PNG Thank you in advance

  • The HP Deskjet 3050 printer unable to print border less has J11

    Original title: my printer is HP Deskjet 3050 a J11 I can't do Boarder less impression

  • ENVY - automatic update failures

    For the last week or plus-automatique updates to apply when stopping. Every morning, they are cancelled. I don't know what are updates, or the place to go to get them.