What have you tried?
Logged in to the Windows Server and tried all the commands in the command line; they worked fine.
Authentication method: Use Kerberos, give the correct IP and Realm in the parameter storage.
**But inside the Kerberos parameter setting, there are no fields for the username and password?**
Before using AD commands, I just had the PowerShell commands log to a file, and that works fine; as soon as I uncomment the AD commands, it gives errors. See the script and error:
This is the script:
param (
    [Parameter(Mandatory = $true)] [string]$STD_AD_DN,
    [Parameter(Mandatory = $true)] [string]$ThirdPartyID
)
$LogFile = "C:\Scripts\tmpLog.log"
$LogDir = Split-Path $LogFile
# Create the log directory if it does not exist yet
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
}
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$LogEntry = "$Timestamp | STD_AD_DN: $STD_AD_DN | ThirdPartyID: $ThirdPartyID"
# Write to log
Add-Content -Path $LogFile -Value $LogEntry
# Assign new UPN with $ThirdPartyID + @my.bcit.biz
$newUPN = $ThirdPartyID + "@my.bcit.biz"
Import-Module ActiveDirectory
Get-ADUser $STD_AD_DN -Server 142.232.177.199 | Out-File $LogFile -Append
#Set-ADUser -Identity $STD_AD_DN -UserPrincipalName $newUPN -Server dc1.bcit.biz
What errors did you face (share screenshots)?
Share the details of your efforts (code / search query, workflow json etc.)?
What is the result you are getting and what were you expecting?
I would like that when a student's name changes and the Banner 3rd party ID changes, the UPN changes automatically.
Refer below document :
kerberos - Caching TGT from browser/other krb5 client - Stack Overflow
Let me know if it helps.
Are you using Parameter Storage for Authentication?
Yes, I am using Parameter Storage for Authentication.
What is the username format being used? It should be only username without domain (<username> instead of domain/<username>)
Username is not required to be in the format <domain or realm name>/<username>, it should only be in this format <username>.
Can you try with just identity_iq_svc instead of bcit.biz\identity_iq_svc?
Hello,
In my parameter storage I just put the username without the domain!
Please, try to remove the Domain from parameter storage and see if the error changes!
This time I only use <username> without domain, still get this error:
{"result":null,"warnings":null,"error":{"detailCode":"500.1 Downstream Error","message":{"locale":"en-US","localeOrigin":"DEFAULT","text":"Unhandled Error: Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.: ResourceUnavailable: ( CN=S00353226,OU=IDMUSERS,DC=BCIT,DC=BIZ:ADUser) [Get-ADUser], ADServerDownException"}}}
You know our ISC connects to Linux Server -> Windows Server, do I have to do something with the Linux Server? I am not so familiar with the Linux setting for this case. I run my script directly from the Windows Server command line and it works fine. But through the workflow it doesn't work.
Thanks,
Susan
It's a different error this time. It looks like it's authenticating but errors out while executing AD commands.
I see the script includes -Server <IP address>. Could you try removing that parameter, since the Kerberos details are already being passed from the workflow?
Also, what is the Linux server in between? Can you confirm whether you are specifying the Windows server's IP address or hostname in the Connection Address field?
Oh, my gosh, thanks a lot, it works!!!
There were three issues:
- username was <domain>/<username>, should be <username> only.
- My PowerShell script used:
get-aduser $STD_AD_DN -server "xx xx xx xx" | Out-File $LogFile -Append
The highlighted part (-server "xx xx xx xx") should be removed.
- The Windows Server should use Kerberos instead of NTLM for the authentication type.
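The script with the thread's script-side fix applied (no -Server parameter, so the Kerberos context passed from the workflow chooses the domain controller) and the UPN change enabled, as an added example rather than the poster's own code. The log path and the @my.bcit.biz suffix come from the thread; the allowed-character pattern for ThirdPartyID and the Write-Log helper are assumptions.

```powershell
param (
    [Parameter(Mandatory = $true)] [string]$STD_AD_DN,
    [Parameter(Mandatory = $true)] [string]$ThirdPartyID
)

# Log path and UPN suffix are the ones used in the thread.
$LogFile   = "C:\Scripts\tmpLog.log"
$UpnSuffix = "@my.bcit.biz"

function Write-Log([string]$Message) {
    $LogDir = Split-Path $LogFile
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }
    Add-Content -Path $LogFile -Value ("{0} | {1}" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $Message)
}

Write-Log "Request: STD_AD_DN=$STD_AD_DN ThirdPartyID=$ThirdPartyID"

# The value arrives from the workflow; only accept characters a UPN prefix can carry
# (assumed pattern, adjust to the real Banner ID format).
if ($ThirdPartyID -notmatch '^[A-Za-z0-9._-]+$') {
    Write-Log "Rejected: ThirdPartyID contains characters not allowed in a UPN prefix"
    throw "Invalid ThirdPartyID"
}
$NewUPN = $ThirdPartyID + $UpnSuffix

Import-Module ActiveDirectory
try {
    # No -Server here: the workflow's Kerberos ticket selects the domain controller.
    $User = Get-ADUser -Identity $STD_AD_DN -Properties UserPrincipalName -ErrorAction Stop
    if ($User.UserPrincipalName -eq $NewUPN) {
        Write-Log "No change: $($User.SamAccountName) already has UPN $NewUPN"
        return
    }
    Set-ADUser -Identity $User -UserPrincipalName $NewUPN -ErrorAction Stop
    Write-Log "Updated: $($User.SamAccountName) UPN $($User.UserPrincipalName) -> $NewUPN"
}
catch {
    # ADServerDownException and similar failures land here and are recorded before re-throwing
    Write-Log "Failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    throw
}
```

Running it with the parameters the workflow passes records the request, the outcome, and any AD error in C:\Scripts\tmpLog.log, which is the first place to look when the workflow reports a downstream error.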