Wednesday, April 13, 2011

Isolated Environment Issue

Original Article

Thanks ColorNila

When you try to configure SSO in MOSS, it may fail with an error like this one:


User CONTOSO\SSO failed to configure the single sign-on server. The error returned was 0x80070995. Verify this account has sufficient permissions and try again.

The message points at the permissions of the SSO service account contoso\SSO, huh? Here are the troubleshooting tips for the issue:

Variables:

Let us consider the following details (variables :) ) for this issue scenario:

Farm service account: contoso\SPSVC

SSO administrator account: contoso\SSO

FQDN name of the SharePoint server: MOSSBOX.contoso.com

Step 1: Confirm SSO accounts are set with correct permissions

As mentioned in Plan for single sign-on (http://technet.microsoft.com/en-us/library/cc262305(office.12).aspx#section4), make sure the SSO accounts are set with the correct permissions / privileges. This is one of the important steps in troubleshooting the issue.

Step 2: Confirm whether the name resolution works correctly

Let us find the domain information for the currently logged-on user using the command: set u

From command line, type: set u

The result may be something like this:

USERDNSDOMAIN=CONTOSO.COM
USERDOMAIN=CONTOSO
USERNAME=SPSVC
USERPROFILE=C:\Documents and Settings\SPSVC

Now let us find the domain controller that handled the logon using the command: set l

From command line, type: set l

The result may be something like this:

LOGONSERVER=\\DC1

At this stage, let us find out the PDC emulator role holder in the domain using the command: netdom

From command line, type: netdom query fsmo

The result may be something like this:

Schema owner                Box1.CONTOSO.com
Domain role owner           Box1.CONTOSO.com
PDC role                    DC1.CONTOSO.com
RID pool manager            Box3.CONTOSO.com
Infrastructure owner        Box3.CONTOSO.com
The command completed successfully.

According to the above output, the PDC emulator role is held by DC1.CONTOSO.com.

That said, let us use the command nltest, which uses DNS queries to resolve the PDC emulator in the same way that any application would resolve it.

From command line, type: nltest /dcname:contoso

You may get a result something like this:

NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound
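
The SSO error 0x80070995 and the nltest status 2453 0x995 are the same Win32 error code, which the following added example (not part of the original article) shows by decoding the HRESULT and comparing it with the captured command output. The function names are hypothetical, and the sample input is constructed from the output shown above.

```python
import re

# Constructed sample input, copied from the outputs shown in the article.
SSO_ERROR = "The error returned was 0x80070995."
NETDOM_OUTPUT = """\
Schema owner                Box1.CONTOSO.com
Domain role owner           Box1.CONTOSO.com
PDC role                    DC1.CONTOSO.com
RID pool manager            Box3.CONTOSO.com
Infrastructure owner        Box3.CONTOSO.com
The command completed successfully.
"""
NLTEST_OUTPUT = "NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound"

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, 11-bit facility, 16-bit code)."""
    return bool((value >> 31) & 1), (value >> 16) & 0x7FF, value & 0xFFFF


def parse_fsmo(text):
    """Map role label -> role holder from `netdom query fsmo` output."""
    roles = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s{2,}(\S+)$", line)
        if m:  # the trailing status line has no column gap and is skipped
            roles[m.group(1).strip()] = m.group(2)
    return roles


def parse_nltest_failure(text):
    """Return (decimal status, hex status, symbolic name), or None if absent."""
    m = re.search(r"Status = (\d+) (0x[0-9A-Fa-f]+) (\w+)", text)
    return (int(m.group(1)), int(m.group(2), 16), m.group(3)) if m else None


def diagnose(sso_error, netdom_text, nltest_text):
    """Check whether the SSO HRESULT and the nltest failure are one error."""
    hr = int(re.search(r"0x[0-9A-Fa-f]{8}", sso_error).group(0), 16)
    failed, facility, code = decode_hresult(hr)
    nl = parse_nltest_failure(nltest_text)
    pdc = parse_fsmo(netdom_text).get("PDC role")
    same_cause = (failed and facility == FACILITY_WIN32
                  and nl is not None and nl[0] == nl[1] == code)
    return {"win32_code": code, "nltest_name": nl[2] if nl else None,
            "pdc_holder": pdc, "same_cause": same_cause}
```

Calling diagnose(SSO_ERROR, NETDOM_OUTPUT, NLTEST_OUTPUT) reports Win32 code 2453 (NERR_DCNotFound) for both failures and DC1.CONTOSO.com as the PDC role holder that could not be located.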

**************************************************************

Original Article

Thanks Daniel Petri

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

  2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

  6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

  7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
