SPNego and Windows domain

Hi,
just to make sure: when the Windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users log on via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?
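The question turns on the difference between a Kerberos realm and the short domain name typed at logon. The helper below is an added example, not code from this thread; it assumes the Active Directory convention that the realm is the domain's DNS name in upper case (MYDOMAIN.COM), while the name used in DOMAIN\user logons is the separate pre-Windows 2000 (NetBIOS) name. It parses a principal string, builds the SPN in the AD form and reports where a hand-written principal departs from that form. Host and domain names are constructed for illustration.

```python
"""Kerberos principal helpers (added example, not from the thread).

Assumption: AD realm = DNS domain name in upper case; the NetBIOS name shown
in DOMAIN\\user logons is a separate attribute and not the realm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    service: str   # "host", "HTTP", ... or the user name for a user principal
    instance: str  # FQDN of the server, or "" for a user principal
    realm: str     # realm exactly as written (case preserved for checking)


def parse_principal(text: str) -> Principal:
    """Split 'service/instance@REALM' or 'name@REALM' into its parts."""
    if "@" not in text:
        raise ValueError(f"no realm in principal {text!r}")
    name, realm = text.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"malformed principal {text!r}")
    service, _, instance = name.partition("/")
    return Principal(service, instance, realm)


def build_service_principal(service: str, fqdn: str, dns_domain: str) -> str:
    """Build the SPN the way AD expects it: lower-case FQDN, upper-case DNS realm."""
    return f"{service}/{fqdn.lower()}@{dns_domain.upper()}"


def check_principal(p: Principal, dns_domain: str) -> list:
    """Return a list of problems; empty when the principal follows AD conventions."""
    problems = []
    expected_realm = dns_domain.upper()
    if p.realm != expected_realm:
        if "." not in p.realm:
            problems.append(
                f"realm {p.realm!r} has no dot: looks like the NetBIOS domain name, "
                f"expected the DNS realm {expected_realm!r}")
        elif p.realm.upper() == expected_realm:
            problems.append(
                f"realm {p.realm!r} must be upper case (realms are case-sensitive)")
        else:
            problems.append(
                f"realm {p.realm!r} does not match expected {expected_realm!r}")
    if p.instance:
        if p.instance != p.instance.lower():
            problems.append(f"instance {p.instance!r} should be the lower-case FQDN")
        # Heuristic: a member server's FQDN normally sits inside the domain's DNS zone.
        if not p.instance.lower().endswith("." + dns_domain.lower()):
            problems.append(
                f"instance {p.instance!r} is not inside DNS domain {dns_domain!r}")
    return problems


if __name__ == "__main__":
    guess = "host/j2eehost.mydomain.com@MYDOMAIN"   # the form asked about above
    for problem in check_principal(parse_principal(guess), "mydomain.com"):
        print("problem:", problem)
    print("expected:", build_service_principal("host", "j2eehost.mydomain.com", "mydomain.com"))
```

Run it with the principal you intend to pass to ktpass; a dotless realm is the usual sign that the NetBIOS name was used where the DNS realm belongs.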

Hi Yonko,
thanks again. Yes, I understand why you would assume that there would be a MYDOMAIN.COM domain, but there isn't as far as I know (a result of upgrades all the way back from NT4).
I actually forgot to write that the Windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDN of all servers (all domain members) is host.globalcompanyname.com.
Interestingly enough, we cannot log on using [email protected]
Nonetheless, I'll double check using TweakUI.
Cheers
Marcel

Similar Messages

  • LEAP and Windows domain logon

    I'm doing some tests with an Air 1200 and some 352 PC cards for one of our customers.
    With ACU ver. 4.25.23, I enabled LEAP authentication using the Windows user name and password.
    LEAP authentication is successful, while Windows domain logon is not.
    Not to mention that using a "normal" NIC the logon succeeds.
    Sniffing the packets that come out of the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
    However, after canceling the Windows domain logon I have normal connectivity with the entire network.
    Has someone experienced that? Any help will be greatly appreciated.
    Antonio Tassone

    Sure.
    My attempts to log on to a Windows domain using the same user/password for LEAP authentication and Windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client); indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry, but it's been some months ago).
    Looking at the RADIUS server log, I found an error like "xxxxx DLL rejected".
    Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
    Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
    I regret I can't be more precise.
    Regards.

  • Machine authentication by certificate and windows domain checking

    Hi,
    We intend to deploy machine's certificate authentication for wifi users.
    We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
    We intend to use EAP-TLS:
    - One CA server.
    - each machine (laptop) retrieves its own certificate from GPO or SMS
    - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
    - ACS version is the appliance one
    - one ACS remote agent installed on the A.D.
    - when a user intends to log on the wifi network :
    - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
    - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, certificate revocation list).
    Am I right about these previous points?
    And then my question is: is it possible to check that the machine is also included in the Windows domain?
    That is, is it possible for the ACS to retrieve the needed field (perhaps CN: certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi Prem,
    Thanks for these inputs.
    I've set the log details to full, performed other tests and retrieved the package.cab.
    I've started investigating the 2 log files you pointed.
    First, we can see that the requests reach the ACS, so that's a good point.
    Then, I'm not sure how to understand the messages.
    In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
    But I'm not sure this NAP problem is the root cause of my problem.
    And when no NAP is matched, then the default action should be accept.
    We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
    I don't know what CSDB is.
    I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
    I copy below an extract of the auth.log.
    I also attach parts of auth.log and RDS.log.
    Do you have any ideas or advice?
    Thanks in advance for your attention.
    Best Regards,
    Arnaud
    AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
    AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
    AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
    AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
    AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows domains, Domain A and B. ACS is configured on a member server in domain B and hence Windows authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS Appliances; rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess is that Remote Agents for Windows / Solaris work with Appliances alone.

  • Parallels Desktop and Windows Domain

    I've installed Parallels 3 onto my MacBook and am now using Windows XP Pro.
    I've tried to join my Windows OS to my domain on our Windows 2003 Server but the computer cannot find the domain. I think it's something to do with the network connection with the Mac preventing the outward connection.
    Anyone know how to use a Windows Domain through Parallels 3?
    Please help

    I would suggest changing the network settings in Parallels so that your virtual host is getting an IP address straight from your company's DHCP server.
    Don't use shared networking but bridged networking.

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I, as a Cisco customer, would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions, instead of referring us to a link.
    Thank you,
    John...

  • SPNEGO and Windows 2008

    Hello,
    We've had SPNego integrated authentication for Windows working with our EP for some time.
    Our company is moving to W2k8 domain and dc's (kdc's) for this question.
    When one of our kdc functional servers has been replaced, it appears that the SPNego authentication function has started to fail upon restart of the Java\EP system.
    Can anyone provide any info as to what might need to change for the continued use of the SPNego authentication against a W2k8 kdc?
    Upon pointing the java\ep system back to a w2k3 kdc the implementation continues to work. So it looks to be Windows version related.
    Appreciate any help. Not seeing much from SAP areas possibly related to this?
    Rick

    Hi,
    >the Windows 2008 R2 server does not support DES encryption by default. So you have to enable it manually
    This workaround works but is not secure: DES has been abandoned as the default because it has been compromised.
    The real solution is to use the new SAP SPNEGO/Kerberos implementation which is able to use RC4 or AES.
    If you cannot because of an insufficient release or SP level, you have to do what we had to do in my company: buy a third party product which is able to use RC4 even for Netweaver 7.0 J2EE.
    The security team has forbidden the use of DES in my company...
    Regards,
    Olivier

  • Android, Ipad authentication under windows domain environment

    I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.
    I have seen the iPad download the ISE certificate the very first time the device is connected to the SSID. On an Android device (Galaxy phone) I don't see the device download the certificate.
    Testing with the Android device I was able to install the root CA certificate (not an easy procedure); then when the SSID is configured in the device I have the option to choose the root CA certificate.
    Now if I don't include the certificate in the SSID configuration, the device is able to connect with an identity and password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials is not enabled before.
    How can I validate through the ISE that the Android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.
    I have read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?
    The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe it is right; I understand the EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?
    As the iPad and Android devices are not in the Windows domain, what should be expected when the password is expired? Customer policy indicates users must change domain passwords every four months. On a Windows PC users receive warnings some days before the expiration but it appears nothing happens on non-domain devices. A co-worker told me the easy way is that when this happens the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what would be a best practice workaround?
    I hope you can help me to clarify my doubts.
    Regards.
    Daniel Escalante

    For client provisioning for Android you can refer to these guides:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMware appliance with a view to replacing our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory; we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name: the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and stripping the realm information, but this was specific to the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    It seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
    Here is a Windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE and Two distinct Windows Domains

    All,
    I have a customer who wants to integrate ISE with two separate Windows Domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or disabling guest all together, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the radius token external identity store to talk to a Cisco ACS server attached to the other domain.
    Any help would be greatly appreciated
    Thanks
    Simon

    Here's the list of which methods are supported when using different kinds of user databases:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140

  • Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server

    In my environment we are trying to upgrade from Server 2k3 to 2k8; our testing was done on Server 2k3 to 2k8, but can we run domain controller Windows 2008 32 bit and additional domain controller on 2003 server? ...kindly suggest
    Nitin Gaurav
    [email protected]

    Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domain's functional level will remain as 2003 across both servers so at this stage you won't get any benefit from the new AD functionality available in 2008.
    Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into AD and upgrade the functionality levels yourself.

  • WAAS 4.1.15b and two windows domain

    Hi
    I have two data centers and two Windows domains (let's call them X and Y). In data center X I have two WAEs, CM and Core; in data center Y I have one configured as Edge and Core as well (people in data center Y have to access resources in domain X).
    In all remote offices WAEs are configured as Edge. All WAEs are added to domain X.
    All prepositions in domain X work fine.
    I have created a second CoreCluster for domain Y, added the WAE in data center Y as Core and one WAE in a remote office as Edge to this CoreCluster, but preposition doesn't work.
    On the Edge WAE, in the log /local1/logs/actona/RxLogging.log, I can find only this:
    [2010-03-25 14:35:58,765][ INFO] - Preposition ID  929205 started on \\serverY\testfolder\.
    [2010-03-25 14:39:59,303][ INFO] - Prpositioned files under \\serverY\testfolder\ (task 929205): File server disconnection - scanned 0 files, updated 0 files, 0 bytes 0 directories.
    [2010-03-25 14:39:59,323][ INFO] - Preposition ID  929205 failed, reason: Completed with error(0 files with errors).
    I can ping this serverY from this WAE.
    The question is:
    Is it possible to create a preposition for two Windows domains using this infrastructure?
    ps. I have to use legacy services.
    I hope that this is not so complicated
    Thanks in advance
    james

    James,
    Thanks for the log files.  In the Tx.internal.log file, there is the following entry:
    2010-04-15 12:08:28,952  WARN (actona.cifs.fsclient.FileSystemClient:1799) TP-1 -  Terminating caller due to disconnect: error=13caller=TYPE_START_SESSION [cookie=null]
    This message and error code means that the WAFS Core was unable to open a socket to the origin file server you are trying to preposition content from.  Can you please verify the following from the CLI of the WAAS device running the WAFS Core service:
    Verify name resolution - dns xchn.i.shadm
    Verify IP connectivity - ping xchn.i.shadm
    Verify TCP connectivity - telnet xchn.i.shadm 445
    Thanks,
    Zach
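Zach's three checks can be scripted for any file server the Core has to reach. The script below is an added example, not WAAS code or anything from this thread: it performs the name-resolution and TCP-445 steps from whatever host runs it and reports where the chain breaks. ICMP ping needs raw-socket privileges on most systems, so that step is left to the shell. The host names are placeholders.

```python
"""Reachability checklist for a CIFS origin file server (added example).

Assumptions: run from a host with the same DNS view and network path as the
WAFS Core; port 445 is the SMB port the Core needs; names are placeholders.
"""
import socket


def resolve(name: str) -> list:
    """Addresses the name resolves to; empty list when resolution fails."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(address: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to address:port completes within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, host/network unreachable
        return False


def check_file_server(name: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Run the checklist in order and say where it stopped."""
    result = {"name": name, "port": port, "addresses": [], "reachable": [], "verdict": ""}
    result["addresses"] = resolve(name)
    if not result["addresses"]:
        result["verdict"] = "name resolution failed"      # fix DNS on the Core first
        return result
    result["reachable"] = [a for a in result["addresses"] if tcp_reachable(a, port, timeout)]
    if not result["reachable"]:
        # Name resolves but nothing answers on 445: firewall, ACL or server-side SMB problem.
        result["verdict"] = f"resolves but no address accepts TCP {port}"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "fileserver.example.invalid"  # placeholder
    print(check_file_server(target))
```

A verdict of "resolves but no address accepts TCP 445" is the case Zach's error=13 points at: the socket to the origin server cannot be opened even though the name is known.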

  • Mac OS X 10.6 Setting up and Printing to Windows Domain Printers

    Hi Guys,
    I have a Windows Domain currently running here at work. I am running a print server on one of our Windows 2003 Servers.
    I have successfully joined 4 Mac Pro machines to the domain. They are all logging on to the domain and can access shares etc.
    My problem is that I wish to add the networked printers that appear on the domain print server to the Mac Pros.
    When I go to System Preferences > Print and Fax and click the + button, I see a list of all the printers that are exclusively installed on the Windows Print Server.
    Some are listed in the Add Printer window as Bonjour and some as Open Directory. The Bonjour items I can add fine; it's the Open Directory ones that are causing me problems.
    How can I add these printers to each machine without manually installing the drivers for each printer on each Mac? Why am I seeing some Bonjour listed printers and some that are not?
    Any help would be very much appreciated

    Some are listed in the Add Printer window as Bonjour and some as Open Directory. The Bonjour items I can add fine; it's the Open Directory ones that are causing me problems.
    How can I add these printers to each machine without manually installing the drivers for each printer on each Mac?
    The answer depends on what printer description language (PDL) these Windows shared printers support. If they are PostScript then it is possible that a PPD for the printer may already exist on the Mac and so all you need to do is select it from the Print Using menu. And if the PPD is not present then you can still select Generic PostScript. But the thing to note is that since you are sharing the queue from Windows, rather than connecting directly to the printer (as you are doing with the Bonjour printer), the Mac does not know what the printer is so you still need to manually select the correct printer on the Mac.
    If the printer is not PostScript and requires a proprietary printer language then you would have to manually install this driver on every Mac. And even with this driver installed on the Mac there is no guarantee that it will work via the Windows share. Many vendor drivers are written for direct communication to the network printer. Sticking a Windows queue in between stops the Mac driver from communicating with the printer and this in turn stops the Mac from printing. So if you can tell us what printer models you have then we can provide better information.
    Why am I seeing some Bonjour listed printers and some that are not?
    Not all network printers support Bonjour. Often only newer models of business printers support this protocol, while it is more prevalent in consumer printers. And what you are seeing is a multicast coming directly from the printer. So if you don't want the users to bypass your Windows print server and connect directly to these printers, then you may not want them broadcasting their presence.
    But the benefit of the printer using Bonjour is that it is able to communicate to the Mac what it is, and this helps with the Mac determining which printer driver to use, so as you have noted the setup for the Bonjour printer on the Mac is easy, because it helps with selecting the correct driver.
    Hope this helps with your questions. Please reply if you need more information

  • Windows 7 and Windows 2008 authentication failed in Windows 2003 Domain

    Hi,
    We have a domain with Windows 2003 and recently Windows 2008 domain controllers were also added.
    We are facing authentication failure for Windows 7 and Windows 2008 Domain members when user is trying to login.
    Schema Master is on Windows 2003 and remaining roles on Windows 2008 Domain controller.
    Windows XP clients login is working fine.
    The problem is for Windows 7 and Windows 2008 domain members' login.
    Any hint/solution will be really great help.
    Please share if you have any solutions.
    Regards:Mahesh

    Hi,
    I found some more details about issue
    Below are the events getting generated. It looks like it is due to an encryption mismatch between the Windows 2003 domain and the Windows 7 and Windows 2008 clients. However I am looking for a solution if someone has tested this case.
    Event Type: Error
    Event Source: KDC
    Event Category: None
    Event ID: 26
    Date: 08/06/2014
    Time: 9:41:04 AM
    User: N/A
    Computer: AAAAAA
    Description:
    While processing an AS request for target service krbtgt, the account ADDADA$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 17. The accounts available etypes were 23 -133 -128 3 -140.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 4
    Date: 08/06/2014
    Time: 9:34:17 AM
    User: N/A
    Computer: AAAAAA
    Description:
    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ADADDFHDHDH$. The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAINNAME.COM), and the client realm. Please contact your system administrator.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Regards:Mahesh
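Event ID 26 is the KDC saying that none of the encryption types the client asked for has a key stored on the account, which is the same etype question Olivier's reply about DES on Windows 2008 R2 raises further up. The script below is an added example, not from this thread: it pulls the "requested" and "available" lists out of the event text, names the IANA-registered encryption types (numbers from RFC 3961, RFC 4757 and RFC 8009) and marks the DES, 3DES and RC4 families that RFC 6649 and RFC 8429 deprecate. EVENT_26 is the event text from the post above with its placeholder account name kept; negative numbers are local-use values per RFC 3961, which is why they get no name.

```python
"""Triage helper for KDC Event ID 26 (added example, not from the thread).

Assumptions: the event description follows the wording quoted in the post;
etype numbers and names are the IANA registrations, negative values local-use.
"""
import re

ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
# DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated; treat them as weak.
WEAK_ETYPES = {1, 2, 3, 16, 23, 24}

# Event text from the post above, placeholder account name kept (constructed sample).
EVENT_26 = (
    "While processing an AS request for target service krbtgt, the account "
    "ADDADA$ did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 2). The requested etypes were 17.  The accounts\n"
    "available etypes were 23  -133  -128  3  -140."
)


def etype_name(etype: int) -> str:
    """Readable name for an etype number; negative numbers are local-use (RFC 3961)."""
    if etype < 0:
        return "local-use (negative, not IANA-registered)"
    return ETYPE_NAMES.get(etype, f"unregistered({etype})")


def parse_etype_lists(text: str) -> tuple:
    """Return (requested, available) etype lists from an Event 26 description."""
    def grab(label: str) -> list:
        match = re.search(label + r" etypes were\s+((?:-?\d+\s*)+)\.", text)
        if not match:
            raise ValueError(f"no '{label} etypes' list found in event text")
        return [int(tok) for tok in match.group(1).split()]
    return grab("requested"), grab("available")


def diagnose(requested: list, available: list) -> dict:
    """Compare the lists the way the KDC does: one common etype is enough for a ticket."""
    common = [e for e in requested if e in available]
    strong_available = [e for e in available if e in ETYPE_NAMES and e not in WEAK_ETYPES]
    return {
        "requested": {e: etype_name(e) for e in requested},
        "available": {e: etype_name(e) for e in available},
        "common": common,
        "mismatch": not common,                 # True is exactly the Event 26 condition
        "strong_available": strong_available,   # AES keys the account already holds
        "only_weak_keys": not strong_available, # account has DES/RC4/local-use keys only
    }


if __name__ == "__main__":
    req, avail = parse_etype_lists(EVENT_26)
    for key, value in diagnose(req, avail).items():
        print(f"{key}: {value}")
```

For the event quoted above the result is a mismatch with only weak keys available: the client asked for AES128 (17) and the account holds RC4 (23), DES (3) and local-use keys. Whether the fix is to give the account an AES key or to let the client fall back is a policy decision; the script only makes the two lists comparable.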

  • Windows Domain login and timer

    We are binding several Macs to the Windows domain here. That really hasn't been an issue; we used Centrify Express, and that went fine. Users can log into the domain no problem. All the Macs were built with a service account (UID svc-account) similar to an admin account on Windows. Any user can sit down at a Mac and if they enter good domain credentials they get logged in.
    But when a Mac is first powered on, and gets to the login screen, the svc-account is first presented, then after about 10 sec a little arrow appears. By clicking on the arrow, you can choose "other user" and log in with domain credentials. Is there a way to shorten this timer, or default to "other user", or default to any domain user account?
