802.1X failure on win 7 non-domain clients
Hello,
I have a WLC 2504 (code 7.0.235) installed and two AP 3502s (local mode).
The RADIUS server is an IAS running on my AD server.
I had a home AP before the Cisco solution, using the same RADIUS server, and everything was OK.
After the migration, Windows 7 domain clients and Apple devices connect without issue. However, when I try to connect non-domain Windows 7 clients to the wireless network (802.1X), I get a failure. Apple devices outside the domain can connect: the certificate pop-up appears and the connection proceeds.
I checked the certificates and everything looks OK to me. I removed a Windows 7 client from the domain and tested it too, and got the same error. Certificates are installed on the Windows 7 clients.
Could the Cisco controller be interfering in this authentication process?
Can someone point me in the right direction?
Thanks,
Eder
The WLC is configured for 802.1X; it's the IAS you need to look at, to see if it's set up to use EAP-TLS, which requires a certificate on the client side. You also have to see whether your policy is for machine authentication or not. Take a look at the failure logs in IAS, as they will give you a better understanding of what is happening.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered".
Similar Messages
-
App-V 5 over https for non-domain clients
Hello, Is this scenario possible?
Hi,
Here's how I have it set up in my lab. Your mileage may vary, but hopefully this should give you all the different components of how I managed to get it to work, and allow you to try something similar.
Firstly, my publishing server is: HTTPS://CSC-APPV5.CSC.local:8016
I have an application published through the app-v console, with the package URL configured to be:
HTTPS://CSC-APPV5.CSC.local/APPVSHARE/Notepadplusplusx86/notepadplusplusx86.appv
This is published to the AD group CSC.local\notepadplusplus, of which the user CSC.local\appvuser is a member of.
On my Windows 8 non-domain-joined computer, press Start, type "credential manager", and click on this option under Settings.
Click on "Windows Credentials", then click "Add a Windows credential".
It will ask you for the Internet or network address. Based on the information I stated earlier, I entered the address: CSC-APPV5.CSC.local
For user name, I entered: CSC.local\appvuser
And lastly, for password, I entered the current valid credentials for this user.
To test this, I then browsed to the publishing server mentioned above, but found that it still prompted me for a password (but remembered the user ID I had specified), and that the App-V client would not sync through PowerShell.
I then added http://csc-appv5.csc.local to this device's Local intranet zone (I'm sure you can avoid this step by adjusting various settings; this was just the first quick test I performed).
Browsing to the publishing server address now no longer prompted for a username/password, correctly showing the application published to this user. I then performed a restart (unlikely to be required, but I just wanted to have a clean run from a user perspective),
and straight away there was my shortcut to the App-V application, and running it resulted in the normal streaming you would expect.
The one thing I will add is that I was very particular about fully qualifying everything, to eliminate this as a potential issue, and that would be one of the first places I would start if you are attempting to troubleshoot why you were not able to get this to work. -
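The procedure above as a script run on the non-domain client (PowerShell 3.0 or later). This is an added example, not code from the thread: it stores the domain credential for the publishing server, puts the host into the Local intranet zone so Windows sends that credential without prompting, then registers the server with the App-V client and syncs. Server and user names are the ones the post used; the publishing server friendly name "CSC-APPV5" is an assumption.

```powershell
# Added example, not from the thread. Run on the non-domain client as the user who will
# launch the App-V applications (the credential and the zone entry are both per-user).
$Server    = 'CSC-APPV5.CSC.local'
$User      = 'CSC.local\appvuser'
$PubUrl    = "https://${Server}:8016"
$ZoneHost  = 'csc-appv5'      # host label and domain part of $Server, the way ZoneMap splits them
$ZoneDom   = 'csc.local'

# 1. Windows credential for the server (what the Credential Manager UI did). /pass with no
#    value makes cmdkey prompt, so the password never lands in the command line or history.
& cmdkey "/add:$Server" "/user:$User" /pass

# 2. Local intranet is zone 1. The per-user ZoneMap is keyed by domain, then host label, with
#    one DWORD per scheme; set both so the http and the https URL land in the same zone.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$ZoneDom\$ZoneHost"
New-Item -Path $zoneKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $zoneKey -Name $scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

# 3. Publishing server registration (friendly name assumed), sync, then what the client got
Import-Module AppvClient
if (-not (Get-AppvPublishingServer | Where-Object { $_.URL -eq $PubUrl })) {
    Add-AppvPublishingServer -Name 'CSC-APPV5' -URL $PubUrl | Out-Null
}
Get-AppvPublishingServer | Where-Object { $_.URL -eq $PubUrl } | Sync-AppvPublishingServer
Get-AppvClientPackage -All | Select-Object Name, Version, IsPublishedToUser, IsPublishedGlobally
```

Two caveats a practitioner would want: the stored credential is a domain password sitting on an unmanaged machine, and it has to be updated by hand when that password rotates or the sync starts failing silently; and the zone entry makes the browser send the user's Windows credentials to anything answering at that host name, so scope it to the exact host as above rather than the whole domain.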
Windows Domain Controller certificate for non domain clients
Hi,
Is it possible to export the Windows domain certificate and use it for non-domain computers without joining the domain, so that they can communicate with each other without joining the domain controller?
Regards
Hi,
Not sure what you want to achieve here.
However, yes, it is possible to export certificates (with private keys) from domain machines and then import them to non-domain machines, and some certificates can even function well based on their key usages. Please note that Domain Controller certificates are only meaningful to Domain Controllers. Possession of domain certificates doesn't indicate that machines are part of the domain.
Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
I am not sure if this is the right forum for this. I have some non-domain devices that are coming into my network via VPN (VPN client). Can someone tell me how to deny these non-domain devices coming into my network? Is there a configuration in the VPN concentrator to deny non-domain computers? Please advise.
Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
IPsec is a two-phase VPN security provider. IPsec along with IKE provides two levels of security.
With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key, etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either the IP address or the host name, and it will contact an AAA server or its own database for validating the user.
If you are using an external server for validating the incoming users, you must go for an external AAA server.
For complete details of deploying VPN with IPsec:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493 -
Hi,
We have successfully configured Network Policy Server on Windows Server 2012 and all wireless clients can connect to our network except Windows 7 and XP non-domain clients. The clients that are successfully authenticated include Windows 8 and mobile users (Android + iOS), domain as well as non-domain clients. If we join a Windows 7 PC to the domain it successfully connects, but non-domain clients cannot connect. We have a large number of Windows 7 users that have their own laptop machines and we don't want each laptop to join the domain.
On the server, event 6273 is generated with reason code 265, "The certificate chain was issued by an authority that is not trusted". Please help me resolve this issue. I have searched on the internet but found no proper solution.
Hi,
According to the error message, it seems that you used certificate-based authentication methods and the non-domain computers have no trusted root certificate for the CA that issued the certificate to the NPS.
For more detailed information, please refer to the links below:
Certificates and NPS
Manage Trusted Root Certificates
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
PEAP authentication for domain & non-domain computers
Hello Everyone,
Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently part of the security group attached to the wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer, which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1X EAP authentication to NPS running on Windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch, so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
"AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a 3rd-party SSL certificate installed on the NPS server.
Taking it one step further: we have a second SSID for guest users that is configured with the same setup, except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a VBScript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network, and I'm starting to think the machine authentication is a problem.
Any suggestions would be greatly appreciated.
Thanks,
Ali.
Hi Ali,
That's all part of the wonderful world of wireless on Windows.
When a connection to a WLAN is made on a Windows machine by selecting it from the available wireless networks list (passive RF scan), and Windows has parsed the 802.11 AP beacon to contain the WPA2 802.1X element, by default it will attempt to connect with known or active session credentials.
Typically it will be the machine account (they all have them, whether on a domain or not) and then/or the user. This order and preference may change depending on the version of Windows (Vista to Windows 8) and service pack level.
Regardless, the only thing you can count on for sure is that the first authentication attempt from a Windows client will not involve the user entering information. Once the first attempt fails, the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may not be noticed by the user, and may or may not stay for more than 5 seconds.
Windows XP and Vista were the worst for this. In Windows 7 and Windows 8 this process, and the recovery and user prompt mechanism, is greatly improved but not infallible.
The only way to avoid this would be to manually configure the WLAN profile on the Windows machine as you are currently doing.
Mobile phones and tablets don't have this issue because of the software coding in their supplicants. Besides, the only "system" credentials on an iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won't be accepted for network access by default anywhere.
There isn't an easy way to support non-domain Windows systems on a domain-integrated one.
You might want to try adding another SSID.
You could have a corporate SSID, a Guest Portal, and a third that is PSK + Guest Portal. On NPS you could filter on the RADIUS attribute Called-Station-Id (which includes the SSID) to allow all domain IDs access instead of just that WLAN.
Or you could look at swapping out NPS for a Cisco ISE VM/appliance with the new Plus licenses, at lower cost for onboarding devices, and Windows XP and up are supported for supplicant configuration via ISE. -
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check:
ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I have no access to ldap:/// and the process fails although all the other links are OK.
My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate, again on an internally and externally accessible, highly available Web cluster, and one for the OCSP service, also on an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
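An added example for this thread (PowerShell 3.0 or later, not code from either poster): it lists the CDP and AIA URLs in a certificate by scheme, marking the ldap:/// and file:// ones that are fetched with the caller's Windows identity, then builds the chain with online revocation checking the way certutil -verify -urlfetch does and reports the chain status flags, including whether the root is untrusted. Run it twice, as the domain user and as the local account, to see the difference the thread describes. The only assumption is that -Path is the .cer file that was passed to certutil above.

```powershell
# Added example, not from the thread. Usage: .\Check-Cdp.ps1 -Path .\filename.cer
param([Parameter(Mandatory = $true)][string]$Path)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# OIDs of the two extensions certutil walks
$ExtNames = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

function Get-ExtensionUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if (-not $ExtNames.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) returns the multi-line text certutil prints, one "URL=..." per location
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $url    = $m.Groups[1].Value
            $scheme = ($url -split ':', 2)[0].ToLower()
            [pscustomobject]@{
                Extension        = $ExtNames[$ext.Oid.Value]
                Scheme           = $scheme
                # ldap:/// and file:// are retrieved with the caller's Windows identity; a local
                # account or an external client has no credentials for them. http:// is anonymous.
                NeedsWindowsAuth = ($scheme -eq 'ldap' -or $scheme -eq 'file')
                Url              = $url
            }
        }
    }
}

function Test-Revocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($Certificate)
    # ChainStatus carries the same flags certutil prints as dwErrorStatus
    # (RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, ...)
    $flags  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $status = 'NoError'
    if ($flags.Count -gt 0) { $status = $flags -join ', ' }
    [pscustomobject]@{
        Built         = $built
        Status        = $status
        UntrustedRoot = ($flags -contains 'UntrustedRoot')
        Chain         = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
    }
}

Get-ExtensionUrls -Certificate $cert | Sort-Object Extension, NeedsWindowsAuth | Format-Table -AutoSize
Test-Revocation -Certificate $cert | Format-List
```

In the posted run the leaf's first CDP and AIA entries are the ldap:/// ones, so the 0x8007052e logon failures there are expected for a local account; the chain builder then falls through to the file:// and http:// copies, which is why the base CRLs still verify. UntrustedRoot comes out true only if the root is genuinely absent from the machine's Trusted Root store for the context the script runs in, which is the quickest way to confirm or rule out the second point raised above.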
Scom monitoring non domain computers
Hello experts,
I have SCOM 2012 and want to monitor non-domain computers (servers in the DMZ).
I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
Now I have a connection between the two servers, but there is an authentication error.
Here are the logs.
Please help.
log from dmz computer
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 29/09/2014 10:54:51
Event ID: 20071
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SRV-AB-WWW1.somebank.am
Description:
The OpsMgr Connector connected to scom.somebank.am, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Event Xml:
<Event xmlns="">
<System>
<Provider Name="OpsMgr Connector" />
<EventID Qualifiers="49152">20071</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
<EventRecordID>2163</EventRecordID>
<Channel>Operations Manager</Channel>
<Computer>SRV-AB-WWW1.somebank.am</Computer>
<Security />
</System>
<EventData>
<Data>scom.somebank.am</Data>
</EventData>
</Event>
scom rms computer
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 29/09/2014 11:18:57
Event ID: 21010
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SRV-SCOM1.somebank.local
Description:
The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Event Xml:
<Event xmlns="">
<System>
<Provider Name="OpsMgr Connector" />
<EventID Qualifiers="49152">21010</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
<EventRecordID>1269145</EventRecordID>
<Channel>Operations Manager</Channel>
<Computer>SRV-SCOM1.somebank.local</Computer>
<Security />
</System>
<EventData>
<Data>192.168.169.40:53552</Data>
</EventData>
</Event>
Telnet to port 5723 from the DMZ server to the SCOM RMS server is OK.
PS C:\Users\administrator.AMERIABANK> C:\Users\administrator.AMERIABANK\Desktop\1.ps1
This script will inspect Local Machine certificate
store and registry settings. This will take several seconds...
Script will check certificates to match the following requirements:
Subject equals computer FQDN
Certificate is time valid
Certificate has private key and it supposed for computer certificate
KeySpec is set to 1
Certificate Application Policies (in former EKU) contains both Server and Client Authentication
WARNING: OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in
WARNING: LocalComputer store or not match all certificate requirements.
To resolve this issue, obtain new certificate from trusted Certification Authority
using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
and install it by running the following command: MOMCertImport /Subject SRV-SCOM1.ameriabank.local -
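An added example, not the script whose output is shown above and not from the thread: it tests every certificate in LocalMachine\My against the requirements that output lists (subject equals the FQDN, time valid, private key in the machine store, KeySpec 1, EKU with both Server and Client Authentication), then compares the result with the serial number the agent was configured to use, which is what produces event 21010 on the management server when the configured certificate is not actually in the store. PowerShell 3.0 or later. Assumed: the FQDN defaults to this machine's own, and the configured serial is read from ChannelCertificateSerialNumber under the Operations Manager Machine Settings key, which MOMCertImport writes in reversed byte order.

```powershell
# Added example, not from the thread. Run elevated on the server or agent being checked.
param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$ServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$MomKey     = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'   # assumed location

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $now = Get-Date
    # Subject must be exactly CN=<FQDN>; pull the CN value out of the DN
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $machineStore = $false; $keySpecOk = $false
    if ($Cert.HasPrivateKey) {
        try {
            # Only CSP keys expose CspKeyContainerInfo; KeyNumber Exchange == AT_KEYEXCHANGE == KeySpec 1
            $info = ([System.Security.Cryptography.RSACryptoServiceProvider]$Cert.PrivateKey).CspKeyContainerInfo
            $machineStore = $info.MachineKeyStore
            $keySpecOk    = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
        } catch { }   # CNG key or no access to the key: either way the KeySpec requirement fails
    }
    $eku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $checks = [ordered]@{
        Thumbprint         = $Cert.Thumbprint
        SubjectIsFqdn      = ($cn -ieq $Fqdn)
        TimeValid          = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        HasPrivateKey      = $Cert.HasPrivateKey
        MachineKeyStore    = $machineStore
        KeySpecIs1         = $keySpecOk
        EkuServerAndClient = ($oids -contains $ServerAuth -and $oids -contains $ClientAuth)
    }
    $checks['AllPassed'] = -not (@($checks.Values | Where-Object { $_ -is [bool] }) -contains $false)
    [pscustomobject]$checks
}

function Get-ConfiguredSerial {
    # Serial number the agent was told to use, in the form the certificate store displays it
    $bytes = (Get-ItemProperty -Path $MomKey -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $null }
    [array]::Reverse($bytes)
    (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate -Cert $_ -Fqdn $Fqdn })
$results | Format-Table -AutoSize

$serial = Get-ConfiguredSerial
if ($serial) {
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -ieq $serial }
    if ($match) { "Agent is configured for serial $serial (thumbprint $($match.Thumbprint))" }
    else        { "Agent is configured for serial $serial but no such certificate is in LocalMachine\My" }
} else { 'Agent has no certificate configured (MOMCertImport has not been run on this machine)' }
```

Both sides need a passing certificate: the DMZ agent's 20071 says the channel was closed before authentication, and the management server's 21010 says it has nothing to present for mutual authentication, so run this on SRV-SCOM1 as well as the DMZ host and re-run MOMCertImport wherever AllPassed is false or the configured serial does not match a certificate in the store.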
Non Domain Computers Becoming Master Browser
Hello,
I am troubleshooting an issue with the master browser service when an external user connects his workgroup laptop to our domain network and wins the election.
The network consists of a domain controller which has the following registry settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster = True
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList = Yes
All the client computers that are connected to the domain have IsDomainMaster = False and MaintainServerList = No.
When an external user connects to the network with a laptop that isn't part of the domain it causes a master browser election and wins. All the servers and client computers list only media devices instead of all the computers and servers on the network.
Is there a way to prevent non domain computers from becoming the master browser without changing registry settings on that computer?
Thanks
Jon
Hello,
The TechNet Wiki Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
Please note that this forum exists to discuss TechNet Wiki as a technology/application.
As it's off-topic here, I am moving the question to the Where is the forum for... forum.
Karl
When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
My Blog: Unlock PowerShell
My Book:
Windows PowerShell 2.0 Bible
My E-mail: -join ('6F6C646B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}}) -
DNS working intermittently for non-domain joined machines
I have a small single Server 2012 based network, with about 90% Windows clients. DNS is running on the Windows Server 2008 machine, but DHCP is provided via a Unix-based firewall machine. Within the DNS configuration I have all of my Windows clients (mostly Windows 8.x clients, but there are a few Windows 7 ones as well) and a few *nix ones as well. All of the Windows clients are domain joined, except for one machine which is currently running Windows 10 preview, though it was a Windows 7 machine originally. In the DNS configuration I have a number of statically entered A records, used to give my *nix machines a name on the local network.
When trying to access systems by name (via ping or by other services), there is a very consistent behavior: my domain-joined machines are able to resolve all names 100% of the time without any issues. However, the non-domain-joined machines, both Windows and not, are consistently inconsistent. To be more precise, when I try to resolve a name it will randomly work and randomly not. IP setup and configuration looks correct, meaning they have a valid IP, DNS is set to my Windows Server, default gateway, etc. are all correct. Pinging external machines (i.e. google.com, etc.) works 100% of the time, but trying to ping any internal machine is a total crap shoot. The only exception to this is the Windows Server 2012 machine itself, which always works.
From past experience I know that the moment I join a machine to the domain all of the DNS issues go away, which is fine for the Windows boxes but not so much for the rest. I also have visitors occasionally come by, who I cannot expect to join my domain just to make things work normally.
This network originally started life out as a Windows Server 2003 domain, but was upgraded to 2012 about two months ago. I have been seeing this problem for years, but have always assumed it to be a Server 2003 issue and figured it would go away when I upgraded. Nope...
Any ideas as to the cause of this and what I can do about it?
Thanks,
Peter
It's really weird - I can ping an address and not have it work, then do an nslookup of the same address against my DNS server and it resolves just fine. Take a look at this screen copy below:
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>nslookup apollo.bakonet.local 192.168.124.9
Server: orac.bakonet.local
Address: 192.168.124.9
Name: apollo.bakonet.local
Address: 192.168.124.27
C:\Users\Peter>ping apollo.bakonet.local
Ping request could not find host apollo.bakonet.local. Please check the name and try again.
C:\Users\Peter>ipconfig /all |more
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win10
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bakonet.local
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-21-CC-65-1B-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : A0-88-B4-A2-41-81
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : bakonet.local
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A0-88-B4-A2-41-80
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc47:8a91:6b25:bd0e%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.124.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 5, 2015 7:34:47 PM
Lease Expires . . . . . . . . . . : Tuesday, February 3, 2015 7:15:20 PM
Default Gateway . . . . . . . . . : 192.168.124.1
DHCP Server . . . . . . . . . . . : 192.168.124.1
DHCPv6 IAID . . . . . . . . . . . : 60852404
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-C6-18-82-00-21-CC-65-1B-8F
DNS Servers . . . . . . . . . . . : 192.168.124.9
24.229.54.212
216.144.187.199
Primary WINS Server . . . . . . . : 192.168.124.9
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : EC-55-F9-F5-14-76
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Does this actually make sense? Obviously the DNS server is online, it works and when a lookup is requested directly it works, and the DNS server is listed as first in the IP configuration. So why would it not work?!
Lync for Mac 2011 - non-domain user logins
How can a non-domain (external) Mac user join a Lync meeting? We've installed the client, they have a live.com account (and a Skype login if that can help), but we can't log in using their live.com id; it always returns a failed login error message (check password, username ...).
Authentication is set to non kerberos, manual config, using TLS with this server:
sipdir.online.lync.com:443
logs follow:
Microsoft Lync 14.0.7 (131205)
MacOS version 10.9.1 (build 13B42)
2014/02/25 21:16:49.330 SIPService::OnEvent(IApplicationLayerEvent &), type: 0, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.075 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 0, newState: 10, direction: 0
2014/02/25 21:16:50.082 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.084 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.477 Office Communications Server LOGON STARTED: USER = {[email protected]}
2014/02/25 21:18:00.478 SIPService::Logon
2014/02/25 21:18:00.514 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.755 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.756 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.785 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 10, newState: 20, direction: 0
2014/02/25 21:18:00.817 InternalConnect, NLResolveAddress returned: 0
2014/02/25 21:18:00.819 IsLocalAddress, 'sipdir.online.lync.com' is not a local address
2014/02/25 21:18:00.819 FShouldUseProxy, is returning 1
2014/02/25 21:18:00.819 Connecting to sipdir.online.lync.com (port 443)
2014/02/25 21:18:01.513 InternalConnect, NLCreateConnection returned: 0,
2014/02/25 21:18:01.514 InternalConnect, NLCopyConnectionBinding returned: 0,
2014/02/25 21:18:06.041 FShouldUseProxy, is returning 1
2014/02/25 21:18:06.836 FShouldUseProxy, is returning 1
2014/02/25 21:18:10.802 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 0
2014/02/25 21:18:10.802 Login (1) failed with error: (0.0)
2014/02/25 21:18:10.976 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 6
2014/02/25 21:18:10.983 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x80ef0191, oldState: 20, newState: 10, direction: 1
2014/02/25 21:18:10.983 void SIPService::OnLogoffResult(HRESULT), hr: 0x80ef0191
2014/02/25 21:18:10.986 void SIPService::LogoffEx()
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 2, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.990 SIPService::OnEvent(IApplicationLayerEvent &), type: 8, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.998 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
Judging by your post (because you are using sipdir.online.lync.com) are you a Lync Online subscriber? Or does the user only have a Windows Live/Skype account?
Basically if you're using Lync Online, you can just sign-in using your Lync Online user name, which will either be something like [email protected] or if you have set custom domains it will just be [email protected]
It won't work with Skype/Windows Live accounts.
If you have an on-premise Lync externally you will connect through your Edge with the Mac client, or if inside the LAN you may need to install the root certificate from your internal Certificate Authority if you're using an internal issued rather than public
(GoDaddy, Verisign, Digicert, etc.) certificate.
If this helped you please click "Vote As Helpful"; if it answered your question please click "Mark As Answer" | Blog: www.lynced.com.au | Twitter: @imlynced
Change default key size on non Domain joined CA.
Hello,
I have one standalone non-domain-joined CA. I would like to change the default key size of all issued certs to 2048. Since it is a standalone, there are no AD templates to modify. Can this be changed in the registry?
Shawn
CAPolicy.inf is the way to go.
See the following thread
http://social.technet.microsoft.com/Forums/windowsserver/en-US/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period?forum=winserversecurity
Hth, Anders Janson Enfo Zipper
Premiere and Photoshop CC Crashes at launch on a Domain Non-Domain Admin Computer
On a Windows 7 domain computer lab, as a non-domain admin but local admin, the program launches and then closes with the error codes below. As a domain admin account, it works fine. This is a K12 education institution, so giving students domain admin status is unacceptable. Please advise, any help is greatly appreciated.
FYI, things I have tried:
Integrated graphics cards: I have uninstalled and re-installed drivers. No luck. I have also made the pslog.txt file and given appropriate permissions to all users.
Error Codes:
Windows Error Code - Application error
Faulting application name: Adobe Premiere Pro.exe, version: 8.0.1.21, time stamp: 0x53c7b17f
Faulting module name: dvaui.dll, version: 8.0.1.21, time stamp: 0x53c76970
Exception code: 0xc0000005
Fault offset: 0x00000000002f4e39
Faulting process id: 0xf28
Faulting application start time: 0x01d01a2c32635355
Faulting application path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\Adobe Premiere Pro.exe
Faulting module path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\dvaui.dll
Report Id: 924f6336-861f-11e4-821e-0024811149b1
Fault bucket 45383478, type 20
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Windows Information - Windows Error
Problem signature:
P1: Adobe Premiere Pro.exe
P2: 8.0.1.21
P3: 53c7b17f
P4: dvaui.dll
P5: 8.0.1.21
P6: 53c76970
P7: c0000005
P8: 00000000002f4e39
P9:
P10:
Attached files:
C:\Users\esdstudent\AppData\Local\Temp\WER9443.tmp.WERInternalMetadata.xml
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Adobe Premiere P_ad637fa2c8bd70d3e74771b4be53569c25a980_00c3bab6
Analysis symbol:
Rechecking for solution: 0
Report Id: 924f6336-861f-11e4-821e-0024811149b1
Report Status: 0
I think you have answered your own question... you must have BOTH types of user accounts set to Administrator
This is an open forum with a mix of program users and Adobe staff, not Adobe support... you need Adobe support
Adobe contact information - http://helpx.adobe.com/contact.html may help
-Select your product and what you need help with
-Click on the blue box "Still need help? Contact us"
Non-Domain joined clients connect to server initially but cannot connect via Launchpad
Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed.
Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box.
Tried removing the PC from the SBS Dashboard, uninstalling the connector from the client, restarting the client, and reinstalling the connector. I can install the connector (using http://<server ip>/connect, but not http://<servername>/connect). The connector installs but it still tells me the server is offline when trying to use the dashboard or launchpad on the client.
Note: I can add a network location or map a network drive to the server after inputting my network password from Windows.
Any Services to check? Firewalls exceptions to ensure? Advice?
EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline.
Sounds like a name resolution issue to me.
Are all your clients set to use the IP of the Essentials Server for their primary DNS?
Robert Pearman SBS MVP
itauthority.co.uk
We have found a need for users in the company who, for whatever reason, cannot access their domain email, and need to send a message to helpdesk. As it stands right now, the Service Manager will not take emails from outside the domain and create a ticket for our helpdesk. Q: 1. Is there a way to configure Service Manager to allow non-domain emails? 2. Is this a setting within the Exchange server, or does this even exist?
Jerome Reafs
Hi,
The SCSM Exchange Connector has an option 'Only process emails from users in CMDB'. Uncheck it and the EC will create a new user for every email sender not present in the CMDB.
Cheers,
Marat
Site: www.scutils.com