802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

Hi Spiceys, I'm researching for a potential client and would like to know if the following is possible: They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO, and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so I don't want to investigate 3rd-party SSO apps. If a wireless client is authenticated with NPS, and we have a working ADFS implementation, are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work'? They are looking at using the full...
This topic first appeared in the Spiceworks Community

Similar Messages

  • 802.1x Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS RADIUS server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as an X509 anchor and other and still the same thing. Is anyone out there doing this?
    The window says:
    802.1x Authentication
    The server certificate could not be validated because the root certificate is missing.
    Thanks

    No, CA wasn't changed with R2.
    Are you able to see the user's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under X509Anchors?
    In the login keychain, when looking at the user's certificate, does it show as valid?

  • About 802.1x port authentication using TACACS+

    Hi
    I have some questions. Please help me. Thanks.
    Question 1. May I use 802.1x port authentication with TACACS+?
    Question 2. Is it true that TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+?
    Any help would be greatly appreciated.
    Thanks.

    Thanks to you.
    Where can I find the documents stating that TACACS+ doesn't support EAP?
    I spent more time and I cannot find the documents.
    Please help me....
    Thanks.

  • ADFS single sign-on with office 365 and multiple forests

    I have 2 forests, with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B to achieve single sign-on to Office 365? Today users have to log in with separate Office 365 accounts in order to access email and SharePoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do to achieve single sign-on?

    Hi,
    Based on my research, we can have one ADFS farm servicing multiple forests; here are some related articles below for your reference:
    Multi-forest and Multi-tenant scenarios with Office 365
    http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
    Hybrid Deployment Prerequisites
    http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
    SupportMultipleDomain switch, when managing SSO to Office 365
    http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
    For more information about Office 365, I suggest you refer to Office 365 community below:
    http://community.office365.com/en-us/f/default.aspx
    Best Regards,
    Amy

  • 802.1x Wireless Implementation with NPS - Guest computers access

    Hi guys,
    I have an 802.1x network using NPS services in Windows Server 2012 that I am testing right now with Windows 7 machines. Everything seems to be fine with corporate computers (connection and authentication are good). But I have an issue with guest computers (i.e. a personal laptop). I am able to connect to my Enterprise wireless connection using my corporate credentials. Even if my personal laptop doesn't have any corporate certificate, the connection is granted because I use my credentials. Is there a way to use a user certificate AND a computer certificate for wireless at the same time? So that a personal laptop will not have access to the enterprise wireless network even if I enter my corporate credentials.
    Let me know if you need more information.
    Thank you

    Hi,
    One way to solve it would be to only allow "Domain Computers" or another computer group in the NPS policy and then create a corresponding Group Policy to only authenticate to the wireless with the computer account.
    Another way would be to actually use user certificates (instead of the secured password that you are using now). That would require you to autoenroll user certificates though.
    See screenshots above on alternatives 1 and 2.
    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured working 802.1x authentication with certificates for wired connections, with no problem.
    When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    The ACS is the same, the certificate is the same, and the root CA is the same.
    What's happening????
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have the complete chain of certificates installed on the client machine? Can you check if we have the root CA/intermediate correctly installed on the client and the ACS?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Best way Of providing user authentication using ADF security...

    Hi,
    I have a web application. I want to implement ADF Security in the application. What is the best approach to doing this? I have the user information in database tables along with the roles and other information. I want to use these tables for authorization.
    What is the best approach to do this? It would be great if you could help.
    I am using 11g Release 2.
    Thanks in advance.
    Rakesh

    Hi,
    Thanks for the quick response.
    I have been looking at the post, but I found one forum post in which the person was saying that SQLAuthenticator doesn't work:
    "Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
    This is feedback I got in SR 3-4124753004 :
    "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
    related bugs are :
    - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
    - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"
    related forum threads are :
    - "ADF Security : identity store : tables in a SQL database"
    - "OPSS : addMembersToApplicationRole : The search for role failed"
    regards
    Jan Vervecken"
    Is this true?
    Rakesh

  • Cannot open document because Office keeps trying to sign in to Office 365 with the wrong account

    Problem: I cannot open Office documents from SharePoint on Office 365 because Office tries to sign in with my Microsoft account instead of my Office 365 account.
    History
    When we started the project, I did not have an Office 365 account yet for the organization I was working for. To get temporary access to SharePoint, a colleague invited me on my Microsoft Account to gain access to SharePoint. This worked fine and I was able to access SharePoint. A few days later I received my official Office 365 account, so I also got e-mail etc. Because I now have an official Office 365 account, we removed my Microsoft Account from SharePoint. So now I only have access to SharePoint with my Office 365 account.
    The problem is that I can no longer open documents in Office. In the web version everything works fine, but if I want to open a document in, for example, Word, it says the document cannot be opened. Sometimes it shows a screen which says "Something went wrong". If I click through to go back to the website, it shows me that it tried to log in with my Microsoft Account and that this account does not have access to the site. It suggests signing out and logging in with a different account, but this leads to a page that does not exist. I cannot figure out how to make Word use my Office 365 account.
    What I have already tried
    -Removed all my browser history and temporary files.
    -Added Office 365 as a connected service in Office. I can sign in with my Office 365 account and the location is added, but I still cannot open documents.
    -Tried a different PC. But because Office syncs all my settings, I got the same problem on all my PCs.
    -Removed all my Windows credentials via the Credential Manager in the Control Panel. If I also remove the credentials for my Microsoft Account, Office cannot sign in anymore. At this point, if I try to access SharePoint, it asks me for my credentials and I have access to the documents. However, if I restore my Microsoft Account in Office again by entering my password, the problem is back.
    -As a workaround I can add my Office 365 account as a separate Office account. I have access then, but it is really annoying because every time I want to open a document, I have to open Word, switch accounts, close Word and open the document. It is not capable of automatically selecting the account to use.
    Conclusion and question
    I have also worked with other Office 365 organizations which I can easily add to the connected services in Office, and they work fine. So somehow Office has linked my Microsoft Account to this organization of Office 365 and it refuses to use the correct account. Does anybody know how to unlink my Microsoft Account from this Office 365 organization so that I can use the correct account?

    Try these steps from the source linked below:
    Stop connecting to a connected account
    You can stop connecting to a connected email account in Outlook Web App by removing the connection.
    In Outlook Web App, click Settings > Options > Account > Connected accounts.
    Under Account Name, select the account you want to stop connecting to.
    Click Delete to remove the connection.
    Click Yes in the dialog box to confirm that you want to stop connecting to the account.
    http://office.microsoft.com/en-us/support/connected-accounts-HA102836325.aspx

  • 802.1x Wireless Authentication with 10.8.4 Build 12E3067

    Hello All,
    I work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN. We use a login window profile that authenticates with our Active Directory.
    Previous and working setup was MBA (Mid 2012) 5,1 running OS 10.8.4 build 12E55. This OS was downloaded from the Mac App Store. Bound to domain and using authorization certificates for our Active Directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 Server. No issue. Units authenticate with server at user login, join Wi-Fi and mount the home folder.
    New and not working setup is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067. This unit will not run build 12E55; it boots to a prohibitory sign. Unit is set up with the same certificates and 802.1x profile. When first booting up, the Wi-Fi signal appears to be attached to the network, unlike the previous setup, where the Wi-Fi indicator will appear disconnected until the user logs in. 90% of the time new units will not authenticate. States unable to connect to server and then loads into the mobile user account. Will not attach to Wi-Fi. There are instances when it does authenticate properly. However, logging out and then back in will cause the failure.
    Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed it on the MBA 5,1. The same failure happens. This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
    Troubleshooting:
    -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed the Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and the issue surfaces.
    -Created new profile using Profile Manager and the issue continues. Verified proper certificates are being used. Would the previous profile
    -Restarted domain controllers. Issue continues.
    Any thoughts or questions would be appreciated.

    Did you find any resolution to this? Our MBA Mid 2013 deployment is having a very similar problem. We've gone through loads of troubleshooting and have yet to come to a resolution. All our Mid 2012 MBAs are working fine; they're 10.7.5/10.8.4 mixed. Console logs don't show much; I'll try the wireless diags tomorrow. Our other 10.8.4 build appears fine on other models of machines. I've read posts about deleting the adapters, deleting the system config plists and changing the MTU size; these steps do not work for us.
    We don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering Wi-Fi wave). When you select the Wi-Fi symbol in the menu bar, other wireless networks do not show; the 'looking for networks' flywheel continues to spin. Occasionally on login the yellow jelly bean will appear then disappear before finally timing out without logging the user in (despite having mobile accounts enabled). Mostly the problem manifests itself when waking from sleep: the Wi-Fi symbol flutters endlessly without connecting. Deleting the 802.1x profile and re-adding it will re-enable connectivity. We've tried new profiles, but to the same end. I know our certs and systems are fine because previous Mac OS X builds work fine, as do our Windows clients.
    Any input would be much appreciated.

  • 802.1x wireless authentication not working via RADIUS

    I've tried to implement 802.1x authentication in a Windows 2012 domain environment using Protected EAP authentication. I read through guide after guide and still I am unable to get it to work. I'm confident the server side and WLC config is all correct. I have run the command debug client d0:df:9a:f6:30:40, which is my test laptop, and I can see the WLC sending EAP-Request/Identity messages but it seems it never gets a reply. I have attached a copy of the debug.
    Please can someone help me if possible?
    Laptop > AP > WLC > RADIUS SERVER

    Hmmm, PEAP. So PEAP requires the server be validated via a certificate trust. Did you download the WLC certificate and install it on the client (using the self-signed cert), or did you install a new certificate on the WLC? In either case your client has to "trust" the Certificate Authority who signed the certificate used by the authentication device. If you use the self-signed certificate you have to download the cert from the WLC and install it on the client to validate the server; then the client is validated on the WLC with Windows credentials or a saved username/password.
    Are you trying to do single sign-on? Is the client a member of the domain? Does the user belong to the domain? Did you do the certificate stuff above? If you need to test this without validating the server (JUST FOR TESTING PURPOSES) you can go under the WLAN profile on the client, choose Security, Settings and uncheck "Validate server certificate". Then on user credentials verify you are using the correct client credentials on the client and try again.
    If this works, the certificate is the issue, and you can troubleshoot from there. You DO NOT WANT TO LEAVE "Validate server certificate" unchecked as that can create a BIG SECURITY HOLE. Just based on your description I am leaning towards a cert issue. If you can provide more details, that would be great: screenshots of your client EAP-PEAP setup, and a screenshot of the Windows cert store showing Trusted Root Certification Authorities with the trusted CA your WLC is using.
    Do you ever see logs on the AD server with login attempts? If not, the client is not able to verify the WLC's certificate and therefore won't send credentials.
    LDAP configuration is pretty straightforward. If you just want to test this for the first time and are having issues with just getting a PEAP client to work, you can attempt with a LOCAL EAP user on the WLC to verify the client and WLC are correct, then add the LDAP server as an authentication source; just ensure your server priorities are correct if you do this.
    Hopefully this helps
    ~Please rate useful post~
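    Two settings come up in this thread: the NPS answer above suggests a computer-only wireless profile so corporate user credentials alone cannot join a personal laptop, and this answer warns against leaving "Validate server certificate" unchecked. The script below is an added example (not code from any of the quoted posts) that audits an exported Windows WLAN profile for both. Element names and namespaces follow the layout that `netsh wlan export profile` writes, which you should confirm against your own export; the profile text, the server name `nps.corp.example` and the root-CA thumbprint are constructed placeholders.

```python
"""Audit an exported Windows WLAN profile for two 802.1X settings discussed in
this thread: whether the supplicant authenticates as the machine (so a
personal laptop cannot join just because its owner knows corporate user
credentials) and whether PEAP server-certificate validation is enforced.

Added example, not code from any quoted post. Element names and namespaces
follow the layout written by `netsh wlan export profile`; check them against
your own export. The profile text is constructed here, and the server name and
root-CA thumbprint in it are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed template; only the parts the audit inspects are included.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
                  <ServerNames>{server_names}</ServerNames>
                  {trusted_root}
                </ServerValidation>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def make_profile(auth_mode, validate, server_names="", trusted_root="", no_prompt="true"):
    """Build a constructed profile; trusted_root is a placeholder thumbprint."""
    root_el = f"<TrustedRootCA>{trusted_root}</TrustedRootCA>" if trusted_root else ""
    return PROFILE_TEMPLATE.format(auth_mode=auth_mode, validate=validate,
                                   server_names=server_names, trusted_root=root_el,
                                   no_prompt=no_prompt)


def _text(root, path):
    """Text of the first element matching path, or '' if absent/empty."""
    return (root.findtext(path, default="", namespaces=NS) or "").strip()


def audit_profile(xml_text, expected_auth_mode="machine"):
    """Return a list of findings; an empty list means the profile passes."""
    root = ET.fromstring(xml_text)
    findings = []

    auth_mode = _text(root, ".//onex:authMode").lower()
    if auth_mode != expected_auth_mode:
        findings.append(f"authMode is '{auth_mode or 'unset'}': user credentials alone can "
                        "join a non-domain laptop; pair a machine-only profile with an "
                        "NPS policy that allows only the Domain Computers group")
    if _text(root, ".//peap2:PerformServerValidation").lower() != "true":
        findings.append("PerformServerValidation is not true: the client will send its "
                        "MSCHAPv2 response to any RADIUS server that answers")
    if not _text(root, ".//peap:ServerNames"):
        findings.append("ServerNames is empty: any certificate from a trusted CA is "
                        "accepted, whatever name it carries")
    if not any(e.text and e.text.strip()
               for e in root.findall(".//peap:TrustedRootCA", NS)):
        findings.append("no TrustedRootCA pinned: every CA in the machine store can "
                        "issue an acceptable server certificate")
    if _text(root, ".//peap:DisableUserPromptForServerValidation").lower() != "true":
        findings.append("DisableUserPromptForServerValidation is false: the user can "
                        "click through a certificate mismatch")
    return findings


# Weak profile: user-mode, validation unchecked, nothing pinned, prompt allowed.
WEAK = make_profile("user", "false", no_prompt="false")
# Hardened profile: machine-mode, validation on, server name and root CA pinned.
HARDENED = make_profile("machine", "true", server_names="nps.corp.example",
                        trusted_root="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")

if __name__ == "__main__":
    for label, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_profile(prof) or "OK")
```

    Run it against `netsh wlan export profile name="CorpWiFi" folder=. key=clear` output to see which of the five checks a deployed profile fails; a profile that passes still needs the matching NPS network policy condition (Windows Groups = Domain Computers) on the server side, which this client-side check cannot see.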

  • 802.1x supplicant authentication using a wired LAN.

    We are in the process of creating a test environment to test 802.1x within our organisation.
    We have a mixed Windows/OS X client environment and a W2k3 backend structure (Active Directory, RADIUS).
    Phase one of the testing involves wired-only connections and authentications. The Windows clients authenticate fine with the RADIUS server, which is connected to our test Active Directory.
    The OS X clients (10.3.9, 10.4.3 and 10.4.11) have been bound to Active Directory and users can log in OK if 802.1x is turned off.
    When 802.1x is turned on the users can authenticate OK using the Internet Connect app to set up an 802.1x session.
    However, it would be advantageous if we could also get the Mac to authenticate itself as a known system before any users log in (the Windows clients do this already).
    Is this possible for OS X?
    Is it because we are using Active Directory for the Macs?

    Did you ever figure out a resolution to this? I'm facing the same problem. 802.1x authentication does not work for the system profile and I have to login and manually click the connect button for 802.1x.

  • Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

    We are having trouble successfully connecting our Active Directory-bound Macs wirelessly to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco RADIUS server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
    Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
    Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
    The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The 2nd, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400
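    The Console excerpt in this thread shows the symptom in two lines: the `System Mode Using AD Account` entry names the domain the supplicant chose, and the following `authentication failed` or `successfully authenticated` entry gives the outcome. The parser below is an added example, not part of any quoted post; it pairs those entries so a fleet's eapolclient logs can be swept for attempts made under the wrong domain. The log lines are constructed to match the shape of the quoted output (PID and hostnames are placeholders), and `CORRECT_DOMAIN` is an assumed value.

```python
"""Pair eapolclient 'System Mode Using AD Account' entries with their outcome
and flag attempts made under an unexpected domain.

Added example, not part of any quoted post. SAMPLE_LOG is constructed to match
the shape of the Console excerpt in the thread; CORRECT_DOMAIN is assumed.
"""
import re
from dataclasses import dataclass

CORRECT_DOMAIN = "CORP"  # assumed NetBIOS name of the domain the Mac is bound to

# Constructed sample: one failed attempt under the wrong domain, then a good one.
SAMPLE_LOG = """\
Apr 22 13:37:28 MACHINENAME eapolclient[123]: System Mode Using AD Account 'WRONGDOM\\MACHINENAME$'
Apr 22 13:37:28 MACHINENAME eapolclient[123]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[123]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[123]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[123]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[123]: System Mode Using AD Account 'CORP\\MACHINENAME$'
Apr 22 13:37:52 MACHINENAME eapolclient[123]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[123]: eapmschapv2_success_request: successfully authenticated
"""

# syslog-style prefix written by eapolclient, then the free-form message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) eapolclient\[\d+\]: (?P<msg>.*)$")
# 'DOMAIN\account$' as quoted in the System Mode line
ACCOUNT_RE = re.compile(r"System Mode Using AD Account '(?P<domain>[^\\']+)\\(?P<account>[^']+)'")


@dataclass
class Attempt:
    started: str
    host: str
    domain: str
    account: str
    outcome: str = "unknown"   # 'failed', 'success' or 'unknown' (no result logged)


def parse_attempts(log_text):
    """One Attempt per 'System Mode Using AD Account' line, with its outcome."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an eapolclient line
        msg = m["msg"]
        acct = ACCOUNT_RE.search(msg)
        if acct:
            # a new account line starts a new attempt; later result lines belong to it
            current = Attempt(m["ts"], m["host"], acct["domain"], acct["account"])
            attempts.append(current)
            continue
        if current is None:
            continue
        if "authentication failed" in msg:
            current.outcome = "failed"
        elif "successfully authenticated" in msg:
            current.outcome = "success"
    return attempts


def wrong_domain_attempts(attempts, expected_domain=CORRECT_DOMAIN):
    """Attempts where the supplicant chose a domain other than the expected one."""
    return [a for a in attempts if a.domain.upper() != expected_domain.upper()]


def report(log_text, expected_domain=CORRECT_DOMAIN):
    """Human-readable lines, one per suspicious attempt."""
    return [f"{a.started} {a.host}: used {a.domain}\\{a.account} "
            f"(expected {expected_domain}), outcome={a.outcome}"
            for a in wrong_domain_attempts(parse_attempts(log_text), expected_domain)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Point it at `/var/log/eapolclient.en0.log` from a failing Mac; an attempt flagged with a wrong domain and outcome `failed` followed by a good one on the same host is the pattern described in the question, where the supplicant picked the NetBIOS name instead of the domain the machine account lives in.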

  • Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS RADIUS server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as an X509 anchor and other and still the same thing. Is anyone out there doing this?
    The window says:
    802.1x Authentication
    The server certificate could not be validated because the root certificate is missing.
    Thanks

    You've posted in the wrong forum. This is Feedback about Discussions. Try Networking and the Web maybe.

  • Using Lync server 2010 with office 365 email in the cloud

    We have a 5 year old install of Lync server 2010 in house that interacts with a local install of exchange 2008 via unified messenger. If down the road we want to try email in the cloud like office 365 can we still keep our local Lync server install? Thanks in advance.
    This topic first appeared in the Spiceworks Community

    I am reporting back with my solution. I can now confirm that one can have Lync servers on-premises with Exchange Online using Office 365 and the Lync Phone Edition devices will work. Contact search, calendar (although it only shows the day's Lync meetings), and visual voice mail all work.
    Summary of fix: AD FS certificates have to be issued by CAs that Lync Phone Edition trusts.
    The problem was when the Lync Phone Edition came back and tried to log in through AD FS. Since we had single sign-on with Office 365 set up before we even ventured down the Lync path, the certificates for AD FS weren't issued by a CA that Lync Phone Edition trusted. Getting new certificates solved the issue. (They were issued by the same CA that did the "external web" certificate on the Lync Front End, in case that matters.)
    I tried hard to get the phones to trust the original certificate first, putting it in Active Directory using the certutil -dsPublish method, putting the original CA on the Lync Web Services trusted list using Set-CsWebServiceConfiguration. But nothing seemed to work until I finally just gave up and got a new certificate issued. I am now running without any certificates listed in Active Directory nor any explicitly listed in Lync's Get-CsWebServiceConfiguration and it works great.
    The TechNet articles are woefully out of date when it comes to the trusted CA list, but here's a link to the list of trusted CAs (with the updated firmware): http://blog.schertz.name/2014/10/lync-phone-edition-and-public-certificates/

  • Change in SharePoint DNS breaking remote authentication code through office 365 login

    Hi,
    I have a website that connects to a SharePoint Online site in order to access content from there. The authentication is done through the Office 365 login. In order to do that, I composed the following URL:
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=3&rver=6.1.6206.0&wp=MBI&wreply=https://www10226.sharepoint.com/_layouts/15/landing.aspx?Source=" + window.location
    so that window.location is returned to after the authentication is done. It worked so far, but today I encountered the following problem: https://www10226.sharepoint.com now says page cannot be found, DNS lookup failed. Apparently the correct address is now https://www10501.sharepoint.com . Does anybody know about this sort of change? Is it a one-time thing or does it happen on a regular basis? How can I get the right DNS dynamically so my code won't be affected by changes like this one in the future?
    Any help is highly appreciated.

    Hi, Jason, and thank you for the answer.
    I am not the global administrator. The problem is that I want a universal solution for any SharePoint Online site that will be accessed by the users: a link like the one above, authenticating the user to SharePoint Online via Office 365 and then returning to my website.
    I composed the URL above by simply looking at what redirects Office 365 does when I try to log in to my SharePoint Online site. At that moment I understood that wreply=https://www10226.sharepoint.com/_layouts/15/landing.aspx was a universal authentication endpoint, but then the address changed and it was https://www10501.sharepoint.com, and currently it is https://www10706.sharepoint.com . I am confused by these changes. Do you mean to tell me that this part www10706 is specific only to one SharePoint Online site and that if you tried to authenticate to a different SharePoint address than mine, it wouldn't work? If so, how should the URL be in order to achieve what I want, authentication and returning to the website, having the security token attached to the request?
    I came across this article http://community.office365.com/en-us/w/domains/sharepointcname.aspx, but I am unsure whether it has to do with the changes I am experiencing. I tried putting the SharePoint address entered by the user in the wreply parameter (such as wreply=https://www.ALIAS.sharepoint.com) but after the authentication it just remains on the SharePoint page, without returning to my website.
    Please advise, I need to find a solution to this.
    Cheers!
