Account Locked Unable to check results !!!

Similar Messages

• "Unable to check revocation" error while checking CDP from non-domain user account

  Hi!
  I use 3-tier PKI infrastructure:
  Stand-alone offline Root CA: RootCA;
  Stand-alone offline Intermediate subordinate CA: SubCA;
  Enterprise CA: EntSubCA.
  In certificate we have three CDP point for CRL check:
  ldap:///, http:// and file://
  I have Windows 2008 R2 server joined to domain.
  I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
  When I use domain user account for revocation checking, all OK.
  I have access to any CDP and all fine.
  But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
  My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
  Here is the logfile from local user:
  Issuer:
  CN=EntSubCA
  DC=DED
  DC=ROOT
  Subject:
  CN=servername.domain_name
  Cert Serial Number: 5a896145000300006ee2
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  NotBefore: 05.02.2015 20:03
  NotAfter: 05.02.2016 20:03
  Subject: CN=servername.domain_name
  Serial: 5a896145000300006ee2
  SubjectAltName: DNS Name=servername.domain_name
  Template: Machine
  70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  Verified "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Base CRL CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  OK "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 018d:
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SubCA
  NotBefore: 13.11.2014 19:12
  NotAfter: 13.11.2017 19:22
  Subject: CN=EntSubCA, DC=DED, DC=ROOT
  Serial: 6109015b000100000008
  Template: SubCA
  9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
  file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\SubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/SubCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (32)" Time: 0
  [0.0] file://\\ca\crl\SubCA.crl
  Verified "Base CRL (32)" Time: 4
  [1.0] http://webserver/crl/SubCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 32:
  Issuer: CN=SubCA
  8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
  CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 28.05.2008 12:09
  NotAfter: 28.05.2058 12:19
  Subject: CN=SubCA
  Serial: 616bd19f000100000004
  Template: SubCA
  06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 4
  [0.0] http://webserver/crl/RootCA.crl
  Verified "Base CRL (1c)" Time: 0
  [1.0] file://\\ca\crl\RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 27.05.2008 16:10
  NotAfter: 27.05.2110 16:20
  Subject: CN=RootCA
  Serial: 258de6fbd3bbab92460530e9e9f10536
  5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crl
  Verified "Base CRL (1c)" Time: 4
  [1.0] http://webserver/crl/RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
  Exclude leaf cert:
  5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
  Full chain:
  ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
  Verified Issuance Policies: None
  Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.

  What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
  (you also use FILE URLs for publication, which again is not recommended).
  The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
  For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
  an internally and externally accessible, highly available Web cluster.
  the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
  certutil -dspublish -f RootCA.crt.
  This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
  Brian

• Error at install NSP - FSL-01001  Unable to check existence of account

  Hi all, 
  I need very urgent help. 
  I installed the NSP system one time and uninstalled it again.
  Now I tried to reinstall it again and allways get the error FSL-01001  Unable to check existence of account localhostSAP_LocalAdmin. Any hints or ideas.
  It is a local installation, all admin rights are available. Same environment like at the first installation, which was OK. Also the change of the system name did not help.
  Any hints? 
  Here ist the logfile:
  Handling account  
  TRACE      syxxsyshlp.cpp:75
             syslib::traceOSError(const iastring &, int, DWORD, const iastring &)  
  System call failed. Error 2453 (Domänencontroller für diese Domäne konnte nicht gefunden werden. 
  ) in execution of system call 'NetGetDCName' with parameter (NULL, localhost), line (1075) in file (synxcaccmg.cpp). 
  TRACE      synxcaccmg.cpp:766
             CSyADsPath::fromString(localhostSAP_LocalAdmin)
  Account localhost/SAP_LocalAdmin has ADS path 'WinNT://localhost/SAP_LocalAdmin' 
  INFO[E]    2005-11-19 14:07:50 synxcgroup.cpp:684
             CSyGroupImpl::isExistingOnOS()
  Unable to check existence of account localhostSAP_LocalAdmin. Verbindung wurde nicht hergestellt, weil ein identischer Name bereits im Netzwerk vorhanden ist. Wählen Sie "System" in der Systemsteuerung, um den Computernamen zu ändern, und versuchen Sie es erneut. 
  TRACE      iaxxejsexp.cpp:208
             EJS_Installer::writeTraceToLogBook()
  AccountMgt.createGroup(localhostSAP_LocalAdmin, ) 
  TRACE      syxxsyshlp.cpp:75
             syslib::traceOSError(const iastring &, int, DWORD, const iastring &)  
  System call failed. Error 2453 (Domänencontroller für diese Domäne konnte nicht gefunden werden. 
  ) in execution of system call 'NetGetDCName' with parameter (NULL, localhost), line (1075) in file (synxcaccmg.cpp). 
  TRACE      synxcaccmg.cpp:766
             CSyADsPath::fromString(localhostSAP_LocalAdmin)
  Account localhost/SAP_LocalAdmin has ADS path 'WinNT://localhost/SAP_LocalAdmin' 
  ERROR      2005-11-19 14:07:55 synxcgroup.cpp:684
             CSyGroupImpl::isExistingOnOS()
  FSL-01001  Unable to check existence of account localhostSAP_LocalAdmin. Verbindung wurde nicht hergestellt, weil ein identischer Name bereits im Netzwerk vorhanden ist. Wählen Sie "System" in der Systemsteuerung, um den Computernamen zu ändern, und versuchen Sie es erneut. 
  TRACE      iaxxejsbas.hpp:270
             EJS_Base::dispatchFunctionCall()
  JS Callback has thrown std::ESyException: ESAPinstException: error text undefined 
  TRACE      iaxxcwalker.cpp:301
             CDomWalker::processStep()  
  An error occurred while processing service SAP NetWeaver '04 Support Release 1> ABAP System> MaxDB> Non-Unicode> Central Instance Installation. You may now
  press the 'View Log' button to get more information about the error.
  stop the task and continue with it later.
  reset your input for the current task. In this case, SAPinst will permanently remove all installation files from the installation directory. This gives you the opportunity to restart from scratch.
  Log files are written to C:Programmesapinst_instdirNW04SR1WEBAS_ABAP_ADA_NUCCI.
  TRACE      iaxxgenimp.cpp:845
             showDialog()
  waiting for an answer from gui 
  TRACE      iaxxcnclhd.cpp:92
             doHandleDoc()
  ACTION_STOP requested 
  WARNING    2005-11-19 14:07:57 sapinst.cpp:1302
             CSapInst::cancel()
  Installation canceled by user request.

  Hi,
  I got same problem. I tried all above replies, still I got same error.
  Error
  FSL-01001   unable to check existence of account saptranshost\SAP_localAdmin. Access is denied
  ERROR 2020-04-28 09:08:56
  MOS-01131  Unable to create account ACCOUNTNAME=saptranshost\SAP_LocalAdmin ACCOUNTTYPE=GROUP DESCRIPTION=SAP Local Administration Group MEMBERSHIPSEPARATOR=, OPMODE=CREATE . SOLUTION: Check whether you have permissions to create accounts.
  I logged in as local Administrator with Administration permissions. This user created by OS while installation.
  Urgent. Thanks in advance.
  Regards,
  Krishna

• Database account locked as it tries to connect different ports for 16 times

  I need a help in answering one of the issue encountered last week.
  I have created a database link and tried to access the information from a table using the program written in another language. The password provided was incorrect for that user while creating database link. So we expected that,while retrieving the data, Database connection has to be errored out as password provided is incorrrect.
  But unfortunately, user account was locked out. When i checked with DBAs they mentioned that it tries to connect 16 ports with in a min of time.we were shocked as it STOPS another scheduled jobs with that user. and affects production badly.
  As per the program, it has to connect only one time and yesterday we tried to execute the program in DBAs observation and it errored out as expected. Didn't tried for multiple ports.
  Now the question is, WHY the database connection established 16 times last week and caused user account locked. DBAs are unable to answer it. Any EXPERTs opinion on this would greatly appreciated.
  I have verified managing ports in oracle documentation, it was mentioned that if one port is busy it will try to connect to another port in the range of ports mentioned during the installtion. DBAs verified ports related file and it was blank. and they are not agreeing with this reason. Please HELP me in finding the correct REASON for this.
  is it a NETWORK issue or issue with DATABASE SERVER only?
  Thanks
  SSP
  Edited by: 960738 on Sep 22, 2012 9:13 PM

  960738 wrote:
  I need a help in answering one of the issue encountered last week.
  I have created a database link and tried to access the information from a table using the program written in another language. The password provided was incorrect for that user while creating database link. So we expected that,while retrieving the data, Database connection has to be errored out as password provided is incorrrect.
  But unfortunately, user account was locked out. When i checked with DBAs they mentioned that it tries to connect 16 ports with in a min of time.we were shocked as it STOPS another scheduled jobs with that user. and affects production badly.
  As per the program, it has to connect only one time and yesterday we tried to execute the program in DBAs observation and it errored out as expected. Didn't tried for multiple ports.
  Now the question is, WHY the database connection established 16 times last week and caused user account locked. DBAs are unable to answer it. Any EXPERTs opinion on this would greatly appreciated.
  I have verified managing ports in oracle documentation, it was mentioned that if one port is busy it will try to connect to another port in the range of ports mentioned during the installtion. DBAs verified ports related file and it was blank. and they are not agreeing with this reason. Please HELP me in finding the correct REASON for this.
  is it a NETWORK issue or issue with DATABASE SERVER only?
  Thanks
  SSP
  Edited by: 960738 on Sep 22, 2012 9:13 PMDBLINK is 100% oblivious to the fact any port exists.
  DBLINK only contains username, password & TNS Alias.
  can you post actual SQL & results?

• PC Users are unable to check Outlook while my (mac) Mail is open

  Ever since I upgraded to 10.4, whenever I have my Mail application open, the PC users are unable to check their IMAP mail through Outlook. The PC Users and myself are all using different accounts, but are checking the same server.
  At first, this seemed like it was a coincidence... but then I shut my powerbook and they could check their again. I have to use a web mail client to check my email when I am on the network at work.
  Any ideas to resolve this issue? Mail is set to check every 5 minutes.

  AA8 and AA9 allow Reader Rights so the user can save the form. This is restricted by the license to 500 uses. In the long run, the only advantage of the Reader Rights is for your users, not for you. You can always import the data into the form and have the same result as they had in the form. It is not necessary to transmit the full form to you, only the data. If you were developing a web form that would likely exceed the 500 uses, you would have to negotiate a price with Adobe for Reader Rights (thousands of $$ should be expected).
  If saving is important in a company environment, not online, then you may want to read the EULA carefully as to the exceptions. You will still have to have at least AA8.
  I guess the printing problem was answered.

• Unable to check for purchases problem . . .

  Hi,
  I mentioned this problem in another thread, but I think a new one is warranted.
  I too have received the "Unable to check for purchases" message after upgrading some songs using iTunes Plus. After allowing for the initial congestion to die down, it has now been over a month since I bought them, yet I still can't get the songs.
  But, my question is this. I emailed iTunes Customer Service, and I have received a reply requesting my billing details. I've checked, and this is information that Apple already holds. I'm a little suspicious about this request, here is the email:
  "I am sorry that you are not able to download your items that are currently in your download queue. To help troubleshoot this for you, I would like for you to reply to this email.
  In this email if you could please include the billing address associated with your account. I will also need your permission to test your account and reset your password.
  Once we have received this information, we will verify, reset your password and test your account. You will then receive a follow up email with you new password and the results of our test."
  Does this email sound realistic? Has anyone else received an email like this from iTunes Customer Service? I hope I can reset my password afterwards also.
  Yours (in paranoia)
  turkey101
  15" MacBook Pro, 2.4GHz Santa Rosa   Mac OS X (10.4.10)   12" Powerbook 1.5GHz G4 1.25GB, iMac 15 800MHz

  Yes, this email is realistic and not an uncommon reply (I also had such a reply when once I had a problem with the iTunes Store). The iTunes Store customer service rep sometimes needs to be able log into your account and check things when a problem arises, and it's something they can't do without resetting the password since they don't have access to your current password, they can only change it. So I don't think you need to worry.

• Incredibly weird issue, Win 7 account locked out

  Hi folks,
  Ill dive straight in with this one as Ive been working on it since 9am today, with little progress.
  I have USER A who's account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.
  Platform - WIN 7
  Pro 64 Bit
  Server - Win Server 2008 R2 Standard
  I have done the following -
  Cleared credential manager - NO DIFFERENCE
  Reset IE
  and cleared personal details during reset - NO DIFFERENCE
  Tested by logging
  onto another machine - NO JOY
  Recreated their login profile - NO
  DIFFERENCE
  Checked for logged on terminal services accounts - NONE LOGGED IN
  Connected devices ie. iPad, iPhone, Android - NONE
  I have checked
  on our DC's and have found the following -
  - System
  - Provider
  [ Name] Microsoft-Windows-Security-Auditing
  [ Guid]
  {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4776
  Version 0
  Level 0
  Task 14336
  Opcode 0
  Keywords
  0x8010000000000000
  - TimeCreated
  [ SystemTime]
  2014-01-14T12:43:53.301501000Z
  EventRecordID 2042599718
  Correlation
  - Execution
  [ ProcessID] 516
  [ ThreadID]
  29720
  Channel Security
  Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk
  Security
  - EventData
  PackageName
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName USER A
  Workstation
  XXXXXXXX
  Status 0xc0000234
  I do not think this is an issue with the users machine. The reason I say this is because for one the issue follows the user when they logon to another machine. The second thing is, I took the machine completely off the network, as in disconnected it. Reset
  the users account on the DC and just waited on the DC for 5 minutes. I double clicked into the users account again and under the account tab it was locked out again. What on earth could be causing this?
  Jeet S

  Event ID 4776 Status 0xc0000234 tells us there was a failed attempt because the account was already locked.
  - Have you searched the logs for what computer is doing the lockout?  
  - Is there a possibility that the user is still logged on a different workstation and has it locked?
  Maybe this can help:
  Get the user's distinguishedname:
  $DN = (get-aduser <username> ).distinguishedname
  The check the Object Metadata for that account to find out exactly what time and DC the account was locked out on:
  repadmin /showobjmeta <yourDC> "$DN"
  Look through the results and find the property for "LockoutTime"  (That'll tell you where to look)
  Chris Ream
  If you find my post to be helpful ( or the answer ), Please mark this post appropriately.  Thank you!

• Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"

  I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
  Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
  The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service.  This is apparent when executing a search, accessing
  the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site.  I've looked at the certificate assigned to that site and everything appears to be in order. 
  It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
  What I’ve tried so far:
  I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config.  Both appear to be configured correctly such that the root CAs can be validated.
  Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause.  I’ve also verified the service accounts reporting the error, do have access to the configuration database.
  Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this
  MS Tech note.
  So far nothing has worked.  Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
  Log Name:      Application
  Source:        Microsoft-SharePoint Products-SharePoint Foundation
  Date:          2/20/2015 11:19:41 AM
  Event ID:      8311
  Task Category: Topology
  Level:         Error
  Keywords:      
  User:          <SP SERVICE ACCOUNT>
  Computer:      <SHAREPOINTSERVER>
  Description:
  An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
  CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
      <EventID>8311</EventID>
      <Version>14</Version>
      <Level>2</Level>
      <Task>13</Task>
      <Opcode>0</Opcode>
      <Keywords>0x4000000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
      <EventRecordID>1611121</EventRecordID>
      <Correlation />
      <Execution ProcessID="10212" ThreadID="10328" />
      <Channel>Application</Channel>
      <Computer><SHAREPOINTSERVER></Computer>
      <Security UserID="<SP SERVICE ACCOUNT>" />
    </System>
    <EventData>
      <Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
      <Data Name="string2"><STS CERT THUMBPRINT></Data>
      <Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
  </Data>
    </EventData>
  </Event>

  Hi Darren,
  This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website
  In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands
  $rootCert = (Get-SPCertificateAuthority).RootCertificate
  New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
  After running the above commands, perform an IISReset on all servers in the farm.
  More information:
  http://support.microsoft.com/kb/2545744
  Best Regards,
  Wendy
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Wendy Li
  TechNet Community Support

• Vendors Unable to Check-In Contract Documents (e-Sourcing 5.1 Patch 06)

  Vendors Unable to Check-In Contract Documents (e-Sourcing 5.1 Patch 06)
  When moving to patch 06 for e-Sourcing we found that Vendors were no longer able to check-in contract documents, even though they checked them out successfully.
  On Patch 05 this was not an issue with the exact same configuration.
  Has anyone had any encounters with this? 
  - Is there a permission that needs to be set to something specific?   I tried create/read/edit but that doesn't seem to work.
  Thanks.

  When working with a Master Agreement or Sub Agreement within e-Sourcing you can attach Contract Documents (Word files) that you and the vendor can collaboratively work on. 
  Just like a source control system you can check out a document to make edits to ensure that no one else makes edits at the same time.  You then must check back in the document to remove the 'lock'. 
  On patch level 06 we found that although Vendors could perform the Check-out procedure (On a Contract Document click Actions -> Check-Out) they are not permitted to then check-in the document (Actions -> Check-In).
  Buyside users do not experience any issues with check-out/in.
  Hope that helps clear up the issue.
  Thanks,
  Greg

• Unable to check-in or refresh iPads with iCloud passwords.

  I have 40 iPads and have recently been forced to upgrade to iOS 7 (because the users - students - did so on their own and a lot of issues occurred). I still can't believe that users are allowed to upgrade the OS (essentially the firmware) on loaned-out devices. It's an IT logistics nightmare.  What if iOS 7 did what the AppleTV 6 upgrade did?
  Anyway, if a user is assigned an iPad and they put their own iCloud account on the device, I am unable to check that device back in to Apple Configurator. I also am unable to successfully back it up or refresh the device.
  I've had the student in question delete the iCloud account but if all 40 students did that, I'd be going crazy. Imagine if it were 400 iPads instead of 40?
  Is there an easier way to allow students to utilize their own iCloud accounts to backup documents, etc, without requiring them to delete the account before I perform upgrades/mainenance? Is this going to happen every time or is this only happening because she upgraded to iOS 7 on her own?
  I've never been so frustrated with Apple as I have with this upgrade to 7. Allowing individual users to upgrade a kiosk device... and then not communicating about the new Configurator... and then FORCING upgrades when preparing new devices...  days of work lost and more days to come.

  We have had a similar problem as well - inCopy claims that an assignment is checked out, but the user cannot access it to check it  back in  or make changes.
  Did you guys ever figure out a fix?

• J_security_check, JAAS, password expiration, account locking and portals

  J2EE form-based authentication will redirect an unauthenticated user trying to connect to a secured resource to a login page and will 1) send the user to the originally requested page upon successful authentication OR 2) send the user to the error page in the event of authentication failure. There are a couple of problems that I have with this implementation - not with j_security_check specifically, but with the pattern generally.
  There are several events that a Portal must manage beyond simple authentication validation. Specifically
  - Notify a user after successful authentication that their account has been locked and they must contact someone to get it unlocked.
  - Notify a user after successful authentication that their password is about to expire and offer them a choice between changing their password immediately or proceeding to the requested resource.
  - Notify a user after successful authentication that their password has expired and require that they change it before proceeding to the requested resource.
  - Notify a user after successful authentication that they don't have rights to access to the requested resource even though they've been successfully authenticated and offer to redirect them to a page that they are authorized to access.
  I am currently investigating a scheme to solve these problems by using servlets for the login and error 'pages', having these servlets forward to different .JSP's based on roles, and writing some sort of JAAS module to add an access (authorization) role based on the password and account lock status.
  Has anyone else worked on this kind of problem? Are there any efforts to extend the J2EE specifications to handle these alternate flows in the j_security_check activity.
  I'm frustrated with each of the different container providers handling the JAAS Authorization differently. Further, since the j_security_check doesn't discuss how the server tracks the original request, each container provider has used a custom mechanism for keeping the original URI as j_security_check activity proceeds.
  One final gripe, since the J2EE specification does not specify how to deal with JAAS, and further define a mechanism to getting the Subject associated with the current ServletRequest, all providers have done this differently too. Perhaps this was avoided as a 'non-goal', but wouldn't it have been nice to state that 'should a provider decide to offer JAAS based security, the implementation must...'?

  I understand this problem... I dont know whether I have term this as a "Feature" or a "Drawback".
  I have handled this problem differently in my project.
  Scenario: When user does normal login
  1. User is displayed a home page. During this process, I create a session variable "Initialized".
  2. I check for this session variable in all the pages. If this session variable is missing then I redirect to the home page which in turn creates the "Initialize" variable in the session.
  Scenarion: Session time out happens in Page 3
  1. User will be taken to login page.
  2. Typically scenarion, when user is authenticated successfully, Page 3 is displayed.
  3. I check for the session variable "Initialize" in Page 3. This "Initialize" variable will not be available due to session expiry.
  4. I redirect my page to "Home Page" which inturn creates session variable "Initialize".
  5. This solution solved the problem of showing home page when user does the login

• Unable to see 'Result' option in MTM test plan in VS 2012

  Hello,
  I am unable to see 'Result' Tab in the MTM Test plan view of MTM in VS 2012.
  It only displays two options - 'Contents' and 'Properties'
  How can I get to view this option? Please help.
  Thanks,
  DR

  Hi DR,
  What’s the detail version of your TFS and VS?
  I think you may connect to TFS 2010, if that is the case, please connect to TFS 2012 and check the result.
  There is a similar thread:
  # MTM 2012 RC - Test Results not displayed in Test Plan Tab - Visual Studio 2012 RC Ultimate
  https://social.msdn.microsoft.com/Forums/en-US/b737b083-0c0d-4e01-8d1b-96c8a4b357ba/mtm-2012-rc-test-results-not-displayed-in-test-plan-tab-visual-studio-2012-rc-ultimate?forum=vsmantest
  Regards
  Starain
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Unable to check for Downloads

  I rented a movie a couple of days ago, still not in in "downloads..?" I get the "Unable to check for dowloads" message each time I try. I have since purchased two movies and rented another without any issues. ANY IDEAS? THanks

  I had the same problem and this worked. First do a factory reset of the apple tv - hold down the menu and the "-" key for about 6 seconds and the unit will reset. Then in the menu choose "factory reset". the unit will now reset all settings (including all network and account information which will have to be re-input later). When the unit restarts put in your network info. Then do a software update - there is new software which seems to be causing the problem (perhaps you can try the software update without resetting the unit first???) Anyway, after the software update and another restart the unit worked fine and downloads worked again. Good luck,

• Unable to check for available downloads. the network connection was lost

  in my downloads window in iTunes it shows i have "28 iTunes downloads available". when i try to download them, i get the error "Unable to check for available downloads. the network connection was lost."
  my connection is fine though, as i can individually download purchases by clicking on the cloud icon.

  I followed the advice on Holgr's link, i used screen flow to capture the error message, and then made the video available to apple support. My issue was immediately escalated, and my account started working again shortly after.
  I received no additional messages from tech support, i had no idea the problem was resolved until i tried it again.

• Cannot download songs - Unable to check for purchases...

  Hello everybody,
  This week-end I tried to upgrade my library to iTunes Plus. Everything went fine.
  But the problem is that I have 228 files to download, and I cannot do it, because iTunes tries to check for purchases... and then it stops by saying that it was unable to check for purchases.
  I can connect to iTunes Stores, I can check my account, I can see all purchases I've done since the beginning of my account, I can do everything!
  Except that iTunes does not allow me to download my files...
  I have checked on my Mac OS X 10.5 iTunes... and in a Windows XP iTunes.
  It's the same story.
  I have put the topic on Windows, but Mac/Windows... same problem for me now...
  Do you have any idea what is wrong? I suppose since Apple is doing many maintenance... they could have some issue with the Purchasing server.
  Can you buy and download songs? Am I the only one with this problem?
  Just to inform you, I've read all the info and contacted the Apple tech support, and except giving me all sort of "not usefull" tips like firewall check/download accelerator removal (which I don't have). Checking for error codes (I have no error code, just that he cannot check the purchasing server), ... and check the internet connection (which works for EVERYTHING except for this purchasing server!).
  So any help would be great!
  Thank you in advance!
  Alessandro

  I have a hunch it is something wrong on Apple's end with having 200+ downloads queued. Some other folks with hundreds of DLs were having this same problem.
  What I would do, is contact iTS support and ask them to clear your DL queue so you can have fewer DLs wiating in line. THen when you get the first batch, go on to the 2nd batch.
  The magic number mentioned in the other thread seemed to be 69 DLs....you could try searching for it.
  Use the "Contact Us" button on this page and give them the URL of this topic you started
  http://www.apple.com/support/itunes/store/download/