ACE functionality question - SSL tunnelling / proxy on behalf of non SSL client

Hi
Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxy on behalf of a non-SSL client?
Example:
Client (HTTP) ---->>> (HTTP) Cisco ACE (HTTPS) ------>>>> (HTTPS) Server
The "client" server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)?
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?
Regards

Hello Byron,
Yes, the ACE can do it.
Here you have some of the flavors of SSL with the ACE.
Here is a sample of it:
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps and fixes your issue.
Jorge
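
An added example (not part of the original post and not a Cisco tool): a Python check that walks an ACE configuration shaped like the sample above and reports any load-balance policy that sends traffic to real servers on a TLS port without a defined `ssl-proxy client` service. The parsing rules are simplified assumptions covering only the commands in the sample, `BROKEN_POLICY` is constructed for the demonstration, and treating port 443 as "expects TLS" is a heuristic.

```python
import re

# Constructed input: the relevant lines of the configuration from the post,
# plus BROKEN_POLICY, which is added here so the check has something to catch.
SAMPLE_CONFIG = """\
class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
policy-map type loadbalance first-match BROKEN_POLICY
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice
"""


def parse_blocks(text):
    """Group indented lines under the preceding column-0 header line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text, tls_ports=(443,)):
    """Return (policy, message) findings for back-end encryption gaps."""
    farms, services, policies = {}, set(), {}
    for header, body in parse_blocks(text):
        words = header.split()
        if words[:2] == ["ssl-proxy", "service"] and len(words) == 3:
            services.add(words[2])
        elif words[0] == "serverfarm":
            ports = []
            for line in body:
                m = re.fullmatch(r"rserver\s+\S+(?:\s+(\d+))?", line)
                if m and m.group(1):
                    ports.append(int(m.group(1)))
            farms[words[-1]] = ports
        elif words[:3] == ["policy-map", "type", "loadbalance"]:
            classes = []
            for line in body:
                parts = line.split()
                if parts[0] == "class" and len(parts) > 1:
                    classes.append({"farm": None, "ssl": None})
                elif classes and parts[0] == "serverfarm" and len(parts) > 1:
                    classes[-1]["farm"] = parts[1]
                elif classes and parts[:2] == ["ssl-proxy", "client"] and len(parts) > 2:
                    classes[-1]["ssl"] = parts[2]
            policies[words[-1]] = classes

    findings = []
    for name, classes in policies.items():
        for c in classes:
            farm, ssl = c["farm"], c["ssl"]
            if farm is not None and farm not in farms:
                findings.append((name, f"serverfarm {farm} is not defined"))
                continue
            if ssl is not None and ssl not in services:
                findings.append((name, f"ssl-proxy service {ssl} is not defined"))
            if ssl is None and farm and any(p in tls_ports for p in farms[farm]):
                findings.append(
                    (name, f"no ssl-proxy client, but {farm} has real servers on a TLS port"))
    return findings


if __name__ == "__main__":
    for policy, message in audit(SAMPLE_CONFIG):
        print(f"{policy}: {message}")
```

The check only covers the ACE-to-server leg; the client-to-VIP leg in this design is cleartext HTTP by definition.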

Similar Messages

  • ACE - Support for SSL Server Name Indication (SNI)

    Hi,
    I have the question if Cisco ACE currently or in the future supports SSL SNI (RFC 3546 or 4366). You run into that problem when moving SSL termination from a server that supports having multiple different certificates bound to the same IP and acting on the different domain names (SNI). Currently I do not see any chance how to build that on the ACE. In case it is definitely not supported, is there anything on the roadmap for that?
    Thanks and best regards,
    Daniel

    From what I understand SNI is largely reliant on client support. It is just an extension of the TLS SSL protocol. One of our Escalation Engineers wrote up a pretty good post explaining SNI.
    http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
    "SNI is an extension to the TLS SSL protocol that allows the client to include the Hostname the client is connecting to in the SSL Client Hello. A server can then use the SNI header to determine which certificate to serve to the client. A key benefit of SNI is that it allows a server to host multiple certificates on the same IP/port pair instead of needing an IP per certificate (assuming you are using port 443)."
    A few questions I would have: what client and browser combination have you attempted this on? Also, are you using a wildcard certificate on your Web Listener? Have you taken network traces to see if the client is sending SNI? Ian does a good job of explaining how to do that in his blog post.

  • SD & FI BI functional Questions

    Hi Experts,
    I need to ask the customer some SD & FI functional questions for BI analytical reports.
    The customer has already implemented an Informatica data warehouse with the Cognos reporting tool.
    Right now they want to implement BI.
    Please, can anyone share what type of functional questions I could ask the customer?
    Advance Thanks,
    Bala.

    Hi,
    A few more pointers.
    Start with Reports. What the client is using. What he is expecting.
    If he has existing reports, map the fields to Business Content BW fields. Go to Business Content and make a list of queries which are delivered from SAP. Explain the KPIs to them. This should be good to start with. Also check the Tcodes they use.
    Look for DataSources that get data from these Tcodes.
    Project Preparation (Initial stuff -- Do a conceptual review after this phase requirements gathering)
    Collect requirement thru interviews with Business teams /Core users / Information Leaders.
    Study & analyze KPI's (key figures) of Business process.
    Identify the measurement criteria's (Characteristics).
    Understand the Drill down requirements if any.
    Understand the Business process data flow if any.
    Identify the needs for data staging layers in BW – (i. e need for ODS if any)
    Understand the system landscape.
    Prepare Final Requirements Documents in the form of Functional Specifications containing:
    Report Owners, Data flow, KPI's, measurement criteria's, Report format along with drilldown requirements.
    Hope this helps.
    Thanks,
    JituK

  • ACE as ssl client

    Hello all,
    has anyone been able to successfully configure the ACE board to initiate and terminate ssl connections as ssl client. We tried a lot, but no luck... Is there a working configuration example out there, because the documentation does not tell anything useful? Would be great to get some hints on this issue.
    And what IP is the ACE using, when initiating the ssl connection to the outside? As we can not configure NAT through a VIP address, how can the ACE board recognize the right IP association?
    Thanks in advance and regards,
    Rene

    Hi,
    thank you, I read this doc already. I tried several different ways of configuring all this. But no luck in any way. Is the vserver address the one of the external server? And do I need to configure the external server as serverfarm? All this is not very clear from my point of view. Do you have a working example?
    regards,
    rene

  • Sumifs function question

    Hi, Everyone, I have a function question of Sumifs, here a sample as follows,
    =SUMIFS(Budget :: E4:E14,Budget :: C4:C14,"=5003677000",Budget :: B4:B14,OR("=Transit","=Drawing cash")), according to the logic, I think like this, but it's wrong. So how to insert the OR function to the Sumifs function? May someone find the mistake in the function?
    Thank you.
    Alex

    I think you would actually do a sum of sumifs, i.e. Sumif(....."Transit") + Sumif(....."Drawing Cash")
    Basically, if you have two sumifs that differ in only one condition that would be treated like an OR in SQL, then make one Sumif for each unique set of conditions and add them up.
    Jason

  • OIC: Functional Question(11.5.10)

    Hi All,
    I would like to know answer for the following functional question in Oracle 11.5.10 Incentive Compensation Application(OIC). I would greatly appreciate if you anyone can reply for this.
    1. Question on Foreign currency exchange rates:
    We know that OIC cannot handle foreign currency exchange rates. Since all of our offer letters to the Sales guys are in local currency what we end up doing is picking an exchange rate on July 1st every year and converting them to US $. What I’m wondering is why couldn’t we just set them up in OIC in their local currency, without converting them?
    Is that possible? OIC can handle this?
    2. In OIC, can I enter a DUMMY Account Executive (since we are not going to credit any single person in the Primary Account Executive role) that bookings could be credited to in order to ensure they roll up to the appropriate manager?
    a) Is that possible?
    b) Should this DUMMY Account Executive be part of the HR Employee setups as well? In OIC, do we need to load the transaction for the DUMMY Account Executive so that credit will get rolled up to appropriate managers based on the Group hierarchy setups?
    Thanks,
    Johnson
    Edited by: user10413783 on Jun 23, 2009 4:06 PM

    Hi Johnson,
    2. In OIC, can I enter a DUMMY Account Executive (since we are not going to credit any single person in the Primary Account Executive role) that bookings could be credited to in order to ensure they roll up to the appropriate manager?
    Yes
    b) Should this DUMMY Account Executive be part of the HR Employee setups as well? In OIC, do we need to load the transaction for the DUMMY Account Executive so that credit will get rolled up to appropriate managers based on the Group hierarchy setups?
    You do not need to set up the dummy resource as an employee. All you need is to create it as an OTHER type of resource and add that resource to a group.
    Hope this helps.
    Thanks
    Srini

  • Ace 6500 question

    New to ACE, just purchased a new blade. Could somebody advise on deployment in routed and single-arm mode? If a client connects to the VIP, can the traffic route back out the VIP interface to the servers? We have a DMZ where we want to deploy a VIP. Once the packet enters the DMZ and hits the VIP, can the servers be located on the same subnet as the VIP, and also a backup server on another DMZ or even the inside of the firewall?

    I am also fairly new to the ACE modules, but I think I can answer your question. Yes, the servers can be located on the same subnet as the VIP. As for the backup servers, as long as the ACE can reach the servers via IP you can load balance servers even if they are in different VLANs or DMZs.
    I have a context in one-arm mode and would suggest against it unless you do not have a choice. Even though one-arm mode is easy to set up, it can be a little hard to troubleshoot if you have source NAT enabled. If you do not have source NAT enabled on the ACE, you will have to configure PBR on the MSFC of the 6500 and specify what you want to go to the ACE (what needs to be load balanced).
    If you configure the ACE in routed mode, be sure that you configure it so that you do not run into asymmetrical routing issues.
    Like I said; I am fairly new to these load balancers, but we have very talented folks on this site that can assist you with almost any ACE related question that you may have.
    Good luck,
    John...

  • ACE checkpoint question

    I have an ACE checkpoint question. When you create a checkpoint to save the config on the ACE module, where does the file get stored?

    Hi,
    To display checkpoint information, use the show checkpoint command in Exec mode. The syntax of this command is:
    show checkpoint {all | detail name}
    The options and arguments are:
    • all - Displays a list of all existing checkpoints
    • detail name - Displays the running configuration of the specified checkpoint
    For example, to display the running configuration for a specific checkpoint, enter:
    host1/Admin# show checkpoint detail MYCHECKPOINT
    Sachin

  • Incremental updates on collections/full schedule - Functional question

    Hi everyone,
    At a customer of mine we have the following set-up:
    Almost all applications are deployed User Based
    Collections are used for targetting the applications
    Incremental updates are enabled on practically all collections which deploy applications
    For the moment this setup is active for 498 collections (out of 714  collections).
    Since it's not advised and Microsoft recommends to only have incremental updates active for 200 collections, I would like to change this setup by means of POSH. I have just finished writing it, but I still have a functional question:
    Which schedule time would be best to activate for the collections? Keep the standard value to update collection every 7 days?
    When would you activate "incremental updates"? Device collections with required software for faster deployment time?
    I only foresee the following "downside":
    We have a lot of applications which are available to "all domain users". When the AD account is created, it will sync with SCCM and will receive their deployments. But by changing the update schedule to, let's say, 7 days.. They wouldn't be able to see and install these applications if the collections haven't been updated yet?
    Thanks for the insight with your experience!
    Kr,
    Sven

    Wow Jörgen, thanks for this information! This was something I haven't read about. Will keep this in mind.
    In your blog, you mention that you use this tool to keep track of performance issues. When do you feel that there are too many collections which have incremental updates enabled (by using the tool)?
    The last weeks/months, we have a lot of issues during OSD. We have collections to which the TS is deployed.
    In orchestrator we have a runbook to add workstations to SCCM + add workstation to collection + update membership of collection. But the update takes from 5 minutes to 40 minutes.. So this is the main issue that we have..
    @Andrew: Thanks for your contribution! I believe you are speaking of "Global Conditions"? I haven't used it either, but I thought that this had some downsides.. For instance, we target most of the applications "User Based" (since MS is moving to user centric deployment). So if I target the application to the "all users" collection and create a "global condition" to only install when user is a member of a specific AD-group (for instance: Skype), then the user still sees "skype" in the application catalog and will have an error upon installing it when he is not a member of the skype AD-group.
    Maybe this is completely wrong what I'm saying.. Just did some brainstorming with colleagues but haven't found the time to play with it in a test environment. @Jörgen: Please enlighten us if I'm wrong.

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     authentication-server-group RADIUS
     default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
     authentication aaa certificate
     radius-reject-message
     pre-fill-username ssl-client
     group-alias SSLClientProfile enable
     group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     wins-server none
     dns-server value <ip1> <ip2>
     vpn-tunnel-protocol ssl-client
     default-domain value xxxxxxxx
     address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
     key *****
    aaa-server RADIUS (inside) host 192.168.240.242
     key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

  • Can't get WebVpn full SSL client to work

    Hello,
    I just got a new 1812 router and I want to try the full SSL client. I upgraded IOS to 12.4.9T1, and got the latest SDM and latest VPN SSL package.
    I followed the wizard on SDM to configure a simple webvpn on my outside network.
    I can connect to the portal with my credentials, and the SSL client installs itself. It writes warnings about certificates. But at last, I always get a message window "http return code error, contact your network admin". And in Event Viewer I have some errors with STCAgent (one is HTTP response code from the gateway is 401, unauthorized....).
    I tried on 2 different PCs with XP PRO SP2.
    What else to try?
    Thanks

    Hi,
    I am getting the exact same error. Below is my webvpn configuration:
    webvpn gateway guest
     ip address 10.100.1.254 port 443
     http-redirect port 80
     ssl trustpoint TP-self-signed-927014488
     inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context guest
     title-color #669999
     secondary-color white
     text-color black
     ssl authenticate verify all
     policy group fullclient
      functions svc-required
      hide-url-bar
      svc address-pool "vpn-pool"
      svc rekey method new-tunnel
      svc dns-server primary 10.100.2.8
     default-group-policy fullclient
     aaa authentication list default
     gateway guest
     inservice
    Have you solved your problem?
    //F

  • SSL Client example from dev2dev

    Bruce,
    I still have some questions unanswered.
    1. Is there any "default" list of trusted CA that is used during handshake?
    The SSLClient example does not have any references to trusted CA files. The
    weblogic.webservice.client.ssl.trustedcerts property returns null. What
    trusted CA is used in the SSLClient example? Considering the plural name of
    the property, should it contain only one file name, or it can contain
    several file names? Order? Delimiter?
    2. I copied the SSL setup code from SSLClient to my own web service client,
    but it does not work. My web service is made of stateless session bean, and
    wsdl is generated dynamically. Is it possible, that certain wsdl settings
    could affect handshake process? Maybe I need to copy certain wsdl tags from
    the example?
    3. What username/password should I use in IE when "Enter network password"
    dialog is presented? The combination used to start weblogic server does not
    work. The same combination works for non-SSL client. Why?
    Thanks,
    Michael J.
    "Bruce Stephens" <[email protected]> wrote in message
    news:[email protected]...
    Hi Michael,
    Thanks for the good feedback and this will be incorporated into a revised
    example.
    Concerning your questions toward the end, to set the list of trusted CA certificates, you need the CA certificate in a file and you need to set this System property to the filename:
    weblogic.webservice.client.ssl.trustedcerts
    To turn off strict hostname checking during certificate validation, you need to set this property to "false":
    weblogic.webservice.client.ssl.strictcertchecking
    Thanks again,
    Bruce
    Michael Jouravlev wrote:
    Bruce,
    here are some issues that I wish you could help me with.
    1) package.html from the simpleSSL example is outdated. The links posted here do not work. Considering "Please pay careful attention" phrase I am a little bit worried if I missed something in my SSL configuration.
    === cut here ===
    You must first setup and verify your WLS SSL configuration.
    1. Set up your development shell as described in Quick Start.
    2. Startup the WebLogic Server.
    3. Monitor the log file for any errors.
    4. Use the console and configure the WebLogic Service security as described by:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
    Please pay careful attention to this step, especially concerning the SSL protocol configuration:
    http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
    === cut here ===
    I use the following information:
    1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to configure server-wide SSL setup
    2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to configure web service-related SSL setup.
    2) In "Setup and verify the toUpper WebService" chapter the links entitled http://localhost:7001/toUpper/toUpper and http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal, but maybe you would like to correct this.
    3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I try to connect to https://localhost:7002/toUpper/toUpper , I receive the "Security Alert" dialog (I am using IE5) that there is a problem with security certificate: name of the certificate does not match the name of the site. It is OK, because it is demo certificate. (Should I do "View Certificate/Install Certificate" to proceed successfully or just to say "Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do want to proceed. In the next window is "Do you want to display nonsecure items?" I say "yes" and I am brought to the test page. Now, when I try to test the service, I click on "toUpper" link and am presented with sample text and "Invoke" button.
    And when I press "Invoke" I am presented with a dialog window "Enter network password" containing: Site: localhost, Realm: default, User name: <blank>, Password: <blank>. So, the first serious issue is: what username and password should I use? I tried username and password that I used to start the server in set WLS_USER=<username> and set WLS_PW=<password> in startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does not work either. What should I submit??? I did not change any security setting in my WebLogic server aside of SSL settings (all this realm stuff is greek to me.)
    After "Enter network password" dialog fails to verify a user, I get a page with the following text: "Failed to retrieve WSDL from https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and the protocol: Write Channel Closed, possible SSL handshaking or trust failure"
    Interesting enough, if I try to go directly to the link https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any problem and without any password windows. What is happening here?
    4) OK, I still want to run the Client. I modified ToUpperPort_Stub.java in order for it to be compiled. I changed super( _port,ToUpperPort.class ); to super( _port ); I am using WL7.0 GA and I am not sure, is the call that I changed comes from the earlier Beta versions or from 7.0.0.1. Anyway, the original code does not work on 7.0GA. I successfully did run both Main and Main2 without username/password and with it. I also used username/password from startWebLogic.cmd file and they worked. Why they do not work when I try to call test page from web browser?
    5) Finally I compiled and did run the SSLClient. It worked. But the questions here are:
    BEA_HOME environment variable is not defined, and WebLogic SSL implementation is used. How licence.bea was found while running the client? When I tried to build my own client, I got a message that I license file is needed. Or is it needed only if the client library webservices+ssl.jar is used?
    The most important question: What trusted CA is used by client and how client finds it? No certificates are in the SSLClient directory and no property settings telling where to find it. It is a puzzle for me why it works here and why my own client does not work when the CA is supplied.
    Thank you,
    Michael J.

    Hi Michael,
    I've asked our security folks to help answer your questions. The
    weblogic.webservice.client.ssl.trustedcertfile file (located on the client
    application computer) contains the certificates of CA (certificate authority).
    The CAs are trusted to issue WebLogic Server certificates. The file can also
    contain certificates that you trust directly. The file contains a collection of
    PEM-encoded certificates. See:
    http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
    There shouldn't be any WSDL changes/tags required.
    HTHs,
    Bruce

  • Using JSSE : "Invalid Netscape CertType extension for SSL client" Error

    Hi all,
    I'm using the sample code given on the Sun site for JSSE with Client Authentication. The sample as such worked with the testkeys provided in it. But it didn't work out when I tried using other certificates.
    Both client and server certificates I generated from our internal Netscape Certificate Manager.
    Function of the server:
    The server will read a private key from the given keystore and start listening on a port. This server will serve only GET requests.
    Function of the client:
    The client sends a GET request to the server and gets the response back.
    I simply changed the key store name alone in the working sample code.
    It is not working.
    The Exception thrown on client side :
    D:\users\Jp\java\jssesamples\sockets\client\class>java SSLSocketClientWithClientAuth1 localhost 1089 /urls
    localhost
    1089
    /urls
    java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at com.sun.net.ssl.internal.ssl.OutputRecord.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
    at SSLSocketClientWithClientAuth1.main(SSLSocketClientWithClientAuth1.java:119)
    Exception thrown on server side :
    D:\users\Jp\java\jssesamples\sockets\server\class>java ClassFileServer 1089 . TLS true
    USAGE: java ClassFileServer port docroot [TLS [true]]
    If the third argument is TLS, it will start as
    a TLS/SSL file server, otherwise, it will be
    an ordinary file server.
    If the fourth argument is true,it will require
    client authentication as well.
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at java.io.BufferedReader.fill(BufferedReader.java:136)
    at java.io.BufferedReader.readLine(BufferedReader.java:299)
    at java.io.BufferedReader.readLine(BufferedReader.java:362)
    at ClassServer.getPath(ClassServer.java:162)
    at ClassServer.run(ClassServer.java:109)
    at java.lang.Thread.run(Thread.java:536)
    Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
    ... 17 more
    error writing response: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExce
    ption: Invalid Netscape CertType extension for SSL client
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.Certificate
    Exception: Invalid Netscape CertType extension for SSL client
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.e(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.DataOutputStream.writeBytes(DataOutputStream.java:256)
    at ClassServer.run(ClassServer.java:128)
    at java.lang.Thread.run(Thread.java:536)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension
    for SSL client
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at java.io.BufferedReader.fill(BufferedReader.java:136)
    at java.io.BufferedReader.readLine(BufferedReader.java:299)
    at java.io.BufferedReader.readLine(BufferedReader.java:362)
    at ClassServer.getPath(ClassServer.java:162)
    at ClassServer.run(ClassServer.java:109)
    ... 1 more
    Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
    ... 17 more
    The Client code :
    /*
     * @(#)SSLSocketClientWithClientAuth.java     1.5 01/05/10
     * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
     * Redistribution and use in source and binary forms, with or
     * without modification, are permitted provided that the following
     * conditions are met:
     * -Redistributions of source code must retain the above copyright
     * notice, this list of conditions and the following disclaimer.
     * -Redistribution in binary form must reproduct the above copyright
     * notice, this list of conditions and the following disclaimer in
     * the documentation and/or other materials provided with the
     * distribution.
     * Neither the name of Sun Microsystems, Inc. or the names of
     * contributors may be used to endorse or promote products derived
     * from this software without specific prior written permission.
     * This software is provided "AS IS," without a warranty of any
     * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
     * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
     * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
     * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
     * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
     * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
     * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
     * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
     * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
     * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
     * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
     * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
     * You acknowledge that Software is not designed, licensed or
     * intended for use in the design, construction, operation or
     * maintenance of any nuclear facility.
     */
    import java.net.*;
    import java.io.*;
    import javax.net.ssl.*;
    import javax.security.cert.X509Certificate;
    import java.security.KeyStore;

    /*
     * This example shows how to set up a key manager to do client
     * authentication if required by server.
     * This program assumes that the client is not inside a firewall.
     * The application can be modified to connect to a server outside
     * the firewall by following SSLSocketClientWithTunneling.java.
     */
    public class SSLSocketClientWithClientAuth1 {

        public static void main(String[] args) throws Exception {
            String host = null;
            int port = -1;
            String path = null;
            for (int i = 0; i < args.length; i++)
                System.out.println(args[i]);
            if (args.length < 3) {
                System.out.println(
                    "USAGE: java SSLSocketClientWithClientAuth " +
                    "host port requestedfilepath");
                System.exit(-1);
            }
            try {
                host = args[0];
                port = Integer.parseInt(args[1]);
                path = args[2];
            } catch (IllegalArgumentException e) {
                System.out.println("USAGE: java SSLSocketClientWithClientAuth " +
                    "host port requestedfilepath");
                System.exit(-1);
            }
            try {
                /*
                 * Set up a key manager for client authentication
                 * if asked by the server. Use the implementation's
                 * default TrustStore and secureRandom routines.
                 */
                SSLSocketFactory factory = null;
                try {
                    SSLContext ctx;
                    KeyManagerFactory kmf;
                    KeyStore ks;
                    char[] passphrase = "passphrase".toCharArray();
                    ctx = SSLContext.getInstance("TLS");
                    kmf = KeyManagerFactory.getInstance("SunX509");
                    ks = KeyStore.getInstance("JKS");
                    // ks.load(new FileInputStream("testkeys"), passphrase);
                    ks.load(new FileInputStream("clientkey"), passphrase);
                    kmf.init(ks, passphrase);
                    ctx.init(kmf.getKeyManagers(), null, null);
                    factory = ctx.getSocketFactory();
                } catch (Exception e) {
                    throw new IOException(e.getMessage());
                }
                SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
                /*
                 * send http request
                 * See SSLSocketClient.java for more information about why
                 * there is a forced handshake here when using PrintWriters.
                 */
                socket.startHandshake();
                PrintWriter out = new PrintWriter(
                                      new BufferedWriter(
                                      new OutputStreamWriter(
                                      socket.getOutputStream())));
                out.println("GET " + path + " HTTP/1.1");
                /* Some internet sites throw a bad request error for an HTTP/1.1
                   request if the hostname is not specified, hence the following line */
                out.println("Host: " + host);
                out.println();
                out.flush();
                /*
                 * Make sure there were no surprises
                 */
                if (out.checkError())
                    System.out.println(
                        "SSLSocketClient: java.io.PrintWriter error");
                /* read response */
                BufferedReader in = new BufferedReader(
                                        new InputStreamReader(
                                        socket.getInputStream()));
                String inputLine;
                while ((inputLine = in.readLine()) != null)
                    System.out.println(inputLine);
                in.close();
                out.close();
                socket.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    The Server code :
    /*
     * @(#)ClassFileServer.java     1.5 01/05/10
     * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
     * Redistribution and use in source and binary forms, with or
     * without modification, are permitted provided that the following
     * conditions are met:
     * -Redistributions of source code must retain the above copyright
     * notice, this list of conditions and the following disclaimer.
     * -Redistribution in binary form must reproduct the above copyright
     * notice, this list of conditions and the following disclaimer in
     * the documentation and/or other materials provided with the
     * distribution.
     * Neither the name of Sun Microsystems, Inc. or the names of
     * contributors may be used to endorse or promote products derived
     * from this software without specific prior written permission.
     * This software is provided "AS IS," without a warranty of any
     * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
     * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
     * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
     * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
     * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
     * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
     * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
     * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
     * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
     * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
     * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
     * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
     * You acknowledge that Software is not designed, licensed or
     * intended for use in the design, construction, operation or
     * maintenance of any nuclear facility.
     */
    import java.io.*;
    import java.net.*;
    import java.security.KeyStore;
    import javax.net.*;
    import javax.net.ssl.*;
    import javax.security.cert.X509Certificate;

    /* ClassFileServer.java -- a simple file server that can serve
     * HTTP GET requests over both clear and secure channels
     * The ClassFileServer implements a ClassServer that
     * reads files from the file system. See the
     * doc for the "Main" method for how to run this
     * server.
     */
    public class ClassFileServer extends ClassServer {

        private String docroot;
        private static int DefaultServerPort = 2001;

        /**
         * Constructs a ClassFileServer.
         * @param docroot the path where the server locates files
         */
        public ClassFileServer(ServerSocket ss, String docroot) throws IOException
        {
            super(ss);
            this.docroot = docroot;
        }

        /**
         * Returns an array of bytes containing the bytes for
         * the file represented by the argument <b>path</b>.
         * @return the bytes for the file
         * @exception FileNotFoundException if the file corresponding
         * to <b>path</b> could not be loaded.
         */
        public byte[] getBytes(String path)
            throws IOException
        {
            System.out.println("reading: " + path);
            File f = new File(docroot + File.separator + path);
            int length = (int)(f.length());
            if (length == 0) {
                throw new IOException("File length is zero: " + path);
            } else {
                FileInputStream fin = new FileInputStream(f);
                DataInputStream in = new DataInputStream(fin);
                try {
                    byte[] bytecodes = new byte[length];
                    in.readFully(bytecodes);
                    return bytecodes;
                } finally {
                    // release the file handle even if the read fails
                    in.close();
                }
            }
        }

        /**
         * Main method to create the class server that reads
         * files. This takes two command line arguments, the
         * port on which the server accepts requests and the
         * root of the path. To start up the server: <br><br>
         * <code> java ClassFileServer <port> <path>
         * </code><br><br>
         * <code> new ClassFileServer(port, docroot);
         * </code>
         */
        public static void main(String args[])
        {
            System.out.println(
                "USAGE: java ClassFileServer port docroot [TLS [true]]");
            System.out.println("");
            System.out.println(
                "If the third argument is TLS, it will start as\n" +
                "a TLS/SSL file server, otherwise, it will be\n" +
                "an ordinary file server. \n" +
                "If the fourth argument is true,it will require\n" +
                "client authentication as well.");
            int port = DefaultServerPort;
            String docroot = "";
            if (args.length >= 1) {
                port = Integer.parseInt(args[0]);
            }
            if (args.length >= 2) {
                docroot = args[1];
            }
            String type = "PlainSocket";
            if (args.length >= 3) {
                type = args[2];
            }
            try {
                ServerSocketFactory ssf =
                    ClassFileServer.getServerSocketFactory(type);
                ServerSocket ss = ssf.createServerSocket(port);
                if (args.length >= 4 && args[3].equals("true")) {
                    ((SSLServerSocket)ss).setNeedClientAuth(true);
                }
                new ClassFileServer(ss, docroot);
            } catch (IOException e) {
                System.out.println("Unable to start ClassServer: " +
                                   e.getMessage());
                e.printStackTrace();
            }
        }

        private static ServerSocketFactory getServerSocketFactory(String type) {
            if (type.equals("TLS")) {
                SSLServerSocketFactory ssf = null;
                try {
                    // set up key manager to do server authentication
                    SSLContext ctx;
                    KeyManagerFactory kmf;
                    KeyStore ks;
                    char[] passphrase = "passphrase".toCharArray();
                    ctx = SSLContext.getInstance("TLS");
                    kmf = KeyManagerFactory.getInstance("SunX509");
                    ks = KeyStore.getInstance("JKS");
                    // ks.load(new FileInputStream("testkeys"), passphrase);
                    ks.load(new FileInputStream("serverkey"), passphrase);
                    kmf.init(ks, passphrase);
                    ctx.init(kmf.getKeyManagers(), null, null);
                    ssf = ctx.getServerSocketFactory();
                    return ssf;
                } catch (Exception e) {
                    e.printStackTrace();
                }
            } else {
                return ServerSocketFactory.getDefault();
            }
            return null;
        }
    }
    Could anyone help ?
    thanks in advance
    Jayaprakash

    The same thing.
    I have found the place where the exception is thrown.
    It is the com.sun.net.ssl.internal.ssl.AVA class.
    It has a constructor AVA(StringReader).
    There is a check in this constructor of different certificate extensions
    (if-else). If it sees no familiar extension, it throws an exception and the handshake fails.
    It is not difficult to fix this problem: just ignore the unknown extension.
    Everything works fine with this "improved" class (under VA 3.5).
    But the problem is using this class in applets.
    How can I tell the browser to use my "improved" class and not the one it downloaded with the Java plug-in?
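
The server-side exception in this thread names the Netscape Certificate Type extension, so one diagnostic is to read that extension (OID 2.16.840.1.113730.1.1) from the client certificate and see whether its SSL client bit is set. The following is an added example, not part of the original posts and not Sun's code; the class and method names are hypothetical, the byte arrays in `main` are constructed samples, and treating an absent extension as "no restriction" is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical diagnostic class; not part of JSSE or of the Sun samples. */
public class NsCertTypeCheck {

    /** OID of the legacy Netscape Certificate Type extension. */
    static final String NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1";

    /** Bit 0 of the BIT STRING is the most significant bit of its first octet. */
    static final int SSL_CLIENT = 0x80;

    static final String[] BIT_NAMES = {
        "SSL client", "SSL server", "S/MIME", "object signing",
        "reserved", "SSL CA", "S/MIME CA", "object signing CA"
    };

    /**
     * Decodes what X509Certificate.getExtensionValue() returns for this OID:
     * a DER OCTET STRING wrapping a DER BIT STRING.
     * Returns the flag octet, or -1 if the extension is absent (null).
     */
    static int flags(byte[] ext) {
        if (ext == null) {
            return -1;
        }
        if (ext.length < 5 || ext.length > 129
                || ext[0] != 0x04 || (ext[1] & 0xff) != ext.length - 2
                || ext[2] != 0x03 || (ext[3] & 0xff) != ext.length - 4) {
            throw new IllegalArgumentException("malformed Netscape cert type");
        }
        int unused = ext[4] & 0xff;
        if (unused > 7 || (ext.length == 5 && unused != 0)) {
            throw new IllegalArgumentException("bad unused-bit count");
        }
        if (ext.length == 5) {
            return 0; // empty BIT STRING: no usage asserted
        }
        int first = ext[5] & 0xff;
        // Padding bits sit in the last octet; mask them when it is also the first.
        return ext.length == 6 ? first & (0xff << unused) & 0xff : first;
    }

    /** Names of the usages asserted by the flag octet. */
    static List<String> describe(int flags) {
        List<String> names = new ArrayList<>();
        for (int bit = 0; bit < 8; bit++) {
            if ((flags & (0x80 >> bit)) != 0) {
                names.add(BIT_NAMES[bit]);
            }
        }
        return names;
    }

    /** Assumption: an absent extension imposes no restriction. */
    static boolean permitsSslClient(byte[] ext) {
        int f = flags(ext);
        return f == -1 || (f & SSL_CLIENT) != 0;
    }

    static void report(String label, byte[] ext) {
        int f = flags(ext);
        System.out.println(label + ": "
            + (f == -1 ? "extension absent" : "asserts " + describe(f))
            + " -> SSL client use permitted: " + permitsSslClient(ext));
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            // Read a real certificate file (DER or PEM) given on the command line.
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
                report(args[0], cert.getExtensionValue(NS_CERT_TYPE_OID));
            }
            return;
        }
        // Constructed sample extension values (not taken from the posts above).
        report("server-only", new byte[] {0x04, 0x04, 0x03, 0x02, 0x06, 0x40});
        report("client+server",
               new byte[] {0x04, 0x04, 0x03, 0x02, 0x06, (byte) 0xc0});
        report("no extension", null);
    }
}
```

A certificate that reports "SSL server" without "SSL client" needs to be reissued with the client usage set; patching the validator to ignore the extension removes the check for every certificate the server sees.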

  • Why are intermediate certificates needed within STRUST with SAP as SSL client?

    Scenario: My company is hosting various applications on a web server. Our customers connect their SAP systems to our applications using web services.  We changed one of our VeriSign web server SSL certificates a few weeks ago. This new SSL certificate was signed by a VeriSign intermediate CA which itself is signed by a new VeriSign root CA.
    In the past, we only took care that our customers have the corresponding VeriSign root certificate imported into their SAP via STRUST; in our case this is the following root certificate: http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem
    Now as we changed the certificate on our web server, our customers can't connect to it with their SAP systems any more. We found out that it works again, if the customers additionally import the VeriSign intermediate certificates into their SAP via STRUST; in our case the following ones: https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
    This is something we don't understand for two reasons:
    1.) Usually it shouldn't be necessary to have intermediate certificates on client side, only on the web server. We saved the two VeriSign intermediate certificates into one file and linked it within our Apache via the "SSLCertificateChainFile" directive. This is what we expected to be enough for all SSL clients which have the corresponding root certificate within their certificate stores.
    2.) Our old certificate was signed by an (other) intermediate certificate, too, and we didn't have this one on the client side at our customers… it worked. Why? The only difference seems to be that the old chain had only one intermediate certificate and the new one has two.
    Does anyone have an answer to these questions or an idea how to avoid uploading the intermediate certificates all the time?

    Hi!
    Have a look at this thread; it may be helpful for you.
    Cannot import certificate response in STRUST
    Regds
    Abhishek

  • A fatal error occurred while creating an SSL client credential. The internal error state is 10011.

    Need help. I have my pilot lync 2013 pool up (in coexistence with 2010 production environment) and can log into Lync 2013 environment with a lync 2010 client but am not able to with a lync 2013 client. It just prompts for password but will not take it. I'm seeing this on my front end server multiple times:
    A fatal error occurred while creating an SSL client credential. The internal error state is 10011.
    Came across this http://www.logicspot.net/index.php?id=50 and tried disabling TLS 1.2, which I did and verified but yet the issue still exists.
    All my certs are good coming from internal CA.  My signin logs show below but keep in mind, this works just fine if using a 2010 lync client to my lync 2013 servers.  Issue only occurs when trying to connect using a lync 2013 client.
    1 Login: FAIL (hr = 0x1) 
    this request needs authentication, trying webticket from: https://domain.com/WebTicket/WebTicketService.svc
    1.1 Get-NewWebTicket: FAIL (hr = 0x1) 
    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
    1.1.1 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.2 ExecuteWithWindowsOrNoAuthInternal: PASS
    1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.4 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Discovery task(0A4FF830) sent to URL http://domain.com completed with hr=0x80f10045
    1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    Executing wws method with windows auth auth, asyncContext=0A4FC348,
     context: WebRequest context@ :173931816
      MethodType:4
      ExecutionComplete? :1
      Callback@ :0A5A1864
      AsyncHResult:80f10041
      TargetUri:https://domain.com/WebTicket/WebTicketService.svc
      OperationName:http://tempuri.org/:IWebTicketService
     Error:
    There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
    The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
    The requested resource requires user authentication.
    1.1.6 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
    CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
    Rich

    Hi,
    Please check that the server role and Web Services for Internet Information Services (IIS) are set correctly.
    For the detailed IIS configuration, please check:
    http://technet.microsoft.com/en-us/library/gg412871.aspx
    The Lync 2013 client attempts to query the following records in order to perform autodiscover of the Lync registration server: first the lyncdiscoverinternal.<sipdomain> Host (A) record and then the lyncdiscover.<sipdomain> Host (A) record. If neither of these records is resolvable, then the legacy DNS SRV and A record fall-back process is used. So make sure you have added the two A records on the DNS server.
    More details:
    http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards,
    Eason Huang
    TechNet Community Support
