ACS 5.5 and Windows 2012 AD support
Hi All,
Previously I had two AD domains based on 2008 and had machines in one domain and users in another domain, and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user authentication.
I have now upgraded the machine's domain to 2012 and machine authentication works fine and user authentication also works, but when you put the two together and enable "Was machine authenticated=True", the ACS errors out when doing user authentication with the message "ACS unable to find previous successful machine authentication" even though machine authentication was successful. I have tried with ACS being a member of both 2008 and 2012 domains at each stage.
The clients are all Windows 8.1.
Has anyone encountered this scenario before?
TIA
I would like to share a good troubleshooting guide for ACS 5.X and later. Please have a look:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html
Similar Messages
-
False Duplicate ip address error reported on our windows 2008 and windows 2012 servers
We use Windows 2008 and Windows 2012 servers in our company. My access switches are Cisco Catalyst 3560.
A sample of a show version command from one of our access switches is as shown below.
SW_01#show version
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 22-Dec-11 00:16 by prod_rel_team
ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
SW_01 uptime is 2 weeks, 5 days, 16 hours, 15 minutes
System returned to ROM by power-on
System restarted at 17:31:47 UTC Fri Nov 14 2014
System image file is "flash:/c3560e-universalk9-mz.150-1.SE2/c3560e-universalk9-mz.150-1.SE2.bin"
I will be grateful if anyone can help with some solution.
Thank you
Can you post your switch config?
How many switches do you have? Presumably you have more than one, this one is connected to others, and those others have servers and clients?
Try doing a 'show arp' on the switch and comparing the IPs and MACs to your windows server. Do it a few times as it may change as each device using the IP sends packets. -
SCM update for Windows 8.1 and Windows 2012 R2
Hi,
When are we likely to get an update to SCM for Windows 8.1 and Windows 2012 R2?
Hi
You must add these lines in ZTIGpoPack.wsf (for MDT) and LocalGPO.wsf (for LocalGPO), and for MDT 2013, copy ZTIGpopack to DeploymentShare\Scripts
sOSVersion = oEnvironment.Item("OSCurrentVersion")
If (Left(sOSVersion,3) = "6.3") and oEnvironment.Item("IsServerOS") then
    sOS = "WS2012R2"
    oLogging.CreateEntry "Using Windows Server 2012 R2 GPO Pack", LogTypeInfo
ElseIf (Left(sOSVersion,3) = "6.3") and Not(oEnvironment.Item("IsServerOS")) then
    sOS = "Win81"
    oLogging.CreateEntry "Using Windows 8.1 GPO Pack", LogTypeInfo
Regards
Thanks for this, but you also need to update the GPOPack.wsf in (each relevant) template folder of the Deployment Share like this:
If(Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
    strOS = "WS12R2"
ElseIf(Left(strOpVer,3) = "6.3") and (strProductType = "1") then
    strOS = "Win81"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
    strOS = "WS12"
ElseIf(Left(strOpVer,3) = "6.2") and (strProductType = "1") then
    strOS = "Win8"
As ZTIApplyGPOPack calls GPOPack.wsf.
(Which is what I think Scorpio92 probably meant when you said to edit LocalGPO.wsf...) -
Microsoft Windows 8 and Microsoft Windows 2012 server are now supported platforms for ColdFusion 10. The new Windows installers are available for download to all retail and licensing customers as well on the trials download page.
The ColdFusion Builder 2.0.1 installers have also been updated to support Windows 8. The existing MAC OS X installer for ColdFusion Builder 2.0.1 has also been certified to now support MAC OS X 10.8.
Refer this technote for more details about the support.
@Adam @CarlV
>what's the version number when you dump the server scope?
ColdFusion Server - Evaluation 10,0,8,284032
OK I see, the I button reports differently to Settings Summary.
About ColdFusion »
System Information
Server Details
Server Product ColdFusion
Version 10,0,8,284032
Tomcat Version 7.0.23.0
Edition Enterprise (Trial)
Serial Number
Operating System Windows Server 2012
OS Version 6.2
Update Level /D:/ColdFusion10/cfusion/lib/updates/chf10000008.jar
Server Settings > Settings Summary
System Information
Server Details
Server Product ColdFusion
Version ColdFusion 10,284032
Edition Enterprise (Trial)
Operating System Windows Server 2012
OS Version 6.2
Update Level /D:/ColdFusion10/cfusion/lib/updates/chf10000008.jar
Adobe Driver Version 4.1 (Build 0001)
Regards Carl M. -
ISE 1.1.4 and Windows 2012 AD
Hi.
I'm trying to get 802.1x certificate authentication up and running. I want to use both user and machine certificate.
On "vanilla" v1.1.4, I got an error message with user certificate. After some reading it seems support for AD 2012 was added in patch 2.
So I installed patch 4, and user certificate authentication works!
But I still have problems with machine certificate authentication.
I get these errors:
Machine authentication against Active Directory has failed.
Check whether the machine's account is present and enabled in Active Directory. Also, check whether the Active Directory is reachable.
But the machine is indeed both present and enabled in AD.
And AD is working too. I know this from the user certificate authentication, because binary comparison is enabled:
24432 Looking up user in Active Directory - [email protected]
24469 The user certificate was retrieved from Active Directory successfully
22054 Binary comparison of certificates succeeded
22037 Authentication Passed
12506 EAP-TLS authentication succeeded
So is Windows Server 2012 AD supported for machine authentication? Or do I need to go to v1.2 for that?
Or it could just be something wrong with my setup
Thanks.
Hi, and thank you for answering.
The release notes (for both 1.1.3 and 1.1.4) say:
CSCug98513: Integrate components to support AD 2012 or mixed mode (2008)
Centrify version is upgraded to support Active Directory 2012 and mixed 2008/2012 environments.
That's all that is mentioned about 2012 AD.
Not sure what it means, though. -
Same CAS Array Exchange 2010 (HLB), with OS Windows 2008R2 and Windows 2012.
Hello,
We have a 10 node DAG (Exchange 2010 SP3, Windows 2008 R2), with 2 CasArray.
We are planning to add new (multirole) servers and create a new DAG (Exchange 2010 SP3, Windows 2012) in this infra, in the same AD site, to migrate all mailboxes from the other DAG (Migration from virtual servers to physical servers).
So we use the same CasArray (HLB, with F5) with different OS versions, during the migration time (1 month or more). I haven't found anything that says it's not supported or can be problematic.
Have you feedback or advice?
Thanks,
Sébastien
Hi,
Based on my knowledge, there is no need to deploy a CAS array with CAS servers running on the same Window version. The version can be different.
After a Client Access server array is defined within an Active Directory site, all Client Access servers within that Active Directory site are automatically part of the Client Access server array.
Best regards,
Belinda
Belinda Ma
TechNet Community Support -
[SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA
Hello,
We are in progress of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our Wireless controller, a Cisco 5508. We have changed our certificate from a 1024-bit to a 2048-bit certificate.
We tested the other certificate functions and that went fine too.
But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem and wireless 802.1x?
We recreated the wireless policy but also no success.
We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
It looks like older versions of Windows do not work with newer certificate servers?
Do we miss something? Can someone confirm this?
We already looked for these forum posts, but with no success
http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: domainname\NB80W7$
    Account Name: host/NB80W7.domainname.local
    Account Domain: domainname
    Fully Qualified Account Name: domainname\NB80W7$
Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name: -
    OS-Version:
    Called Station Identifier: 08-d0-9f-ec-96-60:domain
    Calling Station Identifier: a0-88-b4-35-2e-08
NAS:
    NAS IPv4 Address: 192.168.2.6
    NAS IPv6 Address:
    NAS Identifier: WLC5500
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 1
RADIUS Client:
    Client Friendly Name: WLC5500
    Client IP Address: 192.168.2.6
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name:
    Authentication Provider: Windows
    Authentication Server: DC01.domainname.local
    Authentication Type: EAP
    EAP Type:
    Account Session Identifier:
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: domainname\Username
    Account Name: domainname\Username
    Account Domain: domainname
    Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name: -
    OS-Version:
    Called Station Identifier: 08-d0-9f-ec-96-60:domain
    Calling Station Identifier: a0-88-b4-35-2e-08
NAS:
    NAS IPv4 Address: 192.168.2.6
    NAS IPv6 Address:
    NAS Identifier: WLC5500
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 1
RADIUS Client:
    Client Friendly Name: WLC5500
    Client IP Address: 192.168.2.6
Authentication Details:
    Connection Request Policy Name: WLC5500
    Network Policy Name: WLC5500
    Authentication Provider: Windows
    Authentication Server: DC01.domainname.local
    Authentication Type: PEAP
    EAP Type:
    Account Session Identifier:
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Hi,
Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
More information:
Renew a Certificate
http://technet.microsoft.com/en-us/library/cc730605.aspx
NPS Server Certificate: Configure the Template and Autoenrollment
http://msdn.microsoft.com/en-us/library/cc754198.aspx
Hope this helps.
-
Storage Manager and Windows 2012 Deduplication
Does anyone have Storage Manager working with the deduplicated volumes in Windows 2012? It works fine on 2012 itself, but when I attempt to move data to or from a deduplicated volume I get the following error:
182: the requested operation is not supported.
The error seems pretty self explanatory. But I'm really hoping there's a way to get it working. We're planning to do a complete teardown and rebuild of our storage and this could be a deal breaker for whether we use Storage Manager at all to manage user data.
Engine Version: 3.1.0.4
Windows 2012 Standard
Active Directory Schema Not Extended
On 4/17/2013 10:46 AM, scunha wrote:
>
> Does anyone have Storage Manager working with the deduplicated volumes
> in Windows 2012? It works fine on 2012 itself, but when I attempt to
> move data to or from a deduplicated volume I get the following error:
>
> 182: the requested operation is not supported.
>
> The error seems pretty self explanatory. But I'm really hoping there's
> a way to get it working. We're planning to do a complete teardown and
> rebuild of our storage and this could be a deal breaker for whether we
> use Storage Manager at all to manage user data.
>
> Engine Version: 3.1.0.4
> Windows 2012 Standard
> Active Directory Schema Not Extended
>
>
scunha,
Could you send an email to [email protected] explaining what
you're doing and providing some details of your deduplication settings?
We'd like to look at this in more detail.
- NFMS Support Team -
Horizon View 6.1 and Windows 2012 as Desktop OS
Hi Community,
We are currently running a PoC for Horizon View 6.1. Various reasons require us to use Windows Server 2012 R2 as guest OS, a feature which should exist in 6.1 according to the release notes.
When trying to create a linked clone pool with a Windows 2012 template we get the message that the guest OS is not supported. I know that we only have a 2012 Standard Edition for the PoC but would have DC Edition once we decide to go forward with the solution.
How does View check the edition of the template and is there any possibility to get this working since we need to move on with the PoC?
Thanks and kind regards,
- Matthias
So today got some word from their office. They were using RDP from 8AM until 12PM, all was working fine. Then got back after lunch about 1PM and got a few connection lost errors when they tried using RDP again. It's weird since they didn't have disconnects in the morning, and started having them after lunch.
Also noticed, that two pc were not using RDP and were disconnected as shown in task manager. And they still got request timeouts.
Maybe this is not a remote desktop issue?
TASK MANAGER
The 2 disconnected pc's ping screens: -
Trying to install AppV server on Windows 2012 server. Getting lots of errors.
Is this compatible and/or are there different rules/instructions etc.
thanks
Dave
Dave Kozlowski
I've also got it running on 2012 and it is fully supported. Please share the errors...
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog:
rorymon.com Twitter: @Rorymon -
Slow printing on windows 2008 std, R2 and windows 2012
Hi All,
I have a print server which is configured on windows 2008 R2. We are experiencing slow printing when printing directly from the server or from a client through the server. Small sized files prints fast, anything which has image takes a long time. All the
printers in our organization are Xerox Colorqube 9303. When installed the driver directly on to windows 7 32 bit PC, it prints without any delay. Also, when prints from the server a 2 MB file becomes 15 MB or more while sending. We have tried PCL6 and PS drivers.
To replicate it, i have installed a windows 2012 server ended up with the same result. Installed windows 2008 standard 32 bit with SP2 and the result remains same. Also tried it on windows 8, 64 bit without any luck. So effectively, it works fine only when
directly installed on a windows 7 PC. I have disabled all three: disabling TCP Chimney Offload, RSS, Receive Window Auto-Tuning .
After shooting the print, if you observe the printer properties, it sends data at a very low rate which results a 10 MB documents prints take around 10 minutes. At the same time, file copying from the server to and fro is working normally. All these servers
are directly connected to the cisco 6509 core switch. All the above tests were performed on the same physical switch. The server and clients are on the same network (subnet).
Have anybody come across to a similar issue. Any useful suggestions would deeply appreciated.
Thanks,
Prince Mathew
Hi Prince Mathew,
Based on your description, this issue seems that it's related to this specific model printer (Xerox Colorqube 9303). Please install the latest version of the driver and the firmware from Xerox website, and then check if this issue still exists.
If it still persists, please clear Printer Spooler Files and enable the Spooler Service again.
For details, please refer to.
1. Click Start, run "Services.msc" (without the quotation marks).
2. In Services list, please double click "Printer Spooler". Then click
Stop, and then click OK.
3. Please locate to: "%WINDIR%\system32\spool\printers", delete all files in this folder.
4. Click Start, run "Services.msc" (without the quotation marks). In Services list, double click
"Printer Spooler". Click on Start. In the Startup Type list, make sure that "Automatic" is selected and click OK.
Then check if this issue can be solved.
Hope this helps.
Best regards,
Justin Gu -
DHCP Failover in Windows 2008 R2 and Windows 2012 R2 Environment
Hi Everyone,
We are trying to implement DHCP failover in our environment. Our IT Infrastructure consists of 4 – windows server 2008 R2 servers and 7 – Windows Server 2012 servers; 1 Main Office with 2 – DC’s and 9 branch/remote offices with one DNS server in every remote
office. All the DNS servers have 2 scopes defined on them for VOICE and Data with different Subnets.
What would be the best method to implement failover in 2008 R2 – Windows Failover Cluster or Split scope? And how to implement DHCP Failover in Windows Server 2012 R2?
Please let me know if you need more information.
Thank you for your help!
-kN
Hi,
if you can choose between 2008 R2 and 2012 R2 then go with 2012 R2, it is easy to create a DHCP failover there. Actually that is one of the new features of Windows 2012.
With Server 2012 you set up your first DHCP server with the scopes you want to set up. Then you install the second 2012 server with DHCP role and authorize it. If you have done this you go back to your first server, where you already configured your scopes. Now right click onto the scope you want to set up for failover and select 'Configure Failover'. You can then set it up as kind of split scope (Load balance Mode) or as real failover setup (Hot Standby). In Load balance Mode you can configure the balance of IP addresses between both servers, like primary has 60% IP addresses and secondary has 40%.
With Server 2008 R2 the easiest configuration is split scope. But here it depends how many IP leases you will max have and if you can absorb if one of the servers is going down. Let's say you have 50 DHCP leases max, then sure, set it up as split scope. But if you have 200 DHCP clients, then I would go with failover cluster. At the end it depends on your environment.
Sven -
Change license to Windows 2012 R2 Essentials and Windows 2012 R2 Standard
Hi,
I'm working for a small company (10 users). We have 2 servers; 1 is a normal file server, domain controller etc.; the second is dedicated for running a financial application. We bought and installed new hardware but with so called 'Technet licenses'.
Obviously we need to buy proper licenses. I have 2 questions :
1. Am I correct in buying 1 Windows 2012 R2 Essentials license, 1 Windows 2012 R2 Standard license and 10 CALs ?
2. Can I just install these licenses 'over' the existing 'Technet licenses' ?
Any help will be greatly appreciated.
Ronald Ruijtenberg
I would purchase one Server Standard license, install it as a hypervisor on the server, then add two VMs. First one is Server with the Essentials role, the second to run your financial application. You can do this on one physical box and you only have to purchase one copy of Server Standard.
Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit. -
ACS 4.0 and Windows 7.
Facing challenges in integrating ACS 4.0 with Windows 7. Please help.
Is ACS 4.0 with Windows 7 compatibility?
Have a look here http://forums.macrumors.com/showthread.php?t=467704 for instructions/solution.
Basically you have to make yourself a copy of your Windows disc using the files of that disc and a program called oscdimg.exe plus a burning program.
And it had to be done on a Windows PC or in virtualized Windows (using Parallels/Fusion/VirtualBox) on your Mac.
Hope it helps
Stefan -
TCS gen 2 and Windows server 2003 support
Hi,
I have a Cisco TelePresence Content Server v5.3 running on gen 2 hardware.
From what I can see TCS v5.3 only works in Windows server 2003, this is a concern as Windows server 2003 support is ending July 14, 2015.
Is there anything that can be done to mitigate the above problem without having to purchase the gen 3 hardware?
Kind Regards
Ed
The supported deployment methods right now for the virtual TCS is for it to be installed on existing TCS hardware, either 2nd or 3rd Gen server only, 1st Gen servers aren't supported, but you can migrate from a 1st Gen to either of the latter two. You'll basically be wiping the old hardware servers and installing VMWare on them to run a single instance of Windows and the virtual TCS application. As Wayne said, support for 3rd party platforms is coming, Cisco knows it's a big deal for customers and a solution needs to be provided and not just limited to existing TCS hardware.
You would migrate your existing license and option keys to the new servers by looking them up from the registry and creating a license file to be used during the install process.
Support contracts will migrate as well, the serial numbers will remain the same, but the product IDs might change to reflect you now having a virtual TCS instead of hardware. However, I'm still working out the details of the product IDs from my migration I did back in August, though that hasn't stopped me from getting TAC support.
To give you an idea of the process, take a look at the TCS 6.1 VM Install Guide.