ACS Authentication against Lotus Notes

Hi Team, is it possible to authenticate Users via ACS against Lotus Notes, similar to MS AD? Regards, Michael

I don't think it is possible to use ACS with Lotus notes for user authentication. These are the external databases supported with ACS.
a) Windows User Database
b) Generic Lightweight Directory Access Protocol (LDAP)
c) Novell NetWare Directory Services (NDS) when used with Generic LDAP
d) LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers
e) Token servers
f) Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

Similar Messages

  • Authentication against Lotus notes engine

    Hello All,
    I have a requirement to develop an application to authenticate the user against the Lotus notes Engine.... which I think is the LDAP.
    Any pointers to more information will be very helpful...
    Thanks and Regards
    Pradeep Bhojak

    I don't think it is possible to use ACS with Lotus notes for user authentication. These are the external databases supported with ACS.
    a) Windows User Database
    b) Generic Lightweight Directory Access Protocol (LDAP)
    c) Novell NetWare Directory Services (NDS) when used with Generic LDAP
    d) LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers
    e) Token servers
    f) Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

  • Cannot perform authentication in Lotus notes portlets

    Hello again,
    I have managed to setup an external application for Lotus Notes portlet for
    9.0.2.0.1 AS. By clicking the login button I can access my Lotus Domino mail!
    However, when I registered the Lotus Notes Provider (its test page runs fine),
    associated its authentication model with my ext. app, and then tried to access the
    portlets I keep getting messages about "user authentication failed".
    Actually my log file reads:
    11/29/02 1:17 PM webapp1: oracle.webdb.provider.v2.adapter.SOAPServlet: init
    11/29/02 1:17 PM webapp1: NumberFormatException while initializing Logger. Defaulting LogLevel to 4
    11/29/02 1:17 PM webapp1: ServletLogger - Logging level: 4
    11/29/02 1:17 PM webapp1: [id=(null), instance=(null)] CONFIGURATION: Invalid or null value for property - executionWarningTimeout = null - setting to default value of 20 seconds
    11/29/02 1:17 PM webapp1: [id=(null), instance=(null)] CONFIGURATION: Invalid or null value for property - executionKillTimeout = null - setting to default value of 80 seconds
    11/29/02 1:17 PM webapp1: [id=(null), instance=(null)] Unhandled exception in SOAP call
    oracle.webdb.provider.v2.utils.soap.SOAPException: Error: Failed to authenticate user with external application
         at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.initSession(Unknown Source)
         at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.initSession(Unknown Source)
         at java.lang.reflect.Method.invoke(Native Method)
         at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
         at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
         at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
         at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
         at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
         at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
         at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    Is there any issue with the fact that I installed the latest PDK (November 02)? Its test
    page also appears without problems.
    Thanking you in advance,
    Serafeim.

    This may be happening because the configured Lotus Notes External Application does not have the Lotus Domino Username, Password and MailFilename entries. Please click on the "Update Login Information" link and supply these values. You should be able to see the Lotus Notes portlets now.
    Thanks,
    Geeta

  • ACS authentication against AD

    I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed meaning ACS is in and operational and I have it joined to my domain. I am now to the point of selecting my AD groups and Attributes within those groups. I know very little about AD so that may be part of my confusion.
    First off I gathere that I need to specify a specific group to get the actual user name / password authentication process to work? I loaded the windows Active Director Editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also thinkthat if my domain is 123.abc.corp that I need to use DC=123,DC=abc,DC=corp then pick the correct CN that I need?
    I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication so figure we need say a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group or are there any specific or recommended fields I need to have with this group?
    Secondly, we also want to use ACS for Dot1.x authentication on our Cisco switches but need VLAN information tied to the user. My question here is this something that we can add as a field to the user information or better to add it as a field in another group?
    I am looking for configuration examples but wanted to also make sure that I am following best practices so any assistance is appreciated.
    brent

    If you have single domain then you don't need to specify the domain name, just click on the 'select' button under directory groups to fetch/retrieve the AD groups and then add them.
    Use this page to select groups that can then be available for policy condition,
    Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
    For more information, you may visit the below listed URL
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999
    Once you are done, go to the access-policy >> on the right bottom corner, you would see a tab "customize" click on it and move the attribute AD1:ExternalGroups to thr right end side >> click ok >> create a new authorization policy and select the group you fetched in the directory groups under AD configuration.
    In order to do dynamic vlan assignment on ACS 5.1 you do the following:
    Policy elements >> Authorization  and permissions >> Network Access >> Authorization profile >> Create >> Give it a name like example "switch" >> Common tasks >> Click on VLAN ID name >> Select Static >> Give Vlan Number >> Click Submit >> Go to Access Policies >> Under default network access click on authorization >> Create >> Give the Rule a name like "vlan assignment for SWITCH" >> Click on Ad1:external groups >> Contains any >> Select -> choose the appropriate AD group >> Click ok >> Click select for authorization profiles >> Choose the profile that was previously create called "switch" >>   Click ok >> Now you assign the VLAN of "SWICTH" to the Group to the AD group >>  Click OK.
    HTH
    Regds,  Jatin
    Do rate helpful posts~

  • Anyone got ACS SE 4.2.1 authenticating against server 2008 R2 via LDAP?

    Hi, I'm working on a new network implementation where the customer has ACS SE and wants to use AD for machine based authentication of wired 802.1x clients.
    As the support for 2008 R2 server (64-bit OS used here) using remote agent is not yet released they are attempting to set this up using an LDAP connection. The final goal is to use certificate based authentication, and I have had a message indicating this authentication type may not work due to an issue with binary comparison, so we started with basic username/password accounts first.
    So far the ACS is populating its external user database fields with the domains setup on AD, but user authentication is failing.
    Briefly we started with basic username/password usng MD5-CHAP on XP to an account configured on ACS, that worked fine. Then set up the external user database to use an LDAP connection to AD, and an unknown user policy, this dosent work. It looks like the issue could be do with the LDAP attributes not being set correctly.
    Has anyone used LDAP as an authentication mechanism against 2008 R2 based AD and got it working?

    Aacole,
    The above error message says that your external database that is LDAP doesn't support EAP-MD5 and that is quite true.
    You may check the below listed link for protocol and database compatibility.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp824733
    Since you are using LDAP its only supports EAP-GTC.
    Do let me know if you need any further suggestions.
    Regds,
    JK
    Do rate helpful posts-

  • ACS 5.1 Authentication against AD problem

    I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
    ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
    I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
    The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
    show logging application acs reveals the following:
    ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
    password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
    I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
    Any ideas on what might be the cause, and how I can fix this?
    Thanks!

    Hello,
    It is complicated to explain this rule but hopelly you will understand.
    I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
    Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
    To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
    Regards,
    Sebastian Aguirre

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
    Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco Phone Control and Presence 8.6.1.1185 with IBM Lotus Notes 8.5.2 (Integrated Sametime Client 8.0.2) - No presence status visible

    Hi community,
    I am trying to integrate Cisco Unified Presence 8.6.1.10000-34 with IBM Lotus Notes 8.5.2 with the integrated Sametime Client version 8.0.2 via the Cisco Plugins 8.6.1.1185.
    Phone control is working fine, whereas the presence status is not shown (= no handset symbol next to the Sametime user). When I look in the preferences of the plugin, I can see that the plugin has connected successfully to the CUCM (8.6.2.20000-2),whereas the connection to the CUPS has not been established.
    The user id as well as the password are all the same on all systems. Here is a description of what I have configured via the ciscocfg.exe tool:
    Feature Control:
    - Enable Phone Status -> checked
    - Enable Dial Using Cisco IP Communicator -> unchecked (not required)
    - Enable Control Desk Phone -> checked
    - Default Mode -> Control Desk Phone
    Control Desk Phone Settings:
    - Voicemail Pilot Number -> left blank (no voicemail)
    - Cisco Unified Communications Manager
         - Servers -> IP address of CUCM
         - Read Only -> unchecked
         - Use as Default CUCM -> checked
         - Synchronize Credentials -> checked
              - Use Sametime Credentials -> checked
    Use Secure Connection: -> not required
    LDAP Phone Attributes: -> not required
    Phone Status Settings:
    - Cisco Unified Presence Servers -> IP address of CUPS
    - Read Only -> unchecked
    - Synchronize Credentials -> checked
         - Use Sametime Credentials -> checked
    - Sametime User ID Mapping
         - Use Business Card Attribute -> MailAddress
         - Remove Domain -> checked
    - Display Off-Hook Status Only -> unchecked
    At the moment I don't see an error in the configuration, but maybe I am wrong. Could anyone please tell me what the error could be?
    Thanks a lot in advance!
    Kind regards,
    Igor

    Hi all,
    here are some additions to my above post:
    Servers and clients used:
    1x CUCM 8.6.2.20000-2
    1x CUPS 8.6.1.10000-34
    1x IBM Lotus Domino Messaging Express Server 8.5.2
    1x Sametime Entry Server 8.5.2 (on top of the Domino server)
    2x IBM Lotus Notes 8.5.2 with integrated Sametime 8.0.2
    2x Cisco Phone Control and Presence with Lotus Sametime (PCAP) 8.6.1.1185
    2x Cisco Unified Personal Communicator 8.5.5.19839
    Setup:
    - CUCM, CUPS and CUPC are working fine, i.e. Desk Phone control via CUPC, as well as availability and presence status are working without issues
    - IBM Lotus Domino server is the LDAP Directory, the Sametime Entry Server is installed on top of the Domino server and uses the Domino Directory
    - User ID and password on CUCM/CUPS match the ShortName field and password in Domino
    - The PCAP plug-in has been manually deployed to both Notes clients with the following configuration:
         - Enable Phone Status -> active
         - Desk Phone Control -> active
         - no credential synchronization for CUCM and CUPS, i.e. every user must fill the user details himself
         - Sametime User ID Mapping is implemented via the LDAP Attribute uid (which is equal to the user id in CUCM)
         - LDAP configuration filled in with details of the Domino server
    Phone Control is working fine, also the connection to the LDAP server (Domino) is fine. However, when I type in the credentials for the CUPS server login, I can see (in Troubleshooting pane) that the user (pparker) is connected to the CUPS server for a short period of time and then gets disconnected. After that no connection is possible to the CUPS server, i.e. status is always disconnected.
    I have collected the Tomcat (EPASSoap00010.log and security00010.log) logs via RTMT and compared them to the logs from the PCAP plugin. The relevant time period is from 15:14 to 15:17. In the Tomcat logs I can see that the authentication is successful (see attached files), however in the log of PCAP plugin I can see the following messages:
    2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.1 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG Credential is rejected. Nothing to retry ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.answerChallenge() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
    2012/02/03 15:14:35.281 WARNUNG #### Connection rejected presence server ::class.method=com.cisco.sametime.phonestatus.cup.CUPPresenceWatcher.onPresenceServerConnectionRejected() ::thread=CT_CALLBACK.2 ::loggername=com.cisco.sametime.phonestatus.cup
    I don't understand why the connection is rejected although the Sametime Internal ID and CUPS User ID match. Does anyone know what the issue could be?
    All posts are very much appreciated!
    Thanks a lot in advance!
    Kind regards,
    Igor

  • Sending an email from Lotus Notes release 5.0.4a

    I need to write java code for sending an email from Lotus Notes release 5.0.4a.
    Initially, I tried using Lotus Domino Toolkit for java, but the current release, "Lotus Domino ToolKit for Java/Corba release 5.0.8" is not compatible with the notes client/server we are using(5.0.4a).
    Now, I am trying to use "Lotus Domino Toolkit 2.1" which supports notes version 5.0.3 and higher, but I couldnot find out how to use it to send email.
    Is there are other way in which we can connect to Lotus Notes for sending email. I cannot use SMTP as the Lotus Notes administrator is afraid of security issues so there is no possibility that I can connect to Domino server using java mail API by enabling SMTP on the Domino server.
    I would be thankful if somebody can help me to do this.

    First off - This is very "off topic"
    The Domino SMTP server is not hard to lock down. Any Notes Admin worth his/her salt should know how to do it. Try to persuade them to run the SMTP stuff using name and password authentication only, or restrict access to an IP address range. This is all easy stuff.
    Otherwise DIIOP/CORBA is one way to go. If your toolkit jar files don't work with the server then try using the ones on the server. Look in %noteshome%\data\domino\java for the ncso.jar file.
    This works for me on an AS/400 java VM to WinNT/Linux Domino servers of various versions.
    How to create an email using this method is again not difficult. All you really need is a blank database template. You have to create a document with certain fields in it (all documented) and then save it. That's all there is to it.
    Word of warning DIIOP is not very rapid and careless coding can create problems. Ensure that once you have finished a session you make sure you close it else you will have continual connection problems.
    Try searching around the domino/notes groups on how to actually do this.
    SH

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pamckconnector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • Lotus Notes connector: Error while crawling LOB contents

    Hi all,
    I am trying to configure Lotus Notes connector on SP search. We have successfully followed the Randy Rempel's blog on
    test environment. No problem to search lotus notes content.
    In production environment, we've followed the same procedure but we are facing the following problem. During the full crawl, the below error is thrown
    Error while crawling LOB contents. ( Error caused by exception: Microsoft.BusinessData.Infrastructure.BdcException The shim execution failed unexpectedly - Exception has been thrown by
    the target of an invocation..: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail] An unexpected error occurred in the Lotus Notes protocol handler while processing the URL
    We have forced Lotus Notes Connector to be more verbose, without success.
    Any help will be appreciated
    David

    Reset the index and re-crawl. That usually claers it
    If you are using NTLM authentication, then make sure that you specified the PassThrough authentication for crawling
    Probably you need to debug the BDC code that underlies the external content types.
    can you Check the permission that you have set for the lotus notes domino databases? Was the content access account added to the local administrator group?
    If this helped you resolve your issue, please mark it Answered

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • ISE internal user authentication failure - user not found

    Hi Forumers'
    I trying to do wireless 802.1x, where identity store using intenral user.
    But i found this error message when i trying to connect
    Authentication failed                                                                                 :
    22056 Subject not found in the applicable identity store(s)
    My authrorization rules is built like this
    identity groups = user identities group / " mygroup"
    condition = no setting
    permissions = standard / PermitAccess
    Question 1
    Any troubleshooting step to do on this?
    Question 2
    For the Authorization rules, what's the condition should set for using Internal User as Identity store?
    Thanks
    Noel

    The error is caused to an authentication failure and is not an issue with authorization
    You need to look at your authentications policy (Policy->Authentications) and see which identity store was authenticated against
    In addition can do the Live Authentications page (Monitor->Authentications) and for the failing record click on the icon under details. This will give you the full details of the requets processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and "Selected Identity Stores".

  • Remote Data Source Settings for Lotus Notes CWS

    I have installed the Crawler Web Service for Lotus Notes on a box seperate from Machine hosting Portal Server. After that I did all the migrations successfully at the portal side as mentioned in installation guide. But while configuring Remote data Source ,in Authentication Page , i am not getting an edit box to specify the User ID file.Its just have edit box to specify password.
    Its taking the last user id that was used in the Notes Client on that machine, or more specifically the KeyFilename setting in the Notes.ini file
    How can i set the User ID File(to be considered).
    Moreover there is an error
    An error occurred while validating the remote XUI service. Verify the Web Service settings, including the SOAP Encoding Style.
    Can anybody provide pointers on configuring the Remote Data Source for Lotus Notes database
    Thanks in Advance

    Hi,
    I would check this with the Lotus Notes guys. If the mail is OK in SOST, then SAP is delivering the mail correctly. There is something wrong with the Lotus Notes client itself. I have seen this same problem and I have alos witnessed the HTML email to crash the whole Lotus client. (This lead to a situation that it was just easier to send the plain text emails.)
    Regards,
    Karri

Maybe you are looking for

  • Modern UI Apps can't be installed or updated while logged in as a Domainuser. (8.1)

    Hello. I've run into the following issue with the first 8.1 Client in our Domain: Whenever I try to update an existing App or try to install a new one, the Download fails and I'm presented with the Error code 0x8007002. This happens in our Company LA

  • Use of 3rd party Digital Signatures in SAP enviornments

    Hi all, I wanted to inquire about 3rd party digital certificates usability within the SAP environment. for e.g can Verisign digital certificates be used within the SAP environment. Any directions/links on related reading material would be highly appr

  • Jython having issue importing weblogic modules for changing passwords

    I am trying to import some WLST modules into a Jython script as outline in the documentation at http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019971 The strange thing is that it says it is a WLST script, but it appears to be a

  • Just found a code that works for my Wharfedale LCD...

    I can't remember the full details of the TV and the instructions book does not have any - but after lots of trial and error 0017 worked. Hurrah!

  • Trouble syncing, lost music

    Can someone help? I deleted my iTunes library from my hard drive thinking it would be safe on my external hard drive. While I've still got all my music on my ipod the computer won't allow me to sync it, as it says it is already synced to another user