Active Directory Sign In Failure

Similar Messages

• Connect Active Directory Sync Error - operation-size-error

  We are on Connect 9. We have our Active Directory Sync running once per day. I received a sync log error as follows:
  E-Learning-All-Empl-grps
  G
  error
  Change$Update$Group: SyncTargetException: StatusException$OperationSizeError: <status code="operation-size-error"/>
  The E-Learning-All-Empl-grps is a distribution list in Active Driectory that is used to contain one of 9 sublists. Each sub-list has up to 800 names. This was to get around an earlier issue with their being a limitation when we are on Breeze that only a max of 800 names could be in any group.
  What does this error mean and how can I correct this?
  Dave

  I tried all of this, I still can not bind my Mac 10.6.3 to Microsoft Windows 2003 R2 Active Directory, and the failure I receive that Time settings between both computers is not synced although the time is the same on both machines, and I restart the NNTP on Windows Server, and added the Active Directory IP Address on the Date & time Settings on Mac.
  Any Help

• Active Directory, single sign-on and  SRM Users

  We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
  - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
  - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
  My questions are:
  1. If active directory is being used do we need to create actual users within the SRM system?
  2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
  Many Thanks

  Hi Claire,
  The Single Sign On work only if user exist on every systemes.
  For example :
  If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
  For Active Directory you can synchronize your user table to AD by using LDAP option.
  The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
  Finally use the SSO certificate between Portal ECC and SRM.
  Regards,
  Gilles SEBBAG
  Sap Technical Consultant.

• Single sign on and microsoft active directory

  Hi,
  I have EBS 12.1.3 on linux. I know that I can implement single sign on to login to EBS. Now the question is: can I integrate this single sign on with my existing Microsoft Active Directory? Can you send me some links or documentation?

  Self-reply:
  http://blogs.oracle.com/stevenChan/2006/05/indepth_using_thirdparty_ident.html
  Thanks

• SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

  Hi,
  we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
  When we setup the Portal, we used the UME of the ECC - ABAP.
  The portal is used internally only.
  Now we want to provide SSO.
  User authenticate against Windows Active Directory (Windows 2003).
  We thought SSO via spnego would be the best solution.
  Any better alternates, we should use?
  We are following the SAP documentation:
  SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
  We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
  When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
  In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
  What is not clear to us, when we active now LDAP via config tool, if we would now lose the ABAP connection.
  Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
  In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
  Thanks for your help.
  Best regards
  Carlos Behlau

  Hi,
  I was able to generate the key via ktab program.
  But when I am enable SSO, nothing is happening when I try to log-on via SSO to the portal.
  I installed WebDiag tool on the portal server and ran trace.
  The users are located in domain: company.com of activate directory.
  The Java AS are located in domain: sap.company.com of activate directory.
  The sap.company.com domain acts as child of company.com.
  When I check the WebDiag trace, I see for the SPNegoLoginModule - the entry "... no key (etype: 23) for realm sap.company.com available ..."
  I would except company.com as realm key, as the keytabs have been generated on the domain controller of company.com.
  Is it possible to get SSO with child domain running?
  Based on the statement of the network folks, child and father domain having a trust.
  Thanks for your help.
  Best regards
  Carlos

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Apply SSL in JSP with internal CA signed by Active Directory

  Hi geniuses, who has any idea how to apply SSL into JSP pages.
  I am try add SSL to my authentication JSP pages. My company has exist internal CA signed by Microsoft Server 2003 Active Directory.
  Who's have any idea or tutorial, can you please share to me?

  webster wrote:
  Hi geniuses, who has any idea how to apply SSL into JSP pages.
  I am try add SSL to my authentication JSP pages. My company has exist internal CA signed by Microsoft Server 2003 Active Directory.
  Who's have any idea or tutorial, can you please share to me?This really has nothing to do with JSP or this forum. It's a matter of setting up your Servlet/JSP container properly. Consult the docs for your servlet/jsp container for how to enable SSL.

• Certificate Authority not working when signing documents (Active Directory)

  We recently went to an Active Directory structure at my job, and we do a lot of signatures. Part of the Active Directory setup was an auto-certificate authority setup. I went to sign a document  recently and the signature will not apply. I went into trust tab and clicked to trust the certificate, and then backed out, but it still will not sign. When I click to sign the document nothing happens. There are red Xs next to everything in the trust tab.
  Any ideas? I am wondering if there is something I can do in Adobe to let it know that certificate is trusted?
  Any help would be appreciated.

  When Acrobat builds the signature object (which is created when you sign), it tries to populate the object with as much data as possible in order to facilitate long term validation. This means that it is trying to add all of the certificates in the signature chain to the PDF along with all of the corresponding revocation information (which is either an OCSP response of a CRL). This way, after the signer's digital ID expires all of the validation collateral will still be available, otherwise you would get an Unknown signature after the signer's cert expired.
  In order for Acrobat to get the revocation information trust has to be established. When you create the signature Acrobat tries to gather all of the certificates in the signing chain. After it has finished building the chain it walks the chain from the bottom up (the bottom being the signer's certificate) and checks to see if the cert is a designated trust anchor. Once it finds trust anchor it will try to procure revocation info for each cert below the trust anchor, but not the trust anchor itself. After it has gathered up all of the rev info it writes it into the PDF file along with the certificates. So, when it comes to signature creation, it's good to add the certificate that is at the root (top) of the signing chain to the Manage Trusted Identities list and trust it for signing and certifying. That way when you do sign all of the rev info will be written into the file.
  The next thing to realize is Acrobat can only retrieve the revocation info if it knows where to get it from. Each certificate in the signing chain except for the root cert should have an extension that tells Acrobat where it can download the information. For an OCSP response the URI is in the Authority Information Access (AIA) extension and for a CRL the URI is in the CRL Distribution Point (CRLdP) extension. If there is an entry in either of these two extensions that are not valid (that is either they don't exist or, the exist but don't really provide the expected data) then Acrobat will try to download the data, but the download will fail. Thus, you end up with a signature in an Unknown state because revocation checking must succeed if the is an AIA or CRLdP extension. Wheat you need to check is, does the certificate have one or both of these two extensions and if so, does it lead to a successful download.
  Steve

• Weblogic Single Sign On on Active Directory doesn't work

  Hello!
  Please help me to work out what my mistake is.
  I configured Weblogic for SSO on Active Directory using article, described on support.oracle.com.
  My krb5.ini file is
  [libdefaults]
  default_realm = DOMAIN.RU
  default_tkt_enctypes=des-cbc-crc
  default_tgs_enctypes=des-cbc-crc
  udp_preference_limit = 1
  [realms]
  DOMAIN.RU= {
  kdc=192.168.1.1
  admin_server = DC.DOMAIN.RU
  default_domain = DOMAIN.RU
  [domain_realm]
  .DOMAIN.RU= DOMAIN.RU
  DOMAIN.RU= DOMAIN.RU
  When I try to launch check by running kinit command I get following error
  C:\Users\testuser>kinit -k -t "C:\Oracle\Middleware\user_projects\domains\base_d
  main\test.keytab" HTTP/[email protected] -J-Dsun.security.krb5
  debug=true
  KinitOptions cache name is C:\Users\testuser\krb5cc_testuserPrincipal is HTTP/[email protected]
  Kinit using keytab
  Kinit keytab file name: C:\Oracle\Middleware\user_projects\domains\base_domin\test.keytab
  KeyTabInputStream, readName(): DOMAIN.RU
  KeyTabInputStream, readName(): HTTP
  KeyTabInputStream, readName(): test01.domain.ru
  KeyTab: load() entry length: 66; type: 1Added key: 1version: 5
  Ordering keys wrt default_tkt_enctypes list
  Config name: C:\Windows\krb5.ini
  default etypes for default_tkt_enctypes: 1.
  0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
  0000: 79 02 0D 8A 19 29 67 E0
  Kinit realm name is DOMAIN.RU
  Creating KrbAsReq
  KrbKdcReq local addresses for test01 are:test01/192.168.1.2
  IPv4 address
  test01/ga80:0:0:0:te2e:3de1:crew:a409%11
  IPv6 address
  default etypes for default_tkt_enctypes: 1.
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  Kinit: sending as_req to realm DOMAIN.RUException: krb_error 0 Cannot get kdc for realm DOMAIN.RU No error
  KrbException: Cannot get kdc for realm DOMAIN.RU
  at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:168)
  at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:147)
  at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:298)
  at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
  at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
  Thank you!

  Hi,
  Refer this..
  http://help.sap.com/saphelp_crm52sp01/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
  Regards
  Nandha

• Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

  Hi,
  We have some problems with our Root CA. I can se a lot of failed requests. with the event id 22: in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to
  check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
  A couple of months ago we decomissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing
  configuration.
  Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do know to try and correct the problem?
  Thank you for your help
  //Cris

  hello,
  let me recap first:
  you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
  do you say that you had a PREVIOUS CA which you decomissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision to don't bother with the current certificates that it
  issued and which are still valid, right?
  The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
  do not contain CRL paths at all.
  So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
  As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
  As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
  Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
  But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
  So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
  The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
  Just a clean self-signed REQUEST.
  That will succeed.
  You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
  ondrej.

• How to authenticate using Active directory!

  Hi all!
  at present im using a code given below, its working fine! currently we are using mixed mode active directory! we are going to migrate that to Native mode!
  import java.util.Properties;
  import javax.naming.*;
  import javax.naming.directory.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.Vector;
  import com.aigss.codegene.utils.PropertyDispatcher;
  public class LdapAuthentication//Servlet extends HttpServlet
       private java.util.Hashtable cache = new java.util.Hashtable();
        * @param loginid
        * @param passwrd
        * @return boolean
       public boolean authenticate(String loginid, String passwrd) {
            if(passwrd.trim().equalsIgnoreCase(""))
            return false;
            Properties props = new Properties();
            String ldapHost = "ldap://HDCQ3Q5CDOM01:389";
            String DN =
                 "CN="
                      + loginid.trim()+"DN=,CN=Users,DC=pslsdc,DC=legacy,DC=r5,DC=websi,DC=net";
            System.out.println("DN: "+DN);     
            props.put(Context.INITIAL_CONTEXT_FACTORY,com.sun.jndi.ldap.LdapCtxFactory);
            props.put(Context.SECURITY_AUTHENTICATION, "simple");
            props.put(Context.SECURITY_CREDENTIALS,  passwrd);
            props.put(Context.SECURITY_PRINCIPAL, DN);
            props.put(Context.PROVIDER_URL, ldapHost);
            try {
                 DirContext ctx = new InitialDirContext(props);
                 System.out.println("successfully authenticate DN: " + DN);
                 return true;
            } catch (Exception ex) {
                 System.out.println(ex+loginid);
                 try{
                      throw new Exception("login failure : "+ex+loginid);
                 }catch(Exception e){
                      e.printStackTrace();
                 return false;
  }when i try to connect into Active directory the new one, im unable to get authenticate, user not found error is coming! (data 525)
  im unable to continue!
  i tried changing the DN to : [email protected]
  also DN: mydomain\vijayvignesh
  then im getting error:
  java.lang.Exception: istar login failure : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vecei almost tried everything!
  if any one can find a solution pls do come forward!
  remember my code works fine in Mixed mode active directory, when we shift that to native mode, it is not working!

  If you would read the Active Directory error message, it actually gives you a hint:
  "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
  There was a security feature introduced in Windows Server 2003 that would allow administrators to only allow connections over encrypted sessions (eg. SSL/TLS or Kerberos signing and sealing). This setting is configured somewhere in the Domain Controller's Group Policy, called something like "LDAP Server signing"
  One solution is to use SSL/TLS. Refer to my previous post titled "JNDI, Active Directory & Authentication (part 2) (SSL)" at
  http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50

• Discussion and Announcement Services in webcenter Spaces + Active Directory

  I had successfully customized Discussion and announcement Services in webcenter spaces using the default authenticator user WEBLOGIC. And it was working fine.
  I was able to post and configure announcement and also able to create forums and threads in webcenter spaces.
  Now i have Successfully integrated my ACTIVE DIRECTORY to WLS. And now i want to configure discussion and announcement using active directory users. i am facing problem in it. I am able to login to Webcenter spaces as well as 8890/owc_discussions and also in 8890/owc_discussions/admin (jive forum admin) using AD users. i have also given admin roles to ACTIVE directory users in 8890/owc_discussions/admin under Global Settings -> Admins & Moderators .
  When I tried to configure Discussion and announcement Services in webcenter spaces it gives me errors like.....
  (1) The service did not get provisioned.
  (2) failure to authenticate the user *******, due to: Unable to connect to discussion server.*
  Do i need to make changes in keystore.properties & jive_crypto.jar ? Do i need to make a new connection in EM inside WebCenter > Service Configuration.
  Please help.
  Thanks

  Have you set up ws-security between your webcenter and discussion server? If not you need to set it up to get rid of the authentication error.
  Are you setting up a single-sign on between all webcenter components using OAM? If so there is an additional step to add/update owc_discussions.sso.mode property under discussion admin.

• Active Directory accounts no longer connect to Server

  I administrate a small office network.
  We have a Windows 2000 Server with active directory and a Windows 2003 Storage Server Appliance. (From Iomega)
  After upgrading to 10.4.8 (it seems), our Mac integrated to the Active Directory has had problems connecting to the storage server.
  When attempt to connect to smb://storage (the 2003 server appliance) we get a Error code -36 -- could not be read or written.
  This only happens when logged into an AD account. Local accounts on the machine access the server as normal.
  Also of note, the AD accounts have no problems accessing shares on the 2000 server.
  Any ideas why this is only effecting AD accounts and a solution?

  There are a couple of things you can check...
  1. Check to make sure that the SMB signing option is disabled for the Windows 2003 Storage appliance. This can be done in the local group policy on the Server.
  2. If it is a storage appliance, you should be able to run Microsoft's Services for Macintosh. This would give you AFP on the file server - a potential way to eliminate the need for using SMB on the Macs.
  3. Use a 3rd party software on the Windows 2003 Storace Server called ExtremeZ-IP by Group Logic. It is a full featured AFP/IP file server for Windows (replacing SFM). We have an HP DL380 NAS device on our network (running Windows 2003 Storage Edition) that has 1.5 TB of storage for our MAc users. We use ExtremeZ-IP... I have nothing bu great things to say for it...

• Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

  We have implemented Azure Ad single sign on using auto generated code from Visual studio 2013 with organization account authentication and its working fine.
  The problem is when user is logged in in azure management portal with his live account and in other tab he try to open our app, then he directly gets below error on Microsoft login page.
  Additional technical information:
  Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
  Timestamp: 2015-04-14 12:27:20Z
  AADSTS50020:
  User account '[email protected]' from external
  identity provider 'live.com' is not supported for application
  'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
  be added as an external user in the tenant. Please sign out and sign in
  again with an Azure Active Directory user account.
  It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

  I assume you created a web application using VS2013 which uses the WS-Federation protocol.
  The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
  For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
  The user will need to either sign-out or use an in-private session in the browse.
  If you switch to openID connect(sample at
  https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the “prompt=login” query paramerter in the sign in request, this will force a fresh login.

• ACS 5.3 WLC Certificates RADUIS Active Directory

  Hi,
  I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed to connect to the wireless and then authentication with AD and laptop certificates to the ACS. So if a user from work brings a home laptop this won't be able to connect as they don't have a certificate installed on the laptop.
  I have setup ACS to connect to AD.
  I have added the local certificate with my company's CA
  acs.blah.com
  acs.blah.com
  SubCA3-1
  09:50 28.09.2012
  09:50 28.09.2018
  EAP, Management Interface
  I create a very simple rule and then try connect through the laptop. I select the certicate on the client and click connect. The connection works fine and I am on the network.
  Authentication Summary
  Logged At:
  October 2,2012 3:06:37.996 PM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  blah\Eddy
  MAC/IP Address:
  18-3d-a2-26-7f-b9
  Network Device:
  L39-WC-5508-01 : 10.49.2.150 :  
  Access Service:
  WirelessAD
  Identity Store:
  AD1
  Authorization Profiles:
  Wireless AD
  CTS Security Group:
  Authentication Method:
  PEAP(EAP-MSCHAPv2)
  I then just try a laptop I brought from home I used my AD username and password and this also connected. This Laptop doesn't have a certificate how can I make it so only work laptops with certificates be allowed to connect to the wireless?
  any help would be great happy to send screen shots of my setup.
  Cheers
  Eddy

  Hi Guys,
  Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
  Logged At:
  October 12,2012 2:50:17.866 PM
  RADIUS Status:
  Authentication failed : 15039 Selected Authorization Profile is DenyAccess
  NAS Failure:
  Username:
  blah\eddy
  MAC/IP Address:
  00-21-6a-07-31-88
  Network Device:
  -WC-5508-01 : 10.10.2.10 :  
  Access Service:
  WirelessAD
  Identity Store:
  AD1
  Authorization Profiles:
  DenyAccess
  CTS Security Group:
  Authentication Method:
  PEAP(EAP-MSCHAPv2)
  I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below any ideas on how to get this to work? I dont have MARS is MARS required for this PEAP setup?
  24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24416  User's Groups retrieval from Active Directory succeeded
  24101  Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
  24420  User's Attributes retrieval from Active Directory succeeded
  24402  User authentication against Active Directory succeeded
  22037  Authentication Passed
  Evaluating Group Mapping Policy
  11824  EAP-MSCHAP authentication attempt passed
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814  Inner EAP-MSCHAP authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12314  PEAP inner method finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12306  PEAP authentication succeeded
  11503  Prepared EAP-Success
  24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  any ideas guys?
  thanks for the help.