AD Authentication - pass through?

Evening ladies and gents, really stuck and need some help with implementation of our new Apple network.
The story so far.....
We have Windows Server 2008 R2 AD running over a HSRP VLANed network. We've purchased 30 Apples and we want to be able to authenticate users against AD as well as map their Windows home areas.
Firstly I know nothing about the Apple OS and am concerned that direct integration into the AD network may pose security risks. As I understand it, OD ignores NTFS permissions, the backbone of AD security.
I envisaged being able to use a multi-homed OSX Server as a 'pass through' / 'proxy' for AD Kerberos authentication and home area mapping. So firstly, is this possible?
What is generally recognized as best practice in this kind of setup?
Many thanks

Hello Colin,
The response you get back indicates that the setspn tool detected an error in the attributes.
When the command is successful, you will get a message saying that registering the SPN was successful.
When using the setspn.exe tool, make sure you are logged on with Domain admin rights. I always run the tool on the domain controller itself.
Try including the domain name when you enter the service account, the command should read like this:
setspn -a HTTP/portal.customer.de DOMAIN\j2ee-SID
Replace portal.customer.de with the DNS name for your server, and repeat the command with the different DNS names if you have more than one DNS name.
Replace DOMAIN with the name of your Windows domain.
Replace j2ee-SID with the User Logon Name of your service account.
Make sure there are no spaces or special signs in the User Logon Name!
On Windows servers, the usage of SPNs is not case sensitive, but when calling the service from non-Windows systems, it is!
For more info on the setspn tool, look here:
[http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx]
I hope this helps.
Dagwin

Similar Messages

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different to the aaa authentication server-group.
    Try:
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • API to verify a resource Password?  Like pass through authentication...

    Howdy folks,
    OK. I have a requirement to check the old (or current) password of a user at the time that they change their password to something new. I can do this with lighthouse accounts, but.... We don't update Lighthouse accounts. We only update our LDAP account. I know that pass through authentication checks this automatically by attempting to bind as the user with the given password. Does anyone know if I can ask IDM to do that for me? If not I'll write a java class to do it, but since it is already happening in IDM, I thought there MUST be something in place that can do this already....
    Does anyone know?

    anyone?

  • Pass-through authentication failing

    The environment:
    Server A: Windows Server 2008 R2 / IIS 7
    Server B: Windows Server 2003 R2
    Domain Controller: Windows Server 2003 R2
    Both server A and B are part of the same domain.
    The issue:
    We have files stored in server B that are being shared as \\B\Files. We want to have a virtual directory/application in IIS on server A to make those files available on a web browser,
    but, we want access to be controlled by NTFS permissions, and access granted to the user accessing the website by pass-through authentication (challenged for user and password by the browser).
    We have set up an application pool, and have set the identity of it to a user that has
    read NTFS permissions to \\B\Files. We then set up an Application and set its application pool to the one mentioned above, and have pointed its physical location to \\B\Files. In the advanced settings, we set the physical path credentials
    to Application user (pass-through authentication).
    In the authentication settings for the application, we disabled all but Windows Authentication, and in the providers, we have removed everything but NTLM, which is the one we want.
    When we test it (https://serverb.com/Files) however, we are challenged (user/password prompt comes up) as expected, but despite what we put in, the prompt comes back, as if the user/password was wrong, or as if the user did not have enough permissions
    to access the files. We checked permissions and that's not it. And we have also checked the domain controller to see if the request is getting there, and it is, which means that it is authenticating properly. We can only assume there is a communication
    problem, or restriction somewhere.
    We are not sure where else to look, and any ideas would be greatly appreciated.
    Thank you

    On Wed, 5 Feb 2014 17:48:47 +0000, ucis wrote:
    We are not sure where else to look, and any ideas would be greatly appreciated.
    Since this is really an IIS question you should post to the official IIS
    forums:
    http://forums.iis.net
    Paul Adare - FIM CM MVP
    It used to be said [...] that AIX looks like one space alien discovered
    Unix, and described it to another different space alien who then
    implemented AIX. But their universal translators were broken and they'd
    had to gesture a lot. -- Paul Tomblin

  • Pass through authentication (function_)

    I wrote many functions before, but NEVER a function to pass through authentication
    Here are some of the specs
    In this example, an institution will be accepting tuition and fee payments against bills that are stored in our system. In addition to the minimum ebill authentication parameters, the institution would like to pass us a full name to display when welcoming the user, control the user's primary e-mail address, and restrict the payment method on a per user basis.
    URL     url     This will be issued to you by your project manager. It should be of the form https://pleasepay.com/schoolname/payer.do
    User Id     user_id     The unique identifier for the user within the institution. This is typically a student ID. (in our database)     
    Full Name     full_name     Users full name. Example “John Smith”. (in our database)
    Email Address     email     Primary email address.     in (our database)
    Payment Method     paymentMethod     Payment methods allowed for this user.
    Allowed values:
    “none” :no payments accepted
    “ach” :ach is the only accepted
    “cc” :credit cards only accepted
    “ach_cc” :credit card and ach      16
    Key     key     The shared key that is issued to you by your project manager.
    Time Zone     tz     The time zone you are located in. Valid values are:
    “E” :Eastern time zone
    “C” :Central time zone
    “M” :Mountain time zone
    “P” :Pacific time zone     1
    function get_payment_url_test(
            url         in varchar2,
            user_id     in varchar2,
            full_name   in varchar2,
            email       in varchar2,
            pay_method  in varchar2,
            key         in varchar2,
            tz          in varchar2
        ) return varchar2
    Here are my questions: I know I need to have a cursor to check on the user_id, full name, email (those values are stored in our DATABASE). The URL and the key are given to me. Do I have to hard code the url in the cursor and store it in a variable so I can check that the url coming in (url in varchar2) is equal to the url in my cursor? The same with the key?

    I saved the url, the user_id and the full_name in a custom table, and it is working, but I would like
    to pass a message like
    if user_id is null then
    raise_application_error(-20101, 'User ID is missing.');
    What it is doing now is that it checks on the cursor, and if any of the parameters is false
    it will return the first message in the --- return mesages. That is fine, the cursor is not retrieving any data, but I want to be more 'friendly' to the user, and if the user
    doesn't enter the id, say something like null id, or if it is wrong, wrong id, invalid id etc...
    wha
    function get_user_url(
            url         in varchar2,
            user_id     in varchar2,
            full_name   in varchar2,
            email       in varchar2,
            pay_method  in varchar2,
            key         in varchar2,
            tz          in varchar2
        ) return varchar2
        is
        /* Audit Trail:
           10/25/2010
           T
           Change History: */
          timestamp  varchar2(20);
          v_pidm      saturn_midd.synelck.synelck_pidm%TYPE;
          v_user_id   saturn_midd.synelck.synelck_id%TYPE;
          v_full_name saturn_midd.synelck.synelck_name%TYPE;
          v_email     saturn_midd.synelck.synelck_email%TYPE;
          v_url       saturn_midd.synelck.synelck_url%TYPE;
          v_key       saturn_midd.synelck.synelck_key%TYPE;
          v_pay_method  varchar2(6);
        /* this table saturn_midd.synelck is inserted with all the students (with bills),
        the url and the key, in the way the function is going to validate the url, the id
        and the key against the values in the table*/
        CURSOR pass_the_test_cur is   
        SELECT
        synelck_pidm,
        synelck_id,
        synelck_name,
        synelck_email,
        synelck_url,
        synelck_key
        from
        saturn_midd.synelck
        where
        synelck_url = url
        and synelck_id = user_id
        and synelck_key = key 
        AND SUBSTR(synelck_name,1,120) = full_name;
         BEGIN
          IF pass_the_test_cur%ISOPEN
          THEN
              CLOSE pass_the_test_cur;
          END IF;
            OPEN pass_the_test_cur;
                 FETCH pass_the_test_cur
                       INTO v_pidm,v_user_id,v_full_name,v_email,v_url,v_key; 
            if pay_method = 'none' then v_pay_method := 'none';
              elsif
                pay_method = 'ach' then v_pay_method := 'ach' ; 
              elsif
                 pay_method = 'cc' then v_pay_method := 'cc';
              elsif           
                  pay_method = 'ach_cc' then v_pay_method := 'ach_cc' ;
           end if;      
              timestamp := get_epoch_timestamp(CURRENT_TIMESTAMP);
            If (v_url is not null and v_user_id is not null and v_key is not null
                and v_full_name is not null and v_key is not null
                and v_email is not null and v_pay_method is not null)  
            then     
                 return url || '?userId=' || escape(v_user_id, TRUE, character_set) ||
                '&' || 'fullName=' || escape(v_full_name, TRUE, character_set) ||
                '&' || 'email=' || escape(v_email, TRUE, character_set) ||
                '&' || 'paymentMethod=' || escape(v_pay_method, TRUE, character_set) ||
                '&' || 'timestamp=' || timestamp ||
                '&' || 'hash=' || get_md5_hash_value(v_user_id || v_full_name || v_email || v_pay_method || timestamp || v_key);
            end if;   
            --- return mesages     
           if v_url is null then
                raise_application_error(-20101, 'Inalid log on chek: Id .');
            end if;
            if v_user_id is null then
                raise_application_error(-20101, 'User ID is missing.');
            end if;
            if key is null then
                raise_application_error(-20101, 'Key is missing.');
            end if;
            if v_full_name is null then
                raise_application_error(-20101, 'Name is missing.');
            end if;
            if v_email is null then
                raise_application_error(-20101, 'eMail address is missing.');
            end if;
            if v_pay_method is null then
                raise_application_error(-20101, 'Payment method is missing.');
            end if;
        end l;
    Edited by: peace4all on Oct 26, 2010 7:13 AM
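
Added example (not part of the original post and not the payment vendor's code): the signed pass-through URL described in the post above, built with one specific message per missing input and then checked on the receiving side, in Python. Parameter names and field order follow the post; the epoch-seconds timestamp, lowercase-hex MD5 output, the 300-second freshness window and all sample values are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ALLOWED_PAYMENT_METHODS = {"none", "ach", "cc", "ach_cc"}  # values listed in the post
MAX_AGE_SECONDS = 300  # assumption: the post does not state a freshness window
PARAMS = ("userId", "fullName", "email", "paymentMethod", "timestamp", "hash")


def md5_of_fields(user_id, full_name, email, pay_method, timestamp, key):
    """Hash the fields in the order the post passes them to get_md5_hash_value().

    Lowercase hex output is an assumption. MD5 over data-plus-key is what the
    post's scheme specifies; where both sides can change it, HMAC-SHA-256 is
    the standard keyed construction.
    """
    material = f"{user_id}{full_name}{email}{pay_method}{timestamp}{key}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def build_payment_url(url, user_id, full_name, email, pay_method, key, now=None):
    """Check each input on its own, so the caller learns which one is wrong,
    then build the signed URL."""
    for label, value in (("User ID", user_id), ("Name", full_name),
                         ("eMail address", email),
                         ("Payment method", pay_method), ("Key", key)):
        if not value:
            raise ValueError(f"{label} is missing.")
    if pay_method not in ALLOWED_PAYMENT_METHODS:
        raise ValueError("Payment method is invalid.")
    if not url.lower().startswith("https://"):
        raise ValueError("URL must use https.")
    timestamp = str(int(time.time() if now is None else now))
    query = urlencode({
        "userId": user_id,
        "fullName": full_name,
        "email": email,
        "paymentMethod": pay_method,
        "timestamp": timestamp,
        "hash": md5_of_fields(user_id, full_name, email, pay_method, timestamp, key),
    })
    return f"{url}?{query}"


def verify_payment_url(signed_url, key, now=None):
    """Receiving side: return (accepted, reason)."""
    params = parse_qs(urlsplit(signed_url).query, keep_blank_values=True)
    for name in PARAMS:
        # A repeated parameter is rejected rather than silently picking one.
        if len(params.get(name, [])) != 1:
            return False, f"parameter {name} missing or repeated"
    f = {name: params[name][0] for name in PARAMS}
    ts = f["timestamp"]
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 12):
        return False, "bad timestamp"
    current = int(time.time() if now is None else now)
    if abs(current - int(ts)) > MAX_AGE_SECONDS:
        return False, "stale timestamp"
    expected = md5_of_fields(f["userId"], f["fullName"], f["email"],
                             f["paymentMethod"], ts, key)
    # Constant-time comparison so the check does not leak how many
    # leading characters of the hash matched.
    if not hmac.compare_digest(expected.encode("ascii"),
                               f["hash"].lower().encode("utf-8")):
        return False, "hash mismatch"
    if f["paymentMethod"] not in ALLOWED_PAYMENT_METHODS:
        return False, "payment method not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; the URL form is the one quoted in the post.
    KEY = "constructed-shared-key"
    link = build_payment_url("https://pleasepay.com/schoolname/payer.do",
                             "S1234567", "John Smith", "jsmith@example.edu",
                             "ach_cc", KEY, now=1288100000)
    print(link)
    print(verify_payment_url(link, KEY, now=1288100060))
    print(verify_payment_url(link.replace("paymentMethod=ach_cc",
                                          "paymentMethod=cc"), KEY, now=1288100060))
```
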

  • Cisco ASA 5505 L2TP Pass through

    I am having trouble with L2TP pass through on an ASA 5505 device.
    L2TP server: OSX 10.6
    I can connect with any OSX system and it works fine straight away.
    When connecting with a Windows computer I get a 789 error.  "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
    I did not set up or configure the device to start with, and apart from this issue it's working fine, so I am hesitant to just mess around too much to try and find the problem.
    I am using the ASDM 6.4 to manage the device.
    Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
    I'm just looking for other common issues?
    Rob

    Below are the commands you wanted.
    Where you see: IPNOTWHATIWASEXPECTING
    This is an IP I don't know. Possibly an old IP address.
    and
    default-domain value domain-notcorrect.local
    This is an old domain from years ago.
    Result of the command: "show run crypto"
    crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
    crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map map-dynamic 1 set pfs group5
    crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 2 set pfs
    crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 3 set pfs
    crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 2 match address acl-amzn
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
    crypto map outside_map 2 set transform-set transform-amzn
    crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 3
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 11
    authentication pre-share
    encryption aes-192
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 12
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 13
    authentication pre-share
    encryption aes-192
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 21
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 22
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 23
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 31
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 32
    authentication rsa-sig
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 33
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 34
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    Result of the command: "show run group-policy"
    group-policy evertest internal
    group-policy evertest attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy petero internal
    group-policy petero attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy awsfilter internal
    group-policy awsfilter attributes
    vpn-filter value amzn-filter
    group-policy vpnpptp internal
    group-policy vpnpptp attributes
    dns-server value 10.100.25.252
    vpn-tunnel-protocol l2tp-ipsec
    group-policy vanheelm internal
    group-policy vanheelm attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy ciscoVPNuser internal
    group-policy ciscoVPNuser attributes
    dns-server value 10.100.25.10
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy chauhanv2 internal
    group-policy chauhanv2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy oterop internal
    group-policy oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy Oterop internal
    group-policy Oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    group-policy chauhanv internal
    group-policy chauhanv attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy bnixon2 internal
    group-policy bnixon2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    Result of the command: "show run tunnel-group"
    tunnel-group ciscoVPNuser type remote-access
    tunnel-group ciscoVPNuser general-attributes
    address-pool vpnippool
    default-group-policy ciscoVPNuser
    tunnel-group ciscoVPNuser ipsec-attributes
    pre-shared-key *****
    tunnel-group petero type remote-access
    tunnel-group petero general-attributes
    address-pool vpnippool
    default-group-policy petero
    tunnel-group petero ipsec-attributes
    pre-shared-key *****
    tunnel-group oterop type remote-access
    tunnel-group oterop general-attributes
    address-pool vpnippool
    default-group-policy oterop
    tunnel-group oterop ipsec-attributes
    pre-shared-key *****
    tunnel-group vanheelm type remote-access
    tunnel-group vanheelm general-attributes
    address-pool vpnippool
    default-group-policy vanheelm
    tunnel-group vanheelm ipsec-attributes
    pre-shared-key *****
    tunnel-group chauhanv type remote-access
    tunnel-group chauhanv general-attributes
    default-group-policy chauhanv
    tunnel-group Oterop type remote-access
    tunnel-group Oterop general-attributes
    default-group-policy Oterop
    tunnel-group chauhanv2 type remote-access
    tunnel-group chauhanv2 general-attributes
    address-pool vpnippool
    default-group-policy chauhanv2
    tunnel-group chauhanv2 ipsec-attributes
    pre-shared-key *****
    tunnel-group bnixon2 type remote-access
    tunnel-group bnixon2 general-attributes
    address-pool vpnippool
    default-group-policy bnixon2
    tunnel-group bnixon2 ipsec-attributes
    pre-shared-key *****
    tunnel-group vpnpptp type remote-access
    tunnel-group vpnpptp general-attributes
    address-pool vpnippool
    default-group-policy vpnpptp
    tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest type remote-access
    tunnel-group evertest general-attributes
    address-pool vpnippool
    default-group-policy evertest
    tunnel-group evertest ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest ppp-attributes
    authentication ms-chap-v2
    tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
    pre-shared-key *****
    tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
    INFO: There are presently no active sessions of the type specified
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
    INFO: There are presently no active sessions of the type specified

  • USB Pass-Through From Windows 8.1 Host To Windows Server 2012 R2 VM

    I want to be able to connect with a Windows Mobile Device through Windows Mobile Device Center, within a Virtual Machine.  When connecting through the Hyper-V Manager and through Remote Desktop, under "Other supported RemoteFX USB devices",
    I can see the Symbol USB Sync Cradle.  In the VM, in Device Manager, I don't see a USB connection.  In the VM, I don't see any meaningful errors in the Event Viewer.
    Host:  Windows 8.1 Enterprise Hyper-V on a Domain.  Upgraded from Windows 8.1 Pro.  When this computer was originally installed with Windows 8 Pro, Hyper-V was enabled.  I removed Hyper-V, and installed VMWare Player, because I wanted
    USB Pass-through.  I then uninstalled VMWare and installed VirtualBox.  Recently, I uninstalled VirtualBox, upgraded to Windows 8.1 Enterprise, and enabled Hyper-V.
    Virtual Machine OS: Windows Server 2012 R2 on a Workgroup.  Started out with being a VMWare VM, using VMWare Player.  Moved to VirtualBox.  USB Pass-through was working in both those virtual environments.  Used Disk2VHD to convert the
    VM to a VHDX file.
    On the Host:
    Windows Mobile Device Center is connected to a Motorola Windows Mobile Device (MC959X) sitting in a Symbol USB Cradle.  The OS on the scanner is Windows Embedded Handheld 6.5 Classic CE OS 5.2.29217 (Build 29217.5.3.12.26).  Advanced Networking
    (USB to PC) is not enabled.
    Enabled RemoteFX. 
    In the RDP file, and in the Registry, added the GUIDs for:
    WPD "{eec5ad98-8080-425f-922a-dabf3de3f69a}";
    Windows Mobile "{6AC27878-A6FA-4155-BA85-F98F491D4F33}";
    USB Device "{88BAE032-5A81-49f0-BC3D-A4FF138216D6}";
    Windows CE USB Device "{25dbce51-6c8f-4a72-8a6d-b54c2b4fc835}";
    GUID_DEVINTERFACE_USB_DEVICE "{A5DCBF10-6530-11D2-901F-00C04FB951ED}"
    Ran "sfc /scannow"
    All Microsoft Updates are current.
    What am I missing?

    I hope it's something like that. Those features have been installed.  Here's what PowerShell shows is installed:
    PS C:\Windows\system32> Get-WindowsFeature |Where {$_.Installed -eq "True"} | ft DisplayName, Installed
    DisplayName                                       Installed
    File and Storage Services                         True
    File and iSCSI Services                           True
    File Server                                       True
    Storage Services                                  True
    Remote Desktop Services                           True
    Remote Desktop Licensing                          True
    Remote Desktop Session Host                       True
    Web Server (IIS)                                  True
    Web Server                                        True
    Common HTTP Features                              True
    Default Document                                  True
    Directory Browsing                                True
    HTTP Errors                                       True
    Static Content                                    True
    HTTP Redirection                                  True
    Health and Diagnostics                            True
    HTTP Logging                                      True
    Performance                                       True
    Static Content Compression                        True
    Security                                          True
    Request Filtering                                 True
    Windows Authentication                            True
    Application Development                           True
    .NET Extensibility 3.5                            True
    .NET Extensibility 4.5                            True
    ASP.NET 3.5                                       True
    ASP.NET 4.5                                       True
    ISAPI Extensions                                  True
    ISAPI Filters                                     True
    Management Tools                                  True
    IIS Management Console                            True
    .NET Framework 3.5 Features                       True
    .NET Framework 3.5 (includes .NET 2.0 and 3.0)    True
    .NET Framework 4.5 Features                       True
    .NET Framework 4.5                                True
    ASP.NET 4.5                                       True
    WCF Services                                      True
    TCP Port Sharing                                  True
    Ink and Handwriting Services                      True
    Media Foundation                                  True
    Remote Server Administration Tools                True
    Role Administration Tools                         True
    Remote Desktop Services Tools                     True
    Remote Desktop Licensing Diagnoser Tools          True
    Remote Desktop Licensing Tools                    True
    SMB 1.0/CIFS File Sharing Support                 True
    User Interfaces and Infrastructure                True
    Graphical Management Tools and Infrastructure     True
    Desktop Experience                                True
    Server Graphical Shell                            True
    Windows PowerShell                                True
    Windows PowerShell 4.0                            True
    Windows PowerShell 2.0 Engine                     True
    Windows PowerShell ISE                            True
    WoW64 Support                                     True

  • OBIEE and Essbase security pass through

    Hi All,
    I'm using Essbase as a data source for OBIEE. Right now I'm trying to use Hyperion security to pass through OBIEE. I've set up OBIEE to use Hyperion Shared Services as a custom authenticator and Hyperion users can log in. However, I'm having a problem passing the users through to Essbase. I've changed the Essbase connection pool to use :USER and :PASSWORD. When I tried to check for global consistency, I got the following error:
    [38098] The password in the Connection Pool '"server"."Connection Pool"', associated with the Repository Initialization Block '"SUB_VAR_BLOCK_server"', contains the use of :USER or :PASSWORD.
    When I tried to open any existing Essbase reports from OBIEE, I'm getting this error (as expected)
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. Essbase Error: Login fails due to invalid login credentials (HY000)
    Any ideas on how to get around this issue? Thanks
    Regards,
    Gerd

    Hi Gerd,
    Could you please explain in detail how you have setup OBIEE to use Hyperion Shared Services as custom authenticator so that Hyperion users can log into OBIEE?
    Please provide the steps and custom authenticator function?
    We would need to implement it from scratch, so your help would be greatly appreciated.

  • McAfee EEMAC Login pass through

    Our Security team at my company wants to install McAfee's Endpoint Encryption on our Mac laptops. Our Macs are bound into AD and end users login with a user ID and password.
    McAfee's Endpoint Encryption login modifies the boot process so that the user logs into McAfee first (AD user ID and password) and then gets to the Mac login screen. I'm wondering if anyone else has a similar configuration, but has developed a login hook to pass through the McAfee user authentication to the Mac's login so the end user only has to login one time.
    Any advice is appreciated... thanks!

    Two problems with trying that:
    a) Not an available option. If I open the control panel I see eight options: System & Security, Network & Internet, Hardware & Sound, Programs, User Accounts and Family Safety, Appearance and Personalization, Clock, Language, and Region, and Ease of Access. No "Change Biometric Settings".
    This is Windows 7 Pro 64 bit.
    b) I could have done more on introduction but didn't see the need. While these little computers aren't THAT familiar to me I am retired from decades in the cypher mines in the world of large mainframes. So I know SOMETHING about the problem. When Windows is booting up it will start a number of tasks (services) ending with the one that will produce the log in screen. Or in this case, two such routines, one first displaying the fingerprint log in screen, then, after a few seconds, running another routine that brings up the normal password sign in screen. At least, that's what happens when it doesn't "stall".
    I am asking if anybody can tell me how I turn off the first. It isn't clear that turning off the device that this first routine is trying to access wouldn't make things even worse (unclear that disabling the device would remove the routine from the list of things Windows does when coming up -- perhaps the "stall" is even related to it not getting a "ready" response from the fingerprint reader).
    I am new to Windows7. If still under Windows XP I know there is something that I run that brings up the "things to do while starting up" where you can check or uncheck things (I'd have to find my notes to give more details) but I don't know what that would be under Windows 7 nor, if I got there, the name of the "fingerprint log in" routine to uncheck nor the name of the routine to check that devices without a fingerprint reader would use.
    PROBLEM STILL OPEN

  • Disable Pass-through

    Hi
    I imported a big update.xml with pass-through authentication configuration ... Now I can't log in web admin console as configurator. How can I disable the great pass-through?
    Big Thanks
    JXXE

    Hey JXEE,
    This is in case you still haven't solved the passthrough, configurator login problem.
    I once faced a similar situation, where one of our administrators configured passthrough login. What he did was, while creating the "passthrough login module group", he added the "resource Login Module" to the "passthrough login module group" but removed the "Default Lighthouse Login Module" from the group. After that the users could log in to IDM using the resource login password but configurator could not log in at all as the "Default Lighthouse Login Module" was removed from the Login Module Group.
    After trying so many options the only thing that worked for me was preserving the IDM repository, which in this case is MySQL, to preserve already created users, roles, resources etc. and then preserving WPMessages.properties, styles.css and images folder to preserve the customization and then reinstalling Sun IDM. By making the new IDM installation point to the preserved repository and overwriting the new WPMessages.properties, Styles.css and images folder with the preserved WPMessages.properties, Styles.css and images folder I managed to restore the IDM properly.
    Looks like you too have a similar problem. Hope this procedure would work for you. One reminder though, you may want to recreate the problem in a test environment and try this remedy before you try it on your production.
    Hope this would help.
    Thanks,
    SunCrazy

  • Pass Through Auth Not Using Novell eDirectory Over RDP - Virtual Desktop

    Hi,
    I have installed and configured SGD and the Virtual Desktop Adapter to a Virtual Center server. So far that whole side of things is working great. Machines are cloned, prepped and connected to by users through the My Desktop link in SGD. Now that I am attempting to perfect the master template I have encountered some issues. The network here is Novell eDirectory and at the moment when the desktop is launched the username and password used to authenticate to the SGD webtop are passed through to the Virtual Machine, but it seems that they are passed through to the Windows Authentication System/GINA even though the Novell client is in place.
    The virtual machines are Windows XP and by default none of the user accounts exist locally, so of course the login fails. This drops the user back to the login box where it can be seen that the Workstation Only tick box is checked. Settings in the Novell client to always default to eDirectory authentication, forget last setting used etc. have all been set properly. Even when hiding the Workstation Only tickbox the username and password are still passed to local system authentication.
    I need to get the username and password sent to the Novell eDirectory authentication system/GINA in order for Zenworks to create the user on the local system. When dropping back to the login box and manually unticking the Workstation Only box login proceeds normally. Drives are mapped and the local user account is created by the Zenworks agent.
    Is SGD specifically targeting an authentication subsystem within the virtual machine, regardless of your installed authentication handler/GINA preference order? Can I get SGD to pass the details to the Novell client? Barring that, is there some way I can prevent SGD passing the details? I tried turning off some of the authentication details caching etc. but some of that is needed to rename the virtual machines after the user connecting. For the time being having users authenticate twice would be acceptable; having them log in, then get an error message, then manually untick Workstation Only, then log in again is not acceptable.
    I have been searching these forums, Novell forums, Terminal Server forums for answers but so far nothing has been of any help. Please note that the login box is not the cut down/windows only login box that users are seen when they connect over RDP to a machine that already has a user logged in locally. There is no user logged in locally and the full login box is presented once the login failed message is cleared.
    Any help, or even a nudge in the right direction would be great.
    Thanks
    Russ

    Hi,
    Thanks for taking the time to respond. I tried the full context user name path as well, but it's definitely just being passed to a different GINA. The only credentials that determine if you have RDP access to a server are the local machine's credentials, so Microsoft have the service pass authentication straight to the Microsoft GINA non-interactively instead of honouring the installed GINAs. So it will fail no matter what I put in since the account doesn't exist locally yet. People have implemented solutions that depend on Active Directory domains, but that's what I am trying to avoid.
    In that situation the AD Domain would allow access to the local machine based on Windows permissions, and a registry setting TSAutoLogin or something would trigger the Novell log in in parallel to map the Netware shared volumes. With no domain you can't get the initial log in triggered for the Novell client to kick in.
    Connecting to the virtual machine using an RDP client without pre-entering authentication information does show the Novell Login (NWGINA) with all the right settings in place, so I have modified the expect (login) script for SGD not to automatically pass log in information through with the RDP connection it makes. The result is a clean Novell login box without any errors that a user can just enter their details into a second time.
    Russ

  • Pass Through plugin

    Hi Dudes,
    When using the 'Pass Through Authentication' plugin the Directory Server bind requests are redirected to the Directory Server specified as argument(s) in the PTA configuration.
    My question is: does the PTA also handle group evaluation...?
    For example in ACI:
    Does NOT function properly.
    aci: (targetattr = "*")(version 3.0; acl "Enable Read-Only access for Directory Services Managers Group"; allow (read,search,compare)(groupdn = "ldap:///cn=Administrators,cn=dscc");)
    Does function properly.
    aci: (targetattr = "*")(version 3.0; acl "Enable Read-Only access for Directory Services Managers Group"; allow (read,search,compare)(userdn = "ldap:///cn=\*,cn=Administrators,cn=dscc");)
    Can anybody provide a solid explanation of this behaviour?
    Regards,
    Bhagt Rajaram
    Edited by: gonzales on May 6, 2008 5:10 AM

    PTA doesn't deal with ACI and group evaluation.
    PTA only forwards the authentication to a remote server (Bind request).
    The ACI doesn't work because the groupdn is not a local group and the server doesn't know how to compute membership.
    Regards,
    Ludovic.
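
    The behaviour described in this answer, as an added example that is not part of the original thread and is not Directory Server code: a simplified Python model in which PTA forwards only the bind, a userdn rule is a pattern match on the bind DN, and a groupdn rule needs the group entry in the local data. The `Server` class, its method names, the `uniquemember` layout and the sample entries are assumptions constructed for illustration.

```python
# Simplified model, constructed for illustration; not Directory Server code.
import hmac
from fnmatch import fnmatchcase

def norm(dn):
    """Lowercase a DN, drop an ldap:/// prefix and spaces around commas."""
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip().lower() for part in dn.split(","))

class Server:
    def __init__(self, entries, pta_suffix=None, pta_target=None):
        self.entries = {norm(dn): attrs for dn, attrs in entries.items()}
        self.pta_suffix = norm(pta_suffix) if pta_suffix else None
        self.pta_target = pta_target

    def bind(self, dn, password):
        """Return the authenticated bind DN, or None if the bind fails."""
        dn = norm(dn)
        s = self.pta_suffix
        if s and (dn == s or dn.endswith("," + s)):
            # PTA: only the bind request is forwarded to the remote server.
            ok = self.pta_target.bind(dn, password) is not None
        else:
            stored = (self.entries.get(dn) or {}).get("userpassword")
            ok = stored is not None and hmac.compare_digest(stored, password)
        return dn if ok else None

    def userdn_allows(self, bind_dn, pattern):
        """userdn: a pattern match on the bind DN string; no entry is read."""
        return fnmatchcase(bind_dn, norm(pattern))

    def groupdn_allows(self, bind_dn, group_dn):
        """groupdn: membership is computed from the group entry held in this
        server's own data; PTA does not fetch it from the remote server."""
        group = self.entries.get(norm(group_dn))
        if group is None:
            return False
        return bind_dn in {norm(m) for m in group.get("uniquemember", [])}

# Constructed sample data: the remote server holds the cn=dscc tree.
REMOTE = Server({
    "cn=Administrators,cn=dscc": {
        "uniquemember": ["cn=admin,cn=Administrators,cn=dscc"]},
    "cn=admin,cn=Administrators,cn=dscc": {"userpassword": "example-only"},
})
# The local server holds other data and passes cn=dscc binds through.
LOCAL = Server({"dc=example,dc=com": {}},
               pta_suffix="cn=dscc", pta_target=REMOTE)

GROUP_RULE = "ldap:///cn=Administrators,cn=dscc"    # groupdn from the post
USER_RULE = "ldap:///cn=*,cn=Administrators,cn=dscc"  # userdn from the post

def evaluate(password="example-only"):
    """Bind through PTA on LOCAL, then evaluate both bind rules."""
    who = LOCAL.bind("cn=admin,cn=Administrators,cn=dscc", password)
    if who is None:
        return {"bound": False}
    return {
        "bound": True,
        "userdn_local": LOCAL.userdn_allows(who, USER_RULE),
        "groupdn_local": LOCAL.groupdn_allows(who, GROUP_RULE),
        "groupdn_remote": REMOTE.groupdn_allows(who, GROUP_RULE),
    }

if __name__ == "__main__":
    print(evaluate())
```

    In this model the wildcard userdn rule grants access by where the bind DN sits in the tree rather than by group membership, so it covers every identity that can bind under cn=Administrators,cn=dscc.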

  • How does client certificate get passed through TMG/ISA to destination server (eg. SCCM)?

    To avoid the 403.7 errors when the destination server requires certificate authentication, how does SSL bridging reverse proxy inspect the traffic for safety without breaking the certificate authentication?
    I'm not asking for specific configuration steps on this.  I just want an easy to understand overview on the process of how the laptop or smartphone authentication device certificate would pass through while TMG/ISA is still protecting the destination from attacks.

    I'm not sure if SSL Bridging is the same with Cert Authentication,...but...
    The way it works when Bridging SSL for published SSL web sites is by the ISA having a copy of the same Cert used on the published site.  You buy the cert for the Site and install it on the web server and get it set up with the site,..then export it with the private key.  Take the exported Cert and install it on the TMG and configure it into the Web Publishing Rule.
    The SSL tunnel coming in terminates at the TMG,...meaning the SSL Tunnel was only between the user and the TMG (not between the user and the site as it would appear on the surface). Then the traffic is inspected or whatever would be intended to do with it.
    Then a new distinct independent SSL Tunnel is created between the TMG and the SSL Site and the traffic is passed on to the site at that point.  AFAIK, the Reverse Proxy only happens between the two tunnels while the traffic is unencrypted.

  • Does user traffic pass through Controller and Aironet 1030?

    Hi All,
    I want to sort out some questions for which I cannot find an exact guideline from Cisco. I intend to implement 2 Airespace 2000 controllers and some 1010s and one 1030 at my main office and branch office. At present, there is a 512kbps WAN link between these two offices. So I don't want to let the traffic within the branch office pass through the WAN link. Therefore, I intended to use the solution where 1 controller stays in the main office to serve the 1010s in the main office and 1 controller stays in the remote office to serve the 1010s in the remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 in the branch office and keep 2 controllers in the main office for controller redundancy. I would like to know: does the clients' traffic pass through the link between the 1030 and the controller, the same as with the 1010? I am very confused about whether the 1030 has this feature because I found some blurry instructions about the 1030 from Cisco.
    Further, if I place one of the controllers in the remote office, how can I make the APs in the remote office choose the local controller instead of the controller in the main office using the Layer 3 discovery method? Does anyone know? Thanks!
    Jason,
    best regards,

    Hi Jason,
    Hopefully this info will clear this up for you;
    Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
    A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
    Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
    Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
    A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
    At times of WAN link outage, all WLANs except the first are decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
    Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
    If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
    From this doc;
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
    Hope this helps!
    Rob
    Please remember to rate helpful posts.....

  • Data has changed after passing through FIFO?

    Dear experts,
    I am currently working on a digital triangular shaping using the 7966R FPGA + 5734 AI. I am using LabView 2012 SP1.
    Some days ago I have encountered a problem with my FIFOs that I have not been able to solve since. I'd be glad if somebody could point out a solution/ my error.
    Short description:
    I am writing U16 variables between ~32700-32800 to a U16 configured FIFO. The FIFO output does not coincide with the data I have been writing to the FIFO but is rather bit-shifted or something is added. This problem does not occur if I execute the VI on the dev. PC with simulated input.
    What I have done so far:
    I am reading all 4 channels of the 5734 inside a SCTL. The data is stored in 4 feedback nodes I am applying a triangular shaping to channel 0 and 1 by using 4 FIFOs that have been prefilled with a predefined number of zeros to serve as buffers. So it's something like (FB = Feedback node):
    A I/O 1  --> FB --> FIFO 1 --> FB --> FIFO 2 --> FB --> Do something
    A I/O 2  --> FB --> FIFO 3 --> FB --> FIFO 4 --> FB --> Do something
    This code shows NO weird behaviour and works as expected.
    The Problem:
    To reduce the amount of FIFOs needed I then decided to interleave the data and to use only 2 FIFOs instead of 4. You can see the code in the attachment. As you can see I have not really changed anything to the code structure in general.
    The input to the FIFO is a U16. All FIFOs are configured to store U16 data.
    The data that I am writing to the FIFO can be seen in channel 0 of the output attachment.
    The output after passing through the two FIFOs can be seen in channel 2 of the same picture.
    The output after passing through the first FIFO (times 2) can be seen in channel 3 of the picture.
    It looks like the output is bit-shifted and truncated as it enters Buffer 1. Yet the difference between the input and output is not exactly a factor of 2. I also considered the possibility that the FIFO adds both write operations (CH0 + CH1) but that also does not account for the value of the output.
    The FIFOs are all operating normally, i.e. none throws a timeout. I also tried several different orders of reading/writing to the FIFOs and different ways of ensuring this order (i.e. case structures, flat and stacked sequence). The FIFOs are also large enough to store the amount of data buffered no matter if I write or read first.
    Thank you very much,
    Bjorn
    Attachments:
    FPGA-code.png ‏61 KB
    FPGA-output.png ‏45 KB

    During the last couple of days I tried the following:
    1. Running the FPGA code on the development PC with simulated I/O. The behavior was normal, i.e. like I've intended the code to perform.
    2. I tested the code on the development PC with the square and sine wave generation VI as 'simulated' I/O. The code performed normal.
    3. I replaced the FIFOs with queues and ran my logic on the dev. PC. The logic performed totally normal.
    4. Right now the code is compiling with constants as inputs like you suggested...
    I am currently trying to get LabView 2013 on the development machine. It seems like my last real hope is that the issue is a bug in the XILINX 13.4 compiler tools and that the 14.4 tools will just make it disappear...
    Nevertheless I am still open for suggestions. Some additional info about my FIFOs of concern:
    Buffer 1 and 2:
    - Type: Target Scoped
    - Elements Requested: 1023
    - Implementation: Block Memory
    - Control Logic: Target Optimal
    - Data Type: U16
    - Arbitrate for Read: Never Arbitrate
    - No. Elements Per Read: 1
    - Arbitrate for Write: Never Arbitrate
    - No. Elements Per Write: 1
    The inputs from the NI 5734 are U16 so I am wiring the right data type to the FIFOs. I also don't have any coercion dots within my FPGA VI. And so far it has only occurred after the VI has been compiled onto the FPGA. Could some of the FIFOs/block memory be corrupted because we have written stuff onto the FPGA too often?
