AD FS Device Registration CNAME records
I researched all over but couldn't find an answer; I am hoping someone can help me or lead me to a solution/answer. I have two (2) AD FS farms in the same Active Directory domain. I will call them sts.contoso.com and sts-test.contoso.com. I need to set up/enable device registration on both, first sts-test and then sts. Everywhere I have read it says to use EnterpriseRegistration.contoso.com for DNS/CNAME. Can I use any other name than EnterpriseRegistration? The issue I am facing is that both my AD FS farms use the same internal DNS at contoso.com, so if I create a CNAME EnterpriseRegistration.contoso.com and link it to sts-test.contoso.com, then I will not be able to create another CNAME EnterpriseRegistration.contoso.com and link it to sts.contoso.com.
Can I modify this DNS suffix to, say, EnterpriseRegistration1.contoso.com and EnterpriseRegistration2.contoso.com? Will this work?
Thanks
Isaac Oben MCITP:EA, MCSE, MCC
Hi Isaac, no, I don't believe that's possible. I'd suggest using another (subordinate) zone, e.g. test.contoso.com, and then placing the appropriate records beneath it, or using a different domain. There's nothing that binds the chosen AD FS domain name to the AD domain per se, so it could even be foo.com, assuming the appropriate zone is registered for internal and external (internet) use.
http://blog.auth360.net
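As an added example that is not from the thread, here is PowerShell for the Windows DNS server that implements the subordinate-zone approach described above: the production farm keeps enterpriseregistration.contoso.com, and the test farm gets its own zone, test.contoso.com, with its own enterpriseregistration CNAME. The zone names, farm hostnames and the -ReplicationScope value are assumptions.

```powershell
# Added example, not from the thread. Assumes an AD-integrated DNS server for
# contoso.com and two AD FS farms: sts.contoso.com (production) and
# sts-test.contoso.com (test). Workplace Join clients look up
# enterpriseregistration.<UPN suffix of the user>, so test users need a UPN
# suffix of test.contoso.com for the second record to be used at all, and the
# AD FS certificate of each farm needs its enterpriseregistration name as a SAN.

$ProdZone = 'contoso.com'
$TestZone = 'test.contoso.com'   # subordinate zone for the test farm

# Create the subordinate zone once (skip if it already exists).
if (-not (Get-DnsServerZone -Name $TestZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $TestZone -ReplicationScope 'Domain'
}

# One enterpriseregistration CNAME per zone; each can only point at one farm.
$records = @(
    @{ Zone = $ProdZone; Alias = 'sts.contoso.com' },
    @{ Zone = $TestZone; Alias = 'sts-test.contoso.com' }
)

foreach ($r in $records) {
    $existing = Get-DnsServerResourceRecord -ZoneName $r.Zone -Name 'enterpriseregistration' `
                    -RRType CName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $r.Zone -Name 'enterpriseregistration' `
            -HostNameAlias $r.Alias
    }
}

# Verify: each name must resolve to its own farm and nothing else.
foreach ($r in $records) {
    $fqdn   = "enterpriseregistration.$($r.Zone)"
    $answer = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
              Where-Object { $_.Type -eq 'CNAME' }
    if ($answer.NameHost -ne $r.Alias) {
        Write-Warning "$fqdn points at $($answer.NameHost), expected $($r.Alias)"
    } else {
        Write-Output "$fqdn -> $($answer.NameHost) OK"
    }
}
```

The same two names must also exist in the public zones if devices register from the internet, pointing at whatever fronts each farm (proxy or farm VIP).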
Similar Messages
-
I'm running the DNS server role on Windows Server 2012 R2 on a physical machine on my home network.
My AD is configured with a non-registered name - let's say it's "home.acme.ca" - and the DNS server is configured to host that zone. I also configured a 2nd zone in the DNS server called "myinf.acme.ca". They both run on a physical server with an IP of 192.168.1.10.
The DHCP server on my Cable Modem is configured to hand out 192.168.1.10 as the only DNS server to every device on my network. On my servers (with static IP addresses), 192.168.1.10 is configured as the only DNS server available for them.
I took the DNS servers from my Cable Provider and configured a Forwarder on my server to send name resolution requests to them only if my DNS server cannot answer the request - basically for any name resolution request that does not end with ".home.acme.ca" or ".myinf.acme.ca".
The "home.acme.ca" zone is populated with 'A' records for all of the physical and virtual servers and PCs on my network.
The "myinf.acme.ca" zone is populated with 'CNAME' records that point directly to the 'A' record in "home.acme.ca" - for example, I have a server named s000abc123ww.home.acme.ca with an 'A' record providing an IP address of 192.168.1.20 and I created a 'CNAME' (alias) record named 'webserver.myinf.acme.ca' which points to the 'A' record 's000abc123ww.home.acme.ca'.
2 of my 6 machines can resolve the alias but not the real name of the server!
.10 is the Domain Controller. All of the other machines (except .98) are members of the home.acme.ca domain.
I attempted to ping 's000abc123ww.home.acme.ca' AND 'webserver.myinf.acme.ca' on the following 6 computers. I used the fully qualified name in all cases.
4 of the below machines are able to resolve BOTH names. The other 2 can resolve the Alias but not the real name!
I don't understand how this is possible, but I would like to fix it...!!! Please help?
.10 - Server 2012 R2 (Physical) - Hosts Active Directory and DNS.
.20 - Server 2012 R2 (Virtual) - Runs SQL Server
.21 - Server 2012 R2 (Virtual) - Runs Apache
.22 - Server 2012 R2 (Virtual) - Runs Apache. This is the device I am trying to ping (s000abc123ww)
.98 - Windows 7 (Physical)
.99 - Windows 7 (Virtual)
.21 (which is configured nearly identically to .20 and .22) can resolve and ping the Alias, but not the real name.
.98 can also resolve and ping the Alias, but not the real name.
The rest of the machines can resolve and ping both the alias and the real name.
All of the Virtual Machines are running under Hyper-V on the .10 physical server.
All the devices are on the same subnet.
Thanks in advance to anyone who can help me understand and correct this problem!
Jim
Hi,
CNAME resource records are recommended for use in the following scenarios:
• When a host that is specified in an A resource record in the same zone needs to be renamed
• When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide the same service, for example, a group of redundant Web servers
Therefore please try to create your CNAME record in the same zone and try again.
The related KB:
Adding, Changing, and Deleting Resource Records
http://technet.microsoft.com/en-us/library/cc779020(v=ws.10).aspx
Hope this helps.
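As an added example that is not part of the thread, this PowerShell diagnostic can be run on each of the six machines to show where resolution of the real name and the alias diverges: it queries 192.168.1.10 directly, then the local resolver, then the client cache, and prints the client's resolver and suffix settings. The names and server address are the ones from the question.

```powershell
# Added example, not from the thread. Run on each affected client (e.g. .21 and .98)
# and compare its table with one from a working client. Names and server are the
# ones given in the question; adjust if yours differ.

$DnsServer = '192.168.1.10'
$Names     = @('s000abc123ww.home.acme.ca', 'webserver.myinf.acme.ca')

function Test-NameResolution {
    param([string]$Name, [string]$Server)
    $result = [ordered]@{ Name = $Name }

    # 1. Ask the DNS server directly, bypassing cache, hosts file and suffix list.
    try {
        $direct = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
        $result.Server = ($direct | Where-Object { $_.Type -in 'A', 'CNAME' } |
            ForEach-Object { if ($_.Type -eq 'CNAME') { $_.NameHost } else { $_.IPAddress } }) -join ','
    } catch { $result.Server = "FAIL: $($_.Exception.Message)" }

    # 2. Ask the local resolver the way an application would (cache, hosts file,
    #    LLMNR/NetBIOS fallback all included).
    try {
        $local = Resolve-DnsName -Name $Name -ErrorAction Stop
        $result.Client = ($local | Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }) -join ','
    } catch { $result.Client = "FAIL: $($_.Exception.Message)" }

    # 3. What the client cache currently holds for this name, if anything.
    $cached = Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue
    $result.Cached = if ($cached) {
        ($cached | ForEach-Object { "$($_.Data) (TTL $($_.TimeToLive))" }) -join ','
    } else { 'none' }

    [pscustomobject]$result
}

# Which resolvers and suffixes does this client actually use?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseSuffixSearchList

$Names | ForEach-Object { Test-NameResolution -Name $_ -Server $DnsServer } |
    Format-Table -AutoSize

# Reading the table: a FAIL in the Server column means the zone itself lacks the
# record; Server OK but Client FAIL (or a stale Cached entry) points at the client
# side, in which case compare the resolver list above with a working machine.
```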
-
I have one application proxy and one adfs server. Right now normal sso works (utilizing Office 365 services). I am trying to configure two-factor using device registration. I was able to join an internal computer using Workplace join.
I am trying to install an iPhone that's connected to the public internet. I can get to the otaprofile fine, but when I click install I get an error saying "A connection to the server could not be established." I ran the update command on my proxy
server. Backend servers are enabled and initialized.
In my certificate, I added enterpriseregistration as a SAN. My common name is sts.companyname.com. Public DNS has a CNAME from enterpriseregistration to sts; sts is an A record pointing to the proxy server. The proxy server is using a hosts file to reach the internal servers.
Any thoughts? Am I missing something?
-- Michael
Hello,
please see
http://social.technet.microsoft.com/Forums/windowsserver/en-US/195399e6-b5dd-46cf-a351-228bd62b24d8/adfs-specific-question-post-on-the-adfs-forum?forum=winserverDS
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
-
How do I skip the Device Registration Portal for Cisco ISE web portal
I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 running 7.4. After logging into the initial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!
Hello Scoot,
You make a list of the MAC addresses of corporate devices and set a rule so that if authentication doesn't happen, only these devices can do the self-registration.
I hope this works for you -
Hello,
We are at the beginning of evaluating the Sybase Unwired Platform and are stuck in the following situation.
We created an MBO, deployed it to the SUP server, generated the iOS code, included it in our app and are now trying to connect to the server with the following settings:
DEVICE:
ServerName: myServer.local (the sup is running in a VM)
ServerPortSetting: 5001
CompanyIDSetting: 0
UserNameSetting: supAdmin
ActivationCodeSettings: 123
URL Prefix: /tm?cid=%cid%
SCC- Device Registration:
Activation user name: supAdmin
Server name: myServer
Port: 5001
FarmID: 0
Activation Code: 123
For the connect we use the following code:
    // Synchronization profile for the generated database class
    SUPConnectionProfile* cp = [iMAM_IMAMDB getSynchronizationProfile];
    [cp setDomainName:@"default"];
    // Set log level
    [MBOLogger setLogLevel:LOG_INFO];
    // Create the local database on first run only
    if (![iMAM_IMAMDB databaseExists]) {
        [iMAM_IMAMDB createDatabase];
    }
    CallbackHandler* databaseCH = [CallbackHandler newInstance];
    [iMAM_IMAMDB registerCallbackHandler:databaseCH];
    [iMAM_IMAMDB startBackgroundSynchronization];
    // Start the messaging client and wait until it reports a connection
    NSInteger stat = [SUPMessageClient start];
    if (stat == kSUPMessageClientSuccess) {
        while ([SUPMessageClient status] != STATUS_START_CONNECTED) {
            [NSThread sleepForTimeInterval:0.2];
            NSLog(@"wait for connection to the sup server!");
        }
        // Log in once the transport is up and wait for the login to complete
        [iMAM_IMAMDB beginOnlineLogin:@"supAdmin" password:@"s3pAdmin"];
        while ([iMAM_IMAMDB getOnlineLoginStatus].status == SUPLoginPending) {
            [NSThread sleepForTimeInterval:0.2];
            NSLog(@"wait for connection to the sup server!");
        }
    }
The problem is that we are currently not leaving the first while loop, meaning we do not get a connection to the SUP server. In the SCC I do not see any incoming requests from my device - "Activation still pending".
Any clue what causes this strange behaviour?
Are there any further Sybase monitoring capabilities which help me to get more information about this?
In general the Sybase SCC can be reached by the device, which means that the TCP channel is open.
We are running on sybase 1.5.5 and iOS 4.2.
Looking forward to share my experiences with you here.
Jens
Hi, try to use the same server name in SCC (myServer.local).
Does the program run on the device or on the simulator? Try to telnet to myServer.local on port 5001.
If it still doesn't work, try this:
    if (result == kSUPMessageClientSuccess) {
        // Asynchronous login; the callback handler counts successful logins
        [iMAM_IMAMDB asyncOnlineLogin:@"supAdmin"
                             password:@"s3pAdmin"];
        while ([databaseCH loginSuccessCount] < 1) {
            [NSThread sleepForTimeInterval:1];
        }
        [window addSubview:navController.view];
        [window makeKeyAndVisible];
    } else {
        [self showNoTransportAlert:result];
    }
Edited by: Alessandro Iannacci on Apr 6, 2011 10:43 AM -
ISE 1.2 device registration with MAB only, no client provisioning
Hello,
Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
I do not want to push certificates or native supplicant profiles to client devices.
I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
Am I really obliged to use native supplicant provisioning to register my device?
GN
Hi
Device Registration web auth is a process where you can configure users without client provisioning.
In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC. -
ISE 1.2 Guest Portal - Device registration portal
Hello,
I have a problem with the following setup:
- Cisco ISE 1.2 (latest patch)
- Cisco WiSM with 7.0.220.0 (first generation)
I have built Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with an iPad the client is redirected to the ISE guest portal and the user can enter his credentials (delivered by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and needs to register his MAC address.
We have tried a lot of different settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
Please can someone help me to find a solution for this problem?
Thank you in advance.
I know this might be reaching, but have you turned off the My Devices portal?
If so, an idea of the different settings you have already tried might help.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
ISE 1.2 Device registration problem
I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
I cannot seem to find any information on those errors from the manuals.
What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
ISE 1.2
Hi Harri,
What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
Therefore if you are using the custom portal, can you instead try with a default portal?
Thanks,
Aastha -
Ise 1.2 Device Registration not auto filling the MAC field
Hello
I have installed 1.2 and when guests log in, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC address is empty; I can remember it was prefilled in previous ISE versions.
Is this normal behavior on 1.2? I have configured calling station ID on MAC instead of IP; are there any other things that I need to configure to get this working?
90% of the users don't know what a MAC address is, or where to find it.
Greetings
Steven
Peter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
Steven, it sounds like you have enabled the option in the Guest Portal to allow Device Registration. This option is intended to be used by Guest accounts only and does NOT support auto-populate of MAC address. This was a very limited feature introduced in 1.0.
This feature should not be confused with the DRW or NSP flows for device registration. For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7. However, the CWA+NSP flow will not work for guest user accounts if you enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users. That said, it will still work if you redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
I would recommend the CWA+DRW option for Guest users as it is simpler, more streamlined, and you can specify a unique Identity Group such as "GuestEndpoints" for these devices. This makes future cleanup easier and maintains them separately from employee RegisteredDevices. The ISE 1.2 ERS API can be used to programmatically delete these endpoints periodically.
Hope that helps to clarify. -
ISE 1.2: Employee with personal device registration
Hi experts,
I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
but looking for a detailed configuration to get following to work:
Employee's have access to the network with their corporate devices. No problem
Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
I guess letting employees register their private devices by MAC address on the My Devices portal would be the most sufficient solution.
Does anyone have a detailed configuration or link how to achieve that?
Thanks,
Frank
Having BYOD access be based on MAC address only is not really ideal and also not secure. A MAC address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)
Hope this helps!
Thank you for rating helpful posts! -
Unable to run the application via DNS CName record.
I have Windows Server 2008R2 running an application that connects to a database via a DNS CNAME record. The application was working fine until after yesterday when it could no longer
connect to the database. The database server is up and running without any issues. You have verified remote connectivity to the database server from your workstation.
How would you troubleshoot the issue and what are the steps to resolve it?
It might be that the application does not support using aliases for DNS resolution. You will need to contact your application developer/vendor for assistance.
To make sure that DNS resolution works properly from the infrastructure level, you can simply use
nslookup and make sure that the resolution is done properly.
-
ISE 1.3 iOS 8.1 Unsupported Browser Error in Device Registration Page
I recently upgraded to ISE 1.3. We are now getting unsupported browser errors in the device registration redirect page on iPad and iPhone iOS devices running 8.1. We are running 7.6 as 8.0 was unstable with ISE 1.2.1. The device registration redirect page worked fine with these same devices in ISE 1.2.1. Is there a workaround short of turning off registration? The "mydevices" page seems to work, but does not populate the MAC addresses of the devices like the device registration page does.
Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
Patrick -
Query in Device Registration Criteria
Hello,
I need some more details regarding Device Registration Criteria. When I access the transaction SDOE_DEV_REGISTER, by default only the attribute name 'USER' is Mandatory. With this setting, when I register an application on the client, it registers for any available device.
I understand that I can make more parameters mandatory for device registration in the above transaction and this is fine.
However I see a potential problem with this. Say I am installing my application (using Custom Client) at a customer site which is already using some SAP Specific Standard Application. Now in this case it's quite possible that the mandatory parameters for registration are different for the SAP Standard Application and my custom application.
How can we handle such scenarios? Any help will be appreciated.
Regards,
Shubham
Hi Shubham,
Basically device registration parameters are for identifying the correct logical device for the physical device based on the values of the parameters specified at the time of registration.
This is not application specific as at the time of registration you might be not aware of the application that is going to be installed (unless you use setup package).
So by default only user name is considered for registration, which is under the assumption that each user uses only one physical device..
Each application internally uses device attributes for distribution criteria. The values for these attributes need not be set from the device at the time of registration. In fact these must be set via receiver generation so that you can avoid wrong values entered by application users during registration. So it doesn't matter what other applications (say SAP standard apps or other vendor apps) ask for as device registration parameters, because these vary from one customer to another.
So now what is required is a unique way to identify the correct device if a single user uses more than one device. You can choose any other device attribute (either standard or custom), say for example device_type, and set different values for the different usages. You can then instruct your end user to enter the value as per the device type they have.
Hope this clears all your doubts...
Regards
Ajith -
I am using ISE 1.2. I have to configure automatic device registration through Guest Portal.
The issue is that whenever a guest logs in for the first time, he needs to enter the device MAC address manually. Is there any method so that ISE will automatically notice the device's MAC address and populate it in the "Device ID" field on the Device Registration Portal?
Regards,
Aditya -
ISE device registration webauth with wlc 7.0 lwa
Is it possible to use the DRW feature with WLCs running 7.0 code? All configuration examples refer to 7.2 code. It's only for guest user device registration. No profiling / provisioning.
Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
Thanks.
Hi,
The reason you need to run the upgraded code is that the RADIUS NAC feature coupled with a MAC-filtering enabled SSID will work together. On the prior release you were unable to get both features to work with one another.
For your reference here is the item in the New Features section of the 7.2 WLC release notes:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
thanks,
Tarik Admani
*Please rate helpful posts*