Anyconnect 3 NAM Profile user authentication failure

Hello,
I use Cisco AnyConnect as a supplicant for my 802.1x enabled network; we use EAP-TLS. I created a wired profile with the standalone profile manager and deployed it to my clients. Machine authentication works fine, but as soon as I log in to the device, user authentication does not work and AnyConnect falls back to an open wired network.
I don't see any logs in my ACS.
But when i create a profile on the device itself the EAP-TLS authentication works without any issues.
any ideas?
regards
alex

Hello Luke-
I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only but things went out of control once we started to roll out wired
I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they can "fix" this but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:
https://supportforums.cisco.com/message/3775027#3775027
To answer your other question:
So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
Back when I had this issue I was able to "trick" the native Windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged-in user but to select "New/Different User." There you can still type the same credentials for the already logged-in user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine, which is still not ideal and not user friendly at all, but that is all I have. Also, do keep in mind that I have not tested this with the AnyConnect client, so results may vary.
Thank you for rating!

Similar Messages

  • Go URL - User Authentication Failure

    Hi,
    I am trying to use a 'Go URL' in web application and I see some issue with authentication mechanism.
    I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
    Also the AD user can login from the login page, but not thru 'Go-URL' link.
    Can anyone let me know whether I am missing any step?
    Thanks

    969211 wrote:
    I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
    Also the AD user can login from the login page, but not thru 'Go-URL' link.
    Can anyone let me know whether I am missing any step?
    Check the usage of Go URL first: http://docs.oracle.com/cd/E21043_01/bi.1111/e16364/apiwebintegrate.htm
    If you don't use NQUser and NQPassword then they will be prompted for a password. You need to use http://<hostname.domain>:9704/analytics/saw.dll?Dashboard&PortalPath=<your GO URL path>&NQUser=USERNAME&NQPassword=PASSWORD
    You should not access if URL without logging in.
    Also on different note:
    Rupesh Shelar wrote:
    Make sure your BISYSTEM password
    Go to weblogic console, http://IP address:7001/console
    Home >Summary of Security Realms > myrealm > Users and Groups > BISystemUser
    And then go to your EM (http://IP address:7001/em)
    expand weblogic domain > bifoundation_domain > Security > Credentials > oracle.bi.system ? system.user
    Just retype a new password, then restart all BI services, then test it.
    How is BISystemUser even related to Go URL or this issue?
    Hope this helps.
    Let me know the updates. Mark if it answers!
    Thanks,
    SVS

  • "Remote Apple Events" User Authentication failure

    I will send some Remote Apple-Events from a local machine to a remote Mac Mini (OS X Server 10.5.4) with "eppc://admin:[email protected]". But i get the error message "User Authentication failure -927".
    Mounting the remote volume is no problem with the same user and password strings "afp://admin:[email protected]", so I think that the user and password are correct.
    I have reset the Keychains and have no further ideas. Any hints?

    Have you checked that the account you're using is allowed to send AppleEvents?
    (System Preferences -> Sharing -> Remote Apple Events)
    I set the access for AppleEvents for all Users on the local machine as well on the remote server. Send AppleEvents from server to the local machine seems working.
    Are there special settings on OS X Server for user privileges in the "Workgroup Manager", i'm not very skilled with UID and GID?

  • ISE internal user authentication failure - user not found

    Hi Forumers,
    I am trying to do wireless 802.1x, where the identity store uses internal users.
    But I found this error message when I try to connect:
    Authentication failed:
    22056 Subject not found in the applicable identity store(s)
    My authorization rules are built like this
    identity groups = user identities group / " mygroup"
    condition = no setting
    permissions = standard / PermitAccess
    Question 1
    Any troubleshooting step to do on this?
    Question 2
    For the Authorization rules, what's the condition should set for using Internal User as Identity store?
    Thanks
    Noel

    The error is caused by an authentication failure and is not an authorization issue.
    You need to look at your authentication policy (Policy->Authentications) and see which identity store was authenticated against.
    In addition, you can go to the Live Authentications page (Monitor->Authentications) and, for the failing record, click on the icon under Details. This will give you the full details of the request processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and the "Selected Identity Stores".

  • Mail user authentication failure

    My site has been suffering from a problem with access from Macs running Mail to POP3 mailboxes hosted on Snow Leopard server mail from at least 10.6.3 upwards (including the latest build of 10.6.5). It manifests itself as the notorious failed connections with Snow Leopard Mail, but the cause appears fairly clear.
    If I look at the Mail Server logs (Mail Access) I can clearly see that the connection was rejected with the error message "unable to lookup user record ". If I then look at the Password Service Server Log it is clear that this server did not receive the authentication request, as it is not present in the log even though many successful authentications both prior to and subsequent to the failed one are present.
    So somewhere between the Mail Server and the Password Server some authentication requests are going astray. It is only a very occasional occurrence but it appears to be totally random in nature - authentication will carry on correctly for hours and sometimes days, but then all of a sudden an authentication request will fail and Mail trips out on the client system. Once you reset Mail things again proceed fine but it is a nuisance that this happens at all.
    I would like to see Apple address this in one of two ways - either sort out why the occasional authentication request fails, or alternatively make Mail not be quite so pedantic. If a connection fails then tolerate it - this does happen occasionally, for many different reasons, and it is a big nuisance having to calm Mail down when it does. Why not just have an error window like Entourage which you can look at if you want to see when errors have occurred?
    In the meantime, if anyone has any good ideas about why the authentication requests fail on occasion I would be delighted to hear. This didn't happen at all originally for many iterations of the server software until suddenly it did start occurring, so it must be possible to make it work reliably!

    Unfortunately changing the access setting was not possible on my system - it is already set that way and the problem is still occurring.
    In order to see this happening in the logs, using Server Admin, firstly check in the Mail Access log for the Mail server for an unsuccessful (rejected) connection by a user that can normally access without problems. Check the exact datestamp.
    Then take a look at the Password Service Server Log in Open Directory at that datestamp and you will find that there is no entry, whereas there will be entries for all the successful logons. There won't be anything in the password server error log.
    Taken together this suggests to me that the request from the mail server to the password server is just getting lost between the two for some reason and never reaches the password server.
    It would be great to hear from others that they are also experiencing this same cause for their logon unreliability problems. As I say above, I think the problem is a combination of the fault with the two components on the server coupled with Mail's unnecessarily pedantic handling of failed logons. Both should be fixed pronto, but I would settle for Mail being cured of its ridiculously over the top panicking over something that can happen even on more reliable mail servers.

  • WLAN USER AUTHENTICATION FAILURE

    Hello All,
    I have an enterprise WLAN which users are authenticating with the AAA server (CISCO ACS 4.2).
    We recently migrated this WLAN from autonomous mode to lightweight mode by introducing a wireless LAN controller and changed the AAA server device to CISCO ISE with base license.
    The challenge now is that some wireless users are connecting to this new controller based WLAN while other users are not authenticating.
    Hint: On the ISE, we implemented PEAP authentication. I noticed that some of the end wireless devices (laptops) are configured for LEAP instead of PEAP. I have made these changes but the issue still persists.
    Any help please.
    Regards,
    Ethelbert Ezeaputa

    Hi
    The description of your problem is vague. What are the authentication error logs on ISE? What state are the clients in on the WLC? Could you also post the output of debug client <MAC address>?
    Sent from Cisco Technical Support Android App

  • User authentication failure: BISystemUser.

    Hello All,
    Created an AD authentication and faced the above error. Backed out the AD and am still getting the above error in the BI Server logs, and the Presentation Server does not start.
    Did you guys face this issue before, if so what was your resolution ?
    Thanks !
    Rush

    Do I need to re-install the environment? Changed the password for BISystemUser and changed the same in the credential store, but still the issue persists. Also refreshed the GUIDs.
    Thanks

  • Prime 2.0: User Auth Failure Count

    Hello
    In Prime 2.0, on the Home page> General, you can view dashlets showing various bits of information.
    One of those available is User Auth Failure Count and I am trying to establish what this table is showing me and if I can get this information out of Prime in a CSV format for example, in order to do some correlation with RADIUS logs.
    I want to establish whether the users being reported as having an auth failure are actually managing to get onto the network eventually, or whether we have an authentication problem we need to tackle.
    The only reference in Cisco documentation I have found to date says the following, which is not helpful to me:
    "User Auth Failure Count
    This dashlet displays a chart which shows user authentication failure count trend over time.  "
    Does anyone know if this information is exportable somehow?
    thanks
    Bryn

    Hi Scott
    I agree with your point that the historical data is available via MSE, but I now come round to my first question, which is how do I get to the data from Prime?
    I cannot find a report to run to get the Failed Auth User Count data, although it must be there for the information to be populating the dashlet
    I think I will have to try our Cisco contact
    thanks
    Bryn

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines and use the feature called EAP chaining for that; Windows' own supplicant won't work.
    An example (it uses user/pass, but the concept is the same):
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • AnyConnect customized NAM Profile Problem

    Hello,
    I have a problem with the deployment of customized NAM profiles for AnyConnect 3.0.1047 clients on a Windows XP machine. I successfully installed via msiexec the anyconnect-win-3.0.1047-pre-deploy-k9.msi /passive /log c:\temp\anyconnect-base.log PRE_DEPLOY_DISABLE_VPN=1 and then the
    anyconnect-nam-win-3.0.1047-k9.msi /passive /log c:\temp\anyconnect-nam.log.
    But the folders ...\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager and the subfolders logs, newConfigFiles and setup were not created during the setup procedure.
    So I created a profile with the AnyConnect profile editor and saved it as userConfiguration.xml in the setup folder. After restarting, AnyConnect just ignores the XML file and starts with some default. In the tray icon I see a wired LAN called wired. I can create another wired LAN from the advanced configuration of the client, but I would rather use a customized profile without accessing every client.
    Any ideas?
    Thanks in advance for your feedback
    Alex

    Hi Tarik,
    thanks for your answer. I'll uninstall AnyConnect, disable the antivirus software and try again. I got some logfiles from the DART tool; I think I have some other issues. Here is some output of the logfile. It is particularly this line which worries me.
    9: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Invalid development version of configuration file.
    1: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: SSO Logon Module service entry does not exist
    2: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: Starting main service
    3: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: main service failed to start
    3: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: Starting oneTimeTimer with 24 seconds left
    4: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDA68, err=0(OS_OK), thread_id=2044
    5: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDBA0, err=0(OS_OK), thread_id=136
    7: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/configuration.xml ...
    8: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>   false   false
    9: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Invalid development version of configuration file.
    10: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/userConfiguration.xml ...
    11: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8"?> Local networks true true
    12: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file system/internalConfiguration.xml ...
    13: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8"?>
    6: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m003FDD18, err=0(OS_OK), thread_id=152
    14: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812]: Successfully initialized SAE Ver: 3.0.1047.0 (Mar 23 2011 16:26:07)
    15: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812][comp=SAE]: API (0) AC NAM Auth Version: 3.0.1047.0
    16: BS3206: Aug 01 2011 01:19:48.453 -0100: %NAM-7-DEBUG_MSG: %[tid=1812]: CoreLib:TRACE: context=ace, thread exec, ThreadImpl.cpp:74, m0142EBF0, err=0(OS_OK), thread_id=264
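The DART excerpt above is pasted out of sequence (the highlighted line 9 appears before lines 1 to 8), and the "Invalid development version of configuration file." message does not name the file it refers to. The helper below is an added example written for this thread, not part of AnyConnect, DART or any Cisco tool. It parses NAM log lines of the format shown above, restores time order, and pairs each message with the file its thread (tid) had most recently opened, so that you can see which configuration file a verdict belongs to. The SAMPLE string is copied from the excerpt above with the XML dumps shortened; the regular expression and the PROBLEM_MARKERS keyword list are my assumptions about the format, not a documented Cisco interface.

```python
"""Sort and interpret AnyConnect NAM lines from a DART bundle.

Hypothetical helper written for this thread, not part of AnyConnect, DART or any
Cisco tool.  The line format is taken from the excerpt posted above; SAMPLE below
is copied from it (XML dumps shortened)."""
import re
from datetime import datetime

# <seq>: <host>: <Mon DD YYYY HH:MM:SS.mmm> <tz>: %NAM-<sev>-<TYPE>: %[tid=<n>][comp=<c>]: <message>
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): (?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tz>[+-]\d{4}): %NAM-(?P<sev>\d)-(?P<kind>\w+): %\[tid=(?P<tid>\d+)\]"
    r"(?:\[comp=(?P<comp>\w+)\])?: (?P<msg>.*)$"
)
OPEN_PREFIX = "Opening file "
# Fragments that mean NAM could not use what it just loaded or started (assumed list).
PROBLEM_MARKERS = ("Invalid", "failed", "does not exist")

# Copied from the DART excerpt in the post above; deliberately left in the pasted order.
SAMPLE = r"""
9: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Invalid development version of configuration file.
1: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: SSO Logon Module service entry does not exist
2: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: Starting main service
3: BS3206: Aug 01 2011 01:19:48.265 -0100: %NAM-7-DEBUG_MSG: %[tid=2036]: NAM Plugin Agent: main service failed to start
7: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/configuration.xml ...
8: BS3206: Aug 01 2011 01:19:48.296 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>   false   false
10: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-6-INFO_MSG: %[tid=136]: Opening file C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\/userConfiguration.xml ...
11: BS3206: Aug 01 2011 01:19:48.312 -0100: %NAM-7-DEBUG_MSG: %[tid=136]: <?xml version="1.0" encoding="UTF-8"?> Local networks true true
14: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812]: Successfully initialized SAE Ver: 3.0.1047.0 (Mar 23 2011 16:26:07)
15: BS3206: Aug 01 2011 01:19:48.406 -0100: %NAM-6-INFO_MSG: %[tid=1812][comp=SAE]: API (0) AC NAM Auth Version: 3.0.1047.0
"""


def parse_line(line):
    """Return a dict for one NAM log line, or None if the line is not a NAM record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["sev"] = int(rec["sev"])
    rec["tid"] = int(rec["tid"])
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S.%f")
    return rec


def parse_log(text):
    """Parse all NAM lines and return them in time order (pasted dumps are often not)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    recs.sort(key=lambda r: (r["when"], r["seq"]))
    return recs


def _opened_path(msg):
    """'Opening file <path> ...' -> <path>"""
    return msg[len(OPEN_PREFIX):].rsplit(" ...", 1)[0]


def loaded_files(recs):
    """Configuration files NAM opened, in the order it opened them."""
    return [_opened_path(r["msg"]) for r in recs if r["msg"].startswith(OPEN_PREFIX)]


def attribute_to_files(recs):
    """Pair every message with the file its thread was processing when it was logged.

    NAM logs "Opening file X ..." and then, on the same tid, the XML it read and any
    verdict on it, so the last opened file per tid is the file a verdict refers to.
    Messages on a thread that never opened a file get None."""
    current_file = {}          # tid -> file most recently opened on that thread
    out = []
    for r in recs:
        if r["msg"].startswith(OPEN_PREFIX):
            current_file[r["tid"]] = _opened_path(r["msg"])
            continue
        out.append((current_file.get(r["tid"]), r["sev"], r["msg"]))
    return out


def find_problems(recs):
    """Return (file, message) for messages that look like load or start failures."""
    return [(f, msg) for f, _sev, msg in attribute_to_files(recs)
            if any(marker in msg for marker in PROBLEM_MARKERS)]


if __name__ == "__main__":
    for path, msg in find_problems(parse_log(SAMPLE)):
        print(f"{(path or '<no file>').rsplit('/', 1)[-1]:25s} {msg}")
```

Run against the pasted excerpt, the "Invalid development version" verdict is attributed to system\configuration.xml, the file opened just before it on tid 136, and the two "NAM Plugin Agent" failures belong to a thread that never opened a configuration file at all; the userConfiguration.xml dump that follows carries no verdict. That split is worth knowing before deciding whether the profile editor output or the base installation is at fault.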

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Same select (user, name, profile, role, table_name, privilege table)

    hello Everyone
    1.- I don't know how to merge the two queries to see in the same select (user, name, profile, role, table_name, privilege table)
    I'm using the table usuarios and the view dba_users: see the next query
    SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
    US.DESCRIPCION NAME,
    ACCOUNT_STATUS STATUS,
    DU.PROFILE,
    CREATED FECHA_CREACION
    FROM USUARIOS US,
    SYS.DBA_USERS DU
    WHERE DU.USERNAME = US.IDUSUARIO(+)
    UNION
    SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
    US.DESCRIPCION NAME,
    ACCOUNT_STATUS STATUS,
    DU.PROFILE,
    CREATED FECHA_CREACION
    FROM USUARIOS US,
    SYS.DBA_USERS DU
    WHERE DU.USERNAME = UPPER(US.IDUSUARIO)
    ORDER BY NAME;
    This gives me USER, REAL NAME, STATUS, PROFILE, CREATION_DATE
    JP01 Johan Pena OPEN DEFAULT 05-07-2010
    On the other hand:
    select * from role_tab_privs
    This gives me ROLE, TABLE_NAME and PRIVILEGE
    DBA TABLE1 SELECT
    DBA TABLE1 INSERT
    DBA TABLE2 DELETE
    1.- I don't know how to merge the two queries to see in the same select (user, name, profile, role, table_name, privilege table)
    2.- I want something like this.
    USER, REAL NAME, STATUS, PROFILE, CREATION_DATE ROLE, TABLE_NAME PRIVILEGE
    JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 SELECT
    JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 DELETE
    Ect Ect. Ect.
    who can HELP ME.

    I have part understood your requirement and assumed the rest! Hence, I have used dba_role_privs in addition to the list of tables you used.
    Also, I think your LEFT OUTER JOIN on sys.dba_users is incorrect. I think you are trying to get all users from USUARIOS table for which roles / privileges exist in the database. If that is what you want the following query should help out. If not change the LEFT keyword in the MAIN query (NOT the one in WITH clause) to RIGHT but the results might be unpredictable.
    Note: Using ANSI standard keywords for JOIN allows you to use functions in the JOIN clause (such as UPPER(column name)), which the Oracle proprietary notation does not allow and hence made you opt for the UNION option.
    WITH OS AS
    (
            -- One row per (grantee, role, table, privilege), joined to the account record.
            -- Roles with no table privileges and grantees with no DBA_USERS row are kept (outer joins).
            SELECT
                 DU.USERNAME
                ,DU.ACCOUNT_STATUS
                ,DU.PROFILE
                ,DU.CREATED
                ,DRP.GRANTED_ROLE
                ,RTP.TABLE_NAME
                ,RTP.PRIVILEGE
            FROM
                sys.dba_role_privs drp
            LEFT OUTER JOIN
                role_tab_privs     rtp
            ON
                ( drp.granted_role    = rtp.role    )
            LEFT OUTER JOIN
                sys.dba_users      du
            ON
                ( du.username         = drp.grantee )
    )
    SELECT
         NVL (US.IDUSUARIO, OS.USERNAME)    USUARIO
        ,US.DESCRIPCION                     NAME
        ,OS.ACCOUNT_STATUS                  STATUS
        ,OS.PROFILE                         PROFILE
        ,OS.CREATED                         FECHA_CREACION
        ,OS.GRANTED_ROLE                    ROLE
        ,OS.TABLE_NAME                      TABLE_NAME
        ,OS.PRIVILEGE                       PRIVILEGE
    FROM
        USUARIOS US
    LEFT OUTER JOIN
        OS -- temporary result set created using WITH clause above
    ON
        UPPER (US.IDUSUARIO) = OS.USERNAME   -- USUARIOS keys on IDUSUARIO (see the question); DBA_USERS stores names in upper case
    ORDER BY 2 ;  -- 2 = NAME, as in the original query
    Edited by: VishnuR on Jul 5, 2010 8:44 PM
    Edited by: VishnuR on Jul 5, 2010 8:47 PM

  • OAM certificate Authentication failure redirection with no user certificate

    Hi,
    I am using Certificate authentication. I need to do an authentication fail redirect.
    When I have valid certificate in my browser - authentication is successful. This is fine.
    When I have invalid certificate (credential mapping failure) it redirects me to the intended url.
    The problem is when I do not have a user certificate in my web browser. It does not redirect to the url.
    Does anyone have a solution? Any suggestion?
    Please let me know. It's an urgent requirement.
    Thanks.
    Himadri

    Hi Himadri,
    It's some time since I have tested this, but I believe that what you have discovered is unavoidable behaviour, and you will need to handle this condition somehow in the configuration of the web server. The behaviour is:
    - user presents certificate that is accepted by web server, but not OAM, then the OAM authentication failure redirect takes effect ;
    - user presents certificate that is not accepted by web server (or no certificate as you discovered) then the web server handles the failure without giving the WebGate the chance to intervene.
    Sorry I'm not sure how to do this in the web server.
    Regards,
    Colin

  • I received a refurbished MBA today.  I have my original files on Time Machine from my first computer with 2 accounts/profiles/users.  I want to make migration of those files easy, but change the name of one of the profiles on the MBA.Things I should know?

    I have not set up the New-to-me MBA yet.

    Thanks so much for that article, however, I think that article is more confusing, since it says that there are 2 names, and then throughout the article refers to at least 4, and I am not 100% sure that was what I am after... So, maybe I am not asking correctly....  let me give more details here..
    I had a late 2008 Macbook with 2 "profiles" (work/home) (not sure which 'names' these would be) that was consistently backed up to an external HDD via Time Machine through my wifi network at home.  I had upgraded the OS to Mavericks and the "Latest" backup was backed up in Mavericks.  This computer was stolen a couple weeks back. I have now purchased an Apple refurbished macbook air and received it recently and have not even taken it out of the packaging.  I assume that it is running Mavericks, but don't know that for sure.  Thus, I have not created any new accounts on the new device yet.  I want to migrate my backed up files from the external HDD and re-establish 2 'profiles', however, one of the "names" I'd like to change for the new machine.  So part of my issue is not knowing what the differences are between, "short names", "display names", "user account names", "profile names", and "home directory names".  I know that some of these refer to the same thing, but I am unsure which is which.
    What I remember about my old machine was this...  When I looked at the Users folder, there were three folders listed within it, "Shared", "work-name", "home-name".  I assume these are what's referred to as "home directory names" since they were all lowercase, all one word.  When I turned on the computer, the "profiles" that showed up for login had different words than these listed, let's say, "work" and "home".
    What I want is for the "work" profile and "work-name" directory to stay the same, and the "home" profile name to stay the same while the "home-name" directory name changes to something else.
    I've read many posts now, and haven't found the clear cut example of what I am attempting to do.  Some say to create a dummy admin account on the new machine, use Migration Assistance to bring the backed-up files over to the new-to-me MBA, with the two profile names as they existed.  In the dummy admin account somehow make changes to the one account I want to change, and then after restart, remove the dummy admin account.  I found numerous posts indicating that this may result in permissions problems, which I do not want to have to debug.  I'm a decent computer geek, but not a full on superuser.
    Other options I've read indicate to plug the external HDD directly into the new machine at first start up and use the Setup Assistant and transfer the info that way.  Again however, I then have the issue of one of the names, I'd like changed.
    While typing this I found.....
    Each user in Mac OS X has a full "Name" and a "Short Name" as defined in the Users pane of System Preferences. The short name can contain up to 255 lowercase characters with no spaces. This is the name used to create a user's home directory (also known as the user's Home or Home folder) in the Users folder. 
    This is from earlier versions of the OS, so I am not even sure if this is Mavericks friendly or not.

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )
    - Not possible.
    User and machine authentication occur in different contexts;
    ACS cannot verify both at the same time.
    Using MAR you can, though, club both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful
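The four tips above describe a policy, not code, so here is an added example written for this thread (it is not ACS or ISE code) that models how that policy behaves once deployed. It assumes what the tips say and what MAR does in ACS: a machine rule and a user rule selected by AD group membership, a cache of successful machine authentications keyed by the endpoint's MAC address (Calling-Station-Id), and an aging time after which cache entries expire; the user rule's "Was machine authenticated" condition is a lookup in that cache. The group names, identities, MACs and times in the walk-through are made up. The walk-through also shows the two situations behind the first thread on this page: a user on a second NIC has a different MAC and therefore no cached machine authentication, and a user whose machine entry has aged out is denied until the machine authenticates again, which is why re-triggering machine authentication without a reboot matters.

```python
"""Model of how an ACS-style MAR (Machine Access Restriction) user rule is evaluated.

Hypothetical model written for this thread, not ACS or ISE code.  Assumptions: the
machine and user rules are selected by AD group, successful machine authentications
are cached per MAC (Calling-Station-Id) and aged out, and the user rule's
"Was machine authenticated" condition is a lookup in that cache.  All names below
are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MACHINE_GROUP = "Domain Computers"          # AD group that selects the machine rule
USER_GROUP = "Some_domain_user_group"       # AD group that selects the user rule


@dataclass
class AuthRequest:
    calling_station_id: str   # endpoint MAC as ACS sees it
    identity: str             # "host/PC1.corp.example" (machine) or "alice" (user)
    ad_groups: tuple          # AD groups the identity belongs to
    at: datetime              # time the request arrives


class MarCache:
    """Successful machine authentications, keyed by MAC, aged out after `aging`."""

    def __init__(self, aging):
        self.aging = aging
        self._seen = {}       # MAC -> time of the last successful machine auth

    def record_machine_auth(self, mac, when):
        self._seen[mac] = when

    def was_machine_authenticated(self, mac, now):
        """The 'Was machine authenticated' condition used in the user rule (tip 4)."""
        last = self._seen.get(mac)
        return last is not None and now - last <= self.aging


def authorize(req, cache):
    """Evaluate the two authorization rules in order; return (profile, reason)."""
    # Machine rule (tip 2): domain computer -> restricted profile, and the successful
    # machine authentication primes the MAR cache for this MAC (tip 3).
    if req.identity.startswith("host/") and MACHINE_GROUP in req.ad_groups:
        cache.record_machine_auth(req.calling_station_id, req.at)
        return "MachineAccess", "machine rule"
    # User rule (tip 4): domain user AND "Was machine authenticated" == true.
    if USER_GROUP in req.ad_groups:
        if cache.was_machine_authenticated(req.calling_station_id, req.at):
            return "Vlan_X_FullAccess", "user rule, machine auth found in MAR cache"
        return "DenyAccess", "user rule, no current machine auth for this MAC"
    return "DenyAccess", "no rule matched"


def walk_through():
    """One desktop over a day (made-up data); returns the (profile, reason) per step."""
    cache = MarCache(aging=timedelta(hours=8))
    wired_mac, wifi_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    boot = datetime(2011, 8, 1, 8, 0)
    user_groups = ("Domain Users", USER_GROUP)
    steps = [
        # boot: the machine authenticates on the wired NIC
        AuthRequest(wired_mac, "host/PC1.corp.example", (MACHINE_GROUP,), boot),
        # logon a minute later on the same NIC
        AuthRequest(wired_mac, "alice", user_groups, boot + timedelta(minutes=1)),
        # same user on the Wi-Fi NIC: different MAC, nothing cached for it
        AuthRequest(wifi_mac, "alice", user_groups, boot + timedelta(minutes=2)),
        # re-authentication after the 8 h aging time, no reboot in between
        AuthRequest(wired_mac, "alice", user_groups, boot + timedelta(hours=9)),
    ]
    return [authorize(s, cache) for s in steps]


if __name__ == "__main__":
    for profile, reason in walk_through():
        print(f"{profile:20s} {reason}")
```

The aging time is the knob that trades convenience for assurance: a long value keeps users working after a long uptime but also keeps a stale machine entry valid for any device that later shows up with that MAC, while a short value produces the "works until it suddenly doesn't" behaviour the first thread describes.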
