APSB13-03 authentication bypass issue
I see hotfixes for version 9 and 10, but how can I fix this vulnerability in Cold Fusion version 8.0.1?
Because CF8 has reached end of life period Adobe only provides security patches for CF9 and up currently. I'd recommend upgrading to CF9 or CF10 so you can get security patches.
My best guess on how to secure yourself from this particular issue would be to block /CFIDE and make sure you don't use cflogin in your applications.
Pete Freitag
Foundeo Inc. - Makers of HackMyCF & FuseGuard
Similar Messages
-
802.1X Inaccessible Authentication Bypass
On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available. The interface configuration mode command is supposed to be "dot1x critical".
Has it changed to something else in this version of IOS?
The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.htmlHello Prashant
Can you post the port configurations here ? have you configured the critical port, radius parameters etc, and does the switch recognize that the radius server is down ?
I think this is more to do with the design of the entire dot1x authentication.. I have tried this in labs and have had tough times, generating these scenarios.. we would hardly able to justify this feature on the network. I think it is highly advisible to have dual radius servers (or even more than 2), and configure the switches with standby radius servers.. I really wouldnt want my network enabled with 802.1x and having issues contacting the radius server.. even though we have options and solutions to overcome it, i wouldnt want too many complications on the 802.1x front..
Hope this helps.. all the best.. rate replies if found useful..
Raj -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
Hope anyone here could help me on this.
Thanks very much,
DanielWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
802.1x: MAC Authentication Bypass
Hey sorry for keeping bugging you guys...
So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send a access request to the radius server (I use FreeRadius) with the username/password both as the MAC address of the deivce.
However my dilema is that I have 200+ these devices. I can easily create a user group with MAC starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC address as the password!
So my question is that whether there is a way to configure the switch use a static string as the password for all the devices using MAC Authentication Bypass?
Thank you!!
DifanDifan:
I went through your post and understand that you are in a process of configuring 802.1x with MAB in such way so that you use custom password (except Mac address) for all users OR shared password string that should be sent by the switch but this is not possible.
Reason: Switch only send the device Mac address as the username and password. The user name should be the mac address of the client and the password should be same as username and this can't be change on cisco switches.
I have also attached a document regarding MAB for your better understanding.
This forum is only for you guys...keep bugging us
HTH
JK
Pls rate helpful posts- -
Please excuse the lousy table...Its late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims based web application that authenticated to ADAM for Extranet. I have configured the servers exactly to MSDN and technet specs (following this spec to the
letter (
http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!! , which is a single server farm. However, it does not work in production. I get the following:
Claims Auth log entries:
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
f2ut
Verbose
Authenticated with login provider. Validating request security token.
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Using membership provider 'ADAMProvider'.
1:06:25 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Doing password check on '[email protected]'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Verbose
Failed password check on '[email protected]'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
0
Unexpected
Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security
token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM
w3wp.exe (0x0EDC)
0x1790
SharePoint Foundation
Claims Authentication
fo1t
Monitorable
SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password
could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
fsq7
High
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
8306
Critical
An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM
w3wp.exe (0x1B34)
0x08A0
SharePoint Foundation
Claims Authentication
f2un
Verbose
Form authentication failed.
I have tried EVERYTHING (well, nt everything, I don’t have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the apppool id correctly.
That’s not the case for me. It works in dev and the same id are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
The was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!Hi.
You say its a multiserver farm, do you have more than one web server then?
If thats the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com -
i am having issues joining new 1242LAP's to my controller. i am receiving the follwing error on my controller:
AAA Authentication Failure for UserName:5475d01144f0 User Type: WLAN USER
username is the MAC of my new 1242LAP. older 1242LAP's have no issue. i have 70 of the newer ones that i have just installed and fail to join the controller with the above error message. i'm not sure how to resolve. any help would be appreciated. thanks.
BrandonHi Brandon,
Good question. Sounds like your WLC may be authorizing LAPs via an Auth-list or AAA. You can view these settings here:
Web GUI --> Secuirty --> AAA --> AP Policies
If you do not wish to authorize the APs via an auth-list or AAA, simply uncheck the following option:
Authorize MIC APs against auth-list or AAA
Cheers.
Drew -
MS Active Directory LDAP Authentication/Locking Issue.
Dear All,
We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
We have used following things with LDAP feature.
1. User Authentication.
2. Locking account after exceed the maximum attempts that has configured in window server.
Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
If anybody has any experienced about it then please reply with positvie solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
Can any body know what are the possibilities for identifying and resolving this issue?
Please help us if anybody has any experienced about it.
Please do the needful.
Thanks,
Mehul.Hi,
Thanks for your reply.
We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
Following code for checking whether ADS User is valid or not.
* Function checks whether ADSUser is valid user or not
* @returns int value indicating result.
public int isValidADSUser() {
Hashtable env = new Hashtable(5);
Vector adsInfoVec = getADSInfo();
env.put("java.naming.referral", "ignore");
// env.put("java.naming.security.authentication", "simple");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
String provider = "com.sun.jndi.ldap.LdapCtxFactory";
env.put("java.naming.factory.initial", provider);
//For handling Uncontinued reference found message of partial result exception
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.derefAliases", "always");
env.put("java.naming.ldap.deleteRDN", "false");
env.put("java.naming.ldap.attributes.binary", "");
env.put(Context.PROVIDER_URL,
"ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
(String) adsInfoVec.elementAt(1));
// env.put("java.naming.security.principal",
// userNameStr + "@" + (String) adsInfoVec.elementAt(0));
env.put(Context.SECURITY_PRINCIPAL,
userNameStr + "@" + (String) adsInfoVec.elementAt(0));
if (userPassStr == null) {
userPassStr = "";
// env.put("java.naming.security.credentials", userPassStr);
env.put(Context.SECURITY_CREDENTIALS, userPasswordStr);
try {
DirContext ctx = new InitialDirContext(env);
ctx.lookup("");
//System.out.println(ctx.lookup(""));
ctx.close();
catch (javax.naming.AuthenticationException ex) {
//System.out.println();
ex.printStackTrace();
return AUTHENTICATION_ERROR;
catch (javax.naming.PartialResultException pex) {
pex.printStackTrace();
return COMMUNICATION_ERROR;
catch (javax.naming.CommunicationException pex) {
pex.printStackTrace();
return COMMUNICATION_ERROR;
catch (NamingException e) {
System.out.println("Failed to connect to ");
e.printStackTrace();
return COMMUNICATION_ERROR;
return SUCCESS;
Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
Your optimistic reply is much appreciated.
Thanks,
Mehul Garnara.
Edited by: [email protected] on Mar 6, 2008 10:24 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM -
Radius Inaccessible Authentication Bypass
Hello,
I'd like to know if it's possible to implement a such mechanism on a Cisco 2950 platform.
I'd like to avoid that my clients ports are unauthorized in case of a failure of my radius servers. Is there a way to implement it on a 2950G.gildas
Would I be correct to assume that you have your 2950G configured with a backup authentication method if the Radius server is not available and that your issue is what to do about authorization?
I have not done this on a 2950G and can not know that it works, but this solution generally works in IOS and I assume that it will work on your 2950G:
aaa authorization exec default group radius if-authenticated
Give it a try and let us know if it works.
HTH
Rick -
Anchor Guest 3.2.171.6 Web Authentication page issue
Hi folks,
I'm having issues with our Anchor controller here running 3.2.171.6. Using a chain certificate for our Web authentication re-direct Page to a WEB-server. sometimes the Guest Clients are not re-directed to the WEb authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the ipsec vpn module. any ideas would be appreciated.you need to try to find a non-chained certificate. I know that most CA do not use these anymore, but need to find one. WLC does not support chained-certificate until 5.2. It may work, but it is not supported.
HTH,
Steve -
"Authentication Failure" Issue on most devices.
I'm getting an "Authentication Failure" when installing my J2ME app OTA to most devices I've tried, including Pantech, Samsung, and Nokia ones (all AT&T or unlocked). I've included my (censored) JAD file below.
The entire application downloads to the device, and I can view the certificate info and there are three Thawte certificates, as expected.
All http reference exists.
The Thawte Root Certificate is present on the device.
I signed the JAD during NetBeans build by choosing so in the Signing section of the project properties.
I've tried using jarsigner in lieu of and in addition to the NetBeans method.
I've experimented with various MIDlet-Permissions as required/optional, and including/excluding various JAD parameters like MIDlet-Data-Size.
I've even tried desperate things like changing the CLDC/MIDP config, messing with the version number, and changing the icon file type.
I've read dozens on posts on the subject and I am really stumped. Thanks in advance for any assistance.
MIDlet-1: Example,http://www.example.com/dist/desktop_32.png,com.example.mobile.view.View
MIDlet-Certificate-1-1: (removed)
MIDlet-Certificate-1-2: (removed)
MIDlet-Certificate-1-3: (removed)
MIDlet-Data-Size: 3000000
MIDlet-Description: App Description
MIDlet-Icon: http://www.example.com/dist/desktop_32.png
MIDlet-Info-URL: http://www.example.com/help.php
MIDlet-Jar-RSA-SHA1: (removed)
MIDlet-Jar-Size: 148060
MIDlet-Jar-URL: http://www.example.com/test/ExampleMobile.jar
MIDlet-Name: ExampleMobile
MIDlet-Permissions-Opt: javax.microedition.io.Connector.file.read, javax.microedition.io.Connector.file.write, javax.microedition.io.Connector.https, javax.microedition.io.Connector.http, javax.microedition.pim.ContactList.read, javax.microedition.pim.ContactList.write, javax.microedition.pim.EventList.read, javax.microedition.pim.EventList.write, javax.microedition.location.Location
MIDlet-Vendor: Example
MIDlet-Version: 0.2.18
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0one of the stupid reason of the invalid descriptor (ota 907) in samsung : (to my opinion samsung is just a visual device, has buggy implementations and lack of documentation, comparing to nokia and sony ericsson)
if you specify an https url in jad for "midlet-jar-url", then samsung gives this error.
And why? i don't know, anybody doesnot know.
No documentation.
Read midp specs and no such a thing.
Read samsung docs if you find any, no result.
And you spend your time for stupid samsung issues, again.
Anyway, look at this, the problem can be resolved as :
Here is a typical jad runs on nokia devices well and fails with 907 in samsung:
MIDlet-1: Test OTP, /smlogo.png, testMIDlet
MIDlet-Icon: /smlogo.png
MIDlet-Jar-Size: 39122
MIDlet-Name: Test OTP
MIDlet-Vendor: None
MIDlet-Version: 2.12
Manifest-Version: 1.0
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-2.0
MIDlet-Jar-URL: https://xx/wap/midlet/xx.jad
MIDlet-Install-Notify: https://xx/wap/notify.jsk?jaduid=123
MIDlet-Delete-Notify: https://xx/wap/notify.jsk?jaduid=123
and if you change https into http, then it runs well.
All is this. -
I have a facility that when dialing a number that is sent over the WAN via toll bypass gets "call cannot be completed error" while other facilities can make the same call via toll bypass without issue. I get the following info via debug voice translation on the gateway router.
Thanks,
Adam
*Apr 23 22:05:38.897: //-1/806C03220E00/RXRULE/regxrule_stack_pop_RegXruleNumInf
o: stack=0x84356A78; count=1
*Apr 23 22:05:38.905: //-1/806C03220E00/RXRULE/regxrule_stack_push_RegXruleNumIn
fo: stack=0x84356A78; count=0
*Apr 23 22:05:38.921: //-1/806C03220E00/RXRULE/regxrule_stack_pop_RegXruleNumInf
o: stack=0x84356A78; count=1ok,
so it seems your WAN link is the T1 correct?
and when you send calls over this T1 you get the previously described translation rule output.
so, first things first, cisco recommends using the 'voice translation rule' and getting away from the translation rule.
second, since there are only three lines of output with little information in them, can you post your router configurations, specifically the translation rules, which side of the call leg they're on and the codecs used on the LAN side of the call legs.
(im assuming codec g729 is used on the WAN/T1 link of the call leg) -
An user as part of the domain users tries to open an office file from a document library but he got an authentication prompt asking him to authenticate. Domain users has only access to this library and not to the whole site. This uses to work in SharePoint
2007 without any problem but not in SharePoint 2013, we didn't have a workflow on SP2007.
Domain users has read access to only this document library in the site, but he shouldn't get an authentication prompt since he is part of the domain users and he is not trying to modify the document, he can open the document but gets two prompts, he can't
also see the list using explorer view since nothings appears using the explorer view.
Now, when opening the file, we can see..Updating Workflow Status, but we don't have any workflow working on this site or library, event any feature related to workflow.
If we go to the event viewer in the server, we find this information,
I also checked this thread but I couldn't find this scenario.
https://social.technet.microsoft.com/Forums/sharepoint/en-US/91bc770b-bb70-4885-a4ad-a243edb88753/event-id-8026-workflow-soap-getworkflowdataforitem-failed-doc-library-no-workflow?forum=sharepointgeneralprevious
I also created another list with the same permissions and using other office files but got the same behavior.
Now, we have migrated this site from SP2007 to SP2013.
Any ideas?OK, I am going to throw out a lot of ideas here so hopefully they get you closer to a diagnosis. Hang on :)
Does it happen to work for some users but not others? If so, try logging in on the "good" computer with the "bad" username. This will tell you if the problem is related to the end-user's system. Also, once the user downloads a document
successfully can they open and work on it in Word? Also, does the document library have any custom content types associated with it or does it just use 'Document'?
I notice that there are other folks on the web that have run into this same problem and the similarity seems to be that they are either on SharePoint 2007 or have upgraded from 2007. Did this doc library start out as a 2007 library?
What you might want to do is this: Make a site collection from scratch in 2013 (or find one that you know was created in 2013). Choose team site (or whatever you want) for the root web and set up the security the same way you have it on the malfunctioning
library. Now, use windows explorer to copy and paste some of the documents to the new location. Be sure you recreate any needed content types. Now test it from the troubled user's computer.
I'm thinking there may be something that is different about the library since it was migrated through various versions and updates since 2007. I've sometimes found that there can be problems (especially with user profiles but that's a different story) with
things that go through this evolution. -
Authentication PEAP issue (I believe!).
I'm using PEAP, AP1200, ACS 3.2, WXP SP2 and Microsoft AD to authenticate machine and user. The authentication process supplies the WEP key to the client.
When I'using a Cisco 350 client adapter all works fine. When I'm using another adapter, the ap log shows a continuous association/deasso.
Any ideas?
Thanks.
Andrea.are you using the client software for the wireless or windows. One or the other must be disabled.
Start/settings/ control panel/Administrative tools/ Services/ Windows Zero configuration/disable... -
iTunes U has just started rejecting our authentication credentials, debug shows that the credentials are valid but originated too far in the past. We understand there is a 90 second time window. We seem to be within a few seconds of Apple's time server.
Bumping the time ahead by one minute on our server allows the scripts to start working... but then fail again (like the next day)
Is it possible that the server that generates our tokens on Apple's side might be out of phase?
Any help would be appreciated.
thanks
dbI don't want to rule out the possibility that Apple's clocks are out-of-phase ... but if what you're describing were happening at our site, I would so totally think it a problem with our clocks. The reason is that such a wide variety of computers hook up with Apple ... we probably all sink or swim together on this.
But hey, lessay there is some kind of problem with Apple's iTunes U clock. A sneaky, sneaky way of fixing it would be to tell your server to use Apple's NTP server as it's NTP server. That way, if Apple's clock is wrong, yours will be wrong by the same amount.
NTP to time.apple.com -
ISE Authentication timers issues
Is there a way within ISE so that when a machine uses dot1x to authenticate that it will not occur for an extended period of time?
You can disable re-authentication or send the values from ISE.
It's actually best practice to disable reauthentication or if needed, keep it above 2 hours.
Maybe you are looking for
-
HI, I recently upgraded my operating system IOS 5.0.1 on an iphone 3gs. My question is, how do I get the text messaging preview to just pop up so that I can see the name only when the lock screen is on? The conventional ways of doing this, such as us
-
Want to De-activate the SERVICE radio button while creating a SC
Hello, My requirement is while a user create a SC and click on 'Describe Requirement' then the SERVICE radio button will deactivate. I'm using BADI BBP_UI_CONTROL_BADI and method BBP_SC_UI_CTRL, but it is not working.... It will be great if anyone he
-
Digital Signature - Bill of Lading
Hi, I am new to SAP Applications. Could someone brief me whether I am able to integrate digital signature into Bill of Lading using NetWeaver either Java or .Net Connector?. What other requirements must I have in order for this to be possible(hardwar
-
Hi We are using the following logic to enhance 2lis_02_itm with different fields from diff tables. We could able to see the enahnced field data in RSA3 , but after making any change in ME22n its not pulling those changes. can anybody advice where is
-
How to put decimal points in your calculator for mac only on Xcode.
I need help. I created an app for calculating division, multiplication, addition & Subtraction. But everytime I divide 5 / 4, I get 1 without a remainder. The calculator app in OS X has a remainder when I calculated the division problem. I searched o