ASA 8.2(1) WEBVPN ntlm authentication with internal sharepoint problem

I have added internal sharepoint site in ssl vpn bookmark and setup all required permission , but after the user enter his credential in web authentication form , the connection reset with the server, when I used wireshark to sniff the traffic from ASA to sharepoint server I found that ASA does not send NTLMSSP_AUTH, User request.

Hi Oscar,
That's the reason why I requested that information.
Remember that we strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
For instance the release notes doc for 8.2.x does mention SharePoint 2007, but not 10. On the other hand, the specific release notes for 8.2.5 include information about 2010, please be aware of this bug:
CSCtn99416
WebVPN: Dropdown menu doesn't work in customized SharePoint 2010
I am glad to know you fix the issue by upgrading the ASA to 8.2(5).
Please mark this post as answered and rate any helpful posts
Portu

Similar Messages

NTLM Authentication with a domain controller/active directory

Hi,
I have a requirement to do an NTLM authentication with the MS active directory.
I am aware that JNDI doesn't support this protocol to communicate with the AD.
I have looked into couple of online solutions available but that doesn't seem to meet my requirement. Most of the solutions like (Apache commons NTLMScheme/NTCredentials and java.net.Authenticator etc...) are used for only NTLM proxy authentication (where both username, password is sent to the proxy server which does the actual NTLM authentication with the Active Directory.)
What I need is a solution in Java where I can directly contact Active directory for negotiation of challenge/response mechanism.
Can any of you guys suggest any alternative to achieve this ?

it really depends to be honest. I'd probably go something like this though:
One Small physical server to act as a domain controller - you could put DHCP on this too
One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined.
Then for your VM's create the following:
1 x additional domain controller
For remote desktop services:
1 x Remote Desktop Session Host
1 x Connection Broker
1 x Gateway and web server
For additional services
1 or 2 x Exchange
1 x sharepoint
1 x IIS
but it really depends what you want to achieve.
The benefit from Virtual machines is that you can keep separate virtual servers for separate applications.
If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance.
Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:

Anyconnect - NTLM authentication on internal website

Hi..
I'm setting up a portal on the ASA - and I need the users to access an internal site with NTLM authentication.
They all share the same password - but we need it to be single sign on.
I can't get it working with the post codes..
I have looking with live http headers in Firefox - but no help.
Any hints???
Best regards
Tue

Hi Jesper,
the ~HTTP_REMOTE_USER was set by the NTLM PAS module. PAS is an proprietary addon for ITS 6.20 provided by SAP to allow external authentication via PAS modules. With Netweaver 2004 the integrated ITS no longer has anything to do with authentication. This is done by the webAS. WebAs does not support PAS but provide a similar technique call JAAS (Java Authentication and Authorization Service) which other than SAP PAS is a industrial standard. SAP Note 858138 points to SAP documentation, Teched Sessions and e-learning. I would suggest that you use this note as a starting point. I assume there is a NTLM JAAS module available but have no further information about it. Maybe this module passes the user ID to the called service.
Best regards,
Klaus

AD Machine Authentication with Cisco ISE problem

Hi Experts,
I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Regards,

You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

Jaas authentication with cutom realm problem

I'm having this problem, I have a web application made with JSF running on Sun One Application Server 9, and I made a cutom realm with Jaas so that the server will be handeling the authentication and it is working fine. The problem is that i want to load some info into the user's session after that he have been authenticated based on the username. But I have on clue how to do it. so I'll be very thanks full it anybody helped me.

Did you resolve this problem? Please let me know. I have the same issue now and don;t know what I should be doing next

Web authentication with Radius server problem

Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a              u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.

Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

Public-facing on-premises SharePoint with NTLM authentication

I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable
Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see
published content only i.e. content which is permitted to anonymous users.
My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?

There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method when you update documents you user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy may you even be able to configure some pre
authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that, when it works it's great, but when it doesn't it's a PITA to get back in sync). with cross site
publishing you have an editing site and the publishing site pulls from the Search index and the permissions are completely separate.

WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

I have an existing application that I developed on a Windows machine using CS5. It uses a local intranet web service written in .NET using NTLM authentication. The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare. When my company upgraded, I went to a Mac with Flash CC which is great. However, Mac's don't handle HTTP Authorization Challenge Blocks like Windows machines. In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue. The issue is in Flash development. When running the exact same application in Flash testing all script access fails with HTTP Status 401 errors. I have searched the AS3 documentation, but the only thing built in to handle http challenge requests is in AIR not Flash. The server admin's and I have tried all method's of cross domain policy files and access changes with no luck at all. Does anyone have a solution to this issue?

Did you check Apple Support Boot Camp article?
iMac displays a black screen during installation of Windows 7
http://www.apple.com/support/bootcamp/
Installation Guide
Instructions for all features and settings.
Boot Camp FAQGet answers to commonly asked Boot Camp questions.
Windows 7 FAQAnswers to commonly asked Windows 7 questions.

How to do HTTP getRequest() with windows NTLM authentication from OBPM..??

Hello All,
Please share your expert ideas how me can do HTTP getRequest() with windows NTLM authentication from OBPM..??
I am not sure even whether its possible or not, if not what could be the alternative way to do integration with MS SharePoint ??
Version : Oracle BPM v 10.3.1
Cheers
Parveen Jaswal

You are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC.

Asa 5505 Remote VPN Can't access with my local network

Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context

Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network) iam using Shrew Soft VPN Access Manager for my vpn connection
here is my cry ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
      current_peer:155.155.155.1, username: Thomas
      dynamic allocated peer ip: 192.168.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 73FFAB96
    inbound esp sas:
      spi: 0x1B5FFBF1 (459275249)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 2894
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x73FFAB96 (1946135446)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 2873
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Outlook Negotiate/NTLM authentication credential prompt

Hello everyone,
I have been digging quite a while now for a solution to this but apparently there is not a lot of systems out there utilizing this or having problems with it. Here it comes:
We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
connect via MAPI over HTTP. Everything working fine!
External is a different Story: We have a Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers and for a reason that I didn't manage to find yet I can't get it to work so that domain joined clients
(notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate outlook against the Exchange Servers. Outlook always prompts the user for her/his password on start up and then connects fine. No problems after that -
PF, OoO, OAB - everything is working. If the user restarts the outlook -> password prompt once again and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
So here is my progress on this:
I verified my virtual directory settings. Here is how the Mapi virtual directory looks like:
IISAuthenticationMethods          : {Negotiate}
InternalUrl                    : https://mail.domain.com/mapi
InternalAuthenticationMethods : {Negotiate}
ExternalUrl                     : https://mail.domain.com/mapi
ExternalAuthenticationMethods   : {Negotiate}
I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only which made the problem shift. Test clients connect to exchange and are able to view/receive mails but got
the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negoiate alone.
Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-ris set to domain.com)
is utilizing cached windows credentials and is able to log on to autodiscover and OWA with windows authentication enabled.
When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
"Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
Now how I understand the auth method Negoiate in Exchange 2013 is that Outlook and the Server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Promt (Basic/NTLM) but in my case this doesn't
apply.
Now I would apprechiate it very much if someone could educate me in how this is supposed to work and if there is a mistake in my configuration or my understanding of the authentication process correct it.
A great day to everyone!
Vasko

I don't have a ton experiencing using something like ARR, but we should do some testing. The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally. This SHOULD let us know where the problem
lies. If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange. If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

ASA 5505 configured for WebVPN connecting to Citrix Web Interface

ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
i have a ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface . The user authenticates into WebVPN OK and gets the option to click on the Citrix Link (which is i add bookmark citrix server http:// 172.30.40.5.) i enter the citrix and then for example i want to open to outlook it can not open. (when i want to open some application no application is open)).there is no alarm at asa. how i solve this issue?
thanks.

Teymur,
Can you confim that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error. It is possible that it is generating a different error.
The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be adventageous to open a TAC case as we may need to do some live additional troubleshooting.
Thanks
-Jay

Windows NTLM Authentication on SAP 4.6c (Platform AIX)

I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
I need to implement single sign on for SAP integrated application.
As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory id as external id in connection string. All transaction should run with external user id context.
Can someone help me with following question.
1. Does NTLM trust relationship / authentication on SAP running on AIX? or Do I have to setup kerberos authetication?
2. What SNC library needed for SAP (AIX instance)?
3. How can I configure NTLM authentication on SAP (AIX instance) The NCo 2.0 documents only explains SAP (MS instance) configuration.
What option do I have to get Single Sign On working?
Any help is highly appreciated.
Regards and Thank you in advance.

> Hi Reiner,
> Thank you very much for response, this is helpful
> information.
If you consider an answer as helpfull, please mark it with the button on the left side :-).
> My options are pretty much limited,
> I can't use NTLM since, AIX will not accept trust
> -- NTLM Auth will not work with AIX
> -- Kerberos auth have to have third party tool like
> CyberSafe for SNC trust relationship.
As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
> I planning to try using SSO as mentioned in "Enabling
> Single Sign-On for ASP.NET Applications in Enterprise
> Portal 6"
> Is this approach works with EP 5.0?
This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely different. E.g. you doesn't need a trusted connection for SSO with MYSAPSSO2 ticket.
> If any one has "sapsecu.dll" please send me at
> [email protected] with same size as stated in
> this document.
This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsiduary.
> My SSO ticket did not get created after following
> steps in document, I am suspecting either sapsecu.dll
> or veryfy.pse is wrong?
Did you find a MYSAPSSO2 cookie in the request?

Ricoh Aficio MP C2051 Scan to Folder - Windows Server 2012 Error: Authentication with the destination has failed check settings

I have recently upgraded a clients servers to Windows Server 2012 & since doing so have lost the ability to scan to folder.
Both servers are domain controllers and previously on a 2008 domain controller I would have had to make the following change to allow scan to folder:
Administrative Tools
Server Manager
Features
Group Policy Manager
Forest: ...
Default Domain Policy
Computer configuration
Policies
Windows Settings
Security Settings
Local Policies
Security Options
Microsoft Network Server: Digitally Sign Communications (Always)
- Define This Policy
- Disabled
However I have applied this to the Windows 2012 server but am still unable to scan, possibly due to added layers of security in server 2012. The error on the scanner is Authentication with the destination has failed check settings.
I have also tried the following at the server:
Policies -> Security Policies
Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and uncheck the require 128 bit.
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers and uncheck the require 128 bit
I have created a user account on the server for the ricoh and set this in the settiings of the Ricoh and verified everything is correct.
Are there any other things I have missed?

I can email anybody the firmware module if interested and how to...
Tell me your model and email
If your offer still stands we have an Aficio MP C3300
Firmwareversion
Modulnavn Version Delnummer
System/Copy 1.13 D0255562H
Network Support 8.16.1 D0255563D
Font EXP 1.03 D0255588
OptionPCLFont 1.02 D0255589
animation 1.3.1 D0255568A
Fax 01.10.00 D0255569B
RemoteFax 01.10.00 D0255564B
Printer 1.11 D0255572A
RPCS 3.7.5.4.1 D0255574A
Option PCL 1.00 D0255580A
Scanner 01.17 D0255570C
Network DocBox 1.00 D0255567B
Web Support 1.06 D0255565B
Web Uapl 1.07 D0255566C
libcvm(v4) 4.13 D4135765B
GWFCU3-13(WW) 03.00.00 D3935570C
PowerSaving Sys 1.10 D0255560C
Engine 1.51:09 D0255117E
OpePanel 1.03 D0251492A
LANG0 1.03 D0251496
LANG1 1.03 D0251496
ADF 03.420:02 D3665604
Finisher 01.090:03 D3725112
Best Regards/
Henrik Plougstad
henrik(a)pieroth.dk

ASA 8.2(1) WEBVPN ntlm authentication with internal sharepoint problem

Similar Messages

Maybe you are looking for