ASA MPF on HTTP traffic
Hi, Im student who studying MPF atm, and I just wodnering about the parameters(request args regex, request body length etc..) that http provides, I was looking up and went through some resources and information on cisco website, but it was diffcult to understand all of theses parametes,
how does ASA matches up with http traffic ?? is this parameters are located in HTML ??? (body java activ-x) , where does it located, ??
thanks in advance, !!!
Hello Terry,
First thing to understand when we are talking about inspection on layer 5 to 7 ( In this case http) is that in order to work the client got to be on one ASA'Sinterface and the server needs to be on another one, this to allow the ASA to investigate the http session.
Now you are asking about how the ASA is going to match that traffic, well with the policy map type inspect we will decide what to match (the http request, response,etc) , we can use different things in order to do it, just as an example we can create a regular expressions that matches www.cisco.com (\.cisco\.com) and then let the ASA know that matches the header of the http packet using that particular rule and then we will be able to block cisco.com as an example.
You can also match the URI, etc etc and then apply the rigth http inspection paramater.
Please rate helpful posts.
Regards,
Julio
Similar Messages
-
MPF ASA for Web Filtering. Https traffic
SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However,requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 “website1\.com”
regex allowex2 “website2\.com”
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
class-map allow-user-class
match access-list WEBFILTER
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
Thanks in advance for your help
JuanIs it even possible for for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
dns Configure a class-map of type DNS
ftp Configure a class-map of type FTP
h323 Configure a class-map of type H323
http Configure a class-map of type HTTP
im Configure a class-map of type IM
sip Configure a class-map of type SIP -
ASA - What is allowing return HTTP traffic?
Hi,
I'm just playing around with a few ASA's and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?
Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There is no ACL's applied on any interfaces.
I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
Thanks for any help.Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.
So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.
The entry is made on source and destination IP and port numbers, and for TCP it also used the connection flags.
ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).
But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.
Jon -
ISE Guest Portal only redirect HTTPS traffic.
I have a wireless deployment consisting of the following:
5760 WLC & ISE 1.2
Am I missing something here
I have 4 similar deployments, and never had these issues:
On Android / Apple devices, the guest portal does not pop up automatically &
On a Windows Laptop only https traffic directs to the guest portal.
Thanxi think you need to recheck the configuration also check the link for step by step config
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html -
Is it possible to redirect https traffic to http in CSM?
Hello,
I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
BTW I have already tried it on the CSM and it is not working. Everytime I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
Thanks for any help offered.
MurtazaI don't have a config in hands for this.
I have done it before and know this is feasible.
The redirect is here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
Just change the vip to be only accessible by the SSLM.
Create the appropriate redirect vserver.
On the SSLM, send the decrypted traffic to the vip address and port.
Just as if the Vip was a server.
Gilles. -
Can a WLC redirect HTTPS traffic in a CWA environment
Hi Guys.
Regarding with ISE, CWA and WLC, I 'm seeing that when you connect to the SSID and open your navigator, if the URL is an HTTPS URL the traffic is not redirected to the ISE Portal using CWA. I though that the WebAuth Proxy Redirection Port option of the WLC only works when It has the portal (LWA) but not in CWA.
I only found information about the redirection of the traffic when is a HTTP connection (port 80).
Is it possible to redirect HTTPS traffic in a CWA deployment??, most of my users use Google Chrome and, in some scenarios, any search using Gooogle is in HTTPS mode and the captive portal is not shown.
Thanks.
Best regards.No, the WLC is not able to redirect HTTPS pages.
You can however add other ports(other than 80) that can be redirected incase of proxy etc.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
How to redirect https traffic to captive portal?
Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
This is unusual scenario wherein clients have a default homepage to https://www.google.com (sample only)
Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
Is there any way to redirect https traffic to captive portal as well?redirection only happen on http traffic, a feature request has been issued to have the redirection happen on https.
please check the following
CSCar04580
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
Please make sure to rate correct answers -
Http Traffic Slow/Broken, ping fine
Hello,
I am writing because as of this morning all http traffic on my network has went to a snails pace. However, pings of all types work at normal speed, but fail approximately 5% of the time(Independent of pinging internal address or external).
I have a very basic setup, i do not really have any custom configures on anything. The only wifi authentication at the moment is WPA2-PSK. I have this network set up as a test bed for a new setup, its a good thing too because it is unusuable in its current state.
Network Setup:
3 3502i AP - Setup in Hreap mode - Connected to PoE Switch
1 2106 WLAN Controller - Connected to 2960
2960s Switch
Dell Layer 2 PoE Switch
Thanks!
SethSince you are using HREAP, I'd sniff the AP port. Make sure the traffic is flowing in both direcitons there before going further. You should also make sure to prune the VLAN that are not needed on the AP.
Also, make sure your ports are full duplex and not at half. -
QoS value for http traffic from IP Phone
Since the phone marks all voice with COS 5 and data traffic with COS 0. Does this also include traffic sourced from the IP Phone http? request when doing Directory Lookups, IP Phone Services.
Thanks!With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to what ever you want.
DSCP for SCCP Phone-based Services :
This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
This is a required field.
Default: default DSCP (000000).
Restart SCCP-based phones for the parameter change to take effect.
HTH
Sankar
PS: please remember to rate posts! -
Intercepting all http traffic and forwarding to VIP on CSM?
We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!
Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!
-
SG300 Redirect HTTP Traffic to Proxy
Dear Cisco Community,
We have the following setup
1 x SG300 Switch in Layer 3 Mode
VLAN 100 (Management VLAN)
VLAN 200 (Data VLAN for Internet Users)
The SG300 has an IP4 Interface in each VLAN:
100: 10.1.1.254 / 24
200: 10.1.2.254 / 24
The internet gateway (Zyxel USG-100) is located in VLAN 100.
In order to restrict the web browsing acitivites, we're in the process of implementing a Proxy server (GFI Webmonitor). Is it possible, to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server? I was thinking of a static route, but then this would apply to all traffic. Another option would be to block port 80/443 traffic using an ACL I suppose=
Any input will be highly appreciated, thank you!
Kind regards,
RomeoHi Mohamad,
I've seen this done in slightly different ways. One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
CSM-S Configuration Examples
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
Another way is like this:
serverfarm REDIRECT
nat server
no nat client
redirect-vserver REDIRECT
webhost relocation https://www.example.com/
inservice
serverfarm SSL_DC
no nat server
no nat client
real 192.168.78.36 local
inservice
vserver VSERVER_80
virtual 192.168.78.35 tcp 80
serverfarm REDIRECT
persistent rebalance
inservice
vserver VSERVER_443
virtual 192.168.78.35 tcp 443
serverfarm SSL_DC
persistent rebalance
inservice
Hope this helps get you started.
Sean -
Redirect / Block non https traffic
I have a quick question. Today I setup teaming 2.0 on SLES10.
After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server, since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443 to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is their a place I can simply change the email to link to https://server?
Any other thoughts?
Cool product by the way!
Tha
DennisDennis,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
WSA blocking HTTPS traffic -allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
CheersHi axa,
This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since your not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
Message was edited by: Erik Kaiser -
Kerberos encryption for HTTP traffic
Hello
I am writing client for WinRM service(Windows Vista). This service use SOAP protocol for communication.
And I cannot make subscription for Windows events using Push method.
The issue is when I try to make events subscription - Vista tries to test connection with my server, but I don't know what should I send back for test connection request to Vista WinRM... :(
I didn't find it in MSDN.
Subscription request is:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
<env:Header>
<a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
<w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
<a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
<w:Locale xml:lang="en-US"/>
<w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
<w:OptionSet>
<w:Option Name="ReadExistingEvents" mustComply="false"/>
<w:Option Name="ContentFormat">RenderedText</w:Option>
</w:OptionSet>
</env:Header>
<env:Body>
<e:Subscribe>
<e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
<e:NotifyTo>
<a:Address>http://Antares:443</a:Address>
</e:NotifyTo>
</e:Delivery>
<e:Expires>PT12H0M0.000S</e:Expires>
<w:Filter>
<QueryList>
<Query Path="Security">
<Select>*</Select>
</Query>
<Query Path="System">
<Select>*</Select>
</Query>
<Query Path="Application">
<Select>*</Select>
</Query>
</QueryList>
</w:Filter>
<w:SendBookmarks/>
</e:Subscribe>
</env:Body>
</env:Envelope>
WinRM connection test request is request with empty content length and with header:
Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos YIIE4wYJKoZIhvcSAQICAQBuggTSMIIEzqADAgEFoQMCAQ6iBwMFACAAAACjggOLYYIDhzCCA4OgAwIBBaEKGwhCUS5MT0NBTKIaMBigAwIBAqERMA8bBEhUVFAbB0FudGFyZXOjggNSMIIDTqADAgEXoQMCAQ2iggNABIIDPHstoHWBhepDeU/h3o6Uuzjtgxo5SlVRVaa9JjAUcEDb4k+DKQrtwia/GtvDsmoZ4VgE8gGpJmcuZHNUEBHwEmn48RAAuo/f3o/D7hBJ3XygexN8yPZFYtElT1CvtoVOuvox83xOr9TdUn+Dd12/AupkAIxwbdHNhftcOCajJOv3NnFGoeF5+NA54VguaW1XGZxoC1mviITkfeDW0rZnKQ3aJxRDG0kKfHvWYdIlifRydQkTY/XMGHBFvd8kA8Q3M6WYVmuCKLjjJwvHjfZ56GWUpax7MlYmOGs7ncHLptCyxiV7RTiP0c00MViangq4CoioLyPwdysG7V8oyMGcc32WpsWCbXJNm5N8ijy7JxRd4W2zfzL6rpkGFQ2F0AfsH/b+Dz45sYXKyEgJajA5TK/cPiECTIMbXnkehz2yC5mjY4XalhXf4U1j/D5E2ApbG0ITUrp10a6C/dy5yEtc4CNtVHDQ30BrdZS+vxO2PwwIKZovvvlzIyddgOqyKaKhs9i3eMfF61IjhUpquK4zZYYZEqpQtkgSaDz8rurD4M5Z1CzzlID5nlVg9YsA9JhPejsdU9Rmt51OjCu8rBvd+Kb7AMkujDogOli4NVNKssdLOJl7m3ulMQTs5AFT1O7YOW4SQsos1g2UEW+JzE+sj1IGdia8xmjxuZOsWks4QgX9O0PL3LNVE/iGgR2dOQhRzhuwEJEUfHpy1BIqZzbG48KkkNxFZLgeM+ztnrssw/zaD1vTs4+EF7KPVp1ldBwPId2P6PIyd4nyX+1tJt2SYHKyk0mdxkCw8pTAfrNxJGj9Ku573YcPfFdGhTtTTzo1CJPwSQFoNlEhh7wriaED/fseIEPPLASR+wIzGVPNBb5mTCd/vCPrwsShZl0wmtwUiDgNAu2732GVb7MDSKIc/hOjZAdFqoh3KzvWUSIsdrl1Mezcjb6VSuM87f4pWaR7f0RMexNB6ZEL0RzncbMXyhmUcqNaVyCWCgWN/ovKmWt53FkBQZkZIxLZUVyi6As3bhsfVxrw6dU4oKpHesDKldHFOz1fuEv8UKu6s7DaAd1VXiLmU4uzUSfiYH0iQCYkvf1sVqKBVyrFXHHQTKSCASgwggEkoAMCAReiggEbBIIBF2DcdvxWBV/D29hIBpQ8sJk8XF+q9tVNBHm3bFXtetxKwk1UxO64r7U5YQ4kqgvAyKTq/aL9V/QrO5x1M0mbqjKrfo/ehKGy5GGUZeQ0TYhkkmdNq8Mxo2CR5IIWqzEIaB00qSkombg/3IvniUoKbHfvoGMdr63DqRr8AbmXzHK+9kfyYMkkSMn72spoPBYadYAJZ02VUJp5fdNIqsMTREfEf3qfJNdvzaCRN/BcHVJ0C/5TChf8gFMThZzHShr2j1OdWBEZ/uLsMl2INqW0/AcCfLopSTcwgip/E63Zz/mKFCq2VIPp1++KvWPUKPalzdK9Pg/AwzXM6/+SBXdWfkUJGUW9x2nHFuZ6IeoAlhS2hvNLcjJ2ww==], User-agent=[Microsoft WinRM Client]
I tried to send empty response(with the same test request header) for test request but it doesn't take any effect.
WinRM subscription response is:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
<a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>e:EventSourceUnableToProcess</s:Value>
</s:Subcode>
</env:Code>
<env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
</env:Reason>
<s:Detail>
<w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
<f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
In WinRM documentation I see:
+Note: HTTP traffic by default only allows messages encrypted with
the Negotiate or Kerberos SSP.+
But I use simple java HttpConnection and there are no any references to Kerberos in JavaDoc for this class... :(
One more - I use BASIC authentication.
Does anybody know what should I send back for connection test request.Sorry, I forgot to set "java.security.krb5.conf" and "java.security.auth.login.config" properties.
But after I set these properties I've got another exception:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
... 28 more
But it seems to me that I've set login module correctly:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
May be I missed something...
What do yo think about it ? -
Debugging HTTP traffic from iPad with Charles
Here's a great tip on how to use Charles on your Mac or PC to proxy HTTP traffic from your iPad so you can debug it.
http://www.ravelrumba.com/blog/ipad-http-debugging/Talking of debugging iPad, and Flash apps specifically, I only recently tried out the "Quick publishing for device debugging" option. When you do that, and run the app on the device, you can set Flash to be in a remote debugging session, and on the app screen you type in the IP address of your computer. You can then debug the running app in just the same way you would debug a swf running in your desktop browser. You don't even have to be connected by USB, it works across the wireless network.
Maybe you are looking for
-
3rd week of MacBook ownership.. my observations and questions...
Note: I have 2 main questions below.. if you don't want to read my thoughts, skip below... I bought a Black MacBook about 3 weeks ago from CompUSA.. 18 months no interest and an interested buyer for my windows laptop--I had to go for it. This is my f
-
Reverse a clearing generated by ALE
Hello. How can I reverse a clearing generated by ALE? There were sent several FIDCC1 messages from my system by mistake and the documents were automatically cleared with BSEG-AUGBL = 'ALE-external'. How can I reverse/cancel this clearing? FBRA is not
-
How to read the extension .RNO files.
Guys.. We are implementing B2B scenario , We are getting .RNO file with Rossettanet, Preamble, ServiceContent, OrderCreate, and DigitalSignature tags in it. Once XI got .RNO file, XI needs to map with ORDERS05 and send to R/3. Can any one explain me
-
What am I doing with my new iPhone 5s it's not good
I have a problem with charging the iPhone 5s
-
Firefox hangs after shut off, was told to use: file exit but it is no help
FF re-opens on the same web page as I last visited on my last internet visit. Using: file>exit, as was suggested is no help. Yes I have the newest ver. of FF. I am using Windows XP with Svc. pack 3. Yes I clear cookies and cache daily. NO I do not ha