Authentication combinations with ISE 1.2

We're in the process of completing our ISE deployment for Wireless but are having some issues with authentication combinations and not sure of which are possible or not.We would like to perform workstation auth based certificate authentication with Microsoft domain credentials authentication, a so called dual authentication using cert and username/password.
Is this possible using the Microsoft WIndows default supplicant?

is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Similar Messages

Authentication Combination in ISE 1.2

Is it possible to have dual authentication using workstations auth certs and Windows domain credentials for authentication in ISE 1.2?

Hi Kevin,
This would be a client side configuration.
What type of authentication is this?
VPN? wired or wireless dot1x?
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed

Apple macosx machine authentication with ISE using EAP-TLS

Hello,
On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo Novais

Additional information from the above question.
I have the following setup;
ACS 3.2(3) built 11 appliance
-Cisco AP1200 wireless access point
-Novell NDS to be used as an external database
-Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
-Windows XP SP2 Client
My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
Please help...
Thanks

Intermittent AD Authentication failures in ISE 1.2

Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal? Any ideas?
Thanks
Jef

Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
When you say Multicast to you AD...how did you check that? We do use multicast.

URL is not change after successful authenticate with ISE 1.1.1

Hi,
I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)
Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.
But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like https://ise-ip:8443/guestportal/redir.html . Anyway the content in the browser is changed to the URL that being configured such as http://www.google.com/
How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
Thanks,
Pongsatorn

Hi,
This is the user experience when using central web authentication:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
Here is the process when you use local web authentication:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html#wp1295223
Hope this helps,
Tarik Admani
*Please rate helpful posts*

Limit the number of session per user in the Wired dot1x environment with ISE 1.2

Hello,
I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
I need to check if this feature is available or not to solve the following scenario:
I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
The case, that I need to deny the same user to connect on a different machine with the same credentials.
The ISE itself does not have this feature currently, the only feature available is to limit the number of sessions for the guest user.
Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
Thanks.

limit number of session per user using wired dot1x is not available in 1.3

CWA with ISE and 5760

Hi,
we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
aaa authentication login Webauth_ISE group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization network Webauth_ISE group ISE
aaa accounting network ISE start-stop group ISE
aaa server radius dynamic-author
client 10.232.127.13 server-key 0 blabla
auth-type any
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only
wlan test4guests 18 test4guests
aaa-override
accounting-list ISE
client vlan 1605
no exclusionlist
mac-filtering cwa_macfilter
mobility anchor
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list Webauth_ISE
no shutdown
wc5# debug aaa coa
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS: authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
Feb 27 12:19:08.444: RADIUS: NAS-IP-Address      [4]   6   10.232.127.11
Feb 27 12:19:08.444: RADIUS: Calling-Station-Id [31] 14 "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS: Event-Timestamp     [55] 6   1393503547
Feb 27 12:19:08.444: RADIUS: Message-Authenticato[80] 18
Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 41
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35 "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 43
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37 "subscriber:reauthenticate-type=last"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 49
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444: ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444:
Feb 27 12:19:08.444: ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:19:08.444:
wc5#

Reason for this are two bugs which prevent this from working:
https://tools.cisco.com/bugsearch/bug/CSCul83594
https://tools.cisco.com/bugsearch/bug/CSCun38344
This is embarrassing because this is a really common scenario. QA anyone?
So, with ISE and 5760 CWA is not working at this time.

Authentication order and ISE authorization policys

Hello
I'm looking at configuring ISE to authenticate AD joined PC's (using Anyconnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The Pc's and phones connect on the same switchport. The switchport configuration for this was:
switchport
switchport access vlan 102
switchport mode access
switchport voice vlan 101
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
The above config worked fine with the "show authentication sessions" on the switch showing dot1x as the method for the DATA domain and mab for VOICE. I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first with mab. This resulted in the "show authentication sessions" on the switch showing mab as the method for both DATA and VOICE domains.
To prevent this I created an authorization policy on ISE to respond with an "Access-Reject" when the "UseCase = Host Lookup" and the Endpoint Identity Group was Unknown (the group containing the AD PC's). This worked fine - the switch would attempt to authenticate both PC and phone using mab. When an "Access-Reject" was received for the PC, the switch would move onto the next method and the PC would be successfully authenticated using dot1x.
The only problem with this is that the ISE logs soon become full with the denys caused by the authorisation policy - is there any way to acheive the above scenario without impacting on the logs?
Thanks
Andy

Hi Andy-
Have you tried to have the config in the following manner:
authentication order mab dot1x
authentication priority dot1x mab
This "order" will tell the switchport to always start with mab but the "priority" keyword will allow the switchport to accept dot1x authentications for dot1x capable devices.
For more info check out this link:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Thank you for rating helpful posts!

Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

Hi
Can Anybody can update whether ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
has succeed in command level accounting on Cisco ISE ..
Please update
Cisco ISE doesn't have TACACS feature ...

Command Accounting is a TACACS+ feature so not for ISE....yet.
However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory. The notify syslog is what sends it via syslog.
conf t
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end
wr mem
Remember, syslog is clear text :-) log away from user traffic when possible. Or use TLS based syslog when possible.
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate post you consider useful.
-James

5760 Central Web Auth with ISE

Hi,
I am having problems with getting central web auth to work on the 5760, I cant seem to find any documentation for the 5760-Central Web Auth.
The setup is with a Cisco 5760 and Cisco ISE, for guest users to be re-directed to ISE guest portal to authenticate. Has anyone configured this or have any advice, that would be great.
Thanks

Hi Roger,
I have gotten CWA running on the 5760 with ISE, below is the config for the guest SSID:
wlan Guest 1 TEST-guest
aaa-override
ip dhcp required
mac-filtering cwa_macfilter
mobility anchor 10.1.1.100
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list ISE_Auth_Group
session-timeout 14400
no shutdown
! ***You will need the following commands as well:
ip http server
ip http authentication local
ip http secure-server
aaa authentication login ISE_Auth_Group group ISE
aaa authorization network cwa_macfilter group ISE
Hope it helps =)

6.1 SP 2 certificate authenticator fails with Apache plugin and SSL

Hi,
Does anybody have a certificate authenticator working in WebLogic 6.1
SP 2, in combination with the Apache HTTP Server plugin and SSL?
We implemented a certificate authenticator that works correctly in
WebLogic 6.1 SP 2 when we configure SSL with "Client Certificate
Required", and access it directly from a browser (the browser hits the
SSL port of the WebLogic server, like 7002).
This certificate authenticator also works correctly with a proxy web
server. We set up a Stronghold server (web server based on Apache) on
Linux with the Apache HTTP Server plugin from BEA, configured the
plugin to use SSL, and configured our WebLogic 6.1 SP 1 server without
"Client Certificate Required". The certificate authenticator gets the
end user's certificate correctly.
This same architecture with the proxy web server does not work when we
upgrade the WebLogic Server to SP 2. WebLogic Server logs the
"incorrect or missing client cert" error, our certificate
authenticator is never called, and the browser gets a 401 Unauthorized
error.
We looked all over the WebLogic 6.1 SP 2 installation for a newer
version of the plugin (mod_wl_ssl.so) and found the same version as SP
1. We double-checked that it was the Linux-specific installer
(because we'd found that some Linux libraries are missing from the
generic installer). So it appears to us that the plugin encodes the
certificate in the request header in such a way that a SP 1 server can
extract it, but an SP 2 server cannot. We were wondering whether
there might be changes to the plugin to stay in step with the SP 2
server that never got ported to Linux, or whether an updated Linux
plugin never got included in the installer packages.
So: has anybody gotten a system like
Apache/Stronghold + WebLogic Plugin <-- SSL --> WebLogic 6.1 SP 2 +
Cert Auth
to work?
Thanks in advance for any help,
Jim Doyle
[email protected]

A correction, I think:
Now that I rolled back a system to 6.1 SP 1, it looks like 6.1 SP 1
does include a different mod_wl_ssl.so from that in SP 2. I believe I
was comparing the wrong file. In fact, trying to compare versions of
the mod_wl_ssl.so makes things rather confusing:
A mod_wl_ssl.so from a straight weblogic610sp2_generic.zip install has
a cksum of "1853014778 1132467".
A mod_wl_ssl.so from a weblogic610sp1_generic.zip install with a
subsequent SP 2 upgrade install has a cksum of "1350917183 1147927".
A mod_wl_ssl.so from a plain 6.1 install with subsequent SP 1 and SP 2
upgrade installs, followed by an SP 2 uninstall and another SP 1
upgrade install, has a cksum of "1471948065 1136501".
I think I may be looking at three different plugin versions here: 6.1,
6.1 SP 1, and 6.1 SP 2, assuming the upgrade installs don't actually
change mod_wl_ssl.so. I'm not sure whether there's an easier way to
verify what version of the plugin you have.
In any case, we did try each plugin version, and none of them works
against a 6.1 SP 2 WebLogic server.
Jim
[email protected] (Jim Doyle) wrote in message news:<[email protected]>...
[snip]
We looked all over the WebLogic 6.1 SP 2 installation for a newer
version of the plugin (mod_wl_ssl.so) and found the same version as SP
1. We double-checked that it was the Linux-specific installer
(because we'd found that some Linux libraries are missing from the
generic installer). [snip]

VDI Access Control with ISE

Hi Guys,
Can ISE do the Access Control for the VDI users with thinclients like PCs? Now we wanna to setup the 802.1x authentication for the VDI users, but i'm not sure if this can be done by ISE. Do we just need to configure the access switch ports to open 802.1x as usual and the switch then will relay the radius to ISE?

Rodrigo,
You are right if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.
This is how it worked with vmware::
1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.
2. User logs in to floating desktop and Windows login server is updated with username and IP
3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.
4. Cisco ASA is configured to allow access based on Windows AD group X.
5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.
6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.
NOTE: Anyconnect is not used with identity-based firewall for Windows devices. If used for 802.1x (wired or wireless) or any other supplicant, it does allow Identity-based firewall to work with non-windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.

Replacing ACS with ISE

What is required to replace ACS with ISE in simple terms?
I am looking to basically authenticate wired and wireless access against the local/AD) user database via Cisco kit
I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses
Is there a limit to how many devices or users the base can deal with in its simplest form.
I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPS or Autonomous APs)
thanks
dave

yes you can authenticate the user using the ISE and but you need a advance license if you want to use both wire and wireless here is small table to help you understand the license requirements also the max. devices support depends on the type of deployment and with advance feature you have the abilitity of profiling and posturing which provide very good control for admins in the network
Software Packages
Options
Base
Capabilities: Basic network access and guest access
Network deployment support: Wired, wireless, and VPN
License prerequisite: None
Perpetual license
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Advanced
Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
Network deployment support: Wired, wireless, and VPN
License prerequisite: Base license
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wireless
License prerequisite: None
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless Upgrade
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wired, wireless, and VPN
License prerequisite: Wireless license
Term license: 1, 3- and 5-year terms
Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
***Do rate Hekofuls posts***

PKI authentocation with ISE

Need some help with PKI authentication with ISE in terms of Configuration......need to deploy it in the network
Minakshi

their isnt any specific example for this , check the following link
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
for cerificate config on ISE
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_04_ise_bootstrapping.pdf
Base license is intended for organizations that want to authenticate and authorize users and devices on their networks (wired, wireless, and VPN).
Advanced license expands on the Base license and enables organizations to make more advanced policy decisions based on user and device compliance. Advanced license features include device onboarding and provisioning, device profiling, posture services, mobile device management (MDM) integration capabilities, and Cisco Security Group Access enforcement capabilities across the entire network (wired, wireless, and VPN)

Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
to use to log in and after 3-5 second
and return me the logon page with error message “Authentication failed”
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated than all my certificate are valid and able to retrieve the crl
I got in eventlog id 300
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71

This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
on my case was :
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>

Authentication combinations with ISE 1.2

Similar Messages

Maybe you are looking for