Authentication distance issues

hello,
I have the same issues on multiple access points (all cisco 1200s - in different sites) in which users cannot authenticate until they walk close to the AP. (a site survey was done before installation) - and I get good link quality from the users cards. (always in the green) but for some reason they cannot authenticate until they get closer to the AP. After they authenticate they are able to roam anywhere with good signal strength.
I am running:
WPA w/ tkip, with EAP (GTC is the second stage) with the certificate stored in the correct store on the client.
"Best Range" has been selected in the settings page of the radio. (require 1 mb/sec and enable all the other speeds)
CCK and OFDM transmit power are both set to "Max" on the same page.
Limit Client Power is set to max also.
anybody have any ideas?
thanks in advance,
Blaine

Are you using multiple vlans and DHCP? We had a similar problem; the root cause was failure of the client to receive an IP. On the AP that the client is associating with you can issue the command
sh wlccp wds mn
to see if the client is receiving an IP, although my preferred way is to watch the network connection progress displayed by windows.
Did you have this problem with 12.2(15)JA?

Similar Messages

  • Claims Based Authentication SPSecurityTokenService.Issue() failed: The security token username and password could not be validated.

    Please excuse the lousy table... It's late :-)
    I have a multi-server SP2010 farm.  Patched up to
    Configuration database version: 14.0.6106.5002
    My goal is to have a claims based web application that authenticated to ADAM for Extranet.  I have configured the servers exactly to MSDN and technet specs (following this spec to the letter: http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
    IT WORKS IN DEV!!! , which is a single server farm.  However, it does not work in production.  I get the following:
    Claims Auth log entries:
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
    1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
    1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
        at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
    1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
    I have tried EVERYTHING (well, not everything, I don’t have the fix I suppose).
    I found plenty out there and nothing directly correlates with this issue.
    I searched on all parts of the errors I got.
    This contains an interesting blurb about setting up access for the apppool id correctly. 
    That’s not the case for me.  It works in dev and the same id are used there. 
    http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
    This was good but it doesn’t give specs on what the environment looks like:
    http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
    This was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
    Any and all help would be greatly appreciated!

    Hi.
    You say it's a multiserver farm, do you have more than one web server then?
    If that's the case, have you tried accessing the site on each server directly?
    Found this for you, maybe that can help?
    Troubleshooting Exceptions: System.ServiceModel.FaultException`1
    http://msdn.microsoft.com/en-us/library/bb907220.aspx
    and this:
    SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
    http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
    and
    This seems to be a good guide:
    http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
    Good luck
    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com

  • Ap authentication/join issue

    i am having issues joining new 1242LAP's to my controller.  i am receiving the following error on my controller:
    AAA Authentication Failure for UserName:5475d01144f0 User Type: WLAN USER
    username is the MAC of my new 1242LAP.  older 1242LAP's have no issue.  i have 70 of the newer ones that i have just installed and fail to join the controller with the above error message.  i'm not sure how to resolve.  any help would be appreciated.  thanks.
    Brandon

    Hi Brandon,
    Good question.  Sounds like your WLC may be authorizing LAPs via an Auth-list or AAA.  You can view these settings here:
    Web GUI --> Security --> AAA --> AP Policies
    If you do not wish to authorize the APs via an auth-list or AAA, simply uncheck the following option:
    Authorize MIC APs against auth-list or AAA
    Cheers.
    Drew

  • MS Active Directory LDAP Authentication/Locking Issue.

    Dear All,
    We are a software company; we have implemented feature of LDAP Authentication in our product using Java API and its working fine from our network environment.
    We have used following things with LDAP feature.
    1. User Authentication.
    2. Locking account after exceed the maximum attempts that has configured in window server.
    Main our issue is: The LDAP feature is not working properly from our client side. They are able to authenticate their LDAP user but do not able to lock user account however they have exceeded the maximum attempts from login dialog of our products but it still working in our side.
    If anybody has any experienced about it then please reply with positive solution or any other information like require do the specific configuration for different version of Windows and Active Directory Server etc.
    Can any body know what are the possibilities for identifying and resolving this issue?
    Please help us if anybody has any experienced about it.
    Please do the needful.
    Thanks,
    Mehul.

    Hi,
    Thanks for your reply.
    We have used java package of javax.naming.* and javax.naming.directory.* for LDAP Authentication.
    Following code for checking whether ADS User is valid or not.
    import java.util.Hashtable;
    import java.util.Vector;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    // userNameStr, userPassStr, getADSInfo() and the result constants are
    // members of the enclosing class, which the post does not show.

    /**
     * Function checks whether ADSUser is valid user or not
     * @return int value indicating result.
     */
    public int isValidADSUser() {
        Hashtable<String, String> env = new Hashtable<String, String>(5);
        // Element 0 is used as both LDAP host and UPN suffix, element 1 as port.
        Vector adsInfoVec = getADSInfo();
        env.put("java.naming.referral", "ignore");
        // env.put("java.naming.security.authentication", "simple");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        String provider = "com.sun.jndi.ldap.LdapCtxFactory";
        env.put("java.naming.factory.initial", provider);
        // For handling Uncontinued reference found message of partial result exception.
        // Context.REFERRAL is the same key as "java.naming.referral" above, so "follow" wins.
        env.put(Context.REFERRAL, "follow");
        env.put("java.naming.ldap.derefAliases", "always");
        env.put("java.naming.ldap.deleteRDN", "false");
        env.put("java.naming.ldap.attributes.binary", "");
        env.put(Context.PROVIDER_URL,
                "ldap://" + (String) adsInfoVec.elementAt(0) + ":" +
                (String) adsInfoVec.elementAt(1));
        // env.put("java.naming.security.principal",
        //         userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        env.put(Context.SECURITY_PRINCIPAL,
                userNameStr + "@" + (String) adsInfoVec.elementAt(0));
        // Hashtable rejects null values, hence the empty string. Note that a simple
        // bind with an empty password is an unauthenticated bind (RFC 4513), which
        // the server may accept without checking any credential.
        if (userPassStr == null) {
            userPassStr = "";
        }
        // env.put("java.naming.security.credentials", userPassStr);
        env.put(Context.SECURITY_CREDENTIALS, userPassStr);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.lookup("");
            //System.out.println(ctx.lookup(""));
            ctx.close();
        }
        catch (javax.naming.AuthenticationException ex) {
            //System.out.println();
            ex.printStackTrace();
            return AUTHENTICATION_ERROR;
        }
        catch (javax.naming.PartialResultException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        catch (javax.naming.CommunicationException pex) {
            pex.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        catch (NamingException e) {
            System.out.println("Failed to connect to ");
            e.printStackTrace();
            return COMMUNICATION_ERROR;
        }
        return SUCCESS;
    }
    Result of this code from our company: We are able to Authenticate LDAP user and also Lock User Account after exceed the Max Failure Attempt that configured from Windows Server.
    Result of this code from our client side: They are able to Authenticate LDAP user but they can't User Accout Lock however exceed the Max Failure Attemp that configured from their Windows Server.
    Can u please help us if any experience about it and suggest if any other configuration require from Windows Server / Active Directory Server OR also if some other implementation require for resolving this issue.
    Your optimistic reply is much appreciated.
    Thanks,
    Mehul Garnara.
    Edited by: [email protected] on Mar 6, 2008 10:25 PM

  • Anchor Guest 3.2.171.6 Web Authentication page issue

    Hi folks,
    I'm having issues with our Anchor controller here running 3.2.171.6. Using a chain certificate for our Web authentication re-direct Page to a WEB-server. sometimes the Guest Clients are not re-directed to the WEb authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the ipsec vpn module. any ideas would be appreciated.

    you need to try to find a non-chained certificate. I know that most CA do not use these anymore, but need to find one. WLC does not support chained-certificate until 5.2. It may work, but it is not supported.
    HTH,
    Steve

  • "Authentication Failure" Issue on most devices.

    I'm getting an "Authentication Failure" when installing my J2ME app OTA to most devices I've tried, including Pantech, Samsung, and Nokia ones (all AT&T or unlocked). I've included my (censored) JAD file below.
    The entire application downloads to the device, and I can view the certificate info and there are three Thawte certificates, as expected.
    All http reference exists.
    The Thawte Root Certificate is present on the device.
    I signed the JAD during NetBeans build by choosing so in the Signing section of the project properties.
    I've tried using jarsigner in lieu of and in addition to the NetBeans method.
    I've experimented with various MIDlet-Permissions as required/optional, and including/excluding various JAD parameters like MIDlet-Data-Size.
    I've even tried desperate things like changing the CLDC/MIDP config, messing with the version number, and changing the icon file type.
    I've read dozens on posts on the subject and I am really stumped. Thanks in advance for any assistance.
    MIDlet-1: Example,http://www.example.com/dist/desktop_32.png,com.example.mobile.view.View
    MIDlet-Certificate-1-1: (removed)
    MIDlet-Certificate-1-2: (removed)
    MIDlet-Certificate-1-3: (removed)
    MIDlet-Data-Size: 3000000
    MIDlet-Description: App Description
    MIDlet-Icon: http://www.example.com/dist/desktop_32.png
    MIDlet-Info-URL: http://www.example.com/help.php
    MIDlet-Jar-RSA-SHA1: (removed)
    MIDlet-Jar-Size: 148060
    MIDlet-Jar-URL: http://www.example.com/test/ExampleMobile.jar
    MIDlet-Name: ExampleMobile
    MIDlet-Permissions-Opt: javax.microedition.io.Connector.file.read, javax.microedition.io.Connector.file.write, javax.microedition.io.Connector.https, javax.microedition.io.Connector.http, javax.microedition.pim.ContactList.read, javax.microedition.pim.ContactList.write, javax.microedition.pim.EventList.read, javax.microedition.pim.EventList.write, javax.microedition.location.Location
    MIDlet-Vendor: Example
    MIDlet-Version: 0.2.18
    MicroEdition-Configuration: CLDC-1.1
    MicroEdition-Profile: MIDP-2.0

    one of the stupid reason of the invalid descriptor (ota 907) in samsung : (to my opinion samsung is just a visual device, has buggy implementations and lack of documentation, comparing to nokia and sony ericsson)
    if you specify an https url in jad for "midlet-jar-url", then samsung gives this error.
    And why? i don't know, anybody does not know.
    No documentation.
    Read midp specs and no such a thing.
    Read samsung docs if you find any, no result.
    And you spend your time for stupid samsung issues, again.
    Anyway, look at this, the problem can be resolved as :
    Here is a typical jad runs on nokia devices well and fails with 907 in samsung:
    MIDlet-1: Test OTP, /smlogo.png, testMIDlet
    MIDlet-Icon: /smlogo.png
    MIDlet-Jar-Size: 39122
    MIDlet-Name: Test OTP
    MIDlet-Vendor: None
    MIDlet-Version: 2.12
    Manifest-Version: 1.0
    MicroEdition-Configuration: CLDC-1.0
    MicroEdition-Profile: MIDP-2.0
    MIDlet-Jar-URL: https://xx/wap/midlet/xx.jad
    MIDlet-Install-Notify: https://xx/wap/notify.jsk?jaduid=123
    MIDlet-Delete-Notify: https://xx/wap/notify.jsk?jaduid=123
    and if you change https into http, then it runs well.
    All is this.

  • Authentication prompt issue when opening an office file in a document library with read permission for domain users

    A user as part of the domain users tries to open an office file from a document library but he got an authentication prompt asking him to authenticate. Domain users has only access to this library and not to the whole site. This used to work in SharePoint 2007 without any problem but not in SharePoint 2013, we didn't have a workflow on SP2007.
    Domain users has read access to only this document library in the site, but he shouldn't get an authentication prompt since he is part of the domain users and he is not trying to modify the document, he can open the document but gets two prompts, he can't also see the list using explorer view since nothing appears using the explorer view.
    Now, when opening the file, we can see..Updating Workflow Status, but we don't have any workflow working on this site or library, even any feature related to workflow.
    If we go to the event viewer in the server, we find this information,
    I also checked this thread but I couldn't find this scenario.
    https://social.technet.microsoft.com/Forums/sharepoint/en-US/91bc770b-bb70-4885-a4ad-a243edb88753/event-id-8026-workflow-soap-getworkflowdataforitem-failed-doc-library-no-workflow?forum=sharepointgeneralprevious
    I also created another list with the same permissions and using other office files but got the same behavior.
    Now, we have migrated this site from SP2007 to SP2013.
    Any ideas?

    OK, I am going to throw out a lot of ideas here so hopefully they get you closer to a diagnosis. Hang on :)
    Does it happen to work for some users but not others? If so, try logging in on the "good" computer with the "bad" username. This will tell you if the problem is related to the end-user's system. Also, once the user downloads a document successfully can they open and work on it in Word? Also, does the document library have any custom content types associated with it or does it just use 'Document'?
    I notice that there are other folks on the web that have run into this same problem and the similarity seems to be that they are either on SharePoint 2007 or have upgraded from 2007. Did this doc library start out as a 2007 library?
    What you might want to do is this: Make a site collection from scratch in 2013 (or find one that you know was created in 2013). Choose team site (or whatever you want) for the root web and set up the security the same way you have it on the malfunctioning library. Now, use windows explorer to copy and paste some of the documents to the new location. Be sure you recreate any needed content types. Now test it from the troubled user's computer.
    I'm thinking there may be something that is different about the library since it was migrated through various versions and updates since 2007. I've sometimes found that there can be problems (especially with user profiles but that's a different story) with things that go through this evolution.

  • Authentication PEAP issue (I believe!).

    I'm using PEAP, AP1200, ACS 3.2, WXP SP2 and Microsoft AD to authenticate machine and user. The authentication process supplies the WEP key to the client.
    When I'm using a Cisco 350 client adapter all works fine. When I'm using another adapter, the ap log shows a continuous association/deasso.
    Any ideas?
    Thanks.
    Andrea.

    are you using the client software for the wireless or windows. One or the other must be disabled.
    Start/settings/ control panel/Administrative tools/ Services/ Windows Zero configuration/disable...

  • Authentication/Time issue

    iTunes U has just started rejecting our authentication credentials, debug shows that the credentials are valid but originated too far in the past. We understand there is a 90 second time window. We seem to be within a few seconds of Apple's time server.
    Bumping the time ahead by one minute on our server allows the scripts to start working... but then fail again (like the next day)
    Is it possible that the server that generates our tokens on Apple's side might be out of phase?
    Any help would be appreciated.
    thanks
    db

    I don't want to rule out the possibility that Apple's clocks are out-of-phase ... but if what you're describing were happening at our site, I would so totally think it a problem with our clocks. The reason is that such a wide variety of computers hook up with Apple ... we probably all sink or swim together on this.
    But hey, lessay there is some kind of problem with Apple's iTunes U clock. A sneaky, sneaky way of fixing it would be to tell your server to use Apple's NTP server as its NTP server. That way, if Apple's clock is wrong, yours will be wrong by the same amount.
    NTP to time.apple.com

  • ISE Authentication timers issues

    Is there a way within ISE so that when a machine uses dot1x to authenticate that it will not occur for an extended period of time?

    You can disable re-authentication or send the values from ISE.
    It's actually best practice to disable reauthentication or if needed, keep it above 2 hours.

  • Access gate SDK, authentication and issues/bug

    I have been trying to test authentication against CORE ID using the access gate SDK for java and following the samples that installed with the SDK.
    I simulate user account lock-out and pwd to expire ( in two days) situations. Doing the form based access server authentication, I am able to see the error messages and in the case of locked a/c, it doesn't log me in.
    Using access gate SDK, it successfully creates a ObUserSession object for the protected resource, shows user as LOGGED_IN and the getStatus() returns normal. There is no indication of the actual status of the user account on the server !
    It does, catch the actual pwd expired status, as mentioned in the documentation.
    Is there anything missing here ?

    Couple of options. You seem to have taken the Access Gate based approach. I will throw this in any way and you can make a call which one you want to use.
    If it's a web application you can control authorization based on Resource by defining policy in the Access Manager.
    You mentioned about display of one area in one page. That should be driven off of User attribute or custom logic. If it is driven off of User attribute then you can return header variable and you can check in the code as opposed to writing custom access gate.
    Now if you do want to write custom access gate when the resource is already protected by a Web gate,
    you can get the ObSSOCookie from the users browser session.
    You can pass the URL to the IsAuthorized method and call.
    Now here you have to install the Access Server SDK on the server, create custom access gate and then write the code and deploy it on that server.
    Thanks
    Ram

  • 550 5.7.1 Authentication Required; Issue sending mail via Eudora 7.1

    I know this topic has been covered previously.  I have tried many of the previous suggested solutions but nothing has worked.  I thought I would post a message myself, as my situation might be slightly different.
    As of July 31st Eudora 7.1 worked great for me.  I have it on my desktop and prefer it over the alternatives for a variety of reasons.
    I went on the road on August 1st.  I tried to access my Verizon e-mail at verizon.net, but using my phone and being all thumbs I got locked out.  I created a new pw and proceeded to send and receive e-mail through verizon.net.
    When I returned home I could not send or receive e-mails through Eudora.  I quickly realized that I needed to re-set my Verizon password in Eudora, which I did.  However, that only solved the receiving e-mails issues.  For the past week I have been struggling to get the send function to work, again following the various solutions that apparently worked for others in the past, but to no avail.
    It doesn't make sense to me that re-setting my pw would leave a lasting impact on the send function only, but I guess stranger things have happened.  Does anyone have a solution that has worked recently?
    Thank you,
    Jeff

    Check this thread out!
    http://forums.verizon.com/t5/Verizon-net-Email/Eudora-7-1/m-p/723997/highlight/true#M17627
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • APSB13-03 authentication bypass issue

    I see hotfixes for version 9 and 10, but how can I fix this vulnerability in Cold Fusion version 8.0.1?

    Because CF8 has reached end of life period Adobe only provides security patches for CF9 and up currently. I'd recommend upgrading to CF9 or CF10 so you can get security patches.
    My best guess on how to secure yourself from this particular issue would be to block /CFIDE and make sure you don't use cflogin in your applications.
    Pete Freitag
    Foundeo Inc. - Makers of HackMyCF & FuseGuard

  • Authentication Device Issues

    I am trying to log into my UC540W via CCA and I am getting a pop up box asking for realm "level_15".
    Any ideas? I thought my password gave me full access rights.
    Thanks

    Hi Mate,
    You are going to hate me for this suggestion :-)
    Please remove your current connection out of your community and re-add it again, then add the ESW back into the topology section and authenticate that ESW again.
    It is likely that your community has become corrupt and a simple remove and add can resolve it :-)
    Cheers,
    David,
    Sent from Cisco Technical Support Android App

  • AnyConnect 3.1.05160 - no valid certificates available for authentication

    Hi all,
    one of our customers is running the above AC version and hitting the above error.
    from the DART file I gathered the following information
    Description : Server certificate validation failed with the following errors:
    Certificate does not match the server name.
    Certificate is from an untrusted source.
    Certificate is not identified for this purpose.
    Certificate is malformed.
    Certificate is explicitly distrusted.
    I am sure the Cert is valid however reading the following article got me thinking,  https://supportforums.cisco.com/discussion/11533701/cisco-anyconnect-3008057-certificate-validation-failure.
    could this be the same reason, haven't mentioned this to my customer as he is running 3.1.05. but could this be related to the same issue?
    thanks in advance
    Lance

    I also had the problem of "no valid certificates available for authentication", although it only prompted once, rather than a flood like the OP.
    However, the cause and solution for my problem was:
    The certificate used for authentication was issued by my internal CA, to the Computer, NOT the user.
    Although the user that is logged on is a local administrator, the AnyConnect Client application does not have the permission to send the certificate from the Computer store.
    The application needs to 'run as administrator'
    Right-click the application shortcut-> Properties->Compatibility->Privilege Level.
    Tick ->Run This Program As Administrator.
    I needed to reboot the client pc before this worked.
    n.b I was using Windows 8
