Authentication issue with 4.1
We are using a custom authentication scheme. It calls the authentication API to authenticate against Active Directory.
It is working in multiple APEX applications in APEX version 3.2. We created a new install of 4.1 and imported the apps from 3.2.
I can't get this authentication to work in 4.1. Here is the code that works in 3.2 but not in 4.1.
This code is in the login process of page 101.
The error msg I get is Invalid Login Credentials.
I have created the application at the Oracle hosted site. id/pwd: guest/Lock01$
Of course, for simplicity, all the code does is emulate how I am logging in at the 3.2 install. All other code has not been copied over. This application works on our 3.2 install but not 4.1! Help!
declare
    b_result boolean := false;
    c_result boolean := false;
    d_result boolean := false;
begin
    -- :IS_ADMIN_USER := 0;
    -- :IS_IE_USER := 0;
    :USERNAME := :P101_USERNAME;
    :PASSWORD := :P101_PASSWORD;
    -- for security reasons I commented out the server and base domain info. in this call.
    b_result := LDAP2.AUTHENTICATE_ADUSER(:P101_USERNAME, :P101_PASSWORD, :P101_DOMAIN, '#####.####.com', 'DC=####,DC=####,DC=com');
    if (b_result = true) then
        -- I know that the session is valid as I displayed a message if it was valid to be sure.
        if APEX_CUSTOM_AUTH.IS_SESSION_VALID then
            -- this was the old way in 3.2 that worked but doesn't in 4.1
            -- wwv_flow_custom_auth_std.post_login(
            --     P_UNAME      => :USERNAME,
            --     P_PASSWORD   => :PASSWORD,
            --     P_SESSION_ID => v('APP_SESSION'),
            --     P_FLOW_PAGE  => :APP_ID||':1');
            -- I tried this in 4.1 but it still doesn't work
            APEX_CUSTOM_AUTH.POST_LOGIN (
                p_uname      => :USERNAME,
                p_session_id => V('APP_SESSION'),
                p_app_page   => :APP_ID||':1');
        end if;
    else
        owa_util.redirect_url('f?p=&APP_ID.:&LOGIN_PAGE.:&SESSION.');
        apex_util.set_session_state('LOGIN_MESSAGE', 'Your ID or PASSWORD is incorrect. Please try again.');
    end if;
    -- :PASSWORD := null;
end;
Edited by: ashalon on Mar 16, 2012 11:23 AM
Hi ashalon,
login processing normally calls the authentication scheme's login handler (aka authentication function). In many cases, this is done in a submit process on an Apex login page that calls
apex_authentication.login (
    p_username => :P101_USERNAME,
    p_password => :P101_PASSWORD );
This procedure (and its variants, like wwv_flow_custom_auth_std.login) causes the Apex engine to
1. run the authentication scheme's pre-authentication procedure
2. pass username and password to the authentication scheme's authentication function, which should return true or false, depending on whether the credentials are valid
3. if true: run the post-authentication procedure
4. if true: save the username in session state
5. if true: prepare a redirect URL to the deep link (i.e. the page that triggered login)
6. if false: prepare a redirect URL to the login page with a notification_msg that contains the error
7. log success/failure of the login attempt
8. generate a new session cookie
9. perform the redirect
The exact order and technical details of these steps may vary from Apex version to version.
The authentication function (2.) can check against the workspace users table (Apex authentication), the database, an LDAP repository, or you can build your own.
Some authentication schemes rely on external mechanisms to check the credentials and a defined way for these to pass the username back to the authentication scheme. SSO does this in a very special way; the header-based authentication scheme simply relies on an HTTP header variable to transport the username. These authentication schemes never run 1. and 2. from above, but simply accept the username and run 3. - 9. This behaviour is exposed with the post_login procedure.
Your authentication scheme is interesting. It piggybacks on the Apex authentication scheme, but de facto uses nothing of it. The submit process on the login page checks LDAP credentials and then runs post_login, if the check was successful. You could surely rewrite this as a custom authentication, although the authentication function would have to rely on v('P101_DOMAIN') in addition to the username and password that get passed to it by default. Whether the rewrite makes sense is up to you, of course. If you are comfortable with this authentication, stick to it. But it probably would be much easier to understand for others and also easier to reuse in other apps if the LDAP credentials checking was in the authentication scheme.
Regards,
Christian
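The rewrite Christian suggests (moving the LDAP check into the authentication scheme's own function, so the page process shrinks to apex_authentication.login) looks roughly like this. This is an added example, not code from the thread or from Oracle; it assumes the poster's LDAP2.AUTHENTICATE_ADUSER function exists with the argument order used in the original process, that the domain still comes from the P101_DOMAIN page item, and it uses placeholder values for the host and base DN that the post masked.

```plsql
-- Added example: authentication function for an APEX custom authentication
-- scheme (set as the scheme's "Authentication Function Name").
-- APEX passes only p_username and p_password, so the domain is read from
-- session state, as the reply above points out.
create or replace function ad_ldap_authenticate (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    -- Placeholders: the original post masked these values. Fill in your own.
    c_ldap_host constant varchar2(255) := 'ldap.example.com';
    c_base_dn   constant varchar2(255) := 'DC=example,DC=com';
    l_domain    varchar2(255);
    l_ok        boolean := false;
begin
    -- Fail closed on empty input. Active Directory can treat a bind with a
    -- DN and an empty password as an unauthenticated (anonymous) bind and
    -- report success, which a naive wrapper would count as a valid login.
    if trim(p_username) is null or p_password is null then
        return false;
    end if;

    -- P101_DOMAIN was saved to session state by the page submit before the
    -- login process ran, so v() can read it here.
    l_domain := v('P101_DOMAIN');
    if l_domain is null then
        return false;
    end if;

    -- LDAP2.AUTHENTICATE_ADUSER is the poster's own package, assumed to exist
    -- with the same argument order as in the original page process.
    l_ok := ldap2.authenticate_aduser(
                p_username, p_password, l_domain, c_ldap_host, c_base_dn);

    -- A NULL result falls through to FALSE: only an explicit TRUE logs in.
    if l_ok then
        return true;
    end if;
    return false;
exception
    when others then
        -- A directory outage or bind error must look like a failed login,
        -- never like a successful one. Only the error text is logged; the
        -- password is never written anywhere.
        apex_debug_message.log_message(
            p_message => 'ad_ldap_authenticate: ' || sqlerrm,
            p_enabled => true,
            p_level   => 1);
        return false;
end ad_ldap_authenticate;
/

-- With the scheme in place, the page 101 submit process is reduced to the
-- standard call from the reply; APEX then runs the post-authentication
-- procedure, session state, login logging, cookie and redirect itself.
begin
    apex_authentication.login(
        p_username => :P101_USERNAME,
        p_password => :P101_PASSWORD);
end;
/
```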
Similar Messages
ACS 5.2 Authentication Issue with Local & Global ADs
Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS, it worked, but we didn't do the migration as there'd be changes from the ADs.
Now my customer wants the ACS migration by creating a new Group in AD; I also updated the ACS config.
For the user from the old group, authentication is OK.
For the user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.
Can anyone advise how to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, so ACS should go to the local AD first.
How can we check or make sure of it?
Thanks ahead,
Ye
Hello,
There is an enhancement request open already:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
ACS should be able to query only desired DCs
Symptom:
Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change of this behavior.
It should be possible to define which DCs to contact and/or make ACS to interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions:
Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
Workaround:
Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact on an AD Domain.
Hope this clarifies it.
Regards.
Authentication issue with Xcelsius/Portal integration
I am facing an issue with the way we have integrated our Xcelsius dashboard with our corporate portal. I know this probably is more of an SDK question than Administration, but I figured I would ask it here anyway since Tim and some others are diverse enough in their knowledge base. This might be a LONG post but please advise if anyone has any good pointers.
We have an Xcelsius dashboard that needs to be served up via our corporate intranet (based on MS SharePoint 2007). Now we are NOT using the MS SharePoint Portal Integration Kit, but just doing a basic integration of the SWF call within a web part on SharePoint. All this means is that within a portlet (web part) on SharePoint, I am making an HTTP call to the openDocument URL to invoke the SWF file. So the SWF is actually served up from our Tomcat App Server, and displayed in this frame within the portal. That is the basic idea.
To achieve this, what I did was write some custom code using the Java SDK to modify the openDocument a little bit. By doing so, I was able to insert some behind-the-scenes-login code wherein no matter who the portal user (Win AD-based) is, he is logged in to BOE as a generic "dashboard-user" and the dashboard is served up. This worked fine for the first dashboard where all we had was SWF and some WebI linking using openDocument (no full-InfoView access).
But in this second dashboard now, what we also have is a hyperlink for users to get to InfoView to do Ad-hoc reporting. What this does is open a child browser window from within the portal (dashboard) --- and it remembers the BOE session for the generic user id "dashboard-user" and logs the end-user in to InfoView using that. But what I actually want is that the end-users, on this new window, should only be prompted at the traditional InfoView logon screen where they can manually enter their Windows AD password and get in. Thus, I would like to keep the dashboard SWF page session separate from the InfoView ad-hoc session, which I cannot seem to do because of the browser relationship and session maintenance.
I am trying to find a way where I can simulate a single sign-on for dashboard viewers on the portal, but at the same time let them jump off to InfoView as themselves.
Any thoughts on how I can do this?
Notes:
We DO NOT have Single Sign-On enabled for InfoView
We are using Windows AD authentication (manual, no SSO)
We are on Tomcat
Sarang Deshpande wrote:
1) If the InfoView app on Tomcat (desktoplaunch) is configured with Vintela, openDocument calls from the portal will automatically work using behind-the-scenes SSO, correct?
In XIR2 everything that falls under InfoView should SSO when InfoView is set up for SSO (not the case in XI 3.x).
Sarang Deshpande wrote:
2) What is the best practice when it comes to the service accounts needed? I have implemented Windows AD manual auth already so I have a service account that I use for that. Should I be using the same one and making Vintela/SSO-specific changes to it, or should I have a separate Vintela service account and deal with two different ones, each for a different purpose?
There is no best practice per se, but the fewer service accounts, the lower your chances of duplicating an SPN; functionally everything seems to work just as well with multiple as it does with 1 (of course with 1 there is less management work). If you click the SSO link in my forum sticky post I have a section explaining this with some suggested methods of deploying a service account(s).
Sarang Deshpande wrote:
3) Other than some minor browser configurations that might be required, is there anything else that I should communicate to the team about what might be required to be "pushed" to users' PCs?
Using the default config nothing should be required on the client machine (unless SSO has been disabled in the browser or you intend to use a URL that contains a period, i.e. FQDN or IP); with a hostname URL (the default) it should just work.
To note, if you have XP SP2 or older there is a Microsoft SPNEGO bug; you may need to apply a fix if you aren't patched to SP3 (about 5% of our customers run into this).
Regards,
Tim
SMTP relay authentication issue with DynDNS MailHop Outbound
Hi,
I'm trying to use the SMTP relay functionality of my OS X Server but I get following log message:
Apr 4 21:40:21 mydomain postfix/smtp[7629]: 4EE3686F529: to=<xxxx@xxxxx>, relay=outbound.mailhop.org[204.13.248.71]:465, delay=140731, delays=140130/0.06/600/0, dsn=4.4.2, status=deferred (conversation with outbound.mailhop.org[204.13.248.71] timed out while receiving the initial server greeting)
I configured the relay settings in Server-Admin for host: outbound.mailhop.org:465 and added my dyndns username and password.
I would appreciate if someone could help me to figure out what I'm missing.
Thanks
If you're getting a 550 error then it indicates an issue with the SMTP server you're using / how you're connecting to it. Either the mail server you've got configured for SMTP isn't set up to handle email for you, or in addition to setting the server address in the SMTP settings, you also need to configure authentication on the email accounts. In the account settings you need to select More settings (I think, I don't have an Outlook 2007 copy to check on), then you'll see an Outgoing Server tab, within which you can configure the required authentication. It will either be the same as the POP3 login, in which case you can select "Use same settings as my incoming mail server", or if they're different you can enter the specific details that are required to send.
Custom Authentication Issue with Policy Agent
Hi,
I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication succeeds and a user session is created, and I get the following error message in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Neeraj
Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas
WCS Radius Authentication issue with 2008 R2 NPS
OK, so I have my NPS working. I am authenticating all sorts of Cisco devices and I can even authenticate the admin login from the WCS server, UNLESS I add more than 27 of the custom settings in the Cisco-AV-Pair that the WCS uses to define the logged-in user's rights. Anything after the 27th setting, the login times out and the WCS denies access. I go back to 27 and it logs in fine. There are 73 settings for the default admin user.
Anyone have any ideas why this is happening or better yet, how to get around it?
I have been searching through the MS technet to see if there is a limitation built in to the NPS, but I have yet to find anything.
Thanks,
Rod
I have not gotten any other feedback and I have not been able to identify anything on TechNet about it. It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings. It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do not hit the 27 "line-item" limit.
SOAP Sender Adapter Authentication issue with Siebel
Hello PI experts,
I have developed scenario in which,
SAP PI version: 7.31
Sender : Siebel
Sender Adapter: SOAP
Receiver: SAP ECC
Receiver Adapter: Proxy
Scenario has been configured and wsdl is generated properly. I tested scenario using SOAP UI which gave me proper response.
But when the scenario has been tested through the Siebel UI, it's giving an Authorization 401 error.
HTTP/1.1 401 Unauthorized
server: SAP NetWeaver Application Server 7.20 / AS Java 7.31
date: Wed, 20 Aug 2014 05:54:58 GMT
We have tried following approaches:
1. Appending Credentials in URL
2. Siebel team tried sending credentials in their workflow
Referred blog:
http://scn.sap.com/community/pi-and-soa-middleware/blog/2012/03/07/a-closer-look-at-soap-sender-authentication
But in all cases we got same error.
Also, is there any possibility to turn off sender authentication for the SOAP adapter? I tried the approach of removing tags in web.xml but that also didn't work.
Please suggest some way
Thanks,
Gaurav Khandelwal
Hi Gaurav,
Can you please check with your Basis team that the firewall is open to send data through SOAP to PI.
Thanks,
Sreenivas
Authentication Issue with BPM work space
Hi
I have created a sample BPM process using JDeveloper and deployed as well
but when I tried to login to verify the created process in the workspace it shows
"Invalid ID or password. Please try again". I tried using the weblogic user ID and password (weblogic/Welcome1)
and also tried using existing users in weblogic (ex: cooper/welcome1) but no luck. So could you please let me know what may be the issue
and how to resolve this issue; it will be a great help if you can help.
Regards
Noor
Hi Noor
By any chance, for this SOA/BPM domain, have you configured any other External Authenticator also, like LDAP, AD etc.? If so, is that the first in the list? And if yes, then your error is valid. You need to do some extra settings. I can give more details once you confirm the above points.
BUT if you just created a BPM domain and created those test users like jcooper/welcome1 etc., then you should not get these errors. I hope you used the demo community seed war file, deployed it and ran that servlet. And also, make sure that you are using the correct username/passwords. So first try the weblogic user on your console, em etc. Then try bpm/workspace. You should be able to login, even though you may not see links on the left side to create new tasks.
Thanks
Hi Ravi Jegga,
Thanks for your reply. I have not configured any external authenticator and I have not created any test users while creating domains; I hope these test users will be created automatically. I am able to login to both the weblogic console and em as well; when I try to login to the workspace it shows Invalid user name or password.
I am trying the very basic sample process model given by Oracle (http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/obpm/11g/r1/firstProcess/firstprocess_obpm11g.htm)
so could you please let me know if I missed something.
Thanks & Regards
Noor
OS X Server + Active Directory Authentication Issue with Wikis
Hello,
I recently purchased an Apple XServe with Snow Leopard installed. The purpose of this server is to enable students and teachers to create Wikis and Blogs.
The majority of my environment is MS, with Active Directory as our LDAP provider.
I have joined the server to my domain and can add domain accounts to the Wiki creation access list without issue, but whenever I try to login to the server's web interface with one of those accounts the login screen shakes and prompts for another set of credentials.
What am I doing wrong? Open Directory seems to be set up properly and has been Kerberized as it requested when I joined the box to the domain.
Thank you all for your help,
David
Message was edited by: DHeath_WJCC
Please ask in the Snow Leopard Server forum
http://discussions.apple.com/category.jspa?categoryID=96
We've had authentication issues with Infinity since the install just over a week ago (BT Business package)
The router will drop the connection and then we have a problem reconnecting (won't). Out of sheer frustration I've discovered a workaround that sometimes works, which is to change the user name to the BT test account, connect, and then change the router user name setting back to our own. The BT test account always works, so despite a BT engineer being sent to trace the problem onsite yesterday the issue remains. We've also been sent a new router, and the BT engineer arrived with yet another new one yesterday.
The problem seems to be purely authentication. The Technical Helpdesk have changed our password (twice) but we still get the problem. Yesterday I was told that some other users in our area have also had an authentication issue and that over the weekend 'patches' were going to be applied at our local exchange.
When the service works we get quite good speeds (37 down, 8 up) but we're frustrated with the lack of knowledge from the help-desk and have doubts that the 'patches' will resolve the issue
Such is the problem that BT will downgrade us back to ADSL2 (which was rock solid in comparison) next week if we're still unhappy
I did ask if our user name could be changed but was told no. I'm curious to know how the switch to fibre could cause authentication problems?
Hi, this is a BT Residential forum; as a Business user you may get more help from the BT Business forum:
http://business.forums.bt.com/t5/Broadband-and-internet/bd-p/Broadband
Safari 5.1 HTML5 HTTP basic access authentication issue video does not load
I have a .m4v video referenced in a page with the HTML5 video tag in a folder which is in a password protected folder housed on iPage.
Safari 5.0.5 plays the video fine. Safari 5.1 fails to load/play the video in the protected folder. If I move the video to a not protected folder, Safari 5.1 plays it fine.
This is on iPage. Back on MobileMe all is fine with 5.1.
I think this is an HTTP basic access authentication issue with 5.1.
Anyone have a similar issue? Workaround?
Yes, I can also confirm this behaviour. This is in Safari 5.1.1, but I also see the exact same thing in WebKit nightlies.
I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which Certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message "Authentication failed".
I based my setup on the TechNet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and able to retrieve the CRL.
I got event ID 300 in the event log:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
thx
Stef71
This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS as well, which is twice. You can see my results below.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as the External Identity Source. Also I applied an authorization profile with a DACL. I login on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I login under different accounts ISE continues to use only the one last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or did I misconfigure ISE or the switch or supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1888913408
revocation-check none
rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 1
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
ip address 172.16.0.204 255.255.240.0
no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
 deny icmp any host 172.16.0.1
 permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
 address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end

Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting an error message that username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and iOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
Slowness Issues with Windows Authentication in SharePoint Foundation 2010 sites
All,
We are having a strange issue with SharePoint Foundation 2010 sites where sites are loading very slowly when accessed via Windows-based authentication, whereas the extended sites in forms authentication are loading normally.
There were no error logs or even SharePoint logs, except that the images' load time is showing with different load times.
Attached are the patches that were updated to the server that may be the issue, but not sure. Can someone please share your thoughts?
SQL connectivity between the servers is good. There are no network issues, except that the users are using the sites with a different domain other than the domain in which the servers were hosted.
There is a trust between the two domains. This was never changed and there were no issues in the last 2 years.
Thanks, Keshav, SharePoint Developer
We do have trusted domains
Inder : It would be better if you run that command again now.
Inder: How many AD server do you have
Inder: Do you notice the login request go to nearest AD server.
and https sites. Please share your thoughts.
Inder: All the certificates have intermediate certificates. You need to log on to each SP server and install
these certificates in the trusted root authority.
If this helped you resolve your issue, please mark it Answered
Issue with form based Authentication in three tier sharepoint 2013 environment.
Hi,
We are facing an issue with form-based authentication in a three-tier environment.
We are able to add users to the database and in SharePoint.
But we are not able to log in with the created users.
In single tier everything is working fine.
Please help, it's urgent... Thanks in advance.
Regards,
Hari
If the environments match, then it sounds like a Kerberos double-hop issue.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs