Authentication on web directory

Similar Messages

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Authentication on Active Directory using JNDI (A Proffessional Appraoch)

  I am using following code for getting authenticated on Active Directory by user logon name.
  Can any one tell me a more proffessional and fool proof appraoch for authenticating a user on Active Dir through my web interface ???
  thanks in advance
  * Created on Nov 10, 2004
  package auth;
  import java.util.Hashtable;
  import javax.naming.AuthenticationException;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  * @author Tushar Agrawal
  * Created On Nov 10, 2004
  public class UserAuthentication {
       public UserAuthentication() {
            super();
       public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
            boolean success = false;
            NamingEnumeration attrs = null;
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
            env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
            env.put(Context.SECURITY_CREDENTIALS, password);
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.version", "3");
            env.put(Context.REFERRAL, "follow");
            try {
                 String base = "";
                 DirContext ctx = new InitialDirContext(env);
                 SearchControls controls = new SearchControls();
                 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 controls.setReturningAttributes(
                      new String[] {
                           "sAMAccountName",
                           "userPrincipalName",
                           "displayName",
                           "memberOf",
                           "objectSid",
                           "title" });
                 NamingEnumeration e =
                      ctx.search(base, "sAMAccountName=" + logonName, controls);
                 if (e.hasMore()) {
                      SearchResult r = (SearchResult) e.next();
                      attrs = r.getAttributes().getAll();
                      /*while (attrs.hasMore()) {
                           System.out.println(attrs.next());
                      ctx.close();
            } catch (AuthenticationException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            } catch (NamingException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            return attrs;
  tushar agrawal

  You''l find more info at :
  http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
  That's the right way to do it.

• Does Apache in 10.6 support Web directory protection using .htpasswd?

  I am trying to protect a directory on my mac os 10.6 Web Sharing server using .htpasswd to no avail. I am creating an .htaccess and an .htpasswd file in the directory with what I think are proper configurations. Has anyone done this successfully? Am I missing something? Does the default setup in Snow Leopard allow for this? Is there a better way? Are these too many questions in a row?

  It was my understanding that one creates the .htpasswd file inside the directory that one is protecting, no?
  You can do that, but it's hardly recommended. Ideally the password file should be completely outside of the web directory since that makes it harder for someone to get access to it. If it's anywhere in the web directory tree then there's a chance that a remote user could get access to it (via some as-yet-unknown web server compromise) and there go all your passwords.
  .htaccess has to be in the directory it relates to, but .htpasswd can (and should) be elsewhere.
  and then created an .htaccess file alongside it with the entry shown in my original post.
  Sure, but that .htaccess file includes the path to the .htpasswd file to use for authentication.
  Just edit that line to the full path to your .htpasswd file.
  I'm not sure but I don't even see sever logs where I expected at:
  /private/var/log/httpd/access_log
  Under Apache 2 the logs are in /var/log/apache2/
  Also it appears that there are two apache2 folders:
  /etc/apache2/
  /private/etc/apache2/
  It doesn't matter. /etc is really a symlink to /private/etc. It's there mostly for compatiblity with unix apps that expect /etc.

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Get file list from URL/web directory

  Hey guys,
  I have created a script for After Effects that can download multiple images from URLs that are given in an array. Now ideally what I want, is to get all the filenames of the files in a certain browsable web directory to be put in an array.
  Unfortunately, I can't seem to figure out how to do this. Does someone have the knowledge here to help me out?
  Thanks in advance,
  Jorge

  This is more difficult to do than it seems. Since the files are on a remote web server, you need to find some way to get the server to divulge its local file structure, which is not something most servers will do. The absolute best way is to have control over the web server and run some server-side code (PHP, node.js, whatever) to generate the file list on the server side and then fetch it with your client/extension/script. Other than that it's almost impossible to get a 3rd party server to divulge its file structure as far as I know, mainly for security reasons. So the #1 question is: do you have control over the server/website that you're trying to fetch from or not?

• User Authentication in Web Dynpro Java

  Hi guys,
  I was just wondering how user authentication can be achieved in WDJ? In Web Dynpro ABAP this comes for free when you launch an application. However, in WDJ we can deploy and call the URL without any authentication at all. Is there a way to configure this or do we really have to code this? Thanks! Generous points will be awarded!

  Hi Alex,
  check this links,
  Re: User Authentication in Web Dynpro Application
  Authentication of Web Dynpro
  Using Web Dynpro authentication for a Web Service call
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/dd48d990-0201-0010-92a3-c3ed7e9fd244
  http://help.sap.com/saphelp_nw04s/helpdata/en/04/ee8b8b0d23b746854897adc5611c1d/frameset.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8304e990-0201-0010-ed8b-d978f1e67b1e
  Regards,
  vino

• Oracle 9i/10G DB authentication using Active Directory (with out OID)

  Hello All,
  We want to use a Single-Password authentication scheme using the Active
  Directory as the primary source for userId/Password.
  We don't want to use the Active Directory and OID bridge.
  As we have many databases and would like to configure all Databases to use Active
  Directory for Authentication. Our goal is to have single id/password across all
  the databases and any user should be able to login from any computer using their
  windows id/password, note that we don't want to use the OSAuthentication.
  We have read the documents provided by oracle for authentication using Active
  Directory, we were able to create Oracle Schema in Active Directory and were
  also able to register a DB with Active Directory and then created user as global
  user in Oracle Database and provided the DN of the user. When we tried
  authenticate with all this setup it comes back and says invalid ID/Password !!!
  And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
  Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
  Envoirnment:
  Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
  Operating System: Windows 2000/ Windows 2000 Server
  Constraint: We don't want to user OID ( as we don't have license for this
  product ! )

  I have a thread started similar to your request.
  OS Authenication on Windows
  Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
  SHOW PARAMETER OS_AUTHENT_PREFIX;
  SHOW PARAMETER REMOTE_OS_AUTHENT;
  CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
  GRANT CREATE SESSION TO OPS$SOMEUSER;
  For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
  CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
  I really wish Oracle or somebody created a guide or book on how to do this.

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• BASIC authentication and web client problems

  I have a very simple web service that is working. Now before attempting to use
  SSL, I want to test authenticating using BASIC authentication. I’ve made the
  changes to web.xml and even though the other web service pages authenticate ok
  (ex. http://localhost:7001/fileexchange/FileExchangeFacade), I am prompted again
  for authentication for web service itself. I can never authenticate to http://localhost:7001/fileexchange/FileExchangeFacade?operation.view=helloWorld.
  Has anyone completed this and if so, how does it work? I must have missed something
  simple.
  First, I setup the security constraint as follows:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>file-exchange-resources</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>Administrators</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
  <description>An administrators</description>
  <role-name>Administrators</role-name>
  </security-role>
  That allows me to secure / authenticate to the JSPs in the web service test app
  provided. Then I tried working with the admin server console to setup roles /
  privileges. I couldn’t get this to work but I easily could have done something
  wrong since there are no step by step examples other than the general docs in
  the programming guide.
  Next, since the web service deploys as a web application, I figured the problem
  must be that the internal WLS servlet needs security information defined in web.xml.
  I saw the programming guide listed the servlet name and discussed servlet mapping
  so I added the normal security entries for a servlet as follows and re-jarred
  the WAR and EAR.
  <servlet>
  <servlet-name>WebServiceServlet</servlet-name>
  <servlet-class>
  weblogic.webservice.server.servlet.WebServiceServlet
  </servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>WebServiceServlet</servlet-name>
  <url-pattern>/FileExchangeFacade/*</url-pattern>
  <security-role-ref>
  <role-name>Administrators</role-name>
  <role-link>Administrators</role-link>
  </security-role-ref>
  </servlet-mapping>
  It still doesn’t work. Any idea on how to get it to authenticate?
  Thanks,
  Dave

  Ok, this looks like an issue with the test page.
  When the test page gets a request to invoke a
  web service, it creates a client proxy and call invoke
  on the proxy. This will case the client proxy to
  create a new HTTP post connection to the server.
  Test page pulls out the username/passwd from the
  GET request from the browser and pass it to the
  POST request it makes to the web service. I think,
  the test page needs to do the same for realm. I will
  file a CR for this (CR105320).
  Please contact support with the case number if you
  need a patch for this.
  http://manojc.com
  "Malcolm Robbins" <[email protected]> wrote in message
  news:[email protected]...
  "Malcolm Robbins" <[email protected]> wrote in message
  news:[email protected]...
  One more thing.
  I took out explicit realm mapping and noticed that the firstauthentication
  challenge was for the WebLogic standard realm which was fine and
  authentication was successful. (i.e. I got to the web service "homepage").
  Actually I meant it was listed as "Weblogic Server" in the 1st challenge.
  When I stepped into the web service method and pressed the Invoke buttonon
  the web service methods the realm was "default" and authenticationfailed.
  Why does the domain change and how do I cover this?Is was actually listed as "Default".
  However this is the same domain I believe because I've done a further
  experiment and set the domains explicitely
  in the deployment WAR deployment (Other tab) and in the web.xml file. The
  second challange is then asking for re-authentication in the correctdomain
  (myrealm) but it does not accept the valid user/password and just re
  challenges until 3 attempts then it displays the SOAP message and theserver
  log file has the following exception:
  java.io.FileNotFoundException: Response: '401: Unauthorized xxx' for url:
  'http://localhost:7001/webservice/TraderService?WSDL'
  at
  weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:36
  2)
  at java.net.URL.openStream(URL.java:793)
  at
  weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(Definitio
  nFactory.java:73)
  at
  weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.java:63)
  at
  weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:
  108)
  at
  weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:
  84)
  at
  weblogic.webservice.server.servlet.ServletBase.invokeOperation(ServletBase.j
  ava:230)
  at
  weblogic.webservice.server.servlet.WebServiceServlet.invokeOperation(WebServ
  iceServlet.java:306)
  at
  weblogic.webservice.server.servlet.ServletBase.handleGet(ServletBase.java:19
  8)
  at
  weblogic.webservice.server.servlet.ServletBase.doGet(ServletBase.java:124)
  at
  weblogic.webservice.server.servlet.WebServiceServlet.doGet(WebServiceServlet
  .java:224)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at
  weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
  tStubImpl.java:1058)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :401)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  at
  weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
  ebAppServletContext.java:5412)
  at
  weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:744)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
  ntext.java:3086)
  at
  weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
  :2544)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)

• JDBC realm of FORM authentication in Web AS 640

  Hi, All,
  We try to port a web application from Apache Tomcat to WebAS 6.40. In the application we use FORM authentication based on Tomcat JDBC Realm. The configuration in Tomcat server.xml is like:
  <Context...>
    <Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource" username="..." password="..." driverClassName="..." url="..."/>
    <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/mydb" digest="MD5" userTable="users"  userNameCol="userName" userCredCol="passwd" userRoleTable="roles" roleNameCol="roleType"/>
  </Context>
  In database there are 2 tables for authentication purpose: users and roles. There are column userName, passwd in table users and userName, roleType in table roles (correlated with column userName). Then in web.xml we define FORM authentication:
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>...</realm-name>
    <form-login-config>
      <form-login-page>...</form-login-page>
      <form-error-page>...</form-error-page>
    </form-login-config>
  </login-config>
  Has anyone tried to port Tomcat JDBC realm mechanism of FORM authentication to WebAS 640? How do we need to configure J2EE server in Visual Administrator or deploy an application with DeployTool to implement the same features? And does WebAS support declarative MD5 digest algorithm in FORM Authentication?
  Any help is highly appreciated.
  Thanks in advance
  John

  evnafets wrote:
  The way it works is that you declare which pages in your application have got security around them in your web.xml. Whenever a user tries to navigate to one of those pages, they are presented with the login screen. If they login successfully, then they are taken to the page they originally requested.
  You should never actually have a link to your login page - the container will serve it when required.Ok, but how do i stop them entering the URL of the login page?
  i get this error after logging in correctly if i directly access the login page:
  "HTTP Status 400 - Invalid direct reference to form login page"
  i tried adding this constraint but it still happens:
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>login</web-resource-name>
            <url-pattern>/staffLogin/login.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint/>
  </security-constraint>
  >
  One possible way around this would be to create a database view which is a union of the two tables, thus giving you one "table" to query for the username/password/role combinations. That should satisfy the realm requirement.
  Cheers,
  evnafetsThats a good idea, il give that a shot. Thanks.

• Apache web directory password protection

  Hello all,
  I seem to be having a problem password protecting a web directory. I have my .htpasswd file and all of my directory info set up in my httpd.conf file but when I go to this directory via the web, I get prompted for a username and password but when I enter my username and the password that is in my .htpasswd file, it simply keeps prompting me for my password as if the user or the password is incorrect. Can anyone give me any hints as to how I can fix this?

  lovell,
  hi. glad you got it working. as for setting the permissions...
  for our server, which is FreeBSD but essentially no different, i setup basic auth directories as follows:
  username = My Admin User in all cases. I am assuming that www is the owner:group of the server process.
  I chown -R the directory to username:www. I then set the permissions on the directory to 0750 which allows rwx for the user and r-x for the group. the execute bit should be set on the directory to allow traversal by the webserver.
  as for the files in the directory, the chown -R of the directory should set all content ownership to username:www. Then I chmod all contents to 0640. this allows the owner to read and write and the webserver to read only. this does not allow any permission for folks outside of the owner or members of the www group (e.g. via terminal or ssh).
  now, the auth method of the webserver should be able to determine who has read access to the files. in your case, this is for the user 'lmcilwain'. e.g. only the user entering the proper credentials into the authorization box should be able to view the files (at least through their browser).
  remember, too, that basic auth passes passwords in plain-text, so if bad people want to intercept your password and username, they can do this if they really want to.
  that being said, basic auth is ok for things like pdf documents and whatnot. i wouldn't put anything terribly important in a directory 'protected' by basic auth, however.
  cheers,
  b
  some macs, some bsds, some tuxs   Mac OS X (10.4.4)  

• Networking techniques to explore the web directory.

  Hi all,
  I want to list all the file names present in a Web directory using URL methods. Can anybody suggest me how could i do this using Core Java APIs?
  Thanks in advance!

  Some web servers can be configured to list the files in a given directory if the URL points to that directory and there isn't any kind of default content. But that trick is being used less and less these days, it seems.
  If the server doesn't want to provide a list of files (either automatically generated or written by a web designer) then a client can't force the server to do so.
  If there are a bunch of example files on a site, you can try to see if the server will auto-list them. If not, you can use Google perhaps to get a list of the URLs.