Authentication woes

Similar Messages

• Wifi Woes - Phase 2 Authentication Resets Itself

  Hey,
        I'm having difficulty connecting to my school's internet with the Droid Bionic.  According to my school's IT the wireless setup should be:
  Security:           802.1x EAP
  EAP method:   TTLS
  Phase 2 auth:  PAP
  CA Certificate: <is installed>
  The problem I'm having is when I go to save a Wifi network the Phase 2 Authentication resets from PAP to 'None'.  Is anyone else having this problem?  Could someone try this really quickly and send me a response?
  ~Justin

  Yep, this is an ongoing issue and appears to be a Verizon thing.  The issue seems to be that it is not possible to update the Phase 2 Authentication field to anything other than 'none' for EAP... it simply is not being set or remembered. 
  My original Droid actually worked with the Andriod 2.0 release, but 2.1 broke it and it hasn't worked since.  I believe the Android codebase DID fix this, however Verizon has not made it a priority to include the fix in their releases.  I now have a Droid 4 running 2.3.6 and it is still broken.  Many of my coworkers have this same issue, but ONLY THE ONES ON VERIZON!  Other carriers have apparently figured out how to port this fix into their releases, regardless of which Android phone. 
  Come on Verizon, fix this so we can stop wasting your 4G bandwidth!!!

• Domain user not authenticated from Windows 7 PC

  Hi,
  This is the background of the problem.
  Windows 2003 Servers running AD. 2 Servers, Primary and Backup.
  2008 R2 servers are joined as members of 2003 AD. Mail server and File server
  Clients - Win XP, Win 7.
  Share folders on Fileservers were accessible from both type of clients.
  Since windows update happend last week (12/03/2015),Win 7 users are being rejected by the 2008 servers
  Win XP users do not face this issue
  Please help, it's driving me nuts :)
  Thanks
  Thepul

  Look at some of the issues that have been arising from KB3002657; uninstalling it seems to solve the problems for most people.  Authentication errors from Windows 7 and 8.1, but XP works normally.
  The update has been re-released as of 03/16 for Server 2003 only.  Some information:
  http://www.infoworld.com/article/2897814/operating-systems/server-2003-admins-beware-microsoft-re-issues-botched-netlogon-patch-kb-3002657.html
  https://social.technet.microsoft.com/Forums/en-US/0a520543-29d4-4466-9967-e39d819d11f1/users-cannot-log-into-remote-desktop-after-3112015-update
  https://www.pickysysadmin.ca/2015/03/11/kb3002657-breaks-everything/
  http://www.infoworld.com/article/2895900/microsoft-netlogon-patch-kb-3002657-woes-continue-kb-3032359-cisco-anyconnect-fix-confirmed.html

• Authentication, login trouble.

  Hello,
  Part my work's domain set up is not behaving normally. This anomaly was noticed on March 11th. My co-worker connects to the network share daily from her Mac via smb:// , but starting the 11th she couldn't anymore. It's similarly true with my other coworkers
  who use Mac, and also those that use Windows that are added to the domain. We use various version of OSX (10.7 - 10.10) and Windows 7, 8.
  The servers of interest:
  Server A: physical machine. Host the network share. Host virtual machines. Windows Server 2008 R2 Standard SP1.
  Server B: virtual machine on server A. Domain Controller, and primary DNS. Windows Server 2003 SP2
  Server C: virtual machine on server A. DHCP, and secondary DNS. Windows Server 2008 R2 Standard SP1.
  Server D: physical machine. Has a network share that uses active directory authentication. Windows Server 2008 R2 Standard SP1.
  NAS: physical device. Synology DS415+. Connected to the domain.
  I am the primary manager of these machines. I haven't done any configuration changes since the end of February, when I added a new user. These machines are patched up-to-date.
  Another problem with Server A is RDP'ing to it. I usually can log in using domain admin account, or .\Administrator (local account), but now have to use SERVER_A\Administrator.
  Connecting to the NAS also unable to authenticate against domain accounts; I have yet to find the error logs. I do not know when the NAS started having problem authenticating. The last time I used the NAS was at the end of February.
  Interestingly, the network share on Server D works with AD authentication. Other aspects of the domain seems to be working fine.
  I've been searching around the internet using these keywords: Event 4625, NULL SID,  An Error occured during Logon, 0xc000005e.
  I haven't found a solution. My plan is to make a new server similar to Server D, and start a new network share. But the NAS seems unrecoverable.
  Please advise. Thank you.
  Event viewer's security log of Server A shows audit failure of this form when trying to connect to the network share:
  - <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <Channel>Security</Channel>
    <Security />
    </System>
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user.name
  Account Domain: ADOMAIN
  Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xc000005e
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: workstation
  Source Network Address: 192.168.167.181
  Source Port: 50683
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

  It is a bad Microsoft patch. Here's a writeup.
  http://www.infoworld.com/article/2895900/security/microsoft-netlogon-patch-kb-3002657-woes-continue-kb-3032359-cisco-anyconnect-fix-confirmed.html

• Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

  I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
  When I log into my site using Windows Auth, everything is great.  However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
  to use to log in   and after 3-5 second
   and return me the logon page with error message “Authentication failed” 
  I base my setup on the technet article
  http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
  I validated than all my certificate are valid and able to retrieve the crl
  I got in eventlog id 300
  The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
  Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  Additional Data
  Exception details:
  Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
  ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
  correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
  serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
  trustNamespace, AsyncCallback callback, Object state)
  System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
  failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  thx
  Stef71

  This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
  on my case was :
  PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ad0001.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
  Certificate                 : [Subject]
                                  CN=domain.AD0001CA, DC=domain, DC=com
                                [Issuer]
                                  CN=domain.AD0001CA, DC=portal, DC=com
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  22/07/2014 11:32:05
                                [Not After]
                                  22/07/2024 11:42:00
                                [Thumbprint]
                                  blablabla
  Name                        : domain.ad0001
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : domain.ad0001
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17164
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ADFS_Signing.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
  Certificate                 : [Subject]
                                  CN=ADFS Signing - adfs.domain
                                [Issuer]
                                  CN=ADFS Signing - adfs.domain
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  23/07/2014 07:14:03
                                [Not After]
                                  23/07/2015 07:14:03
                                [Thumbprint]
                                  blablabla
  Name                        : Token Signing Cert
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : Token Signing Cert
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17184
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.PORTAL>

• Authentication - multiple domains with multiple accounts

  Dear All,
  Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's
  machine is part of the DOMB domain.
  I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
  So far, I've thought of the following solutions:
  1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
  2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
  I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
  Any ideas?  Or, am I completely mad?!
  Thanks in advance.

  1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
  An ADFS trust might be another option, although that increases your deployment footprint and complexity.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Error while authenticating a user

  Dear all,
  Hope you all are doing well.
  Production issue :
  When an user tries to login with his username and password. He is getting error message "INTERNAL ERROR OCCURED".
  And the standard RFC which i'm using for authenticating user is  SUSR_LOGIN_CHECK_RFC
  CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
    EXPORTING
         bname                                 = ip_empid
         password                             = ip_password
  EXCEPTIONS
         wait                                     = 1
         user_locked                          = 2
         user_not_active                    = 3
         password_expired                 = 4
         wrong_password                   = 5
         no_check_for_this_user         = 6
         password_attempts_limited    = 7
         internal_error                         = 8
  OTHERS                                    = 9.
  I want to know what is the meaning of this internal error ? something is going wrong with the standard RFC which I am referring to ? Some one please help me out..
  Thanks in advance.

  Hi Syed,
  Really need more of a context to your problem.
  1. You've posted in the SSO forum. A SSO problem or a normal SAPGUI logon problem ?
  2. You say .... "And the standard RFC which i'm using for authenticating user is  SUSR_LOGIN_CHECK_RFC" .... Meaning what ??? you are using a home developed solution ?
  3. Problem affects one user or all users ?
  4. Backend version and kernel pl level please.
  Cheers,
  Amerjit

• Continual Mac woes (no question, just a rant)

  It's Tuesday, and I am having terrible problems with my Mac. But then, why should Tuesday be different from any other day of the week.
  Here is a typical day for me. The computer appears to be working OK. I need to watch a DVD for my work. I turn on DVD player, and put one in. The machine can't read the disc. It clicks and whirls, but the icon does not show up on the desktop. Meanwhile, so distressed is the machine that it freaks out. What was up until now was a fluidly operating machine suddenly reverts back to its old ways (i.e., its ways of two days ago). The hold ups and spinning pinwheels begin to eat of hours of my work day. (Remember the old days when computers made life easier?) The machine becomes sticky, gummy. Oh, I can move the curser and it seems to work for a second but then gets stuck in the dock, which explodes in icons and then freezes for five minutes. Yes. Five minutes.
  Would love to use Force Quit, but the cursor is spinning, and nothing is responding. Funny about that old Mac. You can't force quit Force Quit. I guess I need to leave it open all the time.
  Of course, FQ usually works on Safari. I have never just "quit" Safari. It always requires Force Quit, otherwise I can't turn off my computer. It stalls shut down.
  Now I have a DVD trapped in there and can't get it out. [But I just got an answer from another posting.]
  In the old macs, there used to be a pin hole you could stick a needle into ... can't find one on my flatpanel iMac.
  I bought my Apple flat panel iMac in August of 2002. Yes, I know that that is a long time to have a computer, but I am not rich nor attached to a corporation that can splurge on computers. The first weekend I had the machine, I had three kernal panics.
  Among the other problems I have documented are the following: the dock hiding itself unbidden and other features checking and unchecking themselves (Aug 2002); bus errors connected with OS 9 (Sept); some problems that inspired the tech person (Eric)) to talk me through deleting my user i.d., resulting in the loss of two months worth of e-mail (Thursday, 12 September); Preview problems (September); a bizarre box with an unmovable and undeletable red stop sign in it that no tech person or other Mac user I know had ever hear of (Monday 30 September); printing problems; computer won't shut down, numerous disconnection errors, which turned out to be caused by an OS X update (beginning December, 2002, or later); Kernel panics (Feb); computer won't shut down (March); Faxstexx problems, program won't allow me to set it up, finally just deleted the software (April); keys like "V" freeze and repeat endlessly (May 21); DVD Player freezes (May); Safari and Mail begin quitting unexpectedly (May); cursor begins to blink and fade out, plus odd sounds come out of the speakers, a constant error beeping (Sept 9); DVD Player problems (Oct 4).
  I called AppleCare while I had it about once a week (the total between August 2002 and the time it ran out was about 155 calls). Naturally, some of these calls are motivated by user error. On the other hand, many of the issues I have called about were unprecedented as far as the Tech person was concerned, such as the blinking mouse, the red stop sign, and the DVD Player woes.
  Things improved with Panther, but in Tiger many of the same old issues have returned.
  I have been having so many problems with my Mac that I once wrote a letter to the company asking when do I qualify for a new replacement machine. I never received an answer, but I felt better for about a day. Then I turned on my Mac again.

  The spinning ball of death as we used to call it is often caused by a lack of RAM, it is hard to be sure as I am not working on your machine, but sometimes things can be improved with additional RAM, it makes it seem like a whole new computer.
  A lot of your problems sound like stuff that can be fixed easily enough, and although frustrating things happen here and there with updates. It sounds like you are in fairly good spirits with it all, I would suggest just researching a bit more into maintenance you can do to help maintain the computer and educate yourself a bit more (sounds like you already have learned quite a bit along the way) and you will find a lot of these issues take you a few seconds to rid yourself of. I would start by making sure you are repairing permissions regularly and running the most up to date software. If a lot of problems persist, try creating a second user that is a "test" user to see if the problem is replicated on that user (don't delete your other one, but if you do find the problem not on the other user, you might have a corrupt user, however you don't have to lose all your emails there are plenty of ways to back it up and import it in, or even just bring the entire Mail folder from your library over to the new user). Another thing you can do if you find a lot of system problems is archive and install the OS, it takes a bit of time, but doing it overnight shouldn't be an issue, and you won't lose any of your stuff.

• Authenticating test applcation in OAM is not working

  Hello OAM experts, can you please help to figure out why my test application is not getting authenticated by OAM.
  I have installed IDM for fusion application and SSO login is working for all admin consoles such as WLS, EM, OAM, OIM. I have deployed test application to OAM server itself to test the authentication of protected resources.
  Host identifier is already there which was create while configuring my IDM for fusion applications. I created new application domain , created resource for /text/*, created authentication policy and used LDAPScheme for authentication, created authorization policy and defined constraints by adding a group OAMAdministrators ( just for testing purpose). I also added response in the authentication policy.
  Then I have configured admin.conf of OHS server to redirect http://webhost1:7777/test to oam server host and port. It is getting redicted but not to the SSO login page. The URL still shows http://webhost1:7777/test and executes the test page and displays test application. It should have been redirected to SSO login page though OAM.
  At this stage I have no clue what did I miss. As I said, when I login to wls console, it gets redicted to SSO login through OAM login page and then while accessing OIM, it directly takes me to OIM application since the user has privileges and also OAM page without logging in again.
  But why my test application is not redirected to OAM authentication page ?
  Any help is grately appreciated.
  thanks
  Edited by: Jyothi on May 3, 2012 3:25 AM

  Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with a 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks-in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for their credentials. As the documentation says I have CLIENT-CERT defined as the auth-method in my login-config inside my applications web.xml file.
  I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails Authentication should kick-in and redirect to challenge login page). So I have an OAMIdentityAsserter and an OAMAUthenticator set-up in addition to the Default Weblogic Identity Asserter and Default Weblogic Authenticator.
  I have tried everything but, the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml then the Default Weblogic Authenticator pops up a dialog box which does let me enter credentials and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialogue box to pop-up. I want the OAM server to redirect me to it's built-in login page just like it does for the OAMConsole itself which is being protected by the out of the box 10g IAMSuiteAgent Webgate. Which, as you know, comes pre-installed.
  Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.
  Thank You.

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Authentication Combination in ISE 1.2

  Is it possible to have dual authentication using workstations auth certs and Windows domain credentials for authentication in ISE 1.2?                  

  Hi Kevin,
  This would be a client side configuration.
  What type of authentication is this?
  VPN? wired or wireless dot1x?
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

  We are running cisco ISE 1.2, we have new AD domain with forest trust relation between both the new and the old. authentication to with the new domain fails.
  Is there any requirements or configurations change needs to be done to make it success?

  Use the license that is currently on your ISE.  If your account has access to download the software, then you are good.  The license will not change during the upgrade.  If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus?Apex Licensing model. 
  If you are not yet on Patch 8, the you are using Base/Advanced and these will be converted during the upgrade.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Can we add new logical system in Entitlement tab in SAP Authentication.

  Hi ,
  We already Installed and configured sap integration kit and every thing works fine. My question is as of now we connected our sap BW Dev system  to BOBJ but we would like to connect to BW Prod System to same BOBJ System. What are the steps we need to follow to do this.
  Can we just add the new logical system in entitlement tab of sap authentication in BOBJ 3.1? and import the roles and login to BOBJ USING THE Newly added SYSTEM Credentials.  Thanks in Advance.
  Thanks,
  SK.

  Hi Ingo,
  Thanks for the information.
  Are there any specific steps you need to follow when you are adding one more system to sap authentication. can you please give the steps we need to follow to setup this in right way. Thanks in advance.
  Is there any thing we need to configure on sap side other than sap logon ticket parametre. If you can please provide the steps it will be great. Thankyou very much In advance.
  Thanks,
  SK.
  Edited by: Vallabhaneni SK on Jul 14, 2009 8:53 AM

• Data Federator authentication modes

  In Data Federator (3.0 SP1 or previous), Is there any authentication mode similar to AD/LDAP in BOE?
  What are the options available for dynamic logon, while connecting to a database via JDBC in the DF Data source definition screen?
  Thanks
  Tiji

  Hi Tiji,
  Connecting to Data Federator using BOE applications
  In Data Federator XI 3.0 SP1 and previous versions the only way to connect to Data Federator is to provide a user name and password. Data Federator manages its own repository of users.
  Using Universe Designer, you can create a Data Federator connection with two authentication modes:
  - Configured Identity: the same user name and password is used for all consumers of the connection
  - Database Mapping: the DBUser and DBPassword associated to the BOE user are used to connect to Data Federator.
  There is no support for single sign on.
  Creating a datasource using Data Federator Designer*
  When you register a new datasource using Data Federator Designer you have three authentication modes supported:
  - Configured Identity: the same user name and password is used to connect to the database (for all DF users).
  - Principal Mapping: a mapping can be defined between a DF user and data source credentials. This is done through creating and managing "login domains".
  - Caller Impersonation: the DF user and DF password is used to connect to the data source.
  The Principal Mapping mode is pretty similar to the feature in BOE called Database Mapping except that you are not restricted to a single DBUser/DFPassword pair whatever data source you want to access. This is more flexible. Note that there is no UI in Administrator to manage login domains. You have to run built in stored procedures in the query tool.
  Hope this helps,
  Mokrane
  Mokrane Amzal
  Software Development Manager
  SAP BusinessObjects Divison