Authenticator.getPasswordAuthentication: NTLM Caching

Hello,
I have written a subclass of java.net.Authenticator and implemented the getPasswordAuthentication method for use with NTLM authentication. Then I call Authenticator.setDefault(myAuth);
At the first web service call to an IIS server the getPasswordAuthentication method is invoked and the NTLM authentication works like a charm.
When the user logs out of my Swing application, the application doesn't shut down, but all the socket connections are closed, I call Authenticator.setDefault(null), do various cleanup, and the user is presented with another login screen.
When the user logs in again with a different username and password, I again set the default authenticator, but HERE'S THE PROBLEM: the getPasswordAuthentication method is not invoked again! It seems to be cached in the JVM.
I know a lot of things are going on behind the scenes between IIS and Java; is there any way (besides shutting down the app and making the user launch it again) to trigger the invocation of getPasswordAuthentication so the server will recognize the newly-entered username/password?
Thanks,
Andrew

Hi Jiggy,
The thing with NTLM authentication is that the server requests your username/password whenever it needs them. So you have to write an Authenticator extension to supply the credentials. It's not very hard. The biggest concept to get is that there is no control over sending them to the server; you just have to write this simple handler to give the info when requested. There is an excellent article on this: http://java.sun.com/javase/6/docs/technotes/guides/net/http-auth.html
You just have to override one method:

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // user (String) and pwd (char[]) are fields of the Authenticator
        // subclass holding the credentials to supply
        return new PasswordAuthentication(user, pwd);
    }

There is little more to it than that. You may need a HostnameVerifier implementation as well. But if you read the article above you should be on the right track.
Andrew
Edited by: luxner on Oct 9, 2008 1:53 PM
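For the caching behaviour Andrew describes, here is an added example (not code from this thread or from the JDK documentation) of an Authenticator that hands credentials only to the expected host, swaps them on login, and on logout wipes them and replaces the JDK's internal HttpURLConnection authentication cache. The host name iis.example.local, the user names and the clearJdkAuthCache helper are assumptions for illustration; the cache classes that helper touches are unsupported JDK internals, not public API, which is why it goes through reflection and tolerates failure. Needs Java 7 or later.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Added example: an Authenticator scoped to one host whose credentials can
 * be replaced at login and cleared at logout. Host and user names below are
 * illustrative assumptions, not values from the thread.
 */
public class ScopedNtlmAuthenticator extends Authenticator {

    /** Immutable snapshot of one user's credentials. */
    static final class Credentials {
        final String user;
        final char[] password;
        Credentials(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }
        void wipe() { Arrays.fill(password, '\0'); }
    }

    private final String expectedHost;   // only this host gets credentials
    private final AtomicReference<Credentials> current = new AtomicReference<>();

    ScopedNtlmAuthenticator(String expectedHost) {
        this.expectedHost = expectedHost;
    }

    /** Called at login; replaces whatever the previous user had. */
    void login(String user, char[] password) {
        Credentials old = current.getAndSet(new Credentials(user, password));
        if (old != null) old.wipe();
        Arrays.fill(password, '\0');     // caller's copy is no longer needed
    }

    /** Called at logout; after this the authenticator answers null. */
    void logout() {
        Credentials old = current.getAndSet(null);
        if (old != null) old.wipe();
        clearJdkAuthCache();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        Credentials c = current.get();
        // Refuse anything that is not our server: a 401 from a redirect
        // target or a proxy must not receive the user's NTLM credentials.
        if (c == null
                || getRequestorType() != RequestorType.SERVER
                || !expectedHost.equalsIgnoreCase(getRequestingHost())) {
            return null;
        }
        return new PasswordAuthentication(c.user, c.password);
    }

    /**
     * HttpURLConnection keeps successful credentials in an internal cache
     * (sun.net.www.protocol.http.AuthCacheValue) keyed by host and realm,
     * which is why getPasswordAuthentication() is not invoked again after
     * the first success. Installing an empty cache forces a fresh callback.
     * Assumption: this internal API is unsupported; on JDK 9+ it needs
     * --add-exports java.base/sun.net.www.protocol.http=ALL-UNNAMED and it
     * may disappear in a later release, hence reflection and a soft failure.
     */
    static void clearJdkAuthCache() {
        try {
            Class<?> value = Class.forName("sun.net.www.protocol.http.AuthCacheValue");
            Class<?> cache = Class.forName("sun.net.www.protocol.http.AuthCache");
            Class<?> impl = Class.forName("sun.net.www.protocol.http.AuthCacheImpl");
            value.getMethod("setAuthCache", cache)
                 .invoke(null, impl.getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException | RuntimeException e) {
            // The process-wide cache could not be reset; the only reliable
            // alternative then is a new JVM, as the original poster found.
            System.err.println("auth cache not cleared: " + e);
        }
    }

    public static void main(String[] args) {
        ScopedNtlmAuthenticator auth = new ScopedNtlmAuthenticator("iis.example.local");
        Authenticator.setDefault(auth);
        auth.login("alice", "s3cret".toCharArray());   // first user
        // ... web service calls to http://iis.example.local/ ...
        auth.logout();                                   // user logs out
        auth.login("bob", "hunter2".toCharArray());      // second user: the cache
        // is empty, so the next 401 calls getPasswordAuthentication() again.
    }
}
```

The host check is not cosmetic with NTLM: an Authenticator that answers every 401 will also answer one from a redirect target or an interposed proxy, which hands an attacker-controlled host an NTLM challenge-response from the user. The cache reset is the part the thread is really about: HttpURLConnection remembers the last successful credentials per host and realm, so setting a new default authenticator alone never causes it to ask again.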

Similar Messages

  • Overrrided Authenticator.getPasswordAuthentication not called!

    Hi All,
    I have been trying to understand this behavior for 2 days but still no success.
    Here is my scenario.
    I am using the JDeveloper IDE, Java SDK 1.5 and Oracle Application Server (OAS) 10g.
    I have to read the contents of a URL (hosted on another server) and write it back as a PDF file. The URL needs authorization.
    I have followed the article below and did exactly the same:
    http://www.javaworld.com/javaworld/javatips/jw-javatip46.html
    This authorization works if I run the application on the embedded OC4J server from my JDeveloper, but when I deploy the application to standalone OAS, I get HTTP response code 401 as the I/O exception for the call to con.getInputStream().
    Through my research I found that Authenticator.requestPasswordAuthentication is called when getInputStream() is invoked, and this in turn calls the overridden getPasswordAuthentication() method which I implement in my subclass of Authenticator.
    For debugging I inserted the code below before I call getInputStream():

        // host, port and scheme as used in the original post
        PasswordAuthentication pa = Authenticator.requestPasswordAuthentication(
                "vwsql01", InetAddress.getByName("vwsql01"), 80, "http", "", "ntlm");
        if (pa != null) {
            logger.info("username: " + pa.getUserName());
            // debug only: this writes the cleartext password to the log
            logger.info("password : " + new String(pa.getPassword()));
        } else {
            logger.error("PasswordAuthentication was null !");
            success = false;
            return "Success";
        }

    OK, this returns pa != null and my overridden getPasswordAuthentication() is hit for the first time and I get the correct username and password. Then in the call to con.getInputStream this method is hit again and I am successful.
    But the above (the method being hit again on con.getInputStream) is not happening when I run the application on standalone OAS! I believe the getPasswordAuthentication() of the Authenticator class is called and it returns null.
    It seems to be a security issue to me here, but no idea how I can resolve this.
    Any input is highly appreciated.
    Thanks,

    It seems the problem has now been fixed in JRE 1.3.1_04.
    Thanks!

  • The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

    When I connect to a WCF service, I am getting the client authentication error.
    It happens only when I connect to the WCF service from a client machine (virtual machine) that is logged in with a local user account.
    The WCF service is hosted as a Windows service in my case.
    The client application is a Windows application that connects using the security mode below.

        BasicHttpBinding httpbind = new BasicHttpBinding();
        httpbind.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
        httpbind.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        httpFactory.Credentials.Windows.AllowedImpersonationLevel
            = System.Security.Principal.TokenImpersonationLevel.Impersonation;

    Please help me with a solution.
    As I read more through the link below, I suspect that if the client is not in the same domain, it might not work? Is that right?
    http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
    Regards, Battech

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
    Well, you need to figure out what the authentication is supposed to be between the WCF client and WCF service, because Windows Authentication is being rejected.

  • WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

    Hi,
    I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
    In Wireshark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer: the connection is not closed and a second request with NTLMSSP_AUTH is sent.
    Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
    I based it on the HttpCalculatorWithKerberosOverSslClientExample.
    Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
    WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
    Any idea?
    Thanks


  • Public pages in authenticated application (NTLM)

    I've been using a custom authentication method based on the NTLM authentication method documented in the white paper (http://www.oracle.com/technology/products/database/application_express/pdf/apex_ntlm_authentication_wp.pdf) for a while now with no problems.
    This basically does the following 2 steps:
    1) Standard NTLM auth
    2) Check the returned user ID exists in a separate table containing valid users
    I've recently been working on an application where the bulk of the application is restricted to users with relevant permissions to edit the data. However there needs to be a public search facility open to anyone.
    I was assuming that I'd be able to do this by just setting the authentication of the relevant page to "Page is Public", however this has presented a problem.
    When I run the app as a user which passes both steps above (i.e. auth succeeds), everything works fine.
    However when I run as a user which fails step 2 above (auth fails) the public page loads fine, but whenever anything is posted I get an error like
    Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
    Error ERR-7621 Could not determine workspace for application (:) on application accept. Also this problem only rears its head in IE (tried in 7 & 8), everything works fine in Firefox.
    Also I've created a separate application with just the public page (and the application set to use the DATABASE auth (i.e. no auth)) and this works fine.
    This is fine as a workaround in this one instance, but I suspect there is likely to be call for similar public pages in other applications, and I don't want to have to create separate apps for these unless I really have to.
    Anyone any ideas about what the cause of the problem may be, or even pointers about where to look?

    Try Page properties, Security tab, Authentication setting. It has values: Page requires authentication (default) / Page is public. Haven't tried though..
    Just tried. It works. I manually changed the page address in the address line like http://something.lt:7777/pls/htmldb/f?p=103:19:3411287399936455. The user connected is "nobody". The public page is page 19.
    Simas

  • Sharepoint authentication via NTLM from proxy OSB service

    Hello all,
    I want to reopen again this point of NTLM authentication for OSB to IIS/Microsoft.
    So we followed all the recommendations until now regarding Authenticator and open URL.
    The problem is that the web service client generated from the SharePoint WSDL runs OK from a Java environment (JDeveloper, Eclipse) with the Authenticator class set.
    But when we move on to OSB and make a proxy service that makes the Java callout to one of the client methods, the response is 401 - not authorized.
    Any new hints?
    What can be wrong?
    Many thanks in advance,
    Stefan

    "Any way how can I see the error messages also in the log of OSB?"
    You may use sysouts in Java code to print information on standard out. You may also utilize the server logging service:
    http://download.oracle.com/docs/cd/E14571_01/web.1111/e13739/logging_services.htm#CJAGBADA
    "Enable some HTTP monitor to see what happened behind, and where credentials are lost."
    You may use any network packet analyzer.
    Regards,
    Anuj

  • 4265 Audit Failure: NTLM Authentication Issue from constant Outlook Login Prompts

    Hello TechNet!
    Last week I started running into a domain-wide issue where users could authenticate while connected to the domain, but would receive prompts to log in to our external host. The first prompt is for mail.domain.local, which works fine inside the office, and the second is owa.domain.com, which continually fails.
    On the second prompt, the Exchange 2007 server (on Server 2008 R2) reports the following error:
    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 3/19/2015 9:10:19 AM
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: mail.domain.local
    Description:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user
    Account Domain: domain
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: DOMAIN-PC
    Source Network Address: 12.345.67.89
    Source Port: 56984
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    I've gone through quite a few attempted fixes already, all to no effect:
    1. I've added BackChannelHostName to the server's registry, as described here: https://support.microsoft.com/en-us/kb/896861
    2. Verified SSL cert status
    3. Internal and external OWA URI is set to owa.domain.com in EWC
    4. Set up the IIS7 authentication and SSL settings to their defaults, as described here: http://msexchangeguru.com/2010/10/05/autodiscover/
    5. I added a SRV record for autodiscover on our DC to correct an EXPR auth issue: https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
    Despite all these things, I haven't yet seemed to scratch whatever itch Exchange is having. All of the client Outlooks will get the prompt for owa.domain.com, even though their mail is working because they're in the office or on VPN. For whatever reason, the Mac Outlook 2011 users cannot authenticate to the mail server at all, so they are the ones hit the hardest by this issue.
    Any insight everyone here at TechNet can offer would be appreciated. Every fix and workaround I've looked at has either changed nothing, or pointed to something that was already configured properly. If there are details missing that I could offer to provide a better idea of the problem, please let me know. Thank you.
    -- Brian Q.

    Hi,
    Yes, it may be caused by the security updates on March 10, 2015. Please refer to the known issue in the following KB:
    http://support.microsoft.com/en-us/kb/3002657
    Please remove the security patch on the DC and restart server to have a try. Additionally, here is a similar thread for your reference:
    https://social.technet.microsoft.com/Forums/exchange/en-US/1b2a24d9-3d77-49f6-9d0f-63c71da64827/password-prompt-after-exchange-server-windows-updates?forum=exchangesvrclientslegacy
    Regards, 
    Winnie Liang
    TechNet Community Support

  • OSB NTLM authentication

    Hi.
    I'm looking for any example to create a passthrough proxy service on a business service based on an HTTP endpoint that requires basic authentication plus NTLM domain.
    I don't have OWSM on this OSB.
    TIA
    Corrado

    Corrado,
    FYI, NTLM is no longer recommended -
    http://msdn.microsoft.com/en-us/library/cc236715.aspx
    http://en.wikipedia.org/wiki/NTLM
    Now coming to your question, OSB does not support NTLM authentication mechanism. As a workaround, you may write a java client that can support NTLM authentication over HTTP and then use this as a java callout in your proxy. You may pass the incoming authentication info to the java callout which may perform the further work (authentication and service invoke)
    Regards,
    Anuj

  • NTLM Authentication Problems

    Hello
    I have the following scenario in my company for the development team: 1 server with Squid proxy, 1 server with IIS7 and 1 site requiring NTLM authentication. NTLM is REQUIRED for compatibility purposes.
    When I try to access the site from Windows XP or from another OS using Safari or Firefox I can access the site and get the message "You are now authenticated using NTLM". No issues here.
    When I try using Windows 7 or Windows 8 I always get the message "Proxy server isn't responding". I already followed several recommended steps on TechNet pages and forums (GPO alterations, regedit values for NTLM, etc.) and nothing works.
    Does somebody have any idea? I am completely blocked.
    Thanks in advance.

    Hi,
    Please take a try with the following steps:
    1. Open "Tools" -> "Internet Options".
    2. On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.
    3. On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your server URL to the list.
    Hope this may help
    Best regards
    Michael Shao
    TechNet Community Support

  • Safari proxy NTLM authentication on Lion

    I'm working on an (let me say "enterprise") odd problem. To connect to the Internet our company makes use of an HTTP proxy, based on TrendMicro IWSS, configured to authenticate users with AD credentials, forcing digest authentication with NTLM.
    The login window in Safari reports "unencrypted", but analyzing TCP/IP traffic with Wireshark, it really seems that NTLM has been used and so the password is really encrypted... has anybody noticed such behaviour?

    I have noticed this too when trying to connect to a SharePoint server.
    Reading elsewhere suggests this message "Your password will be sent unencrypted" is meant to come up when "Basic" authentication is requested by the server, which is understandable.
    However, when I look at the headers coming back from the SharePoint server, it is only offering NTLM authentication.
    It kinda looks like the Safari developers wrote the following, back when there was only Digest and Basic:

        if (method != Digest) {
            // complain about unencrypted passwords
        }

    whereas they should have done

        if (method == Basic) {
            // complain about unencrypted passwords
        }

    Or something similar.

  • Adobe Flash NTLM Authentication Issue

    This problem is having a major impact for many users in my account.
    The users are testing streaming courseware delivery over the Internet and also hitting the proxy re-login prompt.
    The problem with them is that after re-logging in the course restarts at the beginning.
    So it is not a fit-for-purpose environment for this application currently.
    The same problem occurs for company webcasts through the Internet.
    Recent tests with the users have confirmed the issue occurs using the following versions of Flash:
    Adobe Flash Player ActiveX 11.1.102.55
    Adobe Flash Player ActiveX 11.1.102.62
    The Shockwave Flash NTLM authentication issue is characterised by the following packet sequence: WS sends request to server. Server closes the TCP connection without a response to the request. The WS establishes a new TCP connection and resends the request with the previous NTLM authentication details (i.e. it does not go through the correct NTLM handshake for a proxy authentication failure so that the browser pops up for user credentials).
    When the above occurs:
    NTLM authentication screen pops up; entering credentials again didn't resume the video. I had to reload the page to resume the video from the beginning.
    No popup, but the video resumes from the beginning when there was a prolonged delay.
    The problem occurs on Windows XP SP3 with IE7 or IE8 with Flash Player 11.1.102.62
    Is the problem a known issue with Adobe Flash Player?

    Hello,
    The bug report states "cannot reproduce". I understand the problem and am happy to help Adobe understand if they want to email me and organise a WebEx.
    The problem is associated with the way IE handles NTLM on a new connection. When performing a POST request, it will make two requests: the first contains a type1 NTLM token and no body, and the second will contain the type 3 token and the body. It does this because it expects to perform NTLM authentication as NTLM is connection not session based, and hence for efficiency, it doesn't send the POST body on the first request (knowing a second request will be required).
    The POST request initiated by the Flash application is only made once, so it presents a POST request and no body with the type 1 token to the web server (ie IIS, or some Java implementation such as SSO Plugin), and does not make a second request with a type 3 token and the body. It gives up and automatically prompts the user for a username/password, which is the wrong behaviour when the browser is in the Local Intranet zone and the web server responded with a type 2 token.
    I can reproduce this easily and it is a serious bug: it means that any Flash application that is accessed via Integrated Windows Authentication and IE will fail when trying to make a POST request, such as uploading a file from the user.
    John
    SSO Plugin for BMC, HP and more.
    http://www.javasystemsolutions.com/jss/ssoplugin

  • Negotiate Authentication Not working for Outlook

    This is a very odd situation so bear with me when explaining this.
    I have several users scattered out in different remote offices that are having authentication issues in Outlook 2007 when trying to connect to our Exchange 2010 public folder servers (CAS). When the users open Outlook it constantly sits at trying to connect and eventually locks the machine up until you use the task manager to close Outlook. I have only determined this is a public folder issue because if you hold down the Ctrl key and right click on the Outlook icon in the taskbar (next to the clock) you get an option to see connection status. This shows the server name (one of the CAS) and the type as public folder and the connection status is empty.
    We opened a Microsoft ticket on this and they said it was a client-side issue because we have 1700 users connecting to the same set of servers without issues. Well, we have reimaged the user's desktop, replaced all cabling from the user to the switch, and confirmed the IOS on the routers matches other offices that are working. Still the same problem.
    Here's the kicker! This problem does not affect other users in the same office, and if this particular user logs into another machine the same problem happens. But if she accesses her mailbox from Web Access she has no problems, and if I log this user on here at our home office on the same LAN as the Exchange system she has no issues.
    But wait, there's more. We have deleted the user's mailbox and LAN account, created a new mailbox and LAN account with a similar name (not the same one), and when I log on to her machine, exact same issue. I have removed all antivirus software from the machine and still have the same problem.
    Not until we ran Wireshark on her machine did I start seeing some NTLM authentication issues to the Exchange system. We manually changed Outlook from Negotiate Authentication to Password Authentication (NTLM) and voila, her email started syncing???
    When I change this setting on the other users they connect also. But why are we not having to change this on the other 1700 users?
    Can anyone please offer some insight into what the hell is causing this and why it seems to follow the user around? I have been troubleshooting this for weeks and am so frustrated because it just doesn't make any sense.
    Thank you to anyone willing to provide any ideas into what could be causing this. When we opened a Microsoft ticket they were convinced that it's client side but I have replaced everything.

    Hello,
    if you are using OAW (Outlook Anywhere) check the authentication method:
    get-OutlookAnywhere -Identity "<Servername>xpv00645\RPC (Default Web Site)" | fl *AuthenticationMethod*
    I think it is set to NTLM or Negotiate.
    Outlook 2007 has Negotiate problems at an OAW connection authentication.
    Change the authentication to NTLM for the internal and Basic for the external method.
    You need to reconfigure the Outlook Exchange settings to anonymous authentication and in the proxy settings to default authentication.

  • Custom search policies: remote authentication, local user data?

    I'm feeling optimistic this morning, but I fully expect the answer to this question to be no.
    I've just read "Open Directory Administration", in particular the part about custom search policies. What I would like is an Open Directory server that uses another LDAP server for authentication but local information for administrative information such as UID, GID, name, home directory location. Is this possible?
    I can think of some security problems that could be caused if it was possible, but I had to ask - it would make my life much easier.
    I realise that the sensible answer is to put the administrative information on the LDAP server. For a variety of reasons too stupid to recount here, this would be a bit of a headache. It's also probably impossible to setup Kerberos on the LDAP server.
    XServe Mac OS X (10.4.6) Horribly mixed environment: OS X, SuSE, old IRIX, Windows XP

    It's the service which is using the account info and authenticating against the DC to obtain a service ticket, and it fails.
    The interesting log section is NULL SID, which doesn't correspond to any account name.
    Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    and the section below explains that the request is made over the network, which most of the time is done by the service:
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    The below is assumed to be performed on a client which does not run mission-critical production applications, so that it has zero impact when you perform the actions below.
    Can you disable
    a) Server service
    b) Workstation service
    c) RPC-dependent services and services which depend on RPC, and test
    Question:
    What is the level of DC hardening you have in your environment?

  • Web Authentication with RSA SecureID on a Cisco Switch

    Hi,
    I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
    I've already managed to link it in for ssh access
    but I've not managed to get it working for http / web access to the switch
    I think this is because we're using "single use" tokens for maximum security with RSA SecureID
    and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
    (okay on the first authentication, but each time after it's going to want a different token code)
    I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
    For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

    Hello Chris,
    Can you test the following configuration?
    aaa group server radius webtac_grp
    server
    cache expiry 1
    cache authorization profile httpauth
    cache authentication profile httpauth
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
    all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key ******
    I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the Java applets' authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend authentication server.
    NOTE: As "aaa authorization exec" is configured, the RSA should be sending attribute Service-Type with value Administrative for it to work as expected.
    Regards.

  • Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server

    Hi everybody,
    I've been struggling with this problem for a few weeks now and can't find a way to solve it.
    We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
    I've recently published a new server, containing RD Gateway and Web Access, in our perimeter network.
    Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
    The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
    Also it's important that NO ISA/TMG server is supposed to be used; the OTP/2FA is supposed to work seamlessly with the Web Access/Gateway.
    After hours of discussion we came to the point where their NPS agent setup would be the only way to accomplish our goals.
    The setup is supposed to be like this:
    LAN:
    1 DC (2008 R2)
    RD Farm (2012)
    1 SA Server (2012)
    DMZ:
    RD Gateway/Web Access (2012)
    where Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
    When you type your AD account to authenticate you add the 6 digits of OTP which you receive from your mobile app.
    Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password (without the OTP extension).
    If you write the correct AD password the authentication is forwarded to our SA Server and it's being rejected because the password doesn't contain the correct OTP extension.
    The problem comes here.
    When you write your AD password along with the OTP extension you get a Windows Security error in the event log (on the Gateway server) like this:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user
    Account Domain: domain
    Failure Information:
    Failure Reason: Unknown username or password.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: server
    Source Network Address: 192.168.x.x
    Source Port: 63003
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    What I can see is that it's an NTLM error, but hey?! Aren't we supposed to forward all authentication handling to the remote NPS server?
    The problem is that no matter what I try the above problem stays there.
    Is it not possible to just forward ALL authentication handling to a remote server?
    The only solution I've found to get it working someday in the future is this:
    "Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
    Also this link describes it:
    http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
    Please, bring me some answers before my head explodes! :)
    PS, long question = maybe some errors, ask me if something is unclear.

    Hi,
    Based on our experience, if the NTLM error occurs, please check the password.
    Regards,
    Mike
