CiscoWorks LMS 3.1: HUM and Web access issue...

Similar Messages

• Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server

  Hi everybody,
  I've been struggeling with this problem for a few weeks now and can't find a way to solve it.
  We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
  I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.
  Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
  The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
  Also it's important that NO ISA/TMG server is supposed to be used, the OTP/2FA is supposed to work seamless with the Web Access/Gateway.
  After hours discuss we came to a point were their NPS agent setup would be the only way to accomplish our goals.
  The setup is supposed to be like this:
  LAN:
  1 DC (2008 R2)
  RD Farm (2012)
  1 SA Server (2012)
  DMZ:
  RD Gateway/Web Access (2012)
  Were Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
  When you print your AD account to authenticate you add the 6 digits of OTP which you recieve from you mobile app.
  Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password
  (without the OTP extension).
  If you write the correct AD password the authentication is forwarded to out SA Servern and it's beeing rejeced because the password doesn't
  contain the correct OTP extension.
  The problem comes here.
  When you write you AD password along with the OTP extension you get a Windows Security error in the eventlog (On thw Gateway server) like this:
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user
  Account Domain: domain
  Failure Information:
  Failure Reason: Unknown username or password.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: server
  Source Network Address: 192.168.x.x
  Source Port: 63003
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  What i can see it's a NTLM error, but hey?! aren't we supposed to forward all authentication handeling to the remote NPS server?
  The problem is that no matter what i try the above problem stays there.
  Is it not possible to just forward ALL authentication handeling to a remote server?
  The only solution I've found to get it working someday in the future is this:
  "Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
  Also this link describes it:
  http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
  Please, bring me some answers before my head explodes! :)
  PS, long question = maybe some errors, ask me if something is unclear.

  Hi,
  Based on our experience, if the NTLM error occurs, please check the password.
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• EM Application Log and Web Access Log growing too large on Redwood Server

  Hi,
  We have a storage space issue on our Redwood SAP CPS Orcale servers and have found that the two log files above are the main culprits for this. These files are continually updated and I need to know what these are and if they can be purged or reduced down in size.
  They have been in existence since the system has been installed and I have tried to access them but they are too large. I have also tried taking the cluster group offline to see if the file stops being updated but the file continues to be updated.
  Please could anyone shed any light on this and what can be done to resolve it?
  Thanks in advance for any help.
  Jason

  Hi David,
  The file names are:
  em-application.log and web access.log
  The File path is:
  D:\oracle\product\10.2.0\db_1\oc4j\j2ee\OC4J_DBConsole_brsapprdbmp01.britvic.BSDDRINKS.NET_SAPCPSPR\log
  Redwood/CPS version is 6.0.2.7
  Thanks for your help.
  Kind Regards,
  Jason

• Difference between BLOCK DATA and WEB ACCESS BLOCK?

  Currently my account shows I have both BLOCK DATA and WEB ACCESS BLOCK in place. I did this a couple of years to prevent data charges. Works perfectly. Now I'm trying to upgrade one of my lines to a Kin Onem because of the WiFi option and when I add the phone to my shopping cart and go to the Select Features & Services Page I see a message at the bottom that says: Features We Needed To Remove (Because they're incompatible with your phones or plan) - Block Web Access.
  It looks like I don't have a choice when ordering the phone, but what exactly will removing the Web Access block do? Maybe I have to turn it off anyway to use the WiFi anyway right? I just don't want to incur any data charges.
  Someone please help. Thank you!

  "Data block" actually blocks your phone's ability to connect to the 3g data network. What this means is your phone can't create an internet connection on a cellular network. Web Access block specifically blocks the browser/mobile web on your phone from making a connection. Unblocking mobile web will not cause your phone to be able to connect to the cellular data network (resulting in 1.99/mb charges), but will allow the browser on the kin to connect while you're using wifi.

• Pros and Cons between BEx client and Web access

  Dear all,
  I am quite new to BI 7.0 and have some question about frontend tools.
  I am looking for a comparison material describing pros and cons of BEx client application and Web access in BI 7.0.
  There are many tools in BEx suite and I am a bit confused about what fuctionality each tool has or what to consider to choose the right tool.
  Thanks a lot in advance and appreciate any input.
  Regards,
  Kazuya

  Hello,
  Shortly speaking there are 4 tools and you need at least 2 of them:
  1. Query Designer: you need it always as this is a tool for defining queries
  2. Web Application Designer: you need it if you want create web reports
  3. Report Designer: only if you want create formatted reports in web
  4. BEx Analyzer: if you want to run queries in Excel (Analyzer is an add-in)
  Help on BEx:
  [http://help.sap.com/saphelp_nw70/helpdata/en/b2/e50138fede083de10000009b38f8cf/frameset.htm]
  -> BI Suite: Business Explorer
  Regards, Karol

• CiscoWorks LMS 4.0.1 and devices other than Cisco.

  Hello.
  Can I use some CiscoWorks LMS functions like config management, topology, with devices other than Cisco?
  Thanks.
  Andrea

  No, RME, Campus and DFM are still hardcoded to restrict to cisco devices.
  HUM and IPSLA are more open.
  The functionality from the HUM will allow you to monitor availablilty, interfaces and you can add OID's yourself.
  IPSLA can use non cisco devices as a target for their tests.
  Cheers,
  Michel

• CiscoWorks LMS 4.0.1 and ASA 5540

  I've added an ASA-5540 to the group of systems I backup each night. When the admin logs into the ASA in the morning, he sees the "save configuration" flag has been set. This started the same day CiscoWorks saved teh configuration. What is CiscoWorks doing to set this flag, and how do I stop it? It should only be reading the configuration. Thanks.

  Ideally LMS should not save configuration only when LMS is taking the backup of configuration. This can be easily tested, if you try to run an instant job for Configuration Archive under Configuration > Sync Archive and see it on the ASA if it shows "save configuration" flag set.
  It should be something else on either LMS or somewhere outside. In LMS it could be something like a NetConfig Job which may save configuration or other options like deploy configuration, which is very unlikely.
  Before we stop it, we need to test and confirm, it is actually LMS,. You can also try to suspend the device once from LMS to see if next day you still see similar flag set.
  Once we confirm it is LMS, we can test which action of LMS is doing it and how to prevent.
  -Thanks
  Vinod
  ** Encourage Contributors. RATE them**

• Ciscoworks LMS 4.0.1 and 3850 switch support

  HI, I want to know if 3850 switch is supported in ciscoworks LMS 4.0.1, I added the devices, inventory collections successful but devices icon is  blue with question mark "?" and config sync fails always.
  I tried to download the packages to install it but I couldn't find it.
  thanks fo help

  Yes LMS 4.2 needs a new license. You can probably check once if your LMS 4.0.1 license allows you a free upgrade.
  Many old LMS 4.0.1 were offered free Cisco Prime Infrastructure 1.x, which has LMS 4.2 available with.
  You can check the contract covering your LMS 4.0 on Product upgrade tool :
  http://tools.cisco.com/gct/Upgrade/jsp/productUpgrade.jsp
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **

• What ports to open between Connection broker and Web access hosts

  I have setup a 4 node 2008 R2 RDS farm (1 connection broker, 1 Web access, and 2 session hosts.) They were all built from the same image, but the web access and connection broker will not talk to each other. They are all on the same subnet, and ips are x.x.x.200-203 The Web access server can ping the Sesions hosts, the session hosts can ping each other, web access and the connection broker. But the Web access and Connection broker cant ping each other. I turned off the windows firewall and they can ping, and connect... So whats ports does it need open?
   Thanks!
  ~M

  Hello,
  Do you need any further helps? Please let us know it. Thanks.
  ·        Lionel Chen
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please [email protected]
  This posting is provided "AS IS" with no warranties, and confers no rights.

• RDS 2012 Connection Broker and Web Access in different domains

  Hello!
  I'm trying to add Web Access (WA) server to RDS 2012 Deployment. WA server and other servers in Deployment are in different domains (in different forests with 2-way forest trust).
  WA server was added to Deployment
  successfully without any warnings.
  We have many applications published but in this new WA server there are no application icons in Rdweb page at all.
  There is nothing interesting in logs on WA server as well as on Connection broker servers. 
  Is this design
  acceptable? Which additional actions are needed to make application icons visible?

  Hi,
  Please refer below links and cross verify the Web Acess server settings.
  http://blog.kristinlgriffin.com/2010/03/rd-web-access-is-emply.html
  http://social.technet.microsoft.com/wiki/contents/articles/5974.the-case-of-invisible-remoteapp-programs-a-k-a-no-remoteapp-programs-listed-on-rd-web-access-site.aspx
  Regards,
  Manjunath Sullad

• Problem - acs command authorization and web access control

  Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

  It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
  and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
  configure
  permit terminal
  exit
  permit Unmatched Args
  interface
  permit Dot11Radio0
  no
  permit shutdown
  permit cca
  ping
  permit Unmatched Args
  show
  permit Unmatched Args
  shutdown
  permit Unmatched Args
  telnet
  permit Unmatched Args
  write
  permit memory quiet
  Thanks for the help !

• SAP Web Access Issues

  Hello Experts,
  I have been given a link for SAP Web Access. I am able to access transactions and post data and write programs. However, none of the GUI functionality is working and is giving shorts dumps when i click on the layout tab for Adobe, Internal error for form painter in smartforms and a file not found error for layout editor for screen painter. I raised this issue with the Ides team but they do not have a resolution for it and they too get the same error on all of there systems.
  Has anybody enocountered this issue before and if so could you please give me some direction.
  One point is that for an existing Adobe form i'm able to successfully execute it and display the form.
  Thanks for your help!
  Minhaj.

  Dear Juan,
  I can access another server with http://FQDN:50000, It will show the screen of SAP Web Application Portal.
  After I check parameter icm/host_name_full , I did not maintain anything, it is working fine.
  Why in ERP system, I did not maintain anything like that server, I have only maintain FQDN, It is not working and did not show anything.  Pls suggest me how to solve it.
  Regards,
  Pannee

• Application Itegrator - Outlook Web Access issue!

  Dear all,
  Currently, on a requirement to integrate Outlook Web Access into portal, I am required to create a system based on par file "webapps.par".
  I've looked into SDN and Service Marketplace but unsuccesful to find the par file.
  If any of them have been able to download it or are aware of the location to download, request you to provide it.
  My mail id is "[email protected]".Appreciate any kind of help.
  Thanks & Regards,
  Sharath MG

  Sharath,
  Please refer to this blog.
  Configuring Outlook Web Access iViews
  Hope this helps.
  Cheers,
  Sandeep Tudumu

• Oracle Primavera Cost manager v 6.2 web access issue

  Hi,
  We are trying to integrate the cost manager for web access. However, after setting up the IIS for the latest version, an error message is generated saying the web access installation was interrupted abruptly.
  Assistance is highly appreciated.
  thank you,

  One other thing to check is that iptables on your Oracle VM Manager box/vm is not blocking the Oracle VM Manager UI, to test type /sbin/iptables status, if iptables running turn it off by typing /sbin/iptables stop.

• Linux ODBC Instant Client and Web access?

  Hi,
  I have downloaded instant client 10.2 and the corresponding ODBC RPM, installed them on a CentOS 4.7 (32 bits) Linux machine. I have also installed UnixODBC on this machine. After a lot of experiments and searches on Internet, I have finally obtained a working state. I.e. using DataManager to test the connection, I access to the Oracle Server that is on another computer.
  Now, I am in the second step of my tests. I have to access to the database through Internet. The scheme is the following:
  1- a web client is connected, to my web server (server is HTTPD),
  2- the web server has to access to the Oracle server by using the ODBC Instant Client.
  But this does not work yet. When I try this configuration, I see the error "*can't find the lib libsqora.so.10.1. libcintch.so.10.1 cannot open shared object library*". To solve this problem, I have to tried to define (and export) LD_LIBRARY_PATH in the /etc/sysconfg/httpd file. But this does not work.
  Does anyone has a solution?
  Thanks in advance.

  here, the trace from the log file:
  [ODBC][8089][SQLConnect.c][3549]
            Entry:
                 Connection = 0x81db4a0
                 Server Name = [GTModus][length = 7 (SQL_NTS)]
                 User Name = [GTModus][length = 7 (SQL_NTS)]
                 Authentication = [*******][length = 7 (SQL_NTS)]
            UNICODE Using encoding ASCII 'ISO8859-1' and UNICODE 'UCS-2LE'
  [ODBC][8089][SQLConnect.c][1012]Can't open lib '/usr/lib/oracle/10.2.0.4/client/lib/libsqora.so.10.1' : libclntsh.so.10.1: cannot open shared object file: No such file or directory
  Concerning exporting LD_LIBRARY_PATH I did as explained in one of the few posts found on internet. I have also tested by modifying the httpd.conf file by adding SetEnv directives. But whatever the changes I did, it seems that, through internet, the environment is lost.