Digest Authentication against IIS

Hi All,
I have created a .net web service and deployed it on IIS.
I am calling it from java. In java I have written following code snippet to pass the creadentials:
Stub stub = createProxy();
            stub._setProperty(javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY,"http://servername/_vti_bin/CreateUser.asmx");            
            stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, "domain\\username");
            stub._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, "password");It's workng fine when I enable "Basic Authentication" and "Integrated Windows Authentication" on IIS but it gives me unuthorization error when I enable only " Integrated Authentication" or combination of "Integrated Windows Authentication" and "Digest Authentication".
Do I need to write some another code for "Digest Authentication"?
Thanks
Gaurav

No. We only use Digest. I am able to login but must continue providing credentials on any link past the secured folder.

Similar Messages

  • Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

    Hi Folks,
    I am trying to access Microsoft Reporting Service running on IIS 6.0 through a Web Proxy (a simple application running in an App Server) using the NTLM authentication. This is what i am doing
    Authenticator.setDefault(new ReportAuthenticator());
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();.
    As i understand, the authentication is to magically work with the IIS Server requesting my web proxy for the credentials on connect whcih should involke the Authenticaor class.
    Howver this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is being able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my windows credentials to IIS and since my account has sufficient previliges on IIS, i am able to get through the initial connection.
    When i debug the urlConnection object, i can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
    Is the Authenticator object meant to be invoked automatically or do i need to set some header information in the urlConnection??
    Any help is greatly appreciated.
    P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
    best regards
    Dushy

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • Digest Authentication issues

    Has anyone ever successfully performed a remote http server
    digest authentication? I am currently building a script that
    authenticates against a server using a supplied username and
    password. All of my attempts thus far have come up empty and I am
    not quite sure where I am going wrong with this.
    I have modeled my headers exactly after the heads I get with
    a successful Firefox login.
    Here are the headers I get from the Live Headers firefox
    addon.
    Initial Response:
    http://rets.armls.mlsrets.com/rets/login
    GET /rets/login HTTP/1.1
    Host: rets.armls.mlsrets.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Accept:
    application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    HTTP/1.x 401 Unauthorized
    Content-Length: 1944
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    WWW-Authenticate: Digest
    qop="auth",realm="[email protected]",nonce="2aaa0db6ed2bb21e8b913e1844b0abf1",opaque="2 0050024497281"
    Date: Sun, 20 May 2007 00:24:49 GMT
    Connection: close
    Authenticated Response:
    http://rets.armls.mlsrets.com/rets/login
    GET /rets/login HTTP/1.1
    Host: rets.armls.mlsrets.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
    rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Accept:
    application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Authorization: Digest username="cril01",
    realm="[email protected]",
    nonce="2aaa0db6ed2bb21e8b913e1844b0abf1", uri="/rets/login",
    response="db214dcb999219968d829b5513e476dd",
    opaque="20050024497281", qop="auth", nc=00000001,
    cnonce="1d545807784766d0"
    HTTP/1.x 200 OK
    Connection: close
    Date: Sun, 20 May 2007 00:24:54 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Expires: 0
    Cache-Control: private
    RETS-Version: RETS/1.5
    Set-Cookie: RETS-Session-ID=2aaa0db6ed2bb21e8b913e1844b0abf1;
    path=/
    Content-Type: text/xml
    Now even with me exactly copying these headers. I still get
    401 (Unauthorized) errors. Does anyone see where I went wrong with
    this?
    Here is a link to my current test:
    http://www.myhomesmart.com/admin/dev/test4.cfm
    And here is my code.

    You cannot just copy headers form successful login, since
    they are a function of server's nonce, which is different on every
    request (this is the main idea of Digest). Actually, authorization
    is a function of server's nonce and client's nonce. So, you have to
    correclty calculate this every time you log in.
    However, with
    CFX_HTTP5 I
    immediately got this [successful] response without any programming:
    <RETS ReplyCode="0" ReplyText="Operation Successful">
    <RETS-RESPONSE>
    MemberName = TRUDY MOORE
    User = CRIL01,1,SUBSCRIBER,CRIL01
    Broker = HOMESMART
    MetadataVersion = 1.00.00004
    MinMetadataVersion = 1.00.00004
    OfficeList = NONE
    TimeoutSeconds = 1440
    Action = /RETS/Action
    GetObject = /RETS/GetObject
    Login = /RETS/Login
    Logout = /RETS/Logout
    Search = /RETS/Search
    GetMetadata = /RETS/GetMetadata
    X-Links = /RETS/LINKS
    X-Stats = /RETS/STATS
    X-OMEGA = /RETS/Omega
    </RETS-RESPONSE>
    </RETS>

  • Logical Port for Digest Authentication

    Hello,
    I want to connect to a webservice which is running at an IIS with Digest Authentication. I created a Consumer Proxy and added a Logical Port in SAO Management (Java-Stack) to this Consumer Proxy, but I can't find a digest authetification in Configuration of the Logical Port. Is it possible to connect from a SAP System to a webservice with Digest Authentification?
    Thanks and best regards
    Iris

    Hello Gourav,
    Thank you for your answer.
    I tried to create a Logical Port with HTTP Access to the WSDL, but the WSDl needs digest authetication as well. So I get the error
    Error: Error in WSDL access: Exception occurred in communication framework:Error in HTTP Framework:401Unauthorizedhttps://itnts2371/SecurityWebService.asmx?WSDL
    though I logged in with right credentials.
    Then I tried to read the WSDl from a file then, but I get the error
    Error: Error in WSDL parsing: Exception occurred in library handler
    So I created a manual Logical Port for SSL-Access. I get only "User ID/Password" and "SAP Authenticatoin Assertion Ticket", but no "Digest Authentication". "User ID/Password" doesn't work, I get a dialog to put in User ID and password, but I'm never authorized.
    Any other suggestions?
    Thanks
    With best regards
    Iris

  • Git authentication against proxies

    Hello there:
    Maybe this is not the right place to post this, but, maybe here more interested people will hear of it.
    My situation is this, i found myself behind a proxy trying to make git clone over http protocol, and i wasn't able to do it. My proxy use digest authentiction, and git software doesn't manage http proxy with auth, so i downloaded the code of git (course after i got tired of searching google) and start reading to patch it.
    After a few looks and some advice from my fellow developers i managed to do so, then i made a patch and i thougt about make a PKGBUILD and submit a package to aur, then after reading all the guidelines (aur guildelines, bug report guidelines) i decide the right thing to do was not to upload a package to aur.
    So i submitted the patch to the git's maintainers and now i'll posted here fpor someone else looking for it.
    --- git-1.6.6/http.c 2009-12-23 19:00:22.000000000 -0500
    +++ git-1.6.6/http.c 2010-01-19 11:59:17.000000000 -0500
    @@ -33,6 +33,10 @@
    static long curl_low_speed_time = -1;
    static int curl_ftp_no_epsv;
    static const char *curl_http_proxy;
    +static const char *curl_http_proxy_auth;
    +static const char *curl_http_proxy_user;
    +static const char *curl_http_proxy_pass;
    +
    static char *user_name, *user_pass;
    #if LIBCURL_VERSION_NUM >= 0x071700
    @@ -174,6 +178,15 @@
    if (!strcmp("http.proxy", var))
    return git_config_string(&curl_http_proxy, var, value);
    + if (!strcmp("http.proxy-auth", var))
    + return git_config_string(&curl_http_proxy_auth, var, value);
    +
    + if (!strcmp("http.proxy-user", var))
    + return git_config_string(&curl_http_proxy_user, var, value);
    +
    + if (!strcmp("http.proxy-pass", var))
    + return git_config_string(&curl_http_proxy_pass, var, value);
    +
    if (!strcmp("http.postbuffer", var)) {
    http_post_buffer = git_config_int(var, value);
    if (http_post_buffer < LARGE_PACKET_MAX)
    @@ -267,8 +280,32 @@
    curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
    if (curl_http_proxy)
    + {
    curl_easy_setopt(result, CURLOPT_PROXY, curl_http_proxy);
    + if(curl_http_proxy_user && curl_http_proxy_pass)
    + {
    + char* c;
    + c = xstrdup(curl_http_proxy_user);
    + strcpy(c, curl_http_proxy_user);
    + strcat(c, ":");
    + strcat(c, curl_http_proxy_pass);
    + c[strlen(curl_http_proxy_user) + strlen(curl_http_proxy_pass) + 1] = 0;
    + curl_easy_setopt(result, CURLOPT_PROXYUSERPWD, c);
    + free(c);
    + }
    + if(curl_http_proxy_auth)
    + {
    + if(!strcmp(curl_http_proxy_auth, "digest"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_DIGEST);
    + else if(!strcmp(curl_http_proxy_auth, "basic"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
    + else if(!strcmp(curl_http_proxy_auth, "ntlm"))
    + curl_easy_setopt(result, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
    + }
    +
    + }
    +
    return result;
    @@ -430,6 +467,21 @@
    curl_http_proxy = NULL;
    + if (curl_http_proxy_auth) {
    + free((void *)curl_http_proxy_auth);
    + curl_http_proxy_auth = NULL;
    + }
    +
    + if (curl_http_proxy_user) {
    + free((void *)curl_http_proxy_user);
    + curl_http_proxy_user = NULL;
    + }
    +
    + if (curl_http_proxy_pass) {
    + free((void *)curl_http_proxy_pass);
    + curl_http_proxy_pass = NULL;
    + }
    +
    if (ssl_cert_password != NULL) {
    memset(ssl_cert_password, 0, strlen(ssl_cert_password));
    free(ssl_cert_password);
    Any suggestion, would be appreciated.

    Ni Nicolaj,
    why? Because the security team is requesting this. If some went out of the office just for a coffee and leave his PC open everyone is able to connect to any system. If there is needed a re-authentication against LDAP this becomes secure and only an open session with one R/3 can be used.
    The re-authentication against LDAP because in this case the user has ONE password: windows password. No need to remember 20 passwords on 20 systems. And it is not possible to syncronize the password from LDAP to ABAP user store.
    So if the user is successful re-authenticated the portal will use the SAPLogonTicket.
    The question is how to implement this re-authentication for example the portal login itself?
    And yes, ITS with PAS is using LDAP - this we want to have also for the connection from the portal to R/3.
    Best regards,
    Michael

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pamckconnector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • How can I tell if a user has already authenticated against AD?

    Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
    We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
    This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
    Any tips would be very welcome,
    Mark

    You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
    There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
    at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
    Good luck.

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • Authentication against users in a table

    I am somewhat familiar with JAZN authentication but here is what I need to do and would GREATLY appreciate as much details as you can provide:
    Say, I have a table USERS(USER_ID, NAME, ...) and several other tables in the DB. Let's say I have another table ADDRESS(ID, USER_ID, ADDRESS, ...). Several things needs to be done:
    1. When user attempts to access a Input Form page to add new record in ADDRESS, a login screen should appear. I KNOW how to do this with either basic or form based authentication. However in this case user credentials will be stored using jazn tool.
    2. Since I need USER_ID to be passed to my Input Form page I believe that I cannot use jazn for this, but rather to authenticate against my USERS table. How?
    3. In this case (authentication against my USERS table) where the paswords are kept?
    4. Also in this case, is it possible to provide several levels of access, ie all to managers, some to data enter people etc.
    We are new to Oracle and JDev so any help is appreciated. The more the better...
    Cheers!
    Rade

    Here is what I did and it does not work:
    I have 'login.uix' page with username and password entries:
    <form name="form0" method="post">
      <contents>
       <pageLayout>
        <pageButtons>
         <pageButtonBar>
          <contents>
           <submitButton text="Sign In" event="verifySignin"/>
           <submitButton text="Login" event="login"/>
          </contents>
         </pageButtonBar>
        </pageButtons>
       <contents>
      <tableLayout>
       <contents>
        <rowLayout>
         <contents>
          <messageTextInput name="username" prompt="Enter Name"/>
         </contents>
        </rowLayout>
        <rowLayout>
         <contents>
          <messageTextInput name="password" prompt="Enter Password" secret="true"/>
         </contents>
        </rowLayout>
       </contents>
       </tableLayout>
      </contents>
      </pageLayout>
    </contents>
    </form>
    ...Then in its Action class I have:
    public void onLogin(DataActionContext ctx)
        //ctx.getBindingContainer();
        HttpServletRequest r = ctx.getHttpServletRequest();
        String userName = r.getParameter("username");
        String password = r.getParameter("password");
        // username and password required
        if (userName.length()==0 || password.length()==0)
          ctx.setActionForward("loginFailed");
          return;
    try
          // Get handle to Application Module that "carries" Staff View
          DCDataControl dc = ctx.getBindingContext().findDataControl("AppModuleDataControl");
          ApplicationModule am = dc.getApplicationModule();
          // find the Staff view object that holds username and password
          ViewObject vo = am.findViewObject("StaffView1");
          //find user
          Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
          System.out.println(" I never get here!?!?!!!!!");
      catch (Exception ex)
          //Set Main Error Page here
          System.out.println(ex.toString());
          ctx.setActionForward("loginFailed");
          return;
    }Seems like Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
    is not properly executed?!?
    Anybody know what the problem is??? This is based on Frank's code sample that I found on forum.

  • Oracle 10g Reports Server - problem authenticating against DB

    I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
    When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
    REP-51018: Need database user authentication
    When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
    REP-51018: Need database user authentication
    REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
    When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
    Any ideas which config file I should be looking in?
    Any pointers would, of course, be much appreciated.
    thanks,
    Brian

    Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
    To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
    # nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
    passwd files compat
    # /etc/passwd (just add at the end of file)
    +:x:::::

  • AD authentication against Shared Services failing randomly

    We're seeing random failures in AD authentication against Shared Services both via the Excel Addin and via Maxl scripts.
    SQL server (v 10.50.2500), Shared Services and OHS (v 11.1.2.2.303), and Essbase server (v11.1.2.2.104) are installed on the same physical box (16 cores, 192GB RAM) in a single-server configuration. It happens every few days at no fixed time and is resolved either by itself in a few hours, or by stopping and starting EPM services (Hyperion Foundation Services - Managed Server, OPMN service for Essbase, and OPMN service for OHS are stopped by running <Middleware_Home>\user_projects\epmsystem1\bin\stop.bat, and started by running start.bat).
    While the AD authentication is down, nobody is able to connect (via the Excel Add-in or Maxl scripts) using their AD accounts and get the following error - "Analytical Services user [AD_user1] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]". Native authentication works at all times (even when AD authentication fails).
    Although it seems to apply to an older version and to Planning/Workspace, we did look into "Error "EPMCSS-00301: Failed To Authenticate User. Invalid credentials" Intermittently When MSAD User Logs Into Workspace. (Doc ID 1389871.1)". But even after making the suggested changes, the problem persists. Any ideas what might be causing AD authentication to fail randomly like this? Below are some relevant portions of the logs -
    From ESSBASE_ODL.log -
    [2014-01-10T04:41:06.693-05:00] [ESSBASE0] [ERROR:32] [AGENT-1440] [] [ecid: 1388972435616,0] [tid: 6312] Essbase user [hyperion_admin] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]
    [2014-01-10T04:41:06.693-05:00] [ESSBASE0] [WARNING:1] [AGENT-1003] [] [ecid: 1388972435616,0] [tid: 6312] Error 1051440 processing request [Login] - disconnecting
    From SharedServices_Security_Client.log -
    [2014-01-10T04:39:00.490-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required. [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection  from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url. ad.weil.com:389. Verify MSAD user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
    [2014-01-10T04:39:42.547-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration.
    [2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-10T04:41:06.693-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
    [2014-01-10T04:41:06.693-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    From console~Essbase1~EssbaseAgent~AGENT~1.log -
    [Fri Jan 10 04:40:22 2014EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.               
    at com.hyperion.css.facade.impl.CSSAbstractAuthenticator.authenticateUser(CSSAbstractAuthenticator.java:658)
    at com.hyperion.css.facade.impl.CSSAPIAuthenticationImpl.authenticate(CSSAPIAuthenticationImpl.java:69)               
    at com.hyperion.css.facade.impl.CSSAPIImpl.authenticate(CSSAPIImpl.java:102)               
    at com.hyperion.css.facade.impl.CSSAPIImpl.login(CSSAPIImpl.java:794)               
    at com.hyperion.css.facade.CSSAPIFacade.login(CSSAPIFacade.java:776) ]
    Local/ESSBASE0///9180/Info(1042059)

    Server times are in sync. In fact, we see no such issues on the 9.3.1 environments (which are in the same server farm as the 11.1.2.2 environments).
    We're using the same MSAD configuration we have in the 9.3.1 environments as follows -
    Directory Server: Microsoft
    Name: AD Host Name: ad.mycompany.com
    Port: 389
    SSL Enabled: unchecked
    Base DN: DC=ad,DC=mycompany,DC=com
    ID Attribute: objectguid (greyed)
    Maximum Size: 200
    Trusted: checked
    Anonymous Bind: unchecked
    User DN: ad\hyperion_admin
    Append Base DN: unchecked
    User RDN: blank
    Login Attribute: cn
    First name Attribute: givenName
    Last name Attribute: sn
    Email Attribute: mail
    Object Class: person,organizationalPerson,user
    Support Groups: checked
    Group RDN: OU=groups
    Name Attribute: CN
    object class: group?member
    I also tried disabling AD groups (Support Groups = unchecked), but I still see a random AD authentication failure. Below are logs based on automated retrievals using an AD account at 14:37, 17:37, 20:37 and 21:40 today. The first 2 worked fine, the 3rd failed, the fourth worked fine again. From SharedServices_Security_Client.log -
    [2014-01-11T14:37:00.574-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 42] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 45] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T14:37:01.151-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
    [2014-01-11T17:37:00.752-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 46] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 49] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T17:37:01.361-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
    [2014-01-11T20:37:00.634-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection  from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url . ad.weil.com:389. Verify MSAD user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
    [2014-01-11T20:38:24.748-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration..
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
    [2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
    [2014-01-11T21:40:41.799-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 52] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
    [2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
    [2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 55] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
    [2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
    [2014-01-11T21:40:42.080-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that Active Directory server Reject the authentication attempt
    as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
    Event Logs why did the user account got locked.
    Under Even Viewers, You can find it out
    Regards
    Minakshi (Do rate the helpful posts)

  • ACS 5.1 Authentication against AD problem

    I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
    ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
    I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
    The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
    show logging application acs reveals the following:
    ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
    password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
    I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
    Any ideas on what might be the cause, and how I can fix this?
    Thanks!

    Hello,
    It is complicated to explain this rule but hopelly you will understand.
    I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
    Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
    To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
    Regards,
    Sebastian Aguirre

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

Maybe you are looking for

  • MY CC SUBSCRIPTION HAS BEEN SHUTDOWN  –  TOLD PAID BY ADOBE SUPPORT - UNABLE TO WORK

    I am currently shut down by Adobe. I can't use any products on the Creative Cloud. Adobe has had a gun to my head for the past 7 days and just pulled the trigger. I am currently unable to work. I have used 3 credit cards with Adobe on this account an

  • JComboBox Cell Render selection problem

    .......It only changes the color of the triangle for the drop down. It does not change the color of what is selected. There is just a gray selection background <code> import java.awt.*; import javax.swing.*; import javax.swing.border.*; import javax.

  • Error while Check-in DC's on NWDI: No Prefix found for DC

    Hi, I receive the following error when I try to check-in a CAF DC creation activity on the DTR. FAILED: No prefix found for development component "vendorname/name_A/caf/dictionary". Appropriate development component prefix should be configured in SLD

  • TS2999 Please help my macbook pro want turn on

    Please help nothing happening

  • Solaris 10 TPI interface

    Hi all, I am writing a streams driver to catch the TCP data in between Client/ Server applications under loopback mode using TPI interface. To identify the new listener queue and the client end point information I am using T_CAPABILITY_ACK, T_CONN_RE