EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

Similar Messages

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

  Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
  Does anyone have any ideas how to troubleshoot this problem with the appliance?

  If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

  Hi All ,
               I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
               I have downloaded client supplicant certficate file for my windows XP machine .
  When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
  Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
  Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

  Hello,
  I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
  Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
  -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
  -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
  -          Delete the wireless network from the computer
  -          REBOOT!!
  -          Open the Microsoft Management Console, “mmc”.
  -          Go FILE\Add Remove SnapIn. Select Certificates ..
  -          If promoted, do it for “My User Account”.
  -          Make sure the certificates are where you put them. 
  -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
  -          Redo wireless network setup again
  I hope this helps you.
  Mike

• EAP TLS authentication failed during SSL handshake

  We see this message, trying to set up EAP TLS. Anyone come across this ?

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• Error during SSL handshake

  Hi,
  I am getting the "Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error during SSL handshake.
  I am implementing SSL authentication in custom JCA adapter. I have the keypairs in the DEFAULT view in keystorage and the public key of server in services_ssl view. I am able to access the certificated by doing a looklup. Below is the implementation
  KeystoreManager manager = (KeystoreManager)ctx.lookup("keystore");
  trustKeyStore = manager.getKeystore("service_ssl");
  keyStore = manager.getKeystore("DEFAULT);
  KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
  KeyManagerFactory.getDefaultAlgorithm());
  kmfactory.init(keyStore, null);
  KeyManager[] kmanager= kmfactory.getKeyManagers();
  TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
  TrustManagerFactory.getDefaultAlgorithm());
  tmfactory.init(trustKeyStore);
  TrustManager[] trustmanagers = tmfactory.getTrustManagers();
  SSLContext sslcontext = SSLContext.getInstance("SSL");
  sslcontext.init(keymanagers, trustManagers, null);
  I am able to get the contents of DEFAULT view and services_ssl view. When i try to connect to the server using httpClient.executeMethod() i am getting the below.
  Is this the correct way to initialize the SSL context? Any info on this will be really helpful.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
       at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
       at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:395)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
       ... 10 more
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
       at sun.security.validator.Validator.validate(Validator.java:203)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
       at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
       ... 27 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
  Thanks

  You need to re-add the host using the mkhost command, that will rewrite the wallet for you.
  Thanks
  Rich

• Weblogic server 10.3.5 error during SSL handshake

  Please some one help to figure the issue with following logs.
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33092690>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33095418>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33092490 SSL Version data invalid>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
  <16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
       at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  >
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33092690>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33095215 SSL Version data invalid>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
  <16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
       at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  >
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
  <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33095418>
  I just created domain with http and https ports. I installed an web app. When I am trying to access the app from browser through https the above error is occurring.
  Please somebody help me.
  Thanks in advance.
  SK

  This message indicates that the SSL connection is closed successfully. It is a warning message and normal to see in the logs when you enable the SSL debug flags. This is an expected behavior. If you see alerts when SSL debug is NOT ENABLED then it is a real alert and we need to take care of those issues. Also, it is not a real alert, it is a caught and handled exception from the certicom code which is not harmful and should be ignored, just because you have enabled the SSL debug flag. Once you turn it off, you won't see it in the logs.
  Edited by: sharmela on Jan 22, 2013 4:55 AM

• Error: Load operation failed for query 'GetAuthenticationInfo'. The remote server returned an error: NotFound.

  Hello,
  I have a lightswitch web-application in development, which I need to copy from one computer to the other. I have tried doing it both through Git and by simply copying the solution and opening the project on another machine. The project builds without errors,
  but when I try to debug it, it opens a web-browser, loads to 100% and pops up an error - Load operation failed for query 'GetAuthenticationInfo'. The remote server returned an error: NotFound.
  Now, I have tried repairing Visual Studio on my machine, reinstalling .NET framework and setting  <basicAuthentication enabled="false" /> in web.config, yet it still does not run.
  When using Fiddler, it shows an error while loading the application - "HTTP/1.1 500 Internal Server Error" , which I honestly don't know what it means.
  The application uses ComponentOne and Telerik modules, but they are both installed on both machines. 
  The application does run perfectly on the original machine, but it is not working on any other one.
  Both machines are using Win 8.1 and Visual Studio 2013 Update 4.
  I have tried to look this up online, but most people's problem are when they are deploying the app, not just debugging. I would be really happy for any help with this issue.
  Thanks!

  I have the same problem on one of my development machines. Whenever I create a new project, the System.IdentityModel.Tokens.Jwt nuget package is not referenced properly. The project compiles correctly but you are not able to debug as I get the same error
  as you.
  If you open up your references and there is an error next to any of your references make sure that you correct them. In the case of the jwt reference error, I have to remove the jwt reference and then add it back from the packages folder.
  This may not be your problem but could point you in a direction?

• Failed to set Subscriptions on the WSUS Server

  We are running SCCM 2012 R2; synchronization of updates is not working.
  The SUP is running on a Windows 2008 R2 server and it is not the Site Server.
  Below I have some log data. I have already tried uninstalling and reinstalling WSUS.
  WCM.log
  Starting WSUS category sync from upstream... SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:22 PM 4488 (0x1188)
  Refreshing categories from WSUS server SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:27 PM 4488 (0x1188)
  Attempting connection to WSUS server: cobalt.ad.northcentral.edu, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:27 PM 4488 (0x1188)
  Successfully connected to server: cobalt.ad.northcentral.edu, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:27 PM 4488 (0x1188)
  Successfully refreshed categories from WSUS server SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Attempting connection to WSUS server: cobalt.ad.northcentral.edu, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Successfully connected to server: cobalt.ad.northcentral.edu, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Category Company:94d731de-22a6-4458-dc4d-b5267de026fc (Adobe Systems, Inc.) not found on WSUS SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Subscription contains categories unknown to WSUS. SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  STATMSG: ID=6603 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=ALGAE.ad.northcentral.edu SITE=NCU PID=1204 TID=4488 GMTDATE=Tue Jan 06 19:14:53.974 2015 ISTR0="cobalt.ad.northcentral.edu" ISTR1=""
  ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  Waiting for changes for 59 minutes SMS_WSUS_CONFIGURATION_MANAGER 1/6/2015 1:14:53 PM 4488 (0x1188)
  wsyncmgr.log
  Found active SUP SUP.ad.domain.tld from SCF File.SMS_WSUS_SYNC_MANAGER 
  1/6/2015 1:10:45 PM    4576 (0x11E0)
  Sync failed: WSUS update source not found on site NCU. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSourceSMS_WSUS_SYNC_MANAGER           
  1/6/2015 1:10:45 PM          
  4576 (0x11E0)
  STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=Siteserver.ad.domain.tld SITE=NCU PID=1204 TID=4576 GMTDATE=Tue Jan 06 19:10:45.260 2015 ISTR0="getSiteUpdateSource" ISTR1="WSUS update source
  not found on site NCU. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0SMS_WSUS_SYNC_MANAGER         
  1/6/2015 1:10:45 PM          
  4576 (0x11E0)
  Sync failed. Will retry in 60 minutes        
  SMS_WSUS_SYNC_MANAGER 1/6/2015 1:10:45 PM           
  4576 (0x11E0)
  Setting sync alert to active state on site NCU    
  SMS_WSUS_SYNC_MANAGER 1/6/2015 1:10:45 PM     
  4576 (0x11E0)
  Sync time: 0d00h00m00s   SMS_WSUS_SYNC_MANAGER
  1/6/2015 1:10:45 PM          
  4576 (0x11E0)
  WSUSCtrl.log
  Failed to create instance of Microsoft.SystemsManagementServer.WSUS.WSUSServer. error = Unspecified errorSMS_WSUS_CONTROL_MANAGER        
  1/6/2015 12:39:11 PM        
  4888 (0x1318)

  Blank out/remove all of the categories you have configured in ConfigMgr on the Software Update Point. Then run a full synchronization from the console. This will synch up all available categories without trying to subscribe to any. Then, you can go back
  re-select the categories that want (after the full synch completes) and perform another full synch.
  Right now, you are trying to subscribe to a category that doesn't exist.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error

  Recently restored SCCM 2012 SP1 from Sever 2008 R2, to Server 2012 R2. I had Updates Publisher installed on old 2008 Server with Firefox and Chrome imported into Configuration Manager. Since I have upgraded I am no longer able to sync updates with Microsoft.
  WCM.log says:
  Category Product:44048288-2aac-b2b5-3730-fc020622ea05 (Firefox) not found on WSUS
  Category Product:cc5cb1bb-6b87-94ae-f96a-f758195112a7 (Chrome) not found on WSUS
  Subscription contains categories unknown to WSUS.
  Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)Unspecified error
  STATMSG: ID=6603 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=wdlsccmpri.aarcorp.com SITE=AAR PID=2788 TID=4668 GMTDATE=Mon Feb 17 18:22:43.654 2014 ISTR0="wdlsccmpri.aarcorp.com" ISTR1=""
  ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=
  I have gone to deselect these products from syncing in Administration> Site > Configure Site Components >Software Update Point Products Tab.  They are not there. Any help on getting SCCM to sync updates would be greatly appreciated.

  PROBLEM
  =========
  Unable to sync after moving the Primary site server to different OS.
  CAUSE
  =======
  Issues with the product and classification setup in the SUP after the restore.
  RESOLUTION
  ===========
  Ran below query to check if we have reference to Firefox and Chrome categories in the database.
  QUERY:
  select CategoryInstance_UniqueID, CategoryInstanceName
  from fn_ListUpdateCategoryInstances(9) cat
  where cat.AllowSubscription=1 and cat.IsSubscribed=1 and cat.IsParentSubscribed=0
  order by cat.CategoryInstance_UniqueID
  RESULT:  [Along with other products we found Chrome and Firefox]
  Product:44048288-2aac-b2b5-3730-fc020622ea05  Firefox
  Product:cc5cb1bb-6b87-94ae-f96a-f758195112a7 Chrome
  Ran Select Query
  select * from CI_CategoryInstances where categoryinstanceid in
  (select categoryinstanceid  from CI_LocalizedCategoryInstances where LocaleID = 9 and CategoryInstanceName = 'Firefox'or
  CategoryInstanceName = 'Chrome')
  RESULT:
  CategoryInstanceID CategoryInstance_UniqueID CategoryTypeName DateLastModified SourceSite ParentCategoryInstanceID IsDeleted rowversion
  16777523 Product:cc5cb1bb-6b87-94ae-f96a-f758195112a7 Product 2013-11-27 21:05:23.000 AAR 16777522 0 0x0000000006B08673
  16777549 Product:44048288-2aac-b2b5-3730-fc020622ea05 Product 2013-11-27 21:05:23.000 AAR 16777536 0 0x0000000006B08676
  Ran Select Query
  select * from CI_LocalizedCategoryInstances where LocaleID = 9 and CategoryInstanceName = 'Firefox'or
  CategoryInstanceName = 'Chrome'
  RESULT:
  CategoryInstanceID LocaleID CategoryInstanceName rowversion
  16777523 9 Chrome 0x0000000006B08674
  16777549 9 Firefox 0x0000000006B08677
  We did find Chrome and Firefox items in the database.
  We need to delete these items in the database.
  We used below queries to delete the reference from the database.
  delete from CI_CategoryInstances where categoryinstanceid in
  (select categoryinstanceid  from CI_LocalizedCategoryInstances where LocaleID = 9 and CategoryInstanceName = 'Firefox'or
  CategoryInstanceName = 'Chrome')
  delete from CI_LocalizedCategoryInstances where LocaleID = 9 and CategoryInstanceName = 'Firefox'or
  CategoryInstanceName = 'Chrome'
  After deleting performed Scheduled Sync. Was successful

• Messaging Server 3.6 fails to start even though the Administration Server says "Success"

  Messaging Server 3.6 fails to start even though the Administration Server says
  "Success". There are no entries in the log to help explain what has happened.
  <P>
  Any failure to start Messaging Server via Administration should be analyzed by
  starting the server with /etc/NscpMail.
  <P>
  # /etc/NscpMail start
  19991219004527:Dispatch:Notification:Network Module (IMAP4-Server) Failed the verify environment test.
  Module not Loaded.
  Startup Problem:
  Problem Gaining Unique Lock
  Netscape Messaging Server Exiting!
  <P>
  This error is caused by an inability to create the .netscape.mailID file
  inside the top level of the postoffice.
  <P>
  # cd /var/spool/postoffice
  # ls -la
  total 30
  dr-x------ 8 nobody nobody 512 Dec 19 01:06 .
  drwxrwxr-x 13 root bin 512 Feb 12 1999 ..
  drwx------ 2 nobody nobody 1536 Dec 19 01:04 config
  drwx------ 2 nobody nobody 512 Dec 19 01:04 control
  drwx------ 3 nobody nobody 512 Dec 19 01:04 deferred
  drwx------ 2 nobody nobody 512 Dec 19 01:04 hold
  drwx------ 2 nobody nobody 5120 Dec 19 01:04 log
  drwx------ 2 nobody nobody 512 Dec 19 01:04 messages
  -rw-r--r-- 1 root other 183 Apr 12 1999 sie.conf
  -rw-r--r-- 1 root other 6 Dec 19 01:04 socket.dat
  <P>
  NOTE: The "." entry is the same as ls -l /var/spool/postoffice
  <P>
  # chmod u+w .
  # /etc/NscpMail start
  # ls -la
  total 32
  drwx------ 8 nobody nobody 512 Dec 19 01:04 .
  drwxrwxr-x 13 root bin 512 Feb 12 1999 ..
  -rw------- 1 nobody nobody 5 Dec 19 01:04 .netscape.mailID
  drwx------ 2 nobody nobody 1536 Dec 19 01:04 config
  drwx------ 2 nobody nobody 512 Dec 19 01:04 control
  drwx------ 3 nobody nobody 512 Dec 19 01:04 deferred
  drwx------ 2 nobody nobody 512 Dec 19 01:04 hold
  drwx------ 2 nobody nobody 5120 Dec 19 01:04 log
  drwx------ 2 nobody nobody 512 Dec 19 01:04 messages
  -rw-r--r-- 1 root other 183 Apr 12 1999 sie.conf
  -rw-r--r-- 1 root other 6 Dec 19 01:04 socket.dat

  Hi,
  Please check if you have disabled the autodisconnect feature of the Server service. On Windows servers it can be configured through the Autodisconnect registry key.
  \HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
  CIFS and SMB Timeouts in Windows
  http://blogs.msdn.com/b/openspecification/archive/2013/03/19/cifs-and-smb-timeouts-in-windows.aspx
  Based on the research, as the open shared folder is in a SMB session, the default timeout for SMB session is 15 minutes. If the SMB session is inactive for 15 minutes the server will send a TCP reset to close the SMB connection. Until the
  Autodisconnect timer is reached, the server will send an NBT keep-alive packet every two minutes. If a client or server application is not written to properly handle network delays, it may terminate the session prior to the default timeout
  period.
  For more detailed information, please refer to the thread below:
  Session doesn't close Shared Folder
  https://social.technet.microsoft.com/Forums/en-US/54f658c8-3d41-4beb-9a2f-47b054a11b7a/session-doesnt-close-shared-folder?forum=smallbusinessserver
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Adding server in DAG failing with error Error: Cluster API failed: "AddClusterNode() (MaxPercentage=25) failed with 0x800706ba. Error: The RPC server is unavailable

  Hi, Below is teh environments
  DC: Win 2008 R2 SP1
  Exchange Server OS: Win  2012  R2 Std 
  Exchange : 2013 SP1 Ent
  Two Servers with CAS+MB role, already part of one DAG. I am trying to add one new server in existing DAG. The installation of exchange 2013 competed successfully. However when i am adding it to the existing DAG, the below error is coming. Please help
  to solve the issue. Thanks in advance.
  A server-side database availability group administrative operation failed with a transient error. Please try the operation again. Error: An error occurred while attempting a cluster operation. Error: Cluster API failed: "AddClusterNode() (MaxPercentage=25)
  failed with 0x800706ba. Error: The RPC server is unavailable" [Server: cluster owner FQDN]
  Manu

  Hi Manu,
  As Deepak mentioned, please try to enable IPv6 on all member servers first.
  Based on my research, In Microsoft Exchange Server 2013, IPv6 is supported only when IPv4 is also installed and enabled. If Exchange 2013 is deployed in this configuration, and the network supports IPv4 and IPv6, all Exchange servers can send data to and
  receive data from devices, servers, and clients that use IPv6 addresses.
  Please also configure or disable Firewall to allow the connection.
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Mavis Huang
  TechNet Community Support