Forcing successful chap authentication for old tacacs users

Similar Messages

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• Basic Authentication for Non-AD Users

  Hello
  we are implemented windows integrated single sign on using spnego module and adjusted the login stacks as directed;
  Evaluate TicketLogin.Module = SUFFICIENT
  SPNEGO mdoule = OPTIONAL
  Ceate TicketLoginModule = SUFFICIENT
  BasicpasswordLogin Module = REQUISITE
  Create Ticket Login Module = REQUISITE
  This is tested an all works fine for AD users on the network.
  We have also activated the parameter;
  ume.usermapping.refsys.mapping.type = attribute
  So that we can perform user mapping of AD user id is different from backend sap user id.
  However, when Non-AD users, for example internet users or third parties want to access the portal we want them to be challanged by basic username and password authentication.
  All we get is page cannot be displayed. (we've made sure IP address / network etc is in place, this worked before implementing spnego)
  The security log shows the following error;
  #1.#001E680F70D100750000000D0000571E00046EE5C2DB2770#1247833002551#/System/Security/Authentication#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#Guest#0##n/a##b010c47072cb11de8c4c001e680f70d1#SAPEngine_Application_Thread[impl:3]_26##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
  User: N/A
  Authentication Stack: ticket
  Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
  1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true
  2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      
  Access Denied. No authorization header received.
  3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true
  4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false
  5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true       #
  What does it mean by no authorisation header?
  This is only affecting non-AD users.
  what have I missed / done wrong?
  cheers

  Could you try this one :
  Evaluate TicketLogin.Module = SUFFICIENT
  SPNEGO mdoule = OPTIONAL
  Create TicketLoginModule = SUFFICIENT
  BasicpasswordLogin Module = REQUISITE
  Create Ticket Login Module = OPTIONAL

• Authentication for easy vpn users using windows ad and xauth on pix firewa

  Hii
  We need to authenticate the VPN client users from windows as pix as the network device where all vpn configuration done
  Need the accounting for those vpn users.
  Thanks
  Manish GaurPlease guide me

  Manish,
  Which version of the pix os are you running 6.x.x or 7.x.x. If your using 6 your have to use radius. Follow this guide for radius:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
  For the actual pix configuration its easiest to run through the vpn wizard in PDM (PIX Device Manager)
  The radius guide should work for 7.0 if you run the ADSM Wizard for the vpn portion.
  Patrick
  Please rate any posts that are helpful.

• For old mac users, "MegaPhone" compatibility help

  My old performa has just died. On the performa restoration CD is MegaPhone, phone calling/receiving software. It used my built in 14.4K modem. Would it work on a G3 900MHz iBook on the built in 56K modem? The performa was a Performa 6300, Processor: 603 100MHz. Help please, I use this software a lot!

  I'm only posting this because I don't want a broken computer!

• "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Kpdn, 
  Thanks for your post.
  All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• User Authentication for Internet access

  Hi,
  Is it possible to configure authentication for internal (LAN) users to Authenticate (local/RADIUS/LDAP) for any kind of internet access through the ISA550/570? (like cut-through authentication proxy in ASA.)
  And Can the ISA550/570 act as a Web proxy?
  Thanks in advance.

  HI Sulu,
  You can configure captive portal for internal LAN users to authenticate (local/Radius/LDAP) for internet
  access through ISA500. (see attached screenshot)
  ISA500 cannot act as a web proxy. what is your use case ?
  Regards,
  Wei

• "Team Foundation Server" is preventing authentication for whole team !!

  I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
  1st
  Error (from administrative events):
  The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
  More information is included below.
  Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
  Tried so far:-
  - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
  2nd
  Error (from application server):
  DistributedCOM error
  The application-specific permission settings do not grant
  Local Activation permission for the COM Server application with CLSID 
  {000C101C-0000-0000-C000-000000000046}
   and APPID 
  {000C101C-0000-0000-C000-000000000046}
   to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
  from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
  Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
  https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
  Other
  Fixes I tried
  - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
  loading up using w3wp.exe from processes. 
  Concern
  - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

  Hi Amr,
  For your first error, you can change the "Diagnostic Logging" path, aslo change the path of the usage and health data connection the same with your ULS log location. Check this
  blog for more detils and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this
  thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
  About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there any configuation issues on your application tier server. However, you can also refer to this
  blog
  to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread related forum.
  Best regards,

• Radius or LDAP (not Oracle LDAP) authentication for GridControl

  I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
  I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
  However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
  Questions for all:
  Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
  I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
  Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
  I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

  <QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
  Amen.
  Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
  I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
  At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
  Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
  The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
  In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
  I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
  Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
  In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
  I'll keep the thread updated if I see results from our SR.

• Safari 5 seems to have slowed the OS for my Admin user account

  After installing Safari 5 (now 5.0.2), and after a few Safari hangs and force quits, my OS for my Admin user account has become slow. Opening folders and seeing the contents is slow; moving small documents from folder to folder is very slow; cutting and pasting text in a MS Word document sometimes takes two or three tries, as the text highlighting cursor function has slowed. (Interestingly, Safari's basic click and pageload functions seem to work fairly normally, but with the same highlighting and copy/paste slowness that affects all other programs. Also, my mouse pointer moves quickly as per normal.)
  However, I created a new user account as a test comparison and found that the new user account is NOT slow. It works perfectly fine.
  Any thoughts on what I should do? Is my original Admin account corrupted? Is it possible to simply move my personal files (Word docs, iTunes songs, bookmarks) to the new user account and then delete my original Administrator account?
  What should I do? Thanks everyone.

  Well, it was worth a shot.
  How full is your hard drive? Always a good starting point for diagnosing slowdowns.
  Sometimes running periodic maintenance scripts helps, because it cleans some caches that a Safari reset won't. The scripts are supposed to run automatically in the wee hours of the morning when most people are computing, but the problem is that they only run if the computer is on and not sleeping. Not too realistic.
  This article in an excellent series of "keep the Apple sweet" articles talks about the scripts and how to run them manually:
  http://thexlab.com/faqs/maintscripts.html
  They are less important in later incarnations of Mac OSX as some o the tasks they do were shifted to start-up, but doing them is worth trying.
  Also use Activity Monitor to check for a runaway background process. It's possible that this could affect only one user account. If you've not used Activity Monitor before, make sure you change its "Show" option from the default of "My Processes" to "All Processes" or you might miss some nasty troublemakers. Also click in the "%CPU" column header to sort by processor usage. With no user apps running, (basically an idling computer) no single process should demand more than ~5 percent of the processor. Let AM display for a few minutes while you watch it, as some processes toggle back and forth as they activate.
  Running any anti-virus software? Most does more Mac-harm than Mac-good.
  Keep us posted!
  A

• ASA enable authentication for AD user by ACS TACACS fails

  In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
  It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
  So, how to setup enable authorization for AD user?
  Or is there a way to drop a user directly into level 15 on ASA just like it on router?
  below is the debug info.(I'm sure the password is the one I set in ACS)
  LABASA1(config)# AAA API: In aaa_open
  AAA session opened: handle = 884
  AAA API: In aaa_process_async
  aaa_process_async: sending AAA_MSG_PROCESS
  AAA task: aaa_process_msg(d45bd5c8) received message type 0
  AAA FSM: In AAA_StartAAATransaction
  AAA FSM: In AAA_InitTransaction
  Initiating authentication to primary server (Svr Grp: TACACS)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server: 192.168.1.221
  AAA FSM: In AAA_SendMsg
  User: fostco\user1
  Resp:
  callback_aaa_task: status = -1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 884, pAcb = d5b193e0
  aaa_backend_callback: Error:
  Incorrect password.
  AAA task: aaa_process_msg(d45bd5c8) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back End response:
  Authentication Status: -1 (REJECT)
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
  AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
  None
  Auth Status = REJECT
  aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
  AAA API: In aaa_close
  AAA task: aaa_process_msg(d45bd5c8) received message type 3
  In aaai_close_session (884)

  I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
  I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

• Tacacs+ authentication/authorization based on user's subnet

  Hi Guys/Girls
  We have number of production cisco gears, all of which are configured with Tacacs+ and all of them working just fine. But now I have a requirement to implement SSH-ver2 across whole network, comprise of about 8000 cisco gears.
  I need to develop a proof of concept (POC), that enabling SSH on production gears will not affect existing Tacacs+ users authentication and authorization.
  In our lab cisco gears, it has been already configured with production Tacacs+ server for authentication and authorization. Now I am allowed to test SSH on these lab-gears but I without disrupting others users who are using the same lab-gears.
  So, I want to enable SSH version 2 on these lab-gears however, when user coming from a certain specific subnet, this particular user must be authenticated and authorized by LAB Tacacs+ but not from production Tacacs+, however please note that lab-gears I am testing with also already configured for  production Tacacs+ server as well. These lab-gears must be able to do authentication and authorization to two different Tacacs+ server based on users subnet that he or she coming from.
  Is this doable plan? I have been looking for a documentation to implement test this method, not being successful.
  Your feedback will be appreciated and rated.
  Thanks
  Rizwan Rafeek

  Riswan,
  This will not work, tacacs authentication starts once the ssh connection is established, the NAD (switch or router) will open a tacacs connection and send the start flag to the tacacs server in which the message "getusername" is sent from the tacacs server to the device and to the user terminal. You can not create an acl in order to pick which tacacs servers you can authenticate to either. So when it comes to authenticating users from a specific subnet to a specific tacacs server that is not the intended design of tacacs, when you configure multiple servers in a group it is to insure high availability such that when one tacacs server goes down you have a secondary to continue with the authenticaiton requests.
  Here is an example of how the tacacs authentication is performed.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic
  thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• Trying to open Aperture, but I get the message, "There was an error opening the database for the library "/Users/davewasson/Pictures/Aperture Library.aplibrary". - and it forces me to quit. What do I do?

  Trying to open Aperture, but I get the message, "There was an error opening the database for the library “/Users/davewasson/Pictures/Aperture Library.aplibrary”. - and it forces me to quit. What do I do?

  Dave-
  You can try opening the old (problem) library by launching Aperture into Library First Aid mode and choosing to Repair (first option) or Rebuild the library. Before doing this, make a backup copy of the old library, since both Repair or Rebuild will write changes to the library database.
  Repair is the faster and less drastic option, so try that first: After backing up your library, hold down both the Option and Command keys while dragging and dropping the problem library on the Aperture icon. The Photo Library First Aid window appears. Select Repair Database, then click Repair. After some time Aperture should open the library, if possible.
  If that fails launch Aperture back into Library First Aid and select Rebuild Database. Depending on the size of your library this operation could take some time, up to several hours for a very large library. When the main window appears you may have some extra Recovered folders/projects. This operation rebuilds the library from scratch and is usually successful at reviving problem libraries.

• SUP user authentication for web services

  Hi there.
  Has anyone in the comunity had any experience with building Web Service based Mobile Business Object (MBO) in SUP 1.5.2. We have built a mobile application for a blackberry device which consumes two ERP web services. The application deploys successfully and runs on the blackberry device just fine. However, untill now the user credentials needed to authenticate a consumer to a web service has been hard-coded into the mobile business object. This, from an accountability point of view, is not an acceptible model (i.e. all mobile users would be logging in to the ERP backend with 1 common user ID).
  Has anyone had any experience and could suggest an an alternative solution to this that would support accountability i.e. map SUP users to ERP users, trusted connections etc. and is this possible with SUP 1.5.2?
  S

  Actually, SUP 1.5.2 just provides the HTTP basic authentication for WS-MBO. It is enable that to create 'username' and 'password' on the WS-MBO as two input parameters. Thus, you can design your device app in SUP to prompt the dialog to accpet the username and password before you access your WS-MBO. Similar, if your web-service has input argument for username and password, you also can design a dialog like above.

• User Authentication for Web Services

  Hi,
  I am developing a web services that resides in Intranet. Thus, would like to implement application layer of user authetication, i.e. to match the input user name and password against Database record through a web service logon() method. If authentication is passed, the client program is allowed to call subsequence web service methods, else exception needs to be thrown when calling subsequence methods.
  As understand that each method call to web services is treated seperately. Thus, how can we implement the authentication so that the client program only passes in the user name and password at once through logon() method, instead of perfoming the authentication for each method?
  Appreciate the advice. Thanks.

  Hi,
  But, I need to develop the web services logon method using WSDL which generated the LogonBindingImpl.java, instead of web services using EJB bean.
  Besides, the Web Service logon method (LogonBindingImpl.java) need to accept the input user name and password to check with the user name and password that stored in database table through the EJB bean. If checking successful, client program is allowed to invoke other WebServices method, else login failed exception need to be thrown when client calling other web services methods.
  Appreciate the advice here on how to achieve that. Thanks.