HTTPS 2-way authentication doesn't work.

Similar Messages

• PEAP-GTC on Win 7 and 8 platforms (LDAP authentication doesn't work)

  Hi all!
  Customer is using Open LDAP as directory services.
  We're setting Cisco Wi-Fi network with following authentication scheme:
  Wireless LAN Controller - Cisco ACS 5.3 - Open LDAP
  According to the documents ACS - LDAP supports only EAP-TLS and PEAP-GTC methods.
  We need to perform username/password authentication. It works good on Apple and Android devices. But id doesn't want to authenticate Windows 7 clients.
  We're unchecking "Validate Servers certificate" in WLAN settings of Win 7 client, but it still doesn't work.
  It seems, that Windows doesn't support PEAP-GTC method. Are there any workaround to solve the issue?
  I might assume, that there could be some software plug-ins (supplicants) that can be installed on Windows and give support of PEAP-GTC. But in this case customer will face serious organizational issues of provisioning new devices.
  Please advice!
  Thank you!
  Yuriy

  In order to see PEAP EAP-GTC option on the client, you need to install EAP-GTC supplicant on the client machine.
  Check this:
  http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007967
  Jatin Katyal
  - Do rate helpful posts -

• Certification authentication doesn't work on linux version of Firefox

  I have web page on IIS6 which need windows authentication. I enabled certificate mapping on certain user so when I install the proper certificate on firefox installed on Windows-based PC (I login with local user) and set network.automatic-ntlm-auth.trusted-uris variable, I can access this site without typing username and password. I tried to configure in same way firefox on my linux station, but it doesn't work - the web site access attempt finishes with authentication request windows

  I didn't

• EA4500 guest network re-authentication doesn't work

  I have successfully set up a guest network on my EA4500. Guest laptop associates with guest SSID just fine. Then via IE, it gets prompted for the guest password, which is entered and accepted just fine. At this point guest laptop is on the network. Hooray!
  BUT... at some point the guest laptop will need to reauthenticate (I don't know what the timeout is, but maybe one or two days?). Anyway, it's at this point that IE presents the guest network login page. But now after typing in the password, "enter" or clicking on the button does nothing. It looks like the guest web page doesn't get loaded properly or completely, so the reauthentication can't complete, therefore can't get to the internet. So, while in this state, I've also tried Firefox and Chrome, and same thing, no action when trying to submit the guest password. Tried rebooting guest laptop, and still same problem. Only thing I've found so far that works is to reboot the router. So I'm guessing there's a problem with the guest/web server on the router?? It's a real pain to have to reboot the router every day or two, when I've had other Linksys routers run for months without having to touch them.
  I was running CCC 2.1.38 when I first noticed the problem. Since then I've downgraded to Classic 2.0.37, but it seems I still have the same problem. Again, I can connect & authenticate just fine initially, but when reprompted after some period of time, it doesn't work.
  I've tried contacting Cisco support, but it looks like I'm at 91 days since purchase and thus outside of my 90-day complimentary support, so they happily provided me with the premium support options just to have the honor of talking with them. Guess I shouldn't have spent so much time trying to figure this out myself.
  I've searched the forums here,but so far haven't found any answers (I do see posts where the guest web page isn't presented at all, but in my case the page is presented, just can't do anything). Anyone seen this or have any ideas?

  jaymay -- I agree there's no harm in a reset; just the time to reconfigure, reenter DHCP reservations, etc. I'll keep this as an option as I troubleshoot, but see next...
  TEXXSHARKK -- good news/bad news ... I ended up not yet resetting. Instead, since I had this problem first with CCC firmware 2.1.38 (Build 138828 - the automatically pushed update), I reverted back to Classic 2.0.37. Still same problem with guest re-authentication. Only workaround was to reboot the router. That's when I first posted.
  So, since I had the problem with both CCC and Classic firmware, I ended up going back to CCC. To do that, I needed to manually update, which is 2.1.38 (Build 138880 for web manual download only). SInce (re)updating the firmware, I haven't had a repeat of the original problem. It's been about a week now, and the guest laptop has gone through a number of re-authentications, all without problem. For continued troubleshooting, I've been periodically connecting my iPad, BlackBerry, etc, to the guest network, and they get through the authentication page just fine as well. So that's the good news in that the problem "seems" to have gone away.
  The bad news is that it's still unexplained:
  - There's what I assume is a just a minor build difference between the two CCC firmwares, so it seems unlikely that would make a difference?
  - Could be just the fact of reburning the firmware corrected whatever the problem was -- a la doing a reset, even though I didn't reconfigure, just firmware (re)update
  - Could be the problem is still there biding its time, waiting for me to think it's forever gone, only to pounce again
  If the problem does reappear, I'll update here.

• PEAP : Machine authentication doesn't work

  Hello,
  I'm trying to set up machine authentication and at this time I have some problems.
  I have the following configuration:
  - the users laptop are running WinXP
  - the AP is a 1232
  - ACS 3.3.2
  - external database (Win2000 Active Directory) authentication
  I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
  On the Active Directory I changed the Dial In config. for the computers to allow access.
  Is there anything else that has to be modified in order to perform machine authentication?
  Hope someone will be able to help me.
  Thanks in advance.
  Alex

  Hi Alex
  I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
  I am spending the day to get this working and I'll post what I find out.
  Regards
  Colin

• CP8 - WebObjects (link to http or pdf file) doesn't work on LMS

  Hi,
  Integrate an http link or pdf using WebObjects work well in preview. But once exported to scorm and integrated into an LMS, nothing appears.
  Any ideas ?
  Thanks

  Are these local files? I had lots of trouble getting the new webobject to work in captivate 8 when inserted with the 'objects' menu.
  I had better luck when inserting the old interaction->learning interaction->web object

• Proxy authentication doesn't work with JSSE

  Hello,
  Seems like there is no common way to authenticate with proxy for HTTP and HTTPS.
  Connecting to http://... - works fine, but https://... returns error message:
  Unable to tunnel through 111.111.111.111:8080. Proxy returns "HTTP/1.0 407 Proxy Authentication Required"
  (IP address is intentionally changed in the message above)
  I'm using JSSE with VAJ JDK 1.2 and here is a Java code snippet that works well with HTTP connections:
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("java.protocol.handler.pkgs",
  "com.sun.net.ssl.internal.www.protocol");
  System.setProperty("https.proxyHost", proxyHost);
  System.setProperty("https.proxyPort", proxyPort);
  System.setProperty("http.proxyHost", proxyHost);
  System.setProperty("http.proxyPort", proxyPort);
  try {
  URL url = new URL("https://www.sun.com");
  URLConnection connection = url.openConnection();
  String authString = proxyUserID + ":" + proxyPasswd;
  String encodedAuthString =
  "Basic " + new sun.misc.BASE64Encoder().encode(authString.getBytes());
  connection.setUseCaches(false);
  connection.setRequestProperty("Proxy-authorization", encodedAuthString);
  Listening to the network traffic helped me to understand that there is a difference between the way HTTP and HTTPS is handled. For some reason HTTPS ignores all the headers that I specify using setRequestProperty().
  Here is example of request and responses sent by HTTPS handler:
  Request:
  CONNECT 198.175.98.32:443 HTTP/1.0
  User-Agent: JSSE
  Proxy response:
  HTTP/1.0 407 Proxy Authentication Required
  Date: Wed, 07 Nov 2001 22:04:11 GMT
  Content-Length: 233
  Content-Type: text/html
  Server: NetCache (NetApp/5.1R2D4)
  Proxy-Authenticate: basic realm="NETCACHE2"
  Please note that there is no Proxy-authorization header in the request above.
  Compare it with HTTPS request sent by Netscape browser:
  Request to proxy:
  CONNECT www.sun.com:443 HTTP/1.0
  Proxy-authorization: Basic am0vbDphrGxHa22lLg==
  User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
  Response:
  HTTP/1.0 200 Connection established
  Proxy-Agent: NetCache NetApp/5.1R2D4
  So, the question is:
  What is the best way to pass "Proxy-authorization" header to proxy server??
  Thanks in advance for your time.

  Hi Guys,
  Just like, i assume, all of you, i've had my battles with javas' handling of https comms from behind a firewall. I'm actually amazed at how something that is a simple combination of protocol and security should become so messy.
  Luckily , i managed to get all my requirements met, but the sad thing is after all that hard work, i'm not much closer to understanding why the standard java sdk (im using 1.4) forces us to endure such painful tasks.
  Really, Java is quite a mature language now, and one of its touted benefits is its applicability to web and internet technologies... so why the messy proxy code when dealing with ssl?
  Anyway, i didn't really come here to b**tch, but rather to point you all to a handy library from apache - httpClient - http://jakarta.apache.org/commons/httpclient.
  After implementing ssl proxy tunnelling and all the fun that goes with it, i found this tool, and subsequently deleted all that ugly code, and let http client deal with all that for me.
  Its seriously simple, heres a snippet:
  httpClient = new HttpClient();
  httpClient.setTimeout(responseTimeoutMillies);
  Protocol myHttps = new Protocol("https", new SSLContextBasedSocketFactory(sslContext), targetServerPort);
  httpClient.getHostConfiguration().setHost(targetServerHost, targetServerPort, myHttps);
  if (useProxy)
       httpClient.getHostConfiguration().setProxy(proxyHost, proxyPort);
          httpClient.getState().setProxyCredentials("my-proxy-realm", proxyHost, new UsernamePasswordCredentials(proxyUser, proxyPassword));
  }This initialises the client, and after this, making http requests is simple:
  String response = null;
  PostMethod postMethod = new PostMethod("/secure/blah.jsp"); // A HTTP Post
  postMethod.setRequestBody("Hello there"); // this is the data in the http post body
  int responseCode = httpClient.executeMethod(postMethod);
  if(responseCode == 200)
      response = postMethod.getResponseBody();...
  As you can see, its alot less painful. It certainly makes me feel better, knowing i don't have to support/maintain the ugly proxy tunnelling code. Give it a shot on your next project.
  Hope it helps.
  Regards
  Marcus Eaton

• Client Certificate authentication doesn't work

  Hi there,
  I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
  (my system is not a sneak preview and it is based on Linux).
  When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
  In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
  All certificates are valid, no problem found.
  Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
  Any idea?
  Thank you,
  Erik

  Did you map the certificate and user in the transaction 'extid_dn' ?
  Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
  Felix

• BUG - Client Authentication doesn't work !!! [standalone 10.1.3.0.0]

  i tried to enable client authentication in jdevloper oc4j with
  needs-client-auth="true" but it doesnt work.. i got SSL connection but server do not request client certificate
  i did not have problems with 10.1.2.0.2

  FYI - It is hard to tell where you went wrong in the configuration. Typically this kind of error comes up if there is a problem with the certificate. The process of securing OC4J is detailed here:
  http://download-west.oracle.com/otn_hosted_doc/ias/preview/web.1013/b14432.pdf
  Perhaps you can validate what you did vs the documentation.
  I cut and pasted the following from the docs so may not come out well:
  Creating the Secure Web Site Configuration File
  Specify the appropriate SSL settings under the <web-site> element, as illustrated in the following example.
  <web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/
  web-site-10_0.xsd" port="4443" secure="true" display-name="My Secure Web Site">
  <access-log path="../log/secure-web-access.log" />
  <ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory"
  keystore="../../server.keystore" keystore-password="welcome"
  provider="com.sun.net.ssl.internal.ssl.Provider" />
  </web-site>
  Note the additions to <web-site>, shown in bold:
  Add a secure attribute with the value set to true. Setting secure="true" specifies that the HTTP protocol is to use an SSL socket.
  Set the port attribute to an available port. The default for SSL ports is 443; in the example above, the port attribute is set to 4443.
  Add the <ssl-config> element. This element is required whenever the secure flag is set to true. This element takes the following attributes and elements:
  o The optional factory attribute is used to specify the third-party SSLSecureSocketFactory implementation to use if the application is not using JSSE.
  The Oracle implementation - com.evermind.ssl.JSSESSLServerSocketFactory - is used by default. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
  If the application uses a third-party SSLServerSocketFactory implementation, you can use <property> subelements of <ssl-config> to send parameters to the factory.
  o The keystore and keystore-password attributes specify the directory path and password for the keystore. The specified keystore must contain the certificates of any clients that are authorized to connect to OC4J through HTTPS. The value of keystore can indicate either an absolute or relative directory path and includes the file name.
  o The optional provider attribute can be used to specify a security provider to use.
  By default, the Sun Microsystems implementation - com.sun.net.ssl.internal.ssl.Provider - is used. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
  o One or more <property> elements containing parameters to pass to the SSLSecureSocketFactory. Each element contains a name attribute and a value attribute, enabling you to specify parameters as name/value pairs.
  When the Web site configuration file is ready, add a <web-site> element referencing it to server.xml, the OC4J configuration file located in the J2EE_HOME/config directory. Note that applications will not be able to bind to the Web site unless this notation exists in server.xml. For example:
  <application-server ... >
  <web-site path="./default-web-site.xml" />
       <web-site path="./mycustom-web-site.xml" />
  <web-site path="./secure-web-site.xml" />
  </application-server>
  When configuration is complete, OC4J listens for SSL HTTP requests on one port and non-SSL HTTP requests on another. You can disable either SSL requests or non-SSL requests by commenting out the appropriate *-web-site.xml in the server.xml configuration file.
  <!-- <web-site path="./secure-web-site.xml" /> commented out to remove SSL -->

• Loaded Yosemite onto mid 2011 MacBook Air. IMAP account goes offline - message - Mail cannot send your password securely to the server.  Allow insecure authentication doesn't work. Repeated reloads. No joy. Help!

  Mail cannot send your password securely to the server. You can remove this restriction in the Accounts preferences by setting “Allow insecure authentication”, which could put your password at risk.

  I have the same problem.
  Late 2012 imac 27", intel i7 core
  When I upgraded to Yosemite, suddenly my email account (netvigator POP) gives an error:
  Mail cannot send your password securely to the server. You can remove this restriction in the Accounts preferences by setting “Allow insecure authentication”, which could put your password at risk.
  I have shut down & restarted mail, but no success. If I select Allow insecure authentication, it works, but that's not a long term fix.
  I also have a hotmail POP account enabled, and that is working fine.
  What's happening Apple??
  (Long term apple family - iMac, iBooks, TimeCapsule, iPhones, iPads, AirportExpress etc etc)

• Urgent help: why smtp authenticator doesn't work ?

  Please help me :
  My smtp server authenticates me whether a valid user when I send email. I have had setup an authenticator as following :
  //Setup authenticator
  Authenticator auth = new SMTPAuthenticator();
  // Get session
  Session session = Session.getDefaultInstance(props, auth);
  class SMTPAuthenticator extends Authenticator
  public PasswordAuthentication getPasswordAuthentication()
  String username="userid";
  String password="passwd";
  return new PasswordAuthentication(username, password);
  But It still prompted error with noting me:" login fail, this smtp server authentication required ".What's the problem?
  I'm a valid user in this smtp server. and the userid and passwd has no error, for it worked well when I used them to setup win2000 outlook express.
  I also tried to used authenticated javax.mail.Service's connect .
  Transport transport = session.getTransport("smtp");
  transport.connect(smtphost, username, password);
  transport.sendMessage(message, message.getAllRecipients());
  transport.close();
  but it didn't work yet ! If I use Authenticator ,is it still necessary to use connect(smtphost, username, password) ?
  Urgently, Please help me, any source code practising well with authenticating smtp server , please send it to [email protected]
  Thanks

  Just use " props.put("mail.smtp.auth", "true");"

• Ipsec Authentication doesn't work

  hi friends
  in my hyper-v test lab, i have tree win2008 R2 VMs.
  vm1= dc+enterprise root CA             vm2 & vm3 are domain joined VMs.
  in vm2, via MMC i obtained a computer certificate from vm1(enterprise root CA).
  now in vm3, in windows firewal with advanced security console, i have created a connection security rule to secure RDP traffic (TCP 3389). this rule "requires authentication for inbound & requests Authentication for outbound traffic.
  in authentication method i have selected computer certificate from vm1(enterprise-CA).
  but vm2 cannot establish remote desktop to vm3. (although it has obtained a computer certificate from my enterprise CA)
  is any additional configuration required in CA or any other place ?
  any help please

  Hi,
  you must create a IPsec rule on vm2 as well with the traget IP address of vm3.
  See also http://secattic.blogspot.com/2013/11/creating-ipsec-tunnel-with-windows.html
  Regards,
  Lutz

• Authentication doesn't work after SL upgrade

  Hi,
  This week I finally decided to upgrade my Mac Mini from Leopard to Snow Leopard, but it seems something went wrong. The authentication prompt that asks you to submit user account and password whenever you want to install stuff is not showing up anymore. Installation processes terminate without any notice and updates don't work with the message 'Failed to authenticate'. I've tried to edit my user preferences, but the Users pane is locked, so I can't do anything to change it.
  Could someone help out?
  Thanks,
  Martijn
  Utrecht, Netherlands

  Ah, thanks to the tags I came to this item. It seems to do the trick...
  Move along now, nothing to see here... :-)

• Hulu authentication doesn't work

  As everyone now knows Hulu requires you to loggin to your cable provider before it allows you to view any programming. When I login to my cable provider namely Verizon Fios it does take me to stage 3 that allows me to go on to watch my show. I am perpetually stuck at step 2 (i.e the authentication stage) I am able to go through each of the 3 steps with Chrome and so I am wondering what is wrong with Safari?

  Ah, thanks to the tags I came to this item. It seems to do the trick...
  Move along now, nothing to see here... :-)

• Can I use Factory re-set to fix that ? My Screen doesn't work when I put on mini display to HDMI My TV then set Mirror Main Screen.

  Last week I bought a miniDisplay to HDMI port. My macbookpro to SonyPlaystation 3D TV , it's work petty well on default setting. But when I set to Mirror setting, macbookpro screen turn to blue(more like computer is setting) then turn to normal and 1 second later turn to blue......that's a loop...never stop. only when I took out the miniDisplay to HDMI port, that stop...The TV doesn't have signal.
  I tried to delete apple.display.config files, but I can't find all of them( I already followed Apple support page article), so this way still doesn't work for me.
  what way can help me fix that?

  Disconnect the external monitor and any other third-party peripherals. Be sure to backup your files.
  Clean Install of Snow Leopard
       1. Boot the computer using the Snow Leopard Installer Disc.  Insert the disc into the
           optical drive and restart the computer.  After the chime press and hold down the
           "C" key.  Release the key when you see a small spinning gear appear below the
           dark gray Apple logo.
       2. After the installer loads select your language and click on the Continue
           button. When the menu bar appears select Disk Utility from the Utilities menu.
           After DU loads select the hard drive entry from the left side list (mfgr.'s ID and drive
           size.)  Click on the Partition tab in the DU main window.  Set the number of
           partitions to one (1) from the Partitions drop down menu, set the format type to Mac
           OS Extended (Journaled, if supported), then click on the Partition button.
       3. When the formatting has completed quit DU and return to the installer.  Proceed
           with the OS X installation and follow the directions included with the installer.
       4. When the installation has completed your computer will Restart into the Setup
           Assistant. Be sure you configure your initial admin account with the exact same
           username and password that you used on your old drive. After you finish Setup
           Assistant will complete the installation after which you will be running a fresh
           install of OS X.  You can now begin the update process by opening Software
           Update and installing all recommended updates to bring your installation current.