Identity Service Authentication failure

Similar Messages

• Shared Service Authentication Failure with Essbase.

  Hi can anyone help. I am using 9.3.1. SS & EAS and an instance of Essbase are already installed and configured i am just adding in an additional essbase server to scale out due to application growth.
  I have added in a new essbase server, successfully added the new server into the EAS console. Also Successfully externalised the users.
  On selecting OK on the dialogue box to say that the convert to shared service mode was successful the EAS console has chucked out the following error message:-
  Analytical Services user [essadmin] Authentication Fails against the Shared Services Server with Error[Failed to authenticate user essadmin against provider Native Directory].
  Now as i did not have the orginal essadmin password, i was unable to use this (and this does have a native account in SS). I Did however use essadmin as a username and created a new password, i have not however created this as a native account in SS as i thought the system would get confused with two essadmin accounts and i don;t want to affect the current essbase system that is running. The users would kill me!!!.
  Does anyone know how i can correct this issue?
  Thanks

  It would really help,if someone can reply and give advice on the problem mentioned in the original post.
  T
  hanks

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Issue in setting custom identity service for soa 11.1.1.4

  Hello,
  I am facing issue in setting custom identity service for soa 11.1.1.4
  It is not picking up the implemented UserManager (in custom IDM) implemented via ServiceProvider and IdentityStoreService.
  This is configured in jps-config.xml
  The same setup was working in soa 11.1.1.2
  I believe there is a change done in JpsProvider in bpm-service.jar to authenticate via default login context from oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule
  If my uderstanding is correct,
  Please guide me in implementing custom identity store and services for bpm services for soa 11.1.1.4
  Tried various work arounds but no luck.
  Thanks
  Bala

  Hi...
  Can u tell me how did u set up custom identity service for 11.1.1.2 ?
  Thanks

• The test couldn't sign in to Outlook Web App due to an authentication failure. Extest_ account.

  Hi.
  I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
  I have runned the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
  The OWA rule is working for some time until (I think) SCOM is doing a automatic password reset of the extest_ account. Then I get the OWA error below. The other test connectivity are working. Any suggestions.
  One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
  Target: xxx|xxx
  Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxxx
  User: extest_xxx
  Details:
  [22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
  [22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
  [22:50:09.154] : The server reported that it supports authentication method FBA.
  [22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
  [22:50:09.154] : Trying to sign in with method 'Fba'.
  [22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  [22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
  Authentication Method: FBA
  Mailbox Server: xxx
  Client Access Server Name: xxx
  Scenario: Logon
  Scenario Description: Sign in to Outlook Web App and verify the response page.
  User Name: extest_xxx
  Performance Counter Name: Logon Latency
  Result: Skipped
  Site: xxx
  Latency: -00:00:00.0010000
  Secure Access: True
  ConnectionType: Plaintext
  Port: 0
  Latency (ms): -1
  Virtual Directory Name: owa (Default Web Site)
  URL: https://xxx.com/OWA/
  URL Type: External
  Error:
  The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
  EventSourceName: MSExchange Monitoring OWAConnectivity External
  Knowledge:
  http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
  Computer: xxx
  Impacted Entities (3):
  OWA Service - xxx, xxx - xxx, Exchange
  Knowledge:     View additional knowledge...
  External Knowledge Sources
  For more information, see the respective topic at the Microsoft Exchange Server TechCenter
  Thanks
  MHem

  Hi,
  Based on the error, it looks like an OWA authentication failure.
  Have you tried post this to LYNC forums?
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

  With Eric Yu and Todd Pula 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
  Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
  Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
  Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.   
  Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
  Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
  Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Antonio,
  Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
  On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
  On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attemp to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
  Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
  For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
  As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iterration of ISE.
  Related Info:
  Wireless BYOD for FlexConnect Deployment Guide

• ISE internal user authentication failure - user not found

  Hi Forumers'
  I trying to do wireless 802.1x, where identity store using intenral user.
  But i found this error message when i trying to connect
  Authentication failed                                                                                 :
  22056 Subject not found in the applicable identity store(s)
  My authrorization rules is built like this
  identity groups = user identities group / " mygroup"
  condition = no setting
  permissions = standard / PermitAccess
  Question 1
  Any troubleshooting step to do on this?
  Question 2
  For the Authorization rules, what's the condition should set for using Internal User as Identity store?
  Thanks
  Noel

  The error is caused to an authentication failure and is not an issue with authorization
  You need to look at your authentications policy (Policy->Authentications) and see which identity store was authenticated against
  In addition can do the Live Authentications page (Monitor->Authentications) and for the failing record click on the icon under details. This will give you the full details of the requets processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and "Selected Identity Stores".

• Identity Services Engine 1.1.4: REPLICATION DISABLED

  Hey, guys.
  Has anyone accountered the problem, that replication between ISE nodes stops after an unpredictable timeframe ???
  This is the result after one day:
  I have set up a distributed deployment of ISE nodes, seven in total, split up into two nodes for each service (monitoring, administration, policy and profiling).
  Each of the nodes is running in an ESX 5.x environment, ESX itself is running on two hosts (two UCS with lots of ram and CPUs), each node has 8 virtual CPUs and 16GB ram, the virtual harddisks are 750GB and on some nodes even 2000GB .....
  This is a testing environment, radius accounting data is sent to the ISEs by a small number of switches only (but production switches, so that I can see profiling of our real clients), no authentication or authorization is done by the ISEs (yet).
  Profiling is configured in the following way:
  - a single node receives the HTTP probe (via a spanned port of our proxy server) on gig 1 (box does nothing else)
  - two nodes listen to the DHCP, DNS, RADIUS and SNMP probes, these two nodes have the policy service enabled also (but do nothing with it)
  All nodes run the same version of ISE:
  Cisco Application Deployment Engine OS Release: 2.0
  ADE-OS Build Version: 2.0.4.120
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2011 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: ise-worf
  Version information of installed applications
  Cisco Identity Services Engine
  Version      : 1.1.4.218
  Build Date   : Wed Apr 10 22:20:22 2013
  Install Date : Fri May  3 19:16:05 2013
  Cisco Identity Services Engine Patch
  Version      : 1
  Install Date : Wed May 29 08:16:58 2013 
  The database on this deployment contains about 5100 clients at this time:
  which is very little compared with the number of the rest of the endpoints that are connected to all the switches that do not send radius-accounting to the ISE deployment yet ....
  Anyone has a solution or a clue what to do ???
  In this state, ISE seems not capable to handle enterprise environments ....
  Btw, backups of the database do not work either, when you have more than 50% diskspace occupied ......
  Rgs
  Frank

  Hey, guys.
  Here is a little update, repication is still disabled, but it seems to be getting even worse:
  This happens when trying to connect via SSH AND via the vCenter Console window ......
  A reboot of the box enabled ssh again, but the application cannot be started again ...
  Disk full .... but full with what ???
  Replication is disabled, so no new database entries etc. can make the db grow, I guess .. ??
  The virtual disk that has been assigned to this vm is the largest size, that vmware can handle:
  The only thing I can do now, is to reimage the machine (again).
  Sadly, I do not expect things to be any different with the new installed ise, because I have done this three times before already...
  At this point I feel the urgent need to throw this whole project onto the dumpster and take another look at ISE when version 3.0 is released, because in this state it is not enterprise scalable software ....
  Rgs
  Frank

• Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD

  Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
  Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec. 
  Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
  Remember to use the rating system to let Nicolas know if you have received an adequate response.
  Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi.
  1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :
  -You are returning a session timeout (attribute radius 27) in the authz profile of the user. Therefore user has to reauthenticate after X seconds. But you would see a pattern, then.
  -Over wireless, many clients are not capable of doing fast roaming (smartphones is the biggest example) and will therefore reauthenticate with dot1x everytime they roam. A small coverage hole would be enough for the cached credentials to disappear and web portal to show up again
  -Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
  2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
  By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.
  It therefore does not affect non-Apple device to have the feature enabled.
  The problem is that in IOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of testpages on different websites.
  3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
  => This is disturbing because EAP-TLS is a certificate authentication method. But ISE message seems to imply that the user is hitting an authnetication rule that only provides PEAP or EAP-FAST with mschap or something similar ...
  If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.
  I cannot comment on your auth policies as I do not know them :-)
  Regards,
  Nicolas

• Ask the Expert: BYOD with Identity Services Engine

  with Cisco Expert Bernardo Gaspar
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.
  Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
  Remember to use the rating system to let Bernardo know if you have received an adequate response.
  Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

  My customer is limited in his VM space. Although he would like to have a active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this in production. With a limited HDD space, what would be the recommended space (300 GB?)
  administration  
  monitoring  
  policy service  
  Machine VM     
  primary    
  Not enabled 
  enabled 
  Machine HW     
  secondary 
  primary    
  enabled 

• Ask the Expert: BYOD with Identity Services Engine with Cisco Expert Bern

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various use scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.
  Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
  Remember to use the rating system to let Bernardo know if you have received an adequate response.
  Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.
  Posted by WebUser Krishnakant Dixit from Cisco Support Community App

  Feedback will be highly appreciated
  Posted by WebUser Krishnakant Dixit from Cisco Support Community App

• Identity Service 6.2 with ALI 6.0 SP1 - error

  Hello,
  I have installed Identity Service 6.2 on top a portal server. Trying to sync it with AD is not working. It keeps bombing on try to create an authentication source and profile source.
  I checked the ISS logs and it keeps throwing 500 errors.
  2008-07-08 23:57:02 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/index.html - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
  2008-07-08 23:57:04 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/checkPath.aspx - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 500 0 0
  2008-07-08 23:57:07 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/writeFiles.aspx - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 500 0 0
  Any idea what is causing this? I even set the permissions to everyone on the virtual folders and still get this error.
  Help?
  Thanks,
  V

  Hello,
  I have installed Identity Service 6.2 on top a portal server. Trying to sync it with AD is not working. It keeps bombing on try to create an authentication source and profile source.
  I checked the ISS logs and it keeps throwing 500 errors.
  2008-07-08 23:57:02 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/index.html - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
  2008-07-08 23:57:04 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/checkPath.aspx - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 500 0 0
  2008-07-08 23:57:07 W3SVC2109551109 testportal 127.0.0.1 GET /adaws/install/writeFiles.aspx - 8098 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 500 0 0
  Any idea what is causing this? I even set the permissions to everyone on the virtual folders and still get this error.
  Help?
  Thanks,
  V

• Go URL - User Authentication Failure

  Hi,
  I am trying to use a 'Go URL' in web application and I see some issue with authentication mechanism.
  I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
  Also the AD user can login from the login page, but not thru 'Go-URL' link.
  Can anyone let me know whether I am missing any step?
  Thanks

  969211 wrote:
  I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
  Also the AD user can login from the login page, but not thru 'Go-URL' link.
  Can anyone let me know whether I am missing any step?Check the usage of Go URL first : http://docs.oracle.com/cd/E21043_01/bi.1111/e16364/apiwebintegrate.htm
  If you dont user NQUser and NQPassword then they will be prompted for a password. you need to http://<hostname.domain>:9704/analytics/saw.dll?Dashboard&PortalPath=<your GO URLpath>*&NQuser=USERNAME&NQPassword=PASSWORD*
  You should not access if URL without logging in.
  Also on different note:
  Rupesh Shelar wrote:
  Make sure your BISYSTEM password
  Go to weblogic console, http://IP address:7001/console
  Home >Summary of Security Realms > myrealm > Users and Groups > BISystemUser
  And then go to your EM (http://IP address:7001/em)
  expand weblogic domain > bifoundation_domain > Security > Credentials > oracle.bi.system ? system.user
  Just retype a new password then Restart BI All Services then test it.How is BISystemUser even related to Go URL .or this issue .?
  Hope this helps.
  Let me know the updates. Mark if it answers!
  Thanks,
  SVS

• Authentication Failure (Password Mismatch)

  Hi there.
  I am having a nightmare trying to get my web server working under Snow Leopard. To cut a long story short the server died and I had to restore it using a disk image before I migrate it to a new mavericks server. For obvious reasons I'd like to get everything working before I migrate.
  Whenever a users tries to access a secure page (mainly for svn access) they get rejected. If I try to access the page via safari/chrome I get a pop up window asking for a username and password. If the user enters their correct name and password it is constantly rejected (the name and password work elsewhere for email etc).
  In the logs on the server I get:
  [Wed Feb 05 16:34:33 2014] [error] [client 192.168.0.56] mod_auth_apple: User XXX authentication failure for "/xxx/xxxxxx": Password mismatch according to checkpw
  [Wed Feb 05 16:34:33 2014] [notice] [client 192.168.0.56] mod_auth_apple: Authenticating using lookupd or checkpw failed, and no configured htaccess file (AuthUserFile)
  If in Versions I try to refresh the svn repository I get:
  OPTIONS of 'https://[email protected]/svn/project'://[email protected]/svn/project': authorization failed: Could not authenticate to server: rejected Basic challenge (https://server.name.com)
  I am also having issues with iCal Server and AFP which makes me think there is some authorisation service which is corrupt/broken?
  Any help MOST appreciated as I am tearing my hair out here!
  Yours,
  Nic

  Ok something I have worked out by a bit of trial and error.
  NEVER run a server with two HDDs both with clones/installs of Mac OS.
  My server had the internal (faulty HDD) with the original server install called Macintosh HD. The clone was on a USB drive called SnowLeopardServer_Backup.
  Now for the most part the server worked (because most stuff uses Unix and proper paths). However it looks like all of apples stuff (Web services, iCal server and AFP) use the full path or at least components of them do. So because the server was originally set up on an HDD called Macintosh HD I can only suspect that it was freaking out by 1) now being on an HDD called something else and 2) that there was another HDD there called Macintosh HD.
  I have now renamed my old HDD to something else and renamed all the OS folders in it to something different too. I also renamed the clone drive to Macintosh HD.
  So far I turned on Web services and AFP and they work perfectly I have not turned on iCal yet as I want to ensure each service is working before turning on another.
  Also finally got the holy grail of Kerberos and Open Directory triangle working. I though that the iCal/Web/AFP not working with accounts was Open Directory related so I backed it up (and WGM), change to standalone and then tried to go back to a Master. It complained about the DNS not being set up and I finally found a post saying that you need to have your DNS set to point at 127.0.0.1 in the System Preferences > Network settings. I changed that and boom no more complaints about bad DNS
  Nic.