ISE 1.2 Admin Access via Active Directory

Similar Messages

• Restrict Spiceworks access via Active Directory

  Could you specify the base DN Spiceworks is searching in and limit what gets synced? Maybe put the users you want to have Spiceworks access in a separate OU?

  I'm trying to figure out a way to restrict access to Spiceworks by way of an Active Directory group. 
  I want to do this so that I dont have to create new users manually in Spiceworks and so not just anyone with the URL can log in with their AD credentials. 
  I need this kind of feature if possible so I can move our onboarding/offboarding submission process off of another server and integrate it into Spiceworks like we have with our Change Control Request submission process.
  EDIT: More specifically, I'd like to be able to restrict access to the Spiceworks Portal via an AD Group.
  This topic first appeared in the Spiceworks Community

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

  Hi!!
  We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
  I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
  Thanks and regards!!

  Yes It is possible to map Sponser group to user group in AD and if you want to know how to do please open the below link and go to Mapping Active Directory Groups to Sponsor Groups heading.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

• Unable to save Unified Messaging PIN: Access to Active Directory Failed

  I'm trying to enable all of our users for Unified Messaging and I've created a powershell script for each of users I want to enable but I am getting an error message everytime I try and run it.
  Unable to save Unified Messaging PIN for mailbox 'smtp address': Access to Active Directory Failed
  Our setup is forest root domain and 2 child domains.  Most of the users are in the child domains and the Exchange server is in the forest root domain.
  I'm using -domaincontroller but this doesn't make a difference.  Here is the script I am using:
  Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy "DefaultUM Default Policy" -Extensions 303 -PIN 1234 -SIPResourceIdentifier "[email protected]" -PINExpired $false -domaincontroller "rc-curdc-01.curriculum.riddlesdown.local"
  Can someone point out why this isn't working?

  I had the same experience as Gueetar. Couldn't enable a UM mailbox, or change the PIN. Got a generic "Access to Active Directory Failed" message instead of anything useful. Even went so far as enabled a ton of diagnostic logging, which didn't report anything
  useful.
  Of course, all the accounts I was enabling had the HiddenFromAddressListsEnabled property set to $true (these were old deactivated accounts I was using to test with). I found that setting it back to $false corrected the issue.
  Of course I didn't know it was that exact problem at the time. I only found a difference after disabling/re-connecting mailboxes (and of course newly created mailboxes exhibited no issues). Assuming this was going to be the case for all mailboxes this would
  be fine for testing and proof of concept, bad for production/implementation. Instead I ran a bunch of scenarios over two days, culminating in a crap load of LDIFDEs and DSACL dumps to enumerate the object properties and compare the values that were different.
  This property (HideFromALEnabled) and a few others stood out. Luckily it wasn't ACL-related - that would've been a complete head wreck!
  Dear Microsoft: More descriptive errors next time, please :)

• Can't connect to Small Business Server 2003 via Active Directory

  I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
  I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
  But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
  I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
  Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!

  Hi Andbrowny, thanks for your response.
  Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
  Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
  So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
  Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
  Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.

• SMB access for Active Directory users

  Hi there,
  My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
  When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
  [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  I've read something vague about having to Kerberize the SMB service seperately so I'm not sure if that's the problem.
  My smb.conf file is as follows:
  ; Configuration file for the Samba software suite.
  ; ============================================================================
  ; For the format of this file and comprehensive descriptions of all the
  ; configuration option, please refer to the man page for smb.conf(5).
  ; The following configuration should suit most systems for basic usage and
  ; initial testing. It gives all clients access to their home directories and
  ; allows access to all printers specified in /etc/printcap.
  ; BEGIN required configuration
  ; Parameters inside the required configuration block should not be altered.
  ; They may be changed at any time by upgrades or other automated processes.
  ; Site-specific customizations will only be preserved if they are done
  ; outside this block. If you choose to make customizations, it is your
  ; own responsibility to verify that they work correctly with the supported
  ; configuration tools.
  [global]
  debug pid = yes
  log level = 1
  server string = Mac OS X
  printcap name = cups
  printing = cups
  encrypt passwords = yes
  use spnego = yes
  passdb backend = odsam
  idmap domains = default
  idmap config default: default = yes
  idmap config default: backend = odsam
  idmap alloc backend = odsam
  idmap negative cache time = 5
  map to guest = Bad User
  guest account = nobody
  unix charset = UTF-8-MAC
  display charset = UTF-8-MAC
  dos charset = 437
  vfs objects = darwinacl,darwin_streams
  ; Don't become a master browser unless absolutely necessary.
  os level = 2
  domain master = no
  ; For performance reasons, set the transmit buffer size
  ; to the maximum and enable sendfile support.
  max xmit = 131072
  use sendfile = yes
  ; The darwin_streams module gives us named streams support.
  stream support = yes
  ea support = yes
  ; Enable locking coherency with AFP.
  darwin_streams:brlm = yes
  ; Core files are invariably disabled system-wide, but attempting to
  ; dump core will trigger a crash report, so we still want to try.
  enable core files = yes
  ; Configure usershares for use by the synchronize-shares tool.
  usershare max shares = 1000
  usershare path = /var/samba/shares
  usershare owner only = no
  usershare allow guests = yes
  usershare allow full config = yes
  ; Filter inaccessible shares from the browse list.
  com.apple:filter shares by access = yes
  ; Check in with PAM to enforce SACL access policy.
  obey pam restrictions = yes
  ; Don't be trying to enforce ACLs in userspace.
  acl check permissions = no
  ; Make sure that we resolve unqualified names as NetBIOS before DNS.
  name resolve order = lmhosts wins bcast host
  ; Pull in system-wide preference settings. These are managed by
  ; synchronize-preferences tool.
  include = /var/db/smb.conf
  [printers]
  comment = All Printers
  path = /tmp
  printable = yes
  guest ok = no
  create mode = 0700
  writeable = no
  browseable = no
  ; Site-specific parameters can be added below this comment.
  ; END required configuration.
  Any help would be much appreciated!!
  Thanks.

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• T5-2 ILOM authentication via Active Directory

  Hello,
  We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
  (ActDir) ServerUserAuth - Error 0, failed to validate user group access
  We have a group defined and I have set it under Admin groups using the DN.
  Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
  TIA.
  Jeff

  Hello Man !
  your provided documents and links are very effective. thank you guy for your help. right now i have to problem below listed,
  I have Cisco aironet 1142n access point. I have no ACS / WLC
  but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
  These APs are standalone. Please provide any configuration document
  "How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
  Thanks & Regards,
  Rizwan Haider Siddiqui.

• SJSAS7 - Access to Active Directory LDAP

  Hi All
  Is it possible to connect SJSAS7 to Active Directory via LDAP. I know that this can be done with other app servers like WebSphere 4 & 5.
  I would like to use our existing Active Directory infrastructure for authentication of Admin and Application users.
  Does anyone have information how to configure this or can point me to some documents with this info.
  Any help would be much appreciated.
  TIA
  Tony Hawes

  Although I haven't tried it, I would guess that this is possible. We are using the LDAP realm with Sun's directory server and a few years ago I used the standard LDAP provider in the JDK to connect to Active Directory. The only problem I had was that I had to connect with a user that had the form "domain/user" instead of a common name. The online help in the admin console describes the properties you can use.
  HTH,
  Gunnar

• Need help to access the active directory

  Hi.
  I have WinXP and I want to connect to its active directory using JNDI to get the users informations..
  I have read from sun tutorial the following :
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
  but the problem is I have never used win active directory before, so I don't
  know its syntax inside my system.
  what should I put instead of : ldap://localhost:389/o=JNDITutorial
  to access the MS active directory ?
  what should I put instead of o=JNDITutorial to access the users informations ?
  should I modify com.sun.jndi.ldap.LdapCtxFactory ?
  should I download LDAP server for windows ?
  your help is really appreciated ....

  Using SIMPLE authentication against the Active Directory, you can use either the fully distinguished name (not a relative distinguished name), a userPrincipalName or a NT Domain style name.
  Eg.
  "CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Comor
  "[email protected]"or
  "ANTIPODES\jsmith"If you are using the distinguished name form, even if your initial LDAP Context URL is something like:
  "LDAP://mydc.antipodes.com:389/OU=IT Admins,DC=Antipodes,DC=Com"you cannot just use the Relative Distingusihed Name (RDN) "CN=John Smith", you must use the full distinguished name:
  "CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Com"Regarding the userPrincipalName, even if there is no value for the userPrincipalName attribute there is an implicit userPrincipalName which is constructed from the user's samAccountName attribute (a mandatory attribute) and the dns name of the domain.
  Assume the following attributes for the user object:
  Distinguished Name: CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Com
  samAccountName: jsmith
  userPrincipalName: J.Smith@IT Admins.Antipodes.Com
  givenName: John
  sn: Smith
  displayName: Smith, John
  An explicit userPrincipalName is the value stored in the user's userPrincipalName attribute.
  You could then either use the explicit form "J.Smith@IT Admins.Antipodes.Com" or the implicit form "[email protected]"Even if the userPrincipalName attribute had no value, you could still use the implicit form "[email protected]" to authenticate the user.

• Xserve file share control via active directory

  I have an Intel Xserve running 10.4.11
  It has one directory shared via SMB for windows users
  I want to join this server to an active directory, that seems fairly straightforward to do.
  However am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD.
  or will this still have to be done from the Xserve?
  TIA

  Hi
  +"am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD?"+
  Not really. Re-sharing a share is never a good idea especially with disparate platforms.
  +"I want to join this server to an active directory, that seems fairly straightforward to do"+
  If I've understood you correctly you 'bind' the Server to Active Directory using the Active Directory plug-in available in the Directory Access application (/Applications/Utilities). When binding use an AD account name and password that has authority for the AD Domain. The Server should then behave as an NT Domain Member would.
  +"Will this still have to be done from the Xserve?"+
  Once bound launch WorkGroup Manager and you should 'see' AD Users and Groups. In Workgroup Manager enable the ACLs option for desired volumes if you've not already done so. That's if you want to use ACLs? You could just as easily use the Standard POSIX Permissions model. If you do want to enable ACLs you must restart the Server afterwards for them to 'take'. Enabling/Disabling ACLs always requires a restart on 10.4 Server. On successful log-in start creating your shares if you've not already done so. You can use the Finder or WorkGroup Manager to do this. If using ACLs don't share the volume, share directories/folders instead as ACLs propagate better that way. Add desired Users/Groups from the AD node into the ACLs window. Leave the POSIX Permissions at their defaults. Apply desired privileges. Click Save. When saved click on the gear wheel at the bottom of the window. Select Propagate Permissions. The ACLs checkbox should be automatically ticked. Leave everything else as it is and fire it off.
  That should be it?
  Tony

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Can I configure WS-Sec authentication via Active Directory with OSB or OWSM

  Hi
  I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
  Regards,
  Néstor Boscán

  Hi.
  OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
  OWSM
  http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
  and
  http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
  hope this helps
  best
  rolando

• 10.7.4 Web Access for Active Directory Users

  Does anyone know how to permantly set the AuthType in Web Services to Basic ?
  The reason I ask is I have a web site I want to protect and allow active directory users access to it.
  I have added the users to a local group, added the group to the Who Can Access option.
  Local users can log in but not Active Directory.  If I edit the conf file for the site in /etc/apache2/sites and change the AuthType from Digist to Basic it works fine until I change something in the server app then the conf file gets rewritten.
  Dan

  I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
  [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
  setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
  adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
  [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
  Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
  Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
  When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
  Not feeling the Mac OS X love tonight.
  Bill
  System is bound to active directory - green light in Directory Utility

• Authentication of Unix or Linux Systems via Active Directory

  Hi,
  Is there a inbuilt solution in Windows 2012 R2 which can be used to authenticate Unix or Linux users ?
  I understand there are there are many 3rd Party solution for this but I want to know if there is any available inbuilt in Windows Server.
  Thanks
  Vivek

  What do you mean exactly?
  You can start with these:
  Mixing It Up: Windows, UNIX, And Active Directory: https://technet.microsoft.com/fr-fr/magazine/2005.01.activedirectory(en-us).aspx
  How to Join UNIX / Linux to Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/25944.how-to-join-unix-linux-to-active-directory.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile