ISE 1.2 web authentication problem with wired clients
Hello,
i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
here the output form the debug aaa coa log.
Any ideas
thanks in advanced
Alex
! CLIENT CONNECT TO SWITCHPORT
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
User-Name: 00-1F-29-7B-BD-82
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026B28C02CDC
Acct Session ID: 0x0000029C
Handle: 0x8C00026C
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE
! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
ISE-TEST-SWITCH#
191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
191527: .Jun 24 10:42:24.340 UTC: RADIUS: authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
191528: .Jun 24 10:42:24.340 UTC: RADIUS: NAS-IP-Address [4] 6 172.20.132.100
191529: .Jun 24 10:42:24.340 UTC: RADIUS: Calling-Station-Id [31] 19 "00:1F:29:7B:BD:82"
191530: .Jun 24 10:42:24.340 UTC: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
191531: .Jun 24 10:42:24.340 UTC: RADIUS: Event-Timestamp [55] 6 1403606529
191532: .Jun 24 10:42:24.340 UTC: RADIUS: Message-Authenticato[80] 18
191533: .Jun 24 10:42:24.340 UTC: RADIUS: E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E [ <Ggi=aSn]
191534: .Jun 24 10:42:24.340 UTC: RADIUS: Vendor, Cisco [26] 43
191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
191537: .Jun 24 10:42:24.340 UTC: ++++++ CoA Attribute List ++++++
191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
191543: .Jun 24 10:42:24.349 UTC:
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
ISE-TEST-SWITCH#
191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
! SESSION ID CHANGES, USER ENTERS CREDENTIALS
! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026C28C2FA05
Acct Session ID: 0x0000029D
Handle: 0x2C00026D
Runnable methods list:
Method State
dot1x Running
mab Not run
Guest authentication failed: 86017: Session cache entry missing
try adjusting the UTC timezone during the guest creation in the sponsor portal.
86017
Guest
Session Missing
Session ID missing. Please contact your System Administrator.
Info
Similar Messages
-
ISE and central web authentication
Hello all,
I have followed the steps in this document in detail:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
however, my central authentication does not work. I get to the guest portal, i get authenticated through the guest portal,
but then the "second" MAB authenticatino doesn't happen.
In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
this is a red line with the error message "11213 No response received from Network Access Device".
(i have a successfull guest authentication in my ise logs, but it seems ise is unable to bounce or initiate the second MAB....)
Any ideas ?
regards,
GeertBy the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used. -
Office Web Apps Server 2013 - Word Web App - Problem with Tab space
Hello We have Office Web Apps Server 2013 running with SharePoint 2013. Users Editing a Word document with Office Web Apps, can't use "Tabs", any Word document with Tabs; the tabs are replaced with a single space.
Has anyone noticed this? Is this a bug?
-thanks
thomas
-TomYes, currently the Word Web App does not support
Tab Keyboard shortcut for editing document content .
For more information, you can have a look at
the article:
http://office.microsoft.com/en-us/office-online-help/keyboard-shortcuts-in-word-online-HA010378332.aspx?CTT=5&origin=HA010380212
http://social.technet.microsoft.com/Forums/en-US/3f5978d3-67a1-4c8c-981f-32493d72610b/office-web-apps-server-2013-word-web-app-problem-with-tab-space?forum=sharepointgeneral -
Good external HD? Also, problems with wired TM use?
I have a multi part question here:
I recently got a new MBP and I want to get an external hard drive to use with Time Machine. Is there any sort of consensus on which external hard drives generally work well? I have a 500 GB Western Digital MyBook that has been a constant source of problems. I frequently am unable to eject it and have had to use Disk Utility many times just to get my (old Powerbook G4) computer to see it. I really don't want to get another WD product. Are there any consistently good products out there?
Also, I've just been perusing this forum. I see many people suffering with Snow Leopard and TM using wireless backup. Have there also been many problems with wired backups? I don't use wireless at home, which is where I will keep my TM backups.
Finally, I move my computer around a lot so I won't have it plugged into its TM drive most of the time. I plan on plugging it in each evening before I go to sleep. Is that an appropriate method of using TM?Pondini wrote:
That's why I'd recommend backing-up more often, but if you don't, another app may be better.
CCC or SD are most often used to make full "bootable clones." When your hard drive fails (and
they all do, sooner or later), you can boot and run from them immediately; with TM, you need to
have the disk replaced (or have another external) to restore your system to.
If anyone is going to take action based on the advice above (or other suggestions) they will need to recognize there is a different set of risks.
When you make a clone of a machine you end up with a clone and you can boot from it.
If you then make a fresh clone a day later you really need to have a different disk around or you are taking a lot of risk. The process of creating the new clone might fail. If it does and you do not have a second drive then you have lost the previous clone while creating the newer clone. In other words you have no backup.
You really should have a series of disk drives so you can put a few good ones on the shelf while making a new copy. You might want to think about where you store them.
Even when using TM you have to think about what will happen if the TM device fails.
Conclusion?
Some people do not make backups.
Some people store only files they think are critical on a server in a cloud (like leaving emails on the Google server for gmail).
Some make a back up to TM under the assumption they are really protecting against a failure with their computer but not a fire or other site wide problem.
Some will use TM for backups and still use CC or similar to make a clone every so often. The failure states can vary so incremental backups make sense for some problems and a bootable close covers some other risks.
If a person is really worried then a series of backups are needed with off-site storage for some or all of backups. That way the computer's data is protected from a local problems and from a site wide problem.
Each person can choose what they want to do, what they afford and how they will contain or reduce the risks. Maybe not all risks are worth dealing with. Just think it through before you commit to a solution.
John -
Problem with Variable Client Support
Hello,
I work with Labview 8.5 and Crio 9014.
I have a problem with Variable Client Support. When I try to compile my project I have the following error:
"The Network Variable Engine and Variable Client Support must be installed on the RT target for this application to function properly..."
I have read that we have to install the Variable Client Support in Measurement and Automation by right-clicking on the software and then choosing add/remove software but I can't install the appropriate shared variable components because I can't see neither Network Variable Engine and Variable Client Support. So what can I do?
Can somebody help me?
ThanksI have exactly the same problem. I wanted go through the "Getting Started with the LabVIEW RT module" and when I use wizard for generating new project I get same notification in my VI...
The Network Variable Engine and Variable Client Support must be installed on the RT target
for this application to function properly. If the Network Variable Engine is not supported on
the target (e.g. FP-2000 with <32MB of RAM), open the project and move the variable library
to My Computer in the project. Doing this will deploy the variables to localhost but
will still require that Variable Client Support be installed on the RT target.
Could someone help please ?
Attachments:
ni.png 95 KB -
Hello,
I experiance problems with QuickVPN client (version 1.4.1.2). I'm trying to connect to router SA520 with 1.1.65 firmware,
vpn tunell is established, but client says "The remote gateway is not responding. Do you want to wait?"
in case i click no, it drops vpn tunell
QuickVPN client log looks like this:
2010/08/18 12:13:27 [STATUS]OS Version: Windows 7
2010/08/18 12:13:27 [STATUS]Windows Firewall Domain Profile Settings: ON
2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
2010/08/18 12:13:27 [STATUS]One network interface detected with IP address 192.168.1.100
2010/08/18 12:13:27 [STATUS]Connecting...
2010/08/18 12:13:27 [DEBUG]Input VPN Server Address = vpn.in-volv.lv
2010/08/18 12:13:28 [STATUS]Connecting to remote gateway with IP address: 78.28.223.10
2010/08/18 12:13:28 [WARNING]Server's certificate doesn't exist on your local computer.
2010/08/18 12:13:30 [STATUS]Remote gateway was reached by https ...
2010/08/18 12:13:30 [STATUS]Provisioning...
2010/08/18 12:13:39 [STATUS]Success to connect.
2010/08/18 12:13:39 [STATUS]Tunnel is configured. Ping test is about to start.
2010/08/18 12:13:39 [STATUS]Verifying Network...
2010/08/18 12:13:44 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:47 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:50 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:53 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:56 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:14:08 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/08/18 12:14:12 [STATUS]Disconnecting...
2010/08/18 12:14:15 [STATUS]Success to disconnect.
Server logs look like this:
2010-08-18 12:28:49: INFO: Adding IPSec configuration with identifier "arvils"
2010-08-18 12:29:02: INFO: Configuration found for 83.243.93.200[500].
2010-08-18 12:29:02: INFO: Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
2010-08-18 12:29:02: INFO: Beginning Identity Protection mode.
2010-08-18 12:29:02: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 12:29:02: INFO: Received Vendor ID: RFC 3947
2010-08-18 12:29:02: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: For 83.243.93.200[500], Selected NAT-T version: RFC 3947
2010-08-18 12:29:02: INFO: NAT-D payload matches for 78.28.223.10[500]
2010-08-18 12:29:02: INFO: NAT-D payload does not match for 83.243.93.200[500]
2010-08-18 12:29:02: INFO: NAT detected: PEER
2010-08-18 12:29:02: INFO: Floating ports for NAT-T with peer 83.243.93.200[4500]
2010-08-18 12:29:02: INFO: ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:e2cd855a75fc0887:6dc3b2e025152444
2010-08-18 12:29:02: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 12:29:02: INFO: Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
2010-08-18 12:29:02: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
2010-08-18 12:29:02: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 12:29:02: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=47693803(0x2d7bfeb)
2010-08-18 12:29:02: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=1079189482(0x40531fea)
2010-08-18 12:35:57: INFO: an undead schedule has been deleted: 'pk_recvupdate'.
2010-08-18 12:35:57: INFO: Purged IPsec-SA with proto_id=ESP and spi=1079189482(0x40531fea).
2010-08-18 12:40:46: INFO: Configuration found for 83.243.93.200[500].
2010-08-18 12:40:46: INFO: Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
2010-08-18 12:40:46: INFO: Beginning Identity Protection mode.
2010-08-18 12:40:46: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 12:40:46: INFO: Received Vendor ID: RFC 3947
2010-08-18 12:40:46: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: For 83.243.93.200[500], Selected NAT-T version: RFC 3947
2010-08-18 12:40:46: INFO: NAT-D payload matches for 78.28.223.10[500]
2010-08-18 12:40:46: INFO: NAT-D payload does not match for 83.243.93.200[500]
2010-08-18 12:40:46: INFO: NAT detected: PEER
2010-08-18 12:40:46: INFO: Floating ports for NAT-T with peer 83.243.93.200[4500]
2010-08-18 12:40:46: INFO: ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:28447d39874689f9:a2b7da19d8d86413
2010-08-18 12:40:46: INFO: Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
2010-08-18 12:40:46: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
2010-08-18 12:40:46: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 12:40:47: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=259246202(0xf73c87a)
2010-08-18 12:40:47: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=3642234214(0xd9181566)
2010-08-18 12:43:27: INFO: IPsec-SA expired: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=33356156(0x1fcf97c)
2010-08-18 12:45:47: INFO: an undead schedule has been deleted: 'pk_recvupdate'.
2010-08-18 12:45:47: INFO: Purged IPsec-SA with proto_id=ESP and spi=3642234214(0xd9181566).
The most interesting thing is that sometimes this message appears, sometimes not (with the same configuration).
Please help!Hi,
I have some problem. I am using Windows 7 Entreprice x64. I use SA520 Firmware 1.1.65 and QuickVPN 1.4.1.2 port 60443.
"The remote gateway is not responding. Do you want to wait"
2010-08-18 17:25:51: INFO: Adding IPSec configuration with identifier "username"
2010-08-18 17:25:51: INFO: Adding IKE configuration with identifer "username"
2010-08-18 17:26:04: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:26:04: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=>xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:04: INFO: Beginning Identity Protection mode.
2010-08-18 17:26:04: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:26:04: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:26:04: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:26:04: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:26:04: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:04: INFO: NAT detected: ME PEER
2010-08-18 17:26:04: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:26:04: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:ed4f291c71c1b688:7e6a8a0968f878fb
2010-08-18 17:26:04: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 17:26:04: INFO: Responding to new phase 2 negotiation: 172.22.5.10[0]<=> xxx.xxx.xxx.xxx[0]
2010-08-18 17:26:04: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.170.224/32
2010-08-18 17:26:04: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 17:26:05: INFO: IPsec-SA established[UDP encap 48540->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->172.22.5.10 with spi=239099274(0xe405d8a)
2010-08-18 17:26:05: INFO: IPsec-SA established[UDP encap 4500->48540]: ESP/Tunnel 172.22.5.10-> xxx.xxx.xxx.xxx with spi=3886848189(0xe7ac98bd)
2010-08-18 17:26:07: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:26:07: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:07: INFO: Beginning Identity Protection mode.
2010-08-18 17:26:07: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:26:07: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:26:07: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:26:07: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:26:07: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:07: INFO: NAT detected: ME PEER
2010-08-18 17:26:07: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:26:07: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
2010-08-18 17:27:14: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=699f34b434d4318c:df4adca414787d36.
2010-08-18 17:27:14: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:27:14: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
2010-08-18 17:27:14: INFO: Beginning Identity Protection mode.
2010-08-18 17:27:14: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:27:14: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:27:14: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:27:14: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:27:14: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:27:14: INFO: NAT detected: ME PEER
2010-08-18 17:27:15: INFO: ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
2010-08-18 17:27:15: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:27:15: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
2010-08-18 17:27:15: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 17:28:20: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=3fe5eb0bddbf2b9a:f5c11d7f813ca74a.
2010-08-18 17:28:21: INFO: ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
With windows XP Pro i dont have this problem.
Is there a detailed configuration guide?
10x -
I encountered a problem with some client machines that use Firefox version 24ESR and IE8.
Ajax requests of aspx pages from Firefox are getting the following error from the iis server (iis version 7.5):
Bad Request - Request Too Long
HTTP Error 400. The size of the request headers is too long.
From analyzing the request that was sent to the server, I saw that the request consist of only the viewstate of the aspx page.
I tried to disable the viewstate for one page and the server got the request correctly.
I do not encounter any issues on these laptops with postback requests from Firefox or when running the same application with IE8.Sometimes that means that the page address sent is loo long.
Check the link address you are using.
I can't help you further and will send for more help. -
Fix many web access problems with IFS 9.0.1 on Solaris (and other OS's)...
When the installation is done according to the documentation,
web access does not work because the scripts that add entries to
the jserv.properties file add duplicate references to
wrapper.env and wrapper.classpath. Look at the jserv.properties
file below and look at the remarked-out (#) lines of the
duplicate references. For example, look at the references to the
wrapper.env=LD_LIBRARY_PATH
Oracle, please note this bug so the web access problems are
minimized when the product is intstalled.
Thank you,
William T.
# Apache JServ Configuration
File #
################################ W A R N I N G
# Unlike normal Java properties, JServ configurations have some
important
# extensions:
# 1) commas are used as token separators
# 2) multiple definitions of the same key are concatenated in
a
# comma separated list.
# Execution parameters
# The Java Virtual Machine interpreter.
# Syntax: wrapper.bin=[filename] (String)
# Note: specify a full path if the interpreter is not visible in
your path.
wrapper.bin=/d3/Apache/jdk/bin/java
# Arguments passed to Java interpreter (optional)
# Syntax: wrapper.bin.parameters=[parameters] (String)
# Default: NONE
wrapper.bin.parameters=-Xms64m
wrapper.bin.parameters=-Xmx128m
# Apache JServ entry point class (should not be changed)
# Syntax: wrapper.class=[classname] (String)
# Default: "org.apache.jserv.JServ"
# Arguments passed to main class after the properties filename
(not used)
# Syntax: wrapper.class.parameters=[parameters] (String)
# Default: NONE
# Note: currently not used
# PATH environment value passed to the JVM
# Syntax: wrapper.path=[path] (String)
# Default: "/bin:/usr/bin:/usr/local/bin" for Unix systems
# "c:\(windows-dir);c:\(windows-system-dir)" for Win32
systems
# Notes: if more than one line is supplied these will be
concatenated using
# ":" or ";" (depending wether Unix or Win32) characters
# Under Win32 (windows-dir) and (windows-system-dir) will
be
# automatically evaluated to match your system
requirements
# CLASSPATH environment value passed to the JVM
# Syntax: wrapper.classpath=[path] (String)
# Default: NONE (Sun's JDK/JRE already have a default classpath)
# Note: if more than one line is supplied these will be
concatenated using
# ":" or ";" (depending wether Unix or Win32) characters.
JVM must be
# able to find JSDK and JServ classes and any utility
classes used by
# your servlets.
# Note: the classes you want to be automatically reloaded upon
modification
# MUST NOT be in this classpath or the classpath of the
shell
# you start the Apache from.
wrapper.classpath=/d3/Apache/jdk/lib/tools.jar
wrapper.classpath=/d3/Apache/Jserv/libexec/ApacheJServ.jar
wrapper.classpath=/d3/Apache/Jsdk/lib/jsdk.jar
# An environment name with value passed to the JVM
# Syntax: wrapper.env=[name]=[value] (String)
# Default: NONE on Unix Systems
# SystemDrive and SystemRoot with appropriate values on
Win32 systems
wrapper.env=PATH=/d3/bin
# An environment name with value copied from caller to Java
Virtual Machine
# Syntax: wrapper.env.copy=[name] (String)
# Default: NONE
# Uncomment the following lines to set the default locale and
NLS_LANG
# setting based on the environment variables.
# wrapper.env.copy=LANG
# wrapper.env.copy=NLS_LANG
# Copies all environment from caller to Java Virtual Machine
# Syntax: wrapper.env.copyall=true (boolean)
# Default: false
# Protocol used for signal handling
# Syntax: wrapper.protocol=[name] (String)
# Default: ajpv12
# General parameters
# Set the default IP address or hostname Apache JServ binds (or
listens) to.
# If you have a machine with multiple IP addresses, this address
# will be the one used. If you set the value to localhost, it
# will be resolved to the IP address configured for the locahost
# on your system (generally this is 127.0.0.1). This feature is
so
# that one can have multiple instances of Apache JServ listening
on
# the same port number, but different IP addresses on the same
machine.
# Use bindaddress=* only if you know exactly what you are doing
here,
# as it could let JServ wide open to the internet.
# You must understand that JServ has to answer only to Apache,
and should not
# be reachable by nobody but mod_jserv. So localhost is usually a
# good option. The second best choice would be an internal
network address
# (protected by a firewall) if JServ is running on another
machine than Apache.
# Ask your network admin.
# "*" may be used on boxes where some of the clients get
connected using
# "localhost"and others using another IP addr.
# Syntax: bindaddress=[ipaddress] or [localhost] or [*]
# Default: localhost
bindaddress=localhost
# Set the port Apache JServ listens to.
# Syntax: port=[1024,65535] (int)
# Default: 8007
port=8007
# Servlet Zones parameters
# List of servlet zones Apache JServ manages
# Syntax: zones=[servlet zone],[servlet zone]... (Comma
separated list of String)
# Default: NONE
zones=root
# Configuration file for each servlet zone (one per servlet zone)
# Syntax: [servlet zone name as on the zones list].properties=
[full path to configFile]
(String)
# Default: NONE
# Note: if the file could not be opened, try using absolute
paths.
root.properties=/d3/Apache/Jserv/etc/zone.properties
# Thread Pool parameters
# Enables or disables the use of the thread pool.
# Syntax: pool=true (boolean)
# Default: false
# WARNING: the pool has not been extensively tested and may
generate
deadlocks.
# For this reason, we advise against using this code in
production environments.
pool=false
# Indicates the number of idle threads that the pool may contain.
# Syntax: pool.capacity=(int)>0
# Default: 10
# NOTE: depending on your system load, this number should be low
for contantly
# loaded servers and should be increased depending on load
bursts.
pool.capacity=10
# Indicates the pool controller that should be used to control
the
# level of the recycled threads.
# Syntax: pool.controller=[full class of controller] (String)
# Default: org.apache.java.recycle.DefaultController
# NOTE: it is safe to leave this unchanged unless special
recycle behavior
# is needed. Look at the "org.apache.java.recycle" package
javadocs for more
# info on other pool controllers and their behavior.
pool.controller=org.apache.java.recycle.DefaultController
# Security parameters
# Enable/disable the execution of org.apache.jserv.JServ as a
servlet.
# This is disabled by default because it may give informations
that should
# be restricted.
# Note that the execution of Apache JServ as a servlet is
filtered by the web
# server modules by default so that both sides should be enabled
to let this
# service work.
# This service is useful for installation and configuration
since it gives
# feedback about the exact configurations Apache JServ is using,
but it should
# be disabled when both installation and configuration processes
are done.
# Syntax: security.selfservlet=true (boolean)
# Default: false
# WARNING: disable this in a production environment since may
give reserved
# information to untrusted users.
security.selfservlet=true
# Set the maximum number of socket connections Apache JServ may
handle
# simultaneously. Make sure your operating environment has
enough file
# descriptors to allow this number.
# Syntax: security.maxConnections=(int)>1
# Default: 50
security.maxConnections=50
# Backlog setting for very fine performance tunning of JServ.
# Unless you are familiar to sockets leave this value commented
out.
# security.backlog=5
# List of IP addresses allowed to connect to Apache JServ. This
is a first
# security filtering to reject possibly unsecure connections and
avoid the
# overhead of connection authentication.
# <warning>
# (please don't use the following one unless you know what you
are doing :
# security.allowedAddresses=DISABLED
# allows connections on JServ'port from entire internet.)
# You do need only to allow YOUR Apache to talk to JServ.
# </warning>
# Default: 127.0.0.1
# Syntax: security.allowedAddresses=[IP address],[IP Address]...
(Comma
separated list of IP addresses)
#security.allowedAddresses=127.0.0.1
# Enable/disable connection authentication.
# NOTE: unauthenticated connections are a little faster since
authentication
# handshake is not performed at connection creation.
# WARNING: authentication is disabled by default because we
believe that
# connection restriction from all IP addresses but localhost
reduces your
# time to get Apache JServ to run. If you allow other addresses
to connect and
# you don't trust it, you should enable authentication to
prevent untrusted
# execution of your servlets. Beware: if authentication is
disabled and the
# IP address is allowed, everyone on that machine can execute
your servlets!
# Syntax: security.authentication=[true,false] (boolean)
# Default: true
security.authentication=false
# Authentication secret key.
# The secret key is passed as a file that must be kept secure
and must
# be exactly the same of those used by clients to authenticate
themselves.
# Syntax: security.secretKey=[secret key path and filename]
(String)
# Default: NONE
# Note: if the file could not be opened, try using absolute
paths.
#security.secretKey=./etc/jserv.secret.key
# Length of the randomly generated challenge string (in bytes)
used to
# authenticate connections. 5 is the lowest possible choice to
force a safe
# level of security and reduce connection creation overhead.
# Syntax: security.challengeSize=(int)>5
# Default: 5
#security.challengeSize=5
# Logging parameters
# Enable/disable Apache JServ logging.
# WARNING: logging is a very expensive operation in terms of
performance. You
# should reduced the generated log to a minumum or even disable
it if fast
# execution is an issue. Note that if all log channels (see
below) are
# enabled, the log may become really big since each servlet
request may
# generate many Kb of log. Some log channels are mainly for
debugging
# purposes and should be disabled in a production environment.
# Syntax: log=[true,false] (boolean)
# Default: true
log=true
# Set the name of the trace/log file. To avoid possible
confusion about
# the location of this file, an absolute pathname is recommended.
# This log file is different than the log file that is in the
# jserv.conf file. This is the log file for the Java portion of
Apache
# JServ.
# On Unix, this file must have write permissions by the owner of
the JVM
# process. In other words, if you are running Apache JServ in
manual mode
# and Apache is running as user nobody, then the file must have
its
# permissions set so that that user can write to it.
# Syntax: log.file=[log path and filename] (String)
# Default: NONE
# Note: if the file could not be opened, try using absolute
paths.
log.file=/d3/Apache/Jserv/logs/jserv.log
# Enable the timestamp before the log message
# Syntax: log.timestamp=[true,false] (boolean)
# Default: true
log.timestamp=true
# Use the given string as a data format
# (see java.text.SimpleDateFormat for the list of options)
# Syntax: log.dateFormat=(String)
# Default: [dd/MM/yyyy HH:mm:ss:SSS zz]
log.dateFormat=[dd/MM/yyyy HH:mm:ss:SSS zz]
# Since all the messages logged are processed by a thread
running with
# minimum priority, it's of vital importance that this thread
gets a chance
# to run once in a while. If it doesn't, the log queue overflow
occurs,
# usually resulting in the OutOfMemoryError.
# To prevent this from happening, two parameters are used:
log.queue.maxage
# and log.queue.maxsize. The former defines the maximum time for
the logged
# message to stay in the queue, the latter defines maximum
number of
# messages in the queue.
# If one of those conditions becomes true (age > maxage || size
maxsize),# the log message stating that fact is generated and the log
queue is
# flushed in the separate thread.
# If you ever see such a message, either your system doesn't
live up to its
# expectations or you have a runaway loop (probably, but not
necessarily,
# generating a lot of log messages).
# WARNING: Default values are lousy, you probably want to tweak
them and
# report the results back to the development team.
# Syntax: log.queue.maxage = [milliseconds]
# Default: 5000
log.queue.maxage = 5000
# Syntax: log.queue.maxsize = [integer]
# Default: 1000
log.queue.maxsize = 1000
# Enable/disable logging the channel name
# Default: false
# log.channel=false
# Enable/disable channels, each logging different actions.
# Syntax: log.channel.[channel name]=[true,false] (boolean)
# Default: false
# Info channel - quite a lot of informational messages
# hopefully you don't need them under normal circumstances
# log.channel.info=true
# Servlets exception, i.e. exception caught during
# servlet.service() processing are monitored here
# you probably want to have this one switched on
log.channel.servletException=true
# JServ exception, caught internally in jserv
# we suggest to leave it on
log.channel.jservException=true
# Warning channel, it catches all the important
# messages that don't cause JServ to stop, leave it on
log.channel.warning=true
# Servlet log
# All messages logged by servlets. Probably you want
# this one to be switched on.
log.channel.servletLog=true
# Critical errors
# Messages produced by critical events causing jserv to stop
log.channel.critical=true
# Debug channel
# Only for internal debugging purposes
# log.channel.debug=true
#wrapper.classpath=/d3/ord/jlib/ordim.zip
#wrapper.classpath=/d3/ord/jlib/ordhttp.zip
# Oracle XSQL Servlet
wrapper.classpath=/d3/lib/oraclexsql.jar
# Oracle JDBC
wrapper.classpath=/d3/jdbc/lib/classes12.zip
# Oracle XML Parser V2 (with XSLT Engine)
wrapper.classpath=/d3/lib/xmlparserv2.jar
# Oracle XML SQL Components for Java
wrapper.classpath=/d3/rdbms/jlib/xsu12.jar
# XSQLConfig.xml File location
wrapper.classpath=/d3/xdk/admin
# Oracle BC4J
wrapper.classpath=/d3/ord/jlib/ordim.zip
wrapper.classpath=/d3/ord/jlib/ordvir.zip
wrapper.classpath=/d3/ord/jlib/ordhttp.zip
wrapper.classpath=/d3/BC4J/lib/jndi.jar
wrapper.classpath=/d3/BC4J/lib/jbomt.zip
wrapper.classpath=/d3/BC4J/lib/javax_ejb.zip
wrapper.classpath=/d3/BC4J/lib/jdev-rt.jar
wrapper.classpath=/d3/BC4J/lib/jbohtml.zip
wrapper.classpath=/d3/BC4J/lib/jboremote.zip
wrapper.classpath=/d3/BC4J/lib/jdev-cm.jar
wrapper.classpath=/d3/BC4J/lib/jbodomorcl.zip
wrapper.classpath=/d3/BC4J/lib/jboimdomains.zip
wrapper.classpath=/d3/BC4J/lib/collections.jar
wrapper.classpath=/d3/Apache/Apache/htdocs/onlineorders_html
#wrapper.classpath=/d3/Apache/Apache/htdocs/OnlineOrders_html/Onl
ineOrders.jar
# The following classpath entries are necessary for EJBs to run
in IAS or DB when
present
wrapper.classpath=/d3/lib/aurora_client.jar
wrapper.classpath=/d3/lib/vbjorb.jar
wrapper.classpath=/d3/lib/vbjapp.jar
# Oracle Servlet
wrapper.classpath=/d3/lib/servlet.jar
# Oracle Java Server Pages
wrapper.classpath=/d3/jsp/lib/ojsp.jar
# Oracle Util
wrapper.classpath=/d3/jsp/lib/ojsputil.jar
# Oracle Java SQL
wrapper.classpath=/d3/sqlj/lib/translator.zip
# Oracle JDBC
#wrapper.classpath=/d3/jdbc/lib/classes12.zip
# SQLJ runtime
wrapper.classpath=/d3/sqlj/lib/runtime12.zip
# Oracle Messaging
wrapper.classpath=/d3/rdbms/jlib/aqapi.jar
wrapper.classpath=/d3/rdbms/jlib/jmscommon.jar
# OJSP environment settings
#wrapper.env=ORACLE_HOME=/d3
# The next line should be modified to reflect the value of the
SID for your
webserver.
#wrapper.env=ORACLE_SID=cmpdb
#wrapper.env=LD_LIBRARY_PATH=/d3/lib
## Enable the flag below if you are using jdk 1.2.2_05a or above
#wrapper.env=JAVA_COMPILER=NONE
# Advanced Queuing - AQXML
wrapper.classpath=/d3/rdbms/jlib/aqxml.jar
#wrapper.classpath=/d3/rdbms/jlib/xsu12.jar
#wrapper.classpath=/d3/lib/xmlparserv2.jar
wrapper.classpath=/d3/lib/xschema.jar
#wrapper.classpath=/d3/jlib/jndi.jar
wrapper.classpath=/d3/jlib/jta.jar
oemreporting.properties=/d3/Apache/Jserv/oemreporting/oemreportin
g.properties
zones = root, oemreporting
wrapper.classpath=/d3/jlib/share-opt-1_1_9.zip
wrapper.classpath=/d3/jlib/caboshare-opt-1_0_3.zip
wrapper.classpath=/d3/jlib/marlin-opt-1_0_7.zip
wrapper.classpath=/d3/jlib/tecate-opt-1_0_4.zip
wrapper.classpath=/d3/jlib/ocelot-opt-1_0_2.zip
wrapper.classpath=/d3/jlib/regexp.jar
wrapper.classpath=/d3/jlib/sax2.jar
#wrapper.classpath=/d3/jlib/servlet.jar
wrapper.bin.parameters= -DORACLE_HOME=/d3
#wrapper.env=LD_LIBRARY_PATH=/d3/lib32
wrapper.env.copy=DISPLAY
wrapper.bin.parameters=-DORACLE_HOME=/d3
#wrapper.classpath=/d3/lib/vbjorb.jar
#wrapper.classpath=/d3/lib/vbjapp.jar
wrapper.classpath=/d3/classes/classesFromIDLVisi
wrapper.classpath=/d3/jlib/swingall-1_1_1.jar
wrapper.classpath=/d3/jlib/ewtcompat3_3_15.jar
wrapper.classpath=/d3/jlib/ewt-3_3_18.jar
wrapper.classpath=/d3/jlib/share-1_1_9.jar
wrapper.classpath=/d3/jlib/help-3_2_9.jar
wrapper.classpath=/d3/jlib/ice-5_06_3.jar
wrapper.classpath=/d3/jdbc/lib/classes111.zip
wrapper.classpath=/d3/classes
wrapper.classpath=/d3/jlib/oembase-9_0_1.jar
wrapper.classpath=/d3/jlib/oemtools-9_0_1.jar
wrapper.classpath=/d3/jlib
wrapper.classpath=/d3/jlib/javax-ssl-1_1.jar
wrapper.classpath=/d3/jlib/jssl-1_1.jar
wrapper.classpath=/d3/jlib/netcfg.jar
wrapper.classpath=/d3/jlib/dbui-2_1_2.jar
#wrapper.classpath=/d3/lib/aurora_client.jar
#wrapper.classpath=/d3/lib/xmlparserv2.jar
wrapper.classpath=/d3/network/jlib/netmgrm.jar
wrapper.classpath=/d3/network/jlib/netmgr.jar
wrapper.classpath=/d3/network/tools
wrapper.classpath=/d3/jlib/kodiak-1_2_1.jar
wrapper.classpath=/d3/sysman/jlib/netchart360.jar
wrapper.classpath=/d3/jlib/pfjbean.jar
wrapper.env=SHLIB_PATH=/d3/lib32
wrapper.env=LIBPATH=/d3/lib32
wrapper.classpath=/d3/ultrasearch/lib/isearch_midtier.jar
wrapper.classpath=/d3/ultrasearch/lib/isearch_query.jar
wrapper.classpath=/d3/ultrasearch/lib/jgl3.1.0.jar
wrapper.classpath=/d3/lib/mail.jar
wrapper.classpath=/d3/lib/activation.jar
wrapper.classpath=/d3/ultrasearch/jsp/admin/config
# Additions for iFS
## DO NOT REMOVE OR ALTER THE FOLLOWING LINE ....
# iFS true
# Uncomment if you want to use the same Jserv as other
applications
wrapper.classpath=/d3/9ifs/custom_classes
wrapper.classpath=/d3/9ifs/settings
wrapper.classpath=/d3/9ifs/lib/adk.jar
wrapper.classpath=/d3/9ifs/lib/email.jar
wrapper.classpath=/d3/9ifs/lib/http.jar
wrapper.classpath=/d3/9ifs/lib/release.jar
wrapper.classpath=/d3/9ifs/lib/repos.jar
wrapper.classpath=/d3/9ifs/lib/utils.jar
wrapper.classpath=/d3/9ifs/lib/webui.jar
wrapper.classpath=/d3/9ifs/lib/provider.jar
wrapper.classpath=/d3/jlib/javax-ssl-1_2.jar
wrapper.classpath=/d3/jlib/jssl-1_2.jar
wrapper.env=ORACLE_HOME=/d3
wrapper.env=ORACLE_SID=cmpdb
wrapper.env=LD_LIBRARY_PATH=/d3/lib:/d3/ctx/lib:/d3/lib32
wrapper.env=NLS_LANG=.US7ASCII
## Additions for the iFS zone
# Uncomment if you want to use the same Jserv as other
applications
zones=ifs
ifs.properties=/d3/Apache/Jserv/etc/ifs.properties
# End iFS sectionAbout your home page; Manually set up Firefox with the window(s) and tab(s)
the way you want them to be. Then;
'''''Firefox Options > General > Homepage'''''.
Press the button labeled ''''Use Current'''.'
=====================================
Open a new window or tab. In the address bar, type '''''about:config'''''.
If a warning screen comes up, press the '''''Be Careful''''' button.
This is where Firefox finds information it needs to run.
At the top of the screen is a search bar. Enter '''''browser.newtab.url'''''
and press enter. '''''browser.newtab.url'''''
tells Firefox what to show when a new tab is opened.
If you want, right click and select '''''Modify'''''. You can change the
setting to;<BR><BR>about:home (Firefox default home page),<BR>
about:newtab (shows the sites most visited),<BR>
about:blank (a blank page),<BR>
or you can enter any web page you want.<BR><BR>
The same instructions are used for the new window setting, listed as
'''''browser.startup.homepage'''''. -
Form-based authentication problem with weblogic
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=trueHi...
Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
cheers...
Jerson
"John Wang" <[email protected]> wrote:
>
Hi Jerson,
I tried your code this weekend, it didn't work in my case. But
I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
Thanks.
-John
"Jerson Chua" <[email protected]> wrote:
I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
Jerson
package com.cyberj.catalyst.web;
import weblogic.servlet.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
int authenticated = sa.weak(request, response);
if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
response.sendRedirect("fail_login.jsp");
} else {
response.sendRedirect("Home.jsp");
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
doPost(request, response);
"Jerson Chua" <[email protected]> wrote:
The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
Has anyone solved this problem? I've tried the example itself and the same problem occurs.
Jerson
"Cameron Purdy" <[email protected]> wrote:
Jerson,
First try it redirected (raw) to see if that indeed is the problem ... then
if it works you can "fix" it the way you want.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hi...
Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
another indirection where I will redirect it to another servlet but the
password is encrypted.
What do you think?
thanks....
Jerson
"Cameron Purdy" <[email protected]> wrote:
Maybe redirect to the current URL after killing the session to let the
request clean itself up. I don't think that a lot of the request (such
as
remote user) will be affected by killing the session until the nextrequest
comes in.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hello guys...
I've a solution but it doesn't work yet so I need your help. Because
one
of the reason for getting form base authentication failed is if an
authenticated user tries to login again. For example, the one mentionedby
John using the back button to go to the login page and when the user logsin
again, this error occurs.
So here's my solution
Instead of submitting the page to j_security_check, submit it to a
servlet
which will check if the user is logged in or not. If yes, invalidates its
session and forward it to j_security_check. But there's a problem in this
solution, eventhough the session.invalidate() (which actually logs theuser
out) is executed before forwarded to j_security_check, the user doesn't
immediately logged out. How did I know this, because after calling
session.invalidate, i tried calling request.RemoteUser() and it doesn't
return null. So I'm still getting the error. What I want to ask you guyis
how do I force logout before the j_security_check is called.
here's the code I did which the login.jsp actually submits to
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
if (request.getRemoteUser() != null) {
HttpSession session = request.getSession(false);
System.out.println(session.isNew());
session.invalidate();
Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
cookies.setMaxAge(0);
getServletContext().getRequestDispatcher("/j_security_check").forward(reques
t, response);
public void doGet(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
doPost(request, response);
let's help each other to solve this problem. thanks.
Jerson
"Jerson Chua" <[email protected]> wrote:
I thought that this problem will be solved on sp6 but to my
disappointment, the problem is still there. I'm also using RDBMSRealm,same
as John.
Jerson
"Cameron Purdy" <[email protected]> wrote:
John,
1. You are using a single WL instance (i.e. not clustered) on that
NT
box
and doing so without a proxy (e.g. specifying http://localhost:7001),
correct?
2. BEA will pay more attention to the problem if you upgrade to SP6.If
you don't have a reason NOT to (e.g. a particular regression), then
you
should upgrade. That will save you one go-around with support: "Hi,I
am
on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
it.
Call back if that doesn't work."
3. Make sure that you are not doing anything special before or after
J_SECURITY_CHECK ... make sure that you have everything configuredand
done
by the book.
4. Email BEA a bug report at [email protected] ... see what they say.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Cameron,
It seems to me that the problem I encountered is different a little
from
what you have, evrn though the error message is the same eventually.
Everytime I go through, I always get that error.
I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
to
work
around this problem? If it was a BUG as you
pointed out, is there a way we can report it to the Weblogic
technical support and let them take a look?
Thnaks.
-John
"Cameron Purdy" <[email protected]> wrote:
John,
I will verify that I have seen this error now (after having read
about it
here for a few months) and it had the following characteristics:
1) It was intermittent, and appeared to be self-curing
2) It was not predictable, only seemed to occur at the first
login
attempt,
and may have been timing related
3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
proxy
was
Apache (Stronghold)
4) After researching the newsgroups, it appears that this "bug"
may
have gone away temporarily (?) in SP5 (although Jerson Chua
<[email protected]> mentioned that he still got it in SP5)
I was able to reproduce it most often by deleting the tmpwar and
tmp_deployments directories while the cluster was not running,
then
restarting the cluster. The first login attempt would fail(roughly
90%
of
the time?) and that server instance would then be ignored by the
proxy
for a
while (60 seconds?) -- meaning that the proxy would send all
traffic,
regardless of the number of "clients", to the other server in thecluster.
As far as I can tell, it is a bug in WebLogic, and probably has
been
there
for quite a while.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I
am
having
the following problem with the form-based authentication login
mechanism.
Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it
is
OK.
But
if I login and use the browser's BACK button to back the login
page
and
try
to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons
could
cause it: HTTP sessions are disabled. An old session ID was stored
in
the
browser."
Normally, if you login and want to relogin without logout first,
it
supposes to direct you to the existing user session. But I don'tunderstand
why it gave me this error. I also checked my property file, it
appears
that
the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true -
Authentication problem with JWS and TOMCAT
Hi everyone !
I have a problem with Java Web Start (1.0.1) and Tomcat (4.0.4).
I'm trying to call my application via Web server Tomcat with restricting access.
My configuration is the following :
The deployment descriptor web.xml is:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<mime-mapping>
<extension>jar</extension>
<mime-type>application/java-archive</mime-type>
</mime-mapping>
<mime-mapping>
<extension>java</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<mime-mapping>
<extension>jnlp</extension>
<mime-type>application/x-java-jnlp-file</mime-type>
</mime-mapping>
<mime-mapping>
<extension>JNLP</extension>
<mime-type>application/x-java-jnlp-file</mime-type>
</mime-mapping>
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>standard</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MY APPL</realm-name>
</login-config>
</web-app>
And jnlp File is:
<jnlp
spec="1.0+"
codebase="http://host:8080/Official/"
href="Application.jnlp">
<information>
<title>Application release 0.10</title>
<vendor> XXXX </vendor>
<homepage href="/"/>
<description>Application</description>
<description kind="short">My Application</description>
<icon href="Icon.gif"/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.3"/>
<jar href="Jar1.jar"/>
<jar href="Jar2.jar"/>
<jar href="Jar3.jar"/>
<jar href="Jar4.jar"/>
<jar href="Jar5.jar"/>
<jar href="Jar6.jar"/>
<jar href="Jar7.jar"/>
<jar href="Jar8.jar"/>
<jar href="Jar9.jar"/>
<jar href="Jar10.jar"/>
<jar href="MyApplication.jar"/>
</resources>
<application-desc main-class="com.xxxx.tool.cm.MyApplication"/>
</jnlp>
With the above configuration the Java Web Start not work.
I'm expecting the message box for insert username and password instead it returns the messagge error :
An error occurred while launching/running the application.
Vendor: XXXX
Category: Download Error
Unable to load resource: http://host:8080/Official/Application.jnlp
The Exception error is:
JNLPException[category: Download Error : Exception: java.lang.NullPointerException : LaunchDesc: null ]
at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown Source)
at com.sun.javaws.cache.DownloadProtocol.isLaunchFileUpdateAvailable(Unknown Source)
at com.sun.javaws.LaunchDownload.getUpdatedLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.downloadResources(Unknown Source)
at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I have tried to remove the restrict access in the deployment descriptor (web.xml) and java Web Start WORKS !!!!!!
I'll appreciate any idea or hint!
Thanks in advanceCheck this out
http://forum.java.sun.com/thread.jsp?forum=38&thread=456250
Mad Einstein -
802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3
I wondered if anyone can help or shed any light on the following problem.
I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
2. My config is as below:
aaa new-model
aaa authentication dot1x default group radius
aaa authenication login default group radius
dot1x system-auth-control
interface f0/1
switchport mode access
dot1x port-control auto
end
I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
I even tried using local authenication with 802.1x, this did not work
4. If I have a certificate, will this automatically give me access to the 802.1x port?
5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
Am I missing anything?
Any advise will be greatly appreciated
Chris -
Localizing Analytics Web Catalog - problem with variables
I tried to localize strings in OBI EE Web Catalog. I exported those captions using catalog manager, translate messages in XML file and put them to \Web\Res\l_xx\Captions. It works quite good.
But there is problem with variables in Title. Replacement of variables STOP working :-( At the page is displayed for example: "@{biServer.variables['MaxDate']}". Variable replacemen works fine in narrative views.
Do you have some ideas?
Thanks.We have the same problem with presentation variables in titles using externalize strings option, they stopped working after tranlation.
We tried with Oracle BI EE 10.1.3.2.1 and 10.1.3.3.3 with same result.
Any ideas?
Thanks -
Printing problem with wired PC, not with wireless Macs
WindowsXP PC will not communicate with wireless printer, which is plugged into the Airport Extreme usb port. No problem with wireless printing to same printer with MacBook Air. WindowsXP PC is connected to tthe AirPort Extreme via Ethernet port.
Yes, I did install the Bonjours for Windows software and I still get the message thet the PC does not communicate with the printer.
-
Web authentication different user same client
Hi,
We are currently building a guest WLAN. The authentication works with LDAP via web authentication. Users can log on via smartphones and Windows laptops. Now we have a little problem with the Windows laptops, discovered in the testing phase. When user A is successful logon to the laptop through web authentication and then log off the laptop. User B can simply work under the same credentials of user A, without problems. This is not desirable, another user must then log in to the laptop with own credentials.
The WLC 5508 remember the client MAC address, not the user.
Any tips?
Thank you!When the user logs off the session remains active on the WLC.
We have the "User Idle Timeout" set on 100000 sec. Unchecked the "Enable Session Timeout". This to logout users after a certain time via a time trigger. Guests 24 hours, students half year, staff 1 year. (If the WLC not often need to restart).
For non domain devices this is not a problem, since users are not dependent on the Windows domain then.
How can we debug users, lets say user A en B on one laptop? -
WebAccess problem with Windows Client 8
Hi,
We have a problem, with external access with windows 8 client Only, with the following error
The user "user@domain", on client computer "IP:33050", has initiated an outbound connection. This connection may not be authenticated yet.
There's Gateway and Webaccess on the same server
thanks
Rémy
http://www.blogotec.fr MCITP Server Administrator MCTS VirtualisationHi,
Have you tried to turn off Windows Firewall, then test the result again, check whether Firewall is the culprit. Seems the outbound connection is blocked in Windows Firewall, check your Connection Security Rule Properties in Windows Firewall.
Connection Security Rule Properties Page: Authentication Tab
http://technet.microsoft.com/en-us/library/dd448596(v=ws.10).aspx
Yolanda Zhu
TechNet Community Support
Maybe you are looking for
-
I also wrote an e-mail on MobileMe and when I sent it I received a Firefox blocking a pop-up on that e-mail, something I have never seen before. Then, I discovered that the contacts I addressed that e-mail to were not the current e-mail addresses. Th
-
How to create a new "tab" in the Library?
Ok I know how to add, change and create playlists but I can't see how to do the to the library. My issue is... I have some music clips (mpeg4) which I've sync'd to my Ipod Video and are located in the "movies" tab (both in iTunes and on the iPod). I
-
Inbound processing Workflow r12.1.3
Dear all, We would like to setup inbound processing in r12.1.3. So that once approved or rejectect then it should process. I have created folders PROCESS & DISCARD. there are below issues that I am currently facing. 1) While in user prefrences if the
-
Tomahawk panelTabbedPane Styles
Hello I tried specifying CSS style info for activeTabStyleClass and inactiveTabStyleClass, and strangely I could change the tab label background color but not the font/size/color of the text. I have seen in the generated html that is part of a text i
-
Component-based branding in PeopleTools 8.54 not functioning
Has anyone been able to get component-based branding to work in PeopleTools 8.54? I've tried attaching custom stylesheets and Javascripts (via App Designer and PeopleTools > Portal > Branding > Component Branding) to a classic component with no luck.