Locally configured security policy in domain environment

Hello.
I have run into a problem when configuring security policy for servers in my domain. Due to the large size of my environment and the many different local administrators on servers, quite a few of those administrators have configured local security policies on their servers instead of asking our central IT department to create domain-based GPOs for those settings.
It's quite often settings that give an account the right to log on as a batch job and so on. This creates the problem for those of us who work centrally that we can't configure central GPOs, since we would overwrite the locally configured ones, and that quite often causes an application to stop working.
So my question is whether there's any way to make an inventory to find out which servers have a locally configured policy, so that I can change that to a central one.
/Lee

You can use secedit to get the local security policy. You can use psexec to get it remotely and store the content in a share. Once done, you can fetch the data using PowerShell and get what you need.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
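One way to build that inventory, as an added example that is not from the thread or its authors: it exports the effective user-rights assignments with secedit on each server (over WinRM instead of psexec), parses the [Privilege Rights] section of the .inf, and flags every assignment that is not in the central baseline, which is the usable signal for a locally added setting because secedit reports the merged result of local policy and GPO. The server list, the baseline table and the share path are placeholders.

```powershell
# Added example (not from the original thread): inventory user-rights assignments
# across servers and flag entries that are not in the central baseline, i.e. the
# ones most likely configured locally. $Servers, $Baseline and $ReportDir are
# placeholders to be replaced with real values.

$Servers   = @('SERVER01', 'SERVER02')        # placeholder host names
$ReportDir = '\\fileserver\secpol-inventory'   # placeholder share path

# What the central GPO is expected to deliver, keyed by privilege name.
# secedit exports principals as '*<SID>', so the baseline uses the same form
# (S-1-5-32-544 Administrators, -551 Backup Operators, -559 Performance Log
# Users, -555 Remote Desktop Users, S-1-5-80-0 NT SERVICE\ALL SERVICES).
$Baseline = @{
    'SeBatchLogonRight'             = @('*S-1-5-32-544', '*S-1-5-32-551', '*S-1-5-32-559')
    'SeServiceLogonRight'           = @('*S-1-5-80-0')
    'SeRemoteInteractiveLogonRight' = @('*S-1-5-32-544', '*S-1-5-32-555')
}

function Export-UserRightsInf {
    param([string]$ComputerName, [string]$OutputDir)
    # secedit exports the *effective* policy (local settings merged with GPO);
    # the comparison further down is what separates local additions from the
    # baseline. Needs WinRM and local admin rights on the target.
    $content = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $tmp = Join-Path $env:TEMP 'secpol-export.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
        Get-Content -Path $tmp -Raw    # secedit writes UTF-16LE; the BOM is detected
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    $inf = Join-Path $OutputDir "$ComputerName.inf"
    Set-Content -Path $inf -Value $content
    return $inf
}

function Get-PrivilegeRights {
    param([string]$InfPath)
    # Parse only the [Privilege Rights] section; lines look like
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Principal {
    param([string]$Entry)
    # Translate '*S-1-5-...' to an account name where possible; keep the raw
    # SID when it no longer resolves (an orphaned SID is a finding in itself).
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

function Compare-UserRights {
    param([string]$ComputerName, [hashtable]$Local, [hashtable]$Baseline)
    $findings = @()
    foreach ($right in (@($Local.Keys) + @($Baseline.Keys) | Sort-Object -Unique)) {
        $l = @($Local[$right]    | Where-Object { $_ -ne $null })
        $b = @($Baseline[$right] | Where-Object { $_ -ne $null })
        $extra   = @($l | Where-Object { $b -notcontains $_ })   # present locally, not in baseline
        $missing = @($b | Where-Object { $l -notcontains $_ })   # expected from GPO, absent here
        if ($extra.Count -eq 0 -and $missing.Count -eq 0) { continue }
        $findings += [pscustomobject]@{
            Computer       = $ComputerName
            Right          = $right
            NotInBaseline  = ($extra   | ForEach-Object { Resolve-Principal $_ }) -join ';'
            MissingLocally = ($missing | ForEach-Object { Resolve-Principal $_ }) -join ';'
        }
    }
    return $findings
}

$report = foreach ($server in $Servers) {
    try {
        $inf = Export-UserRightsInf -ComputerName $server -OutputDir $ReportDir
        Compare-UserRights -ComputerName $server -Local (Get-PrivilegeRights $inf) -Baseline $Baseline
    } catch {
        Write-Warning "${server}: $($_.Exception.Message)"
    }
}
if ($report) {
    $report | Export-Csv -Path (Join-Path $ReportDir 'user-rights-drift.csv') -NoTypeInformation
    $report | Format-Table -AutoSize
} else {
    Write-Host 'No user-rights drift from the baseline found.'
}
```

The NotInBaseline column is the list of servers and accounts to move into a central GPO before that GPO is applied, so the application logons the thread worries about are not overwritten.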

Similar Messages

  • Help with configuring security policy

    Hi guys,
    I've got two questions, in the same vein around SCEP and SCCM policies (2012 R2). After looking a bit within the console and some searching around, I don't see anything glaringly obvious to address the following questions, though it's possible I've overlooked it.
    1) Is it possible to create a policy to prevent anyone NOT in the DomainAdmins group from overriding a detected virus?
    2) Is there a way to initiate a shutdown if the SCEP service fails or is stopped at any time?
    Thanks in advance for any suggestions.
    --Gabe

    Hi,
    1. What is "override a detected virus"?
    2. You could take a look at System Center Orchestrator.
    http://technet.microsoft.com/en-us/library/hh206052.aspx
    Best Regards,
    Joyce

  • Using WLST to configure security in application deployments ?

    Hi,
    I would like to configure security (create roles and policies) in an application through WLST.
    I did not manage to find what MBeans are available for this, nor how to navigate to them.
    Is it possible to configure security for an application (that is not in the domain or server realms, but as in the console from the security tab of a specific deployed application) through WLST ?
    Thanks for your help.
    Hugues

    Bengt,
    Configuring security policy via MBeans is not supported; the console uses an internal API to achieve that. That said, I will see if I can do anything.
    Thanks,
    -satya
    Bengt Rodehav wrote:
    We use WLST to configure our servers. Unfortunately we haven't found out how to configure a security policy via WLST.
    In our case we need to define a security policy on our JMS queues. Presently we have to do this manually via the administration console. Can this be done with WLST?
    Bengt Rodehav

  • How to configure Security services in OSB 11g..

    We are integrating OSB with a BANK application, and we will be using an SSL certificate for the same.
    Please help how to configure security policy in OSB.
    I checked the policy definition at the link below
    http://tim.blackamber.org.uk/?p=825
    but in the OSB proxy service we are not able to see the Policy button.
    Please help.
    Thanks,
    Mihir

    Please post your query in SOA Suite forum -
    SOA Suite
    Regards,
    Anuj

  • GRC 10.1 custom security policy

    On the GRC Java system, I am not able to create a custom security policy under UME->Configuration->Security Policy. I am able to create one on all other systems except GRC and the NWDI system. Is it related to the support pack level, or is the facility not available on these releases?
    Thanks Shankar

    Shailendra:
    Might be because there is no Java stack.  AC and PC now run on the ABAP stack and I think SAP recommends not using dual stack.  The only Java stack in the GRC 10.0 landscape that I'm aware of is for ADS.
    Thanks.
    Matt

  • Activating Security Policy at Portal Logon Page

    Hi @ll,
    I'm not able to activate the password security policy check at the portal logon page. For this purpose, I have already checked the Enforce Password Security Policy at Logon (System Administration->System Configuration->UME Configuration->Security Policy) and restarted the server too. But it fails to appear at the logon page.
    Please suggest how to resolve this problem.
    Thanks
    Gautam Singh

    Hi Gautam Singh,
    You say you are customizing the portal logon screen. Are you doing a simple modification by just changing UME properties as described in [Logon Screen Customization|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/43/fc3ae22adb025fe10000000a1553f7/frameset.htm] or are you actually changing .par files and creating your own logon application?
    Are you using config tool, the user management configuration Web Dynpro UI, or visual admin  to change the properties?
    Have you assigned the UME actions Logon_Help and Selfregister_User to the Anonymous Users group?
    -Michael

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some expert advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings I am concerned with:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, e-mails are hosted on MS Office365 and the OST file size of a few users is more than 25GB. So, in case the user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where our outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Configuring Kerberos across 2 domains?

    Hi
    I am trying to set up a 3rd party application to use Single Sign On using Kerberos authentication across two domains and am having troubles. DOMAIN1.COM is a W2K domain and DOMAIN2 is a Citrix farm. My application is a Solaris (5.9) hosted Java app (1.4.2_08) running under WebLogic 8.1.
    I've generated the keytab files etc. and can successfully authenticate using kinit. I can successfully sign in from my desktop when I configure my environment to use only one domain, either DOMAIN1.COM or DOMAIN2, but I am hitting this error when trying to authenticate with a user account on DOMAIN2 (it works fine for a user account on DOMAIN1):
    <000000> <Found Negotiate with SPNEGO token>
    <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    The application uses the JAAS login framework to perform the authentication. The steps I have followed are:
    1. We have generated the keytab file for both domains and have tested that we can generate tickets using kinit command
    2. When I start my WL server I am using the DOMAIN1.COM domain credentials i.e.
    JAVA_OPTIONS="-ms1024m ...etc... -Djava.security.auth.login.config=krb5Login.conf -Djava.security.krb5.realm=DOMAIN1.COM -Djava.security.krb5.kdc=ldap-domain1.com -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
    3. I've configured my krb5Login.conf to use DOMAIN1.COM, e.g.
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]" useKeyTab=true
        keyTab=krb5.keytab storeKey=true debug=true;
    };
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/[email protected]" useKeyTab=true
        keyTab=krb5.keytab storeKey=true debug=true;
    };
    4. I've configured my /etc/krb5/krb5.conf to use DOMAIN2 as default.
    [libdefaults]
    default_realm=DOMAIN2
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
    [realms]
    DOMAIN1.COM = {
        kdc=ldap-domain1.com:88
        admin_server=ldap-domain1.com
    }
    DOMAIN2 = {
        kdc=kdc1.domain2:88
        kdc=kdc2.domain2:88
        admin_server=ADMINSERVER2
    }
    [domain_realm]
    mydomain.com=DOMAIN2
    [appdefaults]
    kinit = {
        renewable = true
        forwardable= true
        autologin = true
        forward = true
        encrypt = true
    }
    I am not a Java developer so this is all new to me so hopefully someone can give me some guidance. I've been told the reason I can't authenticate is because I don't have a trust relationship set up between the two domains. But our Active Directory team have stated that setting up a trust relationship is not an option.
    The software supplier has said that the application should work across both domains without the trust relationship but they are unwilling to assist (as they have been paid already!). The way I have been led to understand it is that when we try and access the app over the DOMAIN2 the app should default to the default domain set in the /etc/krb5/krb5.conf file. Am I misguided? I don't understand how the JAAS login framework works with Kerberos and I would greatly appreciate some guidance on a possible config or code change I can make to resolve this issue?
    Thanks

    Hi
    Thanks for the reply. I couldn't see krb5.conf in the logs so I added it to the JAVA_OPTIONS and re-ran a test, but it failed with the same error. Here is some output from my logs:
    ####<Nov 4, 2009 5:38:07 PM GMT> <Info> <Management> <aukobpcs> <aukobpcs_dd1> <main> <<WLS Kernel>> <> <BEA-141187> <Java system properties are defined as follows:
    java.security.auth.login.config = /opt/bea/user_projects/domains/onebill_online/krb5Login.conf
    java.security.krb5.conf = /etc/krb5/krb5.conf
    java.security.policy = /opt/bea/weblogic81/server/lib/weblogic.policy
    java.specification.name = Java Platform API Specification
    java.specification.vendor = Sun Microsystems Inc.
    java.specification.version = 1.4
    java.util.prefs.PreferencesFactory = java.util.prefs.FileSystemPreferencesFactory
    java.vendor = Sun Microsystems Inc.
    java.vendor.url = http://java.sun.com/
    java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi
    java.version = 1.4.2_11
    vde.home = ./aukobpcs_dd1/ldap
    weblogic.Name = aukobpcs_dd1
    weblogic.StdoutDebugEnabled = true
    weblogic.StdoutSeverityLevel = 64
    weblogic.management.server = http://aukobpcs.dc-dublin.de:7001
    weblogic.security.enableNegotiate = true
    ####<Nov 4, 2009 5:40:22 PM GMT> <Info> <HTTP> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=19509258,name=bpa,context-path=/bpa)] *.jsp: initialization complete>
    ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
    ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
    ####<Nov 4, 2009 5:40:23 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm DOMAIN1.COM
    Caused by: KrbException: Cannot get kdc for realm DOMAIN1.COM
    If you have any other suggestions I could try, that would be great; otherwise we'll look at implementing a workaround to this issue (probably having a separate WL server for each domain).
    Thanks

  • Unable to configure security

    I am stuck in a security exception while configuring security for WCM spaces.
    I have configured the security using oracle fusion middleware control and had generated the keystores.
    However when I run the application, it is giving me the below exception
    <WsmMessageLogger><logSevere> The specified keystore file C:\JDeveloper\system11.1.1.2.36.55.36\DefaultDomain\config\fmwconfig\default-keystore.jks cannot be found; it either does not exist or its path is not included in the application classpath.
    <WsmMessageLogger><logSevere> Keystore is not properly configured in JPS config.
    <WsmLogUtil><log> Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=null, composite=null, modelObj=http:/
    The issue here is that when I configure the security, it updates the jps-config and other files in the location “D:\Oracle\Middleware1\user_projects\domains\base_domain\config\fmwconfig”. So after deploying, it should ideally deploy those files in application data, something like C:\JDeveloper\system11.1.1.2.36.55.36\DefaultDomain\config\...... However, when I try to see the details of the jps-config file in that location, it is still pointing to the old keystores and is not getting updated. I even tried deleting the whole “system11.1.1.2.36.55.36\DefaultDomain” folder and generating it again after server restarts.
    If I try to manually overwrite the keystore in application data files, it gives me the below exception.
    <WsmLogUtil><log> Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=null, composite=null, modelObj=http://oracle.webcenter.spaces.internal.view.ws/#wsdl.endpoint(SpacesWebService/SpacesWebServiceSoapHttpPort), policy=null, policyVersion=null, assertionName=null.
    oracle.wsm.common.sdk.WSMException: WSM-00055 : The keystore located at C:\JDeveloper\system11.1.1.2.36.55.36\DefaultDomain\config\fmwconfig\default-keystore.jks can ot be loaded due to java.io.IOException. Ensure that valid keystore type and password are configured.

    I configured the keystore as well and I am able to access the web service using a web service client as well, but there are certain methods for which I need the SpaceClient API for the space RSS feed.
    The following is the code to access it:
    GroupSpaceWSContext context = new GroupSpaceWSContext();
    context.setEndPoint("http://webcenterhost:port/webcenter/SpacesWebService");
    context.setSamlIssuerName("http://webcenterhost:port/webcenter");
    context.setRecipientKeyAlias("producer");
    GroupSpaceWSClient groupSpaceWSClient;
    try {
        groupSpaceWSClient = new GroupSpaceWSClient(context);
        System.out.println("return " + groupSpaceWSClient.getPublicGroupSpaces("Space Name"));
    } catch (GroupSpaceWSException e) {
        e.printStackTrace();
    }
    While running I am getting the following error: oracle.webcenter.spaces.ws.client.GroupSpaceWSException: javax.xml.ws.soap.SOAPFaultException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
    at oracle.webcenter.spaces.ws.client.GroupSpaceWSClient.getPublicGroupSpaces(GroupSpaceWSClient.java:828)

  • OPSS java security policy provider error

    Hi, I am getting the security error below when deploying my application. My logs are:
    *** Using HTTP port 7101 ***
    *** Using SSL port 7102 ***
    "C:\Documents and Settings\Desmond\Application Data\JDeveloper\system11.1.2.1.38.60.81\DefaultDomain\bin\startWebLogic.cmd"
    [waiting for the server to complete its initialization...]
    JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
    WLS Start Mode=Development
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http:\\hostname:port\console *
    starting weblogic with Java version:
    java version "1.6.0_24"
    Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
    Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
    Starting WLS with line:
    C:\oracle\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=C:\oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=C:\DOCUME~1\Desmond\LOCALS~1\Temp\trustStore8732822766352054612.jks -Djbo.debugoutput=silent -Doracle.jdeveloper.adrs=true -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=C:\oracle\MIDDLE~1\WLSERV~1.3 -Dwls.home=C:\oracle\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=C:\oracle\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=C:\oracle\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1 -Djrockit.optfile=C:\oracle\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=C:\oracle\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,C:\oracle\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false 
-Dwsm.repository.path=C:\DOCUME~1\Desmond\APPLIC~1\JDEVEL~1\SYSTEM~1.81\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=C:\oracle\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;C:\oracle\MIDDLE~1\patch_jdev1112\profiles\default\sysext_manifest_classpath weblogic.Server
    <22 Dec 2011 10:11:07 AM> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
    <22 Dec 2011 10:11:07 AM> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
    <22 Dec 2011 10:11:07 AM> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
    <22 Dec 2011 10:11:07 AM> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
    <22 Dec 2011 10:11:08 AM> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    <22 Dec 2011 10:11:08 AM> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
    <22 Dec 2011 10:11:08 AM> <Notice> <LoggingService> <BEA-320400> <The log file C:\Documents and Settings\Desmond\Application Data\JDeveloper\system11.1.2.1.38.60.81\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
    <22 Dec 2011 10:11:08 AM> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to C:\Documents and Settings\Desmond\Application Data\JDeveloper\system11.1.2.1.38.60.81\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log00004. Log messages will continue to be logged in C:\Documents and Settings\Desmond\Application Data\JDeveloper\system11.1.2.1.38.60.81\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log.>
    <22 Dec 2011 10:11:08 AM> <Notice> <Log Management> <BEA-170019> <The server log file C:\Documents and Settings\Desmond\Application Data\JDeveloper\system11.1.2.1.38.60.81\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
    oracle.security.jps.JpsRuntimeException: Cannot read from policy store.
    Caused by: oracle.security.jps.JpsRuntimeException: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
    Caused by: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
         at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:80)
         at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:99)
         at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:316)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
         ... 34 more
    Caused by: javax.xml.stream.XMLStreamException: Premature end of file encountered
         at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:69)
         ... 37 more
    <22 Dec 2011 10:11:10 AM> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
    <22 Dec 2011 10:11:10 AM> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
    weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:293)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
         at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
         at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:899)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
         at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         Truncated. see log file for complete stacktrace
    Caused By: java.security.PrivilegedActionException: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:284)
         at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:270)
         Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsException: [PolicyUtil] Unable to obtain default JPS Context!
         at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:860)
         at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:844)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:844)
         at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
         Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: Cannot read from policy store.
         at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.buildFromFile(XmlPolicyStore.java:440)
         at oracle.security.jps.internal.policystore.xml.XmlPolicyStore.<init>(XmlPolicyStore.java:227)
         at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:100)
         at oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider.getInstance(XmlPolicyStoreProvider.java:74)
         at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
         Truncated. see log file for complete stacktrace
    Caused By: oracle.security.jps.JpsRuntimeException: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:166)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:187)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.loadXmlDataStore(XmlDataStore.java:418)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStore.<init>(XmlDataStore.java:283)
         Truncated. see log file for complete stacktrace
    Caused By: javax.xml.stream.XMLStreamException: javax.xml.stream.XMLStreamException: Premature end of file encountered
         at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:80)
         at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:99)
         at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:316)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
         Truncated. see log file for complete stacktrace
    Caused By: javax.xml.stream.XMLStreamException: Premature end of file encountered
         at weblogic.xml.stax.XMLStreamReaderBase.prime(XMLStreamReaderBase.java:69)
         at weblogic.xml.stax.XMLStreamReaderBase.setInput(XMLStreamReaderBase.java:99)
         at weblogic.xml.stax.XMLStreamInputFactory.createXMLStreamReader(XMLStreamInputFactory.java:316)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntryStax(XmlDataStoreParser.java:98)
         at oracle.security.jps.internal.core.datastore.xml.XmlDataStoreParser.getDataStoreEntry(XmlDataStoreParser.java:180)
         Truncated. see log file for complete stacktrace
    >
    <22 Dec 2011 10:11:10 AM> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <22 Dec 2011 10:11:10 AM> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <22 Dec 2011 10:11:10 AM> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Process exited.
    This is what I have tried to do:
    delete the jazn-data.xml file under the DefaultDomain
    and I tried, in the folder C:\Oracle\Middleware\user_projects\domains\UCM_domain\config\fmwconfig, to open cwallet.sso, go to its Properties and then Security, and enable Full control, Modify, Read & execute, Read and Write permissions for the current user and apply it. But there is no Security option when I right-click cwallet.sso.
    And my access log is:
    27.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx?_afrLoop=49432564240140&_afrWindowMode=0&Adf-Window-Id=w0 HTTP/1.1" 302 315
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/adfAuthentication HTTP/1.1" 302 313
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx HTTP/1.1" 200 5821
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx?_afrLoop=49432609646747&_afrWindowMode=0&Adf-Window-Id=w0 HTTP/1.1" 302 315
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/adfAuthentication HTTP/1.1" 302 313
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx HTTP/1.1" 200 5821
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx?_afrLoop=49432662731333&_afrWindowMode=0&Adf-Window-Id=w0 HTTP/1.1" 302 315
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/adfAuthentication HTTP/1.1" 302 313
    127.0.0.1 - - [22/Dec/2011:12:10:09 -0800] "GET /StoreFrontModule/faces/login.jspx HTTP/1.1" 200 5821
    Edited by: user603350 on 2011/12/22 12:04 PM
    Edited by: user603350 on 2011/12/22 12:17 PM
    Edited by: user603350 on 2011/12/22 1:12 PM

    The problem is that your WLS domain is created in a directory whose path contains blank spaces (e.g. "...\Document and Settings\...").
    Please, have a look at this message for a solution: {message:id=9588131}
    Dimitar

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts,
    I have a remote site connected to the HQ wireless controller, and Cisco ISE is used as the RADIUS server. I am using the EAP-TLS authentication method, where the client will validate the server certificate and the server will validate the client certificate.
    I am using EAP-TLS and machine authentication.
    In the case of server certificate installation using an internal PKI (Root CA) server, I am quite clear that we can create a certificate in ISE and have it signed by the CA, which will be used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
    How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
    And more important is, which certificate will be installed on client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on the client machines? Sorry, it could be a Microsoft AD related question; however, I am pretty sure that we as wireless techies need to know even the client side configuration.
    This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
    How will the client wireless network adapter properties automatically be configured with the same SSID which is configured with EAP-TLS along with certificate validation?
    I am not sure... will it get pushed through AD? How will it happen?
    It would be really helpful if someone could shed light on this.

    Hello Vino,
    Some answers below:
    How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
    You have templates in the certificate authority for user or machine certificates, and you can apply these certificates to a group of machines or users using GPO in Windows Server 2008.
    It can be automatic because the machine can get it using GPO from the domain, and afterwards it can authenticate using 802.1X with the certificates received from this policy.
    If you want a user certificate and want to get it manually, you can also access the CA using the URL https://X.X.X.X/certsrv, request the user certificate manually using your domain credentials, and install it manually to authenticate using EAP-TLS with this user certificate.
    On the Cisco ISE side, it needs to have a local certificate from the same client CA or from another CA, and Cisco ISE needs to trust the clients' CA issuer to accept the client certificate and allow it to access the network.
    On the client side the same applies: the client needs to trust the issuer CA of the Cisco ISE certificate in order to validate the ISE certificate and get access to the network.
    And more important is, which certificate will be installed on client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on the client machines? Sorry, it could be a Microsoft AD related question; however, I am pretty sure that we as wireless techies need to know even the client side configuration.
    If you have a Windows Server with GPO and a CA configured, you can use templates to apply a machine certificate or user certificate automatically to a group of machines or users; in the case of machines it can be obtained from the domain using GPO, and in the case of user certificates it can be obtained manually or using GPO too.
    This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
    EAP-TLS is the most secure method to authenticate devices on the network because you have certificates and a trusted certificate authority, and only devices that have certificates from these CAs will be allowed to access the network.
    Another very secure method is EAP-FAST with machine and user certificates, where ISE will validate both the machine and the user certificate before allowing the device to access the network.
    How will the client wireless network adapter properties automatically be configured with the same SSID which is configured with EAP-TLS along with certificate validation?
    You can apply it using GPO in Windows Server to a domain machine too, but when you have a machine that is not a domain machine, you can use a user certificate to authenticate it; you need to install the user certificate manually on that machine to authenticate the user to the wireless network, and create the SSID specifying the policy, which is EAP-TLS.
    Remember that the client machine needs to have the CA issuer of the Cisco ISE certificate to trust Cisco ISE and get access to the network, and the opposite too (ISE needs to have the CA issuer to trust the client).
    I hope it helps.

  • Security policy from old GPO still applying after removal

    We have a Server 2k3 domain with a mix of 2k8R2 (PDC) and 2k3 DCs. We are currently in the process of replacing older 2k3 DC policies with newer policies. Policy A (AKA "Old policy") has always been a problem as it contains settings which cause errors in the event logs of the DCs it is applied to (ID 1020 "Windows cannot create registry key CurrentControlSet\Control\Session Manager. (The parameter is incorrect)" and 1096 "Windows cannot access the registry policy file, \\domain.com\sysvol\domain.com\Policies\{GUID}\Machine\registry.pol. (The parameter is incorrect)").
    Policy B (AKA "New policy") has been wonderful in the completely different AD Forest/Domain that we created it in, but is not happy after we copied it to this Domain.
    The new policy was exported as a Backup and imported by creating a new GPO on this domain and choosing "Import settings". We've previously encountered both the "hidden file" and "read only" issues with copying GPOs, so we avoided those by ensuring hidden files were copied and removing "read only" from the policy folder. The new policy was then applied to the Domain Controller OU with a higher precedence than the old policy. Neither policy is set to enforced and the links for both were enabled; both policies are set with GPO Status "Enabled", so the new policy should have overridden the older policy settings. After several gpupdate /force and reboots, the 2k3 domain controllers are showing in RSOP a red X on "Computer policy" with "Group policy Infrastructure" as failed with details "Group Policy Infrastructure processed successfully but failed to log resultant set of policy information".
    Under General with "Display all GPOs and filtering status", Old policy is lower than New policy.
    When drilling down to "User Rights Assignment" you can see that "Old Policy" is still the winning policy for all settings. Under "Administrative Templates", "New policy" is the winning policy. So it seems that the new policy is applying for admin template settings but not for security policies.
    I then disabled the old policy, which was reflected under the General tab filtering status as "Disabled", but the user rights assignment still showed Old policy as winning. I tried modifying the Old policy and saw that the serial number for the policy updated in the RSOP General tab. Then I completely removed the link for the policy from the DC OU and the policy disappeared from the General tab but still showed under User Rights Assignment.
    I've tried clearing the cached group policy from the machine with:
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
    and deleting [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft] from the registry and c:\windows\system32\GroupPolicy from the HD.
    Usually I'll get an error from RSOP about RSOP already running until I gpupdate /force, and then I'm back at square one.
    I've confirmed that the issue is not replication: the machine shows no errors in FRS and I've performed a non-authoritative SYSVOL restore on this server. repadmin shows no errors.
    I have not yet tried to demote/repromote the server as I'm unconvinced that will have any effect. I've seen this kind of issue on 2k3 servers where even after removing the server from the domain entirely, the policies from the domain still remain in effect to where you cannot even modify a setting from local gpedit.msc.
    It seems that something is causing security policies to stick from the old policy but is allowing admin template policies to apply from the new policy. Where would these old settings be cached, and how can I get them to go away?

    I've now also tried putting the machine in an OU with inheritance blocking and no policies applied.
    I've tried deleting [HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\History] and rebooting.
    I've turned on all the logging (http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx) and I can even see the .inf files created in c:\windows\security\templates\policy for each GPO, and the policy shows the correct settings.
    NTRights (http://ss64.com/nt/ntrights.html, http://support.microsoft.com/kb/315276) allows me to set the setting manually, and AccessChk (http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx) shows me the current settings, but I still cannot get RSOP to come back clean. I can also see in c:\windows\security\logs that some of the security settings I'm working on show up; "remove SeDebugPrivilege." for example shows up as having been removed from the local administrator, which was one of the changes I made.
    I've opened up a ticket with Microsoft Support but they haven't had any fresh ideas either. My best guess at this point is that policy is actually applying but RSOP is busted. I have no idea how to reset the RSOP data, however.
    At this point I'm trying to run WMIDiag to see if there's an issue with WMI, as several of the misc errors in the gpedit.log file come up with WMI related issues in Google ("InitializeRSOP failed with 0x80070102", "GetObject for event source of RSOP_ExtensionEventSource.id="{GUID}" failed with 0x80041002").
    I should clarify that AccessChk seems to indicate that the User Rights Assignment settings ARE applying but are not showing correctly in RSOP.
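    The post above checks the effective User Rights Assignment with secedit and AccessChk rather than trusting RSOP. The script below is an added example, not code from this thread: it parses the [Privilege Rights] section of a secedit /export /cfg <file> result and diffs each right against the baseline the central GPO is expected to set, so a server with a locally granted right (or a right that is missing, as with SeDebugPrivilege above) stands out. The export text, the baseline and the account name svc_localapp are constructed sample data, not taken from any real server.

```python
"""Diff User Rights Assignment from a secedit export against a GPO baseline.

Added example for this thread, not the poster's code. Assumes the export was
produced on the server with:  secedit /export /cfg C:\secpol.inf
"""
import re
import sys
from pathlib import Path

# Constructed sample of a "secedit /export" result (not a real server's output).
# secedit writes SIDs with a leading '*' and unresolvable names bare.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,svc_localapp
SeDebugPrivilege =
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed baseline: what the central GPO is expected to set on every server.
# S-1-5-32-544 Administrators, -551 Backup Operators, -559 Performance Log Users,
# -555 Remote Desktop Users (well-known local group SIDs).
BASELINE = {
    "SeBatchLogonPrivilege": {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-32-559"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeRemoteInteractiveLogonRight": {"S-1-5-32-544", "S-1-5-32-555"},
}

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_privilege_rights(text):
    """Return {privilege: set(principals)} from the [Privilege Rights] section.

    The '*' SID prefix is stripped so SIDs and bare names compare as plain strings.
    A right listed with an empty value (nobody holds it) yields an empty set.
    """
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            in_section = m.group("name").lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rights[key.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def read_export(path):
    """secedit normally writes UTF-16LE with a BOM; fall back to UTF-8 otherwise."""
    data = Path(path).read_bytes()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def diff_rights(actual, baseline):
    """Return {privilege: (unexpected, missing)} for every right that deviates.

    A right present locally but absent from the baseline counts as fully unexpected;
    a baseline right absent from the export counts as fully missing.
    """
    result = {}
    for priv in sorted(set(actual) | set(baseline)):
        have = actual.get(priv, set())
        want = baseline.get(priv, set())
        unexpected, missing = have - want, want - have
        if unexpected or missing:
            result[priv] = (unexpected, missing)
    return result


def report(text, baseline=BASELINE):
    """One line per deviation; an empty list means the server matches the baseline."""
    lines = []
    for priv, (unexpected, missing) in diff_rights(parse_privilege_rights(text), baseline).items():
        if unexpected:
            lines.append(f"{priv}: granted locally, not in baseline: {', '.join(sorted(unexpected))}")
        if missing:
            lines.append(f"{priv}: required by baseline, absent locally: {', '.join(sorted(missing))}")
    return lines


if __name__ == "__main__":
    text = read_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line in report(text) or ["no deviations from baseline"]:
        print(line)
```

    Run with the path of an export to check a real server, or with no argument to see the two deviations in the constructed sample (a local batch-logon grant and the missing SeDebugPrivilege).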

  • Service level accounts and security policy

    Hello Experts,
    We would like to roll out a production environment at a customer. The documentation does not provide a very good solution for the scenario where service level accounts change.
    The customer's security policy requires all administrative accounts to be named e.g. firstname.lastname@domain. Generic accounts such as productadmin@domain, which are not identifiable, cannot be used on production servers.
    It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server etc.).
    If a specific domain user is also a member of the local administrators group, he/she can install the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter cannot access the system with administrative rights.
    Moreover, if the BPC administrator's account is disabled for whatever reason, the system fails.
    Are there any good suggestions for this kind of scenario?
    Thanks

    Thanks Scott,
    This is what I have suggested but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems, the administrative accounts can only be personal accounts like firstname.lastname@domain.
    It seems that the only solution is to use administrator's personal credentials and in case those change, they need to go through the Ops guide and change everything manually.
    Luckily there is a slightly simpler way to do this. Instead of manually changing credentials for every COM+ app as the Ops Guide suggests, you only need to change three of them:
    OsoftDatabaseADMIN
    OsoftDatabaseSYSADMIN
    OsoftDatabaseUSER
    Then use Service Manager password reset function and it will update all COM+ apps in one go.

  • How do I resolve this error in Safari Your page is blocked due to a security policy that prohibits access to Category Remote Proxies"?

    I'm trying to access several pages and keep getting "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies". After going over all my security stuff I just can't find where I would correct the error.
    Is there anyone who could help me?
    Thanks
    Fr. Gary

    very strange,
    1. check time and date on your computer
    2. reset network configuration, make sure there are no proxy servers and you get DNS from your router not manual
    3. Reset certificates database
    Go to Terminal (Applications>Utilities)
    sudo rm /var/db/crls/*cache.db
    (you will be prompted for your password)
    and reboot the computer
    post back

  • Implementing Sites for a new Single Domain Environment and effects on Exchange

    Copied from the Active Directory forums at the suggestion of replies there.
    I didn't find exactly what I was looking for so decided to create my own question to get some direct feedback.
    Currently we have a single domain environment with two domain controllers located at two separate sites. When the domain was first set up, no configuration was done in the Sites and Services module for Active Directory. The two domain controllers we have are
    currently located in the Default-First-Site-Name container. We do not have any subnets configured with the Sites and Services module.
    These two domain controllers are located at two different sites with different IP schemes and the sites are connected with a high speed site-to-site VPN. We also have 2 satellite offices with their own IP schemes as well with more offices to come. In the future
    domain controllers will be placed at these satellite offices which are connected with a slower site-to-site VPN to the main offices.
    All replication and network functions are working well now, but I would like to know what the effects would be and what to watch out for if I create sites for our environment. I am particularly concerned about our Exchange 2010 server and need to make sure
    that the change will not disrupt communications between it and the domain controllers.
    I would like to create a site for each of our locations and link the subnet to that site now so that when we install the domain controllers the configuration is ready.
    Any suggestions or input is highly appreciated thank you in advance.

    Exchange will be an issue only if your Exchange servers span sites when your new Windows sites are created. If you have Exchange servers all in a single location, adding sites to your Windows forest will cause no issues. However, if you have Exchange servers in both locations, as soon as a new site is defined for an Exchange server in a separate location from your other Exchange servers, you will start having issues. Let me give some examples so you can see what problems might occur:
    Two datacenters, one Windows site, Exchange mailbox servers in both locations (primary and DR), but hub and CAS roles only in the primary datacenter:
    In this situation, as soon as your second site is defined, the server in the DR datacenter will no longer be receiving mail - there is no hub to deliver it - and users will no longer be able to access their mailboxes - there is no CAS to support them.
    Solution: Add hub and CAS to the second datacenter and all is well with the world.
    Two datacenters, one Windows site, Exchange multirole servers in both locations (primary and DR), but CAS Array defined:
    Now we have a little bit better setup, since we have all roles in both locations. However, the CAS array in the primary site isn't going to be able to support your client connections in the DR site - so users will be connecting directly to the CAS servers in the DR site (not optimum). Solution: Define a second CAS array for the DR site, with its own load balancer, and configure the databases in your DR location to use that CAS array as the RPC Client Access Server.
    There are other oddities, but as you can see, there will definitely be issues if your Exchange servers aren't all in the same location and you start defining Windows sites...

Maybe you are looking for