Lync2013 Dual Factor authentication using PingFederate ADFS

Similar Messages

• Oracle ADF 11g – Authentication using Custom ADF Login Form Problem

  Hi Guys,
  I am trying to Authenticate my adf application using custom Login Form.
  following this..
  http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/#respond
  But my Login Page is not Loading.I think its sending request in chain.my jdev version is 11.1.1.5.Any Idea.
  Thanks,
  Raul

  Hi Frank,
  I deleted bounded code and In another Unit Test I created a simple login.jspx page and applied form based authentication but still facing same problem means something wrong in starting.
  My login.jspx page is
  <?xml version='1.0' encoding='UTF-8'?>
  <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
            xmlns:f="http://java.sun.com/jsf/core"
            xmlns:h="http://java.sun.com/jsf/html"
            xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
    <jsp:directive.page contentType="text/html;charset=UTF-8"/>
    <f:view>
      <af:document id="d1" >
        <af:form id="f1" >
          <af:panelFormLayout id="pfl1">       
            <af:inputText label="USERNAME" id="it1"
                          />       
            <af:inputText label="PASSWORD" id="it2"
                            />
            <af:commandButton text="LOG IN" id="cb1" />
            <f:facet name="footer">       
            </f:facet>                 
          </af:panelFormLayout>
        </af:form>
      </af:document>
    </f:view>
  </jsp:root>
  Don't know wht real problem is

• 2 Factor Authentication for Anyconnect VPN using ISE

  We are planning to implement dual factor authentication for Anyconnect VPN.
  The end users will be authenticated using domain name in machine certificates and username password with
  ISE used as radius server.
  We have the following approaches to achieve this :-
  1. Use primary and secondary authentication with user credentials as primary authentication
  and CN field of the certificate as secondary authentication.However this option prompts users for password for
  both the fields while we want the machine certificate to authenticate itself without a password.
  2. Second approach is to authenticate using user credentials and authorize the user to access the network if
  the machine certificate has a domain name in CN field which we are able to validate from the AD using
  Dynamic Access Policy.
  We are looking forward for discussions on the above approaches and are open to any other
  solution.

  Hi Umahar,
  Not sure I understood correct. You would like to authenticate the user using machine certificate for anyconnect and want to extract CN attribute the client's certificate and send it to the ISE server for further authenticate with AD. And also you don't want an additional password prompt to be produced to the user.
  If my understanding is correct. Then user would get a prompt for the password atleast because in the machine certificate there won't be password, but to authenticate with RADIUS/TACACS , we need both username and password. So how will the user gets authenticated without password.
  If you are looking a way to just see if the user is present under AD, not exactly and authentication then this might not be possible.

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

  I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
  When I log into my site using Windows Auth, everything is great.  However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
  to use to log in   and after 3-5 second
   and return me the logon page with error message “Authentication failed” 
  I base my setup on the technet article
  http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
  I validated than all my certificate are valid and able to retrieve the crl
  I got in eventlog id 300
  The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
  Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  Additional Data
  Exception details:
  Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
  ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
  correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
  serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
  trustNamespace, AsyncCallback callback, Object state)
  System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
  failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  thx
  Stef71

  This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
  on my case was :
  PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ad0001.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
  Certificate                 : [Subject]
                                  CN=domain.AD0001CA, DC=domain, DC=com
                                [Issuer]
                                  CN=domain.AD0001CA, DC=portal, DC=com
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  22/07/2014 11:32:05
                                [Not After]
                                  22/07/2024 11:42:00
                                [Thumbprint]
                                  blablabla
  Name                        : domain.ad0001
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : domain.ad0001
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17164
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ADFS_Signing.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
  Certificate                 : [Subject]
                                  CN=ADFS Signing - adfs.domain
                                [Issuer]
                                  CN=ADFS Signing - adfs.domain
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  23/07/2014 07:14:03
                                [Not After]
                                  23/07/2015 07:14:03
                                [Thumbprint]
                                  blablabla
  Name                        : Token Signing Cert
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : Token Signing Cert
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17184
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.PORTAL>

• Apple ID - Two Factor Authentication (and why I stopped using it)

  The Apple devices I use every day consist of the following:
  2009 MacBook Pro 17" (home)
  iPhone 6 (home)
  2012 MacBook Pro Retina (work)
  My home devices are all logged in using my Apple ID as usual, and my work laptop uses a Apple ID specific to work, but with my personal Apple ID logged in for iMessage and FaceTime (pretty standard, I presume, for people with full-time work laptops they can bring home, etc.). Now, since I have multiple devices which are constantly syncing everything back and forth, whether it be something as simple as my contacts or as delicate and near and dear to my heart as my photo collection, I felt that maybe I should use two factor authentication for my home Apple ID, just to be on the safe side. I recognize that the two factor authentication only protects iMessage and FaceTime currently, but I implemented it with hopes that someday they will incorporate everything about iCloud and other services synced between Apple devices that you would assume should be covered by a two factor authentication update/overhaul.
  I liked this idea very much, as I use two factor for almost everything I can, but things started to fall apart one day when I had to switch to a temporary work laptop and decided to log in to iMessage with a new app specific password, as you would need to on a new device (unless you wrote down the original iMessage password, which is a terrible thing to do). When I went to create my new iMessage password for work laptop B, I decided to revoke work laptop A's iMessage password while it went in for repairs. This wasn't so bad until something seemed funny about my phone, as it was asking for me to log into iMessage again. Now, I had created a separate password for work laptop A's iMessage when I first logged in a while back, as well as a separate password for the temporary work laptop B so it didn't interfere with my other generated passwords. Apparently this didn't matter.
  I continued and created a new app password for my phone, but when I got home, wouldn't you know it, I had to log into iMessage on my home laptop again as well. I had to create a new password for that, which seemed to work for a while, but then I was prompted to enter my iMessage password on my phone again once I revoked my home laptop's iMessage password. Not following? No, me either. It seemed to me that creating separate app specific passwords for me to use across my devices didn't stay as separate as I thought they should, but instead they somehow seemed to be dependent on one another. Since I had a frustrating time trying to activate iMessage again on my iPhone and laptops on multiple occasions while this was happening, I decided to disable two factor authentication altogether.
  I suppose I should ask a question here, so here goes: has anyone else encountered this horrific two factor authentication/app specific password management issue for their own account? Have you been able to resolve it, and if so, any helpful suggestions? Thanks!

  I had also thought that initially, but after turning it on, I went to sign into iMessage with my Apple ID and regular Apple ID password, but it prompted me to create an app specific password to sign in since I had two factor authentication on, as it wouldn't let me use my regular Apple ID password to log in (which I could use to log in for everything else but iMessage and FaceTime). It was nice since I was prompted to provide a code sent to an Apple device of my choosing when signing into the Apple ID management site or iCloud.com, but forcing me to create app specific passwords for iMessage and FaceTime is kind of ridiculous and frustrating. Maybe there's a way to have two factor authentication without the need for app specific passwords? Or if not, then perhaps that would be a great option to present users when turning that feature on.

• Scan to Email not working - Invalid Credentials error (using gmail and 2-factor authentication)

  I configured the HP OfficeJet 8600 printer for scan to email using the Embedded Web Server interface. In the Web interface, I added/entered an email address for my gmail account, and set the correct SMTP server details, and entered 465 for the port number. I checked the "Always use secure connection" box, as well as the "SMTP requires authentication for outgoing email messages" box. I entered correct SMTP user ID and password. Yet when I did a test, I got an error "Invalid credentials" After a lot of frustration, and trying all sorts of things, I eventually got the idea to try another email account. This time I tried a different email account, a netzero email account, configured the smtp server details for it etc. And this time when I tested the netzero email address it worked. I tried the scan to email on the printer, and it worked for the Netzero email account. it just didnt work for the gmail account. I had a while back turned on 2-factor authentication. I went to gmail settings and requested an "App password" for my HP printer. Google/gmail displayed a 16 character password, which I then entered into the password box in the HP OfficeJet printer Embedded Web Server interface (instead of my usual password), for the gmail account. And this time when I tested the email account - it worked! Problem solved! .. I share this just in case anyone else is having the same problem I had, and is going through the same frustrating experience I endured!  

  Thank you. This helped TREMENDOUSLY! 

• Can you use Multi Factor Authentication server with Central NPS and RD Gateway?

  Hi,
  Does anyone have any experience getting the Azure Multi-Factor Authentication (MFA) on-premise server, working with a Remote Desktop Gateway server, and a centralised NPS server?  I can get a solution whereby a user can get the second token (phone call/sms
  etc.) but the connection never gets established.  It looks like its looping as it repeats the phone call/text for a second time but again no connection.  I can’t figure out why.
  All the blogs are very vague as to whether you can combine a new MFA NPS connection policy with an existing username/group membership NPS policy on a centralised NPS server (with RAP/CAP policies).
  I need to understand whether we can combine both an MFA Radius policy with a Username/Password plus group membership NPS policy together to achieve two factor authentication.
  Do you have the Remote Desktop Gateway Server connect to the Central NPS server and then the NPS server use the MFA server as its proxy server? In effect turning the NPS server into a proxy Radius server?  
  Or do you configure the Remote Desktop Gateway server to use the MFA server as the proxy Radius server, and configure the MFA server to send on Radius requests to the central NPS server?
  Or either of these scenarios not supported and you can only use the MFA server as the only Radius server in the auth. process? (bypassing NPS policies?)
  Thanks if someone can assist,
  I’ve been using these blogs but to no successful effect:
  http://technet.microsoft.com/en-us/library/dn394287.aspx
  http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
  http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/

  Hi Michael,
  Thank you for posting in Windows Server Forum.
  After going through your description, I can say that we can use MFA server with central NPS and RD Gateway. Also the link which you have provided points the step to apply. In addition you can refer below article.
  Configure Remote Desktop Gateway to use Multi-Factor AuthenticationConfigure Remote Desktop Gateway to use Multi-Factor Authentication 
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Two-factor authentication by using Digital Cert

  Dear Friends,
  I am trying to implement two-factor authentication on any connect vpn. While uploading identity certificate on the windows 2008 server ,getting below mentioned error
  Please help on this.
  Regards,
  Shinu Mathew

  Hi Lars,
  If you are using SMS PASSCODE, go to  http://www.smspasscode.com/support  and ask them to send you the setup guide or walk you through the configuration.
  Kind Regards
  Lars (@smspasscode).

• Zuul - Simple two-factor authentication for SSH unless using publickey

  To quote myself:
  I wrote:I have a few machines I want to access using SSH. I use public keys when connecting from a trusted computer. However, I also want to access the machines from other computers using passwords. To eliminate the consequences of brute force password cracking or even stolen passwords, I been looking for a two-factor authentication scheme to use if anything but public keys are used. The method described here lets me log in using publickeys without any further hassle, while I must enter a second, one time password delivered to my mobile phone by email if I use a password.
  Comments are welcome! (Especially on a better way to figure out what authentication method the current SSH session used)
  https://github.com/halhen/techsperiment … aster/zuul

  Finally, this is what I looking. Thanks for giving the link.

• Questions regarding authentication used in SRDemo ADF Tutorial

  Hello,
  I am currently in the process of learning ADF with the help of SR Demo application from OTN.
  I have a few questions regarding the authentication used in SRDemo ADF Tutorial.
  1) Why do I need to specify the list of the all the users in the jazn-data.xml file with the name and credential attributes?
  2) How I change the authentication mechanism to point to database tables.(If it's not using, correct me if I am wrong).
  3) The prompt which I am getting for authentication is like OEM authentication. Can I change this to a normal authentication login page?
  4) As an option I would like to pass the person who logged in to windows , should be able to log in to the application. How can I pass the username(which I have in a java string) to my application and get logged in?
  Any help is highly appreciable.
  Thanks

  Read these two, should help
  http://technology.amis.nl/blog/?p=1462
  http://stegemanoracle.blogspot.com/2006/02/using-custom-login-module-with-jdev.html
  But to be honest, I couldn't get it working.

• Two Factor Authentication on Windows Server 2008 R2

  We have a small 2008 R2 Active Directory environment with 2 domain controllers and 13 member servers. We have no additional features such as an RDP gateway or Federation Services - just a plain AD setup. We now have a requirement from our client to have
  a two factor authentication solution for each time we logon to any server, either using RDP or locally. We only have 4 admins that ever logon to these servers - we do not have any "regular" users.
  Is there anything out there that would work in this environment without having to modify our AD (at least nothing major)?
  Thanks

  Hi,
  You may consider smart card:
  Smart Card Overview
  http://technet.microsoft.com/en-us/library/hh831433.aspx
  Understanding Requirements for Connecting to a Remote Desktop Gateway Server
  http://technet.microsoft.com/en-us/library/cc770519.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Having trouble with Google 2 factor authentication and Mac Calendar

  Hello!  I recently started using Google 2-factor authentication on my Google Apps (Pro) account, and have successfully configured my gmail settings in OS X Mail so that inbound/outbound work correctly.  Here's where the problem is:  OS X uses a single password in the system account settings for calendar/contacts/notes, etc, so enter the login/password once and check the boxes for what services you want to use. But Google sees these as distinctly different apps, so when I enter an app-specific password, it only registers for one (i.e.:  contacts), but not for another or the rest of them (like calendar).  Has anyone had experience in setting this up? How can you get app-specific passwords to work with the rest of the OS X system applications besides mail?
  Thank you!

  Unfortunately, I already tried this several times prior to posting here.  The system won't let me add the same account more than once, and continues to prompt me for a password multiple times for each service.

• Visual Studio 2013 Community Azure Login Not Working with Two-factor Authentication

  Has anybody had any problems logging in to Azure to publish when using Visual Studio 2013 Community and with two-factor authentication turned on?
  I couldn't log on until I turned off two-factor authentication.
  Regards

  Hello John,
  Thanks for posting here!
  You can try and set a credential helper like
  git-credential-winstore in order to cache your credentials. See if that helps.
  Couple of questions here:
  1) Are you using a MSA account by any chance?
  2) When you turn on two-factor authentication, do you get any error message?
  3) Did you try with different browsers?
  Looking forward to your response!
  Regards,
  Sadiqh

• How do I know if I set up Apple's two factor authentication?

  How can I tell if I ever set up Apple's two factor authentication and should make sure I can find the Recovery Key?

  Hi David,
  You can check to see whether you turned on two-step verification for your Apple ID by seeing if it will allow you to turn it off. Follow the instructions in this article, though you do not actually have to turn it off -
  Apple ID: Turning off two-step verification for your Apple ID - Apple Support
  Read this article for more information on two-step verification, including the Recovery Key -
  Frequently asked questions about two-step verification for Apple ID - Apple Support
  Thanks for using Apple Support Communities.
  Best,
  Brett L