MAC-Based Authentication

I am sorry if this has been asked before or it is the wrong place to ask this.
I just want to know how secure is MAC-Based Authentication on an AP340 access-point (not bridge) with version 11.07.
I've done this by adding 'Dest MAC Address' in 'Address Filters' under 'Association' in 'Setup'.
Also selected 'Disallowed' for 'Default Unicast Address Filter' for all the relevant authentication types in 'Advanced' for 'AP Radio' of the 'Network Ports' in 'Setup'.
Thanks for any suggestions.

If an attacker has a network analizer, they can see the MAC address in use (even if WEP is being used as the MAC must not be encrypted)
Some 802.11 NICs allow the user to configure a MAC address into the NIC.
So the attacker *could*:
1. observe a valid NIC in use
2. program that MAC into their NIC
3. Wait till the valid user has gone home
4. Use the NIC they have programmed to access your network from the safty of the parking lot.
LEAP or VPNs provide a much more secure solution

Similar Messages

  • 802.1x mac based authentication

    We have Cisco ACS 3.3 is there a way to do authentication based on mac address, instead of username and password? We are looking to stop things such as user purchased access points and what not. Any info would be great.

    Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your AP's, not the switches. That is why I made mention to port security.
    The 2 options would be standard port security or 802.1x port security if you switches support this.
    In order to use the 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc) in order for them to work, not by MAC address alone.
    You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.
    standard port base security by MAC:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
    802.1x port based security:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

  • 802.1x Mac-Adress Based Authentication

    I am wondering if we are going to see or now have the ability to authenticate hosts on the lan with something other than a Username / Password? I am mostly concerned with ports on my network that the end device is a non 802.1x compliant device. Anyone have any insight as to what others are doing? Currently i am running ACS 3.3.2 and I am very succesful in deploying 802.1x to ports on my LAN, however we run a mix of unix based devices which are vendor supported and printers are another source of concern.

    We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
    We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
    Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

  • How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

    Hi dearI 
    How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

    Olivier,
    You can't reference WLP visitor roles in weblogic.xml, but you can
    reference global roles (created using the WLS console):
    - <security-role-assignment>
    <role-name>PortalSystemAdministrator</role-name>
    <externally-defined />
    </security-role-assignment>
    -Phil
    "Olivier" <[email protected]> wrote in message
    news:[email protected]..
    >
    We need to have login page to our portal app.
    When using "form based" authentication is it possible to map the securityon a
    "entitlement role" ?
    Our need is to be abled to give direct url acces to some pages of theportal (for
    exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
    Label=mypage")"
    by email to portal users) and need a simple mecanism of authenticationbefore
    redirecting to the portal page.
    Inste

  • ActiveSync with Certificate-Based Authentication

    We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
    What has been done so far:
    OWA over https works fine. A public, trusted certificate is in place.
    Setup ActiveSync against this Exchange server: works fine, using user name/password.
    Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
    Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
    Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
    After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
    The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
    Any help will be greatly appreciated.
    Roman.

    No-one with this experience?
    We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
    That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

  • Port-Based Authentication on 877

    Hi 
    I have applied following commands to enable Port-Based Authentication but when I run command sh mac address-table it shows static mac on this port   (  xx    0000.xxxx.xxxx    STATIC      Gi1/0/3) .  
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan xx
    authentication event no-response action authorize vlan xx
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    As I remove command authentication port-control auto then sh mac address-table  command shows me DYNAMIC MAC.
    Anyone can please let explain me why it is happing 
    Regards,

    Any input?

  • Mac adress authentication with Radius

    Hello all
    we have an WiFi architecture based on two Radius servers (ACS 3.2)
    We make a Mac adress authentication with WEP on these Radius servers. Ours Wirelless cards are Proxim Orinoco. When we used the user and the passord identified by the mac adress manualy that works.
    But, the authentication by Mac adress with the wireless card don't work. The log on the radius servers are "CS PASSWORD INVALID".
    Ideas ?
    Regards

    First ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenitcated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstall it to check if this works.

  • SRW switches and MAC-based filtering

    Hello, i looking for some guide how i can setup MAC-based filtering in ACL.
    Please have step-by-step guide?
    Thank you
    Tomas

    802.1X authentication and MAC-based address filtering can be administered on SRW switches via their web based GUI.
    There is very good documentation on each model...
    example:
    http://www.cisco.com/en/US/products/ps9988/index.html
    then select acl....
    http://www.cisco.com/en/US/products/ps9967/products_qanda_item09186a0080a363de.shtml
    bingo?

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Cannot create dataset from claims based authentication sharepoint site in report builder 3.0

    I have a sharepoint site, which is configured as claims based authentication (ref:
    http://ashrafhossain.wordpress.com/2011/05/25/how-to-configure-claim-based-authentication-for-sharepoint-project-server-2010/) . both AD and asp.net members can log in to the site successfully. My user need to use the report build to create report
    on this sharepoint site. As a result, the site is also integrated with reporting service. I try to create a report in the sharepoint site by clicking "New Document" -> "Report builder Report". The report builder will comes out and ask for credential to
    connect to the report server. I use asp.net member to login and it can let me to create a data source which connect to a the list of the sharepoint site with credential option "Use current Windows user. Kerberos delegation might be required". However, when
    I try to create a data set and click the query designer, error "Server was unable to process request. ---> Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" appear as below:
    Besides, non of my AD account can be used to login to the report builder. Errors below found in the ULS log:
    09/26/2012 14:47:27.75 w3wp.exe (0x116C)
    0x11F4 SharePoint Foundation
    Claims Authentication fo1t
    Monitorable SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated.
    (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
    09/26/2012 14:47:27.76 w3wp.exe (0x140C)
    0x0F38 SharePoint Foundation
    Claims Authentication fsq7
    High Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message
    response)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)     at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken
    rst)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    524a2f96-f5ff-4c96-80d1-f08d3c7ef14f
    09/26/2012 14:47:27.76 w3wp.exe (0x140C)
    0x0F38 SharePoint Foundation
    Claims Authentication 8306
    Critical An exception occurred when trying to issue security token: The security token username and password could not be validated..
    524a2f96-f5ff-4c96-80d1-f08d3c7ef14f

    Hi Foxvito,
    Claims authentication types supported by SharePoint 2010 are Windows Claims, forms-based authentication Claims, and SAML Claims. In SAML-Claims mode, SharePoint Server accepts SAML tokens from a trusted external Security Token Provider (TST). From the
    blog you referenced, it seems to use the SAML Claims authentication.
    However, the Reporting Services client applications: Report Builder, the Report Designer in Business Intelligence Development Studio, and Management Studio do not support connecting and authenticating with LiveID or SAML Claims based SharePoint Web applications.
    That's because the SAML Claims don't use the Reporting Services authentication endpoint. So, you have to change the Claims authentication type to use Report Builder on the SharePoint site.
    References:
    Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
    Claims Authentication and Reporting Services
    Regards,
    Mike Yin
    Mike Yin
    TechNet Community Support

  • Claims Based Authentication and Editing User Profiles

    Hi All,
    I have an interesting issue where I have a SharePoint Farm setup with both the intranet and mysites web applications setup using Claims Based Authentication. While everything seems to work fine, you are able to search for users, view properties and users
    can change their own profile properties. However when you configure a profile administration account (an account with the "manage user profiles" permission on the User Profile Service Application) and you attempt to use that account to edit
    another users profile you get hit with a generic error page. 
    Delving deeper you get the following errors:
    ULS:
    Date    Process    Thread Id    Area    Category    Event Id    Level    Correlation    Message
    5/7/2013 00:31:44:64    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Name=Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|DOMAIN\sp_config, ClaimsCount=24
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Site=/
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    00000    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     UserAgent not available, file operations may not be optimized.
    at Microsoft.SharePoint.SPFileStreamManager.CreateCobaltStreamContainer(SPFileStreamStore spfs, ILockBytes ilb, Boolean copyOnFirstWrite, Boolean disposeIlb)  
    at Microsoft.SharePoint.SPFileStreamManager.SetInputLockBytes(SPFileInfo& fileInfo, SqlSession session, PrefetchResult prefetchResult)  
    at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBufferFactory.CreateFromDocumentRowset(Guid databaseId, SqlSession session, SPFileStreamManager spfstm, Object[] metadataRow, SPRowset contentRowset, SPDocumentBindRequest& dbreq, SPDocumentBindResults&
    dbres)  
    at Microsoft.SharePoint.SPSqlClient.GetDocumentContentRow(Int32 rowOrd, Object ospFileStmMgr, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequest.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean&
    pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified,
    String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean&
    pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid&
    pgDocScopeId)  
    at Microsoft.SharePoint.SPWeb.GetWebPartPageContent(Uri pageUrl, Int32 pageVersion, PageView requestedView, HttpContext context, Boolean forRender, Boolean includeHidden, Boolean mainFileRequest, Boolean fetchDependencyInformation, Boolean& ghostedPage,
    String& siteRoot, Guid& siteId, Int64& bytes, Guid& docId, UInt32& docVersion, String& timeLastModified, Byte& level, Object& buildDependencySetData, UInt32& dependencyCount, Object& buildDependencies, SPWebPartCollectionInitialState&
    initialState, Object& oMultipleMeetingDoclibRootFolders, String& redirectUrl, Boolean& ObjectIsList, Guid& listId)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.FetchWebPartPageInformationForInit(HttpContext context, SPWeb spweb, Boolean mainFileRequest, String path, Boolean impersonate, Boolean& isAppWeb, Boolean& fGhostedPage, Guid& docId,
    UInt32& docVersion, String& timeLastModified, SPFileLevel& spLevel, String& masterPageUrl, String& customMasterPageUrl, String& webUrl, String& siteUrl, Guid& siteId, Object& buildDependencySetData, SPWebPartCollectionInitialState&
    initialState, String& siteRoot, String& redirectUrl, Object& oMultipleMeetingDoclibRootFolders, Boolean& objectIsList, Guid& listId, Int64& bytes)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.GetWebPartPageData(HttpContext context, String path, Boolean throwIfFileNotFound)  
    at Microsoft.SharePoint.ApplicationRuntime.SPVirtualPathProvider.GetCacheKey(String virtualPath)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultFromCacheInternal(VirtualPath virtualPath, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)  
    at System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection)  
    at System.Web.UI.Page.ApplyMasterPage()  
    at System.Web.UI.Page.PerformPreInit()  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)  
    at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)  
    at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)  
    at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    aiv4w    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Spent 0 ms to bind 33542 byte file stream
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z6    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User was not successfully retrieved: i:0#.w|DOMAIN\AUSER in ProfileUI.OnInit. Seeing if this is a system account
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z7    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User i:0#.w|DOMAIN\AUSER not found and not a system account.
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7m    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileUI: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7h    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileEditor: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    8nca    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Application error when access /_layouts/15/EditProfile.aspx, Error=DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    Runtime    tkau    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    ajlz0    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.HandleError(Exception e)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    aat87    Monitorable    4001199c-6bd8-c03d-920f-55177fbff00c  
    5/7/2013 00:31:44:73    App Pool: MySites    0x1DC8    SharePoint Foundation    Monitoring    b4ly    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Leaving Monitored Scope (Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)).
    Execution Time=87.1739285300227
    It seems similar to an issue in the blog post here: http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013/ however I tried what was suggested and it didn't work.
    Any help with this is appriciated.

    This line offers clues about the actual problem:
    Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER 
    According to the MSDN link (http://msdn.microsoft.com/en-us/library/microsoft.office.server.userprofiles.usernotfoundexception.aspx)
    it is not able to find the user in the profile store. Additionally the link you mentioned (http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013)
    suggests that the account being used to validate accounts on the production domain may have a problem.
    If there a way you can test that account in isolation against the DC?
    With Regards Shailen Sukul Entrepreneur/Software Architect/Developer/Consultant/Trainer (BSc | Mct | Mcpd (.Net 2/3.5/SharePoint2010) | Mcts (Sharepoint 2010/MOSS/WSS), Biztalk, Web, Win, Dist Apps) | Mcitp(SharePoint) | Mcsd.NET | Mcsd | Mcad) MSN | Skype
    | GTalk Id: shailensukul Twitter: http://twitter.com/shailensukul Website: http://sukul.org Blog: http://shailen.sukul.org/ http://www.linkedin.com/in/shailensukul

  • Claims Based Authentication SPSecurityTokenService.Issue() failed: The security token username and password could not be validated.

    Please excuse the lousy table...Its late :-)
    I have a multi-server SP2010 farm.  Patched up to
    Configuration database version: 14.0.6106.5002
    My goal is to have a claims based web application that authenticated to ADAM for Extranet.  I have configured the servers exactly to MSDN and technet specs (following this spec to the
    letter (
    http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
    IT WORKS IN DEV!!! , which is a single server farm.  However, it does not work in production.  I get the following:
    Claims Auth log entries:
    1:06:25 AM
    w3wp.exe (0x0EDC)                      
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    f2ut
    Verbose
    Authenticated with login provider. Validating request security token.
    1:06:25 AM
    w3wp.exe (0x0EDC)                      
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    0
    Verbose
    Using membership provider 'ADAMProvider'.
    1:06:25 AM
    w3wp.exe (0x0EDC)                      
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    0
    Verbose
    Doing password check on '[email protected]'.
    1:06:46 AM
    w3wp.exe (0x0EDC)                      
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    0
    Verbose
    Failed password check on '[email protected]'.
    1:06:46 AM
    w3wp.exe (0x0EDC)               
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    0
    Unexpected
    Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security
    token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
    1:06:46 AM
    w3wp.exe (0x0EDC)                      
    0x1790
    SharePoint Foundation        
    Claims Authentication        
    fo1t
    Monitorable
    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password
    could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
    1:06:46 AM
    w3wp.exe (0x1B34)                      
    0x08A0
    SharePoint Foundation        
    Claims Authentication        
    fsq7
    High   
    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.    
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)    
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)  
      at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)    
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    1:06:46 AM
    w3wp.exe (0x1B34)                      
    0x08A0
    SharePoint Foundation        
    Claims Authentication        
    8306
    Critical
    An exception occurred when trying to issue security token: The security token username and password could not be validated..
    1:06:46 AM
    w3wp.exe (0x1B34)                      
    0x08A0
    SharePoint Foundation        
    Claims Authentication        
    f2un
    Verbose
    Form authentication failed.
    I have tried EVERYTHING (well, nt everything, I don’t have the fix I suppose). 
     I found plenty out there and nothing directly correlates with this issue. 
    I searched on all parts of the errors I got.
    This contains an interesting blurb about setting up access for the apppool id correctly. 
    That’s not the case for me.  It works in dev and the same id are used there. 
    http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
    This was good but it doesn’t give specs on what the environment looks like:
    http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
    The was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
    Any and all help would be greatly appreciated!

    Hi.
    You say its a multiserver farm, do you have more than one web server then?
    If thats the case, have you tried accessing the site on each server directly?
    Found this for you, maybe that can help?
    Troubleshooting Exceptions: System.ServiceModel.FaultException`1
    http://msdn.microsoft.com/en-us/library/bb907220.aspx
    and this:
    SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
    http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
    and
    This seems to be a good guide:
    http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
    Good luck
    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com

  • Sharepoint 2010 on Windows 2012R2 and claims based authentication

    Hello,
    We have installed a sharepoint 2010 SP2 CU dec 2014 on a Windows 2012R2 server.
    The installation went without problems.
    However, we want to use claims based authentication on a certain web app pool.
    Therefore some configuration on IIS is required.
    The first issue we ran into, is the web application pool uses ASP.NET 2.0, which is the default settings.
    However, using this ASP.NET Version 2.0 the feature "Providers" and ".net users" are invisible.
    When changing the .net version to 4.0, the features comes back again.
    I can fill in the connection strings without problem.
    The providers feature however, gives me the following errors:
    There is a duplicate .... sections defined.
    When googling on this error, it seems that on .net 4.0 these sections are already globbally defined in the machine.config, So i removed these entries in the machine.config
    These are the lines that are "double"
    <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false"
    allowDefinition="MachineToApplication"/>
    <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere"
    />
    <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"
    />
    <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false"
    allowDefinition="MachineToApplication" />                                          
    So after removing these lines, i can get into Providers feature in IIS.
    but, when i click on "Add..." i get the following error:
    Add Provider
    There was an error while performing this operation.
    Details:
    This method cannot be called during the application's pre-start initialization phase.
    OK   
    I spent to much time already to solve this issue and i hope  that someone can give me some advice to address this issue.

    The STS web.config:<?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <system.serviceModel>
    <!-- Behavior List: -->
    <behaviors>
    <serviceBehaviors>
    <behavior name="SecurityTokenServiceBehavior">
    <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
    This configuration enables publishing of such data over HTTP GET.
    This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
    -->
    <serviceMetadata httpGetEnabled="true" />
    <!-- Default WCF throttling limits are too low -->
    <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
    </behavior>
    </serviceBehaviors>
    </behaviors>
    <!-- Service List: -->
    <services>
    <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="SecurityTokenServiceBehavior">
    <!-- This is the HTTP endpoint that supports clients requesing tokens. This endpoint uses the default
    standard ws2007HttpBinding which requires that clients authenticate using their Windows credentials. -->
    <endpoint address="" binding="customBinding" bindingConfiguration="spStsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
    <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
    <endpoint name="ActAs" address="actas" binding="customBinding" bindingConfiguration="spStsActAsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
    <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
    <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
    <endpoint address="" binding="customBinding" bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding" contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
    </service>
    </services>
    <!-- Binding List: -->
    <bindings>
    <customBinding>
    <binding name="spStsBinding">
    <binaryMessageEncoding>
    <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
    </binaryMessageEncoding>
    <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
    </binding>
    <binding name="spStsActAsBinding">
    <security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" defaultAlgorithmSuite="Basic256Sha256" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
    <binaryMessageEncoding>
    <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
    </binaryMessageEncoding>
    <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
    </binding>
    <binding name="SPWindowsTokenCacheServiceHttpsBinding">
    <security authenticationMode="IssuedTokenOverTransport" />
    <textMessageEncoding>
    <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
    </textMessageEncoding>
    <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
    </binding>
    </customBinding>
    </bindings>
    </system.serviceModel>
    <system.webServer>
    <security>
    <authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="true">
    <providers>
    <clear />
    <add value="Negotiate" />
    <add value="NTLM" />
    </providers>
    </windowsAuthentication>
    </authentication>
    </security>
    <modules>
    <add name="WindowsAuthenticationModule" />
    </modules>
    </system.webServer>
    <system.net>
    <connectionManagement>
    <add address="*" maxconnection="10000" />
    </connectionManagement>
    </system.net>
    <connectionStrings>
    <add connectionString="Server=sqldb_qa_sharepoint2010;Database=SG_SHP_Claims_Authentication;Integrated Security=true" name="SHP_Claims_Authentication" />
    </connectionStrings>
    </configuration>
    I have backupped the machine.config and restored it (the file i edited was in the following dir: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Machine.config)

  • Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

    Hi,
    We are have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
    Most users in the organization is using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load
    balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
    The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365
    and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
    We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
    They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
    The only way I've found that may work is removing IE as a WIA-capable agent and deploy a User-Agent version string specific to most users but not the generic account.
    My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
    Best regards,
    Simon

    I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth.. for the generic accounts, I'd look at using a loopback policy that overwrites
    that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been
    proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
    http://blog.auth360.net

  • Issue with form based Authentication in three tier sharepoint 2013 environment.

    Hi,
    We are facing issue with form based Authentication in three tier environment.
    We are able to add users to the database and in SharePoint.
    But we are not able to login with created users.
    In single tier everything working fine
    Please help , Its urgent ... Thanks in advance.
    Regards,
    Hari
    Regards, Hari

    if the environments match, then it sounds like a kerberos double-hop issue
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

Maybe you are looking for

  • Problem in Service Pricing Procedure

    Dear Experts, I am facing on interesting problem In service prices in Purchase Order - I have One vendor for material supply. So Material Pricing procedure has been assigned to him through Schema group vendor. and as a price determination process pri

  • Text Colour Changed when rectangle overlaps

    Hi, I need tips to change text colour in a paragraph when 2 rectangles ovelaps. Basically all texts in the paragraph is filled with black colour. 2 rectangles are placed below the text as background. One of the retangles is filled in dark blue and th

  • Question regarding JRockit

    Hi All, Question regarding JRockit. I do not know this software nor am I a java developper. What I would like to do is monitor JVM running inside OC4J in Oracle e-Business Suite. Could this tool be use to do so? Also, I think want I really need is JR

  • Can't open garageband 11 !!

    i just download it from app store and its said that it download and after it finish it start download again !! whats wrong with it ?

  • CPIO hangs when trying to expand Database 9.2 files

    So that we may better diagnose DOWNLOAD problems, please provide the following information. - Server name Sun 220 - Filename solaris64_9.2.0.1.0.Disk1.cpio - Date/Time 7/12/2002 - Browser + Version - O/S + Version Solaris 2.8 - Error Msg None. When I