Minimum privilege to LOCAL account for AnyConnect

Hi all,
what is the minimum privilege level to assign to a username account on an ASA 5505 to grant access with AnyConnect?
username ...  privilege ?
Thanks in advance
Best Regards

Hi Parker,
The privilege level does not control the AnyConnect authentication.
Instead, you could use local authorization using username attributes.
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-simultaneous-logins 0
By doing this, the username cisco will not be able to establish any VPN connections.
Or to only allow it to connect with the AnyConnect client:
ASA5510(config)# username cisco attributes
ASA5510(config-username)# vpn-tunnel-protocol ssl-client
In case you do not have any further questions please mark this post as answered.
Thanks.
Please rate any helpful posts.
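One way to check the point made above against a whole running-config, as an added example that is not from this thread or from Cisco: a small Python audit that reads the `username ... attributes` and `group-policy ... attributes` blocks and reports, per local user, whether an AnyConnect tunnel can come up regardless of the user's privilege level. The sample config and helper names are constructed for this example.

```python
"""Audit ASA local users for AnyConnect access (added example, not from this
thread or Cisco).  As the answer above says, privilege level does not gate
AnyConnect; the 'username <name> attributes' block does.  This parses those
blocks, plus the group-policy attributes they inherit from, out of
running-config text.  Helper names and the sample config are constructed."""
import re

# Constructed sample modelled on the commands shown in the answer above.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy PORTAL-ONLY attributes
 vpn-tunnel-protocol ssl-clientless
username admin password <hash> encrypted privilege 15
username cisco password <hash> encrypted
username cisco attributes
 vpn-simultaneous-logins 0
username tom.tucker password <hash> encrypted
username tom.tucker attributes
 vpn-tunnel-protocol ssl-client
username helpdesk password <hash> encrypted privilege 5
username helpdesk attributes
 vpn-group-policy PORTAL-ONLY
"""

ANYCONNECT_PROTOCOLS = {"ssl-client", "ikev2"}  # AnyConnect rides on TLS or IKEv2
ASA_DEFAULT_SIMULTANEOUS_LOGINS = 3             # DfltGrpPolicy factory default

def _new_entry():
    return {"privilege": None, "max_logins": None, "protocols": None, "group_policy": None}

def _apply_subcommand(block, line):
    """Record the vpn-* sub-commands this audit cares about."""
    parts = line.split()
    if parts[0] == "vpn-simultaneous-logins" and len(parts) == 2:
        block["max_logins"] = int(parts[1])
    elif parts[0] == "vpn-tunnel-protocol":
        block["protocols"] = set(parts[1:])
    elif parts[0] == "vpn-group-policy" and len(parts) == 2:
        block["group_policy"] = parts[1]

def parse_config(text):
    """Return (users, policies).  Sub-commands are matched by keyword rather
    than indentation, since pasted configs often lose their leading spaces."""
    users, policies, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"username (\S+) attributes$", line):
            block = users.setdefault(m.group(1), _new_entry())
        elif m := re.match(r"username (\S+) password .*?(?: privilege (\d+))?$", line):
            entry = users.setdefault(m.group(1), _new_entry())
            entry["privilege"] = int(m.group(2)) if m.group(2) else 2  # ASA default
            block = None
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            block = policies.setdefault(m.group(1), _new_entry())
        elif block is not None and line.startswith("vpn-"):
            _apply_subcommand(block, line)
        else:
            block = None  # any other top-level command ends the attributes block
    return users, policies

def _inherit(user, policies, key):
    """User attribute wins; else the user's vpn-group-policy; else DfltGrpPolicy.
    Group policies assigned via tunnel-group or DAP are out of scope here."""
    chain = [user]
    if user["group_policy"] in policies:
        chain.append(policies[user["group_policy"]])
    if "DfltGrpPolicy" in policies:
        chain.append(policies["DfltGrpPolicy"])
    return next((e[key] for e in chain if e[key] is not None), None)

def audit(text):
    """Map each local user to (privilege, anyconnect_allowed, reason).
    anyconnect_allowed is None when no vpn-tunnel-protocol is visible."""
    report = {}
    users, policies = parse_config(text)
    for name, user in sorted(users.items()):
        logins = _inherit(user, policies, "max_logins")
        logins = ASA_DEFAULT_SIMULTANEOUS_LOGINS if logins is None else logins
        protocols = _inherit(user, policies, "protocols")
        if logins == 0:
            verdict = (False, "vpn-simultaneous-logins 0 blocks every VPN login")
        elif protocols is None:
            verdict = (None, "no vpn-tunnel-protocol visible; cannot confirm")
        elif protocols & ANYCONNECT_PROTOCOLS:
            verdict = (True, "permitted via " + ", ".join(sorted(protocols & ANYCONNECT_PROTOCOLS)))
        else:
            verdict = (False, "only " + ", ".join(sorted(protocols)) + " permitted")
        report[name] = (user["privilege"], *verdict)
    return report

if __name__ == "__main__":
    for name, (priv, allowed, reason) in audit(SAMPLE_CONFIG).items():
        print(f"{name:<12} privilege={priv!s:<3} allowed={allowed!s:<6} {reason}")
```

In the constructed sample, the privilege-15 admin and the privilege-2 tom.tucker both come out as allowed while the privilege-5 helpdesk account does not, which is the point of the answer above.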

Similar Messages

  • Accounting for anyconnect users

    hi,
    is it possible to do accounting for normal AnyConnect users? i.e. accounting for anyone who is logged on to the network using AnyConnect?

    Hi,
    Check out VPNTTG (VPN Tunnel Traffic Grapher), software for SNMP monitoring and measuring the traffic load for IPsec (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN tunnel over time in graphical form.
    The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and it stores historical monitoring data for each VPN tunnel into the database.
    For more information about VPNTTG please visit www.vpnttg.com

  • Strange behaviour on OD Master (unwanted creation of local account)

    Hi all,
    we use an Apple XServe running Mac OS X Leopard Server 10.5.1 as our main file server machine (AFP, SMB/CIFS, OpenDirectory Master, iChat, Webserver, SVN) at our institute. All of our network users' accounts are managed within the LDAP directory of this server.
    We have got two additional local accounts (for administrative purpose only) on our server.
    Two of our OD users are using synchronized mobile home directories. Each time they connect their MacBooks to the network, their home directories get synchronized between MacBook and XServe.
    This is, in general, running quite fine.
    One of these two mobile synchronized users from time to time (some days) encounters a strange problem since we upgraded our XServe from Tiger to Leopard. When it happens, he suddenly isn't able to login to any service running on the XServe (SSH, iChat, AFP).
    Looking into the server's logs we encountered strange messages regarding the account of the affected user ("xxxxx"):
    | system.log.5.bz2:Dec 15 20:24:35 whitehouse
    |/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient[83 154]:
    | -xaImportUser: Imported "xxxxx" with home "/Volumes/Holmes/Users/xxxxx" into
    | DSLocal because account was found in directory services.
    | system.log.5.bz2:Dec 15 22:47:15 whitehouse
    | /System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient[831 54]:
    | -xaRemoveInactiveExternalAccounts: removing "xxxxx" with home
    | "/Volumes/Holmes/Users/xxxxx" from DSLocal because account is not active.
    | system.log.5.bz2:Dec 15 22:47:18 whitehouse com.apple.loginwindow[83147]:
    | -xaImportUser: Imported "xxxxx" with home "/Volumes/Holmes/Users/xxxxx" into
    | DSLocal because account was found in directory services.
    | system.log.5.bz2:Dec 15 22:47:18 whitehouse com.apple.loginwindow[83147]:
    | -xaRemoveInactiveExternalAccounts: removing "xxxxx" with home
    | "/Volumes/Holmes/Users/xxxxx" from DSLocal because account is not active.
    | system.log.5.bz2:Dec 15 22:51:24 whitehouse
    | /System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient[221 ]:
    | -xaImportUser: Imported "xxxxx" with home "/Volumes/Holmes/Users/xxxxx" into
    | DSLocal because account was previously found in directory services.
    When looking at "/var/db/dslocal/nodes/Default/users/", we found out that the user has got a local account (there is a "xxxxx.plist" within this directory), but who created it (ManagedClient.app?) and why?
    Of course, there aren't any local accounts for our other OD users (but only for our two local administrative accounts).
    Looking into "xxxxx.plist" shows that the account is of the type "LocalCachedUser".
    So it seems to be as follows: as soon as this "xxxxx.plist" is created, user "xxxxx" cannot login to any service anymore.
    The question is: Why is it created? Why only for this user? We have at least one other user who uses a synchronized home directory. But for him this hasn't happened, yet.
    I have looked into the affected account's settings regarding synchronized home directories using Workgroup Manager (and also "ldapsearch" at the command line). I don't see any different settings between the affected account "xxxxx" and the other ones.
    Does anybody know why "xxxxx" gets a local cached account on the server from time to time? Shouldn't this type of account be created on a "third" machine (e.g. on one of our MacMinis) when user "xxxxx" logs in on it?
    I would be very glad if someone could point us into the right direction. Thank you very much in advance!
    Best regards,
    Steffen

    Hi,
    today the user whose account has been affected came back from Christmas holidays. Simply deleting the file "/var/db/dslocal/nodes/Default/users/xxxxx.plist" on the server fixed the problem.
    He is now able to login via SSH, iChat, and so on, again.
    So it is very obvious that the existence of the local cached account (represented by "xxxxx.plist" within "/var/db/dslocal/nodes/Default/users/") was the reason for denying the authentication to the services.
    Now one question is left: Why was it created?
    Any ideas are welcome!
    Best regards,
    Steffen

  • Can't get Administrator Privileges/Rights for Local Account in Administrators Group

    I'm using a Custom Command Shell, and for now just booting to cmd.exe. I've done the following:
    1) Added a LocalAccount under UserAccounts/LocalAccounts (pass 7) with Name, DisplayName, Password, Group
    2) Entered "Administrators" as the LocalAccount/Group (yes, it's definitely spelled correctly.)
    3) Set AutoLogon/Username to the Username created in Step 1, Enabled, LogonCount 9999, Password as per Step 1
    4) Added the "Application Security" package and set EnableLUA=False.
    The system boots after install, and it successfully logs in automatically to the command prompt. However, the user DOES NOT have Administrator privileges. For example, when trying to run Regsvr32 from the command prompt, I receive the following error message: "dllregisterserver failed with error code 0x8002801c," which indicates some sort of privilege/rights issue.
    At the command prompt, when I type Net User LocalUserWhoShouldBeAdmin, I get the following:
        Local Group Memberships
        Global Group Memberships   *None
    Whereas when I type Net User Administrator, I get:
        Local Group Memberships    *Administrators
        Global Group Memberships   *None
    What must I do to successfully give the local user Administrator rights?

    Jamster,
    I figured out the solution, but I'm not sure your problem is the same...
    In my case, the problem was that the LocalAccount/Name was the same as the ComputerName. As a last resort, all I did was change the LocalAccount/Name to something other than the ComputerName, and voila, after re-installing the image the local account was suddenly a member of Administrators. Crazy... you'd think they'd be able to tell the difference between the ComputerName and a local account name! In case anyone's wondering, it has nothing to do with the length of the local account Name (I tested that.)

  • Gathering children from disk for local accounts

    When trying to get mail I get the message "gathering children from disk for local accounts" and mail does not come in. Any ideas?
    Mac OS X (10.3.9)

    I had exactly the same problem when we connected our Xsan volume to a multimedia area for post-production work. You are never really safe with local users, so I deleted them and created users on the server with exactly the same name and a local home folder in the Users directory defined in Workgroup Manager; at first login the home folder is created locally and left as is.
    Because we now have no actual local users (people only think they are) we have complete control over the SAN. Privileges expressly forbid access to the users created for local use only, and everything is working well.
    You can find all the info you need in the OS X Server 'Open Directory' manual. I wouldn't go down the route of scripting un-mounting and mounting volumes for particular users because you're going to be fighting the system at something it's designed to do. It's treating the SAN volume as direct attached storage, which it needs to do in order to use it for editing etc.

  • How can I install WebOfTrust for a local account and save the profile so that it transfers to domain accounts that log on to that specific computer?

    We are creating images through ghost server to clone onto several laptops and one of the features we need to have configured is the Web of Trust extension in Firefox. I have configured a local account on the machine and set up Web of Trust and then copied the profile image in regedit to the default profile image and saved this. WOT works for local accounts but whenever I try domain accounts, Web of Trust needs to be disabled and re-enabled.

    Try using Web of Trust support:
    http://www.mywot.com/en/support
    Or post in their user support forum:
    http://www.mywot.com/en/forum

  • DU does not account for some files in ../SyncServices/Local/DataReferences

    There are 9 files in my $HOME/Library/Application Support/SyncServices/Local/DataReferences/022 directory, as listed in ls -l. When I run du * in this directory, it only accounts for 3 of the 9 files. Using diff, it appears as though the files du ignores are duplicates. My first thought was that there are links to other files in this directory, but ls -l@ shows nothing out of the ordinary.
    Anyone know what is up with these files? They have similar names like:
    CF0057CF7C5E.com.apple.MobileSync
    vs
    CF0057CF7C5E.data

    Try
    ls -la -i |sort -n
    If the identical files have the same number in column 1, then they are NOT 2 files with the same name, but rather 2 directory entries pointing at the same file. These would be hardlinks, not symlinks.

  • AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

    Hi everyone,
    it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
    Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
    : Saved
    ASA Version 9.1(1)
    hostname ASA
    domain-name ingo.local
    enable password ... encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ... encrypted
    names
    name 10.0.1.0 LAN-10-0-1-x
    dns-guard
    ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    interface Vlan2
    nameif External
    security-level 0
    ip address dhcp setroute
    regex BlockFacebook "facebook.com"
    banner login This is a monitored system. Unauthorized access is prohibited.
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup Internal
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server 10.0.1.11
    name-server 75.153.176.1
    name-server 75.153.176.9
    domain-name ingo.local
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-10-0-1-x
    subnet 10.0.1.0 255.255.255.0
    object network Company-IP1
    host xxx.xxx.xxx.xxx
    object network Company-IP2
    host xxx.xxx.xxx.xxx
    object network HYPER-V-DUAL-IP
    range 10.0.1.1 10.0.1.2
    object network LAN-10-0-1-X
    access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
    access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
    access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
    tcp-map Normalizer
      check-retransmission
      checksum-verification
    no pager
    logging enable
    logging timestamp
    logging list Threats message 106023
    logging list Threats message 106100
    logging list Threats message 106015
    logging list Threats message 106021
    logging list Threats message 401004
    logging buffered errors
    logging trap Threats
    logging asdm debugging
    logging device-id hostname
    logging host Internal 10.0.1.11 format emblem
    logging ftp-bufferwrap
    logging ftp-server 10.0.1.11 / asa *****
    logging permit-hostdown
    mtu Internal 1500
    mtu External 1500
    ip verify reverse-path interface Internal
    ip verify reverse-path interface External
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any echo External
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (Internal,External) dynamic interface
    object network LAN-10-0-1-x
    nat (Internal,External) dynamic interface
    object network HYPER-V-DUAL-IP
    nat (Internal,External) static interface service tcp 3389 3389
    access-group 100 in interface External
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius protocol radius
    aaa-server radius (Internal) host 10.0.1.11
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console radius LOCAL
    http server enable
    http LAN-10-0-1-x 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map External_map interface External
    crypto ca trustpoint srv01_trustpoint
    enrollment terminal
    crl configure
    crypto ca trustpoint asa_cert_trustpoint
    keypair asa_cert_trustpoint
    crl configure
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpool policy
    crypto ca server
    cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
    issuer-name CN=...
    database path disk0:/LOCAL_CA_SERVER/
    smtp from-address ...
    publish-crl External 44436
    crypto ca certificate chain srv01_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain asa_cert_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate <output omitted>
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable External client-services port 44455
    crypto ikev2 remote-access trustpoint asa_cert_trustpoint
    telnet timeout 5
    ssh LAN-10-0-1-x 255.255.255.0 Internal
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh timeout 5
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd dns 75.153.176.9 75.153.176.1
    dhcpd domain ingo.local
    dhcpd option 3 ip 10.0.1.254
    dhcpd address 10.0.1.50-10.0.1.81 Internal
    dhcpd enable Internal
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter use-database
    dynamic-filter enable interface Internal
    dynamic-filter enable interface External
    dynamic-filter drop blacklist interface Internal
    dynamic-filter drop blacklist interface External
    ntp server 128.233.3.101 source External
    ntp server 128.233.3.100 source External prefer
    ntp server 204.152.184.72 source External
    ntp server 192.6.38.127 source External
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point asa_cert_trustpoint External
    webvpn
    port 44433
    enable External
    dtls port 44433
    anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
    anyconnect profiles profile1 disk0:/profile1.xml
    anyconnect enable
    smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
    smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect profiles value profile1 type user
    username write.ingo password ... encrypted
    username ingo password ... encrypted privilege 15
    username tom.tucker password ... encrypted
    class-map TCP
    match port tcp range 1 65535
    class-map type regex match-any BlockFacebook
    match regex BlockFacebook
    class-map type inspect http match-all BlockDomains
    match request header host regex class BlockFacebook
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 1500
      id-randomization
    policy-map TCP
    class TCP
      set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
      set connection timeout dcd
      set connection advanced-options Normalizer
      set connection decrement-ttl
    policy-map type inspect http HTTP
    parameters
      protocol-violation action drop-connection log
    class BlockDomains
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect http HTTP
    service-policy global_policy global
    service-policy TCP interface External
    smtp-server 199.185.220.249
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command service-policy
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
    : end
    Many thanks,
    Ingo

    Hi Jose,
    here is what I got now:
    ASA(config)# sh run | begin tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPool
    authorization-required
    and DAP debugging still the same:
    ASA(config)# DAP_TRACE: DAP_open: CDC45080
    DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
    DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
    DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: tom.tucker, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.02026";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
    Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
    Thanks,
    Ingo

  • Service Accounts for Reporting Service in SQL Server Failover Cluster setup

    I am setting up 2 Report Services (SSRS) in SQL Failover Clustering (Version: 2012SP1) on Windows 2012, as part of scale out architecture.
    There are 2 options to configure the service account for SSRS:
    Option 1) Using domain accounts, as what I have done for DB Engine and SQL Agent.
    Option 2) accept the default, which is virtual account for SSRS. Per documentation URL:
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    Which is the recommended one? Is it option 2?
    There is security note on above URL as well, but does not clearly mention that option 1 is not recommended.
    Security Note: Always run SQL Server services by using the lowest possible user rights. Use a MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.
    Thanks very much for your help!

    Hi Luo Donghua,
    In a SQL Server Failover Cluster Instance, personally, both options can run well. If you use the virtual account for SQL Server Reporting Services, note that virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment.
    Of course, you can also use domain accounts in your clustering.
    Just make sure your service account is set up here, or that it is using a proper built-in account. For more information, see: http://ermahblerg.com/2012/11/08/cluster-ssrs-in-2008/
    Thanks,
    Sofiya Li
    TechNet Community Support

  • Creating Active Directory Accounts for vSphere 5.1 Services

    To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory.  I need to determine how many to create and what permissions they need.
    In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO.  I can use the default admin@system-domain.  Or I can add an account that is configured in Active Directory.  Or, I can also use an active directory group instead of an individual user.  What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server?  (I'm using multisite mode, so I can't use local accounts)
    In SQL Server, I need to choose an account to use for the SQL server service.  Should this account be an active directory account or a local user account?  If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine?  What AD group, if any should it be a part of?  What local permissions does it need?
    In vCenter Server, I need to choose an account to run the "vCenter Server Service" in.  Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
    I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
    For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems.  Or create separate groups for each management piece and assign permissions to the groups.  Is it better to consolidate some of these user names or split them out?  Any experiences / suggestions welcome.  Thanks.

    Hello,
    For general services I use a service-specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this; this way I can create a service account group and give it the appropriate roles and privileges. For example I have service accounts for:
    VMware View
    XenDesktop
    vCops
    HPSIM
    Solarwinds
    VMTurbo
    NetApp
    etc.
    One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
    For SSO, I too am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies. Once SSO is supported by more than one or two tools, you still need to maintain that separation.
    So I say yes, tie SSO to AD and do everything in one place. Unfortunately, that is not very clear, or at least was not to me, and these SSO issues are either being fixed, documented, or both.
    Best regards,
    Edward L. Haletky aka Texiwill

  • Macbook bound to AD won't allow network login or new local account creation

    As the title states I am having an issue related to a macbook pro that is bound to active directory. The only option we tweak when binding the macs to AD is that we opt to "create mobile account" option under directory utility.
    It also seems that while we can login through the local admin account, new local accounts cannot be created (the account creation window hangs when you create account).
    Any help would be appreciated

    Hi
    To successfully bind a mac workstation to Active Directory certain things need to be in place:
    DNS has to be fully resolving on both pointers. This is done on the PDC or whatever server is the designated DNS Server.
    Date and Time settings need to be adjusted to reflect whatever is designated as the NTP Server in the AD environment. Adjust the Date & Time Preferences Pane and find out from the Windows Network Administrator what the NTP Server IP address is.
    You must use account credentials that have authority for the AD Domain. If you're trying to use your own account it may be restricted in what it can do? A domain account has special privileges not usually accorded to ordinary user accounts.
    This assumes you're (a) not the Active Directory Network Administrator and (b) you're using the Active Directory plug-in the login options section of the Accounts Preferences Pane. It's a good idea to click the "Open Directory Utility" button when binding to Active Directory. It's also a good idea to access the Advanced Section once the Utility has opened.
    If this is failing at the bind stage then perhaps you should review the details you've been given when binding to AD? It may be worthwhile to clear the workstation from the Computer OU before you try again?
    The above is not an exhaustive list but should help?
    Tony

  • Question : Service Accounts for SQL Server 2012

    Hello,
    I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
    I was reading the following
    Configure Windows Service Accounts and Permissions
    and
    Windows Privileges and Rights
    Is there a recommendation / document that would list the association of SQL Server Services with Active Directory service accounts / privileges required for installation and starting the services?
    Isn't it recommended to create a separate account for every service, and they should not be local accounts?
    Hope to hear soon as to what industry standards are being followed for production systems ?
    Thank you very much in advance.
    Regards
    Nikunj

    From MSDN:
    Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
    When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
    From Glen Berry's Blog:
    You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
    You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS), or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more secure and more resilient, since a problem with one account won't affect all of the SQL Server services.
    Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup program. You are going to want to make sure that the accounts don't have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure location.
    Please Mark This As Answer if it solved your issue
    Please Mark This As Helpful if it helps to solve your issue
    Thanks,
    Shashikant

  • Service Accounts for Browser Services and FD Launcher (Full-text Search)

    I am setting up SQL Failover Clustering (Version: 2012 SP1) on Windows 2012. There are 2 options to configure the service account for Browser Services and FD Launcher:
    Option 1) Use separate domain accounts, as I have done for DB Engine and SQL Agent.
    Option 2) Accept the default, which is Local Service for Browser and a virtual account for FD Launcher. Per documentation URL: http://msdn.microsoft.com/en-us/library/ms143504.aspx
    Which is the recommended one? Is it option 2?
    There is a security note on the above URL as well, but it does not clearly mention that option 1 is not recommended.
    Security Note: Always run SQL Server services by using the lowest possible user rights. Use a MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.

    Hi Luo Donghua,
    In SQL Server Browser, the default logon account is NT Authority\Local service and cannot be changed during SQL Server setup. SQL Server Browser is not a clustered resource and does not support failover from one cluster node to the other. SQL Server Browser should be installed and turned on for each node of the cluster. SQL Server Browser should be run in the security context of a low privileged user to minimize exposure to a malicious attack.
    You can change the account after the setup has been completed. For more information, see: http://msdn.microsoft.com/en-us/library/hh510203.aspx.
    In SQL Server full text filter daemon launcher, on Windows Vista and Windows Server 2008, the FDHOST Launcher service account also defaults to LOCAL SERVICE. If you provide a domain account in which to run the FDHOST Launcher service, we highly recommend that you use a low privilege account. On Windows 7 and Windows Server 2008 R2, we use a Virtual Account or Managed Service Account (MSA) in FD Launcher. We also need to note that the account you use for FD Launcher should be different from the account that you use for the SQL Server service. For more information, see:
    http://msdn.microsoft.com/en-us/library/cc281953(v=sql.100).aspx
    So I recommend you use option 2 to configure the service account for Browser Services and FD Launcher.
    Thanks,
    Sofiya Li
    TechNet Community Support
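    Added example, not code from any post in this thread: a PowerShell audit that checks a SQL host against the guidance quoted in the SQL Server 2012 service-account answer above (one dedicated account per service, no local admin rights for it) and in this Browser / FD Launcher answer (built-in, virtual or managed accounts rather than an account shared with the Database Engine). It assumes an elevated Windows PowerShell 5.1 or later session on the SQL host; the service-name patterns, the function names and the issue wording are my own, not Microsoft's.

```powershell
# Added example, not from any post in this thread.
# Lists the account each SQL Server service on this host runs as and flags the two
# things the quoted guidance warns against: one user/domain account shared by several
# SQL services, and a service account with local administrative rights.
# Assumptions: elevated Windows PowerShell 5.1+ on the SQL host (Get-LocalGroupMember
# comes from the built-in Microsoft.PowerShell.LocalAccounts module); the name patterns
# below cover the standard SQL Server service names and may need extending for extra
# components.

function Get-SqlServiceAccountReport {
    $sqlServicePatterns = @('MSSQL*', 'SQLAgent*', 'SQLSERVERAGENT', 'SQLBrowser',
                            'MSSQLFDLauncher*', 'MsDtsServer*', 'ReportServer*', 'MSOLAP*')

    # Built-in identities. The thread points to these (or virtual accounts / MSAs) for
    # Browser and FD Launcher rather than a domain account shared across services.
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $svcName = $_.Name
        [bool]($sqlServicePatterns | Where-Object { $svcName -like $_ })
    }

    # Direct members of local Administrators, lower-cased for comparison.
    # Only direct membership is checked; nested domain groups are not expanded.
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
                     ForEach-Object { $_.Name.ToLowerInvariant() })

    foreach ($svc in $services) {
        $account = [string]($svc.StartName)
        $type = if ($builtIn -contains $account)       { 'built-in' }
                elseif ($account -like 'NT SERVICE\*') { 'virtual' }     # per-service by construction
                elseif ($account -like '*$')           { 'MSA/gMSA' }    # managed accounts end in $
                else                                   { 'user/domain' }

        [pscustomobject]@{
            Service     = $svc.Name
            State       = $svc.State
            Account     = $account
            AccountType = $type
            # LocalSystem is administrative by definition; everything else is matched
            # against direct group membership. A StartName in DOMAIN\user form matches;
            # a UPN-style user@domain would not and should be checked by hand.
            LocalAdmin  = ($account -eq 'LocalSystem') -or
                          ($localAdmins -contains $account.ToLowerInvariant())
        }
    }
}

function Find-SqlServiceAccountIssues {
    param([Parameter(Mandatory)] [object[]] $Report)

    $issues = @()

    # Isolation: a user/domain account driving more than one SQL service.
    $shared = $Report | Where-Object { $_.AccountType -eq 'user/domain' } |
              Group-Object -Property Account | Where-Object { $_.Count -gt 1 }
    foreach ($g in $shared) {
        $issues += "Account '$($g.Name)' is shared by $($g.Count) services: $($g.Group.Service -join ', ')"
    }

    # Least privilege: setup grants what the service needs, so admin rights are excess.
    foreach ($r in ($Report | Where-Object { $_.LocalAdmin })) {
        $issues += "Service '$($r.Service)' runs as '$($r.Account)', which has local administrative rights"
    }

    return $issues
}

# Usage: print the per-service table, then any findings as warnings.
$report = @(Get-SqlServiceAccountReport)
if ($report.Count -eq 0) {
    Write-Warning 'No SQL Server services found on this host.'
} else {
    $report | Format-Table -AutoSize | Out-Host
    Find-SqlServiceAccountIssues -Report $report | ForEach-Object { Write-Warning $_ }
}
```

    The report deliberately treats a virtual account (NT SERVICE\name) and a managed service account as acceptable without further checks, since both are per-service identities; the shared-account test only looks at ordinary user or domain accounts, which is where the isolation problem the thread describes actually arises.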

  • Install Problem : Creating/Modifying OS Accounts for J2E

    Hi friends,
    I am trying to install Sneak Preview SAP NetWeaver 2004 Slim Edition, but I get a "Creating/Modifying OS Accounts for J2E" error. I am logged in as the Administrator user of my local machine.
    How can I solve my problem?
    Thanks
    Mehmet
    P.S. My error message is below :
    ERROR 2006-04-11 11:06:37
    FSL-01002  Unable to create account mehmetavsar\SAPServiceJ2E. HRESULT=0x80005009

    Not sure if this will help you out, but I found a few interesting solutions to the issues discussed here.
    1)  Trying to install NWSp16 on my work laptop.
    2)  I initially received a domain/username issue.  Resolution: required me to be plugged into the network either locally, or through a VPN (which causes another issue later on).
    3)  Once plugged in locally, the install process validates my username and the group privileges I have.
    4)  Creating/Modifying OS Accounts failed.  Resolution: Since I was plugged into my work network, their password policy (when creating users) became necessary.  Meaning, you have to make sure the password you use during the install process for the two users that are created will pass your work's password policy.
    Once I corrected the passwords, the install process created the users without any issues.
    Hope this helps.
    Michael Lee

  • Difference between LOGGING in to SQL SERVER AGENT as LOCAL-ACCOUNT and NETWORK-SERVICE

    By default SQL-SERVER-AGENT is set to log in as local account... What is the difference between logging in to SQL Server Agent as local account or as network service...??

    Hello,
    Read these and make out the difference:
    http://stackoverflow.com/questions/510170/the-difference-between-the-local-system-account-and-the-network-service-acco
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272(v=vs.85).aspx
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    As a best practice, use an account with minimum privileges to run SQL Server Agent.
    Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers.
