PEAP with Windows logon to domain

Hello everybody,
We are looking for a document about how to set up PEAP with Windows logon to a domain that also has logon script or group policy enforcement from the domain controller machine.
We have seen the following topic but we could not access the example implementation document that he recommended (replied by verdann)
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eead8c5
We are using a wireless LAN controller with lightweight access points. Could anyone please advise us?
Thanks in advance,
Nitass

Hi,
I recommend the following 2 documents for PEAP configuration with a whole Microsoft environment. The first one is to get PEAP running very simply, the second one adds group policies etc.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://www.microsoft.com/downloads/info.aspx?na=47&p=3&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&u=details.aspx%3ffamilyid%3d269902E8-FC41-4EB1-9374-44612E64F0FB%26displaylang%3den

Similar Messages

  • ACS 4.1 support with Windows Server 2012 Domain controller

    I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
    In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
    Will ACS 4.1 work fine with my new domain controller (Windows Server 2012) or do I need to upgrade my ACS too?
    Regards,
    Junaid

    Junaid,
    ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2 or stay with windows 2003 or 2008 (Non-R2).
    ACS 5.4 patch 2 supports Windows 2012 AD.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
    Regards,
    Jatin
    **Do rate helpful posts**

  • MS-PEAP with windows zero configuration problem

    Hello,
    Here is my configuration
    1130 AP, WLSE Express (radius)
    authentication : PEAP with ms-chapv2
    My user database is on the WLSE.
    MS-PEAP works fine with my Intel PRO/Wireless client but always fails with the integrated WZC client on XP SP2. I already patched it with KB885453 but this doesn't help.
    Are there some special parameters on the RADIUS to make it work with WZC?
    Thanks for your help

    Untick the option to verify certificate in the windows config. PEAP is server side, client can ignore it. Also, check if you are trying to use windows initial login - if so, machine authentication must be enabled.
    Hope that helps.

  • Exchange 2007 with windows 2012 R2 domain controllers environment.

    Hello,
    I am planning to upgrade to AD Windows 2012 R2 from 2008 in 2003 on functional level for domain and forest. My question is, is Exchange 2007 (Version build: 08.03.0245.001) supported on a 2012 R2 domain environment on 2008 functional level?
    I am planning to upgrade exchange later in december to exchange 2013 but not now.
    Thanks in advance

    Hello,
    At present, there is no official article to verify whether exchange 2007 is supported on windows server 2012 R2 domain.
    But I agree with damird's suggestion.
    And you don't install exchange 2007 on windows server 2012 r2.

  • Odd Run As issue with Windows 8.1 - Run As domain administrator not working

    I'm having an odd issue on a Windows 8.1 laptop. I log in with my standard account, but want to open things like group policy management with my special separate domain admin account. So I press shift, right click, run as a different user - fill in my username and password and get an access denied message. I verified I was using the right account info, verified UAC was turned off. I can run it as my non-domain admin account but of course I don't have access to everything. In the event viewer, I'm getting these messages:
    Application log:
    svchost (1648) SRUJet: An attempt to open the file "C:\Windows\system32\SRU\SRU.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).
    This and a few other similar messages show up in the application log, over and over again.
    Also the Application log has a couple of these, showing up only when I try to open as the domain admin account:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required. 
    DETAIL -
    1 user registry handles leaked from \Registry\User\S-1-5-21-1856965257-1504725669-3833077565-143885_Classes:
    Process 1072 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1856965257-1504725669-3833077565-143885_CLASSES
    Any help would be greatly appreciated.  I'm at a complete loss.
    As a quick edit - I also am not out of space on the hard drive, I have many gigs on my partition left.

    Hi,
    This issue may occur if you do not have the appropriate permissions assigned to the folder.
    Please make sure you have the sufficient permission to access the folder:
    logon with that domain admin account to check if you could access that file.
    If it works fine, logon with that domain standard user account do it again.
    In addition, why didn't you run as administrator directly (don't use Run as different user)?
    Karen Hu
    TechNet Community Support

  • Standard Domain Accounts don't work with Windows 8.1 Pro

    I have AD running on Server 2012 with Windows 7 systems. I recently purchased a few Windows 8.1 laptops that I connected to the domain. They are fully updated to the latest windows 8.1 version, and all security updates are installed. 
    When I log in as a domain administrator user, then I can log in. No problems.
    However, when I log in as a standard domain user, it signs me off immediately. It says 'Welcome' .... 2 seconds pass... 'Signing Out' and I'm back to the login page. I tried this with Windows 8 systems, and it works but as soon as it is updated to Windows 8.1, I start having this problem.
    Event Viewer does show some errors when a standard domain user logs in. 
    9009 - Desktop Window Manager - The desktop window manager has exited with code 0xd00002fe
    Then,
    4006 - WinLogin - The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\System32\userinit.exe
    1542 - User Profile Service - Windows cannot load classes registry file. Detail - The system cannot find the file specified.
    I installed Windows 8 Pro using the Dell CD that came with the laptop. I updated to Windows 8.1 using windows store, and then windows update for the latest windows 8.1 update.
    I have searched these forums, and made sure that winlogon executable is correct. I have recreated the user profile. I have tried multiple accounts and while they work on Windows 7, and windows 8, they fail on all windows 8.1 laptops. 
    Please assist. Thank you

    Hi,
    Try to run the two commands in command prompt:
    Net localgroup Users Interactive /add
    Net localgroup Users "Authenticated Users" /add
    Then what’s the result?
    Alex Zhao
    TechNet Community Support

  • Need to collect the Windows logon and logoff events across the Domain in a DC environment, for different machines and user accounts.

    Hello All,
    I am trying to build a tool to collect the info about all the users who log in and log off on a daily basis in a domain network. I am using a Windows 2008 server as a DC and have XP, Win 7, Win 8, Win 12 server as clients in the network.
    There are a few questions in my mind which I am not able to answer.
    1> When a user tries to log in to the DC network, he/she gets authenticated using the Kerberos protocol. Do these authentications get logged on the AD server by default? I have seen a way to enable it from the registry but even that's not giving me the expected output in the eventvwr.
    2> Do I have to use Audit policies to monitor all the users' log off and log on activities?
    3> Is there a way to collect this information from any place on the AD server other than the Eventvwr?
    Please help me in finding the solutions to these queries of mine.
    Thanks.

    1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Administrative Tools → Group Policy Management.
    2. In the left pane, navigate to Forest: <domain_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
    3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
    4. Set the Audit account management and the Audit directory service access policy to "Success". Set the Audit logon events policy to "Success" and "Failure".
    5. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.
    The number of events could be excessive, so you need to adjust the size of the Security log (1 GB for example).
    Usage of EventCombMT Tool (part of MS ALtools)
     This tool gathers specific events from several different servers to one central location.
     Run the EventCombMT.exe > Right Click on Select to search field > Choose Get DCs in Domain > Mark your Domain Controllers for search
     Click the Searches menu > replace Event ID field values with
    4624  LOGON / 4634  LOGOFF
     Click Search and wait for the process to complete the operation.
     After the search is done the output directory contains the log files for the domain controllers where events with the specified Event ID’s were found.
    Alternatively you can try Netwrix Auditor for Active Directory solution with 20 days of free trial to generate such reports.
    --- Jeff (Netwrix)
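
The collection step described in the answer above, as an added PowerShell example that is not part of the original posts: it reads event IDs 4624 and 4634 from the Security log of each listed machine with Get-WinEvent and pairs them by logon ID into sessions. The computer names, output path and the function name ConvertTo-LogonRecord are assumptions, and the account running it needs rights to read the remote Security logs.

```powershell
# Added example: pair logon (4624) and logoff (4634) events into sessions.
param(
    [string[]]$ComputerName = @('DC01', 'DC02'),     # placeholder machine names
    [datetime]$Since        = (Get-Date).AddDays(-1),
    [string]$OutFile        = '.\logon-sessions.csv' # assumed output path
)

# Turn one Security event into a flat record. Fields are read by name from
# the event XML, so the code does not depend on property positions.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    [pscustomobject]@{
        Computer  = $Record.MachineName
        Time      = $Record.TimeCreated
        EventId   = $Record.Id
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonId   = $data['TargetLogonId']
        LogonType = [int]$data['LogonType']
        SourceIp  = $data['IpAddress']   # present on 4624 only
    }
}

# Query each machine separately so one unreachable host does not stop the run.
$filter  = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $Since }
$records = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object { ConvertTo-LogonRecord -Record $_ }
    } catch {
        # Also reached when a host simply has no matching events in the window.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# A logon and its logoff share the same TargetLogonId on the same machine.
# Computer accounts (names ending in $) are dropped to keep user sessions only.
$sessions = $records |
    Where-Object { $_.User -notlike '*$' } |
    Group-Object Computer, LogonId |
    ForEach-Object {
        $logon  = $_.Group | Where-Object EventId -eq 4624 | Sort-Object Time | Select-Object -First 1
        $logoff = $_.Group | Where-Object EventId -eq 4634 | Sort-Object Time | Select-Object -Last 1
        if ($logon) {
            [pscustomobject]@{
                Computer  = $logon.Computer
                User      = $logon.User
                LogonType = $logon.LogonType
                SourceIp  = $logon.SourceIp
                Logon     = $logon.Time
                # Empty when the session is still open or the logoff was not logged.
                Logoff    = if ($logoff) { $logoff.Time } else { $null }
            }
        }
    }

$sessions | Sort-Object Logon | Export-Csv -Path $OutFile -NoTypeInformation
```

Events only appear once the audit policy from the steps above is in effect, and each machine records only the logons it handled itself, so workstation sessions have to be collected from the workstations as well as from the domain controllers.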

  • Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    Hello,
    I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
    Details:
    1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
    2) Both instances are configured to accept SQL+ Windows authentication.
    3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without any issues)
    4) Also, we observed following error in windows application event log,
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
    The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
    5) If we create SQL login it is working fine without any issues.
    Could someone guide/help  me identifying and fixing this issue.
    Thank you

    Hello,
    Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
    Could you try to delete one of the Windows logins that fail to login , and try to recreate them?
    The following resources may help:
    http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
    http://support.microsoft.com/kb/555332
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • User Logon Name (pre-Windows 2000) and Domain Name Don't have the same Value

    Hi
    is it possible to have User Logon Name (pre-Windows 2000) and Domain Name with different value?
    Example:
    domain name domain1.com
    and User Logon Name (pre-Windows 2000) Domain2\user

    If you have trust in place, then also you can use trusted domain name to login from trustee domain. Also, UPN suffix can be added.
    http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • PEAP Windows Logon -Machine & User Authentication -Multiple VLANS

    Windows Client <==> Access Point <==> Radius <==> Windows DC/AD
    Windows OS : XP Client SP 2
    Supplicant : Built-in Wireless Supplicant
    Authentication : 802.1x PEAP(MS-Chapv2)
    Access Point : Aironet 1200
    Radius : ACS 3.3
    Adaptors : Built-in
    CA : Microsoft
    I have a single SSID and am using a RADIUS server to assign users to different VLANs. When a computer boots up, machine authentication is used and the ACS tells the access point which VLAN to be on (i.e. VLAN1 192.168.1.x). Then when the user logs on the ACS tells the access point to switch the computer to a different VLAN (i.e. VLAN2 192.168.2.x). The problem is that the windows logon scripts do not run. Once the computer finishes booting, I quickly check its IP address and it still thinks it is on 192.168.1.x (VLAN1) when it is actually on VLAN2 and needs a 192.168.2.x address. If I give the machine time, it will eventually switch its IP to the 192.168.2.x address.
    Has anyone else run across this? I assume that there is no fix and that it is a Microsoft problem. Obviously, it can't do the logon script if it does not have a valid IP for its VLAN. I also never know who will be logging into the computer to put the computer in the correct VLAN ahead of time.
    Note: If the machine and user are both set to use the same VLAN, the computer does not have to switch IPs and the windows logon script works fine.
    Thanks
    Steve

    Hi there.
    I've tried that solution, and I had a similar problem. My problem was on the DHCP server side: there was a superscope defined with the different scopes for each VLAN. When I'd the MAC Address from one machine registered at the DHCP database, the settings were always the same. Then I deleted the superscope and only defined scopes for each VLAN. It's working fine now.
    Hope this helps you.
    Regards,
    João

  • PEAP works with Windows zero but not with CSSC

    I got PEAP to work using the Windows zero config but I cannot get PEAP to work when using CSSC on the same laptop.
    When using CSSC I get asked for the password and authentication fails.  ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.
    Any suggestions?
    Seth

    Look at this ....
    Server Validation
    –The Personal stores are not used for server validation.
    –When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.
    –Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.
    –The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.
    http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html

  • Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

    Hi there,
    I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2 instances.
    A domain account "Domain\Login" is administrator on both physical nodes and "sysadmin" on both SQL Server instances.
    Currently both instances are running on the same node.
    While logging on to SQL Server instance 2 through "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past as well but the issue was resolved after installation of SQL Server 2008 R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
    Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
    Please help resolve the issue.
    Thanks,
    AY

    Hello,
    I confirm that I encountered the same problem when the first domain controller was down!!
    During a restart of the first domain controller, I tried to fail over my SQL Server instance to a second node; after that I will be able to authenticate SQL Server Login but Windows Login returns Error 18452!
    When the first DC finished restarting everything was OK!
    The question here: why doesn't the cluster instance use the second DC???
    Best Regards
    J.K

  • SnpsFTP not working with Windows domain/username

    Hi All
    We are using the following script to delete a file in FTP server. Works well with UNIX FTP server but fails with WINDOWS FTP server. Windows FTP username happens to be of format "domain/username". Is backslash causing the issue?
    Jython
    import snpsftp
    ftp = snpsftp.SnpsFTP('#PVV_SFTP_SERVER', ur"#PVV_SFTP_USER", 'PVV_PLAINPWD')
    ftp.delete ('#PVV_SFTP_FOLDER/#PVV_FILE_NAME');
    ftp.close()
    Error Message
    org.apache.bsf.BSFException: exception from Jython:
    Traceback (most recent call last):
    File "<string>", line 2, in <module>
    File "/apps/oracle/product/ODI11116_frsh/oracledi.sdk/lib/Lib/snpsftp.py", line 50, in __init__
    self.connect(host, port)
    File "/apps/oracle/product/ODI11116_frsh/oracledi.sdk/lib/Lib/snpsftp.py", line 58, in connect
    self.ftp.connect(host, port)
    File "/apps/oracle/product/ODI11116_frsh/oracledi.sdk/lib/Lib/ftplib.py", line 129, in connect
    raise socket.error, msg
    socket.error: (146, 'Connection refused')
    Regards
    Prasad Jayakumar

    There is a misunderstanding from my side. Windows server uses SFTP. Is there any script or ODI tools available to delete a file in remote server via SFTP. Thank you.

  • Windows 2008 R2 domain controllers with Windows 2003 forest functional level Supported after Windows 2003 support ends in July 2015

    Hi
    Does anyone know whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be supported after Windows 2003 support ends in July 2015?
    Thanks

    When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
    So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Need help with two-factor auth for windows logon using CSS

    Hi all,
    I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
    I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
    I have uninstalled and reinstalled the above programs in the following order:
    1) Install System Update and reboot
    2) Install Solution Center and reboot
    3) Install CSS and reboot
    4) Install Fingerprint Software and reboot
    Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
    I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
    Candace

