Policy Server

I've seen a few posts about this, but is there a decent implementation somewhere that actually works?  I haven't gotten a single thing to return a crossdomain.xml except the standalone Python example, which isn't really the best solution.  I suppose I'll try an Apache VirtualHost that no matter what you send it just responds with a crossdomain.xml file.
Anyone know why Adobe decided to take this stupid, stupid tack of setting up a separate server from your web server?  What was wrong with a simple crossdomain.xml file in the root of your web site?  Then to make matters worse, make this thing a strict requirement but don't release a policy server to go with it?  Do you guys even want customers?
I find it particularly ironic the only solution that will likely work is to basically serve up the crossdomain.xml file we were serving (with Flash 9) from our web site on a different port (843).  Great solution.  Way to go.  No more secure than before, but you've added the overhead of a separate server or custom virtualhost and another port open on the firewall.  Brilliant.
This one problem has so soured my view of Flex that this is pretty much the last RIA our company is building with it.  All new projects have already switched to either GWT or SproutCore.

Hi Stacie,
Could you provide more detail on what happens when a document won't open. For example:
* Is a gray background displayed?
* Do you receive an error message (if so, what is it exactly)?
* What client OS are you using (version/service pack/etc)?
* What version of Acrobat are you using (7.0.0, 7.0.1, 7.0.2, 7.0.5, etc.)?
Any more detail (even little ones) can be useful in diagnosing the problem.
Thanks,
-Bill

Similar Messages

  • Non English characters in Policy Server invitation mail

    Letters that are not in the English alphabet do not come out as they should when invitation and confirmation mails are sent from Adobe Policy Server.
    In my case the Norwegian letters Æ Ø Å are not showing correctly. But I'm guessing this goes for all other non-English letters.
    Example Š= å
    I have installed Adobe Policy Server (automatic install) with JBOSS/Tomcat and use the IIS smtp server. Does anyone know where I have to do changes to get things correct?
    Regards
    Michael Sletvold

    Hello Chris
    Thank you for pointing me in the right direction. However I cannot get it to work. It said utf8 and not utf-8 in the jboss-run.bat so I have tried both entries in the run.bat file (one at a time):
    run.bat
    set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -Dfile.encoding=utf-8
    set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -Dfile.encoding=utf8
    I also changed the jboss-run.bat to -Dfile.encoding=utf-8 without any success.
    The regional settings on the win2003 server are set to Norwegian and I have done a full server restart after each time I make a change in the *.bat file. Any tip on what I might be doing wrong would be appreciated.
    Regards
    Michael

  • NPS: Event 6274 - Network Policy Server discarded the request for a user

    Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
    Some computers are affected more than others, although they are identical hardware and based on a standard image.
    In the event log of the NPS servers I can see the following messages:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2/05/2014 8:47:58 a.m.
    Event ID:      6274
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      NT147.domain.local
    Description:
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   host/DPC0387.domain.local
     Account Domain:   DOMAIN
     Fully Qualified Account Name: DOMAIN\DPC0387$
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  3c-xx-xx-xx-xx-xx
     Calling Station Identifier:  00-xx-xx-xx-xx-xx
    NAS:
     NAS IPv4 Address:  10.nnn.nnn.nnn
     NAS IPv6 Address:  -
     NAS Identifier:   ND246
     NAS Port-Type:   Ethernet
     NAS Port:   71
    RADIUS Client:
     Client Friendly Name:  Network Device Management Subnet
     Client IP Address:   10.nnn.nnn.nnn
    Authentication Details:
     Connection Request Policy Name: NAP 802.1X (Wired)
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  NT147.domain.local
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  384F322E317838316564303034313030306230666632
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.
    How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
    Here's the packet trace that matches the event log entry above:
    No.     Time        Source                Destination           Protocol Length Time from request Info
          1 0.000000    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          2 2.470423    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
          3 2.472870    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          4 2.539416    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
          5 2.544206    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
          6 2.548804    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
          7 2.550050    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
          8 2.552597    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=249, l=208)
          9 2.556043    10.NPS_Server         10.switch             RADIUS   136    0.003446000       Access-Challenge(11) (id=249, l=90)
         10 2.565876    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
         11 2.569472    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=250, l=208)
         12 2.572566    10.NPS_Server         10.switch             RADIUS   136    0.003094000       Access-Challenge(11) (id=250, l=90)
         13 2.580254    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
         14 2.586544    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         15 4.564841    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
         16 4.568530    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
         17 4.569876    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
         18 4.582263    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=252, l=208)
         19 4.586006    10.NPS_Server         10.switch             RADIUS   136    0.003743000       Access-Challenge(11) (id=252, l=90)
         20 4.591896    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
         21 4.592692    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
         22 4.599634    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=253, l=315)
         23 4.600887    10.NPS_Server         10.switch             IPv4     1518                     Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
         24 4.609920    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    1514                     Server Hello, Certificate, Certificate Request, Server Hello Done
         25 4.610516    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
         26 4.617407    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=254, l=216)
         27 4.618352    10.NPS_Server         10.switch             RADIUS   288    0.000945000       Access-Challenge(11) (id=254, l=242)
         28 4.623650    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    176                      Server Hello, Certificate, Certificate Request, Server Hello Done
         29 4.643316    Universa_xx:xx:xx     Nearest               TLSv1    361                      Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
         30 4.649607    10.switch             10.NPS_Server         RADIUS   601                      Access-Request(1) (id=255, l=555)
         31 4.656950    10.NPS_Server         10.switch             RADIUS   199    0.007343000       Access-Challenge(11) (id=255, l=153)
         32 4.662734    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    87                       Change Cipher Spec, Encrypted Handshake Message
         33 4.681106    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
         34 4.788536    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=2, l=216)
         35 4.789735    10.NPS_Server         10.switch             RADIUS   173    0.001199000       Access-Challenge(11) (id=2, l=127)
         36 4.795723    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    61                       Application Data
         37 4.796372    Universa_xx:xx:xx     Nearest               TLSv1    93                       Application Data
         38 4.802368    10.switch             10.NPS_Server         RADIUS   331                      Access-Request(1) (id=3, l=285)
         39 4.803363    10.NPS_Server         10.switch             RADIUS   189    0.000995000       Access-Challenge(11) (id=3, l=143)
         40 4.808905    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         41 4.809501    Universa_xx:xx:xx     Nearest               TLSv1    77                       Application Data
         42 4.817342    10.switch             10.NPS_Server         RADIUS   315                      Access-Request(1) (id=4, l=269)
         43 4.822986    10.NPS_Server         10.switch             RADIUS   189    0.005644000       Access-Challenge(11) (id=4, l=143)
         44 4.828973    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         45 4.833318    Universa_xx:xx:xx     Nearest               TLSv1    829                      Application Data
         46 4.840610    10.switch             10.NPS_Server         RADIUS   1073                     Access-Request(1) (id=5, l=1027)
         47 4.845946    10.NPS_Server         10.switch             RADIUS   189    0.005336000       Access-Challenge(11) (id=5, l=143)
         48 4.850938    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
         49 4.907924    Universa_xx:xx:xx     Nearest               TLSv1    141                      Application Data
         50 4.913390    10.switch             10.NPS_Server         RADIUS   379                      Access-Request(1) (id=6, l=333)
         51 4.917535    10.NPS_Server         10.switch             RADIUS   221    0.004145000       Access-Challenge(11) (id=6, l=175)
         52 4.922877    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    109                      Application Data
         53 4.923472    Universa_xx:xx:xx     Nearest               TLSv1    61                       Application Data
         54 4.930319    10.switch             10.NPS_Server         RADIUS   299                      Access-Request(1) (id=7, l=253)
         55 4.937348    10.NPS_Server         10.switch             RADIUS   381    0.007029000       Access-Challenge(11) (id=7, l=335)
         56 4.942543    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    269                      Application Data
         57 4.944791    Universa_xx:xx:xx     Nearest               TLSv1    125                      Application Data
         58 4.951408    10.switch             10.NPS_Server         RADIUS   363                      Access-Request(1) (id=8, l=317)
         59 4.954022    10.NPS_Server         10.switch             RADIUS   355    0.002614000       Access-Accept(2) (id=8, l=309)
         60 4.981482    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Success
         61 32.590347   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         62 62.592420   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
         63 92.595043   10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
         64 122.597856  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
         65 152.600618  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)

    A belated thanks for your reply.
    Our environment doesn't have NPS accounting configured so that was easy to rule out.
    The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
    I believe the above error message occurs because the RADIUS session ID is rejected / ignored because of some quirks in the RADIUS standard.  At the start of a dot1x authentication request a RADIUS session ID is created.  For whatever reason the RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured.  The session ID is kept (per RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event: "Network Policy Server discarded the request for a user." occurs.
    It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
    There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
    It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?

    I am having the same exact issue you posted on here except I have Extreme Network switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server so then it switches to my backup server. The client has a random time on how long it waits to authenticate so sometimes I end up having to disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option to force clients to re-authenticate. Any downfall disabling that? Any idea why the NPS server is no longer responding? Are you using Windows Server 2012?
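
The retransmission and failover pattern discussed in this thread can be extracted from a packet-list export mechanically. The following is an added example, not part of the original posts: it pairs RADIUS Access-Requests with their replies by identifier and reports the requests that were never answered. The sample rows are constructed to mirror frames from the trace above, and the function names are hypothetical.

```python
import re

# Constructed sample: Wireshark packet-list text mirroring frames from the thread's trace.
SAMPLE_TRACE = """\
  8 2.552597   10.switch      10.NPS_Server         RADIUS 254              Access-Request(1) (id=249, l=208)
  9 2.556043   10.NPS_Server  10.switch             RADIUS 136 0.003446000  Access-Challenge(11) (id=249, l=90)
 14 2.586544   10.switch      10.NPS_Server         RADIUS 361              Access-Request(1) (id=251, l=315)
 18 4.582263   10.switch      10.NPS_Server         RADIUS 254              Access-Request(1) (id=252, l=208)
 19 4.586006   10.NPS_Server  10.switch             RADIUS 136 0.003743000  Access-Challenge(11) (id=252, l=90)
 58 4.951408   10.switch      10.NPS_Server         RADIUS 363              Access-Request(1) (id=8, l=317)
 59 4.954022   10.NPS_Server  10.switch             RADIUS 355 0.002614000  Access-Accept(2) (id=8, l=309)
 61 32.590347  10.switch      10.NPS_Server         RADIUS 361              Access-Request(1) (id=251, l=315)
 62 62.592420  10.switch      10.NPS_Server         RADIUS 361              Access-Request(1) (id=251, l=315)
 63 92.595043  10.switch      10.NPS_Backup_Server  RADIUS 361              Access-Request(1) (id=9, l=315)
 64 122.597856 10.switch      10.NPS_Backup_Server  RADIUS 361              Access-Request(1) (id=9, l=315)
 65 152.600618 10.switch      10.NPS_Backup_Server  RADIUS 361              Access-Request(1) (id=9, l=315)
"""

# One RADIUS row: No., Time, Source, Destination, Protocol, Length,
# optional "Time from request", then the Info column.
ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+RADIUS\s+\d+\s+"
    r"(?:\d+\.\d+\s+)?(?P<kind>Access-[A-Za-z]+)\(\d+\)\s+\(id=(?P<id>\d+),"
)


def unanswered_requests(trace_text):
    """Return Access-Requests that never got a reply, with their retransmissions."""
    outstanding = {}  # (nas, server, radius_id) -> {"frames": [...], "times": [...]}
    for line in trace_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # EAP, EAPOL, TLS and fragment rows are not RADIUS exchanges
        frame, when, rid = int(m["no"]), float(m["time"]), int(m["id"])
        if m["kind"] == "Access-Request":
            # The same identifier while still outstanding is a retransmission.
            entry = outstanding.setdefault(
                (m["src"], m["dst"], rid), {"frames": [], "times": []}
            )
            entry["frames"].append(frame)
            entry["times"].append(when)
        else:
            # Challenge/Accept/Reject closes the exchange; the 8-bit identifier
            # is then free to be reused by a later, unrelated request.
            outstanding.pop((m["dst"], m["src"], rid), None)
    return [
        {"nas": nas, "server": server, "id": rid, **entry}
        for (nas, server, rid), entry in outstanding.items()
    ]


def retry_interval(times):
    """Mean gap between transmissions, rounded to whole seconds (None if only one)."""
    if len(times) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return round(sum(gaps) / len(gaps))


def failovers(unanswered):
    """Report each point where a NAS gave up on one server and tried another."""
    by_nas = {}
    for item in sorted(unanswered, key=lambda u: u["times"][0]):
        by_nas.setdefault(item["nas"], []).append(item)
    events = []
    for nas, items in by_nas.items():
        for prev, cur in zip(items, items[1:]):
            if prev["server"] != cur["server"]:
                events.append({
                    "nas": nas,
                    "from": prev["server"],
                    "to": cur["server"],
                    "at": cur["times"][0],
                    "tries_before": len(prev["times"]),
                })
    return events


if __name__ == "__main__":
    pending = unanswered_requests(SAMPLE_TRACE)
    for p in pending:
        print(f"{p['server']}: id={p['id']} sent {len(p['times'])}x in frames "
              f"{p['frames']}, about every {retry_interval(p['times'])} s, no reply")
    for e in failovers(pending):
        print(f"{e['nas']} moved from {e['from']} to {e['to']} at t={e['at']} "
              f"after {e['tries_before']} tries")
```

Rows that Wireshark lists only as "Fragmented IP protocol" carry no identifier, so a reply visible only as a fragment (frame 23 in the trace above) leaves its request looking unanswered.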

  • ACROBAT 8 - HOW TO CONNECT AND USE THE LiveCycle Policy Server?

    Hello everybody!!! I've just bought the ACROBAT 8.0, and I'm trying to use the LiveCycle Policy Server. The point is, I couldn't connect to the server.... is there any specific way to do it? It is the same configuration to connect to a normal web site server, right?
    I need to control a copyrighted PDF over the web restricting the massive copy
    THANK YOU VERY MUCH

    No it's not exactly like connecting to a normal web server. The connection must be made via https, not http. So the app server has to be configured for SSL. Also the connection will not be made in Acrobat if there are ANY warnings about the SSL cert. So if you can't go to https://serverName:serverPort in IE and get there with no warnings then you won't be able to connect via Policy Server. Also, you can't connect to Policy Server via Acrobat using a Policy Server admin user. It must be a user who doesn't have admin privileges.
    Chris
    Adobe Enterprise Developer Support

  • An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

    Hello everyone:
    I know this question has been asked in these forums quite a few times. I apologize if it is a repeat telecast but I was not able to find a suitable solution pertaining to my problem.
    I have an AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have set up everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from FreeRADIUS server. Now, when I try to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
    Reason Code: 23
    Reason:
        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    There is nothing in the EAP logs that is obvious too:
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    So, basically, the sequence is this:
    request , challenge, request , challenge, request, reject
    Any idea what might be happening?
    Thank you.
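
Log records like the ones in this post can be decoded by position rather than read by eye. The following is an added example, not part of the original post: it parses the comma-separated records, names the leading columns, and groups each request with its reply by the Class value. The column order is an assumption based on the NPS database-compatible log layout, the sample records are abridged from the post (trailing empty columns dropped, one record left wrapped as in the scrape), and the function names are hypothetical.

```python
import csv
import io

# Leading columns of an NPS/IAS database-compatible log record, in order (assumed layout).
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class",
]

# RADIUS packet codes (RFC 2865 / RFC 2866).
PACKET_TYPES = {
    "1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
    "4": "Accounting-Request", "5": "Accounting-Response", "11": "Access-Challenge",
}

# Sample abridged from the records in the post; the first record is wrapped
# inside its quoted Class field, as it appears in the scraped text.
SAMPLE_LOG = r'''
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1
    07/11/2014 00:05:57 4927",,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,
"USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,
'''.lstrip()


def parse_nps_log(text):
    """Decode records into dicts keyed by column name; short or blank rows are skipped."""
    records = []
    # csv.reader keeps a line break inside a quoted field, so a record wrapped
    # within its Class value is still read as a single row.
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) < len(FIELDS):
            continue
        rec = {name: " ".join(value.split()) for name, value in zip(FIELDS, row)}
        rec["Packet-Name"] = PACKET_TYPES.get(
            rec["Packet-Type"], "type " + rec["Packet-Type"]
        )
        records.append(rec)
    return records


def exchanges_by_class(records):
    """Group packets that share a Class value, preserving log order."""
    grouped = {}
    for rec in records:
        grouped.setdefault(rec["Class"], []).append(rec["Packet-Name"])
    return grouped


def rejects(records):
    """Pull the fields worth reading first from every Access-Reject record."""
    return [
        {
            "when": rec["Record-Date"] + " " + rec["Record-Time"],
            "user": rec["Fully-Qualified-Distinguished-Name"],
            "client": rec["Client-Friendly-Name"],
            "policy": rec["Policy-Name"],
            "authentication_type": rec["Authentication-Type"],
            "reason_code": int(rec["Reason-Code"]),
        }
        for rec in records
        if rec["Packet-Type"] == "3"
    ]


if __name__ == "__main__":
    parsed = parse_nps_log(SAMPLE_LOG)
    for class_value, packets in exchanges_by_class(parsed).items():
        print(class_value, "->", ", ".join(packets))
    for item in rejects(parsed):
        print("REJECT", item)
```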

    Hi,
    Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
    Here is an article about the Certificate requirements of PEAP,
    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
    http://support.microsoft.com/kb/814394
    If your certificate matches the requirement, you may try to reinstall the certificate by export and import.
    To export a certificate, please follow the steps below,
    Open the Certificates snap-in for a user, computer, or service.
    In the console tree under the logical store that contains the certificate to export, click Certificates.
    In the details pane, click the certificate that you want to export.
    On the Action menu, point to All Tasks, and then click Export.
    In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
    Provide the following information in the Certificate Export Wizard:
    Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
    If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
    If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
    In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click Next, and then click Finish.
    To import a certificate, please follow the steps below,
    Open the Certificates snap-in for a user, computer, or service.
    In the console tree, click the logical store where you want to import the certificate.
    On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    If it is a PKCS #12 file, do the following:
    Type the password used to encrypt the private key.
    (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
    (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    Do one of the following:
    If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
    If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.
    If issue persists, you may try to re-issue the certificate.
    For detailed procedure, you may refer to the similar threads below,
    Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enabled External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this. Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • Using Windows Network Policy Server to authenticate Prime Infrastructure 1.4 admin access

    I am using Prime Infrastructure 1.4 and I need to set up RADIUS Authentication.  I am using Microsoft Network Policy Server.   I have done all of the setup on both systems.  I have matched up the settings the best I can on both systems.  I am trying to use CHAP.  I keep getting username or password is not valid.  In an effort to test I changed the Authentication type to PAP (I do not want to use this because it is not encrypted). But in an effort of testing I changed the setting on both the NPS and on Prime.  I am now able to log in.  Changing back to CHAP it fails and states the Username or Password is invalid.  SO, PLEASE HELP!!!!

    Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from radius.  They are as follows:
    NCS:role0=Admin
    NCS:virtual-domain0=ROOT-DOMAIN
    "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
    For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

  • Cannot connect to Policy Server

    Hi -
    I've just started using Policy Server and am trying to connect to it using the SDK.
    I've got a very small amount of source code which I took from the API documentation which should literally create the properties & then calls EDCFactory.connect.
    When I try and connect I keep getting the error message:
    Exception connecting to the Server -- An error occured while performing this operation(error code bin: 1, hex: 0x1)
    I've seen a couple of other people getting this error on this list but haven't really found a solution.
    I have imported a new config.xml file to set WebServicesEnabled to true (but not restarted the server - do I need to?), and I've created an external user that I'm using to connect to the policy server (I have also tried with the administrator).
    I'm running the client that's connecting on my local machine, and trying to connect to the policy server machine. I can enter the /edcws/services/EDCPolicyService?wsdl url into a web browser from my local machine and I get an xml response, so I presume that the server is contactable.
    Can anyone point me in the right direction as to how to debug this issue?

    Hi Bill -
    Thanks for responding - the full stack trace is as follows ... the thing that I noticed was that I get an error from the WSSecurityHandler saying the message has an invalid timestamp. But I must be honest I don't know how to set this.
    I figured maybe this is some server configuration that I haven't performed?
    Anyway, many thanks for responding.
    Anil.
    Stack Trace:
    ------------
    The exception is: Exception connecting to the Server -- An error occured while performing this operation(error code bin: 1, hex: 0x1)
    com.adobe.edc.sdk.SDKException: Exception connecting to the Server -- An error occured while performing this operation(error code bin: 1, hex: 0x1)
         at com.adobe.edc.sdk.impl.ExceptionHandler.throwException(ExceptionHandler.java:78)
         at com.adobe.edc.sdk.impl.ExceptionHandler.throwException(ExceptionHandler.java:88)
         at com.adobe.edc.sdk.EDCFactory.connect(EDCFactory.java:190)
         at com.semantico.drm.client.ApplyPolicy.createConnection(ApplyPolicy.java:45)
         at com.semantico.drm.client.ApplyPolicy.main(ApplyPolicy.java:25)
    Caused by: com.adobe.edc.sdk.SDKException: WSSecurityHandler: security processing failed. Exception Message -- An error was discovered processing the <wsse:Security> header. (WSSecurityEngine: Invalid timestamp The security semantics of message have expired) -- Internal server error(error code bin: 1032, hex: 0x408)
         at com.adobe.edc.sdk.impl.ExceptionHandler.throwException(ExceptionHandler.java:54)
         at com.adobe.edc.sdk.impl.ExceptionHandler.throwException(ExceptionHandler.java:88)
         at com.adobe.edc.sdk.impl.ExceptionHandler.throwException(ExceptionHandler.java:36)
         at com.adobe.edc.sdk.impl.soap.SOAPConnection.getAssertion(SOAPConnection.java:434)
         at com.adobe.edc.sdk.impl.soap.SOAPClientFactoryImpl.<init>(SOAPClientFactoryImpl.java:97)
         at com.adobe.edc.sdk.EDCFactory.connect(EDCFactory.java:187)
         ... 2 more
    Caused by: com.adobe.edc.common.PolicyServiceException
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
         at java.lang.reflect.Constructor.newInstance(Unknown Source)
         at java.lang.Class.newInstance0(Unknown Source)
         at java.lang.Class.newInstance(Unknown Source)
         at org.apache.axis.encoding.ser.BeanDeserializer.<init>(BeanDeserializer.java:90)
         at org.apache.axis.encoding.ser.BeanDeserializerFactory.getGeneralPurpose(BeanDeserializerFactory.java:88)
         at org.apache.axis.encoding.ser.BaseDeserializerFactory.getDeserializerAs(BaseDeserializerFactory.java:90)
         at org.apache.axis.encoding.DeserializationContext.getDeserializer(DeserializationContext.java:449)
         at org.apache.axis.encoding.DeserializationContext.getDeserializerForType(DeserializationContext.java:529)
         at org.apache.axis.message.SOAPFaultDetailsBuilder.onStartChild(SOAPFaultDetailsBuilder.java:157)
         at org.apache.axis.encoding.DeserializationContext.startElement(DeserializationContext.java:1015)
         at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
         at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
         at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
         at org.apache.xerces.parsers.DTDConfiguration.parse(Unknown Source)
         at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
         at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
         at javax.xml.parsers.SAXParser.parse(Unknown Source)
         at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:225)
         at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:645)
         at org.apache.axis.Message.getSOAPEnvelope(Message.java:424)
         at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:62)
         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:173)
         at org.apache.axis.client.Call.invokeEngine(Call.java:2735)
         at org.apache.axis.client.Call.invoke(Call.java:2718)
         at org.apache.axis.client.Call.invoke(Call.java:2394)
         at org.apache.axis.client.Call.invoke(Call.java:2317)
         at org.apache.axis.client.Call.invoke(Call.java:1774)
         at com.adobe.edc.sdk.impl.soap.SOAPConnection.getAssertion(SOAPConnection.java:430)
         ... 4 more

  • Network Policy Server Event ID 6272 not being forwarded to Event Collector.

    Hi there
    I have configured an Event Subscription to collect events from 2 DCs that run RADIUS for network switches. It appears the events are being forwarded okay, I am getting the Security events (Logon and Logoff) on the event collector PC. However I am not getting
    any of the Network Policy Server security events (specifically Event IDs 6272), to centrally audit RADIUS logins to switches.
    The subscription is collector initiated, and I have added Network Service to the Event Log Readers Group. Is there something I am missing in the setup requirements for these events to be forwarded?
    Thank you,
    Kind regards
    Hylton

    Hi Gabriel101,
    Could you offer us more information about your environment, such as what edition of server you are using, whether your AD and NPS roles are on the same server, whether your NPS is working
    properly now, and whether you can receive other security auditing?
    The related KB:
    NPS Local Log File Status
    http://technet.microsoft.com/en-us/library/cc735386(v=ws.10).aspx
    Event ID 6272 — NPS Authentication Status
    http://technet.microsoft.com/en-us/library/cc735388(v=ws.10).aspx
    I’m glad to be of help to you!

  • Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

    Dear all,
    How can I authenticate admin access to the Prime infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as RADIUS server? I find some information using ACS as RADIUS server but cannot find how to for Windows NPS.
    I try to configure the NPS but an error prompted when logging in to PI using an account in the NPS server, "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
    Thanks for your help.
    Dennis

    Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from RADIUS.  They are as follows:
    NCS:role0=Admin
    NCS:virtual-domain0=ROOT-DOMAIN
    "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
    For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.
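
As an added example (not part of the thread or the linked write-up), the following Python checks the attribute section of a RADIUS reply for the two AV pairs the answer lists and reports which are missing. It assumes the pairs travel as Cisco-AVPair vendor-specific attributes (vendor ID 9, vendor type 1), which the post does not state; the function names and sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9    # assumption: the pairs are sent as Cisco VSAs
CISCO_AVPAIR = 1       # vendor type 1 = Cisco-AVPair (assumption, as above)
REQUIRED = ("NCS:role0", "NCS:virtual-domain0")  # names from the answer above

def encode_cisco_avpair(pair: str) -> bytes:
    """Wrap one 'name=value' string in a Vendor-Specific attribute."""
    value = pair.encode("ascii")
    if len(value) > 247:  # 255 - 2 (attr header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("AV pair too long for one attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def cisco_avpairs(attrs: bytes) -> dict:
    """Walk the attribute TLVs of a reply and collect Cisco AV pairs.
    Only VSAs holding a single sub-attribute are recognised."""
    pairs, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue  # some other attribute, e.g. Service-Type
        vendor, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor != CISCO_VENDOR_ID or v_type != CISCO_AVPAIR or v_len != len(body) - 4:
            continue
        name, sep, value = body[6:].decode("ascii", "replace").partition("=")
        if sep:
            pairs[name] = value
    return pairs

def missing_for_prime(attrs: bytes) -> list:
    """Names listed in the answer that the reply does not carry."""
    found = cisco_avpairs(attrs)
    return [name for name in REQUIRED if name not in found]

# Constructed samples (attribute bytes only, not a packet capture).
GOOD = (encode_cisco_avpair("NCS:role0=Admin")
        + encode_cisco_avpair("NCS:virtual-domain0=ROOT-DOMAIN"))
ROLE_ONLY = b"\x06\x06\x00\x00\x00\x06" + encode_cisco_avpair("NCS:role0=Admin")
```

Running `missing_for_prime` over the attribute bytes of a captured Access-Accept shows whether the NPS network policy is actually returning both pairs before you start debugging Prime itself.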

  • Network Policy Server Two-factor authentication OTP

    Hello,
    I don't have much knowledge about the Network Policy Server so before digging into this; I would like to know if it offers two-factor authentication. If so, what are the possibilities? I'm looking for a validation based on a one-time password OTP (hardware/software
    token or sms) and the Active Directory user/pwd.
    Is there anything built into the Network Policy Server offering this?
    Thank you!

    Hi,
    NPS supports smart card.
    Two-factor authentication provides improved security because it requires the user to meet two authentication criteria: a user name/password combination and a token or certificate.
    A typical example of two-factor authentication with a certificate is the use of a smart card.
    To use smart cards for remote access authentication, we may do the following:
    * Configure remote access on the remote access server.
    * Install a computer certificate on the remote access server computer.
    * Configure the Smart card or other certificate (TLS) EAP type in remote access policies.
    * Enable smart card authentication on the dial-up or VPN connection on the remote access client.
    For detailed information, please refer to the link below,
    Using smart cards for remote access
    http://technet.microsoft.com/en-us/library/cc783310(v=WS.10).aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Network Policy Server Policies

    We are using Windows Network Policy Server application as a radius server for VPN connections using windows server 2008 R2.
    On my firewall, we currently have only 1 VPN profile and we have a Network Policy that says if they are not part of this windows group, they cannot connect to the VPN.
    I have setup two additional vpn profiles for different vendors, etc and set up the test accounts to use different groups and setup new network policies for each one. The issue I am running into is all NPS network policies work with each vpn profile. I would
    like to know how can you setup a policy so they differentiate between each vpn policy so if user is on vpn profile 1 it will use network policy 1 and not allow them access to any of the other vpn profile 2 or 3 because they do not meet the requirements for
    them based off the network policy that is defined.

    Hi,
    According to your description, my understanding is that you wanted the NPS policies to work differently according to the firewall rules/profiles. If I misunderstood anything, please feel free to let me know.
    Based on my experience, it seems that NPS won't do that with firewall profiles. If you want to define different network policies for different user groups, you can select the specific user group when specifying the conditions of the network policy. More information:
    Network Policy Conditions Properties
    Best regards,
    Susie

  • 6274: Network Policy Server discarded the request for a user

    How to reproduce this event:
    6274: Network Policy Server discarded the request for a user

    Hello,
    according to the following just use an older RADIUS client version:
    Warning: NPS discarded the request for a user
    This monitor returns the number of events when the Network Policy Server discarded the request for a user.
    Type of event: Warning. Event ID: 6274.
    This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS
    client.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Use of Adobe Policy server to implement security functions

    Hello Folks,
    Has anyone explored the possibilities to implement security features for adobe offline scenario using Adobe Policy Server?
    Is there any other means by which I can implement features like password protected or encryption in offline scenario?
    SAP documentation has pointers to Adobe Policy server, but no comprehensive documentation found on the same.
    Thanks & Regards,
    Chitrali

    Hi,
    You can add security features like password protection and limits usage, such as no printing, etc. Here is a link to the Java API documentation http://help.sap.com/javadocs/NW04S/current/wd/com/sap/tc/webdynpro/clientserver/adobe/pdfdocument/api/IWDPDFDocumentCreationContext.html#setProtection(java.lang.String,%20java.lang.String,%20com.sap.tc.webdynpro.clientserver.adobe.pdfdocument.api.WDPDFDocumentProtectPermission[])
    I believe you can do the same stuff with the ABAP API.
    You have to check if it works in your version, because sometimes the API is there but doesn't work 100%.
    You can also sign docs (there is some info about that in the above Java API link).
    Hope this helps.

  • Livecycle Policy Server and Livecycle Document Security

    Do I need Document Security to use Policy Server??

    Hello,
    I've been hunting around but can't find it. Is there a concise reference for how to use Adobe Acrobat8 Security features with the Adobe Document Center? Is it so new that there's no book (Quick Start, etc.) on it?
    I send PDFs to people. But I only want them to be able to print the PDF, not copy any of its content. I also want the PDF to "self destruct" after a 3 month period. I was going to use Pinion Software's AutoShred product, but then I stumbled upon Adobe8 and the Document Center, which seemed like a perfect fit. So I immediately upgraded to Adobe8 and signed up for the trial at the Document Center.
    I have created security policies. But when I look at the policy, there is nothing allowing the detailed modifications permitted in Acrobat8 - Secure / Show Security Properties / SecurityTab / and the list for Document Restrictions Summary.
    For some reason, when I set up a security policy - most restrictive to only permit printing and file non-access after 3 months - the "page extraction: allowed" always shows up when I examine Show Security Properties / Security Tab / Document Restrictions Summary, even though for everything else it is "Not allowed" which is what I want.
    I thought maybe it's a bug, because when I close the file and then reopen it, the page extraction is grayed out. But I don't know if people I send the file to will be able to extract the pages, thus getting around my objective of not allowing them to copy/paste any of my proprietary content onto some other file format.
    Any help on this?
    Thanks,
    Robert

  • Policy Server Document displaying no content inside Adobe Acrobat 7.0

    When I apply a policy to a document and log in I am able to view the document the first time. However when I try to re-open the document, it will open in Adobe Acrobat Professional 7.0 but open up with a grey background with no content. We are currently piloting the Adobe Policy Server. I have about 35 external users on this policy and all of them are active users.

    Hi Stacie,
    Could you provide more detail on what happens when a document won't open. For example:
    * Is a gray background displayed?
    * Do you receive an error message (if so, what is it exactly)?
    * What client OS are you using (version/service pack/etc)?
    * What version of Acrobat are you using (7.0.0, 7.0.1, 7.0.2, 7.0.5, etc.)?
    Any more detail (even little ones) can be useful in diagnosing the problem.
    Thanks,
    -Bill
