Powershell Web Access - Authorization failure

I've been beating my head against the wall on this one.
Setup Powershell web Access by doing the following:
1.   Install-WindowsFeature WindowsPowerShellWebAccess –IncludeManagementTools
2.   Install-PswaWebApplication –UseTestCertificate
3.   Add-PswaAuthroizationRule
–UserName Domain\Username –ComputerName
* –ConfigurationName MYCONFIG
I'm a domain administrator and I ran these three cmdlets from an administrator powershell window.
The PSWA window gives me this error:
If I run enter-pssession -computername COMPUTER
it works just fine, but not from pswa. I don't know what is wrong here. Nothing in the
event logs either.
This is from a Server 2012 machine to a Server 2012 machine.
Anyone have any ideas?

I did add a restrictive authorization rule. Step 3 that i performed was to run:
Add-PswaAuthroizationRule –UserName Domain\Username –ComputerName
* –ConfigurationName MYCONFIG
Did I miss something in this?

Similar Messages

Powershell web access limited to PowerShell 1.0?

Hello,
I setup PowerShell Web Access and it seems to be limited to PowerShell 1.0. I deployed module designed for PowerShell 2.0 and I'm getting error below when trying to import it. Is it expected?
Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
PS C:\Users\g\Documents>
Import-Module AAWebAdministration
Import-Module : The current Windows PowerShell host is: 'ServerRemoteHost' (version 1.0.0.0). The module
'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AAWebAdministration\AAWebAdministration.psd1' requires a
minimum Windows PowerShell host version of '2.0' to run.
+ CategoryInfo : ResourceUnavailable: (C:\Windows\syst...nistration.psd1:String) [Import-Module], Invalid
OperationException
+ FullyQualifiedErrorId : Modules_InsufficientPowerShellHostVersion,Microsoft.PowerShell.Commands.ImportModuleComm
and
PS C:\Users\g\Documents>

That is just for the ServerRemoteHost version, which doesn't mean that the actual PowerShell version is 1.0. It sounds like the module metadata is incorrect and should be adjusted.
You can go and edit the .psd1 file that is being referenced and set the powershellversion key to 2.0 and set the powershellhostversion to ''.
This should clear up that issue.
Boe Prox
Blog |
Twitter
PoshWSUS |
PoshPAIG | PoshChat |
PoshEventUI
PowerShell Deep Dives Book

PowerShell Web Access - Creating "Self-Serve" Behaviour

Hi all,
I am exploring PowerShell Web Access and I'm looking to set it up to offer self-serve capabilities to Dev/QA. Basically I want to Dev/QA to only be able to execute scripts (no running cmdlets, etc) and only in particular directories.
The goal of this is to allow Dev/QA to get access to the scripts I would normally run, but be able to run them when I'm away for whatever reason (while still keeping them out of the rest of the system).
Can anyone point me in the right direction?
Thanks.

I think you can better create Restricted PowerShell EndPoints in PowerShell to allow only the Script to be run (not even core cmdlets)
Have a look here:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/27/an-introduction-to-powershell-remoting-part-five-constrained-powershell-endpoints.aspx
Hope this helps
Knowledge is Power{Shell}.
This was the ticket. I set up a PSSessionConfiguration and hooked it up via Add-PswaAuthorizationRule.
Thanks.

PowerShell Web Access - Prefill Computer Name?

One of the devs asked me if there was some way to prefill the computer name field for the PSWA site (since we use the localhost machine quite often).
Is there any way to do this? He mentioned maybe query params?

If there is a query parameter or query string that can be added to the URL then I am not aware of it. Even so, it can be done.
You can modify the code in the logon.aspx file but it'll take some work. Start by stopping the website in IIS. Then locate the file at C:\Windows\Web\PowerShellWebAccess\wwwroot\en-US\logon.aspx. You need to add value="computername" to
the line <input id="targetNodeTextBox" name="computer-name" type="text" class="required" runat="server" clientidmode="Static" />. I added it after the word input and before id="targetNodeTextBox"...
The issue here is that you will have to take ownership of the file first, add modify and write permissions to a group (that you're in) or user (that's you) on the file, copy the file out of the directory, edit it as mentioned above, save it with a new name
and close the file, rename the file to logon.aspx, and then copy it back to the directory above. Painful (and
possibly a security risk?), but that's the only way in which I am aware.
Be sure to start the website in IIS before reloading your PSWA website.
Edit: Added a step to the instructions about adding permissions.

Web access how to stream to android and ipad`s

Hello.
At the moment I can log into my web access server from another pc and click on media files and be able to watch a film by streaming.
I am unable to do this on my android or ipad is there a step by step guide on how to get this to work?
I am new to owning a server 2012r2 so be gentle.
Thank you.

While PowerShell Web Access (PSWA) does require authorization rules to function, these rules do not specify what cmdlets can be used in a PSRemoting session. The PSWA authorization rules define what user, or group of users, can remotely connect to what computer,
or group of computers, through the PSWA gateway (the PSWA server).
What you need to research are session configurations and/or endpoints. These are separate from PSWA, but can be used in conjunction with PSWA (PSWA website > Optional connection settings > Configuration >
NameOfConfiguration), just as they can in a standard console-based PSRemoting session (Enter-PSSession -ComputerName
server01 -Configuration NameOfConfiguration -or- Invoke-Command -ComputerName
server01 -Configuration NameOfConfiguration).
Start your research with New-PSSessionConfigurationFile and then Register- and Unregister-PSSessionConfiguration. These have been great for our environment, allowing non-admin users access to run very specific cmdlets as an admin, without being an admin
on the computer.

Power Shell Web Access - How to limit the cmdlets and give regular users, access to perform tasks

It is possible to give to regular/standard users, powershell web access to give only, for example, "get-" cmdlets?
The ideia is to provide help desk tech users, a minimum level of access on some servers, and it will be usefull to give then, basic and restrcted access to a few cmdlets, performe harmless activities and mybe some level of access, not alloweing to to using
RDP, but PS, insted

While PowerShell Web Access (PSWA) does require authorization rules to function, these rules do not specify what cmdlets can be used in a PSRemoting session. The PSWA authorization rules define what user, or group of users, can remotely connect to what computer,
or group of computers, through the PSWA gateway (the PSWA server).
What you need to research are session configurations and/or endpoints. These are separate from PSWA, but can be used in conjunction with PSWA (PSWA website > Optional connection settings > Configuration >
NameOfConfiguration), just as they can in a standard console-based PSRemoting session (Enter-PSSession -ComputerName
server01 -Configuration NameOfConfiguration -or- Invoke-Command -ComputerName
server01 -Configuration NameOfConfiguration).
Start your research with New-PSSessionConfigurationFile and then Register- and Unregister-PSSessionConfiguration. These have been great for our environment, allowing non-admin users access to run very specific cmdlets as an admin, without being an admin
on the computer.

"Create PDF from Web Page" Yields Authorization Failure

Acrobat 9 Pro Extended running on Windows XP Service Pack 3:
When using "Create PDF from Web Page," certain linked pages result in an "Authorization Failure" error message. Is there any way to instruct Acrobat to disregard pages that are not downloadable and continue creating the PDF?

I am having the same issue AND none of my pages or files require a UserID or Password. My issue appears to be something with the domain because a and b work just fine and produce a PDF file while item c does not work and produces the error msg.
http://www.dot.wi.gov/projects/neregion/151/index.htm works just fine and produces a PDF file.
http://www.dot.state.wi.us/projects/neregion/151/index.htm works just fine and produces a PDF file.
http://www.wisconsindot.gov/projects/neregion/151/index.htm produces an error msg. ‘Nothing done’.Error info. - Authorization Failure http://www.wisconsindot.gov/projects/neregion/151/index.htm
[email protected]

Create PDF From Web Page - Authenticated SharePoint Sites generate "Authorization Failure" error

We have several authenticated sharepoint sites on our intranet, and we are trying to create a PDF of a site (x levels down) using the Acrobat create PDF from web page feature. When you try to create a PDF from a non-sharepoint, authenticated website, a login prompt appears asking for login credentials. However, when you try to use the same feature on an authenticated sharepoint site, you do not get prompted for credentials and instead get an Authorization Failure error. the popup says "Error: Nothing Done". We have successfully PDF'd anonymous sharepoint sites on the WWW. Has anyone successfully PDF'd an authenticated SharePoint site?
Thanks in advance,
-Richard.

I am having the same issue AND none of my pages or files require a UserID or Password. My issue appears to be something with the domain because a and b work just fine and produce a PDF file while item c does not work and produces the error msg.
http://www.dot.wi.gov/projects/neregion/151/index.htm works just fine and produces a PDF file.
http://www.dot.state.wi.us/projects/neregion/151/index.htm works just fine and produces a PDF file.
http://www.wisconsindot.gov/projects/neregion/151/index.htm produces an error msg. ‘Nothing done’.Error info. - Authorization Failure http://www.wisconsindot.gov/projects/neregion/151/index.htm
[email protected]

Problem - acs command authorization and web access control

Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
configure
permit terminal
exit
permit Unmatched Args
interface
permit Dot11Radio0
no
permit shutdown
permit cca
ping
permit Unmatched Args
show
permit Unmatched Args
shutdown
permit Unmatched Args
telnet
permit Unmatched Args
write
permit memory quiet
Thanks for the help !

WVC54GCA Web Access Failure

First of all I would like to say hello, this being my first post here.
Today I bought my first Linksys Camera and it works flawless on my LAN but I don't know how to access it from outside the network(web access).
My camera is connected through a D-Link DIR-600 Router and my ISP is using a dynamic IP address.
I forwarded port 1234 for my Linksys camera local IP and changed "Web Access" Port from camera setup to 1234.
My question is if I know my IP how do I connect to the camera and how do I let other people see it? For example let's say my IP is 123.123.123.123 should I use http://123.123.123.123:1234 to see the camera?

Since you have a dynamic IP, it's highly recommended that you get a DDNS service such as TZO to keep a domain name on the cam instead of relying on an IP.
If you just want to use the IP, you first need to open port 1234 and then use the WAN IP and Port as shown, http://123.123.123.123:1234 should work as long as port 1234 is open to the STATIC LAN IP of the camera.
good luck
http://www.MyHomeServer.com
Linksys IP camera reviews, Tutorials and How-To's on Web & Mobile Streaming

Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server

Hi everybody,
I've been struggeling with this problem for a few weeks now and can't find a way to solve it.
We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.
Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
Also it's important that NO ISA/TMG server is supposed to be used, the OTP/2FA is supposed to work seamless with the Web Access/Gateway.
After hours discuss we came to a point were their NPS agent setup would be the only way to accomplish our goals.
The setup is supposed to be like this:
LAN:
1 DC (2008 R2)
RD Farm (2012)
1 SA Server (2012)
DMZ:
RD Gateway/Web Access (2012)
Were Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
When you print your AD account to authenticate you add the 6 digits of OTP which you recieve from you mobile app.
Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password
(without the OTP extension).
If you write the correct AD password the authentication is forwarded to out SA Servern and it's beeing rejeced because the password doesn't
contain the correct OTP extension.
The problem comes here.
When you write you AD password along with the OTP extension you get a Windows Security error in the eventlog (On thw Gateway server) like this:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user
Account Domain: domain
Failure Information:
Failure Reason: Unknown username or password.
Status: 0xc000006d
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: server
Source Network Address: 192.168.x.x
Source Port: 63003
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
What i can see it's a NTLM error, but hey?! aren't we supposed to forward all authentication handeling to the remote NPS server?
The problem is that no matter what i try the above problem stays there.
Is it not possible to just forward ALL authentication handeling to a remote server?
The only solution I've found to get it working someday in the future is this:
"Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
Also this link describes it:
http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
Please, bring me some answers before my head explodes! :)
PS, long question = maybe some errors, ask me if something is unclear.

Hi,
Based on our experience, if the NTLM error occurs, please check the password.
Regards,
Mike
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Users see all applications in RDS 2012 Web access in one-way trust domain environment

Hello!
We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
In the security log of wa.domainA.local we can find an event :
An account failed to log on.
Subject:
Security ID:                IIS APPPOOL\RDWebAccess
Account Name:                RDWebAccess
Account Domain:                IIS APPPOOL
Logon ID:                0x2C7B16
Logon Type:                        3
Account For Which Logon Failed:
Security ID:                NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason:                An error occurred during logon
Status:                        0xC000005E
Sub Status:                0x0
Also in network trace on wa.domainA.local kerberos error could be found:
On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
How to deal with this issue? The aim is to show only specified applications to domainB users.
Any help would be appreciated.

Hi,
Thank you for your posting in Windows Server Forum.
Please check below links might useful for your case.
“After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
this article)
1. Remote APP list empty
2. RD
Web Access unable to access Source (RD Server)
In respect to Kerberos Error, refer this link for troubleshooting.
1. Troubleshooting Kerberos Authentication problems – Name resolution issues
2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
Hope it helps!
Thanks,
Dharmesh

Excel Web Access(An error has occurred.Please contact your system administrator if this problem persists. )

I'm using share point 2007 under windows server 2008 R2(one web server, another db server).When I publish a excel(*.xlsx) to report library or view it in web browser with the same error as bellows:
Excel Web Access
An error has occurred.
Please contact your system administrator if this problem persists.
Please kindly support to guide how to fix it with bellow information in details such as log.Many thanks!
1. The 12/logs file is as bellows:
10/10/2014 09:53:55.18 w3wp.exe (0x6528)                       0x5C08 Excel Services
Excel Calculation Services    2u7d Medium ExcelServerSharedWebApplication.Local: An exception was thrown by configdb infrastructure: System.InvalidOperationException: ExcelServerSharedWebApplication.Local: Could
not get ServerContext.Current, which indicates that either SharePoint or the SSP infrastructure isn't provisioned correctly or that we're running outside of a web context.     at Microsoft.Office.Excel.Server.ExcelServerSharedWebApplication.get_Local().
10/10/2014 09:53:55.18 w3wp.exe (0x6528)                       0x5C08 Excel Services
Excel Services Administration 8tqh Critical Excel Services: Unexpected exception while trying to access Shared Services Database;. Error = ExcelServerSharedWebApplication.Local: Could not get ServerContext.Current, which indicates that
either SharePoint or the SSP infrastructure isn't provisioned correctly or that we're running outside of a web context..
10/10/2014 09:53:55.18 w3wp.exe (0x6528)                       0x5C08 Excel Services
Excel Web Access              6nfi Unexpected InternalEwr.OpenWorkbook - An unexpected exception in the ECS Proxy occurred. Message: Microsoft.Office.Excel.Server.ExcelServerSettingException:
An error has occurred. ---> System.InvalidOperationException: ExcelServerSharedWebApplication.Local: Could not get ServerContext.Current, which indicates that either SharePoint or the SSP infrastructure isn't provisioned correctly or that we're running
outside of a web context.     at Microsoft.Office.Excel.Server.ExcelServerSharedWebApplication.get_Local()     --- End of inner exception stack trace ---     at Microsoft.Office.Excel.Server.ExcelServerSharedWebApplication.get_Local()
at Microsoft.Office.Excel.Server.ExcelServerSettings.get_Settings()     at Microsoft.Office.Excel.Server.ExcelServerSettings.get_EcsList()     at Microsoft.Office...
2.the event in event viewer is:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2014/10/10 9:49:43
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ***.net
Description:
An account failed to log on.
Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0
Logon Type:   3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  ***
Account Domain:  ***
Failure Information:
Failure Reason:  An Error occured during Logon.
Status:   0xc000006d
Sub Status:  0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: ***
Source Network Address: ***
Source Port:  63664
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length:  0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
<System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-10T01:49:43.563436300Z" />
    <EventRecordID>37602685</EventRecordID>
    <Correlation />
    <Execution ProcessID="532" ThreadID="26096" />
    <Channel>Security</Channel>
    <Computer>***.net</Computer>
    <Security />
</System>
<EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">***</Data>
    <Data Name="TargetDomainName">***</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2304</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">
    </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">***</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">***</Data>
    <Data Name="IpPort">63664</Data>
</EventData>
</Event>

Hi Tracy,
Have you changed something on your SharePoint 2007 environment recently before this issue occurred?
This issue may be related to Alternate Access Mappings settings like the following similar post, if you have configured AAM, you can check if this issue happened to some URLs, if it's the case, please add the problematic URLs as a Publish URLs for the default
zone for your web application, and also add these URLs as trusted locations, then check results again.
If above doesn't work, please enable ULS log on verbose level to get more useful log errors which time are corresponding to the errors occur.
https://social.technet.microsoft.com/Forums/en-US/c9ab4818-65c9-444d-be50-1bfed1f1509b/excel-web-access-web-part-works-on-intranet-but-not-internet?forum=sharepointgenerallegacy
http://blog.bugrapostaci.com/2011/09/08/how-to-enable-verbose-log-mode-on-moss-2007/
Thanks
Daniel Yang
TechNet Community Support

ACS 5.3 cannot create default network access authorization rule

Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

Looks like you are using chrome amd it's not a supported browser.
Supported Web Client/Browsers
You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
•Windows 7 32 bit
•Windows XP Professional (Service Pack 2 and 3)
•Windows Vista
•Internet Explorer version 7.x
•Internet Explorer version 8.x
•Internet Explorer version 9.x
•Mozilla Firefox version 3.x
•Mozilla Firefox version 4.x
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
Jatin Katyal
- Do rate helpful posts -

SSL VPN message "This (client) machine does not have the web access privilege."

Hello!
I am trying to configure the SSL VPN (WebVPN) and I am almost done but when clicking on the URL's I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such error and the fix for it. In fact, if I search the net for this error message I get only one match, in the Cisco website, where is say that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as fix it gave this tip "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
aaa new-model
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa session-id common
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
   quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool myPOOL
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 87.216.1.65 87.216.1.66
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
username cisco privilege 15 password 0 xxxxxxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
switchport access vlan 2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
bundle-enable
dsl operating-mode auto
interface Vlan1
no ip address
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx
ppp chap password 0 xxxx
ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
control-plane
banner motd ^C
================================================================
                UNAUTHORISED ACCESS IS PROHIBITED!!!
=================================================================
^C
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
webvpn gateway MyGateway
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
url-list "MyServers"
   heading "My Intranet"
   url-text "Cisco" url-value "http://192.168.0.2"
   url-text "NetGear" url-value "http://192.168.0.3"
login-message "Welcome to My VPN"
policy group MyDefaultPolicy
   url-list "MyServers"
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
end
Thank you!

Hi,
Please check SAP note:
2004579 - You cannot create a FR company from a Package
Thanks & Regards,
Nagarajan

Powershell Web Access - Authorization failure

Similar Messages

Maybe you are looking for