Pre-authentication ACL disconnects

Hi,
We have a Guest WLAN where a pre-authentication ACL is configured. It works, but the client gets disconnected after a while. The session timeout / idle timeout etc. are configured to a higher value than the time after which the actual disconnect (+/- 15 min) takes place.
When the client is authenticated (and does not use the pre-auth ACL) the client doesn't get disconnected.
It seems like the same issue as in the following threads, but they don't state a solution:
https://supportforums.cisco.com/message/3687872#3687872     
https://supportforums.cisco.com/message/3424053
I'm running code 7.4.110.0.
Any ideas?

Hi,
If clients are in Webauth_Reqd state, no matter if they are active or idle, the clients will get de-authenticated after a web-auth required timeout period (for example, 300 seconds, and this time is non-user-configurable). All traffic from the client (allowed via Pre-Auth ACL) will be disrupted. If the client associates again, it will move back to the Webauth_Reqd state.
There is an enhancement request filed esp. for your situation with Pre-auth ACL.
CSCtj32812 DHCP Option to mitigate the problem of guest client rejoining network
https://tools.cisco.com/bugsearch/bug/CSCtj32812
Regards
Don't forget to rate helpful posts

Similar Messages

  • ISE Node Failure & Pre-Auth ACL

    Hi All,
    I would like to know what the best practice configuration is for the following points:
    1) Network access for end users/devices if both ISE nodes become unreachable: how can we make sure that full network access is granted if both ISE nodes become unavailable?
    2) What is the best practice for pre-auth ACL configuration if IP phones are also in the network?
    Here is the port configuration and pre-auth ACL which I am using in my network:
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
      dot1x pae authenticator
    dot1x timeout tx-period 5
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks & Regards,
    Mujeeb

    Hi,
    I am using following configuration on the ports,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command ?
    authentication event server dead action authorize vlan 30 ---> So in case if ISE nodes are unavailable then this port will be in VLAN 30 which is the actual VLAN ?
    authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if ISE nodes becomes available ?
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
      dot1x pae authenticator
    dot1x timeout tx-period 5
    Since I am using the following ACL on the ports, will users have network access according to the following ACL in case the ISE nodes are unavailable?
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks
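To see exactly what the posted ISE-ACL-DEFAULT pre-auth ACL lets through before ISE has authorized the port (including a phone in the voice VLAN, which the question raises), here is an added example that is not from the post and not Cisco code: a small first-match evaluator for IOS extended ACL syntax, run over constructed flows. The ACL text is copied from the post; the flows, their addresses and the call-control port used in the phone flow are assumptions. Only the `any`, `host`, wildcard and `eq` forms that appear in the ACL are parsed, and `log` is ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pre-auth ACL exactly as posted (remarks kept for context).
ACL_TEXT = """
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny   ip any any log
"""

# IOS port keywords that may appear after 'eq', mapped to port numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53, "www": 80}


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]          # (address, wildcard) as 32-bit ints
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str                     # normalised ACE text, for reporting which line matched


def _addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1]))), i + 2


def _port(toks, i):
    """Parse an optional 'eq <port>' qualifier (the only operator used in the posted ACL)."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        aces.append(Ace(action, proto, src, sport, dst, dport, " ".join(toks)))
    return aces


def _addr_match(ip: str, spec: Tuple[int, int]) -> bool:
    base, wild = spec
    # IOS wildcard semantics: bits set in the wildcard are "don't care".
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(aces, proto, src, sport, dst, dport):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(src, ace.src) or not _addr_match(dst, ace.dst):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny>"


# Constructed flows as seen from an unauthenticated port: (proto, src, sport, dst, dport).
FLOWS = [
    ("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # DHCP discover
    ("udp", "10.30.0.15", 51000, "172.22.35.11", 53),   # DNS to the first DC
    ("icmp", "10.30.0.15", None, "10.50.0.20", None),   # ping a file server
    ("udp", "10.30.0.15", 2070, "10.30.0.1", 69),       # PXE / TFTP
    ("tcp", "10.30.0.15", 49000, "10.50.0.20", 445),    # SMB before authorization
    ("tcp", "10.40.0.7", 49001, "10.60.0.9", 2000),     # phone in voice VLAN to call control (assumed port)
]


def evaluate_flows(aces=None):
    """Return [(flow, action, matching ACE text)] for every constructed flow."""
    aces = aces or parse_acl(ACL_TEXT)
    return [(f, *evaluate(aces, *f)) for f in FLOWS]


if __name__ == "__main__":
    for flow, action, ace in evaluate_flows():
        print(f"{action:6} {flow}  <- {ace}")
```

The last two flows show what the question is really about: until ISE authorizes the port (or the server-dead action applies), everything not listed is dropped, so a phone that needs more than DHCP/TFTP to register has to be covered by the pre-auth ACL or by MAB.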

  • Post-Authentication ACL in Wireless Controller question

    Hey guys,
    I'm trying to set up an ACL for "after" people log in to our wireless network to allow them access ONLY to the web, not file servers or SQL servers, etc.
    I found how to configure an ACL, but it's pre-authentication, and after people log in they have access to everything.
    Any ideas?
    I'm using a Wireless Controller 2504
    Thanks.

    I think I found it; there is an override ACL after login. I set this one up (see picture), but even though I can do an nslookup and I can ping any site, when I try to go online I get nothing.
    What am I forgetting?

  • Calling a function in Pre-Authentication Process in Authentication Scheme

    Hello all,
    I want to call a function located somewhere inside apex (not in the database) from the Pre-Authentication Process in an Authentication Scheme.
    Is it possible?
    Regards Pedro.

    Pedro
    Possibly, if you could unwrap the source of the package, but basically you wouldn't want to mess with APEX's API.
    If this is your function then you want it somewhere in one of your own schemas (you won't potentially break APEX and you will retain it when you upgrade).
    If you wish, you could create your own authentication schema and only give yourself access to it (as well as execute to the application's parsing schema user). You could also just create it in the application parsing schema as
    CREATE OR REPLACE PACKAGE BODY xxxxxxx WRAPPED
    This makes the source unreadable in the database (remember to keep the original source yourself though!).
    Hope this helps
    Cheers
    Ben

  • RDP pre-authentication: what does it actually do?

    I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
    I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
    No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is after they have already successfully authenticated and visited the /RDWeb pages.
    Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand that this is what is expected; it is checking for the existence of a cookie.
    But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
    Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
    Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's meant to work ;)

     
    Hi,
    Please double check the following article:
    Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
    On the Forefront TMG server apply the filter ipv4.address==<your public IP>
    When the client's remote desktop request reaches the TMG server, please check whether the TMG server is forwarding the packet to the RDG server.
    Looking forward to your feedback.
    Regards,
    Dollar Wang
    Forum Support
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Technology changes life……

  • Error with Pre-Authentication for Windows Desktop SSO

    When I try to use the windows desktop sso module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing erroneous. It's not an access manager problem, I can't get kinit to work either. I think I'm following the directions correctly from the manual.
    Are these ktpass commands set up right?
    The Windows AD administrator created the accounts:
    C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
    Targeting domain controller: dc2.ad.tcpip.com
    Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
    WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
    WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
    Reset AMDEV$'s password [y/n]?  y
    Key created.
    Output keytab to amdev.keytab:
    Keytab version: 0x502
    keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe
    3e6846d3cd)
    Account AMDEV$ has been set for DES-only encryption.
    C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
    Targeting domain controller: dc2.ad.tcpip.com
    Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
    WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
    WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
    Reset AMDEV$'s password [y/n]?  y
    Key created.
    Output keytab to amdev-http.keytab:
    Keytab version: 0x502
    keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201c
    f4d3ec43e6)
    Account AMDEV$ has been set for DES-only encryption.
    C:\>
    I can read the keys with ktutil.
    ktutil:  rkt amdev-http.keytab
    ktutil:  list
    slot KVNO Principal
       1    4            HTTP/[email protected]
    ktutil:  rkt amdev.keytab
    ktutil:  list
    slot KVNO Principal
       1    4            HTTP/[email protected]
       2    3            HOST/[email protected]
    ktutil:  wkt amdev2.keytab
    I then try to do a kinit with the principal:
    kinit -k -t amdev2.keytab HTTP/[email protected]
    kinit(v5): Preauthentication failed while getting initial credentials
    Access Manager reports a similar problem on access:
    01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
    Stack trace:
    javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
            at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
    . . .

    Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.
    I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries all in vain, kinit using the keytab always resulted in a PA error, although the time clocks are setup the same.
    The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
    If anyone knows what the difference between machine and user accounts is in AD, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, very glad to finally have this working.

  • Kerberos pre-authentication failed

    Hi,
    I have a customer has the below issue:
    After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
    Also the below email alert from ADManager:
    Alert     Message:
    Login failure for User 'Administrator' in server.domain.local'.     Reason: 'Bad password'.
    Severity:
    Attention
    Event Details
    Domain
      krbtgt/domain.LOCAL
    Event Code
      16
    SID
      %{S-1-5-21-428199501-1217283236-4064894256-500}
    Client Host Name
      Server.domain.local
    Event Type
      Failure
    Remarks
      Kerberos pre-authentication failed.
    Logon Service
      krbtgt/ domain.LOCAL
    Domain Controller
      DC.domain.local
    User Name
      Administrator
    Client IP Address
      IP
    Failure Code
      0x18
    Logon Time
      Apr 09,2015 11:42 AM
    Failure Reason
      Bad password
    Record number
      2197037173
    Event Number
      4771
    They already changed the password for service accounts running under that admin account to the new password. There are no issues in the domain other than this; users can log in and services are fine. However, the account lockout policy is disabled, and if it is enabled I think they will have a huge issue due to this Kerberos authentication failure.
    Please help!

    Hi,
    Did you confirm the time sync issue?
    The error code 0x25 means the workstation's clock is too far out of sync with the DC's, so I suggest you first check the time sync of the computer failing pre-auth with the DC.
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
    Similar threads have been discussed:
    https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
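The reply above reads event 4771 by its failure code, and the question's own snapshot shows code 0x18 ("bad password") repeating from one host after an administrator password change. As an added example (not from the thread, not Microsoft or ADManager code), the following Python parses a constructed, simplified export of 4771 records, maps the Status field to its RFC 4120 KRB-ERROR meaning, and flags any (user, source host) pair that keeps failing with 0x18 inside a short window, which is the pattern a stale cached credential, service or scheduled task produces after a password change. The one-line log format, host addresses and timestamps are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos pre-authentication failure codes reported in event 4771 (RFC 4120 KRB-ERROR codes).
FAILURE_CODES = {
    "0x6": "client not found in Kerberos database",
    "0x12": "client credentials revoked (account disabled, expired or locked out)",
    "0x17": "password has expired",
    "0x18": "pre-authentication information invalid (usually a bad password)",
    "0x25": "clock skew too great",
}

# Constructed export: one event per line, field names follow the 4771 event XML.
SAMPLE_LOG = """\
2015-04-09T11:42:01 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:42:31 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:43:01 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:43:31 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:44:01 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:44:31 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.5 Status=0x18
2015-04-09T11:45:00 4771 TargetUserName=Administrator IpAddress=::ffff:10.0.0.7 Status=0x18
2015-04-09T11:46:00 4771 TargetUserName=jsmith IpAddress=::ffff:10.0.0.9 Status=0x25
2015-04-09T11:46:30 4624 TargetUserName=jsmith IpAddress=::ffff:10.0.0.9 LogonType=3
"""

LINE_RE = re.compile(
    r"^(\S+) 4771 TargetUserName=(\S+) IpAddress=(\S+) Status=(0x[0-9a-fA-F]+)$"
)


def parse_events(text):
    """Return 4771 records as dicts; lines for other event IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, status = m.groups()
        ip = ip.replace("::ffff:", "")  # 4771 logs IPv4 clients as IPv4-mapped IPv6
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "status": status.lower(),
        })
    return events


def describe(status):
    return FAILURE_CODES.get(status.lower(), "unknown failure code")


def summarize_by_code(events):
    """Counter of failure codes, e.g. to see whether 0x25 (clock skew) is present at all."""
    return Counter(e["status"] for e in events)


def find_repeat_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Map (user, ip) -> most 0x18 failures seen in any `window`, keeping pairs at/above threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["status"] == "0x18":
            by_key[(e["user"], e["ip"])].append(e["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for code, n in summarize_by_code(evs).items():
        print(f"{code}: {n} events, {describe(code)}")
    for (user, ip), n in find_repeat_offenders(evs).items():
        print(f"check host {ip}: {n} bad-password pre-auth failures for {user}")
```

The source host, not the DC, is where to look: 4771 carries the client address, and the process on that host that still holds the old password (service, mapped drive, scheduled task, RDP session with cached credentials) is what has to be updated or restarted.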

  • Pre-authentication failed in krb

    Hi All,
    We are also facing the same issue, but in a different way.
    Our Java application accepts the first 100 (around) Kerberos auth requests and the rest of the requests are dropped; while dropping them it simply shows a message like "pre-authentication failed".
    What I doubt is: do we have any constraint on the number of concurrent accesses in Kerberos?
    I'm using Tomcat and CASified Sakai with Apache2.


  • Pre-authentication information was invalid (24) authorization against AD

    Hi all,
    I'm getting really desperate about this error message during authentication to the Win2003 server where the Active Directory is running... I'm using Krb5LoginModule.
    - Our administrator of the AD service has enabled DES encryption on the tested account.
    - I'm sure that the entered password is correct, because I am able to log in to our network with this password.
    - The entered Kerberos realm is in upper case, in the form (COMPANY.COM).
    - Kerberos KDC contains the IP address of the domain controller.
    I really don't know why it doesn't work... :-(( Strangely, if I enable ticketCache so that it can use the native ticket cache, it works fine...
    My code is:
    import java.util.Iterator;
    import java.util.Properties;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    /**
     * This JaasAcn application attempts to authenticate a user
     * and reports whether or not the authentication was successful.
     */
    public class JaasSample {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                // "JaasSample" is the entry name looked up in jaas.conf
                lc = new LoginContext("JaasSample", new TextCallbackHandler());
            } catch (LoginException le) {
                System.err.println("Cannot create LoginContext. " + le.getMessage());
                System.exit(-1);
            } catch (SecurityException se) {
                System.err.println("Cannot create LoginContext. " + se.getMessage());
                System.exit(-1);
            } catch (Exception e) {
                System.out.println("Login failed: " + e.getMessage());
                System.exit(-1);
            }
            try {
                // Runs Krb5LoginModule: prompts for username/password and does the AS exchange
                lc.login();
                Subject subject = lc.getSubject();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext()) {
                    System.out.println("Authenticated: " + it.next().toString());
                }
                it = subject.getPublicCredentials(Properties.class).iterator();
                while (it.hasNext()) {
                    ((Properties) it.next()).list(System.out);
                }
                lc.logout();
            } catch (LoginException le) {
                System.err.println("Authentication failed: ");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }
            System.out.println("Authentication succeeded!");
        }
    }
    start.bat file:
    "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
    jaas.conf file:
    JaasSample {
        com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
    };
    Output is:
    c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
    BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
    va.security.auth.login.config=jaas.conf JaasSample
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
    alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
    null tryFirstPass is false useFirstPass is false storePass is false clearPass is
    false
    Kerberos username [Kloucek]: User3
    Kerberos password for User3: Poiu4566
    [Krb5LoginModule] user entered username: User3
    principal is [email protected]
    Acquire TGT using AS Exchange
    EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
    2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
    0010: 1F 16 9E B6 19 8A 46 68
    [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication failed:
    Pre-authentication information was invalid (24)
    I tried all the tips I found on this forum and other internet resources without luck... :-(((
    Please heeeeelp!!!!!!!!!!!!!!!!!

    I have solved it. The reason for this problem was this:
    I'm accessing our network via these login properties:
    login: My second name
    pass: My password
    Because of this I had entered these login properties into the Kerberos database too, BUT KERBEROS had been expecting my fully qualified network name, which is myfirstname.mysecondname@KERBEROS-REALM! So after I entered [email protected] instead of [email protected] it started to work! I hope this will help many other programmers...

  • Pre-authentication information was invalid (24)

    Hi all,
    I'm getting really desperate about this error message during authentication to the Win2003 server where the Active Directory is running... I'm using Krb5LoginModule.
    - Our administrator of the AD service has enabled DES encryption on the tested account.
    - I'm sure that the entered password is correct, because I am able to log in to our network with this password.
    - The entered Kerberos realm is in upper case, in the form (COMPANY.COM).
    - Kerberos KDC contains the IP address of the domain controller.
    I really don't know why it doesn't work... :-(( Strangely, if I enable ticketCache so that it can use the native ticket cache, it works fine...
    My code is:
    import java.util.Iterator;
    import java.util.Properties;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    /**
     * This JaasAcn application attempts to authenticate a user
     * and reports whether or not the authentication was successful.
     */
    public class JaasSample {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                // "JaasSample" is the entry name looked up in jaas.conf
                lc = new LoginContext("JaasSample", new TextCallbackHandler());
            } catch (LoginException le) {
                System.err.println("Cannot create LoginContext. " + le.getMessage());
                System.exit(-1);
            } catch (SecurityException se) {
                System.err.println("Cannot create LoginContext. " + se.getMessage());
                System.exit(-1);
            } catch (Exception e) {
                System.out.println("Login failed: " + e.getMessage());
                System.exit(-1);
            }
            try {
                // Runs Krb5LoginModule: prompts for username/password and does the AS exchange
                lc.login();
                Subject subject = lc.getSubject();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext()) {
                    System.out.println("Authenticated: " + it.next().toString());
                }
                it = subject.getPublicCredentials(Properties.class).iterator();
                while (it.hasNext()) {
                    ((Properties) it.next()).list(System.out);
                }
                lc.logout();
            } catch (LoginException le) {
                System.err.println("Authentication failed: ");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }
            System.out.println("Authentication succeeded!");
        }
    }
    start.bat file:
    "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
    jaas.conf file:
    JaasSample {
        com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
    };
    Output is:
    c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
    BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
    va.security.auth.login.config=jaas.conf JaasSample
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
    alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
    null tryFirstPass is false useFirstPass is false storePass is false clearPass is
    false
    Kerberos username [Kloucek]: User3
    Kerberos password for User3: Poiu4566
    [Krb5LoginModule] user entered username: User3
    principal is [email protected]
    Acquire TGT using AS Exchange
    EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
    2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
    0010: 1F 16 9E B6 19 8A 46 68
    [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication failed:
    Pre-authentication information was invalid (24)
    I tried all the tips I found on this forum and other internet resources without luck... :-(((
    Please heeeeelp!!!!!!!!!!!!!!!!!


  • Exchange 2013 pre-authentication & Reverse Proxy Options

    Hello,
    I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG used to do? I am currently trying to deploy a new Exchange 2013 setup in coexistence with an existing Exchange 2010 environment which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server, but that is going to be decommissioned along with Exchange 2010.
    I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Exchange 2010 still being active that won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files, but those options didn't seem like they provided a consistent result.
    So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal; any suggestions would be helpful.
    Nicholas,

    How about IIS ARR?
    http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
    http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Kerberos pre-authentication issues - why now?

    Hi all,
    We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
    Any help or information that I can get would be helpful.
    Thanks,
    - Steve

    Hi JK,
    Thanks for the reply.
    Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently authenticating against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!
    I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
    Thanks,
    - Steve
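    The poster's reluctance to disable pre-authentication is well founded: an account whose userAccountControl carries the "Do not require Kerberos preauthentication" bit (0x400000) will hand an AS-REP encrypted with that user's key to anyone who asks, which can then be cracked offline. The script below is an added example, not part of the thread or of any Cisco or Microsoft tool; it runs over constructed sample records (a real audit would feed it the results of the LDAP filter it builds) and lists the accounts where the flag has been set.

```python
"""Added example: audit user records for Kerberos pre-authentication being
switched off. SAMPLE_USERS is constructed; it is not data from a real domain."""

# userAccountControl bit flags (Active Directory schema values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# LDAP extensible match rule for "bitwise AND" (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample records, as an LDAP search would return them.
SAMPLE_USERS = [
    {"sAMAccountName": "alice",    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "bob",      "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc-vpn",  "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_USE_DES_KEY_ONLY},
    {"sAMAccountName": "old-acct", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]


def preauth_required(uac: int) -> bool:
    """True when the KDC will demand PA-ENC-TIMESTAMP before issuing a TGT."""
    return not (uac & UF_DONT_REQUIRE_PREAUTH)


def flag_names(uac: int) -> list:
    """Human-readable names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def find_preauth_disabled(users, include_disabled: bool = False) -> list:
    """Return sAMAccountNames whose pre-authentication has been switched off.
    Disabled accounts are skipped unless include_disabled is set, because a
    disabled account cannot obtain an AS-REP anyway."""
    hits = []
    for user in users:
        uac = user["userAccountControl"]
        if preauth_required(uac):
            continue
        if not include_disabled and uac & UF_ACCOUNTDISABLE:
            continue
        hits.append(user["sAMAccountName"])
    return sorted(hits)


def ldap_filter_for_preauth_disabled(only_enabled: bool = True) -> str:
    """Build the LDAP filter that would fetch the same set server-side."""
    preauth_off = f"(userAccountControl:{BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
    if not only_enabled:
        return preauth_off
    not_disabled = f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE}))"
    return f"(&(objectClass=user){preauth_off}{not_disabled})"


if __name__ == "__main__":
    for name in find_preauth_disabled(SAMPLE_USERS):
        uac = next(u["userAccountControl"] for u in SAMPLE_USERS if u["sAMAccountName"] == name)
        print(f"{name}: {', '.join(flag_names(uac))}")
    print(ldap_filter_for_preauth_disabled())
```

The filter string is what you would pass to ldapsearch or Get-ADObject; the bitwise-AND matching rule is needed because userAccountControl is a bit field, not a list of values.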

  • JAAS, AD, Pre-authentication information was invalid (24)

    Our application is Java based, and we use JAAS to allow authentication for the users through Active Directory.
    In particular we always encourage our prospective clients to use Krb5LoginModule.
    We would
    1. add new user to AD , set DES for the account, reset the password
    2.
    setspn -A host/newUser.DOMAIN.COM newUser
    setspn -A HTTP/newUser.DOMAIN.COM newUser
    run ktpass
    pass the keytab to the server where the server application will be running from and setup there
    -Djava.security.auth.login.config=c:\config\config.conf
    -Djava.security.krb5.realm=DOMAIN.COM
    -Djava.security.krb5.kdc=<IP address of KDC>
    where config.conf holds a login entry like the following (the entry name must match the one passed to LoginContext; forward slashes in the keytab path avoid backslash escaping in the config file):
    MyApp {
        com.sun.security.auth.module.Krb5LoginModule required
            tryFirstPass=true storePass=true storeKey=true
            useKeyTab=true keyTab="c:/keytab.key";
    };
    and it works...
    However, I have encountered a situation where the above would return
    Pre-authentication information was invalid (24) error.
    We have reset the password, regenerated the keytab, it is the same time zone ... and nothing.
    Then I asked to have a new user added (just to test it) - and it worked for the new user.
    Now - what do I need to do to get it to work for the hundreds of others?
    Thanks

    Support for the new Kerberos preauthentication mechanisms is available in Java SE 6.
    In addition, the pre-auth support has been backported to J2SE 5.0 Update 8.
    Seema
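    KRB5KDC_ERR_PREAUTH_FAILED (24) means the KDC could not verify the encrypted timestamp the client sent, i.e. the key the client used does not match the key the KDC holds for that principal. Before reissuing ktpass, it helps to look at what the keytab actually contains: which principals, which key version (kvno) and which enctype. The parser below is an added example, not part of the thread or of the JDK; it implements the MIT keytab file format (version 0x0502), builds a constructed sample keytab with dummy keys, and reads it back. It is generic: it handles multi-entry files, the 32-bit kvno extension and deleted slots, not just the single-principal case in the post.

```python
"""Added example (not from the original post): build and parse MIT-format
keytab files so the principals, kvno and enctype a server really uses can be
checked. SAMPLE_ENTRIES is constructed; the key bytes are dummies."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
KEYTAB_MAGIC = b"\x05\x02"      # keytab format version 2
NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _pack_cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes, int]]) -> bytes:
    """entries: (principal, kvno, enctype, key, timestamp) tuples."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_cstr(realm.encode())
        for c in comps:
            body += _pack_cstr(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)  # 8-bit vno field
        body += struct.pack(">H", enctype) + _pack_cstr(key)
        body += struct.pack(">I", kvno)                             # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cstr(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key, ts))
        pos = end
    return entries


def summarize(entries: List[KeytabEntry]) -> list:
    """(principal, kvno, enctype name) per entry, as a klist -k style listing."""
    return [(e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}"))
            for e in entries]


def has_current_key(entries: List[KeytabEntry], principal: str, kdc_kvno: int) -> bool:
    """True if the keytab holds a key for `principal` at the kvno the KDC now uses."""
    return any(e.principal == principal and e.kvno == kdc_kvno for e in entries)


SAMPLE_ENTRIES = [
    ("HTTP/newUser.DOMAIN.COM@DOMAIN.COM", 3, 18, b"\x11" * 32, 1700000000),
    ("host/newUser.DOMAIN.COM@DOMAIN.COM", 3, 3, b"\x22" * 8, 1700000000),
    ("svc-old@DOMAIN.COM", 300, 23, b"\x33" * 16, 1600000000),
]

if __name__ == "__main__":
    for line in summarize(parse_keytab(build_keytab(SAMPLE_ENTRIES))):
        print(line)
```

A keytab whose kvno lags the account's current key version, or whose only enctype is one the KDC or the JDK refuses (DES is weak and disabled by default in current KDCs and JDKs), fails with the same error 24, so the listing is the first thing to compare against the account on the domain controller.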

  • WLC web authentication ACL to allow internet surfing only

    Hi forumers'
    I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
    According to my attachment, am I writing the right ACL syntax, and should I apply this at the web authentication interface?
    I also tried this ACL at my core switch but it seems not to work.
    ip access-list extended ACL-VLAN-20
    permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 any eq 80
    permit tcp 172.16.20.0 0.0.0.255 any eq 443
    deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
    deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
    int vlan 20
    ip access-group ACL-VLAN-20 in
    any problem with it?
    well, as long as it can restrict web authentication users to the internet only, it serves my purpose
    thanks
    Noel

    This should work
    deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
    permit udp 172.16.20.0 0.0.0.255 any eq 53              (or list the specific servers you want them to use)
    permit tcp 172.16.20.0 0.0.0.255 any eq 80               (allows HTTP but only outside as the deny stops internal)
    permit tcp 172.16.20.0 0.0.0.255 any eq 443             (allows HTTPS but only outside as the deny stops internal)
    but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above.  I also put the deny for access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers.  If you want to allow that, it's better to permit the explicit servers.
    You don't necessarily need to allow 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
    When you do the ACL on the WLC, you need to do the inverse ACL as well.  So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
    But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
    HTH,
    Steve
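    Because an ACL is evaluated top-down and the first match wins, the difference between Noel's ordering and Steve's is easiest to see by running packets through both. The evaluator below is an added example, not part of the thread or of any Cisco software; it parses the subset of IOS extended-ACL syntax used in this thread (permit/deny, ip/tcp/udp, any, host, wildcard masks, eq port) and applies the implicit deny at the end. It models a stateless L3 ACL in one direction only, so the WLC's inverse ACL for return traffic is not represented. The sample packets are constructed; 93.184.216.34 stands in for any internet address.

```python
"""Added example (not from the original thread): evaluate constructed packets
against the two ACLs posted above to show the effect of rule ordering."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means "any destination port"


def _parse_addr(tokens: List[str], i: int):
    """Parse one IOS address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny proto src dst [eq port]' lines; other lines are ignored."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                # e.g. the 'ip access-list extended' header
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        acl.append(Ace(action, proto, src, dst, dport))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; an ACL that matches nothing denies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                   # implicit deny at the end of every IOS ACL


# Noel's ACL as posted (permits before denies).
ORIGINAL_ACL = """
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
"""

# Steve's suggested ACL (deny first, DNS added).
SUGGESTED_ACL = """
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
permit udp 172.16.20.0 0.0.0.255 any eq 53
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
"""

# Constructed test packets: (proto, src, dst, dport, description)
PACKETS = [
    ("tcp", "172.16.20.5", "172.16.1.10", 80, "guest -> internal web server"),
    ("tcp", "172.16.20.5", "172.16.1.100", 80, "guest -> host 172.16.1.100"),
    ("udp", "172.16.20.5", "8.8.8.8", 53, "guest -> public DNS"),
    ("tcp", "172.16.20.5", "93.184.216.34", 443, "guest -> internet HTTPS"),
    ("tcp", "172.16.20.5", "93.184.216.34", 22, "guest -> internet SSH"),
]


def compare(packets=PACKETS) -> dict:
    """Map each packet description to (original verdict, suggested verdict)."""
    original, suggested = parse_acl(ORIGINAL_ACL), parse_acl(SUGGESTED_ACL)
    return {desc: (evaluate(original, p, s, d, port), evaluate(suggested, p, s, d, port))
            for p, s, d, port, desc in packets}


if __name__ == "__main__":
    for desc, (before, after) in compare().items():
        print(f"{desc:32s} original={before:6s} suggested={after}")
```

Two things the run makes visible: with the original ordering, guest HTTP to 172.16.1.10 is permitted by the "any eq 80" line before the deny is ever reached, and guest DNS is dropped by the implicit deny; with the suggested ACL the /27 is blocked first, but the original's separate deny for host 172.16.1.100 is gone, so that host is reachable on 80/443 unless you add it back.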

  • Browser pre-authentication

    I have an applet that is contained on a page for which Basic Authentication is required.
    The applet itself makes calls to the same web-server, to a script, for which the same authentication is required. i.e. its in the same realm.
    Communication is through the HttpURLConnection class.
    When viewing the page within Internet Explorer (on windows), the applet does not ask me for authentication, it uses that of the Browser, for which a username and password has already been given. This, for me is the desired behaviour.
    However, under netscape / mozilla / firefox (on both windows and linux) the applet displays its own login / password window.
    Has anyone else found this, and perhaps found a workaround?
    I am using plug-in version 1.4.2_04 on windows.
    If it is not possible to do this client side, perhaps somebody knows a way that I could clone the authentication information, server side, and pass it back to the applet through another means (via parameters when the applet page is generated). Does anyone know if this information is available in the CGI environment, and which environment variables & HTTP headers would be used?
    Regards
    Nick

    For anyone who is interested I managed to solve my own problem here, in a somewhat unorthodox way.
    As I have access to the web server (Apache), I added a RewriteRule which passes the HTTP Authorization header to my CGI script. It takes the form:
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},PT]
    Which basically says : for any URL create an environment variable (HTTP_AUTHORIZATION), and set it to the value of the Authorization HTTP header.
    So in my cgi script which generates my applet tag, I pass this value to my applet, via a parameter.
    And set it for my HttpURLConnection using the following
    import java.net.HttpURLConnection;
    import java.net.URL;
    // ...
    URL url = new URL("http://blah/blah.cgi");
    HttpURLConnection server = (HttpURLConnection) url.openConnection();
    // "auth" is the applet parameter the CGI script filled from HTTP_AUTHORIZATION
    server.setRequestProperty("Authorization", getParameter("auth"));
    server.connect();
    Hope somebody finds this useful
    Nick
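    The value the RewriteRule hands to the CGI script is the raw Basic credential, base64 of "user:password", which then ends up verbatim in the generated HTML as an applet parameter. The helper below is an added example, not part of the thread or of Apache; it does on the CGI side what the post describes (read HTTP_AUTHORIZATION from the environment, decode it) and builds the header the applet sends back, so the values in play can be checked. The environment dictionary and credentials are constructed; in a CGI script the dictionary would be os.environ.

```python
"""Added example (not from the original post): decode and rebuild an HTTP
Basic Authorization value as forwarded by the RewriteRule above."""
import base64
import binascii
from typing import Mapping, Optional, Tuple


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) for a well-formed 'Basic <base64>' header, else None.
    Scheme matching is case-insensitive; malformed base64, non-UTF-8 payloads and
    payloads without the user/password separator are rejected rather than guessed."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def build_basic_authorization(user: str, password: str) -> str:
    """Inverse of parse_basic_authorization; the user name may not contain ':'."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_from_cgi_environ(environ: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Read the variable the RewriteRule sets ([E=HTTP_AUTHORIZATION:...])."""
    return parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))


# Constructed stand-in for os.environ inside the CGI script.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_AUTHORIZATION": build_basic_authorization("nick", "s3cret"),
}

if __name__ == "__main__":
    print(credentials_from_cgi_environ(SAMPLE_ENVIRON))
```

Because base64 is an encoding, not encryption, anyone who can view the page source (or a proxy cache holding it) recovers the password directly; the applet parameter should at least be served only over HTTPS.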
