Remote access certificate authentication: moving from sha-1 to sha-2

We have an ASA5520 supporting remote access clients using AnyConnect; currently the environment is leveraging certificates using the sha-1 hash. Our CA will no longer be deploying certificates with sha-1 and new users will be getting certificates with sha-2. My question is in regard to migrating to the use of new certificates using sha-2.
Will we need to deploy new certificates on the ASA and/or legacy clients, or will we be able to support clients with both hashes with no change?
Any information you can offer will be appreciated.
Per

That depends on the CA. Many CAs give you the choice between SHA-1 and SHA256 when you submit your CSR.
For other CAs like StartSSL, the hash used is the same as the one used for the CSR. In that case you have to generate the CSR manually with OpenSSL or something similar.
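
The manual CSR generation mentioned in the answer above, as an added example that is not part of the original thread: it creates a key and a CSR signed with SHA-256, then reports which hash family a CSR or an issued certificate uses so remaining SHA-1 certificates can be found. The file names and the subject `vpn.example.test` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: request a SHA-2 signed certificate and audit existing ones.
# File names and the subject CN are constructed placeholders.

# make_csr KEYFILE CSRFILE CN
# Creates a new RSA-2048 key and a CSR whose self-signature uses SHA-256.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null || return 1
  # Confirm the CSR's self-signature verifies before submitting it to the CA.
  openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# sig_alg FILE KIND
# KIND is "req" for a CSR or "x509" for a certificate (PEM input).
# Prints the signature algorithm name, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl "$2" -in "$1" -noout -text 2>/dev/null |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# hash_family ALGORITHM_NAME
# Maps an OpenSSL signature algorithm name to sha1, sha2 or unknown.
hash_family() {
  case "$1" in
    sha1With*|ecdsa-with-SHA1|dsaWithSHA1)
      echo sha1 ;;
    sha224With*|sha256With*|sha384With*|sha512With*|ecdsa-with-SHA[235]*)
      echo sha2 ;;
    *)
      echo unknown ;;
  esac
}

# audit_certs CERT.pem...
# Prints "<family><TAB><file>" for each certificate, so SHA-1 certificates
# still in use (ASA identity certificate, client certificates) stand out.
audit_certs() {
  for f in "$@"; do
    printf '%s\t%s\n' "$(hash_family "$(sig_alg "$f" x509)")" "$f"
  done
}

# Stand-alone demo: run the script with --demo to create and inspect a CSR.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_csr "$d/vpn.key" "$d/vpn.csr" "vpn.example.test" &&
    echo "CSR signature algorithm: $(sig_alg "$d/vpn.csr" req)"
fi
```

Check the issued certificate with `audit_certs` as well: the hash in the CSR only carries over to the certificate when the CA mirrors it, as the answer describes.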

Similar Messages

  • Remote Access VPN authentication through RADIUS

    Hi,
    I have configured remote access VPN (IPsec) in my Cisco ASA. Before there was only a single username & password for the VPN client. Now I am planning to give access through a RADIUS server. I have configured the RADIUS server on a WIN 2003 server.
    Server configuration:
    1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
    2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
    3) Check that Grant Remote Access Permissions is selected. Click Edit Profile and check these settings: On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP, and MS-CHAP-v2. On the Encryption tab, ensure that the option for No Encryption is selected. Click OK when you are finished.
    4) Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account. Add a user and check this profile information: On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.
    On the Dial-in tab, select the option for Allow access
    ASA configuration:
    aaa-server vpn protocol radius
    aaa-server vpn host 10.155.20.25 (RADIUS server IP )
    key cisco321
    tunnel-group vpnacc type ipsec-ra
    tunnel-group vpnacc general-attributes
    authentication-server-group vpn
    but it is not working. Please guide to resolve this issue.
    Regards,
    som

    Also, take a look at your logs on the Windows server, and try debugging the ASA. Try running Wireshark or Network Monitor on the Windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the ASA and/or checking the logs on the server. Make sure the service is running on the Windows box. Make sure that something stupid like Windows Firewall isn't blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"
    Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.

  • Remote access my office mac from my home mac

    I know this is not the right forum for this, but I am not sure which one is and so I am asking this question here in the hopes that someone will direct me to the right place.
    If I want to access my office mac from home, what program do I need to use? (Apple Remote Desktop?) Where can I find detailed instructions?
    Other pertinent details:
    I have a PB at home and one at the office, both running OSX.3.
    Both are on a wireless network.
    Office is behind a firewall.
    Because both computers are on a wireless network, their IP addresses are of the form 10.0.1.xxx. Turning on File sharing on the office computer and then doing "ssh [email protected].....etc. does not seem to work.
    Ideally I want to be able to remotely run programs on the office computer. I know this ability exists for Windows XP (and my colleagues use it), so it MUST exist for Macs.
    Any help will be much appreciated.
    Thanks,
    NS

    ns,
    Apple Remote Desktop and Timbuktu Pro are worthy programs; you can achieve the same effects with free VNC (virtual network connection) software. Essentially, you set one Mac up as a VNC server, the other as a VNC client, and connect the client to the server. Check Version Tracker and/or MacUpdate for such freeware as VNCThing (OS 9 client), OSXvnc (OS X server), and Chicken of the VNC (OS X client).
    The firewall will require you to set up port forwarding. I've actually found the FAQ and help info at the site for the Windows program UltraVNC along with PortForward more than enough to figure how to set up a VNC link to a Windows PC in my wife's office that could be accessed by either my office Mac (before turning on the link encryption) or her home PC. Adding / using SSH is somewhat more complicated and outside of my firsthand experience, but there are references at e.g. SSH VNC Tunneling (try Googling "SSH VNC Mac"). See for example:
    Homemade Dot-Mac: Remote Control
    MacMod - Your Mac Modding HQ
    VNC Sessions From Off-Campus
    Note that if you have the usual dynamic IP account at home and a static IP at work, it will be easier to set up the work computer as the server since the IP number will be a fixed address. If both computers are on dynamic IP accounts, the server's IP number will have to be checked locally before connecting remotely (one reason ISPs can charge extra for static IP accounts).

  • Remote access VPN to server from outside and server reach internet on the same time

    Dear,
    I have a problem with my ASA 5515-X: when I make a remote access VPN to servers in the inside zone, the internet connection is disconnected on the servers, or when I have internet on the servers, the remote access can't reach the servers.
    The configuration for the servers is static NAT for each server, and the VPN connection is to another public IP but in the same subnet as the NAT IPs.
    server1 : 10.10.10.2 nat to 5.6.7.8
    server2: 10.10.10.3 nat to 5.6.7.9
    server3: 10.10.10.4 nat to 5.6.7.10
    VPN connection to 5.6.7.12
    Is there any solution for this scenario: remote VPN to the servers while at the same time the servers have internet reachability to download updates, etc.?

    Hi,
    So it seems that the problem is with lacking a NAT0 configuration
    You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
    object network SERVER-NETWORK
     subnet <server network address> <network mask>
    object network VPN-POOL
     subnet <vpn pool network address> <network mask>
    nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
    Just insert the correct address related information and change the "object" and interface names if required.
    This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the Static NAT configurations will continue to work for the servers Internet traffic and this NAT0 configuration will be applied only to the VPN Client traffic.
    Hope this helps :)
    - Jouni

  • I can't access my university VPN with my iPad or iPhone but I can access it with my Mac. I was wondering if there is a simple way so that I can remotely access my home computer from the iPad, turn on the Mac VPN and then access the school network?

    The iosx and open VPN app on the iPad/phone aren't compatible w my school's VPN, but my Mac is via tunnelblick. I would really like to have VPN access from my tablet so I can access journals without undergoing a tedious process.
    Has anyone encountered this and found a remedy? I'm imagining an app from the tablet that can access the Mac at home to turn on the VPN to the school and then have access.. But then I'm thinking id be reading through 2 screens then formatting/resolution could be a problem.
    Another thought was setting up a VPN at home so that my iPad can connect to my computer at home via VPN which would then allow me easy access to journals. But I'm lacking experience in this, especially a security issue as I'm going from point A to point C to get back to point B.
    I'm open to any suggestions.
    Thanks

    You should be able to use the OpenVPN Connect app running on your iPad to connect your iPad to the VPN directly. It is an official OpenVPN client for iOS devices.
    In what way is it "not compatible"? Have you tried it? Tunnelblick is an OpenVPN client, so your school's VPN is using the OpenVPN protocol. That means any OpenVPN client should be able to access it. (It is possible, but unlikely, that your school uses encryption that is not available on the iPad, but that would be very unusual.)
    Otherwise, a remote control app on your iPad would let you control your Mac at home. "Back to My Mac", for example, would allow you to control your Mac remotely. The tricky part of this is that usually a VPN is set up to send all Internet traffic via the VPN server, and I'm not sure how that would work with "Back to My Mac".

  • Remote Desktop Connection Authentication Error from Windows 8.1 Pro to Windows 7 Pro

    I keep trying to connect to my server running Windows 7 Pro from my laptop running Windows 8.1 Pro, but I get the following message after providing
    my credentials:
    "An authentication error has occurred (Code: 0x8007001f)"
    I can't find any reference to this error code being associated with using remote desktop.

    Hello,
    Are you connecting to a server as part of a domain ? if so confirm you are using adequate credentials for remote desktop for example: username: domain\administrator 
    if not you can try connecting to the localhost using:
    username: .\administrator   - for example
    also you can try running your remote connection in admin mode:
    Win + R - bring up run then type:
    mstsc /admin
    hope that helps.
    Cheers,
    Harry

  • Firefox hangs when I remotely access linux mint 15 from X window in MAC. It was working fine on linux mint14

    I am using firefox 24

    No virtually box. I do not have problem with firefox when I access it locally. But once I remote from my macbook to my linux mint15 box, firefox opens but hangs. I can see the tool bar, but I can click on any sites because it is frozen. I did not have the problem before I upgraded from linux mint 14 to 15

  • Remote Access to TC Disk from Windows/PC. Do I need DynDNS. Using FTP

    I need to be able to have anyone on the Internet be able to access my files on Time Capsule. I am using my Time Capsule as a router and do not have a static IP. My Internet Provider is comcast and modem is a Motorola Surfboard.
    Here are my basic questions:
    How can my Time Capsule be accessed remotely via PC/Windows? What protocol? How?
    Can Time Capsule be set up do FTP? What port mapping do I set up for the personal and private UDP and TCP?
    Since I do not have a static IP address, do I need to subscribe to a Custom DynDNS account?
    Thank You

    How can my Time Capsule be accessed remotely via PC/Windows? What protocol? How?
    Windows or Linux PCs can access the Time Capsule's (TC) file service via the SMB protocol.
    The following are the basic steps to configure the TC's hard drive to be accessed from the Internet.
    Configuring the TC
    AirPort Utility > Select the TC
    o Note the value of the IP Address. This is the Public or WAN-side IP address of the TC. (Note: You will need to have either a static Public IP address, or use a free dynamic DNS service, like you suggested, in order to access the TC from the Internet.)
    Manual Setup > Internet > Internet Connection
    o Connection Sharing = Share a public IP address
    Manual Setup > Disks > Files Sharing tab
    o Enable file sharing (checked)
    o Secure Shared Disks = With base station password
    o AirPort Disks Guest Access = Not allowed
    o Share disks over Ethernet WAN port (checked)
    Manual Setup > AirPort > Base Station
    o Enter a Base Station Password and verify it in the Verify Password box.
    Manual Setup > Advanced > Port Mapping
    o Click the plus sign "+" to add a new port mapping.
    o In the Public UDP Port(s) and Public TCP Port(s) boxes, type in a 4-digit port number (e.g., 5688) that you choose.
    o In the Private IP Address box, type the internal IP address of your TC that you noted earlier.
    o In the Private UDP Port(s) and Private TCP Port(s) boxes, type 548, and then, click Continue.
    o In the Description box, type a descriptive name like "Time Capsule File Sharing," and then, click Done.
    o When you have made all the changes, click Update.
    Connect the PC to the TC from a remote location
    o Type in your DynDNS domain name, plus a colon and the port number you specified when configuring the TC earlier. For example,"www.myTC.com:5688"
    o You will be prompted for your user name and password. The user name can be anything you like; the password would be the TC's Base Station password you defined earlier.

  • MFA (Certificate) Authentication Failing from Extranet

    Hi, we have set up ADFS3 and WAP. ADFS3 configured to require MFA (Certificate) from both Intranet and Extranet. We are using our own CA and the root CA is installed on the WAP in Trusted Root CA store. The certificate port of 49443 is open from the Internet
    and also inward from the WAP to the ADFS3 server, as is 443.
    When we test we can use MFA from the Intranet, but when we try the same from the Internet (Extranet) we get the Forms Logon page okay, enter our user details, select our user cert, and then we get a 403 error - The Website declined to show the web page.
    The CRL is resolvable from the Internet, and can be reached okay...
    Is there something we have missed please?
    Thank you for any help.
    Phil

    Hi Steve,
    Yes, I have restarted both ADFS and WAP Servers.
    As a further update, I have even purchased an SSL cert from Comodo to check if this is a Public\Private CA issue, and I still get the same 403 error... I have even tried configuring the backend Web Site (SharePoint in this case) to allow Anonymous authentication,
    just to see if I could get to the site via the WAP, but I still get the same 403 error... It's strange because the URL is still pointing to the Web Address of the ADFS server when I get the 403... It's difficult to see as there aren't any IIS logs either now...
    Thanks 
    Phil

  • MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

    Hi together,
    a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
    Attached the messages
    MFP Protection is configured as optional
    152
    Wed Nov 27 05:33:26 2013
    MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
    153
    Wed Nov 27 05:31:40 2013
    AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
    154
    Wed Nov 27 05:31:40 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
    155
    Wed Nov 27 05:31:33 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
    156
    Wed Nov 27 05:31:33 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    157
    Wed Nov 27 05:31:33 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    158
    Wed Nov 27 05:31:28 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
    159
    Wed Nov 27 05:31:28 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    160
    Wed Nov 27 05:31:28 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    161
    Wed Nov 27 05:31:17 2013
    AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
    162
    Wed Nov 27 05:31:17 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    163
    Wed Nov 27 05:31:17 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    164
    Wed Nov 27 05:31:15 2013
    AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
    165
    Wed Nov 27 05:31:15 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    166
    Wed Nov 27 05:31:15 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    167
    Wed Nov 27 05:28:26 2013
    MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
    168
    Wed Nov 27 05:23:26 2013
    MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
    Don't know at the moment how to handle it.
    Regards
    Alex

    Hi Alex,
    Disable Client MFP under the WLAN advanced tab & see if this still occurs
    Regards
    Rasika
    **** Pls rate all useful responses *****

  • Has remote access been completely removed from my iPhone?

    I recently started a new job and am waiting to receive my new work iPhone. While I wait, I wanted to be able to receive email and have my work calendar on my personal iPhone. I installed an app called MobileIron and put my email and calendar on my phone, but then realized that this gave the company full access to my personal phone. I didn't want that, so I went to Settings>General and found the "profile" (or whatever it's called... the thing that appears under VPN after I do the MobileIron setup), and "removed management" or whatever the option is.
    Doing this automatically removed my work email, work calendar, and some other app that was installed when I first setup the email/calendar on my phone. It also removed the thing under VPN (in "General" under Settings). I also removed the MobileIron App.
    Have I completely removed my company's access to my personal phone, or is there anything else I need to find/delete? I'm a little paranoid when it comes to this stuff on my personal phone.

    sync them back with whatever cloud or email programs you were using.

  • ASA Remote Access VPN Clients - Multiple DNS Suffixes?

    Hi community!
    I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X running OS 8.6.1(5).
    We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the group policy.
    I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clients may ignore this option anyway.
    Other than manually configuring the clients, does anybody have any other suggestions on how we may get this to work?
    Full marks for helpful posts!
    Kind regards, Ash.

    Hi
    I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
    I have a remote access requirement for users from separate AD's to authenticate through an ASA.
    I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
    Regards

  • How to enable second HD DVR for remote access?

    I easily got my first HD DVR setup for remote access and it worked perfectly for 1 day, then it stopped working. After 2 hours on the phone with tech support, we got it to work again. However, we were unable to get my second DVR setup. He said that I could only have one DVR setup for remote access, is that true? If not, any assistance would be much appreciated.
    Thank you!

    glcockrum wrote:
    I easily got my first HD DVR setup for remote access and it worked perfectly for 1 day, then it stopped working. After 2 hours on the phone with tech support, we got it to work again. However, we were unable to get my second DVR setup. He said that I could only have one DVR setup for remote access, is that true? If not, any assistance would be much appreciated.
    Thank you!
    Are you speaking of Remote Access from the Web?  ...or from a mobile phone?
    For Web Access it is absolutely NOT TRUE!
    I have TWO DVRs.  I can access both remotely from the web and schedule or delete recordings.
    The tech MAY have been speaking of (or confused about) the MULTI-ROOM capability that the DVR's have.
    Only one of the DVRs can be (and is) a Home Media (or Multi-Room) DVR, and therefore can share recordings with my other NON-DVR STB and communicates with any computer on my home network for PC-based Audio, Video and Image files, as well as connecting to certain Internet video streaming sites.
    The other DVR is a standalone machine in this regard, but regardless, it still has remote access to control it from the Web.
    (I do not know anything about the Remote Access from a mobile phone capability, since I do have a Verizon Wireless contract.  THAT Remote Access may indeed be limited to just a single DVR.)

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    what is the error occurred when the custom PSI app connects?
    can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
    // Only a claims-based principal carries the UPN claim needed below.
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    }
    Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • ASA Remote Access Authentication with LDAP Server

    Thank you in advance for your help.
    I am configuring an ASA to authenticate with a ldap server for ipsec vpn access. My customer has 3 networks that are to be accessed by remote users. However they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over what network behind the firewall each user can access. This seems doable from my reading and I had planned to create a group for each network that needs to be accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication. Basically a ldap group on the ldap server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
    The ldap server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server. When I run the authentication test from the ASDM or command line I get a good authentication successful message. So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the vpn client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way or should I try radius? The customer was just adamant about using ldap.
    extvpnasa5510#
    [243] Session Start
    [243] New request Session, context 0xd5713fe0, reqType = 1
    [243] Fiber started
    [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [243] supportedLDAPVersion: value = 2
    [243] supportedLDAPVersion: value = 3
    [243] No Login DN configured for server 130.18.22.44
    [243] Binding as administrator
    [243] Performing Simple authentication for  to 130.18.22.44
    [243] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [243] User DN = [uid=vpntest,ou=employees,o=msues]
    [243] Talking to iPlanet server 130.18.22.44
    [243] No results returned for iPlanet global password policy
    [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
    [243] Session End
    extvpnasa5510#
    [244] Session Start
    [244] New request Session, context 0xd5713fe0, reqType = 1
    [244] Fiber started
    [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [244] supportedLDAPVersion: value = 2
    [244] supportedLDAPVersion: value = 3
    [244] No Login DN configured for server 130.18.22.44
    [244] Binding as administrator
    [244] Performing Simple authentication for  to 130.18.22.44
    [244] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [244] User DN = [uid=vpntest,ou=employees,o=msues]
    [244] Talking to iPlanet server 130.18.22.44
    [244] Binding as user
    [244] Performing Simple authentication for vpntest to 130.18.22.44
    [244] Processing LDAP response for user vpntest
    [244] Authentication successful for vpntest to 130.18.22.44
    [244] Retrieved User Attributes:
    [244]   sn: value = test user
    [244]   givenName: value = vpn
    [244]   uid: value = vpntest
    [244]   cn: value = vpn test user
    [244]   objectClass: value = top
    [244]   objectClass: value = person
    [244]   objectClass: value = organizationalPerson
    [244]   objectClass: value = inetOrgPerson
    [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
    [244] Session End

    Hi Larry,
    You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
    Let me know if further assistance is required!
    Please proceed to rate and mark as correct the helpful Post!
    David Castro,
    Regards,
