SPNego SSO not working on specific servers

Similar Messages

• Oracle EPM Planning 11.1.2.1 - Ziplogs utility not working on all servers

  Oracle EPM Planning 11.1.2.1 - Ziplogs utility not working on all servers
  We have Planning 11.1.2.1 distributed so that Planning web app, EAS etc. are on own webservers and Essbase is on separate cluster.
  Currently we have an issue with ziplogs utility - it seems to work on Essbase servers gathering all necessary ODL logs for over 100MBs, but on Planning Webservers ziplogs utility seems to start, but generates only empty 1kb zip file without any content.
  We haven't touched logging otherwise, everything should be pretty much in original state.
  Unfortunately I can't remember now exactly, but I have a a hunch that ziplogs utility worked prior patching Planning element on webservers to 11.1.2.1.600.
  Other servers or elements haven't been patched (although Oracle recommends also FS, EB etc. to be patched to 11.1.2.1.600). I'm wondering, could this be the reason as in a way FS and EB are on same patching level whereas Planning is not?
  Also, there seems to be a bit of limited diskspace on webservers (still waiting for extension), but I would imagine lack of diskspace for preparing any temp files etc. would results in some errors, the problem is that ziplogs doesn't give any errors, just runs very short time and then ends bringing 1kb empty file.
  Has anyone experienced anything similar and are you perhaps able to give quick guidance how to enhance or modify ziplogs batch file etc. to make it create a bit of logging of its own actions?
  Thanks in advance if anyone has ideas what could be the root cause for this or faced something similar.

  Okay, I was able to get it installed and Common Components installed correctly this time. I still can't access workspace though.
  Is there something I need to do before I can browse to http://localhost:19000/workspace/index.jsp?
  All I get is the following error:
  Error 404--Not Found
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.5 404 Not Found
  The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
  If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
  Anyone know what's going on?

• I have a macbook pro with OSX Mavericks 10.9.5 and some keys that are not working. Specifically, the enter/return button, the "p", "0", ";", and all the function keys.  What's really weird is that happens randomly.  I've never spilled anything on it

  I have a macbook pro with OSX Mavericks 10.9.5 and some keys randomly are not working. Specifically, the enter/return button, the "p", "0", ";", and all the function keys.  What's really weird is that happens randomly.  I've never spilled anything on it, and I can't for the life of me figure out how to fix this.  Can anyone help?  of course this happened after my warranty expired.

  **update**
  I don't know if this will help someone but I am posting this for that purpose.  In the past when I first had this problem, I'd read a post somewhere (sorry, long ago, don't have the link) where an individual was having the same problem and they stated that when the MBP got heated, that's when the keys would stop working, and they went into the MBP and jiggle some stuff around (a specific wire, I'm not electronically inclined so I know NOT of what they spake!).  Well I didn't want to do that but it always stuck in the back of my mind.  I had given up, really, and was planning to take my MBP to the apple store.  But by chance one night I left my MBP on the floor where it's cool, and when I turned it on, the problem went - poof! It seems there was some validity to the post that spoke about heat, because my problems started when I would stream foreign dramas on my MBP for hours at night, and I would hear the fan going off all the time, and in the mornings, my "p", "enter", "0", ";", and all the function keys would stop working. 
  So, maybe try keeping the MBP in a cool place when it's off.  Since I've started doing this overnight every night (keeping it on the cool floor, out of reach of any big feet), I have not had a single problem with my keyboard.
  Hopefully this might help someone.

• Google drive does not work with specific group but works with all users group!!

  Hi,
  Why Google drive does not work with specific group but works with all users group?
  My rule :  Internal > external > all users = works fine
  But
                 Internal > external > A group = not working !!

  Hi,
  if you require user authentication in Firewall policy rules, the clients must bei Webproxy clients (for HTTP / HTTPS) or TMG clients (for TCP/UDP):
  http://technet.microsoft.com/en-us/library/bb794762.aspx
  regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

• Hi all, Since I updated to Mavericks I am having trouble with Safari showing all the buttons/clickable options, but they are gray and will not work. Specifically, the Trash Can/Delete and the "Move to" folder button simply do not work. Any ideas?

  Hi all, Since I updated to Mavericks I am having trouble with Safari showing all the buttons/clickable options, but they are gray and will not work. Specifically, the Trash Can/Delete and the "Move to" folder button simply do not work. Any ideas?

  Please post a screenshot that shows what you mean. Be careful not to include any private information.
  Start a reply to this message. Click the camera icon in the toolbar of the editing window and select the image file to upload it. You can also include text in the reply.

• RD Web Access SSO not working correctly

  I have two Win 2008 r2 sp1 servers.  Both are RD Session host servers.  One of them is also serving as a RD Gateway server AND RD Web access server.  Most everything is working well and as planned.  However, I am having an issue with
  the the RD Web Access.
  In the RD Web access server configuration page, I've set "One or more RemoteApp sources" and I've added two servers there, separated by a semicolon (eg RDServer1;RDServer2), and as expected a long list of RemoteApps hosted on both servers is shown .  The
  issue is that whatever server is listed second (eg RDServer2) won't allow sso to work right  -- when I click a link for a RemoteApp hosted on RDServer1 I am not prompted again for login credentials.  However, when clicking a link for a RemoteApp
  hosted on RDServer2 I am prompted "Enter Your Credentials".  I've tried swapping the order of the "Source Name" servers, and after a reboot indeed links to the RemoteApps hosted on that second server now prompt for me to "Enter your credentials".
  Things I've tried:
  1. Trying various server name formats (IP address, NetBIOS name, FQDN, and more) to no apparent effect.
  2. Applied the hotfix from KB2524668 to both servers.
  3. Flushed the IE caches for the client machines.
  4.  Tried various AD login accounts
  5. Ensuring that the RD Web Access server is added to the local group "TS Web Access Computers" on both servers.
   This is one step that I'm not 100% sure of -- it is clear to me that the RD Session host server that doesn't contain RD Web access should be there, but I'm not totally clear as to whether the dual-duty RD Web server/RD Session host should have this setting.
   I've tried it both ways, but it doesn't seem to make a difference.
  I'm stumped.

  Kevin,
  That's it!  I have a separate SSL cert for each RD Session Host, and used the corresponding certs to sign RemoteApps for each.  I still don't see this requirement in the documentation (although they do mention exporting self-signed certs, but that
  is due to the fact that they are self-signed and not automatically trusted by client machines), but maybe I'm just blind.
  Regardless, the fix to my problem was to export the cert from my RDServer1, import it to RDServer2, then set RDServer2 to use that cert to sign the RemoteApp connections.
  Thanks for your assistance, I was really stuck.
  Chris

• RRMX/SSO not working with Win7/GUI 7.2

  Dear all,
  I'm testing the useability of our BW system with new Windows 7 and SAP GUI version 7.2.
  The only way of launching BEx analyzer is via RRMX or portal (using single sign-on) but this is not working. Once i trigger RRMX, Excel 2007 is opened (with Business Explorer Add-In) but when i try to open a query it opens the SAP Logon! The BEx version used is still the 3.5 (but we are in SAP BI 7.01).
  Does anyone faced this problem? Do you know if there are specific settings for using SSO or RRMX with GUI 7.2/WINN 7?
  Thanks for your help.
  Best Regards,
  Nuno

  Hi Guys,
  I have this issue also - I have used the above gui version and BW updates but still this does not work as such!
  I donu2019t have the reg key values that are mentioned above but works internally but no over direct access?
  We have windows 7 units connecting via a saprouter to a message server inturn connecting them to the application box.
  I have tried to create the key manually but still no joy.
  If go directly to the application server all works fine!
  If I go via the saprouter and then to the application server u2013 again all works fine!
  the error in the log sees an IP address ind=stead of the FQDN name
  The fqdn name of the saprouter and then an IP address????? However this should be a FQDN name
  So the error is something like /H/mysaprouter.co.uk/H/then the IP of application server
  /H/mysaprouter.co.uk/H/10.10.10.2
  There are no errors in the saprouter log file and nothing that I can see via the cisco firewall???
  I can telent on all portsu20263225, 3205 3005
  However please also note that this is not an issue when connecting internally via the saprouter, only an issue with Direct access (TCPIPv6)!
  Io any of you have any ideas why this would return an IP address instead of FQDN name via the sap router.
  This was working a few week oku2026u2026but something has changed and no one know what!
  I would suggest firewall issues but I do get teh above errors when trying to connect either via exel or trying to connect backwords via the tc RRMX

• SSO not working when launching the InfoView application

  We are so close to implementing SSO for BO Edge 3.0 using AD and Kerberos.  We can logon to InfoView and CMC using AD authenication and it works fine.  When turning on SSO:
      <context-param>
          <param-name>sso.enabled</param-name>
          <param-value>true</param-value>
      </context-param>
  in the InfoViewApp web.xml it fails with an error message in the Tomcat stdout.log
  Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  +          [Krb5LoginModule] user entered username: "at"MYCOMPANY.COM+
  User name is missing.
  When done through the application logon screen and able to logon it is
  Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  +          [Krb5LoginModule] user entered username: dennis"at"MYCOMPANY.COM+
  The username appears in the log file followed by the debug message for Kerberos key being created.
  I am so close, does anyone have an idea?

  Hi Tim,
  The Vintela SSO document for BOE XI 3.1 is very comprehensive, but it has not resolved my issue.
  Under NTLM option I SSO works great with .NET InfoView as long as I have the web site authentication set to Windows Authentication and ASP .NET Authentication enabled.  Once the ASP .NET is disabled, SSO does not work.
  When using the Kerberos option, .NET InfoView SSO does not work due to the error 'propagating the security context between the security server and the client'.
  The Java InfoView SSO does not work either, but I can enter my user credentials and logon fine.
  std.out error:
  Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            [Krb5LoginModule] user entered username: @OR.PROVIDENCE.ORG
  Acquire TGT using AS Exchange
            [Krb5LoginModule] authentication failed
  Generic error (description in e-text) (60)
  No user name is being passed.  I've been through a multitude of documents and forums ensuring settings are correct and I believe they are including no duplicate SPN's.
  The only issue on the server is that I cannot open the tomcat confi app. due to it not able to start service BOE120Tomcat.  I was able to update the registry with the info for the bsclogin.config and krb5.ini.  I was not able to find anything on getting that service started.
  Any ideas?  Need more info? I have a bunch. 
  Thanks and have fun,
  Phil

• SSO not working in ESS/MSS in ERP 2004

  I have installed the Business Packages ESS 60.2 and MSS 60.1.2 on EP6 SP9.  Another server has the Web AS ABAP 6.40 system and J2EE running the ESS and MSS Web Dynpro apps.  It all works fine without SSO.  When I change the JCO Destinations for the application data to ticket instead of username/password I get the following error on testing:
  com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: The system is unable to interpret the SSO ticket received
  This error also occurs when accessing the webdynpro app directly or through the portal.  NB. The portal SSO does work in the case of calling an R/3 transaction or calling webdynpro app iview that does not in turn make an RFC call to the ABAP system.  I have followed the SAP help on "Scenario: SSO Between Portal, Web Dynpro, and ABAP Systems".
  Any ideas appreciated
  Fergus

  Hi Prakash
  This is the end of the dev_jrfc.trc from the abap/j2ee webdynpro server:
  Error file opened at 20050608 101523 British Summer Time Rel 6.40
  Error> occured  >Wed Jun 08 10:15:23,406<    >RfcGetException rc (7) message: The system is unable to interpret the SSO ticket received
  <RfcGetException
  Error> occured  >Wed Jun 08 10:17:28,544<    >RfcGetException rc (7) message: The system is unable to interpret the SSO ticket received
  <RfcGetException
  The portal dev_jrfc.trc does not report any errors.
  Other information I should have mentioned: EP uses LDAP for user directory, the ABAP system uses its own user management, the J2EE on the ABAP server uses its own user management.  The user I am testing with is the same name in all 3 systems and has full admin permissions in each.
  Thanks, Fergus

• SAP PLM 7.02- Web UI search not working for Specification

  Hello PLM members,
  I am facing issue with indexing of Specification connectors due to that the specification quick search is not working properly.
  I am looking the steps to activate the EHS: Specification connector in the ESH_cockpit.
  What is the prerequisite before activation of the Specification connector in the cockpit.
  After selecting the EHS: Specification, do i need to activate all the related connector inside the specification.
  What is Virtual template  for  EHS: specification in the cockpit.
  Need detail about the scheduling a real time indexing.
  Thanks
  Shailesh

  Dear Shailesh,
  You can find the necessary information in the Specification customizing:
  When you create a connector the cockpit will automatically creates all the necessary dependent connectors. When all of the connectors have the status Prepared, you can start the indexing.
  The PLM Web UI uses the virtual template for the Advanced Search and all the other enterprise search. This model is only a application relevant representation of the EHS data. You can find additional information about this here: Creating Virtual Templates - Search Technology - SAP Library
  Hope it could help.
  Kind Regards,
  Gergő

• CAS SSO not working for VPN Group

  Hello,
  I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.
  Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Winodws radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
  The only thing I got is this from the ASA:
  AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
  AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
  I am so close but cant call this done yet....

  Hey Faisel,
  Thanks for the question.
  This is the stange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server)  would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
  So on the ASA I now get these:
  AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
  AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
  Where cas_accounting2 is the AAA server group for Group A
  On the ASA I can see that the FW sends a packet to the cas:
  "send pkt cas2-hvn-3515/1813"
  but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
  "rad_vrfy() : response message verified"
  What can I look for in the CAS logs to see where the problem is. I will try and setup a packet capture on the CAS and debug it too.

• "Resend" option is not working for specific user. "The Operation Failed" Exchange 2010 Outlook 2013

  Hi Everybody. I have a weird one for you.
  I have a user that gets an "operation failed" message whenever trying to use the "resend" option on any email (It's the one right under recall). I had tested up and down on her machine. Exchange 2010 Outlook 2013
  Ran in safe mode, recreated her profile, disabled virus scanning, repaired office. (weird, the font just changed sizes on me)
  After all of this I tested on other computers, other users seem to be able to "resend" just fine. However her account does not work on any computer I try, internal or external to the network.
  It looks more like a profile issue.
  She's a very active archivist, so she only has 486MB of space used by her mailbox.
  It's well under quota.
  It's been really puzzling me.
  MCSE 2003, Exchange. MCTS Vista, 7. Administrator of awful, neglected website http://timssims.net

  Hi Timssims,
  Since there is only one user in the org has this issue, it seems an issue on the Outlook client side.
  I suggest asking Outlook Forum for help so that we can get more professional suggestions.
  For your convenience:
  https://social.technet.microsoft.com/Forums/office/en-US/home?forum=outlook
  However I also have some suggestions for your reference:
  1. If this issue occur on Cached Mode, I suggest turning to Online Mode for testing.
  2. Please also paste the detailed error message if "operation failed" is not the
  complete information.
  3. If still not works after perform operations above (including suggestions from Outlook Forum), I suggest re-creating a new mailbox for the specific user just as Martin suggested.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Imap and Pop not working on 2013 servers - BAD Command received in Invalid state

  Hello, 
  We recently moved our frontend server over to Exchange 2013. So now both internally and externally all mail traffic will flow through the new servre. After battling issue after issue I was able to get the new exchange environment working as it should. The
  only problem is that IMAP and POP3 logins do not work for 2013 mailboxes. It works fine for 2010 but not 2013. Here are the results from the testconnectivity website:
  The IMAP service is being tested.
  There was an error testing the IMAP service
  Additional Details
  Secured: CN=mail.domain.com, OU=Unified Communications, O=Companhy, POBox=United States, S...
  S: * OK The Microsoft Exchange IMAP4 service is ready.
  C: 1 CAPABILITY
  S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
  1 OK CAPABILITY completed.
  C: 2 LOGIN user <password>
  S: 2 NO LOGIN failed.
  C: 3 LIST "" *
  S: 3 BAD Command received in Invalid state.
  Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.MailProtocolException: 3 BAD Command received in Invalid state.
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.ImapProtocolTester.SendCommand(String command, String logString)
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.BaseProtocolTest.PerformTestReally()
  Elapsed Time: 1829 ms.
  Here are my Get-ImapSettings from the mailbox server
  RunspaceId                        : 1c5069f4-520f-4f62-88d6-affd0e0796d7
  ProtocolName                      : IMAP4
  Name                              : 1
  MaxCommandSize                    : 10240
  ShowHiddenFoldersEnabled          : False
  UnencryptedOrTLSBindings          : {[::]:143, 0.0.0.0:143}
  SSLBindings                       : {[::]:993, 0.0.0.0:993}
  InternalConnectionSettings        : {MAIL4.domain.com:993:SSL, MAIL4.domain.com:143:TLS}
  ExternalConnectionSettings        : {}
  X509CertificateName               : mail.domain.com
  Banner                            : The Microsoft Exchange IMAP4 service is ready.
  LoginType                         : SecureLogin
  AuthenticatedConnectionTimeout    : 00:30:00
  PreAuthenticatedConnectionTimeout : 00:01:00
  MaxConnections                    : 2147483647
  MaxConnectionFromSingleIP         : 2147483647
  MaxConnectionsPerUser             : 16
  MessageRetrievalMimeFormat        : BestBodyFormat
  ProxyTargetPort                   : 143
  CalendarItemRetrievalOption       : iCalendar
  OwaServerUrl                      :
  EnableExactRFC822Size             : False
  LiveIdBasicAuthReplacement        : False
  SuppressReadReceipt               : False
  ProtocolLogEnabled                : True
  EnforceCertificateErrors          : False
  LogFileLocation                   : C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4
  LogFileRollOverSettings           : Daily
  LogPerFileSizeQuota               : 0 B (0 bytes)
  ExtendedProtectionPolicy          : None
  EnableGSSAPIAndNTLMAuth           : True
  Server                            : MAIL4
  AdminDisplayName                  :
  ExchangeVersion                   : 0.10 (14.0.100.0)
  DistinguishedName                 : CN=1,CN=IMAP4,CN=Protocols,CN=MAIL4,CN=Servers,CN=Exchange Administrative Group
                                      (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=willowcreek,DC=org
  Identity                          : MAIL4\1
  Guid                              : 593e53d7-64e5-4170-b897-47b1af944a5b
  ObjectCategory                    : domain.com/Configuration/Schema/ms-Exch-Protocol-Cfg-IMAP-Server
  ObjectClass                       : {top, protocolCfg, protocolCfgIMAP, protocolCfgIMAPServer}
  WhenChanged                       : 2/4/2015 8:45:39 AM
  WhenCreated                       : 1/22/2015 1:48:43 PM
  WhenChangedUTC                    : 2/4/2015 2:45:39 PM
  WhenCreatedUTC                    : 1/22/2015 7:48:43 PM
  OrganizationId                    :
  OriginatingServer                 : NS6.domain.com
  IsValid                           : True
  ObjectState                       : Unchanged
  The IMAP service is being tested.
  There was an error testing the IMAP service
  Additional Details
  Secured: CN=mail.willowcreek.org, OU=Unified Communications, O=Willow Creek Community Church, POBox=United States, STREET=67 E Algonquin Road, L=South Barrington, S=IL, PostalCode=60010, C=US
  S: * OK The Microsoft Exchange IMAP4 service is ready.
  C: 1 CAPABILITY
  S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
  1 OK CAPABILITY completed.
  C: 2 LOGIN ssimpson <password>
  S: 2 NO LOGIN failed.
  C: 3 LIST "" *
  S: 3 BAD Command received in Invalid state.
  Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.MailProtocolException: 3 BAD Command received in Invalid state.
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.ImapProtocolTester.SendCommand(String command, String logString)
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.BaseProtocolTest.PerformTestReally()
  Elapsed Time: 1829 ms.
  The IMAP service is being tested.
  There was an error testing the IMAP service
  Additional Details
  Secured: CN=mail.willowcreek.org, OU=Unified Communications, O=Willow Creek Community Church, POBox=United States, STREET=67 E Algonquin Road, L=South Barrington, S=IL, PostalCode=60010, C=US
  S: * OK The Microsoft Exchange IMAP4 service is ready.
  C: 1 CAPABILITY
  S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
  1 OK CAPABILITY completed.
  C: 2 LOGIN ssimpson <password>
  S: 2 NO LOGIN failed.
  C: 3 LIST "" *
  S: 3 BAD Command received in Invalid state.
  Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.MailProtocolException: 3 BAD Command received in Invalid state.
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.ImapProtocolTester.SendCommand(String command, String logString)
  at Microsoft.Exchange.Tools.ExRca.Tests.ImapPop.BaseProtocolTest.PerformTestReally()
  Elapsed Time: 1829 ms.

  When you do the telnet test make sure you enter in the command like below verbatim. Right before you type login you need to add some preceding character in my case the > sign.
  * OK The Microsoft Exchange IMAP4 service is ready.
  > login jchong password (make sure you type a preceding character first like the > sign)
  > OK LOGIN completed.
  James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

• HELP: WLC AP-SSO not working (standby unity in maintenance mode)

  I have two WLC version 7.3.101.0 with the standby unit having HA-SKU. I have tested the AP-SSO functionality without any problem in lab with direct connection on RP port between two WLC. Once I brought them into data centre in separate location (latency is less than 10ms between the two DC), the standby unity always went into maintenance mode. The booting process on standby unit went to maintenance mode as shown below:
  Management Gateway and Peer Redundancy Management interface are not reachable.
  Entering maintenance mode...
  I have checked on the core switches at 2 data centre that the two WLC RP ports are connected to same VLAN and it is spanned across MAN link (10GB and less than 10ms delay). The spanning tree on those ports are forwarding as well.
  I have rebooted the second unit but no luck.
  The interface between two DC is using MTU 9216 which I do not think would cause this issue.
  Anyone has come across same or similar issue with me or know the solution? If you do, plz enlighten me.
  Thanks

  Thanks Leo and Scott for your feedback. I notice there are two newer software for WLC version 7.3.102.0 and 7.4.100.0.
  Both of them seem to have many open caveats. In my wireless environment, I also use ISE, MSE and Prime Infrastructure and unfortunately WLC 7.4 does not support prime solution and MSE yet according to below compatibility matrix.
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  I think I only have choice to do minor upgrade to 7.3.102.0 at this moment (please correct me if I am wrong). This software was published on 30th Jan 2013 so I wonder if someone else has tried this and managed to get WLC AP-SSO setup working flawlessly where 2nd WLC unit is at different location?
  Appreciate for more info and advise.

• Kerberos running, but SSO not working??

  hey all
  so - relativley new to OSX Server but am loving it thus far.
  I am trying to get SSO to work but am having huge issues. Kerberos IS running according to Sever Admin but users are not able to use any of the SSO functions. When i run klist on users stations i receive the following message:
  Kerberos 5 ticket cache: 'API:Initial default ccache'
  Default principal: [email protected]
  Valid Starting Expires Service Principal
  03/03/10 09:09:22 03/03/10 19:09:17 krbtgt/[email protected]
  renew until 03/10/10 09:09:22
  which means there IS a Kerberos ticket but i does not seem to be picking up any other ticket - ie for AFP or the RADIUS
  am i missing an obvious step? do i need to set up each service to speak Kerberos?
  could someone point me in the right direction
  thanks

  RADIUS doesn't use Kerberos, so that's not expected to work. For AFP, there are a couple of easy things to check:
  1) Make sure AFP has Kerberos authentication enabled: In Server Admin -> AFP service -> Settings -> Access -> Authentication pop-up, make sure either "Kerberos" or "Any Method" is selected.
  2) Make sure AFP is using the right service principal: in Terminal on the server, run "defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal". The reply should be "afpserver/[email protected]" (assuming directory.ourcompany.com is both the file server and Open Directory domain master). If it's wrong, you can fix it by stopping the AFP service, running "sudo "defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal afpserver/[email protected]", then restarting AFP.