Temporary IVR Handoff for authentication

Hello,
One of our APAC region banking customers has the following scenario:
1. Agent is speaking to customer
2. Agent identifies customer (and thus updates ECC variables with customer ID)
3. Agent conferences call to CVP
4. CVP sees customer ID - prompts customer to enter their TPIN
5. Customer enters TPIN (which in this case the IVR would need to mask by playing random DTMF tones over the top and the tones entered by caller and the random tones shouldn't be different)
6. CVP validates TPIN through proper back end host verification
7. CVP updates ECC variables (Validated) to say the customer is now authenticated
8. Agent drops the CVP conference leg of the call and continues the conversation with the customer.
There are two possible resolutions here:-
1. The agent transfers the call to the IVR, which interacts with the customer to collect the TPIN digits, validates them and then passes the call back to the same agent.
2. The Agent conferences the call to the IVR and whilst the customer enters their TPIN the Agent does not hear the entered tones and the call recording system does not record them.
Option 1. The main issue is returning the call to the original agent (apparently can this be done?).
Option 2. The main issue is the IVR can update the ECC variables to show the validation status, however there is no call update event which is generated in CTIOS to retrieve the updated ECC variables as it comes through a different peripheral [CVP] (apparently this can't be done).
Tone Masking (used in Option 2) is not seen as ideal as the random DTMF tones generated by CVP IVR and the caller tones (generated from the handset) used.
When the call is getting conferenced from the Agent desktop to the CVP application, the call data set in the CVP IVR application is not notified to the agent (through the CALL_DATA_UPDATE event), which normally happens if the call is getting conferenced with another agent. Also, the call data set is not getting reflected in the agent desktop even when using GetCallData from the agent desktop manually, because the call data set in the CVP application is lost when the call is disconnected in the IVR application post the TPIN validation.
Could you please give advice as to how we can move forward to a resolution?
Thanks!
-Sethu

There is a solution from Paul Tindall on temporary IVR handoff that you can consider for your case.
But also check with Cisco whether that is supported, because it needs the Tcl applications to be updated.
I also built a similar thing, but I used a different technique:
1. Agent does a warm transfer to the Authentication script.
2. In the Authentication script I capture the calling line ID, which will be nothing but the agent's extension.
3. A hosted database maps the agent's extension to the Agent Peripheral Number; use a database lookup (dblookup) to get the Agent Peripheral Number from the extension and store it somewhere in a PV.
4. Now, in the Authentication script, transfer the call to the CVP app, do the authentication and send the result back to ICM.
5. Now, in ICM, to queue the call to the same agent you can use the Queue to Agent node. Under Agent Expression, provide the variable in which you stored the agent ID in the step above. Set some higher queue priority.
This will not work in single-step transfer because the agent extension or calling line ID will not be preserved and you can get agent ID from external source.
Rate if you think the solution was considerable.

Similar Messages

  • CVP IVR HandOff

    Dear there,
    Recently I have been trying to test the CVP IVR Handoff function and found a document for CVP IVR Handoff.
    In the document, I saw a tcl file, which is cvp_ivrhandoff.tcl.
    I am trying to find a sample file for cvp_ivrhandoff.tcl, but I cannot find it.
    How and where could I get this tcl file? If you could guide me, please help me or guide me for this.
    Thank you

    Thanks for your prompt response.
    There is no idea what I want
    A few days ago, I found a ppt file for CVP IVR handoff on the cisco Live365 site. On page 48 of the attached ppt file, you can see the IVR Handoff Mechanism.
    CVP_ivrhandoff.tcl is hit for IVR Handoff when an incoming call reaches the ingress gw.
    So I want a sample tcl file for CVP_ivrhandoff.tcl, but until now, I cannot find it.
    Any idea or advice for me?
    Thank you

  • Printing to a Windows shared printer, keep getting "Hold for Authentication" when I'm on the Windows shared network and can browse the computers.

    I have had two MacBook Pros now, and this has been an issue in Mountain Lion and Mavericks. I've got a shared printer on the local Windows network (it's a USB printer shared via the network and the computer), and the other Windows computers in the house can print to it no problem. The Mac sees it no problem, yet whenever I try to print to it, I just get "Hold for Authentication."
    Like I said, persists over Mountain Lion and Mavericks. No other computer in the house has any issues printing to it. I've installed the drivers for the printer as well (Brother HL-2240).
    I've tried to follow the instructions here: https://discussions.apple.com/message/23268762#23268762 but the printer isn't listed in Keychain Access.
    Any thoughts?
    Thanks in advance!
    Patrick Campanale

    Well, that isn't too useful. Try this instead: Adding a printer shared by a Windows computer via SMB/CIFS.
    You may find more by selecting Mac Help from the Finder's Help menu and searching for articles by keyword.

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    I am implementing SSL in Java using an X509 certificate/private key combination.
    I have two sets of private key/certificate pairs.
    One is factory default and another is generated at run time.
    My problem is to try an SSL connection with both pairs on the same TCP/IP connection.
    E.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
    On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate, otherwise authenticate the server with the factory default certificate.
    Can someone please help and let me know how I need to configure both ends (client and server) to achieve this?
    Thanks in advance
    Saurabh Ahuja

    "Client code does not contain any default truststore and needs a certificate for authentication." Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

  • One username for two tunnel in IPSec remote access vpn + ACS for authentication

    Hi all,
    I want to set up a username which can be used for two different IPSec tunnels (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me how to do this? My current configuration is that I tied the username to a tunnel group using group-lock (RADIUS property) so a username can only be used for a particular remote access VPN tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entries for group lock in ACS (by manipulating the dictionary setting in ACS), but it seems that authentication still takes the first group and cannot take the second group.

    You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
    Then make a new connection profile that uses that AAA server group.
    Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
    This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

  • Using Hyper-V 2012 r2, connecting to the console results in: A certification authority could not be contacted for authentication.

    I'm having some trouble with authentication to guests from my Hyper-V console.
    If I try to connect from the Hyper-V Manager to the console of any guest, I get the error:
    "A certification authority could not be contacted for authentication. If you are using a Remote Desktop Gateway with a smart card, try connecting to the remote computer using a password. For assistance, contact your system administrator or technical support."
    I'm not using an RDG and smart card.
    I have 2 virtual networks. The first is Production, the second is Isolated. Production has 2 NICs attached to the Production LAN, the second has 2 NICs in our DMZ. The host is a member server of the production domain. I can use MSTSC from the LAN or the DMZ to gain access to each Guest and the Host.
    The issues start if I try "Connect" from Hyper-V Manager in an attempt to use the console of any Guest. Each attempt fails with the above error. If I use an incorrect password, I get a different error: "The credentials that were used to connect to {Server FQDN} did not work. Please enter new credentials."
    Taking a look at the event logs, I can see the session successfully authenticating to the Guest (4776 Credential validation and 4624 Logon), and the fact I get a different error if I enter an incorrect password shows I get some way along the line. However, if I take a look at the logs on the Host, I get:
    An account failed to log on.
        Subject:
            Security ID:        NULL SID
            Account Name:        -
            Account Domain:        -
            Logon ID:        0x0    
        Logon Type:            3
        Account For Which Logon Failed:
            Security ID:        NULL SID
            Account Name:        
            Account Domain:        
        Failure Information:
            Failure Reason:        An Error occured during Logon.
            Status:            0xC000006D
            Sub Status:        0xC000005E
        Process Information:
            Caller Process ID:    0x0
            Caller Process Name:    -
        Network Information:
            Workstation Name:    -
            Source Network Address:    -
            Source Port:        -
        Detailed Authentication Information:
            Logon Process:        Kerberos
            Authentication Package:    Kerberos
            Transited Services:    -
            Package Name (NTLM only):    -
            Key Length:        0
        This event is generated when a logon request fails. It is generated on the computer where access was attempted.
        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
        The Process Information fields indicate which account and process on the system requested the logon.
        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
        The authentication information fields provide detailed information about this specific logon request.
            - Transited services indicate which intermediate services have participated in this logon request.
            - Package name indicates which sub-protocol was used among the NTLM protocols.
            - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Which looks to me like a blank authentication request is being sent? (I've not deleted any machine/domain names, they're just not present)
    Any suggestions? Do you think I'm barking up the wrong tree?
    Thoughts and comments gratefully received

    Hi,
    What's your guest system platform? Based on my experience, this must be an unsupported guest system issue; the Generation 2 VM only supports the Windows 8 or 8.1 platform.
    The related KB:
    Generation 2 Virtual Machine Overview
    http://technet.microsoft.com/en-us/library/dn282285.aspx
    Hope this helps.
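The 4625 event quoted in the question can be read mechanically. The following is an added example, not code from either poster: it parses the event text (abridged from the post into the constant `SAMPLE`) and translates the Status and Sub Status codes into their NTSTATUS names; the function names and hint wording are assumptions made here.

```python
import re

# Well-known NTSTATUS codes seen in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",   # no logon server available for the request
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",      # generic; the Sub Status carries the detail
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")

# Event text abridged from the post above (values unchanged).
SAMPLE = """\
An account failed to log on.
Subject:
    Security ID:        NULL SID
    Account Name:        -
    Logon ID:        0x0
Logon Type:            3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason:        An Error occured during Logon.
    Status:            0xC000006D
    Sub Status:        0xC000005E
Network Information:
    Workstation Name:    -
    Source Network Address:    -
Detailed Authentication Information:
    Logon Process:        Kerberos
    Authentication Package:    Kerberos
"""


def parse_4625(text):
    """Return {section: {field: value}}; top-level fields live under ''."""
    event, section = {"": {}}, ""
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # free-text description lines
        key, value = m.group(1).strip(), m.group(2)
        if value == "-":
            value = ""                    # "-" means "not available"
        if key in SECTIONS and value == "":
            section = key
            event[section] = {}
        elif key == "Logon Type":         # top-level field between sections
            event[""][key] = value
        else:
            event[section][key] = value
    return event


def triage(event):
    """Summarise a parsed 4625 event and attach hints for the analyst."""
    fail = event.get("Failure Information", {})
    sub = int(fail.get("Sub Status", "0x0"), 16)
    target = event.get("Account For Which Logon Failed", {})
    net = event.get("Network Information", {})
    auth = event.get("Detailed Authentication Information", {})
    result = {
        "status": NTSTATUS.get(int(fail.get("Status", "0x0"), 16), "unknown"),
        "sub_status": NTSTATUS.get(sub, "unknown"),
        "logon_type": LOGON_TYPES.get(int(event[""].get("Logon Type", "0")), "unknown"),
        "package": auth.get("Authentication Package", ""),
        "hints": [],
    }
    if sub == 0xC000005E:
        result["hints"].append("no-logon-server: the logging host found no logon "
                               "server for this request; check its path to a DC")
    if sub in (0xC0000064, 0xC000006A):
        result["hints"].append("bad-credentials: unknown user or wrong password")
    if not target.get("Account Name") and not net.get("Source Network Address"):
        result["hints"].append("blank-identity: no target account or source "
                               "address was recorded for this attempt")
    return result


if __name__ == "__main__":
    print(triage(parse_4625(SAMPLE)))
```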

  • Printing: Stuck on 'Hold for authentication'

    Hello. I'm trying to print from my Mac mini through a Windows 7 PC. I haven't ever gotten this to work. I can see the printer by choosing 'guest' when logging into the print server. I don't know what my username and password would be. When I save the printer and go to print something, the print status window comes up and says "Hold for authentication". I tried clearing keychains related to the printer in Keychain Access. Anyone know of a solution?

    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad and start typing the name.
    Use the search box in the toolbar of the Keychain Access to search for the name of the shared printer. Double-click one of the items and check the box marked Show password in the inspector window. You'll be prompted for your keychain password to confirm. Make a note of the user name and password. Then delete every "Network Password" item in the search results. Quit Keychain Access.
    The next time you send a job to the printer, you'll be prompted for the user name and password. Enter the information you noted earlier and check the box to save it in the Keychain.

  • Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

    Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without using ADFS or domain security. Can anyone point us in the right direction?

    Hi,
    By default, smart card is not available for stand alone computer and local account.
    This authentication technology might be helpful to you:
    EIDAuthenticate - Smart card logon on stand alone computers and local accounts
    http://www.mysmartlogon.com/products/eidauthenticate.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Karen Hu
    TechNet Community Support

  • How do you use an external MIT Kerberos realm for authentication in 10.4?

    Does anyone have experience with OS X Server 10.4.x Open Directory and using a "third-party" KDCs for authentication?
    I have four 10.4.5 XServes that form a SAN (Xsan). I am using a common Open Directory domain that consists of about 100 users to manage access to the SAN file space. I have one of the servers set up as OD master and a second as a failover.
    My university has a kerberos realm that includes all university staff and students. I would like to use that KDC for authentication, not create my own KDC on the OD Master.
    The SAN is only being used to support network file services, not as work stations. The users are going to mount file space on their local machines through AFP, Samba, or via ssh at the command line.
    All of the users' short names are identical to their principal names in the University kerberos realm.
    All of the Apple documentation assumes that the OD Master will be the KDC for the OD, and part of the setup involves starting up the Kerberos KDC on the OD master system. There is mention of using any MIT Kerberos KDC, but I cannot for the life of me find where that is documented.
    I have tried using the Server Admin interface and the "Join Kerberos . . . " tool, but when I enter the principal and password, the realm name and the DNS of the KDC it always fails with "error creating the keytab file."
    I have also tried just putting a valid edu.mit.kerberos file in /Library/Preferences and creating a keytab file in the realm I want to join, and putting that at /etc/krb5.keytab in each of the servers in the OD domain, but that doesn't seem to work, either.
    Has anyone else been successful doing this with OS X Server 10.4.x?

    Leland,
    Thanks for your suggestions. I need a little more guidance though. Can you explain how to do step one?
    1) on your OD Master, using workgroup manager edit the KerberosClient record and add the correct kdc info to the XMLPlist attribute.
    Is this done on the "Inspector" tab of the Work Group manager for the user record for the principal that is in the KDC? Exactly which key value pair do I need to edit?
    No, use the "Inspector" tab to look at config records, you will find the KerberosClient & KerberosKDC records in that list.
    Select the XMLPlist attribute and edit it.
    Look for the realms dictionary and either replace the existing entry with the correct realm info or add a new entry for the realm.
    The important keys are KADM_List & KDC_List.
    You should also look at the domain_realm dictionary and make sure that also has the correct info.
    Look at the kerberos admin guide at
    <http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-admin/krb5.conf.html#krb5.conf>
    for an idea of what the sections mean.
    2) from the command line on a server run (as root):
    sso_util configure -r FOO.EDU -a kdcadmin -p kdcadmin_pw -v 4 all
    I would do this on each server in the OD, correct?
    yes, this step creates the service principals for the servers in the kdc, exports the info to the local keytab, and configures the services to use kerberos (so that they know their service principals)
    you might need to modify the AuthenticationAuthority entry for each user to point at the proper realm.
    Is this also done in the "Inspector" tab for each user's record in Work Group Manager?
    yes
    Thanks again for the suggestions.
    Glad to be able to help
    - Leland
    DP G4   Mac OS X (10.4.2)

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add Airport Basestations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to radius:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and also looks like some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Aiport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it, which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid, in this case to authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/
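What the shared secret in a RADIUS client entry actually does on the wire, as an added example that is not part of either post: it builds a PAP Access-Request per RFC 2865, lets a constructed stand-in server answer it, and shows the outcome when the client and server secrets match or differ. The account `alice`, its password, the fixed Request Authenticator and all function names are assumptions for the example; `mysecretpassphrase` is the value from the question.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2           # attribute type numbers (RFC 2865)


def _mask(secret, prev):
    return hashlib.md5(secret + prev).digest()


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + bytes(-len(password) % 16) or bytes(16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _mask(secret, prev)))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; only yields the password if the secret matches."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, req_auth):
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def server_reply(packet, secret, users):
    """Constructed stand-in for the server: check the password, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    clear = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    known = users.get(attrs[USER_NAME])
    ok = known is not None and hmac.compare_digest(known, clear)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply, req_auth, secret):
    """Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def exchange(client_secret, server_secret, req_auth=bytes(range(16))):
    """Run one request/reply; returns (reply code, reply authenticator valid).

    req_auth is fixed here for repeatability; a real client uses 16 random bytes.
    """
    users = {b"alice": b"correct horse"}                     # constructed account
    request = build_access_request(7, b"alice", b"correct horse",
                                   client_secret, req_auth)
    reply = server_reply(request, server_secret, users)
    return reply[0], verify_reply(reply, req_auth, client_secret)


if __name__ == "__main__":
    print("matching secrets:  ", exchange(b"mysecretpassphrase", b"mysecretpassphrase"))
    print("mismatched secrets:", exchange(b"mysecretpassphrase", b"some-other-secret"))
```

With FreeRADIUS's own test tool, `radclient` reads the request attributes from standard input (or from a file given with `-f`), so a test normally pipes the User-Name and User-Password pairs into it.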

  • Java Applet Constantly Asks for Authentication

    We have an ADF application on Weblogic 10 that has occasional access to a Java applet. The Java applet is loaded whenever it's needed and not loaded whenever it isn't in a facet. The applet is currently in the public_html/applet folder.
    When we set the SSL configuration to requiring a client certificate, when the Java applet loads, it'll constantly ask for a client certificate even though the user already presented the client when hitting the website:
    Request Authentication Identification required. Please select certificate to be used for authentication.
    This is annoying to users and the Java Applet doesn't need authentication. Is there any way we can disable the authentication or remove the prompt?
    Here's the embedded applet code:
    <applet height="1" width="1" code="applet.Applet.class" archive="/app/applet/SApplet.jar"><param name="permissions" value="all-permissions"/></applet>
    Things I've already tried:
    1) Setting the Applet up on HTTP instead of HTTPS; I get a warning about mixed content and still get the authentication pop-up.
    2) Created a minimal applet that only types out "HELLO WORLD" in the console, still get the authentication pop-up
    Here's the console window:
    Java Plug-in 1.6.0_35
    Using JRE version 1.6.0_35-b10 Java HotSpot(TM) Client VM
    User home directory = C:\Users\mfan
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
    security: property package.definition value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
    security: property package.definition new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
    basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@1df073d
    basic: Plugin2ClassLoader.addURL parent called for https://192.168.130.99/app/applet/HelloWorld.jar
    network: Cache entry not found [url: https://192.168.130.99/app/applet/HelloWorld.jar, version: null]
    network: Connecting https://192.168.130.99/app/applet/HelloWorld.jar with proxy=DIRECT
    network: Connecting http://192.168.130.99:443/ with proxy=DIRECT
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
    security: Loaded SSL Root CA certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
    security: Loaded Deployment SSL certificates from C:\Users\mfan\AppData\LocalLow\Sun\Java\Deployment\security\trusted.jssecerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment session certificate store
    security: Checking if SSL certificate is in Deployment permanent certificate store
    security: KeyUsage does not allow digital signatures
    (and here's where the prompt comes up).

    Actually, setting the archive to http://URL works fine. No more request authentications come up.

  • AnyConnect 3.1.05160 - no valid certificates available for authentication

    Hi all,
    One of our customers is running the above AC version and hitting the above error.
    From the DART file I gathered the following information:
    Description : Server certificate validation failed with the following errors:
    Certificate does not match the server name.
    Certificate is from an untrusted source.
    Certificate is not identified for this purpose.
    Certificate is malformed.
    Certificate is explicitly distrusted.
    I am sure the cert is valid; however, reading the following article got me thinking: https://supportforums.cisco.com/discussion/11533701/cisco-anyconnect-3008057-certificate-validation-failure.
    Could this be the same reason? I haven't mentioned this to my customer as he is running 3.1.05, but could this be related to the same issue?
    thanks in advance
    Lance

    I also had the problem of "no valid certificates available for authentication", although it only prompted once, rather than a flood like the OP.
    However, the cause and solution for my problem was:
    The certificate used for authentication was issued by my internal CA, to the Computer, NOT the user.
    Although the user that is logged on is a local administrator, the AnyConnect Client application does not have the permission to send the certificate from the Computer store.
    The application needs to 'run as administrator'
    Right-click the application shortcut-> Properties->Compatibility->Privilege Level.
    Tick ->Run This Program As Administrator.
    I needed to reboot the client pc before this worked.
    N.B. I was using Windows 8.

  • MacAir using AD for authentication. In AD, there is a network home assigned to that user. When logging into that account on the Mac, it takes 1-2 minutes after entering credentials, before displaying an error that it could not connect to it, every time.

    In our AD, all users have a network home that is set (smb://home for example). For some of our Mac users using AD for authentication, there is a 1-2 minute delay between entering their credentials and the OS being presented. The OS does not present itself until the user dismisses the alert: "There was a problem connecting to server home". Local users on the same machines do not have that problem.
    It remains in the dock as User's Network Home as a ? that I am unable to remove, and there is also an 'Unknown' in the log-in items for the user as well (that I am also unable to remove).
    Is there any way to disable this share? Or to stop the Mac from trying to connect to it before loading the OS?

  • Policy agent using https redirect to AM for authentication

    We are using Access Manager 6 2005Q1.
    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
    In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
    However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server'. Also in the agent log file I see:
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
         2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
         2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
    Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
    Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
    From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
    Any help with this configuration issue is appreciated.

    Bernhard,
    From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truly only 2.1 or 2.1-xx?
    Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
    We understand your point about loginURL. In fact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. It's almost like the agent is trying to connect there first before doing the redirect and cannot.
    Craig
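
An added triage example (not part of the original posts and not Sun's own tooling) that reads the five agent log lines quoted in the first post, pairs the missing-SSO-token record with the later "unable to find active Identity Server Auth server" warning on the same thread, and measures the gap between them. The function names `parse` and `failed_redirects` are hypothetical; reading the gap as time spent trying to reach the login URL host is an inference from the timestamps, not documented agent behaviour.

```python
import re
from datetime import datetime

# The five agent debug lines quoted in the post above, copied verbatim.
AGENT_LOG = """\
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
"""

# timestamp, level, pid:thread, then the message after "PolicyAgent:"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<level>\w+)\s+"
    r"(?P<thread>\d+:\d+)\s+PolicyAgent:\s*(?P<msg>.*)$")

def parse(text):
    """Turn agent log text into a list of event dicts; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events

def failed_redirects(events):
    """Per thread: a missing SSO token followed by no usable login server."""
    pending, findings = {}, []
    for ev in events:
        if "no sso token" in ev["msg"]:
            pending[ev["thread"]] = ev  # this request needs a login redirect
        elif "unable to find active Identity Server Auth server" in ev["msg"]:
            start = pending.pop(ev["thread"], None)
            if start:
                findings.append({
                    "thread": ev["thread"],
                    "level": ev["level"],
                    # time between the session check and giving up
                    "stall_seconds": (ev["ts"] - start["ts"]).total_seconds(),
                })
    return findings

if __name__ == "__main__":
    for finding in failed_redirects(parse(AGENT_LOG)):
        print(finding)
```

On the quoted lines this reports one finding with a stall of about two seconds, so the next check is a TLS connection from box C/D to the load balancer VIP on 443, compared with the same connection made directly to the AM server.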

  • MAC OS 10.9   some users cannot print to new Ricoh MP C6502   print job is holding for authentication and cannot figure out why

    I have a few iMac and G5 users who have OS 10.9 who cannot print to a new Ricoh MP C6502. I downloaded and installed the new PS driver and it works on some systems, but I have 3 people for whom it goes right to Hold for Authentication. I tried deleting everything associated with this in Keychain Access, and after I did this it comes up to enter a password and it accepts the network login credentials but still holds the print job. I even tried using guest as login and password as someone suggested but still cannot print. Any ideas on why?

    I apologize for the delay in responding to you.  I was on the road all day yesterday.
    OK.  I switched the printer's Ethernet cable to a Linksys Switch (Model EZX S55W) that's part of this local network.  That did not work.  I swapped out the cable for one that I know works.  Still no change.  I switched the printer's Ethernet cable directly to a port on the router.  No change.  I even swapped cables here, too, but no success.
    As I was doing all this, I was wondering: When I select the HP P1606dn printer in the Print and Fax "Add" dialog box, (see the image below) and the Print Using pulldown menu displays "Please select a driver or printer model" and the message "Searching for new drivers" appears under it (with the spinning wheel), why is it that the Ethernet connection to printer is critical to "finding" a new (printer) driver?
    Isn't the utility searching through my system and libraries looking for a printer driver app for the printer that I identified/selected in the dialog box?  
    After all, if the dialog box lists the printer among those to choose from, hasn't the utility already discovered the printer via the Ethernet connection?
