Trouble authenticating to AD

Hello Mac World,
I recently started binding my Mac computers to my network.  We are currently set up in the AD OD Magic Triangle.  One of the issues that I noticed is that if a user tries to log in using a network account when the logon window first comes up it fails.  If they wait ~15 seconds to log in they are able to log in using their network credentials, and everything works perfectly. 
With school about to start and users being introduced to a new setup I can see this turning into a major issue.
My Mac server is running 10.6.8 on a mid 2008 Xserve and AD is running Server 2003 R2.
Has anybody run into this issue before?  Is there any fix for this issue?  I am even open to the idea of delaying the display of the logon window 15 seconds if needed.  Please help.
Thanks,

We have been messing with AD integration here and I was having an issue that I couldn't set a default dock. I tried changing it under there but nothing changed. Ideas?
Aidan:
I was able to get this feature to work using a plist instead of trying to configure it with the GUI.
I created the dock as I wanted it on my machine and copied it up to the prefs by selecting the dock option and clicking "details" to add the plist.

Similar Messages

  • Trouble authenticating after 10.3.9 - 10.4 upgrade?

    I recently (reluctantly) upgraded my Xserve from Mac OS X Server 10.3.9 to 10.4, and I can't authenticate users that exist in the shared directory domain. The server has been an Open Directory Master for some time now.
    Within the Workgroup Manager application, I can see the Local directory, and all system users including Admin uid 501. I can also select my old shared domain under /LDAPv3/192.168.11.10 (server's local IP address) but I can't see any users or authenticate using the Admin login. I can, however, select /LDAPv3/127.0.0.1 and see all of my old users. I presume I can also make changes using the Admin login but I haven't tried.
    Stranger still, I don't see anything in the logs that would indicate a login failure for normal users. Successful Admin logins appear in the Password Service Server log.
    I have a feeling that these authentication issues are related to DNS. After upgrading, no zone files appear in the Zones tab of the DNS editor within Server Admin, even though the Overview tab shows 3 zones allocated. Aside from that, DNS appears to be running, all my zone files are still in /var/named and /etc/named.conf appears untouched. Logs indicate that named starts up correctly and I can do DNS lookups without any problems. For whatever it's worth, I tried using the command-line DNS migrator script.
    I'd been using the Open Directory Master configuration to authenticate local clients for remote home directories, etc. but I'm not anymore. I really only need user authentication for mail, FTP and file sharing services - would it be more appropriate to do a clean install and set it up in a Standalone configuration instead of trying to fix it? If not, does anyone know what might be going on here?
    Thanks
    G5's, G4's, G3's, Xserve, Powerbooks, iBooks   Mac OS X (10.4)  

    Hi, Duane. Trash the new, empty iPhoto Library folder that was created when you exercised the "Create Library" option. Open iPhoto, opt to "Find Library", and navigate to your original iPhoto Library folder. Select that folder, not any of the files or folders inside it. That's your library.
    The standard, default path to that library folder is: Your hard drive>Users>your account name>Pictures>iPhoto Library. You can move the library elsewhere if you like, but if you have no good reason to do so, leaving it in the default location is probably best.
    A cardinal rule for iPhoto users is never to tamper with any of the things inside an iPhoto Library folder. Everything inside that folder is arranged exactly the way iPhoto needs it to be arranged, and next time you open iPhoto, it expects to find all the contents exactly as it left them last time. If you tinker with the contents of that folder via the Finder, or using any tool or utility other than iPhoto itself, the library database will be corrupted for iPhoto's purposes, and some or all of your pictures or albums will seem to have vanished the next time you open iPhoto.
    There is a Discussions forum entirely devoted to iPhoto 4 and earlier. If you have further questions related to your version of iPhoto, I recommend posting them in that forum.

  • I deleted cookies and now I cannot get into my aol mailbox from either my bookmarks or from the aol website. It says it is having trouble authenticating. Solution?

    I deleted some aol cookies and tried to get to my aol mailbox and could not. I then reset to allow cookies and went to the website to get into the mail with no luck. I was however able to get in from my old desktop aol icon.

    Hi Steve,
    Many online logins do not use the Keychain, but only Cookies, or possibly Auto Fill.
    Open Safari>Preferences>Autofill, is Usernames & PW checked?
    Then in the Security tab, what are the Accept Cookies setting? (Oh just saw in the server post you have that set OK).
    On the Apple ID thing, that generally happens if there are failed attempts to login, Log Out of Apple & try iForgot...
    https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/wa/iforgot?language=CA-EN&app_id=2417&newWindow=true&border=false

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with an authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Does any of you have hints ?

    I know now the problem. WLC tries to connect with "anonymous bind" to the LDAP server. It works well with Win2000. With Win2003 it works only if you open the security. See link: http://support.microsoft.com/kb/320528/en
    You don't have the possibility to configure any username/pwd for a secure LDAP query. It's something that is an absolute need for many customers.
    For the moment I will suggest the "workaround" with AP->WLC->Radius->LDAP
    Kind regards
    Alex

  • Mifare Authentication on Omnikey 3x21 CL

    I am having trouble authenticating to block 52 (or any block) of my mifare 1k card using Omnikey 5x21 Contactless Interface.
    Here is my code; it is a bit much, but I wish for other people to have a clear understanding of what I am doing. Also newbies can see the whole process.
    Please scroll down to the point where I construct the Authenticate APDU Command.
    I am using key A (sector 26 or hex: 0x1A) Transmission protocol T=0 or 0x60, on block 52 (0x34)
    The signed applet simply hangs when I uncomment:
    byte[] baAuth = new byte[]{(byte)0xFF,(byte)0x88,(byte)0x00,(byte)0x34,(byte)0x60,(byte)0x1A};
    //CommandAPDU auth = new CommandAPDU(baAuth);
    msg += "Authenticate Apdu Command: " + convertBytesToHexString(baAuth) + "\n";
    //resp = channel.transmit(auth);
    //msg += "Authenticate Response: " + convertBytesToHexString(resp.getBytes()) + "\n";
    The applet is meant to take the information from a mifare card and display it on screen.
    What is going on with this whole authentication process? It looks completely normal to me; am I missing something?
    I would love it if someone could help me with this problem!
    I simply wish to read the information from the card and print it on screen.
    Kind regards
    Stewart
    // Imports the method below relies on (javax.smartcardio is the JRE's PC/SC binding).
    import java.io.FileWriter;
    import java.util.List;
    import javax.smartcardio.*;

    public String DoCard() {
        String msg = "";
        String smsg = ""; //screen message;
        String fileName = System.getProperty("user.home") +
            System.getProperty("file.separator") +
            "InterSign_assignment";
        smsg += msg += "Applet output\n";
        String s;
        TerminalFactory factory = TerminalFactory.getDefault();
        try {
            List<CardTerminal> terminals = factory.terminals().list();
            msg += "Terminals: " + terminals + "\n";
            CardTerminal terminal = terminals.get(1);
            Card card = terminal.connect("T=0");
            CardChannel channel = card.getBasicChannel();
            msg += "Card Present: " + terminal.isCardPresent() + "\n";
            ResponseAPDU resp;
            //UID
            byte[] uid = new byte[]{(byte)0xFF, (byte)0xCA, (byte)0x00, (byte)0x00, (byte)0x00};
            CommandAPDU com = new CommandAPDU(uid);
            msg += "GetUID Command: " + convertBytesToHexString(com.getBytes()) + "\n";
            resp = channel.transmit(com);
            msg += "GetUID Response: " + convertBytesToHexString(resp.getBytes()) + "\n";
            //Load Key (key slot 0x1A, 6-byte key)
            byte[] baLoadkey = new byte[]{(byte)0xFF,(byte)0x82,(byte)0x20,(byte)0x1A,(byte)0x06,(byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
            CommandAPDU loadkey = new CommandAPDU(baLoadkey);
            msg += "LoadKey Loaded Apdu Command: " + convertBytesToHexString(loadkey.getBytes()) + "\n";
            resp = channel.transmit(loadkey);
            msg += "LoadKey Response: " + convertBytesToHexString(resp.getBytes()) + "\n";
            //Authenticate block 0x34 with key A (0x60) from slot 0x1A
            byte[] baAuth = new byte[]{(byte)0xFF,(byte)0x88,(byte)0x00,(byte)0x34,(byte)0x60,(byte)0x1A};
            CommandAPDU auth = new CommandAPDU(baAuth);
            msg += "Authenticate Apdu Command: " + convertBytesToHexString(baAuth) + "\n";
            resp = channel.transmit(auth);
            msg += "Authenticate Response: " + convertBytesToHexString(resp.getBytes()) + "\n";
            //Read 16 bytes from block 0x34
            byte[] baRead = new byte[]{(byte)0xFF, (byte)0xB0, (byte)0x00, (byte)0x34, (byte)0x10};
            CommandAPDU read = new CommandAPDU(baRead);
            msg += "Read APDU Command: " + convertBytesToHexString(read.getBytes()) + "\n";
            resp = channel.transmit(read);
            msg += "Read Response: " + convertBytesToHexString(resp.getBytes()) + "\n";
            card.disconnect(false);
        } catch (CardException e) {
            msg += e;
        }
        //log it
        try {
            FileWriter fos = new FileWriter(fileName);
            fos.write(msg, 0, msg.length());
            fos.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return msg;
    }

    // Hex-dump helper used above; it was not shown in the original post.
    private static String convertBytesToHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X ", b));
        }
        return sb.toString().trim();
    }
    Edited by: Setori on Oct 8, 2007 2:21 AM

    I got the APDU commands from a .NET application that I developed, which uses winscard.dll; I P/Invoked the needed functions such as the Transmit function and from there I developed the APDU command, following the Omnikey contactless development PDF: http://omnikey.aaitg.com/fileadmin/CardMan__5x21-CL_Reader_Developers_Guide_v1_11.pdf pg 53.
    I have taken each APDU command directly from the .NET program, which works really well.
    Yes I agree the problem stems from the "authenticate" and "general authenticate" issue
    Omnikey does not support the general authenticate but does support the deprecated authenticate command,
    and javax.smartcardio does not support the deprecated authenticate but does support the general authenticate.
    The work around: ....?
    So this is what I wish to do, I noticed that there might be a work around.
    javax.smartcardio has two transmit functions which accept different arguments.
    1     transmit(CommandAPDU command); //doesnt work with omnikey
    2     transmit(java.nio.ByteBuffer command, java.nio.ByteBuffer response) ; //currently testing
    Is it not possible to construct a ByteBuffer and send it that way? I presume that smartcardio will not check, just transmit it, thus javax.smartcardio can be happily ignorant of the data I send and just darn well send it to the Omnikey reader.
    I have tried it and I think I am doing something wrong. Here is my code.
    //AUTHENTICATE
    byte[] baAuth = new byte[]{(byte)0xFF,(byte)0x88,(byte)0x00,(byte)0x34,(byte)0x60,(byte)0x1A};
    byte[] baResp = new byte[255];
    ByteBuffer bufAuth = ByteBuffer.wrap(baAuth);
    ByteBuffer bufResp = ByteBuffer.wrap(baResp);
    //CommandAPDU auth = new CommandAPDU(baAuth);
    msg += "Authenticate Apdu Command: " + convertBytesToHexString(baAuth) + "\n";
    int output = channel.transmit(bufAuth,bufResp); // returns the number of response bytes written into bufResp
    msg += "Authenticate Response: " + convertBytesToHexString(baResp) + "\n"; // logged after transmit, so the buffer has been filled
    Annoyingly it crashes and burns with this error
    Exception in thread "main" java.lang.IllegalArgumentException: Insufficient space in response buffer
         at sun.security.smartcardio.ChannelImpl.transmit(Unknown Source)
         at Asgnmt_smartcardio.DoCard(Asgnmt_smartcardio.java:71)
         at Asgnmt_smartcardio.run(Asgnmt_smartcardio.java:24)
         at Asgnmt_smartcardio.main(Asgnmt_smartcardio.java:222)
    I don't fully understand what is going on and I would love it if someone could highlight my blind spot!
    I do hope that this helps others who encounter the same problem!
    Thank you kindly!
    Edited by: Setori on Oct 8, 2007 9:57 PM
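The reader-level command sequence in the post (load key, authenticate, read) can be reasoned about without hardware. The following is an added example, written in Python rather than the poster's Java so that it runs offline; it is not the poster's code and not Omnikey's or Sun's. It builds the same FF 82 / FF 88 / FF B0 byte sequences the post sends, range-checks their parameters, and drives them through a constructed FakeChannel that stands in for a Mifare Classic 1K card behind a reader. The fake card's sector key is set to the same all-FF value the post loads, which is the factory transport key, so a card that still answers to it has never been personalised; the 0x6300 "authentication failed" status word is a constructed value, while 0x6982 and 0x6D00 are standard ISO 7816 meanings.

```python
"""Offline walk-through of the reader-level APDU sequence from the post.

Added example (not the poster's code): builds the same FF 82 / FF 88 / FF B0
pseudo-APDUs, checks their parameters, and drives them through a constructed
FakeChannel that behaves like a Mifare Classic 1K behind a reader.
"""

MIFARE_1K_BLOCKS = 64      # 16 sectors x 4 blocks of 16 bytes
KEY_A, KEY_B = 0x60, 0x61  # key-type byte in the post's Authenticate APDU
SW_OK = 0x9000             # ISO 7816 "success" status word
DEFAULT_TRANSPORT_KEY = bytes([0xFF] * 6)  # factory key the post loads into slot 0x1A


def sector_of(block: int) -> int:
    """Mifare Classic 1K: four blocks per sector, so block 0x34 (52) lies in sector 13."""
    if not 0 <= block < MIFARE_1K_BLOCKS:
        raise ValueError(f"block {block} outside 0..{MIFARE_1K_BLOCKS - 1}")
    return block // 4


def load_key_apdu(key_slot: int, key: bytes) -> bytes:
    """FF 82 20 <slot> 06 <6-byte key>, the post's baLoadkey layout."""
    if len(key) != 6:
        raise ValueError("Mifare Classic keys are exactly 6 bytes")
    if not 0 <= key_slot <= 0xFF:
        raise ValueError("key slot must fit in one byte")
    return bytes([0xFF, 0x82, 0x20, key_slot, 0x06]) + key


def authenticate_apdu(block: int, key_type: int, key_slot: int) -> bytes:
    """FF 88 00 <block> <key type> <slot>, the post's baAuth layout."""
    if key_type not in (KEY_A, KEY_B):
        raise ValueError("key type must be 0x60 (key A) or 0x61 (key B)")
    sector_of(block)  # range check only
    return bytes([0xFF, 0x88, 0x00, block, key_type, key_slot])


def read_block_apdu(block: int, length: int = 16) -> bytes:
    """FF B0 00 <block> <Le>, the post's baRead layout."""
    sector_of(block)
    return bytes([0xFF, 0xB0, 0x00, block, length])


def split_response(resp: bytes) -> tuple:
    """Separate response data from the trailing SW1 SW2 status word."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


class FakeChannel:
    """Constructed stand-in for a CardChannel: reader key slots plus card sector keys."""

    def __init__(self, card_key_a: dict):
        self.card_key_a = card_key_a    # sector -> key A held by the fake card
        self.reader_slots = {}          # slot -> key loaded with FF 82
        self.authenticated_sector = None

    def transmit(self, apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == 0x82:                               # load key into a reader slot
            self.reader_slots[apdu[3]] = apdu[5:11]
            return b"\x90\x00"
        if ins == 0x88:                               # authenticate a block with a slot key
            block, key_type, slot = apdu[3], apdu[4], apdu[5]
            sector = sector_of(block)
            if key_type == KEY_A and self.reader_slots.get(slot) == self.card_key_a.get(sector):
                self.authenticated_sector = sector
                return b"\x90\x00"
            self.authenticated_sector = None
            return b"\x63\x00"                        # constructed "authentication failed" SW
        if ins == 0xB0:                               # read a block
            block, le = apdu[3], apdu[4]
            if self.authenticated_sector != sector_of(block):
                return b"\x69\x82"                    # ISO 7816: security status not satisfied
            return bytes([block]) * le + b"\x90\x00"  # fake block content
        return b"\x6d\x00"                            # ISO 7816: INS not supported


def read_block(channel, block: int, key: bytes, key_slot: int = 0x1A, key_type: int = KEY_A):
    """Load key -> authenticate -> read, stopping at the first non-9000 status word.

    Returns (data or None, trace); trace lists (step, apdu hex, sw hex) for each step sent.
    """
    steps = (
        ("LoadKey", load_key_apdu(key_slot, key)),
        ("Authenticate", authenticate_apdu(block, key_type, key_slot)),
        ("Read", read_block_apdu(block)),
    )
    trace = []
    for name, apdu in steps:
        data, sw = split_response(channel.transmit(apdu))
        trace.append((name, apdu.hex(), f"{sw:04x}"))
        if sw != SW_OK:
            return None, trace
    return data, trace


if __name__ == "__main__":
    card = FakeChannel({sector_of(0x34): DEFAULT_TRANSPORT_KEY})  # card still on the factory key
    data, trace = read_block(card, 0x34, DEFAULT_TRANSPORT_KEY)
    for step in trace:
        print(step)
    print("block 0x34:", data.hex() if data else "read failed")
```

Two things the trace makes visible that the post's string concatenation hides: the status word of each step is checked before the next command is sent, so a failed authenticate never reaches the read, and the key slot byte (0x1A) is a reader-side slot number that is independent of the sector the block belongs to (block 0x34 is in sector 13). On the Java side, the "Insufficient space in response buffer" exception at the end of the post comes from the ByteBuffer variant of transmit in the OpenJDK/Sun implementation requiring room for a full 256-byte response plus the two status bytes, i.e. at least 258 bytes remaining in the response buffer; a 255-byte array is rejected before anything is sent.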

  • AAA Authentication error

    I am having trouble authenticating into my router.
    Here is the debug error I get when I try to log in:
    .Apr 9 18:13:15.518: AAA/BIND(00000068): Bind i/f
    .Apr 9 18:13:15.522: AAA/AUTHEN/LOGIN (00000068): Pick method list 'default'
    .Apr 9 18:13:15.522: TPLUS: Queuing AAA Authentication request 104 for processing
    .Apr 9 18:13:15.522: TPLUS: processing authentication start request id 104
    .Apr 9 18:13:15.522: TPLUS: Authentication start packet created for 104(david)
    .Apr 9 18:13:15.522: TPLUS: Using server 172.16.6.3
    .Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT/4620496C: Started 60 sec timeout
    .Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT: socket event 2
    .Apr 9 18:13:15.526: TPLUS(00000068)/1/NB_WAIT: wrote entire 42 bytes request
    .Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: socket event 1
    .Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: Would block while reading
    .Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: socket event 1
    .Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: errno 254
    .Apr 9 18:13:15.658: TPLUS(00000068)/1/4620496C: Processing the reply packet
    .Apr 9 18:13:20.434: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    .Apr 9 18:13:20.434: TPLUS: Queuing AAA Authentication request 0 for processing
    .Apr 9 18:13:20.434: TPLUS: processing authentication start request id 0
    .Apr 9 18:13:20.434: TPLUS: Authentication start packet created for 0(david)
    .Apr 9 18:13:20.434: TPLUS: Using server 172.16.6.3
    .Apr 9 18:13:20.434: TPLUS(00000000)/1/NB_WAIT/4620496C: Started 60 sec timeout
    .Apr 9 18:13:20.434: TPLUS(00000000)/1/NB_WAIT: socket event 2
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/NB_WAIT: wrote entire 25 bytes request
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: socket event 1
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: Would block while reading
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: socket event 1
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: errno 254
    .Apr 9 18:13:20.438: TPLUS(00000000)/1/4620496C: Processing the reply packet
    Any help would be greatly appreciated.

    David
    The debugs show that you are sending requests to ACS/TACACS and receiving no response. There are several things that could cause this symptom. First you should check on whether the request is getting to the TACACS server. Probably you could look in the logs of the server and see if it has recognized and processed requests from your device. If it recognized the request then it may also have some indication of why it did not authenticate. These causes could include a mismatch in the shared key, the server does not have a correct definition of this device as a TACACS client, your machine is not sending requests with the source address that the TACACS server is expecting.
    You also might want to verify that there is correct IP connectivity from your router to the TACACS server (ping or extended ping is a good way to check this). You might also check along the path and make sure that there are not access lists which might be blocking your request (or blocking the response from the server back to you).
    HTH
    Rick
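A small triage script, added here as an example and not taken from the post or from Cisco, that reads the debug output above and summarises each login attempt by AAA session id: which server and user, how many bytes were written, whether the socket read reported an errno, whether a reply packet was processed, and whether any PASS/FAIL verdict was logged. SAMPLE_DEBUG is excerpted from the post; the PASS/FAIL token detection is an assumption about what a completed exchange prints and does not occur in the post's debug.

```python
"""Triage helper for Cisco IOS 'debug tacacs' / 'debug aaa authentication' output.

Added example, not from the post or from Cisco: groups TPLUS debug lines by
AAA session id and reports what each attempt did and did not show.
"""
import re

# Excerpted from the post's debug output.
SAMPLE_DEBUG = """\
.Apr 9 18:13:15.518: AAA/BIND(00000068): Bind i/f
.Apr 9 18:13:15.522: AAA/AUTHEN/LOGIN (00000068): Pick method list 'default'
.Apr 9 18:13:15.522: TPLUS: Queuing AAA Authentication request 104 for processing
.Apr 9 18:13:15.522: TPLUS: processing authentication start request id 104
.Apr 9 18:13:15.522: TPLUS: Authentication start packet created for 104(david)
.Apr 9 18:13:15.522: TPLUS: Using server 172.16.6.3
.Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT/4620496C: Started 60 sec timeout
.Apr 9 18:13:15.522: TPLUS(00000068)/1/NB_WAIT: socket event 2
.Apr 9 18:13:15.526: TPLUS(00000068)/1/NB_WAIT: wrote entire 42 bytes request
.Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: socket event 1
.Apr 9 18:13:15.526: TPLUS(00000068)/1/READ: Would block while reading
.Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: socket event 1
.Apr 9 18:13:15.658: TPLUS(00000068)/1/READ: errno 254
.Apr 9 18:13:15.658: TPLUS(00000068)/1/4620496C: Processing the reply packet
.Apr 9 18:13:20.434: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
.Apr 9 18:13:20.434: TPLUS: Authentication start packet created for 0(david)
.Apr 9 18:13:20.434: TPLUS: Using server 172.16.6.3
.Apr 9 18:13:20.438: TPLUS(00000000)/1/NB_WAIT: wrote entire 25 bytes request
.Apr 9 18:13:20.438: TPLUS(00000000)/1/READ: errno 254
.Apr 9 18:13:20.438: TPLUS(00000000)/1/4620496C: Processing the reply packet
"""

RE_LOGIN = re.compile(r"AAA/AUTHEN/LOGIN \((?P<sid>[0-9A-Fa-f]{8})\): Pick method list '(?P<mlist>[^']+)'")
RE_START = re.compile(r"TPLUS: Authentication start packet created for \d+\((?P<user>[^)]*)\)")
RE_SERVER = re.compile(r"TPLUS: Using server (?P<ip>[0-9.]+)")
RE_SESSION = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]{8})\)/\d+/(?P<rest>.*)")


def _new_session(method_list):
    return {"method_list": method_list, "user": None, "server": None, "bytes_sent": None,
            "timeout_s": None, "read_errors": [], "reply_processed": False, "verdict": None}


def parse_sessions(text):
    """Group the debug by AAA session id; untagged 'TPLUS:' lines belong to the last opened session."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := RE_LOGIN.search(line):
            current = m["sid"]
            sessions[current] = _new_session(m["mlist"])
        elif m := RE_SESSION.search(line):
            s = sessions.setdefault(m["sid"], _new_session(None))
            rest = m["rest"]
            if w := re.search(r"wrote entire (\d+) bytes", rest):
                s["bytes_sent"] = int(w.group(1))
            if t := re.search(r"Started (\d+) sec timeout", rest):
                s["timeout_s"] = int(t.group(1))
            if e := re.search(r"errno (\d+)", rest):
                s["read_errors"].append(int(e.group(1)))
            if "Processing the reply packet" in rest:
                s["reply_processed"] = True
            if v := re.search(r"\b(PASS|FAIL)\b", rest):  # assumption: verdict token, absent from the post
                s["verdict"] = v.group(1)
        elif current is not None:
            s = sessions[current]
            if m := RE_START.search(line):
                s["user"] = m["user"]
            elif m := RE_SERVER.search(line):
                s["server"] = m["ip"]
    return sessions


def findings(sessions):
    """One triage line per attempt; without a verdict, list what the debug did and did not show."""
    out = []
    for sid, s in sessions.items():
        head = f"{sid}: user={s['user']} server={s['server']} sent={s['bytes_sent']}B"
        if s["verdict"]:
            out.append(f"{head} -> {s['verdict']}")
            continue
        problems = []
        if s["bytes_sent"] is None:
            problems.append("request never written to the socket")
        if s["read_errors"]:
            problems.append("socket read errno " + ",".join(map(str, s["read_errors"])))
        if not s["reply_processed"]:
            problems.append("no reply packet processed")
        problems.append("no PASS/FAIL verdict logged (check the TACACS server's own log)")
        out.append(head + ": " + "; ".join(problems))
    return out


if __name__ == "__main__":
    for line in findings(parse_sessions(SAMPLE_DEBUG)):
        print(line)
```

For the post's debug this yields two lines, both showing the request written to 172.16.6.3 for user david, a read that ended in errno 254, and no verdict, which is the point of Rick's advice: the router side cannot tell a shared-key mismatch from a missing client definition or a blocked path, so the next evidence has to come from the TACACS server's log or from a connectivity check along the route.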

  • Can't connect to wireless network but wife can...

    Hi. I've just bought a Macbook pro. I am trying to connect it to a wireless network. The macbook finds the network (and others), but after I give the correct password it says 'authentication failed'. The weird thing (to me) is that my wife can connect to the same network with her macbook with no problems. These are my Airport details (no working connection)
    Software Versions:
    Menu Extra: 6.2 (620.24)
    configd plug-in: 6.2 (620.15.1)
    System Profiler: 6.0 (600.9)
    Network Preference: 6.2 (620.24)
    AirPort Utility: 5.4.2 (542.23)
    IO80211 Family: 3.1 (310.6)
    Interfaces:
    en1:
    Card Type: AirPort Extreme (0x14E4, 0x8D)
    Firmware Version: Broadcom BCM43xx 1.0 (5.10.91.26)
    Locale: ETSI
    Country Code: DE
    Supported PHY Modes: 802.11 a/b/g/n
    Supported Channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
    Wake On Wireless: Supported
    Status: Not Associated
    and these are hers (working connection)
    Software Versions:
    Menu Extra: 6.2 (620.24)
    configd plug-in: 6.2 (620.15.1)
    System Profiler: 6.0 (600.9)
    Network Preference: 6.2 (620.24)
    AirPort Utility: 5.4.2 (542.23)
    IO80211 Family: 3.1 (310.6)
    Interfaces:
    en1:
    Card Type: AirPort Extreme (0x14E4, 0x8D)
    Firmware Version: Broadcom BCM43xx 1.0 (5.10.91.26)
    Locale: ETSI
    Country Code: DE
    Supported PHY Modes: 802.11 a/b/g/n
    Supported Channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
    Wake On Wireless: Supported
    Status: Connected
    Pretty similar......
    We are both running 10.6.2 with all the latest software updates. Does anyone have any suggestions as to what might be up? The router is a Netgear DG834Gv5, again with the latest firmware. Security is WPA2.
    Thanks in advance,
    wrathkeg

    Two things I'd check first:
    1 - in your router, do you have mac address filtering turned on? If so, add the mac address (Airport id) of your MacBookPro to the 'Wireless Station Access List' in your router. You can find your Airport id under *System Prefs > Network > Airport > Advanced > Ethernet* .
    2 - in your MacBookPro, turn Airport OFF. Then go into *System Prefs > Network > Airport > Advanced.* In the Preferred Networks box, delete the wireless network you are having trouble authenticating with. Click OK, then Apply. Exit System Prefs. Then turn Airport ON. Find the network; re-enter your password. See if that fixes things.

  • I tried to update iTunes and it wouldn't let me install it

    iTunes wanted me to update it (it was working fine before) and I downloaded it and it gave me an error message and wouldn't let me start iTunes up. It said I could retry so I redownloaded iTunes from apple.com and tried over and over again but it didn't do anything. I have no itunes library, can't sync my iPod and have no way to access my music on my computer.

    Are you also having trouble authenticating? If so, try this solution:
    Go to ~/Library/preferences/ByHost/ and delete all com.apple.HIToolbox files.
    Restart your Mac.
    Go to your user account preference pane.
    Unlock the lock
    Type your password.
    Lock the lock.
    Go to software update and follow the procedures.

  • CSOM and O365 Auth

    Hello,
    Ultimately I am wanting to use the Project SDK to authenticate to a Project Online site to pull projects, but I'm having trouble authenticating through O365.
    I followed this blog:
    http://blogs.msdn.com/b/kaevans/archive/2014/02/23/call-o365-using-csom-with-a-console-application.aspx
    to authenticate to my SharePoint online site. I'm met with the following exception with my console app:
    Microsoft.SharePoint.Client.IdcrlException was unhandled
      HResult=-2147186646
      Message=The Application ID (AppID) for which the service ticket is requested does not exist on the system.
      Source=Microsoft.SharePoint.Client.Runtime
      ErrorCode=-2147186646
      StackTrace:
           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.ParseFPDomainName(XDocument xdoc)
           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.RequestFederationProviderInfo(String domainname)
           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetFederationProviderInfo(String domainname)
           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.InitFederationProviderInfoForUser(String username)
           at Microsoft.SharePoint.Client.Idcrl.IdcrlAuth.GetServiceToken(String username, String password, String serviceTarget, String servicePolicy)
           at Microsoft.SharePoint.Client.Idcrl.SharePointOnlineAuthenticationProvider.GetAuthenticationCookie(Uri url, String username, SecureString password, Boolean alwaysThrowOnFailure)
           at Microsoft.SharePoint.Client.SharePointOnlineCredentials.GetAuthenticationCookie(Uri url, Boolean refresh, Boolean alwaysThrowOnFailure)
           at Microsoft.SharePoint.Client.ClientRuntimeContext.SetupRequestCredential(ClientRuntimeContext context, HttpWebRequest request)
           at Microsoft.SharePoint.Client.SPWebRequestExecutor.GetRequestStream()
           at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
           at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
           at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()
           at ReadProjectList.Program.Main(String[] args) in d:\Projects\Samples\CSOM\ReadProjectList\Program.cs:line 39
           at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
           at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
           at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
           at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
           at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
           at System.Threading.ThreadHelper.ThreadStart()
      InnerException:
    I followed the MSDN guidelines for creating app permissions in SharePoint and have the following tags in the app.config file:
    <appSettings>
    <add key="ClientId" value="some_guid"/>
    <add key="ClientSecret" value="this is a secret"/>
    <add key="Realm" value="some_guid"/>
    </appSettings>
    Here is the following code that gives me the error:
    private const string pwaPath = "https://smartdeploy.sharepoint.com/sites/pwa";
    var pass = new SecureString();
    "somepassword".ToList().ForEach(c => pass.AppendChar(c));
    ClientContext test = new ClientContext(pwaPath);
    test.Credentials = new SharePointOnlineCredentials("[email protected]", pass);
    test.Load(test.Web);
    test.ExecuteQuery();
    I know I'm missing something here... ??
    Thanks!
    Allen Anderson -- Cireson -- www.cireson.com

    Hi,
    You can use batch processing with csom. Ex.
    function CreateListItems(objMyArray) {
        var itemArray = [];
        var clientContext = SP.ClientContext.get_current();
        var oList = clientContext.get_web().get_lists().getByTitle('MyList');
        for (var index in objMyArray) {
            var curObject = objMyArray[index];
            var itemCreateInfo = new SP.ListItemCreationInformation();
            var oListItem = oList.addItem(itemCreateInfo);
            oListItem.set_item('Title', curObject.title);
            oListItem.update();
            itemArray[index] = oListItem;
            clientContext.load(itemArray[index]);
        }
        // One round trip for the whole batch; onQuerySucceeded/onQueryFailed are the caller's callbacks.
        clientContext.executeQueryAsync(onQuerySucceeded, onQueryFailed);
    }
    And it goes well (no performance issue).

  • Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!

    For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems.  The issues were hit & miss but still problematic enough to warrant our looking into it.  It seems to be getting worse...  I now have new servers that aren't getting group policy updates.  They may get some, like the list of local admins, but won't pick up NTFS permissions for folder access.  Those that pick up the AD group full of local admins have trouble authenticating members of the group.  Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC.  We reloaded that DC but many of the issues still persist.  At this point, I'm running out of places to look for ideas.  I've spent the last week looking up Event Log IDs and looking through their meanings and possible remedies but, again, the issues persist.  It doesn't seem to matter what the OS is.  We've been seeing this on 2008, 2008-R2 & 2012-R2.
    Here are some examples of events I'm seeing.  I can't figure out the root cause(s).
    Log Name: Application
    Source: Group Policy Files
    Date: 2/19/2015 2:35:12 PM
    Event ID: 4098
    Task Category: (2)
    Level: Warning
    Keywords: Classic
    User: SYSTEM
    Computer: H2T8-IOLDP1.HOMENET.local
    Description:
    The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Group Policy Files" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
    <EventRecordID>1871</EventRecordID>
    <Channel>Application</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data>computer</Data>
    <Data>uptime.exe</Data>
    <Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
    <Data>0x80090006 Invalid Signature.</Data>
    </EventData>
    </Event>
    Log Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date: 2/19/2015 9:38:13 AM
    Event ID: 20499
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: H2T8-IOLDP1.HOMENET.local
    Description:
    Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
    <EventID>20499</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
    <EventRecordID>4</EventRecordID>
    <Correlation />
    <Execution ProcessID="1932" ThreadID="2156" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
    <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
    <Security UserID="S-1-5-20" />
    </System>
    <UserData>
    <EventXML xmlns="Event_NS">
    <ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
    <UserName>RSickler</UserName>
    </EventXML>
    </UserData>
    </Event>
    Note that these servers are sitting in OUs that are full of other servers that don't have these issues.  These GPOs have been in place for years.  I suspect there's a deeper issue with AD, GP or a combination thereof.  The group policy issues seem to only affect freshly loaded servers...

    Hello,
    ensure that no firewall is blocking connections on the AD required ports as listed in
    https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
    You have an error about subnets not being set up in AD Sites and Services for the subnets used in your network and linked to the correct site; please check this in AD Sites and Services and also make sure the DCs are placed in the site they belong to.
    "During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes."
    This error is about a not run adprep /rodcprep:
    Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=HOMENET,DC=local
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
    So either run the command on a DC or ignore this error.
    Please provide also the following data as file:
    ipconfig /all >c:\ipconfig.log [all DCs]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS:
    http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!)
    https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
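The event text above says how to find the affected clients: search netlogon.log for lines containing 'NO_CLIENT_SITE:', where the next word is the client name and the one after it the client IP, then create subnet objects for them. The following PowerShell is an added example for this page (not the poster's or Microsoft's): it parses those lines, groups the clients by /24, and prints the New-ADReplicationSubnet commands that would create the missing subnet objects. The log lines embedded in it are constructed to match the format the event describes, and the site name 'Default-First-Site-Name' is an assumption; it reads the real %SystemRoot%\debug\netlogon.log (and .bak) when run on a DC.

```powershell
# Added example, not from the original thread or from Microsoft.
# Parses NO_CLIENT_SITE entries and proposes the missing subnet objects.

# Constructed sample lines in the netlogon.log layout the event describes:
# "... NO_CLIENT_SITE: <client name> <client IP>"
$SampleLog = @'
02/23 09:21:16 [MISC] [2112] HOMENET: NO_CLIENT_SITE: LAB-PC01 10.10.5.23
02/23 09:21:31 [MISC] [2112] HOMENET: NO_CLIENT_SITE: LAB-PC02 10.10.5.40
02/23 09:22:02 [MISC] [2112] HOMENET: NO_CLIENT_SITE: MAC-LIB03 10.10.7.12
02/23 09:22:05 [MISC] [2112] HOMENET: DsGetDcName function called: client PID=1234
02/23 09:23:10 [MISC] [2112] HOMENET: NO_CLIENT_SITE: LAB-PC01 10.10.5.23
'@

function Get-NoClientSiteEntry {
    # One object per matching line; unrelated debug lines are ignored.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<Ip>\d{1,3}(\.\d{1,3}){3})') {
            [pscustomobject]@{ Client = $Matches.Client; Ip = $Matches.Ip }
        }
    }
}

function Get-MissingSubnet {
    # Groups clients by the first three octets; /24 is an assumption, adjust
    # to your real addressing plan before creating the subnet object.
    param([object[]]$Entries)
    $Entries |
        Group-Object { ($_.Ip -split '\.')[0..2] -join '.' } |
        ForEach-Object {
            [pscustomobject]@{
                Subnet  = "$($_.Name).0/24"
                Clients = ($_.Group.Client | Sort-Object -Unique) -join ', '
            }
        }
}

# Paths from the event text; the .bak is created when the first log fills up.
$logPaths = "$env:SystemRoot\debug\netlogon.log", "$env:SystemRoot\debug\netlogon.bak"
$lines = if (Test-Path $logPaths[0]) {
    Get-Content $logPaths -ErrorAction SilentlyContinue
} else {
    $SampleLog -split "`r?`n"
}

$missing = Get-MissingSubnet (Get-NoClientSiteEntry $lines)
$missing | Format-Table -AutoSize

# Assumed site name. New-ADReplicationSubnet (ActiveDirectory module) creates
# the subnet object the event asks for; the commands are printed for review,
# not executed, because a wrong subnet-to-site mapping silently redirects
# clients to the wrong DCs.
$site = 'Default-First-Site-Name'
foreach ($m in $missing) {
    "New-ADReplicationSubnet -Name '$($m.Subnet)' -Site '$site'   # clients: $($m.Clients)"
}
```

With the sample lines the script reports two subnets, 10.10.5.0/24 (LAB-PC01, LAB-PC02) and 10.10.7.0/24 (MAC-LIB03); the duplicate LAB-PC01 entry is collapsed. After creating the subnet objects, the event should stop reappearing at the next netlogon reporting interval.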
    Info you requested:
    ipconfig_dcs.txt
    dcdiag.txt
    repl.log
    dnslint.htm
    ADREPLSTATUS: ADReplicationStatus.2015.2.23.9.21.16.csv ADReplicationStatusToolData.zip

  • Anyone else not able to log in?

    Can't seem to login to my iTunes account, which keeps me from finishing the download of the movie I was renting. Grrrrrr!
    Anyone else having trouble authenticating? I'm getting a "network connection timed out" error, which makes no sense since I'm obviously connected (I connected here).

    I got mine working.
    All I had to do was Log out, quit, re-open and log in. I was so busy trying to log in and getting an error, I didn't even notice that it thought I was already logged in and having problems.
    Hope it works for you.

  • In CCM, Associate User with All Phones

    This is 1 of 2 threads I am starting.
    1. (this thread) asks for guidance in associating a User with all IP Phones in order for them to obtain authentication before allowing XML to be pushed to them.
    2. (in a separate thread) asks for guidance in issuing the push to the IP Phone, regarding getting the base64 User:Password inserted into the HTTP pkt.
    Thread 1:
    I want to push a CiscoIPPhoneExecute to IP Phones. I am having trouble authenticating. I know that in order to authenticate (UserID,Password) I must add a User (with User ID and Password) to CCM and associate it with all IP Phones. My CCM ver is System version: 5.1.1.2000-2.

    How do you want to do that? Manually or do you want to write a software that does it automatically?
    To do it automatically you need AXL. First you need to look up which devices your application user is already associated with.. you run the following query (taken directly from productive java code):
    private String getDeviceAssociationSqlString(String ctiUser) {
        // Informix SQL sent through the AXL executeSQLQuery request: every device
        // already associated with the application user ctiUser. The user name is
        // spliced into the SQL text (AXL takes a raw string, no bind parameters),
        // so ctiUser must be a trusted configuration value, never external input.
        StringBuilder sb = new StringBuilder();
        sb.append("SELECT dev.name FROM device dev INNER JOIN applicationuserdevicemap adm ON adm.fkdevice = dev.pkid AND tkuserassociation = 1 ");
        sb.append("INNER JOIN applicationuser a ON a.pkid = adm.fkapplicationuser AND a.name='" + ctiUser + "'");
        return sb.toString();
    }
    You do an executeSqlQuery with that query and parse the results (the response will look something like <row><name>SEP123</name></row><row><name>SEP124</name></row> ...).
    Then you look up all devices, e.g. by sending a query like
    SELECT name FROM device WHERE name LIKE 'SEP%'
    (the where clause is to only include IP phones..the device table also contains gateways, analog ports, etc. and we don't want that.. not that this query includes third party sip phones which doesn't make too much sense.. but it won't cause any problems either.. I know because we run that code on a system with third party sip phones).
    Then you do a delta between the two lists and if the second query yielded more results than the first, you need to associate the application user with that phone. There's no direct way in AXL (there used to be in CCM4 but no longer in CCM5+ because we now use application users.. you could theoretically use end users where you can still use updateUser, however it's not a good idea to mix application and regular users).
    So.. you need to update the SQL database directly.. and run executeSqlUpdate via axl. The query to add phone deviceName to application user ctiUser is:
    private String getAddDeviceAssociationSqlString(String deviceName) {
        // Sent through AXL executeSQLUpdate: associates the application user
        // config.ctiUser with the phone deviceName (tkuserassociation = 1).
        // Both values land inside quoted SQL literals, so only pass names that
        // come from CUCM itself or from trusted configuration.
        StringBuilder sb = new StringBuilder();
        sb.append("INSERT INTO applicationuserdevicemap (fkapplicationuser, fkdevice, tkuserassociation) VALUES((SELECT pkid from applicationuser WHERE name = '");
        sb.append(config.ctiUser);
        sb.append("'), (SELECT pkid FROM device WHERE name = '");
        sb.append(deviceName);
        sb.append("'), 1)");
        return sb.toString();
    }
    This also works on CCM6, and most likely on CCM7 (I haven't had any projects with 7 yet, but at first glance I haven't spotted any major changes like those between CCM5 and CCM6, where the extension mobility stuff completely changed).
    And if you do it manually, just go to your application user, and you have the device association right there: press the select more phones button, search for all phones whose name starts with SEP, check them all, and submit.
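The four-step workflow in the answer above (list the devices already associated, list all phones, take the delta, insert one mapping row per missing phone) as a complete, stand-alone Java example. This is added for this page and is not the poster's code or Cisco's; the two AXL result sets are replaced by constructed lists, the application user name "xmlpush" is assumed, and the name checks are an addition: because AXL executeSQLQuery/executeSQLUpdate take a raw SQL string with no bind parameters, the example refuses any device or user name that could not be a real CUCM identifier before it is embedded in a quoted literal.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Added example for this thread (not the poster's code, not Cisco's): the
// lookup / delta / insert workflow, with the two executeSQLQuery responses
// replaced by constructed lists so it runs without a CUCM publisher.
public class PhoneAssociationPlanner {

    // CUCM names phones "SEP" + 12 hex MAC digits. The SQL goes to AXL as a raw
    // string, so refusing any other shape keeps quotes and comment markers out
    // of the statements built below.
    private static final Pattern PHONE_NAME = Pattern.compile("^SEP[0-9A-F]{12}$");
    private static final Pattern USER_NAME  = Pattern.compile("^[A-Za-z0-9._-]{1,128}$");

    static String requireUserName(String ctiUser) {
        if (ctiUser == null || !USER_NAME.matcher(ctiUser).matches()) {
            throw new IllegalArgumentException("refusing to embed application user name in SQL: " + ctiUser);
        }
        return ctiUser;
    }

    static String requirePhoneName(String deviceName) {
        if (deviceName == null || !PHONE_NAME.matcher(deviceName).matches()) {
            throw new IllegalArgumentException("not a phone device name: " + deviceName);
        }
        return deviceName;
    }

    // Step 1: devices already associated with the application user.
    static String selectAssociatedDevices(String ctiUser) {
        return "SELECT dev.name FROM device dev "
             + "INNER JOIN applicationuserdevicemap adm ON adm.fkdevice = dev.pkid AND adm.tkuserassociation = 1 "
             + "INNER JOIN applicationuser a ON a.pkid = adm.fkapplicationuser AND a.name = '"
             + requireUserName(ctiUser) + "'";
    }

    // Step 2: every phone; LIKE 'SEP%' leaves out gateways, analog ports, etc.
    static String selectAllPhones() {
        return "SELECT name FROM device WHERE name LIKE 'SEP%'";
    }

    // Step 3: the delta, in the order the phones came back.
    static List<String> missingAssociations(List<String> associated, List<String> allPhones) {
        Set<String> have = new LinkedHashSet<>(associated);
        List<String> missing = new ArrayList<>();
        for (String phone : allPhones) {
            if (!have.contains(phone)) {
                missing.add(phone);
            }
        }
        return missing;
    }

    // Step 4: one executeSQLUpdate statement per missing phone.
    static String insertAssociation(String ctiUser, String deviceName) {
        return "INSERT INTO applicationuserdevicemap (fkapplicationuser, fkdevice, tkuserassociation) "
             + "VALUES ((SELECT pkid FROM applicationuser WHERE name = '" + requireUserName(ctiUser) + "'), "
             + "(SELECT pkid FROM device WHERE name = '" + requirePhoneName(deviceName) + "'), 1)";
    }

    public static void main(String[] args) {
        String ctiUser = "xmlpush";  // assumed application user name

        // Constructed stand-ins for the two executeSQLQuery responses.
        List<String> associated = Arrays.asList("SEP001122334455", "SEP001122334466");
        List<String> allPhones  = Arrays.asList("SEP001122334455", "SEP001122334466",
                                                "SEP001122334477", "SEP0011223344AB");

        System.out.println(selectAssociatedDevices(ctiUser));
        System.out.println(selectAllPhones());
        for (String phone : missingAssociations(associated, allPhones)) {
            System.out.println(insertAssociation(ctiUser, phone));
        }

        // A name that would break out of the quoted literal is rejected, not sent.
        try {
            insertAssociation(ctiUser, "SEP00112233445'; DROP TABLE device; --");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run as written it prints the two SELECT statements and two INSERT statements (for SEP001122334477 and SEP0011223344AB), then the rejection line. To use it for real, send each SELECT through executeSQLQuery, feed the returned name columns into missingAssociations, and send each INSERT through executeSQLUpdate with an account that holds the AXL role.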

  • Can only authenticate with telnet on ASA

    Hello,
    On an ASA5520 v7.2 I can only seem to authenticate to the console when using telnet and not ssh. I can connect using both methods, but just have trouble authenticating with ssh. Here are the relevant lines related to the issue:
    username user1 password ***** encrypted privilege 15
    username user2 password ***** encrypted privilege 15
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    telnet <my subnet> 255.255.255.0 Inside
    ssh <my subnet> 255.255.255.0 Inside
    Any suggestions are much appreciated!
    Thank you,

    Authentication is performed not per application (telnet/ssh) but per service (shell). You can restrict access to the desired port, but you can't authenticate only selected ports.

  • Thought it was my Iphone, It's LTE??

    I got a new iPhone 4S about a month ago. Two weeks ago, I reset the phone back to the factory setup and it took 18 hours to authenticate. I spent over 2 hours on the phone w/ VZW tech support, they escalated it to a network engineer (I use the term "engineer" loosely) and still nobody could figure it out. It finally just re-authenticated by itself and everything worked fine.
    That is, until this week. Tuesday I tried sending a text message and it failed. I tried a few times, no luck. I tried a call and got a msg saying my phone could not be authenticated on the network. I noticed a while later that the number on the top of my contacts list was not my number. After beginning to get text messages for someone else (ends up it was the number showing up on my phone), I finally figured out that somehow, someone else got my number when setting up a new phone at the local VZW store. Don't ask me how that worked, but after doing a *228-1, it began working again. The person who ended up with my number was also getting my text messages but our voice function worked sporadically.
    Anyway, I got VZW Tech Support to replace my iPhone with a Droid Razr which I got today. Since the network is down, I can't activate it. Unfortunately, once I tried, now my iPhone no longer works either. So at this point I am stuck with two practically brand new smart phones that do not work.
    Ugh.
    I am in Lexington, SC, by the way.

    The iPhone 4S is a 3G only phone and is not affected by the 4G LTE network. The Motorola DROID Razr would have had trouble authenticating itself with the 4G LTE network if the network was down. The iPhone won't work because it is no longer attached to your line of service.

  • Lenovo T400 cannot authenticate with WRE54G

    I recently got a new Thinkpad (Lenovo T400) and am having trouble getting it to authenticate with my Range Expander (WRE54G).  My Xbox360 and my wife's laptop have no trouble authenticating with Static WEP but I cannot.  If I move towards my Router (WRT54GS) and select that access point it authenticates and picks up an IP address no problem.  What's up?  Thanks.

    Which operating system are you using on the laptop?
    Which wireless card are you using on the laptop?
    If you are able to see the network name on your laptop but unable to connect, then you can try updating the wireless adapter driver on your laptop, as your other wireless devices are working fine.
