Windows 7 Authentication Failures in Monitor Mode on ISE 1.2

Similar Messages

• Windows authentication failure on SharePoint 2013 zone

  I am attempting to set up a Windows authentication zone in a SharePoint 2013 installation for use by the search crawler.  The zone has been configured to use NTLM in order to eliminate Kerberos from the equation.  The result of my
  attempts to access the Windows authentication zone is a 403 error.  Central Administration is working on the same server, and of course is using Windows authentication.
  I know about the issue of using Windows authentication to localhost, and have configured the backconnectionhostnames entry in the registry.  To prove that I can use Windows authentication using the intended host name for the SharePoint zone, I have
  set up a test IIS site that binds to the host name used by the zone, and successfully authenticated using Windows authentication.
  From monitoring the ULS logs it's obvious that I'm actually successfully completing Windows authentication, and getting a SharePoint claim, but from that point I'm being denied by SharePoint.  I do know that my Windows credentials has site collection
  administrator privileges.  The most interesting failure in the ULS log appears to be:
  SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
  Another odd thing is that after the ULS indicates I have failed authentication, I'm redirected to /_layouts/AccessDenied.aspx instead of the login page defined in web.config.  I have tried many things, including enabling Kernel-mode authentication. 
  Below is an excerpt from my ULS logs:
  SPApplicationAuthenticationModule: There is no Authorization header, can't try to perform application authentication.
  Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.53, Original Level: Verbose] Value for isAnonymousAllowed is : {0}
  [Forced due to logging gap, Original Level: Verbose] Value for checkAuthenticationCookie is : {0}
  Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.56, Original Level: VerboseEx] Sending HTTP response {0} - {1}:{2}.
  [Forced due to logging gap, Original Level: Verbose] SPRequestModule.PreSendRequestHeaders
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5320.19544383434
  Name=Timer Job SchedulingApproval
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=16.4101862108173
  Name=Timer Job SchedulingApproval
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=14.9021733209109
  Name=Timer Job SchedulingApproval
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.95, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnEndRequest: Start
  SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=17.2175513927049
  Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
  Name=Request (GET:https://crawler.my.host:443/)
  Micro Trace Tags: 0 nasq
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=9.54646470431298
  Name=Request (GET:https://crawler.my.host:443/)
  SPTokenCache.ReadTokenXml: Successfully read token XML 'mydomain\myuser'.
  Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
  Token Cache: Entry missing for user 'mydomain\myuser'.
  Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
  Claims Windows Sign-In: User 'mydomain\myuser' for request url 'https://crawler.my.host/' does not have a cached SessionSecurityToken.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:33.24, Original Level: VerboseEx] We are in claims windows only mode for for request url '{0}'.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:33.71, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  SPSecurityContext: Added JsonWebSecurityTokenHandler to trust channel factory
  SPSecurityContext: Replaced WSTrustRequestSerializer with SPTrust13RequestSerializer
  SPSecurityContext: The SecurityTokenServiceBehavior is attached to the TrustChannel.
  SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'
  MessageId: 'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
  SecurityTokenServiceReceiveRequest: LocalAddress: 'http://servername:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId:
  'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
  Entering monitored scope (ExecuteSecurityTokenServiceOperationServer). Parent No
  STS Call: Issuing new security token.
  SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: Found primary sid claim. Value: 's-0-0-0-0-0-0-1234'.
  Using claim provider 'System' for operation because it is default and it is visible.
  Excluding claim provider 'AD' for operation because it is not default and .
  Using claim provider 'AllUsers' for operation because it is default and it is visible.
  Excluding claim provider 'Forms' for operation because it is not default and .
  Using claim provider 'User Profile Claim Provider' for operation because it is default and it is visible.
  STS Call Claims Windows: Setting cookie lifetime to: Microsoft.IdentityModel.Protocols.WSTrust.Lifetime
  STS Call Claims Windows: Successfully requested sign-in claim identity for user 'mydomain\myuser'.
  STS Call: Successfully issued new security token.
  Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Execution Time=13.187150880908
  [Forced due to logging gap, cached @ 12/01/2014 15:48:34.87, Original Level: Verbose] The SecurityTokenServiceHeaderInfo including the correlation ID was added.
  Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationCaller:http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue). Execution Time=719.713539011243
  [Forced due to logging gap, cached @ 12/01/2014 15:48:35.60, Original Level: Verbose] ____{0}={1}
  Claims Windows Sign-In: Siginging in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
  Updating X.509 certificate validation policy
  [Forced due to logging gap, cached @ 12/01/2014 15:48:36.26, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  Adding X.509 certificate thumbprint '493E6806F4178EDD685BE5EA0AAF79ED30FB4A90' to root authority trust
  SPLocalLoginProvider: Initializing and creating S2S Claim Mappings
  SPLocalLoginProvider: Initialized S2S Claim Mappings.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:36.37, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:37.17, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:37.96, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnSessionSecurityTokenCreated: Start
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.10, Original Level: VerboseEx] SPSam.SetPrincipalFromSessionToken: End
  [Forced due to logging gap, Original Level: Verbose] Looking up {0} site {1} in the farm {2}
  Token Cache: Failed to add token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to Add the token for '0).w|s-0-0-0-0-0-0-1234'.
  Token Cache: Successfully added token to cache for '0).w|s-0-0-0-0-0-0-1234'.
  SPTokenCache.ReadTokenXml: Successfully read token XML '0).w|s-0-0-0-0-0-0-1234,0#.w|mydomain\myuser,123456789012345,True,dpoRtB/hPcjVrEaJtqVWxhY8Pbfm++oHwWQ5TCB9jBlLx5n2Ky5OqGXM7ntfLB0kqIJNDUkeQrl4wL7xW2m4r0rV1TiOUf+e2mpHq8WOgN67puRViZbCxCkwmmxUpE/1OVNcDFXRCh26tvVFieK99LKZn8BJUtmP8RqxtwtwqBolNjCyZ3rfSSmtFyM3pdWjphdj312R9Lcp9/EhTpvvV1J2lFCig901ZGaPo7zOw3pFyXl1eDs+gF2Bcbc7/mMZw67/gEccsFaekBVH1TK0d9qqr6P/ISeEgzhlK4DChV94ntsw8m8Pb255yTL8WrbTykMFV3jC7R2MvqCmiKGK+g==,https://crawler.my.host/'.
  Claims Windows Sign-In: Not writing a cookie for request 'https://crawler.my.host/'.
  Claims Windows Sign-In: Successfully signed-in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
  Updating header 'LOGON_USER' with value '0#.w|mydomain\myuser' for the request url 'https://crawler.my.host/'.
  Leaving Monitored Scope (SPClaimsCounterScope). Execution Time=4957.74267399907
  SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
  Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|mydomain\myuser, ClaimsCount=27
  Leaving Monitored Scope (PostAuthenticateRequestHandler). Execution Time=31.2877754016223
  Micro Trace Tags: 0 nasq,69 air4a,1 air4b,22 air4a,0 air4b,1641 aeayb,732 b4ly,654 erv2,58 erv3,1814 air36,0 air37,42 b4ly,5 agb9s,39 b4ly
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5101.04328902137
  SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.24, Original Level: Verbose] {0}
  [Forced due to logging gap, Original Level: VerboseEx] SPRequestParameters: AppPrincipal={0}, UserName={1}, UserKye={2}, RoleCount={3}, Roles={4}
  Site=/
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.37, Original Level: Verbose] {0}
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.40, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.48, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  Access Denied for /. StackTrace:    at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)     at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender,
  EventArgs eventArgs)     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)    
  at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)     at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)     at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest
  wr, HttpContext context)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr
  rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
  at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr
  nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
  Leaving Monitored Scope (SPFederationAuthenticationModule.OnEndRequest). Execution Time=351.625416079418
  Entering monitored scope (Request (GET:https://crawler.my.host:443/_layouts/AccessDenied.aspx?Source=https%3A%2F%2Fcrawler%2Emy%2Ehost)). Parent No
   

  I'm extending an existing claims based web application.  The way I'm testing authentication is by attempting to log in to the Windows authentication zone using the browser and an account with site collection administrator privileges.  I've also
  tried using the intended crawler service account, but that also fails authentication.
  With regard to the default zone issue, I've already experimented with using both the default zone and another zone, but neither works.
  BTW, I already have this working in a SharePoint 2013 development environment, and a similar configuration has been in a SharePoint 2010 production environment for over a year, which makes this a particularly maddening problem.
  I have enabled Failed Request Tracing, and get a 401.1, 401.2, then a 403 (which says it was caused by the 401.2).  I'm not sure of the significance, but the 403 trace shows the module for the 401.2 to be UrlAuthorizationModule, while the module for
  the 403 error is FederatedAuthentication.
  Per my ULS trace included in my original post, it appears that I'm actually getting a SharePoint claim.

• Open mode (monitor mode) with ise and catalyst switches

  Hi There,
  Anyone know if the following observation is correct ?
  From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting. The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
  - Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
  - And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
  Regards
  Jan

  Hello Jan-
  Below is my input to your questions:
  From the TrustSec 2.1 "Monitor Mode" guide i get the idea that Open mode, is not really as zero impact in a data gathering part of an ISE deployment is a was expecting.
  Yes, a device is still allowed on the network even if it fails all authentication methods (MAB, 802.1x, etc). Basically you use monitor mode to perform discovery and see what would have been blocked had ISE been deployed in production.
  The guide describes using Profiling to authorize Cisco IP phones for the Voice VLAN.
  Yes, you can use profiling to do this. Keep in mind that you will need advanced licensing for this. Otherwise, you can either use MAB with static MACs imported/entered in the local database or EAP-TLS with phone certificates
  - Does this mean that regular methods like using CDP won't work to for this once i enable dot1x on an access switch port interface ?
  CDP will still work, in fact some of the profiling happens thanks to CDP, however, the device will simply not going to be allowed to get on the network and the Voice VLAN unless it passes authentication/authorization.
  - And that i will need to figure out which ports should be set for multi-domain (phone+pc), and which should be set for multi-auth(possibly multiple devices on one port) during the open mode period ?
  This really depends on how secure you want your network to be
  Hope this helps!
  Thank you for rating!

• Intermittent AD Authentication failures in ISE 1.2

            Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
  Thanks
  Jef

  Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
  When you say Multicast to you AD...how did you check that? We do use multicast.

• Windows server 2008 R2 x64 Authentication failure while try to access Windows server 2003 R2

  Hello,
  I try to access Windows Server 2003 R2 Standard from Windows Server 2008 R2 x64 standard using integrated windows authentication . And because my application tries to read SQL server i'm getting and error that user is not trusted. Then I tried to open a
  simple shared folder on  2003 and none of the users is able to do it. Both servers are part of common workgroup in the same IP range. Using domain is not an option. Migrating 2003 to 2008 is not an option either. The specific DB provider I have to use
  supports only windows authentication, so creating user into SQL server is not an option too. I have tested many applications and cases which requires/uses windows authentication and non of the manage to connect.
  Any help is very welcome because things are urgent!
  Authentication failure

  That method in workgroup mode may be a problem.
  Authentication in SQL Server
  Might ask them over here.
  SQL Server forums on
  MSDN
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• ISE internal user authentication failure - user not found

  Hi Forumers'
  I trying to do wireless 802.1x, where identity store using intenral user.
  But i found this error message when i trying to connect
  Authentication failed                                                                                 :
  22056 Subject not found in the applicable identity store(s)
  My authrorization rules is built like this
  identity groups = user identities group / " mygroup"
  condition = no setting
  permissions = standard / PermitAccess
  Question 1
  Any troubleshooting step to do on this?
  Question 2
  For the Authorization rules, what's the condition should set for using Internal User as Identity store?
  Thanks
  Noel

  The error is caused to an authentication failure and is not an issue with authorization
  You need to look at your authentications policy (Policy->Authentications) and see which identity store was authenticated against
  In addition can do the Live Authentications page (Monitor->Authentications) and for the failing record click on the icon under details. This will give you the full details of the requets processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and "Selected Identity Stores".

• Workflows Do Not Start - "Not Supported in Windows Authentication Mode"

  I have a publishing site that is using Kerbos authentication.  Everything on the site works fine.
  I created a simple workflow in SPD 2013 and published this to the site without any problems.  However when I try to start the workflow with the account of a user who is a member of the site it will not run.  In the browser an alert pop's up
  saying "Something went wrong.  To try again, reload the page and then start the workflow again".
  In the SharePoint log's I find the following:
  SharePoint Server              Workflow Services              aj5oh Exception  System.NotSupportedException: Not supported
  in Windows authentication mode.     at Microsoft.SharePoint.IdentityModel.SPIdentityContext.Create(SPUserToken token, Boolean isShareByLinkGuestUser)     at Microsoft.SharePoint.WorkflowServices.WorkflowServiceContextExtensions.GetApplicationUserCredentials(WorkflowServicesContext
  context) StackTrace:  at Microsoft.Office.Server.Native.dll: (sig=1f86b0bf-2440-4b16-9099-860a571153c2|2|microsoft.office.server.native.pdb, offset=131CE) at Microsoft.Office.Server.Native.dll: (offset=21C85) 799af29b-db87-0034-c938-8a35e4082ffc
  This is a dev environment where everthing is setup on a single box, and I registered the workflow service in HTTP mode (which I allowed during the installation of workflow manager).
  Any ideas on what the problem might be?
  Thanks,
  Richard

  You haven't changed it to Claims there, you have changed NTLM to Kerberos. I guess your web app was already claims based because in SP 2013 we have to use Powershell to convert classic to claims and not from GUI.
  When I click the workflow on a item to start in manually I get the error:
  "Something went wrong. To try again, reload the page and then start the workflow"
  In ULS I get the not supported exception.
  It seems 2013 platform workflows aren't supported in classic mode web applications:
  http://sharepointconnoisseur.blogspot.co.uk/2012/11/sharepoint-2013-upgrade-preparation-to.html
  But I am not able to publish 2010 mode workflows in the classic web application, SPD 2013 throws error while publishing:
  "Unexpected error on server, wf cannot be associated"
  So does Infopath while publishing on to a list in that web application:
  -- The opinions expressed here represent my own and not those of anybody else -- http://manojvnair.blogspot.com

• Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

  I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2 . But during the installation, I could not choose the both SQL and windows authentication mode and an error accrued so I did that just with windows authentication mode. 
  Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
  Following steps are the steps that I went but I got an error:
  Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
  and the error that I got is attached(access is denied)  
  Can you please help me?

  You can change the setting after you gain admin rights to your SQL Server. You don't admin rights automatically, you have to explicitly add yourself during the install
  Here's a guide on how to (re)gain those rights:
  http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

• The kerberos PAC verification failure when all users of only one RODC Site, trying to get access iis webpage of different site using Integrated Windows Authentication

  The kerberos PAC verification failure when all users of only one Site which having only one RODC server(A), trying to get access iis webpage of different site which having WDC server(B) using Integrated Windows Authentication. But when they accessing the
  website using IP address, it is not asking for credentials as I think it is using NTLM Authentication at that time which is less secure than Kerberos.
  Note that:- All user accounts and Computers of the RODC has been allowed cache password on the RODC. Nearest WDC for the RODC (A) is the WDC (B).
  The website is hosted on a windows server 2003 R2 and generating below system event log for those users of the RODC site :-
  Event Type: Error
  Event Source: Kerberos
  Event Category: None
  Event ID: 7
  Date:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">date</var>
  Time:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">time</var>
  User: N/A
  Computer:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name (the 2003 server)</var>
  Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client<var style="color:#333333;font-family:'Segoe
  UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name</var> in realm <var
  style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">realm_name</var> had
  a PAC which failed to verify or was modified. Contact your system administrator.
  This issue has been raised for last one week. Before that everything was fine. No Group Policy changed, Time also same.
  In this situation do I need to do Demotion of the RODC and re-promote it as RODC again  or is there any other troubleshooting to resolve it.
  Thanks in Advanced
  Souvik

   Hi Amy,
  Thanks for your response
  I noticed that Logon server could become incorrect again after user re-login or restart of a workstation.
  It seems root cause is different.  Need a permanent solution.
  The Workstations of the RODC site are getting IP from a DHCP server by automatic distribution of IP from a specific subnet for the site only.  The RODC is
  the Primary DNS server for the site.
  I have checked the subnet and it is properly bound with only with that AD site. The group of users and workstations are in the same site AD organisational Unit.
  Sometime I restarted the NET LOGON service and DNS server service on ther RODC server and sometime rebooted the server. But the Logon server issue has not fixed permanently.
  The internal network bandwidth of the site is better than the bandwidth to communicate with other site.  
  The server is Windows server 2008 R2 standard and hosting the below roles
  RODC
  DNS
  File server
  The server performance is Healthy in core times when maximum users usually logins. 
  Any further support would be much appreciated Amy
  Thanks
  Souvik

• Elements 11 Preview Window not visible in dual monitor mode

  When I go to dual monitor mode the preview window is hidden. I can still hear the audio from the clip but I can't see the video window. It is still hidden when I switch back to single monitor mode. The only way to bring it back is to close out the program and reopen it. Does anyone know where it goes and how to make it visible?

  MAINEEDIT
  I have just set up for Premiere Elements 11 Dual Monitor Mode in Windows 8 64 bit computer.
  How do you have your monitors set up...Extend Across.. or other?
  I am not having any problems keeping track of what I believe you are referring to as the "Preview Window". So please excuse
  if I double check with you via the following screenshot.
  Preview Window which can be brought up
  a. double clicking the file in Project Assets
  b. double clicking the file on the Expert workspace Timeline
  I am going to go over this one more time with my Premiere Elements 11 and Windows 8 64 bt computer to see
  if I can create the situation that I am interpreting that you have.
  Thanks.
  ATR
  Add On...This especially makes me ask....
  When I reopen the program the preview window appears in its normal position.
  The Preview Window is going to close when you save/close the project. As you saying that you re-opened the project
  to find the Preview Window opened?

• JDBC Connectivity for SQL Server 2005 Windows Authentication Mode

  Hi Everyone,
  In my Scenario we are using SQL Server 2005 with Mixed Mode Authentication. Now we are planning to move only with Windows Authentication Mode.
  We have configured DB with Window authentication mode & user id have been configured in PI channels however we are getting error. We checked microsoft site, which says Windows Authentication mode DB can not be connected using JDBC drivers.
  http://support.microsoft.com/kb/313100
  In this above link see Basic Connectivity Troubleshooting Section.
  Please let me know if someone confirued JDBC Channel Successfuly with Windows Authentication Mode.
  Thanks In Advance
  Regards,
  Bharathi.

  I think this issue is related to the way that Vista, Windows 7 and Windows 2008 / 2008 R2 treat users who are logged on to the system with an account that is a member of the local administrators group when SQL is running locally.
  If your SQL setup has left you with BUILTIN\Administrators being a member of the sysadmin server role and you start up SQL Management Studio you'd expect to be mapped to the sysadmin role if your user account is in the local administrators group, however
  these OS disable this ability and when you try to connect to the database engine SQL server doesn't know you are a member of the local administrators group.
  To get round this, close all your open SQL management studio windows and then start a new window by right clicking the icon in the start menu and chosing to run as administrator. This time when you try to connect to the SQL database engine, windows doesn't
  "hide" the fact that you are an administrator. If you need to do this a lot you can go to the compatibility tab on the properties of the shortcut and set it to always run as administrator.
  Alternatively you can install the admin tools remotely and you don't get this effect.
  Tim

• "Windows Authentication Mode" when SQL Server 200 and CF on different machines?

  Hi All,
  I am playing for two days with following problem. And still I
  did not able to get rid of it.
  I have installed SQL Server 2000 on machine which is my
  server (windows 2003 server) and this machine is my domain
  controller. I have user “ABC” user and I have added
  this user in administrator group.
  I have another machine where OS is Windows XP and CF 7 is
  installed. I create an ODBC Connection from Administrative Tool to
  my Database (windows 2003 server) successfully.
  Now when I create Data Socket in Coldfusion Administrator and
  when I select the my ODBC that I had created and when I Submit it
  then CF admin throughs the following message.
  Connection verification failed for data source: myTest
  java.sql.SQLException: [Macromedia][SequeLink JDBC
  Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL
  Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
  Please Brother, I don’t have any Clue to solve it,
  Please help.
  One Important thing, All this working fine if my CF, and SQL
  Server are on same machine.
  Best regards,
  Shahid

  Hi Phil Thanks,
  Finally i able to configure it out..... following are the
  steps...
  I assume domain controller is properly configure.
  Following are the steps for the machine where SQL SERVER 2000
  is installed
  1- We need to create Login account for your domain account in
  SQL Server 2000 using Enterprise Manager.
  • Right Click -> New Login
  • Click to load the domain users, select any user from
  your domain that will connect to your SQL Server from LAN.
  Following are the steps for the machine where ColdFusion and
  IIS are installed.
  Step No. 1
  Stop ColdFusion MX.
  Backup your existing macromedia_drivers.jar file.
  Unzip macromedia_drivers.zip into the same directory,
  overwriting the previous
  macromedia_drivers.jar.
  You can download “macromedia_drivers.zip” from
  following URL
  http://kb.adobe.com/support/coldfusion/ts/documents/1a3c2ad0/macromedia_drivers.zip
  A new file, DDJDBCAuth03.dll, which is required for Windows
  Authentication, is also included in the zip file replacing the
  older DDJDBCAuth.DLL.
  Restart ColdFusion MX.
  ColdFusion MX loads the JDBC drivers inmacromedia_drivers.jar
  in the directory cf_root/lib. For example, with ColdFusion MX 7
  Server Configuration on Windows installed on drive C:, this would
  beC:\CFusionMX7\lib\macromedia_drivers.jar.
  Then restart Machine
  Step No. 2
  Configure all the ColdFusion Services to “Log On
  As” using the Domain User Account configured in SQL Server in
  the above mentioned step.
  Change the “Log On As” similar for the all other
  Cold fusion services (ColdFusion MX 7 ODBC Agent, ColdFusion MX 7
  ODBC Server, ColdFusion MX 7 Search Server).
  Step No. 3
  Restart the services; for the safe side reboot the system.
  Step No. 4
  Create ODBC (Control Panel -> Administrative Tool ->
  Data Sources (ODBC)) using the windows NT Authentication option to
  connect to database.
  Step No. 5
  Create Data Socket and Select the created ODBC connection in
  the Drop down (ColdFusion-> Admin)
  Thanks to all who participated in this discussion...
  With lots of Thanks to All particular to Phil who guided me
  in right direction,
  Shahid

• The test couldn't sign in to Outlook Web App due to an authentication failure. Extest_ account.

  Hi.
  I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
  I have runned the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
  The OWA rule is working for some time until (I think) SCOM is doing a automatic password reset of the extest_ account. Then I get the OWA error below. The other test connectivity are working. Any suggestions.
  One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
  Target: xxx|xxx
  Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxxx
  User: extest_xxx
  Details:
  [22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
  [22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
  [22:50:09.154] : The server reported that it supports authentication method FBA.
  [22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
  [22:50:09.154] : Trying to sign in with method 'Fba'.
  [22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
  [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
  [22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  [22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
  Authentication Method: FBA
  Mailbox Server: xxx
  Client Access Server Name: xxx
  Scenario: Logon
  Scenario Description: Sign in to Outlook Web App and verify the response page.
  User Name: extest_xxx
  Performance Counter Name: Logon Latency
  Result: Skipped
  Site: xxx
  Latency: -00:00:00.0010000
  Secure Access: True
  ConnectionType: Plaintext
  Port: 0
  Latency (ms): -1
  Virtual Directory Name: owa (Default Web Site)
  URL: https://xxx.com/OWA/
  URL Type: External
  Error:
  The test couldn't sign in to Outlook Web App due to an authentication failure.
  URL: https://xxx.com/OWA/
  Mailbox: xxx
  User: extest_xxx
  Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
  EventSourceName: MSExchange Monitoring OWAConnectivity External
  Knowledge:
  http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
  Computer: xxx
  Impacted Entities (3):
  OWA Service - xxx, xxx - xxx, Exchange
  Knowledge:     View additional knowledge...
  External Knowledge Sources
  For more information, see the respective topic at the Microsoft Exchange Server TechCenter
  Thanks
  MHem

  Hi,
  Based on the error, it looks like an OWA authentication failure.
  Have you tried post this to LYNC forums?
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Recent Windows 7 update causing monitor sleep problems/W​indows loop in some HP desktops?

  After perusing this forum, I wonder if there was a recent Windows 7 update that has been causing problems for some HP desktops and displays. My office has a 3500 Microtower desktop running Windows 7 Pro. While Windows 7 Pro is running and in use (as in, not prompted by any user-set power management option), the dual HP displays (via DVI split to VGA) will enter sleep mode ("No Signal", I believe) seemingly randomly/chaotically and without warning. No amount of mouse-waving and keyboard-smashing will wake the displays. The displays will not receive a signal after being turned off then on. Then, not immediately but after some undetermined time, the desktop hard drive light will begin to blink at a consistent 1-second interval (approximate), as though it is stuck in a loop.
  My guess, based on both our office's experience and the posts I've read with the same problem (see below for links), is that this update would have become available either November 16 or 17, November 15 at the earliest.
  Thank you for your attention to this conundrum!
  Aaron
  One more piece, not sure if relevant: a user connected remotely in order to monitor the desktop, but detected no problems with the machine. Unfortunately, I was not able to remain with the desktop to see if the displays had shut off at any point during his monitoring.
  Links to other forum posts:
  http://h30434.www3.hp.com/t5/Desktop-Audio-Video-M​onitors/HP-Omni-220-1050xt-Monitor-goes-blank-at-r​...
  http://h30434.www3.hp.com/t5/Desktop-Audio-Video-M​onitors/No-signal-message-on-HP-2010i-using-HPs500​...
  http://h30434.www3.hp.com/t5/Desktop-Audio-Video-M​onitors/HP-S2331-problem-with-coming-on-and-stayin​...
  http://h30434.www3.hp.com/t5/Desktop-Audio-Video-M​onitors/HP-Pavilion-HPE-h8-1100z-CTO-Desktop-PC-pc​...
  http://h30434.www3.hp.com/t5/Desktop-Audio-Video-M​onitors/HP-w2007-monitor-flashes-on-then-off-and-g​...

  Hi,
  If you think that the issue is related to a recent Windows 7 update then try going back to a known good restore point before the issue occured.
  HP DV9700, t9300, Nvidia 8600, 4GB, Crucial C300 128GB SSD
  HP Photosmart Premium C309G, HP Photosmart 6520
  HP Touchpad, HP Chromebook 11
  Custom i7-4770k,Z-87, 8GB, Vertex 3 SSD, Samsung EVO SSD, Corsair HX650,GTX 760
  Custom i7-4790k,Z-97, 16GB, Vertex 3 SSD, Plextor M.2 SSD, Samsung EVO SSD, Corsair HX650, GTX 660TI
  Windows 7/8 UEFI/Legacy mode, MBR/GPT

• System freezes when enabling monitor mode for AR9285 on 2.6.36

  EDIT: OK, sorry guys, found some more infos on the topic:
  https://bbs.archlinux.org/viewtopic.php?pid=863772
  Bug report:
  https://bugs.archlinux.org/task/21683
  I am going to downgrade my kernel to 2.6.35.
  Hey all,
  I have a severe system failure when trying to set my wlan chipset into monitor mode - works with backtrack 4, which still uses 2.6.30 I guess
  reproduce with:
  Atheros AR9285 chipset on ArchLinux w/ Kernel 2.6.36 , drivers are standard ath9k which come with Arch Linux
  airmon-ng start wlan0 <channel>
  "panic occured, switching to console mode.." or something, after a long output, which doesnt get logged, supposedly..
  might be related to:
  https://bbs.archlinux.org/viewtopic.php?id=104231
  although ifconfig wlan0 up works without any problems..
  what can I do? downgrading my kernel to 2.6.30, or installing other drivers?
  I have to admit I'm not a power user when it comes to kernel and drivers stuff.. but willing to learn.
  Thank you
  Last edited by domcobb (2010-12-25 22:24:20)

  I can't help you, but I had a problem with kernel 2.6.36.1-3, too. I got a kernel panic, when I tried to boot. Only thing I could do was to revert to kernel 2.6.35.x. That happened on my big pc, not on my netbook. Maybe he didn't like my amd cpu, who knows.