Windows Authentication Fails

Similar Messages

• AD FS Token issuance endpoints for Windows authentication fail to open

  Hi,
  I have had issue with AD FS and after turning tracing on, I realized that the AD FS endpoints to issue token based on windows authentication were all failing with an error like:
  A WS-Trust endpoint that was configured could not be opened. 
  Additional Data 
  Address: https://adfsvm.dub01.local/adfs/services/trust/13/windowstransport 
  Mode:    WindowsTransport 
  Error: 
  MSIS0006: A Service Principal Name is not registered for the AD FS service account. 
  I have tried to register an SPN for the AD FS service using the following command (I have found the AD FS Service Name in the Federation Service Properties as in the screenshot hereunder) but it fails with the following error.
  setspn -a host/ADFSVM.dub01.local DUB01\ADFSService
  Checking domain DC=dub01,DC=local
  CN=ADFSVM,CN=Computers,DC=dub01,DC=local
          WSMAN/ADFSVM
          WSMAN/ADFSVM.dub01.local
          TERMSRV/ADFSVM
          TERMSRV/ADFSVM.dub01.local
          RestrictedKrbHost/ADFSVM
          HOST/ADFSVM
          RestrictedKrbHost/ADFSVM.dub01.local
          HOST/ADFSVM.dub01.local
  Duplicate SPN found, aborting operation!
  Now I have come to realise that the Federation Service name is the same as the computer name but:
  I dont know if that is an issue
  I don't recall having been offered to give a particular name when installing AD FS
  This is the first time I install AD FS. Is there anyone who could give me a pointer?
  Thanks.
  Francois

  the ADFS federation service FQDN should NOT be the same as the hostname. You will run into Kerberos issues because of duplicate SPNs as you have found
  https://jorgequestforknowledge.wordpress.com/2013/09/06/duplicate-spn-breaks-trust-between-clientserver-and-active-directory/
  When installing ADFS you should specify a federation service FQDN and a service account. When using the GUI to install ADFS, (if I'm not mistaken) the federation service FQDN is derived from the selected cert in the GUI. If that cert had a subject name being
  the hostname, you get this scenario. Instead, install an SSL cert, a token signing cert and a token encryption cert BEFORE the installation and use powershell to install/configure ADFS as it gives you more control.
  As an example see (ADFS v2):
  https://jorgequestforknowledge.wordpress.com/2012/05/08/installing-and-configuring-adfs-v2-as-an-sts-server-part-1/
  https://jorgequestforknowledge.wordpress.com/2012/05/09/installing-and-configuring-adfs-v2-as-an-sts-server-part-2/
  https://jorgequestforknowledge.wordpress.com/2012/05/10/installing-and-configuring-adfs-v2-as-an-sts-server-part-3/
  Install-ADFSFarm
  https://technet.microsoft.com/en-us/library/dn479416.aspx
  Cheers,
  Jorge de Almeida Pinto
  Principal Consultant | MVP Directory Services | IAM Technologies
  COMMUNITY...:
  DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

• Windows authentication fails from Mac browser when LB is in between

  (1)     A new instance of Windows server 2008 R2 is taken and IIS server is installed.
  On IIS server, ‘Windows Authentication’ is enabled and all the other authentication (anonymous, basic) is disabled.
  (2)     From Safari browser on Mac, a IIS resource (protected by Windows Authentication) is accessed by directly accessing IIS server. The resource access is successful.
  (3)     Now a Load Balancer is configured in front of IIS server.
  (4)     From Safari browser on Mac, a IIS resource (protected by Windows Authentication) is accessed by accessing load balancer. Here IIS server prompts for username and password.
  Seems that authentication negotiation is failing between Mac browser and IIS when LB is in between. Can somebody pls know the reason / resolution for this issue ?
  Thanks

  I was just helping someone with this same issue, and found this post searching for answers. I think it's a problem with your web hosting provider. It looks like whois is saying you both use readyhosting.net, is that right?
  If you go into the developer options and override the User Agent string, you can make the issue start and stop. When the user agent string starts with "Mozilla/5.0 (Windows NT 6.1", then the page with show the error message. If it starts with anything else, then it works fine.
  This, and the fact that you did not make any changes to your site makes it sound like your hosting provider changed something. You probably need to have them fix it somehow.

• Windows A/D Authentication Failed (Error 1300L)

  I currently have in place CS ACS Solution Engine v3.3.3 and the Remote Agent is installed on Windows Server 2003. I'm using a lab environment to test Authentication to network switches and routers using ACS as Radius with Windows A/D as the backend. I have had success with the authentication using the CiscoSecure DB but when I change it to Windows DB I get the follwing error in the log:
  CSWinAgent 10/24/2005 14:42:34 A 0433 2004 RPC: NT_MSCHAPAuthenticateUser reply sent
  CSWinAgent 10/24/2005 15:00:06 A 0254 3468 RPC: NT_ForAllNTTrustedDomains received
  CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: Found 1 trusted domains
  CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: trusted domain 1 [Domain-Name]
  CSWinAgent 10/24/2005 15:00:06 A 0048 3468 NTLIB: Found 0 trusted domains
  CSWinAgent 10/24/2005 15:00:06 A 0287 3468 RPC: NT_ForAllNTTrustedDomains reply sent
  CSWinAgent 10/24/2005 15:01:33 A 0121 0564 Client connecting from XX.XX.XX.XXX:1935
  CSWinAgent 10/24/2005 15:01:34 A 0371 2940 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Attempting Windows authentication for user JohnDoe
  CSWinAgent 10/24/2005 15:01:34 A 0048 2940 NTLIB: Windows authentication FAILED (error 1300L)
  CSWinAgent 10/24/2005 15:01:34 A 0433 2940 RPC: NT_MSCHAPAuthenticateUser reply sent
  CSWinAgent 10/24/2005 15:01:37 A 0371 2940 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 10/24/2005 15:01:37 A 0048 2940 NTLIB: Attempting Windows authentication for user JohnDoe
  CSWinAgent 10/24/2005 15:01:37 A 0048 2940 NTLIB: Windows authentication FAILED (error 1300L).
  I installed the RemoteAgent with a Domain Admin Acct. and the CSAgent Service is running with the same acct. Also the external DB is established and the Unknown User Policy is enabled.
  Any suggestions??
  TIA

  Looking into the CSWINAgent log file, I determined that the authentication request was being "forwarded" to a different Windows Server and failing. Talking to one of our Systems Admins, I determined that the Remote Agent was in fact installed on a Domain Controller, but its role might not provide the service needed to do the username query. Furthermore, he went on the explain that we have a number of DCs in our evnironment, but that they each act as different "roles." Apparently the Remote Agent is smart enough to recognize that the current DC in which the Remote Agent was installed on could not perform the task requested and looked for the DC that could (the log file gave me the name of the DC that could). The Systems Admin stated that the DC that the log file was pointing to was the "PDC emulator" in our native envirnoment. So in short, I installed it on the suspected DC and everything works great. I did have to that the Domain Admin to the security Policy that you stated. I have been doing 802.1X machine and user auth ever since without issue. Thanks for your help.

• ACS External Windows Authentication: Pre-Windows 2000 name only works

  Hello. I have attempted to map ACS to Windows AD 2003 as an External Database. That works, but only if I authenticate using the Pre-Windows 2000 name (sometimes called the "down-level" name).
  If I use the Windows 2003 login name, I get a 529 error in the event viewer, stating the username/password is incorrect. This error appears on the Windows 2003 SP1 server running ACS.
  Curiously, if I authenticate using the down-level name, the successful event shows the same authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) and "Workstation" and "Login Process" name (CISCO).
  I cannot determine if this is an ACS or Windows problem. Any one have a clue?

  Win2003 logon name: [email protected]
  A Pre-Windows2000 name: [email protected]
  Interestingly, the down-level name will authenticate, but the "up-level" name will not.
  Here are excerpts from AUTH.log:
  Failed up-level name:
  AUTH 01/19/2006 07:52:04 I 4817 3604 Attempting authentication for Unknown User '[email protected]'
  AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
  AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
  AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain COMPANY
  AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
  AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  AUTH 01/19/2006 07:52:04 I 2124 3604 Unknown User '[email protected]' was not authenticated
  Passed down-level name:
  AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
  AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bsmith
  AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by WINDC02)
  AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user bsmith from WINDC02

• Windows 7 fails when authenticating to another computer on the network

  In Windows 7 (home premium, 64 bit), I am attached to a VPN (Using OpenVPN). Then, whenever I try to either:
  - Use explorer to look at the file system of another computer 
  - Use the remote desktop connection on another computer
  - Map a folder on another computer as a network drive
  ... in all of these cases, I get the authentication dialog and once I send my username and password, it crashes. For example, when I use explorer, it hangs, and then comes back with the message: "Explorer has stopped working"
  I have elsewhere seen a proposed solution for similar symptoms, of deleting this key: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling 
  However, this is not applicable in my case, as the key is not present.
  I don't think that this can be a problem with the network, because:
  a) this works fine from a different computer, running XP,
  b) I have in fact seen this working on this computer, but just once, straight after a system restore, and I can't replicate the success by doing another system restore.
  c) If it were a problem with the network, you would expect Windows to fail gracefully.
  Additionally:
  - Disabling the firewall doesn't help.
  - Disabling the antivirus software (AVG) doesn't help.
  - Doing a clean boot doesn't help.
  I'd be grateful for any suggestions.

  try changing windows authentication levels
  http://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking
  http://technet.microsoft.com/en-us/library/jj852207.aspx

• Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

  Hi there,
  I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
  instances.
  A domain account "Domain\Login" is administrator on both physcial nodes and "sysadmin" on both SQL Server instances.
  Currently both instances are running on same node.
  While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
  as well but issue resolved post insatllation of SQL Server 2008R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
  Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
  Please help resolve the issue.
  Thanks,
  AY

  Hello,
  I Confirm that I encountred the same problem when the first domain controller was dow !!
  During a restarting of the first domain controller, i tried to failover my SQL Server instance to a second node, after that I will be able to authenticate SQL Server Login but Windows Login returns Error 18452 !
  When the firts DC restart finishied restarting every thing was Ok !
  The Question here : Why the cluster instance does'nt used the second DC ???
  Best Regards     
  J.K

• PPPoE works in Windows XP but in OS X just says "authentication failed"

  I connect to the Internet via a cable modem. When I boot into Windows XP (SP3) and make a PPPoE connection, it works perfectly.
  When I set up the same PPPoE connection on the Mac side however, it won't connect! It just says "authentication failed." I thought this might be some Snow Leopard bug so I busted out my old PBG4 with Leopard 10.5.8 on it, and it gave the same errors.
  As a side note, my AirPort Express and AirPort Extreme routers also cannot connect with PPPoE. Is there something wrong with Apple's PPPoE implementation?

  I know HOW to set it up. I've been rocking Macs for years and years. I'm just baffled because the PPPoE doesn't work AT ALL in the Mac (or with either of my 2 Apple routers) but works perfectly fine when I Boot Camp into Windows XP.
  I've also tried downgrading the firmware on the AirPort units as I heard that helped in some cases...certainly didn't help in mine though

• Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

  Hello,
  I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
  Details:
  1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
  2) Both instances are configured to accept SQL+ Windows authentication.
  3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without
  any issues)
  4) Also, we observed following error in windows application event log,
   SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
  The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
  5) If we create SQL login it is working fine without any issues.
  Could someone guide/help  me identifying and fixing this issue.
  Thank you

  Hello,
  Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
  Could you try to delete one of the Windows logins that fail to login , and try to recreate them?
  The following resources may help:
  http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
  http://support.microsoft.com/kb/555332
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• SSIS Package Execution, Windows Authentication, Error: Failed to acquire connection

  Hello,
  I have developed one SSIS Package in SSDT 2012 to create Reporting Database from SQL Datasource and 1 SharePoint List.
  On Development Environment : (Windows Authentication)
  Here everything is running fine.
  On Test Environment Client Side : (Windows Authentication)
  Deployed successfully.
  Validating successfully.
  While executing the package: getting below error.
  SSISPackage:Error: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has occurred. Error Code : 0x80040E21.
  An OLE DB record is abailable. Source: "Microsoft OLE DB Service Componenets" Hresult: 0x80040E21 Description: "Multipe-step OLD DB operation generated errors. Check each OLD DB status value, if available. No work was done.".
  Execute SQL Task: Error: Failed to acquire connection "ReportingDB". Connection may not be configured correctly or you may not have the right permissions on this connection.
  I have done below things:
  On SSIS Package side,
  1. DelayValidation is Set to True for all the connections and each tasks in package
  2. RetainSameConnection : True
  3. ProtectionLevel : DoNotSaveSensitiveData
  On SSMS,
  1. Created one Credential
  2. Create Proxy under SSIS SQL Service Agent to run package as Windows User
  3. Checked all the permissions and roles.
  Below is the connection string which I am using.
  Data Source=DBTEST;Initial Catalog=ReportingDB;Integrated Security=SSPI; persist security info=False;
  Trusted_Connection=Yes;
  Can anyone please help me? As I am trying to resolve this error for the last 4 days and could not find any solution yet.
  Thank you,
  Mittal.

  Can you try changing protection  to - EncryptSensitiveWithUserkey
  can you also enable DTC
  To enable MSDTC on each Web server on Windows Server 2008
  Click Start, click Run, type dcomcnfg and then click OK to open Component Services.
  In the console tree, expand Component Services, expand Computers, expand My Computer, and then expand Distributed Transaction Coordinator.
  Right click Local DTC, and click Properties to display the Local DTC Properties dialog box.
  Click the Security tab.
  In the Security Settings section, click Network DTC Access.
  In the Client and Administration section, select Allow Remote Clients and Allow Remote Administration.
  In the Transaction Manager Communication section, select Allow Inbound and Allow Outbound.
  In the Transaction Manager Communication section, select Mutual Authentication Required (if all remote machines are running Windows Server 2003 SP1), select Incoming Caller Authentication Required (if running MSDTC in a cluster), or select No Authentication
  Required if some of the remote machines are pre-Windows Server 2003 SP1. No Authentication Required is the recommended selection.
  Select Enable XA Transactions, and then click OK.
  Repeat steps 1 through 9 on the other Web servers.
  Please mark
  this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

• SAP Business One Integration Services Authentication Failed

  Dear ,
  ALL SAP forum members,
  Iam Using SAP Business One 8.81 PL 06, Micorsoft SQL 2008 R2
  In SLD B1DI and  JDBC, the connections were tested successfully.
  Whenever I log into SBO, I am getting "SAP Business One Integration Services Authentication Failed" error message. I did extensive research on all possible SBO documents dating 1 year back especially in B1ic Troubleshooting Document (New and Old) and searched the length of the SBO forums, but I could not a solution.
  I uninstalled and reinstalled the B1f package many a time. The integration services we re also restarted many times and the connections were all tested successfully. Firewall, AntiVirus also checked.
  In the B1f, in the Monitoring Window, the login is "Ok" but the AuthCheck is "Failed". I checked Authent.Monitor->Authentic Info  and I found the following message under Action message "Wrong Usrname and Password".
  I debugged and i found again "/com.sap.b1i.vplatform.scenarios.authen/sap.Xcelsius/Authenticate_Check.bfd
  But could not understand much of it.
  But i could go no further. The experts are requested to suggest their solutions, If any, to me as Iam stuck in this phase for the last 3 week
  I hope some experts will guide me over this issue
  Thanks and regards
  Ashish Gupte

  Hi Konstantin Ryahovsky
  Thanks for your reply. My problem is solved.
  And frankly speaking i dont know how it was solved. I have not uninstall, install ,not even i had restarted the server also.
  only change i did in SLD >> Maintainance >>> cfg Runtime >>>> Put server IP address instead of server Name and restarted the services.
  Thanks & regards
  Ashish Gupte

• HTTP 401 received when running exRCA and authentication fails

  After upgrading Exchange 2013 to CU6 our ActiveSync functionality stopped (along with a few other things). I have been using ExRCA to troubleshoot and have spent several days looking at forums and trying different things out to get it working again but to
  no avail. Essentially when I enter valid account credentials it fails to authenticate and as a result I receive an 401 response.
  I have already checked Inherited permissions are enabled for the user account in AD. I have checked that the authentication for the Virtual directory is set to Basic with SSL required. (Have also tried with windows authentication enabled). I have recycled
  the ApplicationPool especially the MSExchangeSyncAppPool - That appears to be correctly configured and running under LocalSystem Identity. I have recreated the virtual directory using the reset feature in the EPC. Both internal and external URLs are set as
  well as the CAS server being assigned to the External URL.
  The report that I get: -         
  An ActiveSync session is being attempted with the server.
   Errors were encountered while testing the Exchange ActiveSync session.
   Additional Details
  Elapsed Time: 3721 ms.
   Test Steps
   Attempting to send the OPTIONS command to the server.
   Testing of the OPTIONS command failed. For more information, see Additional Details.
    Tell me more about this issue and how to resolve it
   Additional Details
  An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
  HTTP Response Headers:
  request-id: 216790d5-03dc-4616-87c6-d196c870a6f0
  X-CalculatedBETarget: ex2013.domain.org
  X-FEServer: EX2013
  Content-Length: 0
  Cache-Control: private
  Date: Wed, 12 Nov 2014 16:13:10 GMT
  Server: Microsoft-IIS/8.5
  WWW-Authenticate: Basic realm="domain.org"
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Elapsed Time: 3721 ms.
  I have failed request logging enabled and I am seeing numerous entries for some of the other services including ActiveSync and getting similar errors to the below: -
  ModuleName
  WindowsAuthenticationModule
  Notification
  AUTHENTICATE_REQUEST
  HttpStatus
  401
  HttpReason
  Unauthorized
  HttpSubStatus
  1
  ErrorCode
  No credentials are available in the security package
   (0x8009030e)
  Any thoughts or additional diagnostic steps will be appreciated.
  I tried recreating the backend virtual directory via EMC using the following command: - 
  New-WebApplication  -Site "Exchange Back End" -Name Microsoft-Server-ActiveSync -PhysicalPath "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync" -ApplicationPool MSExchangeSyncAppPool -Force
  (didnt work...)

  Hi Joby 
  Thanks for getting back - tried your suggestion but still the same. 
  Attempting to send the OPTIONS command to the server.
  Additional Details
  An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
  HTTP Response Headers:
  request-id: 53f6bea6-4ef2-463e-87a1-f2dfd6a7bcf8
  X-CalculatedBETarget: ex2013.xx.domain.org
  X-FEServer: EX2013
  Content-Length: 0
  Cache-Control: private
  Date: Mon, 24 Nov 2014 13:16:15 GMT
  Server: Microsoft-IIS/8.5
  WWW-Authenticate: Basic realm="xx.domain.org"
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Elapsed Time: 681 ms.

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• 802.1x authentication fail

  i have a juniper device linux operating system on that we have radius server configured and i am trying to integrate my WLC with that radius
  i have added WLC as a host there in radius
  on wlc i have configured authentication like radius ip shared secret key and done
  its working i can ping radius server
  also in wlc i configured on Wlan aaa allow override check box and also hited the WPA2 802.1x layer2 security and radius server option brought on top.
  i also configured my windows wireless adaptor as PEAP MSCHAP v2
  i am trying to connect this ssid and its asking for my AD accounts but when i enter that its not authenticating users and giving this logs.
  (WiSM-slot24-1) >debug aaa events enable
  (WiSM-slot24-1) >
  (WiSM-slot24-1) >
  (WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
  *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
  *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
  *aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
  *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
  *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
  *radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
  *aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
  *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
  *dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
  any idea to solve this problem?
  or any one knows that how to configur a radius server on juniper linux operating system?
  many thanks in advance

  You should post on the Juniper forums regarding your policy configuration.  You should stick with using a radius than just doing ldap through the wlc.  Here is a link for webauth using ldap, but should get you close.  Again... you should look at getting your juniper radius configuration fixed first.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

• Windows authentication failure on SharePoint 2013 zone

  I am attempting to set up a Windows authentication zone in a SharePoint 2013 installation for use by the search crawler.  The zone has been configured to use NTLM in order to eliminate Kerberos from the equation.  The result of my
  attempts to access the Windows authentication zone is a 403 error.  Central Administration is working on the same server, and of course is using Windows authentication.
  I know about the issue of using Windows authentication to localhost, and have configured the backconnectionhostnames entry in the registry.  To prove that I can use Windows authentication using the intended host name for the SharePoint zone, I have
  set up a test IIS site that binds to the host name used by the zone, and successfully authenticated using Windows authentication.
  From monitoring the ULS logs it's obvious that I'm actually successfully completing Windows authentication, and getting a SharePoint claim, but from that point I'm being denied by SharePoint.  I do know that my Windows credentials has site collection
  administrator privileges.  The most interesting failure in the ULS log appears to be:
  SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
  Another odd thing is that after the ULS indicates I have failed authentication, I'm redirected to /_layouts/AccessDenied.aspx instead of the login page defined in web.config.  I have tried many things, including enabling Kernel-mode authentication. 
  Below is an excerpt from my ULS logs:
  SPApplicationAuthenticationModule: There is no Authorization header, can't try to perform application authentication.
  Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.53, Original Level: Verbose] Value for isAnonymousAllowed is : {0}
  [Forced due to logging gap, Original Level: Verbose] Value for checkAuthenticationCookie is : {0}
  Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.56, Original Level: VerboseEx] Sending HTTP response {0} - {1}:{2}.
  [Forced due to logging gap, Original Level: Verbose] SPRequestModule.PreSendRequestHeaders
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5320.19544383434
  Name=Timer Job SchedulingApproval
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=16.4101862108173
  Name=Timer Job SchedulingApproval
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=14.9021733209109
  Name=Timer Job SchedulingApproval
  [Forced due to logging gap, cached @ 12/01/2014 15:48:32.95, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnEndRequest: Start
  SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
  Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=17.2175513927049
  Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
  Name=Request (GET:https://crawler.my.host:443/)
  Micro Trace Tags: 0 nasq
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=9.54646470431298
  Name=Request (GET:https://crawler.my.host:443/)
  SPTokenCache.ReadTokenXml: Successfully read token XML 'mydomain\myuser'.
  Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
  Token Cache: Entry missing for user 'mydomain\myuser'.
  Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
  Claims Windows Sign-In: User 'mydomain\myuser' for request url 'https://crawler.my.host/' does not have a cached SessionSecurityToken.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:33.24, Original Level: VerboseEx] We are in claims windows only mode for for request url '{0}'.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:33.71, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  SPSecurityContext: Added JsonWebSecurityTokenHandler to trust channel factory
  SPSecurityContext: Replaced WSTrustRequestSerializer with SPTrust13RequestSerializer
  SPSecurityContext: The SecurityTokenServiceBehavior is attached to the TrustChannel.
  SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'
  MessageId: 'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
  SecurityTokenServiceReceiveRequest: LocalAddress: 'http://servername:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId:
  'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
  Entering monitored scope (ExecuteSecurityTokenServiceOperationServer). Parent No
  STS Call: Issuing new security token.
  SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: Found primary sid claim. Value: 's-0-0-0-0-0-0-1234'.
  Using claim provider 'System' for operation because it is default and it is visible.
  Excluding claim provider 'AD' for operation because it is not default and .
  Using claim provider 'AllUsers' for operation because it is default and it is visible.
  Excluding claim provider 'Forms' for operation because it is not default and .
  Using claim provider 'User Profile Claim Provider' for operation because it is default and it is visible.
  STS Call Claims Windows: Setting cookie lifetime to: Microsoft.IdentityModel.Protocols.WSTrust.Lifetime
  STS Call Claims Windows: Successfully requested sign-in claim identity for user 'mydomain\myuser'.
  STS Call: Successfully issued new security token.
  Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Execution Time=13.187150880908
  [Forced due to logging gap, cached @ 12/01/2014 15:48:34.87, Original Level: Verbose] The SecurityTokenServiceHeaderInfo including the correlation ID was added.
  Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationCaller:http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue). Execution Time=719.713539011243
  [Forced due to logging gap, cached @ 12/01/2014 15:48:35.60, Original Level: Verbose] ____{0}={1}
  Claims Windows Sign-In: Siginging in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
  Updating X.509 certificate validation policy
  [Forced due to logging gap, cached @ 12/01/2014 15:48:36.26, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  Adding X.509 certificate thumbprint '493E6806F4178EDD685BE5EA0AAF79ED30FB4A90' to root authority trust
  SPLocalLoginProvider: Initializing and creating S2S Claim Mappings
  SPLocalLoginProvider: Initialized S2S Claim Mappings.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:36.37, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:37.17, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:37.96, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
  [Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnSessionSecurityTokenCreated: Start
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.10, Original Level: VerboseEx] SPSam.SetPrincipalFromSessionToken: End
  [Forced due to logging gap, Original Level: Verbose] Looking up {0} site {1} in the farm {2}
  Token Cache: Failed to add token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
  Token Cache: Reverting to local cache to Add the token for '0).w|s-0-0-0-0-0-0-1234'.
  Token Cache: Successfully added token to cache for '0).w|s-0-0-0-0-0-0-1234'.
  SPTokenCache.ReadTokenXml: Successfully read token XML '0).w|s-0-0-0-0-0-0-1234,0#.w|mydomain\myuser,123456789012345,True,dpoRtB/hPcjVrEaJtqVWxhY8Pbfm++oHwWQ5TCB9jBlLx5n2Ky5OqGXM7ntfLB0kqIJNDUkeQrl4wL7xW2m4r0rV1TiOUf+e2mpHq8WOgN67puRViZbCxCkwmmxUpE/1OVNcDFXRCh26tvVFieK99LKZn8BJUtmP8RqxtwtwqBolNjCyZ3rfSSmtFyM3pdWjphdj312R9Lcp9/EhTpvvV1J2lFCig901ZGaPo7zOw3pFyXl1eDs+gF2Bcbc7/mMZw67/gEccsFaekBVH1TK0d9qqr6P/ISeEgzhlK4DChV94ntsw8m8Pb255yTL8WrbTykMFV3jC7R2MvqCmiKGK+g==,https://crawler.my.host/'.
  Claims Windows Sign-In: Not writing a cookie for request 'https://crawler.my.host/'.
  Claims Windows Sign-In: Successfully signed-in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
  Updating header 'LOGON_USER' with value '0#.w|mydomain\myuser' for the request url 'https://crawler.my.host/'.
  Leaving Monitored Scope (SPClaimsCounterScope). Execution Time=4957.74267399907
  SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
  Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|mydomain\myuser, ClaimsCount=27
  Leaving Monitored Scope (PostAuthenticateRequestHandler). Execution Time=31.2877754016223
  Micro Trace Tags: 0 nasq,69 air4a,1 air4b,22 air4a,0 air4b,1641 aeayb,732 b4ly,654 erv2,58 erv3,1814 air36,0 air37,42 b4ly,5 agb9s,39 b4ly
  Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5101.04328902137
  SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.24, Original Level: Verbose] {0}
  [Forced due to logging gap, Original Level: VerboseEx] SPRequestParameters: AppPrincipal={0}, UserName={1}, UserKye={2}, RoleCount={3}, Roles={4}
  Site=/
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.37, Original Level: Verbose] {0}
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.40, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  [Forced due to logging gap, cached @ 12/01/2014 15:48:38.48, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
  [Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
  Access Denied for /. StackTrace:    at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context)     at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender,
  EventArgs eventArgs)     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)    
  at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)     at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)     at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest
  wr, HttpContext context)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr
  rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
  at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr
  nativeRequestContext, IntPtr moduleData, Int32 flags)     at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
  Leaving Monitored Scope (SPFederationAuthenticationModule.OnEndRequest). Execution Time=351.625416079418
  Entering monitored scope (Request (GET:https://crawler.my.host:443/_layouts/AccessDenied.aspx?Source=https%3A%2F%2Fcrawler%2Emy%2Ehost)). Parent No
   

  I'm extending an existing claims based web application.  The way I'm testing authentication is by attempting to log in to the Windows authentication zone using the browser and an account with site collection administrator privileges.  I've also
  tried using the intended crawler service account, but that also fails authentication.
  With regard to the default zone issue, I've already experimented with using both the default zone and another zone, but neither works.
  BTW, I already have this working in a SharePoint 2013 development environment, and a similar configuration has been in a SharePoint 2010 production environment for over a year, which makes this a particularly maddening problem.
  I have enabled Failed Request Tracing, and get a 401.1, 401.2, then a 403 (which says it was caused by the 401.2).  I'm not sure of the significance, but the 403 trace shows the module for the 401.2 to be UrlAuthorizationModule, while the module for
  the 403 error is FederatedAuthentication.
  Per my ULS trace included in my original post, it appears that I'm actually getting a SharePoint claim.