Windows Native Authentication with 2 AD domains

I have installed 10g infrastructure on win2k server. I completed the steps in note 282074.1 and WNA is working for the first domain (norris.intra). I now want to have this work for a second domain (shoremont.intra). These 2 AD domains are in separate forests (no global catalog server). I have sync'd the second domain with OID and configured external authentication. According to note 190312.1 you can merge Kerberos keytabs. I have set up the following krb5.ini files on the domain controller in each domain:
File: krb5.ini on AD server monroe2k.norris.intra
[libdefaults]
default_realm = NORRIS.INTRA
clockskew = 300
[realms]
NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
[domain_realm]
.norris.intra = NORRIS.INTRA
norris.intra = NORRIS.INTRA
.shoremont.intra = SHOREMONT.INTRA
shoremont.intra = SHOREMONT.INTRA
File: krb5.ini on AD server swtp_fileserver.shoremont.intra
[libdefaults]
default_realm = SHOREMONT.INTRA
clockskew = 300
[realms]
SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
[domain_realm]
.shoremont.intra = SHOREMONT.INTRA
shoremont.intra = SHOREMONT.INTRA
.norris.intra = NORRIS.INTRA
norris.intra = NORRIS.INTRA
Are the above entries correct? Once I generate and merge the keytab files I will copy the merged file to the OSS server. Following note 282074.1 what other changes need to be made to the various .xml files to implement this configuration? Thanks.

Does anyone have any ideas on how to do this????
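
A consistency check for the two krb5.ini files quoted in the question, as an added example that is not part of the original post or of the Oracle notes it cites. It parses the one-line realm syntax used above (and, going slightly beyond the post, multi-line realm blocks), then flags undefined realms, KDC hosts that [domain_realm] does not map back to their own realm, and host labels outside the RFC 1123 letter-digit-hyphen set. The function names are hypothetical, and the [domain_realm] lookup is a simplified exact-host-then-suffix model.

```python
import re

# Constructed: the two krb5.ini files as quoted in the post above.
KRB5_NORRIS = """\
[libdefaults]
default_realm = NORRIS.INTRA
clockskew = 300
[realms]
NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
[domain_realm]
.norris.intra = NORRIS.INTRA
norris.intra = NORRIS.INTRA
.shoremont.intra = SHOREMONT.INTRA
shoremont.intra = SHOREMONT.INTRA
"""
KRB5_SHOREMONT = """\
[libdefaults]
default_realm = SHOREMONT.INTRA
clockskew = 300
[realms]
SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
[domain_realm]
.shoremont.intra = SHOREMONT.INTRA
shoremont.intra = SHOREMONT.INTRA
.norris.intra = NORRIS.INTRA
norris.intra = NORRIS.INTRA
"""

# RFC 1123 host label: letters, digits and hyphens, not starting or ending with a hyphen.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
KEY_VALUE = re.compile(r"(?m)^[ \t]*([^\s=#;]+)[ \t]*=[ \t]*(\S+)[ \t]*$")
REALM_BLOCK = re.compile(r"([^\s={}]+)\s*=\s*\{([^}]*)\}")


def parse_krb5(text):
    """Parse [libdefaults], [realms] and [domain_realm] into plain dicts."""
    parts = re.split(r"(?m)^[ \t]*\[(\w+)\][ \t]*$", text)
    sections = dict(zip(parts[1::2], parts[2::2]))
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    for name in ("libdefaults", "domain_realm"):
        conf[name].update(KEY_VALUE.findall(sections.get(name, "")))
    # A realm block may sit on one line (as in the post) or span several.
    for realm, body in REALM_BLOCK.findall(sections.get("realms", "")):
        conf["realms"][realm] = re.findall(r"\bkdc\s*=\s*([^\s}]+)", body)
    return conf


def realm_for_host(conf, host):
    """Simplified [domain_realm] lookup: exact host entry, then nearest '.domain' suffix."""
    mapping = {k.lower(): v for k, v in conf["domain_realm"].items()}
    labels = host.lower().split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)


def lint_krb5(conf):
    """Return a list of findings for one parsed file."""
    findings = []
    default = conf["libdefaults"].get("default_realm")
    if default not in conf["realms"]:
        findings.append(f"default_realm {default!r} has no [realms] entry")
    for realm, kdcs in conf["realms"].items():
        if not kdcs:
            findings.append(f"{realm}: no kdc defined")
        for kdc in kdcs:
            host = kdc.rsplit(":", 1)[0]
            bad = [lbl for lbl in host.split(".") if not HOST_LABEL.fullmatch(lbl)]
            if bad:
                findings.append(f"{realm}: kdc host {host} has non-RFC 1123 label(s) {bad}")
            mapped = realm_for_host(conf, host)
            if mapped != realm:
                findings.append(f"{realm}: kdc host {host} maps to {mapped} in [domain_realm]")
    for domain, realm in conf["domain_realm"].items():
        if realm not in conf["realms"]:
            findings.append(f"[domain_realm] {domain} points at undefined realm {realm}")
    return findings


def compare_files(a, b):
    """Both servers should agree on realms and mappings; only default_realm may differ."""
    diffs = []
    for section in ("realms", "domain_realm"):
        for key in sorted(set(a[section]) | set(b[section])):
            if a[section].get(key) != b[section].get(key):
                diffs.append(f"[{section}] {key}: {a[section].get(key)} != {b[section].get(key)}")
    return diffs


if __name__ == "__main__":
    norris, shoremont = parse_krb5(KRB5_NORRIS), parse_krb5(KRB5_SHOREMONT)
    for finding in lint_krb5(norris) + lint_krb5(shoremont) + compare_files(norris, shoremont):
        print(finding)
```

On the files as posted the two servers agree with each other, and the only finding in each is the underscore in the KDC host label `swtp_fileserver`, which is worth testing against the Kerberos client on the SSO server before the merged keytab is deployed.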

Similar Messages

  • Windows Native Authentication with 2 (multiple) AD domains

    I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
    Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
    Phase 2) Configure a Kerberos Service Account for the Single Sign-on
    Currently all the above setup points to a single windows active directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
    The active directory is replicated across multiple servers – i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary active directory server is unavailable Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
    Questions:
    1) Can I get away with not incorporating active2.uk.oacle.com into phase 1? If the users have been pulled into OID then we are not particularly concerned with pulling in new users in a disaster situation.
    2) Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order of precedence – i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com? I would generate a keytab file from each server.
    Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com then active2.uk.oacle.com. Is this a workable approach? If yes how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
    Thanks

    Does anyone have any ideas on how to do this????

  • Windows Native Authentication

    Hi guys,
    I was able to set up the WNA; in fact
    no errors appear in the OC4J~OC4J_SECURITY~default_island~1 log file when the OC4J_SECURITY instance starts up,
    but if I try to connect to
    http://sso.<domain>/pls/orasso using a client of
    Windows Domain the sso login page appears
    and the following message in ssoServer.log
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Calling Authentication method
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Falling back to SSO authentication
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOServerAuth:authenticate method
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 user name NULL
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Password Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Subscriber Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Voice header: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 x-oracle-mobile-authtype: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 auth mode is user/pass
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Perhaps this is a Basic Auth u/pwd
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 No username supplied. Sending IPASInsufficientCredException
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Requesting Login Page to collect credentials
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.getUserCredentialPage method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Sending login page to the user with an error message: null
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Exiting from SSOKerbeAuth.getUserCredentialPage method
    Any ideas about this issue?
    Regards
    Luigi

    Luigi,
    did you follow up
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    regards,
    --olaf

  • Windows Native Authentication from Windows 7

    Has anyone successfully tested SSO with Windows Native authentication from a windows 7 client ?
    I have a working setup with SSO on OID 10.1.4.3 but with windows 7 client I get the fallback login prompt instead of automatic login.
    I have got a workaround from support but it still does not work:
    - on the client Windows 7 PC go to PC security policies (Policies -> Network Security -> Configure encryption types allowed for Kerberos) and select all of them EXCEPT the “Allow future types” option;
    - change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3 (please take a backup of the registry settings before any change).
    Thanks // Kerstin

    Applying patch 6915917 solves the problem.

  • Using Windows 8.1 With Older Domain Controllers

    Is there any document that would specify types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?
    I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1? For such cases, how do we configure security policy on those 8.1 domain member computers? Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and Windows 8.1 in common?
    Will

    Hi,
    You could refer to below guide to complete your migration process:
    Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
    http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Meanwhile, for details on how to migrate the domain controller, I would like to suggest you consult the Windows Server Forum for more professional help:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
    Karen Hu
    TechNet Community Support

  • NTLM Authentication with a domain controller/active directory

    Hi,
    I have a requirement to do an NTLM authentication with the MS active directory.
    I am aware that JNDI doesn't support this protocol to communicate with the AD.
    I have looked into couple of online solutions available but that doesn't seem to meet my requirement. Most of the solutions like (Apache commons NTLMScheme/NTCredentials and java.net.Authenticator etc...) are used for only NTLM proxy authentication (where both username, password is sent to the proxy server which does the actual NTLM authentication with the Active Directory.)
    What I need is a solution in Java where I can directly contact Active directory for negotiation of challenge/response mechanism.
    Can any of you guys suggest any alternative to achieve this ?

    it really depends to be honest. I'd probably go something like this though:
    One Small physical server to act as a domain controller - you could put DHCP on this too
    One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
    Then for your VM's create the following:
    1 x additional domain controller
    For remote desktop services:
    1 x Remote Desktop Session Host
    1 x Connection Broker
    1 x Gateway and web server
    For additional services
    1 or 2 x Exchange
    1 x sharepoint
    1 x IIS
    but it really depends what you want to achieve. 
    The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
    If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
    Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
    Regards,
    Denis Cooper
    MCITP EA - MCT

  • Windows Integrated Authentication with reverse proxy issue with Safari

    Hi All
    I have an application which uses Windows Integrated Authentication. For Internet users we have a reverse proxy with an IIS server which authenticates using basic authentication and then redirects to the actual application. Everything works as expected in IE and Firefox, but in Safari a second login dialog box appears. When I did a packet capture using Wireshark I noticed that in IE and FF the basic authentication is carried forward to the actual application from the IIS server, but in Safari there is an NTLM negotiation in between because there is a 401 response, so my application asks for one more login dialog. Does anyone know why Safari is behaving like this?
    Thanks & Regards
    Karthikeyan Vaithilingam

    I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users that belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller.

  • Manual Tomcat Active Directory (AD) Authentication with multiple domains

    Hi,
    We have successfully implemented manual AD authentication on our BO XI 3.1 environment using the Tomcat application server.
    Now we need to include another domain to be able to use AD authentication to BOE.
    What changes do we need to perform to allow the additional domain to log in successfully?
    Thanks for any support.
    Thanks,
    J

    Hello,
    You need to modify the file krb5.ini by adding the second domain there
    Have a look at the note 1406795 (https://bosap-support.wdf.sap.corp/sap/support/notes/1406795)
    The users of that domain will have to login by specifying that domain (user@domain)
    Regards,
    Philippe

  • How to get the SSO user from PL/SQL with Windows native authen

    I connect to a 10g database using SSO through Windows Native Authentication where the OID user maps to a single database user.
    I need to get the SSO user from PL/SQL.
    My front end is Portal & Forms.

    Hmm, I see.
    Well your problem boils down to being in the database and needing to have access to web environment variables. The SSO sets specific variables in the environment but your stored procedure is not privy to them.
    Now having said that, note that the mod_plsql Web Toolkit has a utility for accessing cgi variables. For instance,
    owa_util.get_cgi_env('Osso-User-Dn')
    If your web application cannot capture the SSO info and pass it to the stored proc in a parameter, OWA may be the only way.
    Check out the Single Sign-On Developers Guide, specifically the part about developing statically protected PLSQL applications.
    Hope this helps.
    regards,
    tt

  • WinAD manual authentication to two domains

    Hi,
    We have our windows 2008 domain (A) and a secure windows domain (B) which we have a one way forest trust with.  Their trust of us is listed as 'External, not transitive'.
    So
    A - Forest, Transitive -> B
    B - External, Not Trans -> A
    We are running web sphere on windows 2008 R2, BOXI 3.1 SP 5.
    We have set up WinAD manual authentication with our domain A using Kerberos.  Reading the documentation and threads here, it's obvious we cannot add domain B without creating a forest trust from the other side.  This will not happen for security and policy reasons.
    Should we be able to configure BOXI manual LDAP authentication to their AD and have it coexist with the WinAD auth?
    Thanks,
    Sam

    Yes that is possible and you can configure.
    It should work fine.
    -Raunak

  • SSO and Windows Native Mode Benefits?

    Hi All
    We currently run EP7 SP8 and I need to find out what the benefits are if we move to Win2000 or Win2003 Native mode. Also if we can use SSO with Win2000 or Win 2003.
    Does anyone have any information which would help me weigh up the pros and cons of implementing this.
    Many Thanks for your help
    Phil

    thank you for your reply,
    Metalink note 277382.1 is a good document on how to configure OID External Authentication Plugin for Authentication Via Microsoft Active.
    Configuring OID to import users and the External Authentication Plugin are prerequisite steps for SSO WNA, but WNA needs other steps not described in this Metalink note.
    N.B: WNA "Windows Native Authentication" is a feature for Oracle SSO which enables Microsoft Internet Explorer users to automatically authenticate to their web applications using their desktop credentials.
    thanks

  • Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

    Hi Guys,
    I have a problem with this case. My sample topology is: AD (Win2008) - RADIUS (Win2008) - Aironet 2702i => using the Web-Auth method for end users.
    This is my configuration file on the Aironet 2702i:
    Aironet2702i#show run
    Building configuration...
    Current configuration : 8547 bytes
    ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Aironet2702i
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login DTSGROUP group radius
    aaa authentication login webauth group radius
    aaa authentication login weblist group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local 
    aaa session-id common
    clock timezone +0700 7 0
    no ip source-route
    no ip cef 
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication weblist 
    no ip domain lookup
    ip domain name dts.com.vn
    dot11 syslog
    dot11 activity-timeout unknown default 1000
    dot11 activity-timeout client default 1000
    dot11 activity-timeout repeater default 1000
    dot11 activity-timeout workgroup-bridge default 1000
    dot11 activity-timeout bridge default 1000
    dot11 vlan-name DTSGroup vlan 46
    dot11 vlan-name L6-Webauthen-test vlan 45
    dot11 vlan-name NetworkL7 vlan 43
    dot11 vlan-name SGCTT vlan 44
    dot11 ssid DTS-Group
       vlan 46
       authentication open eap DTSGROUP 
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 ssid DTS-Group-Floor7
       vlan 43
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    dot11 ssid SaigonCTT-Public
       vlan 44
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
    dot11 arp-cache optional
    dot11 adjacent-ap age-timeout 3
    eap profile DTSGROUP
     description testwebauth-radius
     method peap
     method mschapv2
     method leap
    username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
    username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 46 mode ciphers aes-ccm 
     encryption mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid L6-Webauthen-test
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 2412
     station-role root
     rts threshold 2340
     rts retries 128
     ip admission webauth
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface Dot11Radio1
     no ip address
     shutdown
     encryption vlan 46 mode ciphers aes-ccm 
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 45 mode ciphers ckip-cmic 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 5745
     station-role root
     rts threshold 2340
     rts retries 128
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     dot1x pae authenticator
     dot1x authenticator eap profile DTSGROUP
     dot1x supplicant eap profile DTSGROUP
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface GigabitEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface BVI1
     mac-address 58f3.9ce0.8038
     ip address 172.16.1.62 255.255.255.0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    radius-server attribute 32 include-in-access-req format %h
    radius server 172.16.50.99
     address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
     key 7 104A1D0A4B141D06421224
    bridge 1 route ip
    line con 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    end
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
    Account Name: xxxxxxxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
    Client Machine:
    Security ID: S-1-0-0
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    So I will explain the problems I have seen:
    SSID DTS-Group uses EAP authentication with RADIUS and it is working great (authentication type from Aironet to RADIUS is PEAP).
    SSID L6-Webauthen-test uses web-auth and I tried to compare with RADIUS, but the ROOT CAUSE is that the default AUTHENTICATION TYPE from Aironet to RADIUS is PAP (Reason Code: 66).
    => I have been trying to find how to change the authentication type of Web-Auth on Cisco Aironet from PAP to PEAP or something like that, to combine with RADIUS.
    Any ideas or recommendations for me?
    Thanks for looking at my case.

    Hi Dhiresh Yadav,
    Many thanks for your reply.
    I will explain my problem again to make it clear.
    In this case, I have completely set up SSID DTS-Group to use authentication with PEAP security combined with a RADIUS server running on Windows 2008.
    I logged in to the SSID with an account created in AD => it works okay for me. Done.
    The problem occurs when I try to use web authentication on VLAN 45 with this SSID:
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    After configuring the Aironet and the Windows RADIUS server, I tried to log in with an account created in AD via a web browser, but it failed (I saw a mini popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    I think the ROOT CAUSE is:
    PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't combine with RADIUS on Windows 2008 because they just support PEAP (CHAPv1, CHAPv2...) => Please give me a tip on how to change the authentication type from PAP to PEAP for web authentication on the Aironet.

  • Ricoh Aficio MP C2051 Scan to Folder - Windows 7 64 bit Error: Authentication with the destination has failed check settings

    I have an issue with the Windows 7 OS.
    I am unable to scan documents to the user's PC. I am getting the error message "Authentication with the destination has failed. Check settings. To check the current status, press [Scanned Files Status
    Other Windows XP PCs can do this.
    How can I fix this problem?
    Printer Model :C2051 /mp2001sp

    Hi,
    I searched for the error and it is mentioned in Ricoh's website:
    Messages Displayed on the Control Panel When Using the Scanner Function
    http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001045/0001045718/view/trouble/int/0036.htm
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Message: “Authentication with the destination has failed. Check settings. To check the current status, press [Comm. Status/Print].”
    Cause: The entered login user name or login password is not correct.
    Solution:
    - Check that the user name and password are correct.
    - Check that the ID and password for the destination folder are correct.
    - A password of 128 or more characters may not be recognized.
    From the solution, it mentioned that the issue could relate to user account or its password.
    Please let me know if it is in domain environment. If so, please test to log the same user account currently on Windows 7 to Windows XP and see if issue persists.
    Also please test to directly access the scanning folder on printer server to see if there is any issue in accessing the destination folder. 

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 server for the ACS,
    and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
    I've scoured Google etc., and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the internal error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu
