Meraki and Active Directory authentication

Similar Questions

• Windows Server 2008 R2, with two Windows Storage Server 2003 Standard: How can I add the MAC authentication on top of Active Directory authentication for a storage servers?

  I have two running Windows Storage Server 2003 storage servers in a domain R2 Windows Server 2008 Standard.  On top of the Active Directory authentication, I want to add authentication of MAC address for the access to one of the storage servers.  In this scenario, an authenticated user is unable to log on to the target storage server unless the user is also on one of the computers MAC address accepted.  All domain users will have access to other folders and files as configuration storage server in Active Directory.  I already have a user access to installation by the permissions for folders on the storage server target, but I still want to restrict access to specific computers as well.  For what it's worth the server hardware is HP Proliant DL360 G5 for the Standard Server 2008 R2 and server HP Proliant DL185 G5 for two Storage Server 2003 computers.  I don't want to have MAC address authentication as the main means of access control to the network, only for the storage server a as an addition to control Active Directory.

  Hi Kerry,

  The question you posted would be better suited in the TechNet Server Forums since we have dedicated to this support; We recommend that you post your question in the TechNet Forums to get help:

  http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  Keep us informed on the status of the issue.

• WebLogic with problem supplier Active Directory Authentication: < DN for user...: null >

  I have a java application (SSO via SAML2) using Weblogic as an identity provider. Everything works fine using created users directly in Weblogic. However, I need to add support for Active Directory. Thus, according to the documents:

  -J' set an Active Directory authentication provider

  -changed it's order in the list of authentication providers so that it is first

  -l' control indicator value SUFFICIENT and configured the specific provider; Here's the part concerned in the config.xml file:

  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  
  
  

  I configured an instance of AD LDS (Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created the users and a user admin "tadmin" that has been added to the members directors. I've also made sure to set the msDS-UserAccountDisabled property.

  After the restart Weblogic, I see that users and groups in AD LDS are properly recovered in Weblogic. But, when I try to connect to my application using Username:tadmin and the password: <>... it doesn't.

  Here's what I see in the log file:

  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  
  
  

  So, I tried to watch why did I: < DN for user tadmin: null >. The Apache Directory Studio I have reproduced the ldap search request used in Weblogic, and of course, I get no results. But, change filter only "(& (cn = tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; Here is the result of Apache Directory Studio:

  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  
  
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  
  
  

  (the "[email protected]" is defined as userPrincipalName in the tadmin on AD LDS user)

  As you can see, ' numEntries #: 1 "(and I can see as a result the entry ' CN = tadmin, CN = wl, DC = in, DC = com ' in Apache Directory Studio interface); If I add the userAccountControl filter I get 0.

  I read the AD LDS does not use userAccountControl but "uses several individual attributes to store the information contained in the userAccountControl attribute flags"; Among these attributes is msDS-UserAccountDisabled, which, as I said, I already have the value FALSE.

  So, my question is, how do I run? Why do I get "< DN for user tadmin: null >"? What is the userAccountControl? If this is the case, should I do a different configuration on my AD LDS? Or, how can I get rid of the userAccountControl filter into Weblogic?

  I don't seem to find the configuration files or in the interface: I don't have that "user of the name filter: (& (cn = %u)(objectclass=user))", there is no userAccountControl.»

  Another difference is that, even if in Weblogic, I put compatible ssl false flag, the newspaper I see ldaps and ldap, I noticed (I don't mean to install something ready for production and I don't want SSL for the moment).

  Here are some other things I tried, but doesn't change anything:

  -other attributes '-FS' were not resolved, so I tried their initialization to a value

  -J' tried other users defined in AD LDS, not tadmin

  -in Weblogic, I added users who were imported from AD LDS into the policies and roles > Kingdom roles > Global roles > roles > Admin

  -J' removed all occurrences of userAccountControl I found xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)

  Any thoughts?

  Thank you.

  In the case of some other poor soul will fall on this issue: I did this job by configuring a generic ldap authenticator.

  See also:

  Re: could not connect to the WLS console with the user of the directory

• Is there another solution to integrate NAC Appliance and Active Directory on Windows 2008 64 bit

  I'm trying to integrate a device of the NAC solution in a network where all domian servers and application servers are Windows 2008 64-bit.

  Could someone help me to confirm if Active Directory (AD) on Windows 2008 is not taken in charge and tell me what alternatives exist to authenticate users who consider that it is not possible to make any changes on the server. They will continue to be Windows 2008 64 bit.

  The original idea was to use AD SSO to authenticate users, but I read that it is not supported on Windows 2008 64 bit.

  I'd appreciate any help or suggestions.

  Concerning

  Arturo Monroy

  Arturo,

  You can use LDAP. Configure an LDAP authentication provider and have your customers to provide their credentials.

  It will not however a single code access scenario. They would have to enter their credentials again on the NAC agent.

  Support for 64 - bit is on its way and will be out in the new versions soon.

  HTH,

  Faisal

• DMVPN and active directory (logon)

  Hi all

  We have a DMVPN configuration between a few sites and everything seems fine, except that the logons through the VPN for a new domain active directory are very slow (10-15 minutes). I believe that the problem may be with the fragmentation of tunnel and packages such as AD is configured correctly.

  I am looking for some recommendations or advice on the MTU and TCP MSS settings see if it solves the problem.

  both the hub and the spokes are currently with the following settings MTU and MSS (ive removed some irrelevant information) Tunnel0 was originally a mtu of 1440 but if whatever it is 1400 is even worse.

  Thank you

  interface Tunnel0

  IP 1400 MTU

  IP nat inside

  authentication of the PNDH IP SP1

  dynamic multicast of IP PNDH map

  PNDH network IP-1 id

  IP virtual-reassembly in

  No cutting of the ip horizon

  source of Dialer0 tunnel

  multipoint gre tunnel mode

  0 button on tunnel

  Profile of ipsec protection tunnel 1

  interface Dialer0

  MTU 1492

  the negotiated IP address

  NAT outside IP

  IP virtual-reassembly in

  encapsulation ppp

  IP tcp adjust-mss 1452

  Dialer pool 1

  Dialer-Group 1

  Darren,

  In general the prolem is due to Kerberos on UDP traffic.

  There are several ways you can solve the problem:

  (1) transition to Kerberos over TCP. (suggested)

  (2) setting the MSS on the interface of tunnel not on telephone transmitter (recommended)

  (3) allowing the PMTUD tunnel (strongly recommended).

  M.

• VSphere 5.5 and active directory

  Hello

  I'm having a problem trying to set up a new device Center 5.5 use AD permissions. My ad is 2012, I gave the host in which the vc unit sits on a COMPLETE domain name and it is joined to the domain, then, I'm going to the VC unit and join it to AD that she is successful. When I go to add permissions the ad domain is here not only local and sphere.local appears.

  When I look in the AD, I noticed that the host and the VC have not computer accounts even if they seem to be joined to the domain successfully.

  Any ideas would be appreciated.

  Paul

  Hello

  Please lookinto this link, hope this helps you:

  http://wahlnetwork.com/2013/09/09/using-Active-Directory-integrated-Windows-authentication-SSO-5-5/

• Problems of ESXi 5.5 and Active Directory

  Something has clearly changed in the behavior of default Active Directory for ESXi 5.5

  I can successfully join a freshly installed ISO standalone ESXi 5.5 (1331820) to my domain name by using the vSphere Client. Time is correct on the host computer and the domain controller, so it isn't that. I also see the default group esx ^ admins is automatically configured as an administrator on the host authorization tab (because this group is configured in AD since approximately 2009).

  Unfortunately, connect to ESXi with the vSphere client "use Windows logon credentials" is uneven at best - it seems to have worked once or twice - and logging in the shell or SSH using the windows credentials (we tried [email protected] and mon_domaine\compte) does not work.

  We thought we were crazy, so we went back and installed 5.1 all over again - and it worked fine. We compared the: / etc/hosts and files /etc/krb5.conf on both machines and could not find any differences.

  Does anyone have an idea?

  THX

  Simple solution:

  Reboot the host or execute: /usr/sbin/services.sh restart

  This was not necessary because the directory-based authentication was supported in the GUI, but it is now. After a re-start AD works as it should.

• Active Directory authentication via host profile

  I am trying to use apply a profile host through powershell script that will add an esxi host to my domain active directory.

  $vCenter = Read-Host "Enter vCenter.

  $esxhost = Read-Host "enter the domain the ESXi host's FULL name.

  $ADdomaincreds = $host.ui.PromptForCredential ("Enter Credentials", "Please enter your user name Active Directory and password.", "", "")

  $hostprofile = Read-Host "Enter HostProfile to apply"

  SECURESTRING #CONVERT

  $CONVERT_AD_PASSWORD = http://System.Runtime.InteropServices.Marshal: SecureStringToBSTR($ADdomaincreds.Password)

  $AD_PASSWORD = http://System.Runtime.InteropServices.Marshal: name ($CONVERT_AD_PASSWORD)

  SE connect-VIServer $vCenter

  $hostprof = get-VMHostprofile-name $hostprofile

  $applyhost = get-VMHost $esxhost

  Game-VMHost - VMHost $applyhost - State "maintenance".

  $additionalConfiguration = apply-VMHostProfile - ApplyOnly - $hostprof profile-entity $applyhost - confirm: $false

  $additionalConfiguration = $ADdomaincreds.username

  $additionalConfiguration = $AD_PASSWORD

  $additionalConfiguration = apply VMHostProfile - $hostprof profile-entity $applyhost - Variable $additionalConfiguration - confirm: $false

  It runs without error, but when I look at the esxi host he always says that he uses local authentication.  If I apply the host through the VI Client profile, it works without problem. Is this what I need to put in the variable?

  I also tried using the Set-VMHostADDomain of LucD function.  This works, however, if I then apply the profile of my host to complete the configuration of the other components such as syslog, ntp, etc., authentication gets restore local authentication after a reboot.

  Hello

  There is a bug in the Apply-VMHostProfile cmdlet that is already filed in our bugtracking system. The fix will be available in a future release.

  The problem is caused by using an incorrect version of the API (4.0) which is not taken in charge of operations active directory.

  Here are possible solutions:

  1. join the domain without using the host profile feature. Here's a simple script that can do for you:

  function JoinDomainWithAD ($vmhost, $domainName, $domainUser, $domainPassword) {
     $vmhostView = Get-View -id $vmhost.ID
     $authenticationManagerView = Get-View $vmhostView.ConfigManager.AuthenticationManager
     $hostActiveDirectoryAuthenticationMoRef = $authenticationManagerView.SupportedStore | where { $_.Type -eq 'HostActiveDirectoryAuthentication' }
     $hostActiveDirectoryAuthentication = Get-View $hostActiveDirectoryAuthenticationMoRef
     $hostActiveDirectoryAuthentication.JoinDomain($domainName, $domainUser, $domainPassword)
  }
  

  2. apply the solution profiles host with direct API calls (Get-View)

  Let me know if you need anything that anyone else.

  Kind regards

  Nedko Nedev

  PowerCLI development team

• ISE personas and Active directory

  Hello everyone,

  just a question...

  Which character has need of more bandwidth with Active Directory?

  Assuming that I have admin / - fire guard - political service monitor

  wich side place AD? (cause of firewall bandwidth limits)?

  Thanks in advance for your answer

  The node primary admin and the political service nodes. All nodes join the AD, but when you create groups in AD and build your policies which is made from the node of the main admin, PSN nodes are responsible for enforcing those policies. It is my personal opinion.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• Continuation with VIO and Active Directory reference error

  While deploying the instance OpenStack de VIO, I get the following error message when checking the parameters of authentication source:

  Cannot find the specified user (Group). Details: The LDAP search request failed. Further reference

  This seems to be a problem, I met several times, where AD would send a reference instead of the response that the client must follow. But I don't see any option to allow removal with Active Directory. Is there a way around this?

  Concerning

  Gerald

  I found a work around for the problem:

  The query is successful when you use the ports for the Active Directory Global catalog.

  The ports are:

  • 3268 (without encryption)

  or

  • 3269 (with SSL)

  Disadvantage: You can't just use your do domain name address all the domain controller, you must specify one with its host name.

• ESX and Active Directory

  Hello

  I have a succession of VMware ESX ESX 3.5 70 servers and I want to be able to manage better the connection, I am familiar with the addition of the accounts of users and groups by VI or by using a command. What I want to do is if possible to create different groups and modify it permissions on each host via a script, and then if possible to add users to the same group in Active Directory and user management centrally via AD. If this is not possible, I would like to script adding user accounts and change the permissions of the user. I like to keep as manageable as possible to control the user accounts and permissions, more than 70 servers may prove to be multitasking.

  Thanks in advance

  This is the best post I've seen on this task.

  http://blog.scottlowe.org/2007/07/10/ESX-Server-ad-integration/

  You can also watch Centrify.

  http://www.Centrify.com/DirectControl/vmware_esx.asp

• Cloning and Active Directory

  I just came across trouble cloning a win2003 server in Active Direcory. Once I renamed the cloned that he renamed the initial account of the server in Active Directory, so I could not connect to the source server over.

  I've always had to run newsid.exe after a clone or the Configuration Wizard can do?

  If you use the feature to customize comments, it will generate a new SID for the clone if you ask.

  I misread your post origionally and was about to recoment that you clone servers Active Directory (for example, domain controllers)

• WLC4402, SSC 4.0, EAP FAST with ACS 4.1.23 and Active Directory

  Hi all

  I have a problem where my client software SSC (Cisco Secure Services)-wireless on laptops don't will authenticate the windows domain users if they enter the user name and passwords manually. The unique signature feature will not work. I am using EAP-FAST. It is an ACS appliance based server that I restored from the recovery CD.

  When I look at the failure of authentication request I can see that she is trying to send [email protected] / * / during an attempt to SSO on. The log shows that it is a bad user name or password. Note that the end of the domain name is missing.

  I can see the authentication attempt in the log of the remote agent (CSWINagent.log) on the domain controller, so I don't know that it sends the connection request to the domain controller. The Remote Agent is the same version as the ACS server. When I authenticate successfully (manually) it sends not the domain part of the user.

  This is a new installation. Initially, I had 2 remote agents, both on the service domain controllers has been run under an account with sufficient privileges windows domain administrator. After a planned turn off weekend windows authentication has stopped working completely. I found a post in this forum that says to use the local system to start the remote agent service. This led windows authentication to life, but now I have this problem. I don't know that until I changed it the manual connection is also required in domain (IE user domain\username). I can't be sure that this is the case!

  Can anyone help me to get windows AD to accept these credentials, because they are sent to the client connection? Otherwise if I can make it work with the user account, he worked with initially then that would be great.

  Thank you very much

  As you mentioned that SSC transmits the username "[email protected] / * /" in SSO.

  Is what I think for the moment, to use the feature of Distribution of Proxy on ACS.

  that is, demand to come as it is "[email protected] / * /', let's make ACS Stip off"@domaine"and"username"to RA for AD verification."

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342969

  After stripping '@domaine' send the request back to the ACS it itself, i.e. in the column forward to, ensure that we have input of the ACS.

  And let me know if it works for you?

  Kind regards

  Prem

• ACS 4.2 and Active Directory

  I'm putting in place our new ACS 4.2 server. This is version 4.2 Build 124, running on a Windows 2003 server. I'm having some trouble with the enumeration of the groups and just may not know what Miss me. We have 7 different areas, and I can only list one of them groups. We do not run ACS on one of our domain controllers, but the server is a member of the domain controllers. I even added a service account is a domain administrator and services run as account but I still cannot enumerate groups. Any help would be greatly appreciated.

  Hello

  I know that you have a domain administrator account that is running the services ACS. But I'd like to as go you through the steps listed below again.

  ------------------------------------------

  -You should have a user on AD.

  -To make it difficult to hack, give him a very complicated password for a long time.

  -Make the user member of the Domain Admins group.

  -Make the user member of the Administrators group.

  -Make the user member of the Enterprise Administrators group.

  On to Windows 2000/2003 server running ACS:

  -Add the new user to the appropriate local group.

  -Open "Administrative Tools" in the control panel.

  -Open "Computer management".

  -Open 'Local users and groups' and then 'groups '.

  -Double-click the group "Administrators".

  -Click on 'Add '.

  -Choose the domain in the box "search in".

  -Double-click the user created above to add it.

  -Click OK.

  -Give special rights to the new user on the ACS server.

  -Open "Administrative Tools" in the control panel.

  -Open "local security policy".

  -Open "local policies".

  -Open "User rights assignment."

  -Double-click "Act as part of operating system"

  -Click on 'Add '.

  -Choose the domain in the box "search in".

  -Double-click the user created above to add it.

  -Click OK.

  -Double click on "Log on as a service."

  -Click on 'Add '.

  -Choose the domain in the box "search in".

  -Double-click the user created above to add it.

  -Click OK.

  -Set the ACS services to run as long as the user created.

  -Open "Administrative Tools" in the control panel.

  -Open "Services".

  -Double-click the CSADMIN entry.

  -Click the 'connection '.

  -Click on "This account", and then on the button 'Browse '.

  -Choose the field, double-click the user created previously.

  -Click 'OK '.

  -Repeat for the rest of the CS services.

  -Wait for Windows to apply the security policy changes, or restart the server.

  -If you restarted the server, skip the rest of these instructions.

  -Stop and then start the CSADMIN service.

  -Open the GUI of the ACS.

  -Click on System Configuration.

  -Click on the Service order.

  -Click "restart."

  Note If domain security policy is set to override settings for "Act as part of operating system" and "Log on as a service" rights, rights of user changes listed above will also be to do here.

  If you log on several areas, a full two-way trust must exist between the domains, the user (ACS account) must be created and given the high access in each domainbto be questioned and FULL domain each domain must be listed as a DNS suffix in the properties of the IP Address of the server on which the ACS is installed (restart netlogon service after adding the FULL domain name).

  HTH

  JK

  Please help the rate of messages-

• Web server on a DMZ and Active Directory

  It is a question facing two part philosophical part technical.

  If I have a new Win 2 k 3 web server that I put on my DMZ is stupid to allow him to join my AD domain by opening the appropriate ports for communication between the inside and DMZ AD interface interface?

  Or who simply goes against Smart Firewall? Can an attacker cross from outside intf in DMZ within intf?

  If it's a wise thing to do, how to do? I guess just to open the ports that use MS as 135 137, netbios, 139, and 445 (I forgot everything?). Am I missing?

  Thanks for any advice, technical or philosophical.

  Marc

  I would put it no doubt inside. In this era of virus, worms, software, spyware, p2p, etc., your users applications are often (in general not as malicious) also dangerous than the outside world. Use a DMZ for MS products is darn almost impossible, unless it is limited filtering (blocking access to users to SNMP, terminal services and other management fixed ports) in a position that allowed default value (rather than the general practices of firewall failure deny and selectively permit).

  Because of the need for a relatively open between the clients and servers MS, I have a pretty aggressive policy of hardening, patching and antivirus.

  If you try to put your DMZ, you can determine how your internal users could access it. If they are accessing the interface of http as well, it's good (some applications have two web interfaces as client binary packages well too big that use different, sometimes dynamic ports). You could then selectively allow access to the ip address of sql for ad servers only and open a ton it things. Yet, there is the risk that if this box has been compromised, it could be a conduit for other hosts. Because this kind of things MS is such a puzzle to the DMZ, I generally recommend people think about hardening the servers instead of trying to force the DMZ piece square into a round hole.

  For IIS, look are the IISLockdown utility, which is a supplement on win2k/NT4 and perhaps be included out of the box on win2k3. It is menu-driven and can help you disable stuff you don't need. Hacking exposed Win2k is a great book to pick up. The NSA.gov has guidelines of security for most of the server MSFT products.