Getting incorrect username or password error when using FAS to single sign on with VDA with event ID 102 and event ID 25 on DC

Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in the Microsoft Active Directory directory service. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function in the rest of this article) that reads this attribute do not succeed if the calling security context does not have access to the attribute.

By default, access to the TGGAU attribute is determined by the Permission Compatibility decision (made when the domain was created during the DCPromo.exe process). The default permission compatibility for new Windows Server 2003 domains does not grant broad access to the TGGAU attribute. Access to read the TGGAU attribute can be granted as required to the new Windows Authorization Access (WAA) group in Windows Server 2003.


When a user authenticates, if a Windows access token holds a maximum of 1024 group memberships, what happens if the user is a member of more groups?

Hi;

When a user authenticates, if a Windows access token holds a maximum of 1024 group memberships, what happens if the user is a member of more groups? What's the behaviour then of the ProxySG and what does the user see?

Kindly

Wasfi


REST API call – PATCH /sepm/api/v1/computers


Hi All,

Currently trying to use the REST API to move computers between groups.

I’ve been able to use /api/v1/identity/authenticate to generate a user token and /api/v1/groups/{groupid}/computers to get a list of all computers in a group with no issues.

However, when I use PATCH /sepm/api/v1/computers I get the following error:

{
    "errorCode": "400",
    "appErrorCode": "",
    "errorMessage": "Duplicate hardware keys found: [null,                                 ]."
}

The JSON payload is formatted as shown below:

[
    {
        "group": {
            "id": "3B5ECBA80A6F07386A1448D71ED26BA2"
        },
        "hardwareKey": "9692AC780717CDB725D101BEE5FD4066"
    }
]

The provided group ID is the destination group and the hardwareKey is for the client I wish to move.

I was able to reproduce the error in both PowerShell and Postman. PowerShell script used was from the example scripts provided in the link below:

https://support.symantec.com/en_US/article.HOWTO125873.html


Need REST Generator with support for dynamic URL (URL provided by user)


Hello,

As of now, I have created a REST generator which is able to produce an access token with xxx.yyy.zzz as the URL and some parameters as request contents. I can easily modify the request contents since there is provision for dynamic values/process variables, but there is no such provision for the base URL (at least I didn't find it). It looks like it has to be static and there is no way for the user to tweak this URL (e.g. the user may want to select the server/host which is going to provide the tokens).

Please let me know if there is any way to create the REST Generator with a dynamic / user-driven URL.


Upgrade Error 14.2.1031.0100 – After Schema upgrade


I have this error when upgrading to the latest SEPM version (14.2.1031.010).

- I have a GPO with these settings: "Log on as a service" permission for these 3 accounts (NT SERVICE\semsrv, NT SERVICE\semwebsrv, NT SERVICE\semapisrv) and "Replace a process level token" for this one (NT SERVICE\semwebsrv).

I have this log error:

I would appreciate any help.


Extended Validation (EV) Code Signing without password dialog


Hello,

I have a problem with Symantec extended validation code signing.

I would like to do the signing of my application in an automation, but with the following command I always get the dialog box for entering the token password (as you can also see in the attached screenshot):

$process = Start-Process "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" -ArgumentList 'sign /v /s MY /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" "C:\Users\saumi\Desktop\Test\Test\bin\Debug\Test.exe"' -Wait -PassThru

Is it possible to run the signing completely silently for an automation, meaning without entering a token password?

I already found the possibility to enable single logon (https://knowledge.digicert.com/solution/SO20695.html), but we cannot keep the token on our build machine, meaning we always activate and deactivate the token when we don't need it anymore. So we need a possibility to set the token password as a parameter, as it works with signing with a .pfx file.

Does someone know a way to do that?

Thank you!

Regards
M. Sauter


Re: Re: Change Password for Access Key by Object User

If you have configured the AD authentication provider correctly in ECS, any AD user within the search base should be able to authenticate to the management API and obtain an X-SDS-AUTH-TOKEN token.

curl -L --location-trusted -k https://10.247.100.247:4443/login -u "my_ad_user@domain.com:ChangeMe" -v

The curl command above will work without my_ad_user@domain.com existing as a local object user in ECS. This will at least confirm whether you have AD configured correctly in ECS. If you can't get the X-SDS-AUTH-TOKEN, you likely have something configured incorrectly in the AD Auth Provider within ECS.

Once you have a token, you can attempt to generate a secret key. However, you first need to configure the domain portion of a namespace so that when my_ad_user@domain.com generates a secret key, ECS can map them to your desired namespace and insert them as a local object user.

Have a look here at example of what the curl commands would look like using an AD user and obtaining a secret key: https://130820690509421904.public.ecstestdrive.com/share/BagOfTricks-CurlWithLDAPUsers.docx


Re: NMC: Unable to set user privileges based on user token for root ->Security token has expired.

Hello everyone,

I have NMC running on a dedicated Linux server on 9.1.1.6 and about 60 backup servers connected with NW 9.1.1.5 and one with 9.2.1.1.

Between 24 and 48 hours after NMC startup I get the following message every 2 seconds in gstd.log on NMC:

nsrd AUTHC critical Unable to set user privileges based on user token for root on <NMC_SERVER>: Security token has expired.

gstd.log at debug level=3:

gstd NSR notice 04/20/18 09:38:29.547136 lgto_auth: redirected to <backupserver_NW9.2.1.1> prog 390103 vers 2

gstd NSR notice 04/20/18 09:38:31.097192 lgto_auth for `nsrmmdbd' failed: Unable to set user privileges based on user token for root on <NMC_Server>: Security token has expired.

nsrd AUTHC critical Unable to set user privileges based on user token for root on <NMC_Server>: Security token has expired.

gstd NSR notice 04/20/18 09:38:31.097317 lgto_auth for mmdb connection failed: Unable to set user privileges based on user token for root on <NMC_Server>: Security token has expired.; retrying...

gstd NSR notice 04/20/18 09:38:31.097356 build_lgtoauth_parms using override_uname: root

I use LDAPS authentication.

Prior to this console I had a Windows NMC with local authentication which showed identical messages (only SYSTEM instead of the root user).

If I shut down the backup server named in the gstd.log, the messages are gone.

If I start it up again, they come back.

Only a gstd stop and start solves the issue for 1-2 days; after an NMC restart everything works very well.

Has anyone similar experiences or explanations?

I already searched the knowledge base but could not find a working solution.

Maybe 9.2.1.2 and/or 9.1.1.7 might help?

Thanks for any answer.

Dominic


How to Configure Kerberos Authentication on NetScaler Release 10.0

  • The client sends the TGT to the Ticket Granting Server of the KDC and receives a Kerberos ticket.


    Note: This authentication process is not necessary if the client already has a Kerberos ticket whose lifetime has not expired. Additionally, clients such as Web Services, .NET, or J2EE, which support Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), get a Kerberos ticket for the target server, create an SPNEGO token, and insert the token in the HTTP header when they send an HTTP request. They do not go through the client authentication process.
