Monday 31 January 2011

LDAP Connection Errors

When using an LDAP connection to import an external identity source (user names) into Deepnet Authentication Server, you must specify the correct user DN string and its password in order to connect to the LDAP server successfully. Otherwise you will get errors such as "AcceptSecurityContext error, data 525 (or 52e, etc.)".



I often use two utilities to confirm the user DN string: dsquery and ADSIEdit.



Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use dsquery, you must run the dsquery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. On Windows 2003, you may need to install the Support Tools on the domain controller before dsquery is available.


Here is an example: the command "dsquery user" executed on the domain controller.



C:\>dsquery user
"CN=Administrator,CN=Users,DC=nanoart,DC=local"
"CN=Guest,CN=Users,DC=nanoart,DC=local"
"CN=SUPPORT_388945a0,CN=Users,DC=nanoart,DC=local"
"CN=krbtgt,CN=Users,DC=nanoart,DC=local"

Alternatively, we can use ADSIEdit. I prefer to run it on the domain controller as well; it can run on another machine, but then you must know how to log in.
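The two checks above (reading the "data" sub-code out of the bind error, and confirming that the DN you are about to put into the Deepnet LDAP connection has the shape dsquery prints) can be scripted. The following is an added example and not part of the original post or of Deepnet's software; the sample error string and DN are constructed, and the sub-code table is the standard Active Directory mapping for AcceptSecurityContext errors.

```python
import re

# Standard AD "data" sub-codes seen in AcceptSecurityContext bind errors.
BIND_DATA_CODES = {
    "525": "user not found (bind DN / user name is wrong)",
    "52e": "invalid credentials (DN resolved, password is wrong)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Constructed sample of the full error text an LDAP client typically reports.
SAMPLE_ERROR = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                "AcceptSecurityContext error, data 52e, v1db1")


def classify_bind_error(message):
    """Return (data_code, explanation) for an AD bind error string,
    or None if the message is not an AcceptSecurityContext error."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, BIND_DATA_CODES.get(
        code, "unknown sub-code; see Microsoft's LDAP bind error list")


_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split a DN such as the ones dsquery prints into (attribute, value)
    pairs. Surrounding quotes are stripped and escaped commas (\\,) inside
    a value are kept. Raises ValueError on a malformed component."""
    dn = dn.strip().strip('"')
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        m = _RDN_RE.match(part.strip())
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def dn_looks_like_user(dn):
    """True if the string is a DN that starts with CN= and ends with DC=,
    i.e. the shape "dsquery user" prints. A bare "DOMAIN\\user" or a UPN
    fails this check, which is the usual cause of a data 525 error."""
    try:
        rdns = parse_dn(dn)
    except ValueError:
        return False
    return rdns[0][0] == "CN" and rdns[-1][0] == "DC"


if __name__ == "__main__":
    print(classify_bind_error(SAMPLE_ERROR))
    for candidate in ('"CN=Administrator,CN=Users,DC=nanoart,DC=local"',
                      "nanoart\\administrator"):
        print(candidate, "->", dn_looks_like_user(candidate))
```

A 525 means the directory could not find the object named by the DN, so compare the string character by character with the dsquery output; a 52e means the DN was found and only the password is wrong.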





References

LDAP Troubleshooting

Common Active Directory LDAP bind errors

Saturday 22 January 2011

Redundant cluster settings

First of all, let us look at the content of the server.xml file, which is located in the folder "C:\Program Files\Deepnet Authentication Server\Tomcat\conf". There are 3 occurrences of Cluster.



<Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" clusterLogName="clusterlog" clusterName="localhost" manager.className="org.apache.catalina.cluster.session.DeltaManager" manager.expireSessionsOnShutdown="false" manager.notifyListenersOnReplication="false" manager.notifySessionListenersOnReplication="false" manager.sendAllSessions="false" manager.sendAllSessionsSize="500" manager.sendAllSessionsWaitTime="20" manager.sendClusterDomainOnly="true">
  <Membership className="org.apache.catalina.cluster.mcast.McastService" mcastAddr="228.1.1.4" mcastClusterDomain="das_cluster" mcastDropTime="30000" mcastFrequency="1000" mcastPort="24282" recoveryEnabled="true"/>
  <Sender className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" doProcessingStats="true" doTransmitterProcessingStats="true" doWaitAckStats="true" keepAliveMaxRequestCount="-1" keepAliveTimeout="80000" queueCheckLock="true" queueDoStats="true" queueTimeWait="true" recoverCounter="6" recoverTimeout="5000" replicationMode="fastasyncqueue"/>
  <Receiver className="org.apache.catalina.cluster.tcp.ReplicationListener" compress="false" sendAck="true" tcpListenAddress="x.x.x.x" tcpListenPort="4000" tcpSelectorTimeout="100" tcpThreadCount="6"/>
  <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.css;.*\.png;.*\.jpeg;.*\.jpg;.*\.htm;.*\.html;.*\.txt;" primaryIndicator="true"/>
  <Valve className="org.apache.catalina.cluster.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
  <ClusterListener className="org.apache.catalina.cluster.session.JvmRouteSessionIDBinderListener"/>
</Cluster>

What does this result in? With a traffic monitor you will see a lot of connection attempts to the IP address "228.1.1.4" configured in server.xml (see above). Suspicious and scary, isn't it? I am not comfortable with that, although this address doesn't exist on the Internet.


According to Deepnet Support, this technique (multicast) was adopted at the very beginning for the Deepnet Authentication Server cluster configuration, but they abandoned it when another approach was used to implement clustering/load balancing.


So these settings are redundant; why not remove them!



  • back up the file server.xml;
  • open the file server.xml with your favourite editor;
  • locate each <Cluster ..>....</Cluster> pair and delete it;
  • save the file;
  • restart the Deepnet service "das".
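The same cleanup can be done in a way that also confirms what the multicast address actually is and that the file is still well-formed XML before Tomcat reads it again. The following is an added example, not part of the original post or of Deepnet's product; the server.xml fragment is a constructed minimal one, and the script assumes the file uses the layout shown above (a <Cluster> element nested somewhere under <Server>).

```python
import ipaddress
import shutil
import xml.etree.ElementTree as ET

# Constructed minimal server.xml, not the real Deepnet file; it keeps only the
# parts needed to show the technique.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- legacy multicast cluster block -->
      <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" clusterName="localhost">
        <Membership className="org.apache.catalina.cluster.mcast.McastService" mcastAddr="228.1.1.4" mcastPort="24282"/>
      </Cluster>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def parse_server_xml(text):
    # insert_comments=True keeps <!-- --> nodes so the rewritten file stays
    # close to the original (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def multicast_groups(root):
    """List every mcastAddr under a <Cluster> with a flag telling whether the
    address is in the IPv4 multicast range 224.0.0.0/4 (a group, not a host)."""
    found = []
    for cluster in root.iter("Cluster"):
        for member in cluster.iter("Membership"):
            addr = member.get("mcastAddr")
            if addr:
                found.append((addr, ipaddress.ip_address(addr).is_multicast))
    return found


def remove_cluster_elements(root):
    """Delete every <Cluster> element with its children; return the count."""
    removed = 0
    # ElementTree has no parent pointers, so walk a snapshot of all elements
    # and prune Cluster children from each one.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "Cluster":
                parent.remove(child)
                removed += 1
    return removed


def clean_server_xml_text(text):
    """Return (removed_count, cleaned_xml_string) for a server.xml document."""
    root = parse_server_xml(text)
    removed = remove_cluster_elements(root)
    cleaned = ET.tostring(root, encoding="unicode")
    ET.fromstring(cleaned)  # well-formedness check before anything is written
    return removed, cleaned


def clean_server_xml_file(path):
    """Back up server.xml next to itself (.bak), strip the Cluster blocks and
    write the result back with an XML declaration. Returns the removed count."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    root = parse_server_xml(text)
    removed = remove_cluster_elements(root)
    ET.ElementTree(root).write(path, encoding="UTF-8", xml_declaration=True)
    return removed


if __name__ == "__main__":
    root = parse_server_xml(SAMPLE_SERVER_XML)
    print("multicast groups configured:", multicast_groups(root))
    n, cleaned = clean_server_xml_text(SAMPLE_SERVER_XML)
    print("removed %d Cluster block(s)" % n)
    print(cleaned)
```

Run clean_server_xml_file on the real path only after stopping the "das" service; the .bak copy is the rollback if Tomcat refuses the rewritten file.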

Now it is nice and clean. Happy!

Monday 10 January 2011

Deepnet ActiveSync solution doesn't work on some Android devices.

You may have problems adding Deepnet ActiveSync protection to an Android phone. Here is the effective remedy.



1, go to the folder "C:\Program Files\Deepnet Security\IIS" on the Exchange server where the Deepnet IIS agent is installed;

2, open the file "config.xml" with your favourite editor;

3, locate <serv desc="Microsoft Server ActiveSync" code="sas">, which is at around line 64:



<serv desc="Microsoft Server ActiveSync" code="sas">
<requests>

4, insert the following after <requests>:



<req match="Microsoft-Server-ActiveSync/Android" source="${_url}">
  <params>
    <par name="UserName" value="User={.*?}&" source="${_url}"/>
    <par name="DeviceID" value="/{android.+}/*.*$" source="${_url}"/>
  </params>
  <variables>
    <var name="x-deviceID" value="$$encrypt(<uuid>${DeviceID}</uuid>)"/>
  </variables>
  <actions>
    <condition property="${_Authenticator}" value="devicePass" op="iquals">
      <condition property="${UserName}" value="" op="equals">
        <act type="assign" var="UserName" value="${_authuser}"/>
      </condition>
      <condition property="${UserName}" value="" op="notequals">
        <act type="xmlrpc">
          <methodCall>
            <methodName>das.login</methodName>
            <params>
              <param>
                <value><string>${_appId}</string></value>
              </param>
              <param>
                <value><string>${UserName}</string></value>
              </param>
              <param>
                <value><string><![CDATA[<?xml version="1.0"?>
<credential>
<method>${_Authenticator}</method>
<token>
<deviceID>${DeviceID}</deviceID>
</token>
<credentialData>
<devicePrint>
${x-deviceID}
</devicePrint>
</credentialData>
</credential>]]></string></value>
              </param>
              <param>
                <value><string>${_clientip}</string></value>
              </param>
              <param>
                <value><string></string></value>
              </param>
              <param>
                <value><boolean>0</boolean></value>
              </param>
            </params>
          </methodCall>
        </act>
      </condition>
    </condition>
  </actions>
  <errors page="/dasweb/sas/error.aspx?errcode=$$urlencode(${_return})&username=$$urlencode(${UserName})&appid=$$urlencode(${_appId})&method=$$urlencode(${_Authenticator})">
    <err code="E-METHOD-NOT-FOUND" page="/dasweb/sas/method_not_found.aspx?errcode=$$urlencode(${_return})&username=$$urlencode(${UserName})&appid=$$urlencode(${_appId})&method=$$urlencode(${_Authenticator})"/>
    <err code="E-TOKEN-INACTIVE" page="/dasweb/sas/token_inactive.aspx?errcode=$$urlencode(${_return})&username=$$urlencode(${UserName})&appid=$$urlencode(${_appId})&method=$$urlencode(${_Authenticator})&deviceid=$$urlencode(${DeviceID})"/>
    <err code="E-CONNECT-DAS" page="/dasweb/sas/connect_das_error.aspx?errcode=$$urlencode(${_return})&das=$$urlencode(${_das})"/>
  </errors>
</req>

For your convenience, the working configuration file can be downloaded from here. Simply replace the original file with it, then restart the IIS service.
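The <act type="xmlrpc"> block above is what the IIS agent sends to the authentication server for an Android device: a das.login call with six parameters (application id, user name, a <credential> XML document carried as a string, client IP, an empty string, and the boolean 0). Seeing the exchange built and decoded end to end makes it easier to compare against what a packet capture between the Exchange server and DAS shows. This is an added example, not Deepnet's code; every value is constructed, and the devicePrint is a plain placeholder because the agent's $$encrypt function is not public.

```python
import xmlrpc.client
import xml.etree.ElementTree as ET

# Placeholder for the output of the agent's $$encrypt(<uuid>...</uuid>) call;
# the real value is opaque ciphertext produced by the Deepnet agent.
DEVICE_PRINT_PLACEHOLDER = "ENCRYPTED-DEVICEPRINT-PLACEHOLDER"


def build_credential_xml(authenticator, device_id, device_print):
    """Build the <credential> document that the config embeds as CDATA in the
    third das.login parameter: method, token/deviceID, credentialData/devicePrint."""
    cred = ET.Element("credential")
    ET.SubElement(cred, "method").text = authenticator
    token = ET.SubElement(cred, "token")
    ET.SubElement(token, "deviceID").text = device_id
    data = ET.SubElement(cred, "credentialData")
    ET.SubElement(data, "devicePrint").text = device_print
    return '<?xml version="1.0"?>\n' + ET.tostring(cred, encoding="unicode")


def build_das_login(app_id, username, authenticator, device_id,
                    device_print, client_ip):
    """Serialise the das.login request with the six parameters, in the order
    the config sends them. xmlrpc.client escapes the embedded XML for us."""
    params = (app_id, username,
              build_credential_xml(authenticator, device_id, device_print),
              client_ip, "", False)
    return xmlrpc.client.dumps(params, methodname="das.login")


def parse_das_login(body):
    """Decode a das.login request body (e.g. from a capture) back into its
    fields. Returns (method, app_id, username, credential_info, client_ip)."""
    params, method = xmlrpc.client.loads(body)
    app_id, username, cred_xml, client_ip, _unused, _flag = params
    cred = ET.fromstring(cred_xml)
    info = {
        "method": cred.findtext("method"),
        "deviceID": cred.findtext("token/deviceID"),
        "devicePrint": cred.findtext("credentialData/devicePrint"),
    }
    return method, app_id, username, info, client_ip


if __name__ == "__main__":
    # Constructed sample values; "sas" is the code the config gives the
    # ActiveSync service, the rest are made up.
    body = build_das_login("sas", "alice", "devicePass",
                           "android0123456789ab", DEVICE_PRINT_PLACEHOLDER,
                           "10.0.0.5")
    print(body)
    print(parse_das_login(body))
```

When a device still fails after the config change, decoding the captured request this way shows immediately whether the UserName parameter was empty (the first inner <condition> should have filled it from ${_authuser}) or whether the DeviceID regex did not extract an "android..." value.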