Dear,

I'm trying to integrate the VIP with the ASA (SSL VPN).

When trying to test communication ASA with VIP via RADIUS, I get the following message:

ERROR    "2014-11-24 13:37:34.599 GMT-0200"  192.168.120.200 ValidationEngine 0 24587 "text=0x600b: Schema validation failed. (Error encountered during schema validation.  Invalid element pin, otp, or temporaryPassword value.), user=carlos.silva, bizCont=off" Thread-1532 VSValidationEngine.c
AUDIT    "2014-11-24 13:37:34.599 GMT-0200"  192.168.120.200 ValidationEngine 0 24587 "text=Access DENIED 0x600b: Schema validation failed. (Error encountered during schema validation.  Invalid element pin, otp, or temporaryPassword value.), user=carlos.silva, bizCont=off ,reason=101" Thread-1532 VSValidationEngine.c
AUDIT    "2014-11-24 13:37:34.599 GMT-0200"  192.168.120.200 ValidationEngine 0 24587 "text=Access 0" Thread-1532 VSValidationEngine.c

Can anyone help me?

Thank You.

See below.  Can someone clear up where the authentication is failing.  Using VIP 2-factor to connect to a VPN.

Thanks.

I have a freshly built Lenovo Desktop running Windows 7 Pro x86

Running in Admin mode I can install the VIP ACCESS TOKEN without issue.  On running the application I am getting:
"Activation Could Not Be Completed Sign In Again Later To Activate VIP Access.  Error Code: 0x10.

I understand that 0X10 is a generic error code.  I have tried the following, none of which has brought success:

• Run using DHCP
• Run using Static IP address
• Removed and reinstalled application
• Checked for the existence of Intel Management Engine, none is present
• Tried running in the users account
• Tried running in the Admin account

We are NOT having issues with VIP Access on any other machines, it only seems to be this one and getting past the initial activation stage,

Any help would be very much welcome.

Regards

Graeme

Hi everyone..

Last week we updated our VIP Enterprise Gateway from 9.3.3 to 9.5.

every things works fine, except LDAP Sync job. We getting error when LDAP job starts, the issues is about time server check error, or time server error something else. see logs:

WARN  "2014-12-15 04:00:00.010 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncJob] LDAPSync service delayed by: 35 minutes"
INFO  "2014-12-15 04:00:00.041 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncJob] The synchronization operation is scheduled for : Mon Dec 15 04:35:00 BRST 2014"
INFO  "2014-12-15 04:00:00.041 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncJob] Doing Server time check."
DEBUG "2014-12-15 04:00:00.041 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncMgr:checkTimeDifference]"
DEBUG "2014-12-15 04:00:00.041 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[ServiceSettings.getServerTime]"
AUDIT "2014-12-15 04:00:01.508 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[ServiceSettings.getServerTime] serverTime: 0"
ERROR "2014-12-15 04:00:01.508 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncMgr:checkTimeDifference] Server Time is invalid"
WARN  "2014-12-15 04:00:01.508 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncJob] <<WARNING>> Error while doing server time check"
AUDIT "2014-12-15 04:35:00.043 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncMgr] Initializing..."
AUDIT "2014-12-15 04:35:00.043 GMT-0200" 0.0.0.0 UNKNOWN 0 0 0  "text=[LDAPSyncMgr] Manager Thread Started."
INFO  "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr] Scheduled LDAPSync Service started at :Mon Dec 15 04:35:00 BRST 2014,op=Synchronization"
DEBUG "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:startLDAPSync],op=Synchronization"
AUDIT "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:startLDAPSync] Acquired the lock. Starting LDAPSync.,op=Synchronization"
AUDIT "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:startLDAPSync] Synching... Start Timestamp(in seconds): 1418625300,op=Synchronization"
DEBUG "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:checkTimeDifference],op=Synchronization"
DEBUG "2014-12-15 04:35:00.043 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[ServiceSettings.getServerTime],op=Synchronization"
AUDIT "2014-12-15 04:35:01.416 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[ServiceSettings.getServerTime] serverTime: 0,op=Synchronization"
ERROR "2014-12-15 04:35:01.416 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:checkTimeDifference] Server Time is invalid,op=Synchronization"
WARN  "2014-12-15 04:35:01.416 GMT-0200" 127.0.0.1 LDAP Sync 0 30 0  "actor=LDAPSyncService,text=[LDAPSyncMgr:startLDAPSync] <<WARNING>> Error while doing server time check. Aborting Sync Operation.,op=Synchronization"

Our servers has not time changed before.. server time is correct.. we only do a update on VIP version.

I think VIP previous version 9.3.3 never do a check "time server" before.. and this new version implement these routine.

can anyone help us?

Hi All ,

LDAP configuration done and service started .the Problem is when starting sync no sync is running and could not see any changes in VIP Manager.I believ this is ports issue but not sure exactly which port is not open. The VIPEG is located in DMZ and all required ports were opened from Firewall but there are aproxy server in DMZ which may need to be opened.

.

One thing more about the new version of VIP 9.5 that has alot of configurations were changed:one that I'm interested in is the VIP manager service could not be found to start it.Do any one know how to do this?

Regards,

My Paypal/Verisign Card has finally run out of power after many years of great service.

I was told by a Payal rep that I can Activate a Symantec VIP hardware token.

The Symantec form for purchasing such a card as a shipping address hard coded to United States

How do I buy one if I live in Canada?

Thanks

Hello

My name is Farsheed,

I was sign up for Digital ID, but i have a 2 question,

1- how i can install Digital ID in my iOS device, and activated in S/MIME

2- how can i send the public key to my friends for autontication

Thank you very much

Farsheed

Hello,

We are checking out the options to implement 2FA for all Windows 2008 servers while doing RDP (can be SMS based on VIP installed on andriod). I was searching for a document or product case studies that can give highlights of this.

Regards,

JB

Dear,

I managed to successfully integrate VIP with SSL VPN Cisco.

I'm just a question.

- All users Active Directory has access to the Self Service Portal;

- All users Active Directory can register a token from the Self Service Portal.;

- All users can access the VPN;

How to restrict VPN access to certain users?

I can perform this control through the VIP?

Or this control is carried out by the ASA (CISCO)?

Below my settings:

Can anyone help me?

Thank You.

Hi, I am looking out the supported platform for Symantec VIP. Need to know if VIP enterprise gateway can be installed on VMs or not?

Cheers,

Amar.

I would like to lock down one of my validation servers to just a particular group.   The connection is for a Junos Pulse VPN and we are using the username-ldappassword-authentication sequence.   It is set up to use a user store that is shared with another vpn so I do not want to restrict the group on the user store itsefl.   Where would I go and what filter would I enter to get this working.   I have tried Radius to LDAP mapping using mapping attribute login_lat_group and setting up the secondary query but it keeps telling me there is a validation error.

I have it set as:

search attribute=member

secondary base dn = ou=groups,o=coname

secondary filter = (&(objectClass=groupofNames)(cn=token_users,ou=multifactor,ou=corp,ou=application_access,ou=groups,o=coname)

LDAP Mapping Attribute=member

Am I not setting this in the correct spot or missing something else?

Please help me with below,

Difference between Versign trusted seal & Norton Secured.

Hi all,

This is my first post in here, hopefully it goes well :)

Just wondering, has anyone deployed Citrix storefront with VIP auth in IIS?

If so are there any guides about?

Thanks in advance

Vince

Been trying to test the integration between ASA and VIP but failed. (remote users will login via Cisco AnyConnect using their AD username, password and Symantec VIP code)

Already configured the following :

Cisco ASA
- AAA server, configured Enterprise Gateway IP address

Enterprise Gateway
- UserStore, added AD successfully 
- Validation, configured with LDAP password and security code
- viP Certificates, imported the cert generated from VIP manager

Tested the config, but failed and found the following logs on the Enterprise Manager:

1) server.out 
Wed Feb 25 14:56:47 EST 2015 server USA process ID: 20024
Wed Feb 25 14:57:00 EST 2015 STOPPED USA
Wed Feb 25 15:18:52 EST 2015 USA's parent process ID: 21188
Wed Feb 25 15:18:52 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
Wed Feb 25 15:18:52 EST 2015 server USA process ID: 21203
Wed Feb 25 15:37:15 EST 2015 STOPPED USA
Wed Feb 25 15:37:20 EST 2015 USA's parent process ID: 21626
Wed Feb 25 15:37:20 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
Wed Feb 25 15:37:20 EST 2015 server USA process ID: 21655
Wed Feb 25 15:39:04 EST 2015 STOPPED USA
Wed Feb 25 15:39:09 EST 2015 USA's parent process ID: 21925
Wed Feb 25 15:39:09 EST 2015 starting /u01/Symantec/VIP_Enterprise_Gateway/Validation/bin/VSValidationServer --config-file /u01/Symantec/VIP_Enterprise_Gateway/Validation/servers/USA/conf/radserv.conf
ERROR: ld.so: object '/u01/Symantec/VIP_Enterprise_Gateway/server/bin/libldap50.so' from LD_PRELOAD cannot be preloaded: ignored.
Wed Feb 25 15:39:09 EST 2015 server USA process ID: 21955
 
2) server.log
DEBUG    "2015-02-25 15:40:00.501 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=0, autobc=0, trigger=0, isVisited=0" Thread-3965647728 VSValidationServer.cpp
DEBUG    "2015-02-25 15:40:00.501 GMT+1100"0.0.0.0 ValidationServer 0 0 "text=VSValidationServer._processReceiveThread() -- Sending response" Thread-3965647728 VSValidationServer.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=VSValidationServer._workerThread() -- Received request" Thread-4151301856 VSValidationServer.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Reading extra request attributes ('state')" Thread-3965647728 VSValidationEngine.c
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Executing 'authenticate' operation" Thread-3965647728 VSValidationEngine.c
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- _valServerMode 0" Thread-3965647728 VSValidationEngine.c
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Processing-2 request for error->code=0 bizContinuityOn=0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Processing request for [user:testing] [idlen=4]" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking pre-filter module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Invoking 1st-factor module" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- nUluoMode = 0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- Invoking self._validateLDAPPassword()" Thread-3965647728 VSAuthOTPFirstFactorImpl.c
INFO     "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=Verifying against User Store No:- 1 whose storeName is USA-AD " Thread-3965647728 tokenbinding.cpp
INFO     "2015-02-25 15:40:00.502 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=encoding is  UTF-8 " Thread-3965647728 tokenbinding.cpp
INFO     "2015-02-25 15:40:00.519 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=encoding is  UTF-8 " Thread-3965647728 tokenbinding.cpp
DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- Returning opResult [code:3 message:reason=3]" Thread-3965647728 VSAuthOTPFirstFactorImpl.c
DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPStandardControllerImpl.authenticateExt() -- Returning opResult [code:3 message:reason=3]" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=opResult.result = 3, opResult.message = reason=3 = opResult.message = ec5d1fd8 err->code = 49b6" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
DEBUG    "2015-02-25 15:40:00.558 GMT+1100" 0.0.0.0 ValidationEngine 0 0 "text=err->codeAbc = 0" Thread-3965647728 VSAuthOTPStandardControllerImpl.cpp
ERROR    "2015-02-25 15:40:00.558 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Error 18870 occurred at VSAuthOTPFirstFactorImpl.c:634. Description: VSAuthOTPFirstFactorLDAPImpl._validatePassword() -- Incorrect LDAP static password. Enter the correct LDAP static password. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret., user=testing, op=authenticate, bizCont=off" Thread-3965647728 VSValidationEngine.c
DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 0 "text=VSValidationEngineProcessRequest() -- Writing reply attributes - 0" Thread-3965647728 VSValidationEngine.c
AUDIT    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Access DENIED Error 18870 occurred at VSAuthOTPFirstFactorImpl.c:634. Description: VSAuthOTPFirstFactorLDAPImpl._validatePassword() -- Incorrect LDAP static password. Enter the correct LDAP static password. Also, ensure that both the RADIUS server and the RADIUS client shares the same Shared Secret., user=testing, op=authenticate, bizCont=off ,reason=3" Thread-3965647728 VSValidationEngine.c
AUDIT    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationEngine 0 18870 "text=Access 0" Thread-3965647728 VSValidationEngine.c
DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 10.10.10.10 ValidationServer 0 0 "text=0, autobc=0, trigger=0, isVisited=0" Thread-3965647728 VSValidationServer.cpp
DEBUG    "2015-02-25 15:40:00.559 GMT+1100" 0.0.0.0 ValidationServer 0 0 "text=VSValidationServer._processReceiveThread() -- Sending response" Thread-3965647728 VSValidationServer.cpp

Confirm the radius secret is correct on both end as well as the AD password. From the above logs, i notice the ValidationEngine  IP address is 0.0.0.0, not sure if it's relevant.

Appreciate if anyone can assist.

TIA

Received error after install of VIP Access 2.2

Already attempted uninstall/reinstall.

Here is the log:

STORE  :ERROR:03/09/2015 15:10:33 VIPUIManager.exe[2948] [         .\VSAuthCode.cpp][ 189] GetAuthenticationCode::No response recieved for AuthenticatonCode from IDCenter

Any suggestions?

Dears,

I want to monitor the successefull and failed login logs for my users from Symantec VIP Gateway Serevr ?

can anyone help me with the log file containing this info ?

Countless articles cite security risks in the Internet of Things (IoT). Some decry embedded systems as too limited for "real" security. Worse, others claim "silver bullet" niche, point products as cure-all. Of course, there are no silver bullets. Effective security requires a layered approach. Fortunately, today's embedded hardware and truly modern crypto can each do 10x to 1,000x more than most people realize. Still, security requires more than hardware and battery friendly crypto. Effective security requires an end-to-end approach, and that's difficult "at scale" for anyone. So, we've attempted to start the conversation toward defining a scalable security architecture that could work for nearly any vertical. Working with roughly 200 companies, industrial customers, and partners, we've defined and begun refining the attached IoT Security Reference Architecture to help guide anyone in building security into these new and incredibly exciting connected technologies of the Industrial Internet. Click the link below to review this architecture and post your comments here to join the discussion refining that architecture, sketching a better path forward, for everyone. We'd love to hear your thoughts on where the approach hits the mark, and where, as a community, we need to sharpen our thinking and do better. Thanks in advance for your input!

To also read more about our IoT Portfolio, visit our new microsite.

Gents,

My company activated the VIP system now and I'm using Microsoft Outlook for mail function and I want to know how to use the VID to login to the mailbox using the Outlook.

Regards, Ahmed

Hi,

Based on the following, may I know what to quote?

Estimate = 800 to 1000 users

Token = can be mixture of hardware token and soft token on mobile phone.

Application Usage = Microsoft RD Web and RDP

RDWeb web server = located 4 different physical location/country

Domain Controller = located  4 different physical location/country

Deployment prefer on VM

So may I know can you provide the following information ?

1)      User or token licensing cost

2)      Server license such as gateway etc

3)      Some simple network architecture where I have DC and RDweb server on different location. Should I have different VIP manager and

Hi

We use VIP Self Service Portal and VIP Manager and onboard users into both these services using SAML rather than VIP Enterprise Gateway.

This is working fine and we can pull user's attributes from Active Directory such as their email address so we can send a security code to them.

Im led to beleive we should also be able to assign a user to a previously created VIP Manager User Group using SAML.

I have tried to end a SAML attribute of GROUP or GROUPS with a value equal to a VIP manager group name but this is never populated.

We want this to work so we can restrict security settings to a specific set of users.

Any ideas if this feature is supported, or are we forced to deploy the Enterprise Gateway in order to make this work?

Thanks