Hi Mike, thanks for your respone. I performed my tests with the domain administrator account. See it should have enough permissions to perform the authentication. I also recreated the AD/WinNT authentication server, just to be sure. Didn't help. Also machine authentication per se works, only when group membership comes into play, I get this problem. I have already enabled authentication und pre-authentication policy trace but the only error I can see are that I already mentioned, nameley: GetUserGroups: Finding user sid of user failed. user 'rappaport02$' does not exist I have no idea why the GetUserGroups functions fails. The computer account definitly exists and if I use non group-related filter rule, authentications works perfectly. And my Linux testbox with SAMBA could resolve the groups of the machine account (with wbinfo) without any problem. Maybe I can use the method from KB14345. Although it is a workaround for Win2K it may work in 2K3 as well. But I would need some more help what custom filter expression I should use that incoroprates the <USERNAME> variable. Regards, Dominik ... View more

Hi, Take into account to use the AcmeGizmo website (http://www.acmegizmo.com/). Almost every feature of the SA can be shown with that demo network. The only disatvantage: You have to be online. Regards, Dominik ... View more

Hi, I'm glad to hear that your solution with WSAM finally worked. I was not able to get SSO for the VMRC protocol working. I think the IVE would need special support for that protocol. 255.255.255.255 is the global broadcast address. I it strange to see WSAM trying to connect to it. Have you had a look at the WSAM application definition? I would generally recommend using the FQDN of a server in every resource definition compared to just the hostname. You can use the IVE's troubleshooting tools to see if the hostname without the domain part can be successfully resolved to its IP address. In that case, just the hostname should be fine. In addition, it may help to provide a WINS server if you have one in you network to resolve NetBIOS names. Regards, Dominik ... View more

Hi, According to your post I understand that you would like to have some explanation how I published my Microsoft Virtual Server 2005 R2 website with the help of JSAM. Is that correct? Well first let me mention the specifications: 1. The FQDN of my Virtual Server machine is vs-host1.geblergasse95.local 2. I configured the website to listen on the default port 443 by SSL in addition to the default port number 1024. You have to adopt the settings in my explanation if you use http instead of https and port 1024 instead of 443 3. I didnÕt change the port tcp/5900 for the VMRC protocol Here is what I have done: 1. I created a web bookmark with the url https://vs-host1.geblergasse95.local 2. I activated the Auto-allow BookmarkÓ option with the parameter Everything under this URLÓ to bypass the need for create an allow rule manually. 3. I wanted that every user should log on to the Virtual Server website with the built in Administrator account to the machine. To provide a smooth user experience, I used the SSO feature. I created a policy under Resource Policy > Web > BasicAuth and NTLM policies. I called it Enable logon to vs-host1Ó, defined https://vs-host1.geblergasse95.local:443/* as the resource and set the Action to NTLM, Use Specified Credentials for SSO and provide the Username, Password, and domain of the built in Administrator account of the machine. DonÕt forget to enable Integrated Windows AuthenticationÓ for the VS website in the Internet Information server. 4. To come to the JSAM part, I created a resource policy to allow the access to vs-host1.geblergasse95.local over port 5900. 5. Then I added a JSAM application under the User role with name vs-host1Ó and specified vs-host1.geblergasse95.local as hostname and Server Port = Client Port = 5900. 6. Now when I start JSAM through the web portal I was able to both open the VS website through the web bookmark without providing user credentials and accessing the server through the VMRC ActiveX control. I havenÕt activated the option to automatically launch JSAM through the web bookmark but it should work fine. It should work the very same way if you use WSAM instead of JSAM. If you experience problems with the [JW]sam part, I would recommend the following basic diagnosing steps: 1. Can you resolve the name of the virtual server host on your client? Try ping. If it doesnÕt work check the hosts file under %Systemroot%\system32\drivers\etc. 2. Can you connect to the port 5900? You can use telnet hostname 5900 to check that. If it displays a blank screen it works. 3. Check the User access log file on the IVE under System / Log/Monitoring / User Access / Log. You have to first activate the SAM logging under System / Log/Monitoring / User Access / Settings. Enable SAM/Java under Select Events to log. 4. Check the local WSAM logs. They should reside on your machine under the %Userprofile%\Application Data\Juniper Networks\Secure Application Manager and are named dsSamEvent.log and dsSamDebug.log. You have to enable client side logging for WSAM on the IVE under System / Log/Monitoring / Client Logs / Settings. I hope that helps. Regards, Dominik ... View more