This report shows which CNAMEs belong to your group. The reports come out on the first of the month and must be checked for issues.

Most entries look like the example below:

The first line is the CNAME

Second is the machine name

Third is date created

Fourth is the address that the target resolves to

www.aad.cornell.edu,
    target: cu-aad-03.mediathree.net,
    created: 12/13/2015,
    Target of CNAME resolves to: 208.118.251.96

The report will present a warning when it recognizes that there is a problem.

These External CNAMEs appear to not resolve and represent a Security Risk:

    _9980e14d501aafc73f37c352744558a1.hr-request.aad.cornell.edu

----------------- CNAME does not resolve and has a security alert -----------------

This CNAME comes with a warning.

In spite of the warning on this one, when I checked with the techs for this app:

It's bad policy to tell anyone to disregard a security warning, but this is the case where it's what we have to do. The DNS entry in question is part of our security certificate validation process. It's legitimate and necessary. I think the scripts that generate the DNS report are lagging behind the current trends.

To recognize when one of these is used for security certificates, look for ".acm-validations.aws" at the end of the CNAME's target. If the target does not end that way, the unresolvable entry is not a certificate-validation record and you may want to take some action.

By having that CNAME in place, AWS can validate that we control the domain and can automatically renew our SSL certificates for hr-request.aad.cornell.edu.  Documentation is available here:

https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html


Off-Campus CNAME Details:

_9980e14d501aafc73f37c352744558a1.hr-request.aad.cornell.edu,
    target: _f095f1a8a2e34ae65ea97c1c1470deaf.hkvuiqjoua.acm-validations.aws,
    created: 3/21/2019,
    Target of CNAME is Unresolvable

----------------- Wrong or Duplicate CNAME -----------------

Another issue found was a CNAME that duplicated the correct CNAME:


testspi.aad.cornell.edu, (correct CNAME)
    target: cu-aad-01.mediathree.net,
    created: 1/29/2018,
    Target of CNAME resolves to: 208.118.251.79

All of the data is identical to the entry below, but the entry below shows a login error message.

spitest.aad.cornell.edu, (incorrect CNAME)
    target: cu-aad-01.mediathree.net,
    created: 1/29/2018,
    Target of CNAME resolves to: 208.118.251.79

This one also resolves to test SPI Lite, but breaks at the “Cornell University Federated Login” with the following error:

An error occurred while processing your request.

Error Message: Unable to Respond

The login service was unable to identify a compatible way to respond to the requested application. This is generally due to a misconfiguration on the part of the application and should be reported to the application's support team or owner.

To add or remove CNAMEs, go to "How to Administer CNAMEs".
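The two checks this page describes, an unresolvable off-campus target with the ACM validation exception, and two CNAMEs pointing at the same target as in the testspi/spitest case, as a worked example added here. This is not the script that generates the report; it parses the flattened record format shown above. The sample input is constructed: it reuses the four records on this page and adds one made-up stale record (retired-app.aad.cornell.edu pointing at decommissioned-host.example.net, a reserved name that does not exist). The function names and the rule that anything outside .cornell.edu counts as off-campus are assumptions.

```python
"""Checks over the monthly CNAME report, as described on this page.
Added example, not the report-generating script; names are assumptions."""

ACM_SUFFIX = ".acm-validations.aws"  # AWS ACM DNS-validation targets (from the page)
CAMPUS_SUFFIX = ".cornell.edu"       # assumption: any other target is off-campus

# Constructed sample in the report's flattened record format. The first four
# records are the ones on this page; the last is made up to show a stale target.
SAMPLE_REPORT = """\
www.aad.cornell.edu,
    target: cu-aad-03.mediathree.net,
    created: 12/13/2015,
    Target of CNAME resolves to: 208.118.251.96

_9980e14d501aafc73f37c352744558a1.hr-request.aad.cornell.edu,
    target: _f095f1a8a2e34ae65ea97c1c1470deaf.hkvuiqjoua.acm-validations.aws,
    created: 3/21/2019,
    Target of CNAME is Unresolvable

testspi.aad.cornell.edu,
    target: cu-aad-01.mediathree.net,
    created: 1/29/2018,
    Target of CNAME resolves to: 208.118.251.79

spitest.aad.cornell.edu,
    target: cu-aad-01.mediathree.net,
    created: 1/29/2018,
    Target of CNAME resolves to: 208.118.251.79

retired-app.aad.cornell.edu,
    target: decommissioned-host.example.net,
    created: 1/1/2020,
    Target of CNAME is Unresolvable
"""


def parse_report(text):
    """Split the report into dicts with name, target, created and resolves_to
    (resolves_to is None when the report says the target is unresolvable)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("target:"):
            current["target"] = line.split(":", 1)[1].strip()
        elif line.startswith("created:"):
            current["created"] = line.split(":", 1)[1].strip()
        elif line.startswith("Target of CNAME resolves to:"):
            current["resolves_to"] = line.split(":", 1)[1].strip()
        elif line.startswith("Target of CNAME is Unresolvable"):
            current["resolves_to"] = None
        else:
            # Any other line is the CNAME itself, i.e. the start of a new record.
            if current:
                records.append(current)
            current = {"name": line, "target": "", "created": "", "resolves_to": None}
    if current:
        records.append(current)
    return records


def is_external(record):
    """Off-campus target: anything not under the campus domain (assumed rule)."""
    return not record["target"].rstrip(".").lower().endswith(CAMPUS_SUFFIX)


def classify(record):
    """'ok' when the target resolves, 'acm-validation' for the expected
    unresolvable ACM records, 'dangling' for any other unresolvable target."""
    if record["resolves_to"] is not None:
        return "ok"
    if record["target"].rstrip(".").lower().endswith(ACM_SUFFIX):
        return "acm-validation"
    return "dangling"


def find_duplicate_targets(records):
    """Targets that more than one CNAME points at; candidates for review."""
    by_target = {}
    for r in records:
        by_target.setdefault(r["target"], []).append(r["name"])
    return {t: names for t, names in by_target.items() if len(names) > 1}


def review(text):
    """Everything a monthly check should look at, in one pass."""
    records = parse_report(text)
    return {
        "dangling_external": [r["name"] for r in records
                              if classify(r) == "dangling" and is_external(r)],
        "acm_validation": [r["name"] for r in records if classify(r) == "acm-validation"],
        "duplicate_targets": find_duplicate_targets(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Two CNAMEs sharing a target is legitimate for a real alias, so the duplicate list is a review queue rather than a verdict; the spitest case above is one where the duplicate turned out to be wrong. An unresolvable off-campus target that is not an ACM validation record is a stale entry pointing at something the group no longer runs, which is why the report flags it, and the fix is to remove or repoint it through "How to Administer CNAMEs".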
