Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

Hi Folks,
I am trying to access Microsoft Reporting Service running on IIS 6.0 through a Web Proxy (a simple application running in an App Server) using NTLM authentication. This is what I am doing:
Authenticator.setDefault(new ReportAuthenticator());
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
As I understand, the authentication is to magically work with the IIS Server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
However, this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS and since my account has sufficient privileges on IIS, I am able to get through the initial connection.
When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
Is the Authenticator object meant to be invoked automatically or do I need to set some header information in the urlConnection?
Any help is greatly appreciated.
P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
best regards
Dushy

Hi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2

Similar Messages

  • Invoke NTLM Authentication Based WebService from BPEL

    Hi All,
    I am working with SOA Suite 11.1.1.6 version deployed on Weblogic Server (Linux Based OP).
    I have a requirement where I need to invoke a webservice which exposes NTLM-based authentication. This particular webservice doesn't even get loaded if we don't pass the credentials. For example: if I hit the WSDL URL in a browser, it first asks for the credentials and, on success, it loads the WSDL file.
    First I tried using this WS from SOAP UI and was able to invoke it successfully, because SOAP UI can handle NTLM authentication properly, and it gives us the wizard to enter the credentials when we load the WSDL in SOAP UI.
    But the problem comes when I use that WS from our SOA composite. The WSDL doesn't even get loaded, since it requires the credentials first. I am not sure how I should go ahead and invoke this. I have checked a lot of blogs but none of them were useful for me.
    Did anybody face this issue/task of invoking a WS which doesn't get loaded without passing the credentials, and of invoking it through BPEL composites deployed on the WebLogic server (based on Linux OP)?
    Please suggest!!!
    Regards,
    Shah

    Hi,
    I am in a similar situation.
    I am able to successfully invoke the webservice via soapUI when I pass the username, password and the domain.
    If I do not pass the domain name in the SOAPUI or even in SOA, I get HTTP 401, Unauthorized error. 
    However, I am able to set only the oracle.webservices.auth.username and oracle.webservices.auth.password properties when I configure it in SOA 11g.
    I tried passing the domain name in the oracle.webservices.auth.username property as domainname\username. But no luck.
    The composite is deployed on a Linux server. Please suggest/advise any pointers to resolve this NTLM authentication issue.

  • Http method not recognized and ntlm authentication

    Does anybody know why ips signatures fire on ntlm authentication proxy? In our environment we have ISA 2004 and the ips is complaining about http not in rfc specs and http not recognized. Is it possible that ips does not understand ntlm proxy authentication?

    These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web http based protocol on a web port. That will trigger 12674. 12676 is triggered when there is an HTTP request method being seen that is not in the list of acceptable HTTP request methods (listed in 12676 config). Currently, the method list should be considered static, even though it appears that you can add to this list, there are known issues that make updating it unreliable.
    I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.
    WRT to tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.

  • CommandLink action not being invoked

    HI:
    I have a page with panelGrid, which has three inputText and one selectOneMenu, all of which have a validator ( a method in the backing bean).
    All these are followed by a commandLink button with a 'action' method in the same backing bean.
    Problem is when the link is submitted the action method does not get invoked. I placed debug messages and can see that the validator methods are entered but the action method never gets invoked. There are no error messages either.
    Any thoughts ?

    I found a work around. At least everything is working now. I have to yet test out the entire functionality of my application but here is what I did.
    Thanks to the example in the book
    JavaServer Faces
    By Hans Bergsten
    In my main layout page
    <%@ taglib prefix="f" uri="/WEB-INF/jsf_core.tld" %>
    <%@ taglib prefix="h" uri="/WEB-INF/html_basic.tld" %>
    <f:view>
    <html>
    <h:form>
    <%@ include file="../../page1.jspf" %>
    </h:form>
    <h:form>
    <%@ include file="../../page2.jspf" %>
    </h:form>
    <h:form>
    <%@ include file="page3.jspf" %>
    </h:form>
    </html>
    </f:view>

  • [FIXED] ExternalInterface.call not being invoked in IE7

    My Flex UI is working perfectly in FF3. I am getting a
    strange problem in IE7. When I clear out all browsing history and
    visit my application, it works fine. When I reload the page
    containing the SWF of my flex app, or if I logout and log into my
    app again, the ExternalInterface.call invocation does not seem to
    be happening.
    I have looked for answers on various fora. I am using SWF
    embedding code generated by the flex builder and it is correctly
    setting the id of the SWF. I am running out of leads on what to try
    next.
    This has got to be a history-related issue. Anybody else seen
    this?
    Thanks.
    -Raj

    My observation was that the ExternalInterface call to my JS
    function was vanishing into the ether.
    I moved the SWF embedding code to the bottom of the page to
    ensure that IE will initialize all other tags in the page before it
    started the flash player. This seems to have done the
    trick!!

  • Plsql notify procedure not being invoked

    I have defined a persistent queue of RAW with multiple consumer set to false. I have also defined and registered a procedure to be called when a message is enqueued. I have assumed that I only need to call DBMS_AQ.REGISTER to enable the callback to be invoked, i.e. I have not used the subscriber interface to subscribe to the queue because I need not do so.
    Am I incorrect in assuming that I need not use the subscriber interface when the behavior I desire is for the notify procedure to be called when a message is enqueued?

    Hi
    If you are using single consumer and registering for notification as anonymous you may face problem but if you use multiple consumer and subscribe using an agent and register for notification using that subscriber it is bound to work. Just try once.
    Regards,
    Sanjeev.

  • Invoking a Web Service that Requests NTLM Authentication in BPEL Process

    Hi,
    I am trying to invoke a webservice which requires NTLM authentication. I am able to test the service through SOAP UI.
    I followed the steps mentioned in the Oracle doc in order to invoke the same service through a BPEL process, but somehow I am facing an issue when BPEL invokes the service. Here is the error message:
    oracle.fabric.common.FabricException: oracle.fabric.common.FabricException: Error in getting XML input stream: Response: '401: Unauthorized' for url:
    Oracle doc link  :-
    http://docs.oracle.com/cd/E28280_01/admin.1111/e10226/soacompapp_secure.htm#BABJEBIF
    http://www.albinsblog.com/2014/04/oraclewebservicespreemptivebasicauth.html#.VK5UEiuUeFM
    The above link discuss about the properties that need to be set in composite.xml file in order to invoke the service.
    I am using SOA 11.1.1.6 and tried to implement the same steps, but I could see the error message "Unauthorized for url ********** "
    Could you please help me on this.
    Thanks

    Hi Guys ,
    Got to know that this is a bug. Somehow the following link helps in sending the payload to a webservice which requires NTLM authentication through Java.
    Thoughts Oracle SOA OSB: NTML Authentication - Oracle SOA suite
    Thanks

  • NTLM Authentication

    We are trying to set up NTLM authentication using IIS proxy on IIS 5 and EP6. We have got the IISproxy module working but are having problems after changing the authschemes.xml.
    Here's my XML file
    ======================================================
    <?xml version="1.0" encoding="UTF-8"?>
    <!--  Configuration File for Authentication Schemes -->
    <!-- $Id: //shared_tc/com.sapall.security/60_SP2_REL/src/_deploy/dist/configuration/shared/authschemes.xml#3 $ from $DateTime: 2003/11/11 11:42:10 $ ($Change: 13312 $) -->
    <document>
         <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="ntlmuidpw">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.WindowsLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                <priority>20</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
         <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="uidpwdlogon">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertPersisterLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme name="certlogon">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>21</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme name="basicauthentication">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <controlFlag>REQUIRED</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
            </authscheme>
            <authscheme name="header">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options>Header=remote-user</options>
                </loginmodule>
                <priority>5</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
            </authscheme>
            <authscheme name="guest">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.AnonymousLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>1</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.anonymous</frontendtarget>
            </authscheme>
            <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
            <authscheme name="anonymous">
                <priority>-1</priority>
            </authscheme>
        </authschemes>
        <!--  References for Authentication Schemes, this section must be after authschemes -->
    <authscheme-refs>
    <authscheme-ref name="default">
    <authscheme>ntlmuidpw</authscheme>
    </authscheme-ref>
    </authscheme-refs>
    </document>
    =============================================================
    I get the following error when I try to go to the portal:
    =========================================================
    Fatal           Error in isAuthSch
    emeSufficient().
    java.lang.NullPointerException
            at com.sapportals.portal.prt.service.authenticationservice.Authenticatio
    nService.isAuthSchemeSufficient(AuthenticationService.java:155)
            at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook
    (SecurityHookService.java:194)
            at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook
    .java:202)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstanc
    e(ComponentNodeFactory.java:138)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstanc
    e(ComponentNodeFactory.java:50)
            at com.sapportals.portal.prt.pom.PortalNode.createComponentNode(PortalNo
    de.java:263)
            at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(P
    ortalRequestManager.java:545)
            at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(
    ServletConnection.java:208)
            at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatc
    her.java:532)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.ja
    va:415)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.InvokerServlet.service(Invoker
    Servlet.java:126)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.RunServlet.runSerlvet(RunServl
    et.java:149)
            at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.startServle
    t(ServletsAndJspImpl.java:833)
            at com.inqmy.services.httpserver.server.RequestAnalizer.checkFilename(Re
    questAnalizer.java:665)
            at com.inqmy.services.httpserver.server.RequestAnalizer.handle(RequestAn
    alizer.java:312)
            at com.inqmy.services.httpserver.server.Response.handle(Response.java:17
    3)
            at com.inqmy.services.httpserver.server.HttpServerFrame.request(HttpServ
    erFrame.java:1229)
            at com.inqmy.core.service.context.container.session.ApplicationSessionMe
    ssageListener.process(ApplicationSessionMessageListener.java:36)
            at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
            at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:148)
    Feb 3, 2005 5:18:07 PM # Client_Thread_1      Fatal           An error occured d
    uring authscheme computation.
    java.lang.NullPointerException
            at com.sapportals.portal.prt.service.authenticationservice.Authenticatio
    nService.getLogonIView(AuthenticationService.java:190)
            at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook
    (SecurityHookService.java:216)
            at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook
    .java:202)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstanc
    e(ComponentNodeFactory.java:138)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstanc
    e(ComponentNodeFactory.java:50)
            at com.sapportals.portal.prt.pom.PortalNode.createComponentNode(PortalNo
    de.java:263)
            at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(P
    ortalRequestManager.java:545)
            at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(
    ServletConnection.java:208)
            at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatc
    her.java:532)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.ja
    va:415)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.InvokerServlet.service(Invoker
    Servlet.java:126)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.RunServlet.runSerlvet(RunServl
    et.java:149)
            at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.startServle
    t(ServletsAndJspImpl.java:833)
            at com.inqmy.services.httpserver.server.RequestAnalizer.checkFilename(Re
    questAnalizer.java:665)
            at com.inqmy.services.httpserver.server.RequestAnalizer.handle(RequestAn
    alizer.java:312)
            at com.inqmy.services.httpserver.server.Response.handle(Response.java:17
    3)
            at com.inqmy.services.httpserver.server.HttpServerFrame.request(HttpServ
    erFrame.java:1229)
            at com.inqmy.core.service.context.container.session.ApplicationSessionMe
    ssageListener.process(ApplicationSessionMessageListener.java:36)
            at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
            at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:148)
    =========================================================
    Please Help

    Hi,
    The authscheme you have provided is not valid xml
    End tag 'authscheme' does not match the start tag 'loginmodule'. Error processing resource
    </authscheme>
    --^"
    <authscheme name="ntlmuidpw">
    <!-- multiple login modules can be defined -->
    <loginmodule>
    <loginModuleName>com.sap.security.core.logon.imp.WindowsLoginModule</loginModuleName>
    <controlFlag>SUFFICIENT</controlFlag>
    <options></options>
    </loginmodule>
    <loginmodule>
    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
    <controlFlag>REQUISITE</controlFlag>
    <options></options>
    </loginmodule>
    REMOVE THIS LINE<loginmodule>
    <priority>20</priority>
    <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
    <frontendtype>2</frontendtype>
    <!-- target object -->
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    If this is just a copy/paste error, include the exact version of your portal.

  • Re: How to enable NTLM authentication in OSB???

    Hi all,
    We have the same problem trying to integrate OSB with an asmx service that uses NTLM.
    We tried an alternative: we created the artifacts of the asmx service using wsimport and created a little Java project using these artifacts. We also added a class with a static method to this project so that it can be used by the OSB Java callout mechanism. When this project is used standalone (through Eclipse) it works fine and, as the environment is Windows Server, it automatically sends the credentials of the user that is logged on to the Windows domain. On the other hand, when we deploy this Java project in OSB as a jar for callout we receive: Response: '401: Unauthorized' exactly at the point where the produced artifact class invokes the constructor of javax.xml.ws.Service in order to create an instance of the service.
    Can it be the same problem stated by 830428?
    The stack trace:
    com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:172),
      com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153),
      com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187),
      weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:73),
      weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:515),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:103),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:95),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:71),
      javax.xml.ws.Service.<init>(Service.java:56),
      org.tempuri.EDoc.<init>(EDoc.java:46),
    after that (actually before) is just our code which calls the  @WebServiceClient Class (the local artifacts which are used to call the actual web service).

    Kuppusamy.V.,
    We experienced the same issue as you and managed to find a solution to the problem.
    The OSB does not support NTLM authentication, so you are quite correct in stating you must write a Java class and use a Java callout from an OSB Proxy Service.
    Our Java class worked fine from the Unix commandline, but failed when deployed to the OSB and invoked by the proxy service with the dreaded '401 Unauthorised' error.
    On closer inspection, the proxy service stack trace revealed:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx' at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    We noticed that the exception was being thrown from the WebLogic 'weblogic.net.http.HttpURLConnection' class and not the Sun 'java.net.HttpURLConnection' as we expected (and our Java code explicitly imported)!
    We couldn't understand why a different HTTP handler was being invoked, but it got us thinking. And thinking. And raising an Oracle support ticket. And waiting.
    Tired of waiting, we revisited the problem and chanced across the Javadoc for the 'java.net.URL' class and noticed one of the constructors allows you to specify a HTTP handler!
    Instead of opening our URL with this typical usage:
    URL url = new URL(yourURL);
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    We used:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    And, hey presto!, it worked a treat.
    And we closed the Oracle service ticket. And stopped waiting :)
    Regards,
    Jerome
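
The two pieces this page discusses, `Authenticator.setDefault(...)` from the first thread and the explicit-handler `URL` constructor from Jerome's reply, put together as an added example (not code from any poster or from Oracle). The class names and the `NTLM_PASSWORD` environment variable are hypothetical; it assumes a plain `http://` target, and on JDK 9 or later the internal handler class needs `--add-exports java.base/sun.net.www.protocol.http=ALL-UNNAMED` at compile and run time.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public class ScopedNtlmClient {

    /** Supplies credentials only to allowlisted origin servers that ask for NTLM. */
    static final class ScopedAuthenticator extends Authenticator {
        private final Set<String> allowedHosts;
        private final String domainUser;   // NTLM form: DOMAIN\\user
        private final char[] password;

        ScopedAuthenticator(Set<String> allowedHosts, String domainUser, char[] password) {
            this.allowedHosts = allowedHosts;
            this.domainUser = domainUser;
            this.password = password.clone();
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            boolean answer = shouldAnswer(allowedHosts, getRequestingHost(),
                    getRequestingScheme(), getRequestorType() == RequestorType.SERVER);
            // Log every callback: no line here means the Authenticator was never consulted,
            // which is the symptom described in the first thread.
            System.err.println("auth callback host=" + getRequestingHost()
                    + " scheme=" + getRequestingScheme() + " answered=" + answer);
            return answer ? new PasswordAuthentication(domainUser, password) : null;
        }
    }

    /**
     * Decision kept separate so it can be unit-tested: answer only an origin
     * server (not a proxy) on the allowlist that is requesting the NTLM scheme.
     */
    static boolean shouldAnswer(Set<String> allowed, String host,
                                String scheme, boolean originServer) {
        if (host == null || scheme == null || !originServer) {
            return false;
        }
        return "ntlm".equalsIgnoreCase(scheme)
                && allowed.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ScopedNtlmClient <http-url> <DOMAIN\\user>");
            System.exit(2);
        }
        String target = args[0];
        String domainUser = args[1];
        String pw = System.getenv("NTLM_PASSWORD");   // hypothetical variable name
        if (pw == null) {
            System.err.println("NTLM_PASSWORD is not set");
            System.exit(2);
        }

        // Allowlist only the host we were asked to call, so a redirect to
        // another server never receives these credentials.
        String host = new URL(target).getHost().toLowerCase(Locale.ROOT);
        Authenticator.setDefault(new ScopedAuthenticator(
                Collections.singleton(host), domainUser, pw.toCharArray()));

        // Pin the JDK's own HTTP handler, as in Jerome's reply, so a container
        // (WebLogic in that thread) cannot substitute its own URLConnection class.
        URL url = new URL(null, target, new sun.net.www.protocol.http.Handler());
        HttpURLConnection http = (HttpURLConnection) url.openConnection();

        // Diagnostic: shows which implementation actually handles the request.
        System.out.println("connection class: " + http.getClass().getName());
        System.out.println("HTTP status: " + http.getResponseCode());
        http.disconnect();
    }
}
```

On Windows, Oracle's HTTP authentication documentation for the JDK states that NTLM first tries the credentials of the logged-on account and calls the Authenticator only if the server rejects them, so an absent callback line together with a 200 status means the request went out under the process's own identity.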

  • Outlook Negotiate/NTLM authentication credential prompt

    Hello everyone,
    I have been digging quite a while now for a solution to this but apparently there is not a lot of systems out there utilizing this or having problems with it. Here it comes:
    We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
    connect via MAPI over HTTP. Everything working fine!
    External is a different Story: We have a Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers and for a reason that I didn't manage to find yet I can't get it to work so that domain joined clients
    (notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate outlook against the Exchange Servers. Outlook always prompts the user for her/his password on start up and then connects fine. No problems after that -
    PF, OoO, OAB - everything is working. If the user restarts the outlook -> password prompt once again and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
    So here is my progress on this:
    I verified my virtual directory settings. Here is how the Mapi virtual directory looks like:
    IISAuthenticationMethods            : {Negotiate}
    InternalUrl                                    : https://mail.domain.com/mapi
    InternalAuthenticationMethods    : {Negotiate}
    ExternalUrl                                   : https://mail.domain.com/mapi
    ExternalAuthenticationMethods   : {Negotiate}
    I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only which made the problem shift. Test clients connect to exchange and are able to view/receive mails but got
    the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negotiate alone.
    Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-uris set to domain.com)
    is utilizing cached windows credentials and is able to log on to autodiscover and OWA with windows authentication enabled.
    When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
    "Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
    I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
    Now how I understand the auth method Negotiate in Exchange 2013 is that Outlook and the Server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Prompt (Basic/NTLM) but in my case this doesn't
    apply.
    Now I would appreciate it very much if someone could educate me in how this is supposed to work and, if there is a mistake in my configuration or my understanding of the authentication process, correct it.
    A great day to everyone!
    Vasko

    I don't have a ton of experience using something like ARR, but we should do some testing.  The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally.  This SHOULD let us know where the problem
    lies.  If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange.  If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.

  • Using Hyper-V 2012 r2, connecting to the console results in: A certification authority could not be contacted for authentication.

    I'm having some trouble with authentication to guests from my Hyper-V console.
    If I try to connect from the Hyper-V Manager to the console of any guest, I get the error:
    "A certification authority could not be contacted for authentication. If you are using a Remote Desktop Gateway with a smart card, try connecting to the remote computer using a password. For assistance, contact your system administrator or technical support."
    I'm not using an RDG and smart card.
    I have 2 virtual networks. The first is Production, the second is Isolated. Production has 2 NICs attached to the Production LAN, the second has 2 NICs in our DMZ. The host is a member server of the production domain. I can use MSTSC from the LAN or the DMZ
    to gain access to each Guest and the Host.
    The issues start if I try "Connect" from Hyper-V Manager in an attempt to use the console of any Guest. Each attempt fails with the above error. If I use an incorrect password, I get a different error: "The credentials that were used to connect
    to {Server FQDN} did not work. Please enter new credentials."
    Taking a look at the event logs, I can see the session successfully authenticating to the Guest (4776 Credential validation and 4624 Logon), and the fact I get a different error if I enter an incorrect password shows I get some way along the line. However
    if I take a look at the logs on the Host, however I get:
    An account failed to log on.
        Subject:
            Security ID:        NULL SID
            Account Name:        -
            Account Domain:        -
            Logon ID:        0x0    
        Logon Type:            3
        Account For Which Logon Failed:
            Security ID:        NULL SID
            Account Name:        
            Account Domain:        
        Failure Information:
            Failure Reason:        An Error occured during Logon.
            Status:            0xC000006D
            Sub Status:        0xC000005E
        Process Information:
            Caller Process ID:    0x0
            Caller Process Name:    -
        Network Information:
            Workstation Name:    -
            Source Network Address:    -
            Source Port:        -
        Detailed Authentication Information:
            Logon Process:        Kerberos
            Authentication Package:    Kerberos
            Transited Services:    -
            Package Name (NTLM only):    -
            Key Length:        0
        This event is generated when a logon request fails. It is generated on the computer where access was attempted.
        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
        The Process Information fields indicate which account and process on the system requested the logon.
        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
        The authentication information fields provide detailed information about this specific logon request.
            - Transited services indicate which intermediate services have participated in this logon request.
            - Package name indicates which sub-protocol was used among the NTLM protocols.
            - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Which looks to me like a blank authentication request is being sent? (I've not deleted any machine/domain names, they're just not present)
    Any suggestions? Do you think I'm barking up the wrong tree?
    Thoughts and comments gratefully received

    Hi,
    What's your guest system platform? Based on my experience, that must be the unsupported guest system issue; the generation 2 VM only supports the Windows 8 or 8.1 platform.
    The related KB:
    Generation 2 Virtual Machine Overview
    http://technet.microsoft.com/en-us/library/dn282285.aspx
    Hope this helps.

  • Windows NTLM Authentication on SAP 4.6c (Platform AIX)

    I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
    My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
    I need to implement single sign on for SAP integrated application.
    As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory  id as external id in connection string. All transaction should run with external user id context.
    Can someone help me with the following questions?
    1. Does NTLM trust relationship / authentication work on SAP running on AIX? Or do I have to set up Kerberos authentication?
    2. What SNC library is needed for SAP (AIX instance)?
    3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documents only explain SAP (MS instance) configuration.
    What option do I have to get Single Sign On working?
    Any help is highly appreciated.
    Regards and Thank you in advance.

    > Hi Reiner,
    > Thank you very much for response, this is helpful
    > information.
    If you consider an answer helpful, please mark it with the button on the left side :-).
    > My options are pretty much limited,
    > I can't use NTLM since, AIX will not accept trust
    > -- NTLM Auth will not work with AIX
    > -- Kerberos auth have to have third party tool like
    > CyberSafe for SNC trust relationship.
    As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
    > I am planning to try using SSO as mentioned in "Enabling
    > Single Sign-On for ASP.NET Applications in Enterprise
    > Portal 6"
    > Does this approach work with EP 5.0?
    This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with MYSAPSSO2 ticket.
    > If any one has "sapsecu.dll" please send me at
    > [email protected] with same size as stated in
    > this document.
    This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.
    > My SSO ticket did not get created after following
    > steps in document, I am suspecting either sapsecu.dll
    > or veryfy.pse is wrong?
    Did you find a MYSAPSSO2 cookie in the request?

  • Event ID 6038 LsaSrv NTLM authentication warning

    Searching the internets we haven't found any other references to this particular Event ID Warning message. 
    It's likely new in Windows Server 2012. We are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain). 
    Clicking on the URL in the Description of the Event ID just link to a ‘Windows Server Future Resources’ placeholder page. 
    The full Event ID is pasted in below.
    We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. 
    How are these tasks accomplished on Windows Server 2012 Domain Controllers? 
    Thanks in advance for any help! 
    Log Name:      System
    Source:        LsaSrv
    Date:          12/27/2012 6:00:01 PM
    Event ID:      6038
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      <server FQDN>
    Description:
    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
    NTLM is a weaker authentication mechanism. Please check: 
          Which applications are using NTLM authentication?
          Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
          If NTLM must be supported, is Extended Protection configured? 
    Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

    Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
    I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. 
    It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. 
    So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 
    Auditing and restricting NTLM usage guide
    http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
    Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
    This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.
    With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.
    This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.
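
An added example (not code from either thread or from Microsoft's guide): it parses the description text of Security-log logon events, decodes the Status and Sub Status values from the failed-logon event quoted in the Hyper-V thread above, and tallies which accounts and workstations still log on with NTLM, the first check the 6038 warning asks for. The successful-logon samples, account names and host names are constructed; the field names are the ones shown in the event text on this page.

```python
import re
from collections import Counter

# Subset of NTSTATUS codes that show up in failed-logon events.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# "Name:   value" lines; section headers and blank values do not match.
FIELD = re.compile(r"^[ \t]*([A-Za-z][^:\n]*):[ \t]+(\S.*?)[ \t]*$", re.M)

def parse_event(text):
    """Map field name -> value; a repeated name keeps its last non-blank value."""
    return {name.strip(): value for name, value in FIELD.findall(text)}

def explain_failure(event):
    """Decode Status and Sub Status of a failed logon into NTSTATUS names."""
    decoded = {}
    for key in ("Status", "Sub Status"):
        code = int(event[key], 16)
        decoded[key] = NTSTATUS.get(code, f"unknown 0x{code:08X}")
    return decoded

def ntlm_usage(events):
    """Count NTLM logons per (account, workstation, NTLM version)."""
    tally = Counter()
    for ev in events:
        if ev.get("Authentication Package", "").upper() == "NTLM":
            tally[(ev.get("Account Name"), ev.get("Workstation Name"),
                   ev.get("Package Name (NTLM only)"))] += 1
    return tally

# Fields copied from the failed-logon event quoted in the Hyper-V thread.
FAILED_LOGON = """
    Failure Information:
        Status:            0xC000006D
        Sub Status:        0xC000005E
    Detailed Authentication Information:
        Authentication Package:    Kerberos
"""
# Constructed successful-logon excerpts (accounts and hosts are made up).
TEMPLATE = ("Account Name:  {}\nWorkstation Name:  {}\n"
            "Authentication Package:  {}\nPackage Name (NTLM only):  {}\n")
SAMPLE_LOGONS = [TEMPLATE.format(*row) for row in (
    ("svc-report", "APP01", "NTLM", "NTLM V1"),
    ("alice", "WS07", "Kerberos", "-"),
    ("svc-report", "APP01", "NTLM", "NTLM V1"),
    ("bob", "WS09", "NTLM", "NTLM V2"))]

if __name__ == "__main__":
    print(explain_failure(parse_event(FAILED_LOGON)))
    for key, count in ntlm_usage(map(parse_event, SAMPLE_LOGONS)).most_common():
        print(count, *key)
```

Accounts that appear with "NTLM V1" are the ones to move first when working toward the Restrict NTLM policies the guide describes.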

  • Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

    I've copied a .NET application from an older 2008 server running IIS 7.0.600.16386 to a newer 2008 R2 server running 7.5.7600.16385.  The .NET framework version is 4.0.30319.  I've setup an application pool and copied the wwwroot directory. 
    I've checked for nested web.config files and I've been reading a lot about converting the site to an application.  The older server running the application is still up and running and the configurations look identical.  If I convert the site to an application the icon changes and doesn't look like it does on the old server.  I'm new and still learning the basics of programming and publishing applications.  Can someone point me in the right direction?  I've been on google for a few days to no avail.  Thanks.
    Description:
    An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
    Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS.
    Line 20:       <add path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" validate="false" />
    Line 21:     </httpHandlers>
    Line 22:     <authentication mode="Forms">
    Line 23:       <forms cookieless="UseCookies" loginUrl="~/AccessDenied.aspx" protection="All" name="TVHRFORMAUTH" timeout="180" slidingExpiration="true" />
    Line 24:     </authentication>

    Hi,
    I agree with Tim that we can ask for better help in the following IIS forum.
    IIS.NET forum
    http://forums.iis.net/
    Best regards,
    Frank Shen

  • OSB NTLM authentication

    Hi.
    I'm looking for any example to create a passthrough proxy service on a business service based on an endpoint HTTP that requires basic authentication plus NTLM domain.
    I haven't OWSM on this OSB.
    TIA
    Corrado

    Corrado,
    FYI, NTLM is no longer recommended -
    http://msdn.microsoft.com/en-us/library/cc236715.aspx
    http://en.wikipedia.org/wiki/NTLM
    Now coming to your question, OSB does not support NTLM authentication mechanism. As a workaround, you may write a java client that can support NTLM authentication over HTTP and then use this as a java callout in your proxy. You may pass the incoming authentication info to the java callout which may perform the further work (authentication and service invoke)
    Regards,
    Anuj
