Database Account Authentication to a few users.

Similar Messages

• How to create an database account authentication scheme in apex

  Dear
  I have an apex installation (embeded) on oracle 11g.
  I want to create a database account authentication scheme in apex. I have seen the page with different tab like name,subsription,source,session not valid, login processing, logout URL,session cookie attributes and comments.
  I want to know what are the things to be specifed on these tabs and the effects. I have gone thru the documentation 'Application Builder User’s Guide Release 4.1' , but the functionalities of these tabs are not mentioned.
  Please help.
  Dennis
  Edited by: Dennis John on Feb 28, 2012 10:57 PM

  Thanks to dear Jit
  I am new to apex.
  I have gone thru that documents but I couldn't find any detailed documentation about the database account authentication scheme configuration
  The database account authentication scheme creation interface will show tabs like name,subsription,source,session not valid, login processing, logout URL,session cookie attributes and comments.
  I want to know what are the things to be specifed on these tabs and how it will reflect in the login. The specified documentation is not giving any detail about the above mentioned tabs of authentication scheme creation iwizard.
  And also I want to know how the applciation user will be mapped to the database account?
  As per my understanding a database user (for each run time user) is required for to authenticate the apex run time login other than the applciation schema user (holds the objects of applicaiton)
  run time user means - end user who uses the applcaition, not the developer.
  Please help.
  Dennis

• APEX Database Account Authentication Problem

  Hi There
  I'm developing an application in APEX 3.1 on top of an Oracle 10g database. The schema account ABC has full control of all objects but additional users have been added USER1 for example. When I set the authentication of the APEX application to Database Account I am able to login as ABC but not when I use USER1. The errors I receive are:
  ORA-28007: the password cannot be reused ORA-06512: at "APEX_030200.WWV_FLOW_SECURITY", line 248 ORA-06512: at "SYS.WWV_FLOW_VAL", line 55 ORA-06521: PL/SQL: Error mapping function
  ERR-10480 Unable to run authentication credential check function.
  I haven't used any custom funtions, pages or procedures, even tried starting a new app from scratch and still am not able to login.
  Thanks
  Daniel

  Thanks Varad, but I was able to log in to PL/SQL Developer using the USER1 credentials. I have found the problem though, the Oracle database was an older version than this APEX functionality could work with. We upgraded the database and now I can log in fine.

• Database Account Credentials Authentical Failure

  Hello All,
  I've set my Authentication Scheme in APEX to Database Account credentials (I have Oracle 10+ installed). However, when I login I get the following errors. Can someone please advise?
  ORA-28007: the password cannot be reused
  ORA-06512: [b]at "FLOWS_020200.WWV_FLOW_SECURITY", line 221
  ORA-06512: at "SYS.WWV_FLOW_VAL", line 49
  ORA-06521: PL/SQL: Error mapping function
  Error ERR-10480 Unable to run authentication credential check function.
  Thanks

  Hi Scott:
  Thanks for the clarification with Default User profile.
  In my database, the authetication works for all the profiles that have DEFAULT PROFILE. However, doesn't work for DB accounts that don't belong to DEFAULT profile(these users have profile called ENDUSER_PROFILE).
  So, how and where can I define multiple profiles as VALID for the Database Account authentication?
  Thanks for your help!
  Muni

• How to diseable database accounts

  Hello
  How to disable database accounts so that only Apex users are enabled on an internet site based on xe database.
  Thanks in advance

  You can lock the accounts. Refer to the ALTER USER command in the SQL Reference guide. (http://download-east.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_4003.htm#i2058207)
  E.g.
  ALTER USER <username> ACCOUNT LOCK
  There are other methods too. For example, if you revoke the CREATE SESSION priv from a user, the a client session cannot be created using that user as logon.

• Authentication Scheme - Database Account with login user exists in table

  Hi all,
  I m new to APEX. Could anyone tell me how can i modify the authentication scheme to validate the user by Database Account DB user & password, also the username must exist in a table
  As the DB is not only designed for one application, so DB account may incl. DB users more than the users who can access the APEX application. So I must check the user name exists in a table also.
  Thx.

  Scott,
  I try to save the msg in application item and set the message by application item in process before header, it works perfect. The message display as what i want :)
  One more question is i would like to give this link to user will go let the user go to the target page and can edit the page without doing any searching b4.
  http://XXX/apex/f?p=115:3::NO:::P3_ID:82
  If the user hvnt login, system will prompt login page, after the user login it, it will direct go to the target page. I have try if the user type in a wrong username / password it still work after i retype a correct one. The page can redirect to the target page.
  However, if i type in a user name & password is correct but not exist in my define table like what i stated b4. Then i type in a correct one I can just go to page 1 instead of the target one.
  How can i do the same thing?
  Sorry for non-stop questioning, but pls help. Thanks a lot.

• Database Account and User Groups

  Hello,
  Currently, I am using DATABASE ACCOUNT for an authentication scheme for all of my applications but, I would like to setup User Groups as well to limit users to thier prospective pages and/or objects within the application for easy maintenance of users. I have read that, in order to apply user groups in an application, you must use APPLICATON EXPRESS ACCOUNT credentials.
  Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables.
  Is there a way to create user groups while using DATABASE ACCOUNT for authentication? What is the best practice in a case like this?
  Can anyone please shed some light on this? Thanks.
  - Dee

  Dee,
  I would like to setup User Groups as well to limit users to thier prospective pages and/or objects within the application for easy maintenance of users.I'm not clear on what your purpose is, just runtime authorization, or something more?
  Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables.Those tables belong to your application's parsing schema and they are accessed only by code in applications you develop. The Application Express machinery knows nothing about them.
  Is there a way to create user groups while using DATABASE ACCOUNT for authentication?You can create your own tables to define groups and to keep track of which named accounts belong to which groups. And you can write an API for applications to use to query this information and to maintain it from custom applications built for that purpose.
  All

• Database authentication & database account profiles

  Hi,
  Is anyone aware of any sample applications that uses database acccount profiles for password policies like ageing, length, reuse and so on.
  I've searched the forums but havn't found any links
  Has anyone experience in this field
  Many thanks
  Pete

  Roger,
  The authentication code and the general steps to hook it up are posted in this thread: Re: Custom Authentication
  As far as checking profile settings and account status, I would run these checks in processes on your after-login page. If there are exceptions, the user can respond to them on that page. If there are no exceptions, the page should branch to the start-of-application page of your choice. How you access this profile/account information for the authenticated user is up to you to figure out. Keep in mind that you will not be connected as the database account you authenticated against, so there is really no "active" profile involved. Your application's parsing schema will need to be granted access to whatever dictionary views it needs for this purpose.
  Good luck,
  Scott

• Authentication using database accounts (EJB)

  Hi.
  I'm developing a web app(struts, jsp). Users should log-in using their Oracle
  database accounts (created with CREATE USER ...). Is it possible to accomplish that using EJB? How?
  I've read that i can somehow map application server's users with database users
  using sql authentication providers: Wouldn't then sql queries made by ejbs
  still be executed with the same user every time?

  Normally application servers use a shared login to allow using a shared connection pool, and avoid the cost of logging in and out.
  Are you using JPA or the native TopLink API? Are you using JTA?
  TopLink / EclipseLink have several features for user logins.
  You can use Oracle proxy connections, these allow a shared connection pool to be used, but allow setting a proxy user on the connection.
  See, org.eclipse.persistence.config.PersistenceUnitProperties.ORACLE_PROXY_TYPE
  You can also use real database logins with JPA (or ServerSession) through using a JPA EntityManager properties or a ConnectionPolicy.
  See, org.eclipse.persistence.config.EntityManagerProperties, org.eclipse.persistence.sessions.server.ConnectionPolicy.
  You also have the option of using a shared login for reads, and a user login for writes.
  If you are using the native API, you can also use DatabaseSessions.
  James : http://www.eclipselink.org

• Tacacs authentication fails for one user account for only one switch

  Hi,
  I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
  The same user account works well for other devices.
  The AAA configs are same on every devices in the network.
  Heres the show tacacs output from the switch where only one user account fails;
                Socket opens:        157
               Socket closes:        156
               Socket aborts:        303
               Socket errors:          1
             Socket Timeouts:          2
     Failed Connect Attempts:          0
          Total Packets Sent:       1703
          Total Packets Recv:       1243
            Expected Replies:          0
  What could be the reason ?
  No errors on ACS server; same rights had been given to the user account.
  Thanks to advise.
  Prasey

  Hi there,
  Does the user get authenticated in the ACS logs?
  reports and activity----> failed attempts
  ro
  reports and activity----->  passed authentications
  That will help narrow it down.
  Brad

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• OPS$ Account Authentication in OC4J

  Hi,
  We have an existing database which uses OPS$ account authentication in Oracle Forms 6i. Fine.
  But, I need to access the same database from a JSP Application deployed to OC4J. Does OC4J and JDBC support OPS$ authentication in any way?
  Thanks,
  Jeremy

  HI,
  Thanks for the response. Actually, I want all users to log in individually, rather than share a JDBC connection username and password. The users currently use Oracle Forms 6i and log in with the "/" username (which then uses remote authentication on the database).
  The issue is that they I'm not able to use this kind of authentication via JDBC as, as far as I understand it, this is a feature of SQL*Net (which JDBC does not "use").
  The workaround is that the users were created as "create user x identified by y" and not "create user x identified externally" so that they're able to log in both ways. I'm only able to do this because we're using the "OPS$" prefix.
  1) using remote authentication
  2) Explicitly specifying username and password.
  Cheers,
  Jeremy

• Accessing several applications after logging into database account once

  I have several applications with authentication against database accounts. I would like to create a situation in which users only have to log in once and are able to use all the applications they are allowed to use afterwards without having to log in again.
  Has anyone already got a solution for this problem?
  Your suggestions are very welcome,
  Greets, Dik

  I understand that it is possible for applictions within one workspace. These applications share the same session.
  What applications share the same session? Applications belonging to the same workspace that might operate at the same time? As a generic rule? No, this is not the case. Those applications share the same session only if you intend them to, but they need not.
  Applications that do not belong to the same workspace cannot share the same session.
  Single Sign-On (without a login server) is something you'd have to cook up yourself. That would have nothing to do with session-sharing but rather the ability of multiple applications to reference some artifact outside the application (a session cookie, an HTTP header value, a combination of those, ...) that would help it identify that authentication (by some trusted authority) had occurred. Each application could then do its own session management independent of that finding.
  Scott

• SharePoint 2013 and Windows authentication (integrated) or SharePoint user for report data source

  Hello,
  I am having issues creating report datasource in "Windows authentication (integrated) or SharePoint user" in SharePoint 2013. I followed the steps mentioned in the link http://blogs.msdn.com/b/psssql/archive/2014/04/28/sharepoint-adventures-using-claims-with-reporting-services.aspx.
  I am just stuck in the delegation piece here. I have a SSAS instance by name "XXXXAPPV01\Multidimensional". First thing is what is the procedure to set SPN for this instance? I need to add this service in the delegation tab so that C2WTS service
  configured correctly.
  Nothing but I should be able to access my SSAS 2012 cube from SSRS 2012 by "Windows authentication (integrated) or SharePoint user" as the authentication method.
  Palash

  I used the below command to set SPN for analysis services.
  setspn -S MSOLAPSvc.3/XXXXAPPV01APPV01.xxxxdmo.local:Multidimensional xxxxdmo\svcMyService
  After setting the SPN for this service account I added this account(xxxxdmo\svcMyService) in the delegation tab of my domain account created earlier for claim service (xxxxdmo\svcC2WTS). Now in service type it shows -> MSOLAPSvc.3, User or Computer it shows
  -> XXXXAPPV01APPV01.xxxxdmo.local and in Port it shows -> Multidimensional. This is in my svcC2WTS account delegation tab. Still I am not able to connect datasource by "Windows authentication(integrated) or SharePoint User". I am getting the
  same error "Cannot convert claims identity to windows token".
  I am not sure what am I missing in this configuration piece yet to get this working.
  Palash

• Database Accounts AR, AP, GL

  Do the AR, AP, GL Database accounts have access to all Oracle EBS receivables, payabales, ledger data in the Database, or are some tables/views restricted from these accounts?
  Is there any document that details which AR, AP, GL tables/views contain the more sensitive data?

  user599292 wrote:
  Do the AR, AP, GL Database accounts have access to all Oracle EBS receivables, payabales, ledger data in the Database, or are some tables/views restricted from these accounts?
  Is there any document that details which AR, AP, GL tables/views contain the more sensitive data?Hi user i suggest check [e-trm site|etrm.oracle.com] for table relations in EBS, i belive it can be helpful for you
  Regard
  Helios