File based authentication OWSM

I've defined the .htpasswd file with username and password credentials.
I've registered a gateway with 'extract credentials' and 'file authenticate' policy and I've configured the file authentication to use the htpasswd file.
I've defined plainttext format for the username and password to perform basic test, but I'm always getting 'authentication fault, invalid username or password'.
When I define md5 as the format for my username and password and I use the md5encode utility the file authentication works fine.
Are there known issues with plainttext format in file authentication?

Can you please tell me how to create the file .htpassword. When i'm using a text editor to create this file it does not allow and message is specify file name. Is there a special utility to create such a file.

Similar Messages

OWSM 11g file based authentication

Hi,
I have to secure a service using the username and password present in file. I'll have to use a file based authentication mechanism. As OWSM 11g doesnt have the gateway, can i achieve this functionality with OWSM 11g agent ?
Thanks

Can you please tell me how to create the file .htpassword. When i'm using a text editor to create this file it does not allow and message is specify file name. Is there a special utility to create such a file.

Error while using OWSM File based authentication - URGENT

Hi ,
We have the requirement to invoke the gateway protected webservice from the client.
PLEASE GIVE ME A SOLUTION. IT IS URGENT.
I have protected a webservice via OWSM Gateway.The webservice was devloped with the jdev RPC-ENC format and deployed on a Oracle AS.
I tried testing the webservice with the OWSM-Test Tool without any issues.
But when i created a webservice proxy client and test the code with the userid/passwrd ,am getting the following error.
calling http://localhost:8888/gateway/services/SID0003001
javax.xml.rpc.soap.SOAPFaultException: Invalid username or password
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:555)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at project1.proxy.runtime.RpcEncWSSoapHttp_Stub.getStringReturnCust(RpcEncWSSoapHttp_Stub.java:78)
at project1.proxy.RpcEncWSSoapHttpPortClient.getStringReturnCust(RpcEncWSSoapHttpPortClient.java:45)
at project1.proxy.RpcEncWSSoapHttpPortClient.main(RpcEncWSSoapHttpPortClient.java:31)
Process exited with exit code 0.
I wonder ,whats the mode of difference between the OWSM-Test tools client and the Java WS proxy client.
Has any body encountered this kind of behaviour.
Your feed back is highly appreciated.
AG
Edited by: user555285 on May 29, 2009 10:42 AM
Edited by: user555285 on May 29, 2009 10:42 AM

Yes, The originial web service also has authentication and i did it via OWSM but I did not initialize it in authentication in the webservice proxy.
Now i did it and works fine.
Thanks AJochems (Redora) .
--AG

OWSM File based Authentication

Hi ,
We have the requirement to invoke the gateway protected webservice from the client.
I have protected a webservice via OWSM Gateway.The webservice was devloped with the jdev RPC-ENC format and deployed on a Oracle AS.
I tried testing the webservice with the OWSM-Test Tool without any issues.
But when i created a webservice proxy client and test the code with the userid/passwrd ,am getting the following error.
calling http://localhost:8888/gateway/services/SID0003008
javax.xml.rpc.soap.SOAPFaultException: Invalid username or password
at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:555)
at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
at project1.proxy.runtime.RpcEncWSSoapHttp_Stub.getStringReturnCust(RpcEncWSSoapHttp_Stub.java:78)
at project1.proxy.RpcEncWSSoapHttpPortClient.getStringReturnCust(RpcEncWSSoapHttpPortClient.java:45)
at project1.proxy.RpcEncWSSoapHttpPortClient.main(RpcEncWSSoapHttpPortClient.java:31)
Process exited with exit code 0.
I wonder ,whats the mode of difference between the OWSM-Test tools client and the Java WS proxy client.
Verified the owsm documnetation/metalink with no luck yet....
Has any body encountered this kind of behaviour.
Your feed back is highly appreciated.
regards
L

Yes, The originial web service also has authentication and i did it via OWSM but I did not initialize it in authentication in the webservice proxy.
Now i did it and works fine.
Thanks AJochems (Redora) .
--AG

Where I can get visio file of SAML claims-based authentication process

Hello
I saw SAML claims-based authentication process flow diagram on
http://msdn.microsoft.com/en-us/library/office/hh394901(v=office.14).aspx . Please let me know where I will get the visio of this file.
Regards
Avian

What makes you think that such a file is available (to the public)?
Use the graphic, or make your own.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs

OWSM 11g: SAML holder of the key based Authentication

Hi all,
I am trying to implement SAML holder of the key method based authentication. As per weblogic documentation, I have disabled the Disable X.509 certificate validation since I am using SAML holder_of_key assertions. I have attached the policies to the composites oracle/wss10_saml_hok_token_with_message_protection_client_policy and oracle/wss10_saml_hok_token_with_message_protection_service_policy. I am using the default values except for keystore.recipient.alias property. When I am testing the policy it says that the saml.assertion.filename named temp could not be found.
As per the documentation this is file containing SAML holder of the key based authentication. Can anyone provide some idea as to what should be the contents of this file?
Thanks in advance

me too am facing same problem..did you manage to solve this?
please suggest..

Claims Based Authentication and Editing User Profiles

Hi All,
I have an interesting issue where I have a SharePoint Farm setup with both the intranet and mysites web applications setup using Claims Based Authentication. While everything seems to work fine, you are able to search for users, view properties and users
can change their own profile properties. However when you configure a profile administration account (an account with the "manage user profiles" permission on the User Profile Service Application) and you attempt to use that account to edit
another users profile you get hit with a generic error page.
Delving deeper you get the following errors:
ULS:
Date   Process   Thread Id   Area   Category   Event Id   Level   Correlation   Message
5/7/2013 00:31:44:64   App Pool: MySites   0x1DC8   SharePoint Foundation   Logging Correlation Data   xmnv   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Name=Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)
5/7/2013 00:31:44:66   App Pool: MySites   0x1DC8   SharePoint Foundation   Authentication Authorization   agb9s   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|DOMAIN\sp_config, ClaimsCount=24
5/7/2013 00:31:44:66   App Pool: MySites   0x1DC8   SharePoint Foundation   Logging Correlation Data   xmnv   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Site=/
5/7/2013 00:31:44:69   App Pool: MySites   0x1DC8   SharePoint Foundation   Files   00000   High   4001199c-6bd8-c03d-920f-55177fbff00c
UserAgent not available, file operations may not be optimized.
at Microsoft.SharePoint.SPFileStreamManager.CreateCobaltStreamContainer(SPFileStreamStore spfs, ILockBytes ilb, Boolean copyOnFirstWrite, Boolean disposeIlb)
at Microsoft.SharePoint.SPFileStreamManager.SetInputLockBytes(SPFileInfo& fileInfo, SqlSession session, PrefetchResult prefetchResult)
at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBufferFactory.CreateFromDocumentRowset(Guid databaseId, SqlSession session, SPFileStreamManager spfstm, Object[] metadataRow, SPRowset contentRowset, SPDocumentBindRequest& dbreq, SPDocumentBindResults&
dbres)
at Microsoft.SharePoint.SPSqlClient.GetDocumentContentRow(Int32 rowOrd, Object ospFileStmMgr, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)
at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
Guid& pgDocScopeId)
at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
Guid& pgDocScopeId)
at Microsoft.SharePoint.Library.SPRequest.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean&
pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified,
String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean&
pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid&
pgDocScopeId)
at Microsoft.SharePoint.SPWeb.GetWebPartPageContent(Uri pageUrl, Int32 pageVersion, PageView requestedView, HttpContext context, Boolean forRender, Boolean includeHidden, Boolean mainFileRequest, Boolean fetchDependencyInformation, Boolean& ghostedPage,
String& siteRoot, Guid& siteId, Int64& bytes, Guid& docId, UInt32& docVersion, String& timeLastModified, Byte& level, Object& buildDependencySetData, UInt32& dependencyCount, Object& buildDependencies, SPWebPartCollectionInitialState&
initialState, Object& oMultipleMeetingDoclibRootFolders, String& redirectUrl, Boolean& ObjectIsList, Guid& listId)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.FetchWebPartPageInformationForInit(HttpContext context, SPWeb spweb, Boolean mainFileRequest, String path, Boolean impersonate, Boolean& isAppWeb, Boolean& fGhostedPage, Guid& docId,
UInt32& docVersion, String& timeLastModified, SPFileLevel& spLevel, String& masterPageUrl, String& customMasterPageUrl, String& webUrl, String& siteUrl, Guid& siteId, Object& buildDependencySetData, SPWebPartCollectionInitialState&
initialState, String& siteRoot, String& redirectUrl, Object& oMultipleMeetingDoclibRootFolders, Boolean& objectIsList, Guid& listId, Int64& bytes)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.GetWebPartPageData(HttpContext context, String path, Boolean throwIfFileNotFound)
at Microsoft.SharePoint.ApplicationRuntime.SPVirtualPathProvider.GetCacheKey(String virtualPath)
at System.Web.Compilation.BuildManager.GetVPathBuildResultFromCacheInternal(VirtualPath virtualPath, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)
at System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection)
at System.Web.UI.Page.ApplyMasterPage()
at System.Web.UI.Page.PerformPreInit()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
5/7/2013 00:31:44:69   App Pool: MySites   0x1DC8   SharePoint Foundation   Files   aiv4w   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Spent 0 ms to bind 33542 byte file stream
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Portal Server   User Profiles   ai7z6   High   4001199c-6bd8-c03d-920f-55177fbff00c
User was not successfully retrieved: i:0#.w|DOMAIN\AUSER in ProfileUI.OnInit. Seeing if this is a system account
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Portal Server   User Profiles   ai7z7   High   4001199c-6bd8-c03d-920f-55177fbff00c
User i:0#.w|DOMAIN\AUSER not found and not a system account.
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Portal Server   User Profiles   ahn7m   Unexpected   4001199c-6bd8-c03d-920f-55177fbff00c
ProfileUI: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Portal Server   User Profiles   ahn7h   Unexpected   4001199c-6bd8-c03d-920f-55177fbff00c
ProfileEditor: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Foundation   General   8nca   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Application error when access /_layouts/15/EditProfile.aspx, Error=DOMAIN\AUSER
at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Foundation   Runtime   tkau   Unexpected   4001199c-6bd8-c03d-920f-55177fbff00c
Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Foundation   General   ajlz0   High   4001199c-6bd8-c03d-920f-55177fbff00c
Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
5/7/2013 00:31:44:72   App Pool: MySites   0x1DC8   SharePoint Foundation   General   aat87   Monitorable   4001199c-6bd8-c03d-920f-55177fbff00c
5/7/2013 00:31:44:73   App Pool: MySites   0x1DC8   SharePoint Foundation   Monitoring   b4ly   Medium   4001199c-6bd8-c03d-920f-55177fbff00c
Leaving Monitored Scope (Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)).
Execution Time=87.1739285300227
It seems similar to an issue in the blog post here: http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013/ however I tried what was suggested and it didn't work.
Any help with this is appriciated.

This line offers clues about the actual problem:
Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
According to the MSDN link (http://msdn.microsoft.com/en-us/library/microsoft.office.server.userprofiles.usernotfoundexception.aspx)
it is not able to find the user in the profile store. Additionally the link you mentioned (http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013)
suggests that the account being used to validate accounts on the production domain may have a problem.
If there a way you can test that account in isolation against the DC?
With Regards Shailen Sukul Entrepreneur/Software Architect/Developer/Consultant/Trainer (BSc | Mct | Mcpd (.Net 2/3.5/SharePoint2010) | Mcts (Sharepoint 2010/MOSS/WSS), Biztalk, Web, Win, Dist Apps) | Mcitp(SharePoint) | Mcsd.NET | Mcsd | Mcad) MSN | Skype
| GTalk Id: shailensukul Twitter: http://twitter.com/shailensukul Website: http://sukul.org Blog: http://shailen.sukul.org/ http://www.linkedin.com/in/shailensukul

Sharepoint 2010 on Windows 2012R2 and claims based authentication

Hello,
We have installed a sharepoint 2010 SP2 CU dec 2014 on a Windows 2012R2 server.
The installation went without problems.
However, we want to use claims based authentication on a certain web app pool.
Therefore some configuration on IIS is required.
The first issue we ran into, is the web application pool uses ASP.NET 2.0, which is the default settings.
However, using this ASP.NET Version 2.0 the feature "Providers" and ".net users" are invisible.
When changing the .net version to 4.0, the features comes back again.
I can fill in the connection strings without problem.
The providers feature however, gives me the following errors:
There is a duplicate .... sections defined.
When googling on this error, it seems that on .net 4.0 these sections are already globbally defined in the machine.config, So i removed these entries in the machine.config
These are the lines that are "double"
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false"
allowDefinition="MachineToApplication"/>
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere"
/>
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"
/>
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false"
allowDefinition="MachineToApplication" />
So after removing these lines, i can get into Providers feature in IIS.
but, when i click on "Add..." i get the following error:
Add Provider
There was an error while performing this operation.
Details:
This method cannot be called during the application's pre-start initialization phase.
OK
I spent to much time already to solve this issue and i hope that someone can give me some advice to address this issue.

The STS web.config:<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>

<behaviors>
<serviceBehaviors>
<behavior name="SecurityTokenServiceBehavior">

<serviceMetadata httpGetEnabled="true" />

<serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
</behavior>
</serviceBehaviors>
</behaviors>

<services>
<service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract" behaviorConfiguration="SecurityTokenServiceBehavior">

<endpoint address="" binding="customBinding" bindingConfiguration="spStsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

<endpoint name="ActAs" address="actas" binding="customBinding" bindingConfiguration="spStsActAsBinding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
<service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
<endpoint address="" binding="customBinding" bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding" contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
</service>
</services>

<bindings>
<customBinding>
<binding name="spStsBinding">
<binaryMessageEncoding>
<readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
</binaryMessageEncoding>
<httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
</binding>
<binding name="spStsActAsBinding">
<security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" defaultAlgorithmSuite="Basic256Sha256" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
<binaryMessageEncoding>
<readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
</binaryMessageEncoding>
<httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Negotiate" useDefaultWebProxy="false" />
</binding>
<binding name="SPWindowsTokenCacheServiceHttpsBinding">
<security authenticationMode="IssuedTokenOverTransport" />
<textMessageEncoding>
<readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
</textMessageEncoding>
<httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
</binding>
</customBinding>
</bindings>
</system.serviceModel>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="true">
<providers>
<clear />
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
<modules>
<add name="WindowsAuthenticationModule" />
</modules>
</system.webServer>
<system.net>
<connectionManagement>
<add address="*" maxconnection="10000" />
</connectionManagement>
</system.net>
<connectionStrings>
<add connectionString="Server=sqldb_qa_sharepoint2010;Database=SG_SHP_Claims_Authentication;Integrated Security=true" name="SHP_Claims_Authentication" />
</connectionStrings>
</configuration>
I have backupped the machine.config and restored it (the file i edited was in the following dir: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Machine.config)

Faces context not found (Form based authentication)

<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/WorkingZone.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
when i tried to login with valid user the the url shows
http://localhost:8080/FormAuth/jsp/WorkingZone.jsp
how to append faces context automatically.
I am not finding for this faces context.
Plz suggest me a solution soon.
Thanks
Raghavendra Pattar

The FacesContext is created by FacesServlet which is
definied in the web.xml with an url-pattern.
If you just follow the url-pattern of this
FacesServlet, usually /faces/ or *.faces, or *.jsf,
then the FacesContext will be created.Hi balu,
this is the web.xml that i am using
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>false</param-value>
</context-param>
<filter>
    <filter-name>UploadFilter</filter-name>
    <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
    <init-param>
      <description>
          The maximum allowed upload size in bytes. If this is set
          to a negative value, there is no maximum. The default
          value is 1000000.
        </description>
      <param-name>maxSize</param-name>
      <param-value>1000000</param-value>
    </init-param>
    <init-param>
      <description>
          The size (in bytes) of an uploaded file which, if it is
          exceeded, will cause the file to be written directly to
          disk instead of stored in memory. Files smaller than or
          equal to this size will be stored in memory. The default
          value is 4096.
        </description>
      <param-name>sizeThreshold</param-name>
      <param-value>4096</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UploadFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>ThemeServlet</servlet-name>
    <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>ThemeServlet</servlet-name>
    <url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file></welcome-file>
     </welcome-file-list>
<jsp-config>
    <jsp-property-group>
      <url-pattern>*.jspf</url-pattern>
      <is-xml>true</is-xml>
    </jsp-property-group>
</jsp-config>
<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
        <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/Login/login.jsp</form-login-page>
      <form-error-page>/Login/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>manager</role-name>
</security-role>
</web-app>1)My requirement is Login page should be the first page
If enter the valid user and password
then i will get directory structure
when i click the secured JSF page inside secure
i got this URL
http://localhost/secure/WorkingZone.jsp
obiviously /faces is missing
and i am getting faces context not found.
If u need further clarification i will send u..
Plz reply me...

Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

Hi
I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
The remote server returned an error: (500) Internal Server Error
[WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
How to fix this issue?
Regards,
Siva

Did you create a new web application or modify an existing web application?
I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
Also, as suggested above, check application pools are running.
This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

Big problem :anything is accepted by form-based authentication on Jboss

Hi there
I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
Here is my configuration. The web.xml is like this
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>LoginTest</display-name>
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Manager security role</description>
<role-name>manager</role-name>
</security-role>
</web-app>
I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
<Realm
className="org.apache.catalina.realm.JDBCRealm" debug="1"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
connectionName="plankton"
connectionPassword="plankton"
userTable="users"
userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles"
roleNameCol="role_name"
/>
The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
Can anybody help me about this? I'm really stuck on this.
Thanks a lot!

By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
I also created the users and the roles.
But it seems like Tomcat container doesn't do the JDBC realm authentication.

FORM based Authentication issue on Sun ONE AS7

I am trying to use FORM based authentication for a web module I created, and can not get it to work. I have registered the roles through the admin console of the server, and adjusted the web.xml. When I try to use BASIC authentication, I get a 'Authentication refused for []' message before I even log in, and another one after I do. When I use FORM authentication, the URL points to my login.jsp page (no matter what I put in the path, which is what is supposed to happen), however my default servlet (hello.java) is actually run, and the login.jsp page never comes up. I created my jsps and servlet in the mounted [ejb]_WebModule. Please let me know if something seems incorrect here, or if you can think of something I should check...I can't find anything out there to help me.
Here is my web.xml:
<web-app>
<display-name>DiningGuideManager_TestApp</display-name>
<servlet>
<servlet-name>front</servlet-name>
<servlet-class>data.DiningGuideManager_WebModule.hello</servlet-class>
</servlet>
<servlet>
<servlet-name>myPage</servlet-name>
<jsp-file>/myPage.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>front</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Security</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Me</role-name>
<role-name>EveryoneElse</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>Me</role-name>
</security-role>
<security-role>
<role-name>EveryoneElse</role-name>
</security-role>
<ejb-ref>
<ejb-ref-name>ejb/TestedEJB</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>data.DiningGuideManagerHome</home>
<remote>data.DiningGuideManager</remote>
<ejb-link>DiningGuideManager</ejb-link>
</ejb-ref>
</web-app>
for FORM authentication I have this:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
Thanks,
Michelle

Yes there's a default generated index.jsp page that I'm having trouble overriding with one of my own. Have you used Form Based Authentication before? To do so you have edit the WEB-INF/web.xml file by adding:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/test/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/test/secure/loginpage.jsp</form-login-page>
<form-error-page>/test/secure/errorpage.jsp</form-error-page>
</form-login-config>
</login-config>
When you attempt to first go to any page in my /test/secure/ directory you get redirected to the /test/secure/loginpage.jsp where you have to login as a tomcat user, when succesfully logged on you get redirected to an index.jsp page which is NOT the one I created in test/secure/index.jsp. Even when I type in the url to go to my own test/secure/index.jsp I still don't get my own one that exists there, but instead get the default one that's generated that displays:
"Authentication Mechanism FORM".
Hope that makes more sense.
I've tried restarting tomcat but it makes no difference.

Forms based authentication in sharepoint 2013 using custom membership provider

I am developing FBA for SP2013 using custom membership provider using the following link
http://benredl.wordpress.com/2012/10/03/creating-forms-based-authentication-and-user-profiles-in-sharepoint-2013-using-custom-membership-and-role-providers-and-a-custom-user-profile-synchronization-utility/
the feature i am trying to develop is that the user is created using a homegrown asp.net application which uses sql server
and then When that user goes to SP2013 he should be able to login with the username and password created using the homegrown asp.net application
my questions are following
If I follow the article in the link should i be taking the assembly(dll) and deploying it to GAC or will VS2013 automatically do it
Do I have to implement FindUserByEmail and FindUserByName methods ?
if the connectionstring for an asp.net application is in the web.config file where would the connection for the sqlserver go if this application is for SharePoint
TIA

Hi TIA,
try this it contains the code for you and it is ready
http://sharepoint2013fba.codeplex.com/
Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation

Certificate based authentication

I have a client application that requires certificate based authentication.
I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
When adding the usercertificate attribute to the ID I used the following LDIF:
version: 1
dn: uid=userid,ou=employees,o=company
changetype: modify
replace: userCertificate
usercertificate: < file:///home/user/Certs/usercert.bin
the file was a binary encoded certificate file.
Here is the part that I don't understand when I do a search (or LDIF export) of the user object with the certificate it just returns a short base64 encoded string. when I decode this string, it is just the literal string of "< file:///home/user/Certs/usercert.bin".
So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned, does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
Anyone have any idea what is going on here? And why certificate auth works, when there appears to be not cert stored in LDAP?
If by chance this is how it is all suppose to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
Thanks
Brian

Cyril,
Thanks for the reply.
I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
2. From the DSCC
----a. Directory Servers Tab -> Servers Tab -> Click Server Name
----b. Security Tab -> General Tab
----c. In "Client Authentication" section, select:
--------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
--------ii. This should be the default setting.
3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
----a. certmap default default
----default:DNComps
----default:FilterComps uid,cn
4. restart the directory server
5. Do the following to setup the user who will be connecting. On their unix account (or similar)
----a. Create a directory to hold the certDB
--------i. mkdir certdb
----b. Create a CertDB
--------i. /ldap/dsee7/bin/certutil -N -d certdb
------------1) Enter a password when prompted
----c. Import the CA cert
--------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
----d. Create a cert request
--------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
----e. Send the cert request to the PKI Team to generate a user cert
----f. Take the text of the generated cert & save it to a file
----g. Import the new cert into your certdb
--------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
----h. Create a binary version of cert
--------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
--------i. ldapmodify
------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
------------2)
------------version: 1
------------dn: uid=userid,ou=employees,o=company
------------sn: Service Account
------------givenName: userid
------------uid: userid
------------description: Service Account for LDAP
------------objectClass: top
------------objectClass: person
------------objectClass: organizationalPerson
------------objectClass: inetorgperson
------------cn: Service Account
------------userpassword: password
------------usercertificate: < file:///home/userid/Certs/userid.bin
------------nsLookThroughLimit: -1
------------nsSizeLimit: -1
------------nsTimeLimit: 180
After doing this setup I am able to perform a search using the certificate:
ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
This search is successful, and I can see it logged, as having been a certificate based authentication:
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
If I understand correctly that would be using the part 2 of your explanation as using the binary encoded PEM to authenticate the user. If I am not understanding that corretly please let me know.
Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
dn: uid=userid,ou=employees,o=company
usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
which decodes as: < file:///home/userid/Certs/userid.bin
So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have setup above? Or am I missunderstanding part 2 entirely?
Thanks
Brian
Edited by: BrianS on Mar 23, 2012 12:14 PM
Just adding ---- to keep my instruction steps indented.

Certificate Based Authentication and SSL

To whom it may concern,
I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
I am running my Messenger express (http) like this :
http://testing.xyz.com:8100
(I am using port 8100 for http access to mails). After restarting the mail server, I tried :
https://testing.xyz.com:8100 also,
http://testing.xyz.com:443 also,
https://testing.xyz.com:443 also,
but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
Thanking you,
Farhan Ahmed,
System Engineer
Dubai, UAE.

Dear jay,
I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
[29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
i got this line from the http log:
[29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
Thanking you,
Farhan Ahmed,
System Engineer,
Dubai Internet City, Dubai, UAE.

File based authentication OWSM

Similar Messages

Maybe you are looking for