NAC SSO to Domain W2K8 & W2K3

Hi,
I am configuring SSO between a CAS running version 4.8.1 and an MS domain of two servers, a W2K8 R2 and a W2K3 Enterprise SP2.
The problem is I am getting an error message in the CAS trace that says "Unable to start server ... KDC has no support for encryption type (14)". I tried all possible encryptions in KTpass, like +Desonly, encrypt ALL, or leaving the encryption technique blank, but in vain.
This problem doesn't appear if I bind the CAS to the W2K3 server only.
Any advice on how to get out of this loop?
Many thanks
Mike

Hi Mike,
Is the win 2k8 server running at 2003 functional level? If so, by default, 2003 functional level is not supported. You need to perform the below workaround for it to work at the windows 2003 functional level as per the below link:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1266896
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
Note: Before performing the following step, Cisco strongly recommends making a backup copy of the CAS's /perfigo/access/tomcat/conf/krb.txt file.
After running the ktpass command above, manually modify two files on the CAS as follows:
–In the CAS CLI, navigate to /perfigo/access/tomcat/conf/krb.txt and add the following lines:
[libdefaults]
   kdc_timeout = 20000
   default_tkt_enctypes = RC4-HMAC
   default_tgs_enctypes = RC4-HMAC
   permitted_enctypes = RC4-HMAC
–Navigate to /perfigo/access/bin/starttomcat.
Search for CATALINA_OPTS.
Add -DKRB_OVERRIDE=true to the value of CATALINA_OPTS.
For example:
     Old value: CATALINA_OPTS="-server ..."
     New Value: CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
–Restart the CAS by entering the service perfigo stop and service perfigo start commands.
P.S.: Please mark the question as answered, if it has been resolved. Do rate helpful posts. Thanks.
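
Added example (not part of the original reply or of Cisco's guide): a POSIX shell check that the two files named in the workaround above carry the settings quoted from the guide. The sample files it builds are constructed for illustration; the function names and the realm and host names inside the samples are assumptions.

```shell
#!/bin/sh
# Verify the two-file workaround quoted above.
# Paths on the appliance, as given in the post:
#   /perfigo/access/tomcat/conf/krb.txt
#   /perfigo/access/bin/starttomcat

# Print the last value assigned to key $2 inside [libdefaults] of file $1.
# Keys with the same name in other sections (e.g. [realms]) are ignored.
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Succeed when an uncommented CATALINA_OPTS assignment in $1 carries the flag.
catalina_has_override() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?CATALINA_OPTS=' "$1" \
        | grep -q -e '-DKRB_OVERRIDE=true'
}

# Report each setting; return 0 only when everything matches the guide.
# Values are compared exactly as the guide prints them.
check_krb_override() {
    krb_file=$1; start_script=$2; rc=0
    for pair in kdc_timeout=20000 default_tkt_enctypes=RC4-HMAC \
                default_tgs_enctypes=RC4-HMAC permitted_enctypes=RC4-HMAC; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(libdefaults_value "$krb_file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (expected $want)"; rc=1
        else
            echo "OK       $key = $have"
        fi
    done
    if catalina_has_override "$start_script"; then
        echo "OK       CATALINA_OPTS carries -DKRB_OVERRIDE=true"
    else
        echo "MISSING  -DKRB_OVERRIDE=true in CATALINA_OPTS"; rc=1
    fi
    return "$rc"
}

# Write constructed sample files into directory $1 (not copied from a real CAS).
make_samples() {
    cat > "$1/krb_before.txt" <<'EOF'
[libdefaults]
   default_realm = EXAMPLE.LOCAL
EOF
    cat > "$1/krb_after.txt" <<'EOF'
[libdefaults]
   kdc_timeout = 20000
   default_tkt_enctypes = RC4-HMAC
   default_tgs_enctypes = RC4-HMAC
   permitted_enctypes = RC4-HMAC
[realms]
   EXAMPLE.LOCAL = { kdc = dc1.example.local }
EOF
    # The commented-out line must not count as the flag being set.
    printf '%s\n' '# CATALINA_OPTS="-server -DKRB_OVERRIDE=true"' \
                  'CATALINA_OPTS="-server -Xmx256m"' > "$1/starttomcat_before"
    printf '%s\n' 'CATALINA_OPTS="-server -Xmx256m -DKRB_OVERRIDE=true"' \
                  > "$1/starttomcat_after"
}

demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "== before the workaround =="
    check_krb_override "$dir/krb_before.txt" "$dir/starttomcat_before" \
        || echo "-> workaround incomplete"
    echo "== after the workaround =="
    check_krb_override "$dir/krb_after.txt" "$dir/starttomcat_after" \
        && echo "-> workaround in place"
    rm -rf "$dir"
}
demo
```

On a CAS, call check_krb_override /perfigo/access/tomcat/conf/krb.txt /perfigo/access/bin/starttomcat; the log further down this page shows the AD SSO service writing ../conf/krb.txt when it starts, so it is worth repeating the check after the restart.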

Similar Messages

  • NAC SSO in Windows 7 not Working

    Hello,
    I'm having problems with SSO process on workstations with Windows 7 and I need help to solve it.
    ENVIRONMENT:
    Clean Access Manager: 4.9.0
    Clean Access Server: 4.9.0
    Clean Access Agent: 4.9.0.33
    Compliance Module: 3.4.27.1
    Windows Domain : Windows 2003 Server Full Functional Level
    Status of Active Directory SSO: Started
    More information:
    On the Windows domain controller, I ran the following command with no errors:
    ktpass -princ NAC_USER/[email protected] -mapuser NAC_USER -pass mypass -out c:\nac_user.keytab -ptype KRB5_NT_PRINCIPAL
    The file nac_user.keytab was created in c:\ on the DC.
    On Windows XP workstations, SSO is working correctly.
    Windows 7 workstations work when I manually enable DES in "Start > Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies/Security > Options >  Network security > Configure encryption types allowed"
    I have many workstations running Windows 7 and cannot do this manual procedure on all of them.
    Running the tail -f /perfigo/access/tomcat/logs/nac_server.log command on the CAS, I see the following messages during an attempt to do SSO with an unchanged Windows 7:
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 WARN  com.perfigo.wlan.jmx.adsso.GSSServer               - Server was not running ...
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server starting server ...
    2012-03-09 11:45:21.329 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server is now running ...
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - SPN : [NAC_USER/[email protected]]
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - done building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - KDC(s) :[srvslsdc001.mydomain.net, srvpnpdc001.mydomain.net, srvpnpdc002.mydomain.net, srvalvdc001.mydomain.net, srvtatdco001.mydomain.net, srvtatdco002.mydomain.net, srvpaldc002.mydomain.net, srvmurdc001.mydomain.net, srvnundc001.mydomain.net]
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - creating login context ...
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - created login context ...javax.security.auth.login.LoginContext@b55e97
    2012-03-09 11:45:21.631 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Notifying GSSServer status Started
    2012-03-09 11:45:21.807 +0100  Thread-88 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...
    2012-03-09 11:45:42.285 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - opswat=3.5.2.1 dm_opswat=3.5.2.1
    2012-03-09 11:45:42.329 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - SWissServer: OPSWAT SDK Path=https://10.5.33.10/perfigo_download/CCAA/opswat-win.zip
    As we can see, I restarted the AD SSO service and the two bold lines are the records while trying to SSO with Windows 7, but without success.
    The NAC Agent pops up a request for manual authentication.
    Does anyone know how to solve this trouble?
    If you need more information please let me know .....
    Regards,
    Daniel Stefani

    Hi Guys,
    When I changed the files /perfigo/access/tomcat/conf/krb.txt and /perfigo/access/bin/starttomcat in CAS according to the configuration guide:
    /perfigo/access/tomcat/conf/krb.txt
    [libdefaults]
    kdc_timeout = 20000
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC
    permitted_enctypes = RC4-HMAC
    and
    /perfigo/access/bin/starttomcat
    CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
    an error was generated in nac_server.log when I tried to run the SSO service.
    ERROR:
    2012-03-07 11:52:50.655 +0100  Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer               - Unable to start server ... KDC has no support for encryption type (14)
    But I remembered that during the changes, I had checked the option "Use DES encryption types for this account" for the user account I'm using to run the service.
    When I unchecked this option in the user account options and kept the changes to the files krb.txt and starttomcat, the SSO service started with no errors and Windows 7 users can now do SSO too.
    tks,
    Daniel Stefani

  • Ume.login.mdc.hosts - SSO Multiple Domain

    Hi,
    My Portal domain is xxxx.net and my ECC domain is xxxx.com
    I exported the portal certificate into ECC and created parameters in RZ10 to create & accept SSO tickets.
    When I do the ECC System Connection tests in Portal, everything is good and successful. But when I run a Transaction iView, I get the ECC login screen.
    Based on SAP documentation, I modified the UME property as "ume.login.mdc.hosts = xxxx.com:8036", but I still get the ECC login screen in the portal when I run a transaction iView. Please advise.
    Thanks
    Vijay

    Not working on this right now

  • Calling a web service deployed in a SSO protected domain

    Hello,
    I want to write a web service based on a stateless session EJB and to deploy it as part of an application on an OC4J server. The application is protected by SSO.
    My question is: how should I write a client stub for that web service? How are the name and the password provided in the client stub in order to call web service (that will be also protected as part of the protected application)?
    Regards,
    Marinel

    Ditto. I get the feeling that no reply to your message must mean that OC4J doesn't support this.
    An even simpler scenario is getting an Applet client to connect to an EJB without having to provide the username and password from the Applet. Otherwise, we are forced to ask the user to login for every applet or we embed the user/pass in applet params. Both are unacceptable.
    Any ideas.

  • Problem with Cross-domain SSO, NTLM and ITS to R/3

    Hello,
    We are using EP 6.0.13.0 on a Windows environment.  We have an ITS running WebGUI/ESS/MSS in another domain and that is the same domain where the R/3 and BI systems reside.  We have configured NTLM authentication using IIS web server 6.0 and the IISProxy 1.6.2.  We have configured SSO with the backends using the same ID as in the MS-ADS.  Almost everything works fine.
    The problem is that when we use the NTLM logon VIA the IIS to the portal, and then navigate to a WebGUI service transaction we are prompted for login.  When we refresh the portal screen and try again - it works.
    We have configured the mdc.hosts and are using the sendSAPSSO2Cookie.asp to generate the cross-domain logon ticket.
    I have read that ITS may require the PAS be set up but I thought that was only used when you are going directly to the ITS (leveraging the NTLM authentication) - not when you are going through the portal.
    Does anyone have some experience using ALL of the SSO features (i.e. SSO, cross-domain support, ITS, windows integrated authentication)?
    We have thought about the relax option for the domain but it does not apply as our domains are:
    SERVER1.domain1.com and SERVER2.domain2.com
    ... so relaxing would not help unless we relaxed to the ".COM" which is unreasonable.
    My regards,
    Judson Maizels

    Hi JUDSON
    Well, I'll give one easy solution:
    make an alias in the hosts file residing in the winnt\system32\drivers\etc directory which has the same domain name
    i.e.
    SERVER1.domain1.com   server1.mydomain.com
    SERVER2.domain2.com   server2.mydomain.com
    It works in my scenario; we have the same system landscape as you.
    regards,
    kaushal

  • Anyone have Contract Manager v13 installed on a domain controller?

    Hello Everyone
    I have a client who says that the primavera reseller told him it was ok to install CM13 on his Domain controller w2k3 r2, which hosts other databases such as quickbooks and instances of IIS.
    Has anyone ever installed in a situation like this, concurrently with other Dbs and Web servers running?
    I understand that the app server and web server is usually 2 separate machines as well, but with previous versions of CM, you were able to install both on one machine. And those machines were dedicated to CM.
    A quick one-line response on whether your server/servers are dedicated to CM would be great!
    Any other information would be a great help as well!
    Thanks
    Dennis
    Edited by: user12514167 on Jan 26, 2010 12:20 PM
    Edited by: user12514167 on Jan 26, 2010 12:25 PM
    Edited by: user9054083 on Jan 27, 2010 8:13 AM

    Technically it's not impossible. :) one line! :]
    Though I would never install CM on a DC; basically I would avoid anything that would make a crash of the DC more probable.
    The CM service will take 500-800MB of RAM and takes a huge peak on CPU during deployment; after that it is basically not that troublesome.
    The database (SQL or Oracle) needs its own memory and CPU.
    I'm not sure if you want your DC with other services to be overloaded.
    IIS - they need to know that if any of the apps they use on IIS is using port 80 they will not be able to use the CM service on port 80 as well.
    With the prices of hardware vs prices of CM licenses I would ask aloud - why do you want it all on one machine?

  • Domain Administrator Problem

    I created a new domain admin account that is part of AD Administrators, Domain Admins and Enterprise Admins. I have been using this account for a couple of years with no issue. However, after promoting the domain to W2k3 and adding 2012 R2 domain controllers I keep running into issues with the account.
    The most recent was using the command 'appcmd list backup' in prepping for IIS migration. I received an Access is denied error. I tried this with another account that should have domain admin privileges and got the same error. When using the original Administrator account there is no issue.
    Does anyone have any thoughts on this? Is there a way to check rights and permissions for a domain admin, Enterprise admin and Administrator account? So far all I have found is stuff related to the SID but I don't believe this is a true check of rights.
    Thanks

    > Yes but isn't is a best practice to rename and disable it? Shouldn't
    > there be a way to create an equivalent account without the -500 SID or
    > am I missing something ?
    "Disable", yes. "Rename", no - renaming it has no benefit, the SID stays
    with him :)
    This is an old tale of the "security by obscurity" days.
    Martin
    How about reading a GOOD book on GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • W2K8r2 DC not serving clients

    Problem Context:
    4 DC's serving the domain (native W2K3), DC01, 2, and 3 are W2K3x32, DC04 is W2K8r2x64 (newly added).
    All DC's are GC and DNS.
    DC's all pass DCDiag with no unexplainable errors
    LDAP query of the DC's in the site shows all 4, with identical weight
    All DC's are in the same AD Site
    No errors in any event log
    Sysvol is visible from everywhere, for all 4 DC's
    repadmin /replsum /errorsonly on all DC's (including 04) shows no issues that I don't understand (we have a remote DC in the forest offline, I see that one)
    Each DC points to another DC for 1st DNS and itself for 2nd, in a chain (01->02, 02->03, etc)
    All are single NIC, on different subnets.
    I have 1500+ clients in my environment.  DC01/2/3 are slated to be upgraded, DC04 is the first.  It's newer hardware, 1gb vs 100mb, more ram, x64, etc.  However, in removing the old 04 and adding a new one, DC01/2/3 went off the charts on CPU/LSASS.  Doing a query (nltest /sc_query:domain) of my environment, I show that 33% of the environment is divided up each to 01/2/3, 0% go to DC04.  I have a script I run to "stir the pot" after I reboot a DC to "rebalance" them, which is essentially an "nltest /sc_reset:domain" run on each server.  I run this, and 33% end up on 1/2/3, 0% on 4.
    If I do it by hand, nltest /sc_reset:domain\dc04, it works and the system uses DC04 and stays there, as expected, but if left to their own devices, zero systems choose DC04.
    Help?  I've no clue why this is happening.  What happens when I replace DC01/2/3 with W2K8 DC's?  Will the systems choose none of them?  We're buried in CPU alerts and my proliferation is blocked until I can close on this.
    Any wisdom would be greatly appreciated.  Thank you.

    1. 14 domains in the forest
    2. Results of the dnscmd (clipped in the middle)
    dnscmd rf3psdc04 /EnumZones
    Enumerated zone list:
            Zone count = 129
     Zone name                      Type       Storage         Properties
     .                              Cache      AD-Domain
     1.8.10.in-addr.arpa            Primary    AD-Legacy       Secure Rev
     10.8.10.in-addr.arpa           Primary    AD-Domain       Secure Rev
    ***lots of reverse lookup zones***
    mfg.intel.com                  Secondary  File
    rf3prod.mfg.intel.com          Primary    AD-Legacy       Secure
    TrustAnchors                   Primary    AD-Forest
    3. I did, both at the root and child.  The NS record only contains the 4 DC's, with correct IP's.  The msdc's folder only contains the 4 DC's with correct IP as well.
    4. I have IP concerns posting the log file to a public forum, but going through it and checking the health checks on that site, the domain passes all tests, including the SRV test at the end.  I even cycled through each DC on server= and re-ran the query, from multiple clients, it returns the same info, the correct info, all 4 DC's, with the same weight.

  • SBS2003 monitoring/reporting without using internal mail server?

    Client is running SBS2003 and for certain reasons, is not running internal exchange. All Exch services disabled and need to stay that way.
    Question; is it possible to configure the server somehow (registry, etc) to point the email to an external SMTP server instead of the internal mail server? We need to get the performance reports but aren't allowed to enable exchange.
    Thanks!
    Charlie

    As best I can recall, in the SBS 2003 era the reports are actually emailed using the SMTP service and not Exchange. No information has ever been provided from the MS Product team on how to make mods to this.
    But because of the integration of SBS, when you indicate the users to send to, it's looking at the FQDN and if it's the one supplied during the CEICW wizard, then it's trying to send that to an Exchange mailbox. Have you tried running the wizard and supplying an outside POP3 address? (not the hosted Exchange) Does the message arrive?
    Cris Hanna [SBS - MVP] (since 1997)
    Co-Contributor, Windows Small Business Server 2008 Unleashed
    http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
    Owner, CPU Services, Belleville, IL
    A Microsoft Registered Partner
    MVPs do not work for Microsoft
    Please do not submit questions directly to me.
    <Charlie Kaiser> wrote in message
    news:[email protected]...
    No, I'm really not sparring with you. I'm just removing the irrelevant factors from the conversation.
    If you really have to know, their hardware is somewhat underpowered for the utilization it is receiving. The client is on hard times and cannot afford to upgrade the server hardware, nor can they afford a second server. Rebuilding their domain onto W2K3/W2K8 standard is also too expensive a project for them.
    They have hosted external exchange and have for quite some time. They are happy with it and don't want to change. The server, after we took it over and tuned things for them, works fine. They experience almost no downtime and performance is adequate given the current configuration. But adding any additional load to the server results in performance issues, including memory and disk space. Adding an additional 5% load on the server for exchange right now is not an option for us or them. They do not want nor need exchange running internally.
    So it returns to the original question; is there any way to simply point the outbound email to a different SMTP server? Somewhere, the monitoring component says "send this information by email; connect to SMTP." If there's a way to modify that easily, we will do so. If there is not, then we'll probably just shut off the SBS monitoring and use a 3rd party tool instead. But pointing SMTP is possibly simpler than making those changes.
    As a small-business consultant, we spend a lot of time trying to help small companies do things as cheaply as possible. For many companies, spending a few grand on a server or project is absolutely out of the question these days. So we do what we can. The solution you are pushing can work fine for a larger company that has a healthy IT budget. But not in this case.
    Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL

  • Portal access through a firewall

    Hi there!
    Having the default installation of R2 on a single W2K box, what's the minimal procedure to make this configuration available through a firewall?
    I've opened ports 7777-7778 but fail when trying to logon via SSO (host.domain.com:7777/pls/orasso)
    Have I missed out to open another port or am I forced to follow the steps of setting up a reversing proxy to have portal-access outside the firewall?
    Cheers
    /Staffan

    If they are on different servers, then both are listening on the 7777 port, and you will have to change one of them to use another port (assuming your firewall can only port forward a port to only one host).
    If you are running both instances on the same server, then your SSO is accessible via 7777 and your midtier would be on 7778, so your setup as described should be enough (I do the same thing).
    If they are running on the one machine, can you access the SSO/INF server directly? http://inf.domain.com:7777 and then http://inf.domain.com:7777/pls/orasso ?

  • After SPNEGO is activated other existing services with Technical user not working

    Hi All,
    We have activated SPNEGO, One of our existing service with Technical user is not working.
    When SPNEGO is disabled it works.
    Regards
    Ram

    Hi Patrick
    We are using SSO. and domain controller has service user. We are in 7.31 PI as Java so user mapping is not done but have same users in Active directory.
    SSO is working fine. But one specific service where we are using a technical user is not working when SSO is active, and it is working when SSO is inactive.
    Regards
    Gangula

  • The single tap on our track pads works sporadically

    Our track pad arrow works fine. When I single click, the function does not work.  It seems to not to have a pattern. Need help trouble shooting.

    Hi we had also a big issue with SSO and domains. Our Portal was in domain <portalservername>.a.b.c and our BW System in <bwservername>.a.b.c
    So we thought SSO should work. But the portal had an alias name enterprise.portal.b.c (which was actually used to access the portal via the Internet Explorer)
    And that was the problem.
    The Ticket will be created for portal.b.c and the Session Ticket will only be sent to Servers in portal.b.c Domains. Our BW System is in a.b.c so the Session Ticket was not sent.
    We solved the problem (with help of SAP) by adding a system Alias for the BW System named <bwservername>.portal.b.c
    And now SSO was working.
    So it is not the domain the system is in that is important, but the URL in your browser window.
    I don't know if this helps you in any way, but I wanted to share it anyway.
    Best regards,
    Kai

  • Windows Native Authentication

    Hi guys,
    I was able to set up the WNA; in fact
    no errors appear in the OC4J~OC4J_SECURITY~default_island~1 log file when the OC4J_SECURITY instance starts up
    but if I try to connect to
    http://sso.<domain>/pls/orasso using a client of
    Windows Domain the sso login page appears
    and the following message in ssoServer.log
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Calling Authentication method
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Falling back to SSO authentication
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOServerAuth:authenticate method
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 user name NULL
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Password Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Subscriber Null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Voice header: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 x-oracle-mobile-authtype: null
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 auth mode is user/pass
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Perhaps this is a Basic Auth u/pwd
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 No username supplied. Sending IPASInsufficientCredException
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Requesting Login Page to collect credentials
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.getUserCredentialPage method ...
    [DEBUG] AJPRequestHandler-ApplicationServerThread-6 Sending login page to the user with an error message: null
    [INFO] AJPRequestHandler-ApplicationServerThread-6 Exiting from SSOKerbeAuth.getUserCredentialPage method
    Any ideas about this issue?
    Regards
    Luigi

    Luigi,
    did you follow up
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    regards,
    --olaf

  • Potential JavaSSO and Custom Login Module Bugs In Clustered Environment

    We've been working with the custom login modules and JavaSSO and have found issues with deployment on 10.1.3.2 in a clustered environment. Deployment on a single server looks like it is working properly.
    I'm wondering whether any one here has been using CLM with JavaSSO and have deployed in a clustered application server environment? I've posted in the past regarding this in the OC4J side, but never got a response, so I thought I'd try the experts here...
    Here are some TARS that we've logged. Any help from the community would be appreciated.
    6320304.994 JAVASSO JSSOUTIL.LOGOUT FUNCTION REDIRECT NOT WORKING ON CLUSTER
    6365407.993 SETTING <distributable/> TAG IN WEB.XML CRASHES APPLICATION
    6338664.992 JAVASSO LOGIN PAGE DOES NOT LOGIN USER BUT RELOADS LOGIN PAGE
    Thanks!
    Kenton

    Hi Kenton,
    Specifically, what were the issues that you ran into when clustering JavaSSO? Was it a problem only when combined with the Custom LM?
    As long as the same CLM is configured for your app (I assume this is also clustered) and JavaSSO, that should be sufficient. Obviously, CLM need to be configured against the same user repository.
    If the apps were on different hosts, did you remember to set the property "custom.sso.cookie.domain" to set the right domain name in the cookie? Otherwise, you will keep getting redirected to the login page.
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/javasso.htm#BABJCGCB
    -skt

  • OEM not connecting to database

    I am getting the screen with the following message...
    The database status is currently unavailable. It is possible that the database is in mount or nomount state. Click 'Startup' to obtain the current status and open the database. If the database cannot be opened, click 'Perform Recovery' to perform an appropriate recovery operation.
    Related Links
    Configure Recovery Settings
    When I click startup it is asking for host and database credentials and then when I click OK it is asking whether to startup database. When I click OK it is again returning back to the same page displaying the above message.
    But I am able to startup the database in the command prompt with sql commands .
    Please help me out...

    Yes ... I am using Database Control, and the content of my emoms.properties is
    # emoms.properties
    # Properties used by Console Configuration Manager.
    # Version 1.0
    # MODIFIED (MM/DD/YY)
    # rpinnama 12/26/03 - Removing repAgentUrl
    # sjconnol 12/11/03 - remove noSave flag for pref creds
    # hsu 12/05/03 - add param for stmt caching
    # mpawelko 11/24/03 - change iSQLPlus URL entries
    # hsu 11/10/03 - add sharing param
    # sjconnol 10/16/03 - add noSave flag for pref creds
    # mgoodric 10/10/03 - add proxyHost, proxyPort, dontProxyFor
    # vkapur 08/13/03 - add emdRepRAC for db console
    # mpawelko 07/15/03 - add iSQLPlus DBA URL placeholder
    # mpawelko 06/26/03 - add iSQLPlus URL placeholder
    # streddy 06/12/03 - Added emdrep.ping.pingCommand
    # dkapoor 04/21/03 - append db console params
    # aholser 04/02/03 - add oms name
    # skini 03/26/03 - Add connect descriptor
    # skini 02/20/03 - skini_2771051_2_4.0.1_main
    # rpinnama 01/03/03 - Remove pingDirectory
    # skini 12/31/02 - Leave only essential properties
    # skini 12/30/02 - Comment out defaults
    # rpinnama 12/12/02 - Add emdrep.ping.pingDirectory
    # skini 11/13/02 - Add documentation for proxy parameters
    # skini 11/08/02 - Add auth properties
    # jpyang 10/24/02 - change maxConnForJobWorkers to 10
    # ggilchri 10/23/02 - add https port
    # dmshah 10/16/02 - Adding nvp for db connection settings
    # xshi 10/03/02 -
    # xshi 10/02/02 - sso config - domain
    # aholser 10/07/02 - move repository.properties to console.properties
    # xshi 08/19/02 - add das location
    # xshi 08/14/02 - add sso consoleauthentication
    # lyang 06/14/02 - lyang_add_configuration_manager
    # OMS login information
    oracle.sysman.eml.mntr.emdRepSID=%EM_REPOS_SID%
    oracle.sysman.eml.mntr.emdRepPwdEncrypted=false
    oracle.sysman.eml.mntr.emdRepPort=%EM_REPOS_PORT%
    oracle.sysman.eml.mntr.emdRepUser=%EM_REPOS_USER%
    oracle.sysman.eml.mntr.emdRepPwd=%EM_REPOS_PWD%
    oracle.sysman.eml.mntr.emdRepServer=%EM_REPOS_HOST%
    oracle.sysman.eml.mntr.emdRepConnectDescriptor=%EM_REPOS_CONNECTDESCRIPTOR%
    # From the old web.xml file
    oracle.sysman.emSDK.svlt.ConsoleServerHost=%HOSTNAME%
    oracle.sysman.emSDK.svlt.ConsoleServerPort=%EM_UPLOAD_PORT%
    # The https port dedicated to the receiver servlet using an EM Certificate
    oracle.sysman.emSDK.svlt.ConsoleServerHTTPSPort=%EM_UPLOAD_HTTPS_PORT%
    oracle.sysman.emSDK.svlt.ConsoleServerName=%HOSTNAME%_Management_Service
    oracle.sysman.emSDK.svlt.ConsoleMode=standalone
    oracle.sysman.emSDK.sec.ReuseLogonPassword=true
    oracle.sysman.eml.mntr.emdRepDBName=%EM_TARGET_DBNAME%
    oracle.sysman.eml.mntr.emdRepRAC=false
    # iSQL*Plus integration
    oracle.sysman.db.isqlplusUrl=http://opsserver-dt.sci.local:5560/isqlplus/dynamic
    oracle.sysman.db.isqlplusWebDBAUrl=http://opsserver-dt.sci.local:5560/isqlplus/dba/dynamic
    # port specific ping command
    emdrep.ping.pingCommand=/usr/sbin/ping <hostname>
    # HTTP Proxy server to Oracle MetaLink
    #proxyHost=%EM_PROXYHOST%
    #proxyPort=%EM_PROXYPORT%
    #dontProxyFor=%EM_DONTPROXYFOR%
    # For controlling the sharing of realtime metric collection
    oracle.sysman.emSDK.emd.rt.useMonitoringCred=true
    # The number of JDBC statements that's cached per repository
    # connection. Setting it to 0 would turn off caching
    oracle.sysman.emRep.dbConn.statementCacheSize=30
    # The number of JDBC statements that's cached per direct-target admin
    # connection. Setting it to 0 would turn off caching
    oracle.sysman.db.adm.conn.statementCacheSize=2
    # The number of JDBC statements that's cached per real-time database
    # connection used for performance monitorng
    oracle.sysman.db.perf.conn.statementCacheSize=30
