Sharepoint authentication via NTLM from proxy OSB service
Hello all,
I want to reopen again this point of NTLM authentication for OSB to IIS/Microsoft.
So we followed all the recommendations until now regarding Authenticator and open URL.
The problem is that the webservice client generated from the SharePoint WSDL runs OK from a Java environment (JDeveloper, Eclipse) with the Authenticator class set.
But when we move to OSB and make a proxy service that makes the Java callout to one of the client methods, the response is 401 - not authorized.
Any new hints ?
What can be wrong ?
Many thanks in advance ,
Stefan
> Any way how can I see the error messages also in the log of OSB
You may use sysout's in Java code to print information on Standard out. You may also utilize server logging service-
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13739/logging_services.htm#CJAGBADA
> enable some http monitor to see what happened behind - and where credentials are lost .
You may use any network packet analyzer.
Regards,
Anuj
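A diagnostic along the lines suggested in the reply above, as an added example (not code from the thread): it logs which HttpURLConnection implementation handled the call, whether the JVM ever consulted the default Authenticator, and which schemes the server offered, without printing the password. The class name, the PROBE_USER / PROBE_PASSWORD variables and the loopback stub (which issues a Basic challenge, not NTLM) are assumptions; pass the real service URL as the first argument when running it in the callout's JVM.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.util.*;

public class CalloutAuthProbe {
    // Reports every challenge the JVM asks this Authenticator to answer.
    // The password itself is never printed.
    static class LoggingAuthenticator extends Authenticator {
        private final String user;
        private final char[] password;
        int calls = 0;

        LoggingAuthenticator(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            calls++;
            System.out.println("[auth] challenge #" + calls + " scheme=" + getRequestingScheme()
                    + " host=" + getRequestingHost() + " url=" + getRequestingURL());
            return new PasswordAuthentication(user, password);
        }
    }

    // Sends one GET and prints what decides the outcome: the connection class
    // in use, the final status, and the authentication schemes the server offered.
    static int probe(String endpoint) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        System.out.println("[http] connection class = " + conn.getClass().getName());
        int status = conn.getResponseCode();
        System.out.println("[http] status = " + status);
        for (Map.Entry<String, List<String>> h : conn.getHeaderFields().entrySet()) {
            if ("WWW-Authenticate".equalsIgnoreCase(h.getKey())) {
                System.out.println("[http] server offers " + h.getValue());
            }
        }
        conn.disconnect();
        return status;
    }

    // Constructed loopback stub: answers 401 with a Basic challenge until the
    // request carries an Authorization header, then answers 200.
    static HttpServer startStub() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", new HttpHandler() {
            public void handle(HttpExchange ex) throws IOException {
                boolean authed = ex.getRequestHeaders().getFirst("Authorization") != null;
                if (!authed) {
                    ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"stub\"");
                }
                ex.sendResponseHeaders(authed ? 200 : 401, -1);
                ex.close();
            }
        });
        server.start();
        return server;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical variable names; the fallbacks are placeholders, not real credentials.
        String u = System.getenv("PROBE_USER");
        String p = System.getenv("PROBE_PASSWORD");
        LoggingAuthenticator auth = new LoggingAuthenticator(
                u != null ? u : "DOMAIN\\svc-example",
                (p != null ? p : "not-a-real-password").toCharArray());
        Authenticator.setDefault(auth);

        HttpServer stub = args.length == 0 ? startStub() : null;
        String endpoint = stub != null
                ? "http://127.0.0.1:" + stub.getAddress().getPort() + "/" : args[0];
        try {
            int status = probe(endpoint);
            System.out.println("[result] status=" + status + " authenticatorCalls=" + auth.calls);
        } finally {
            if (stub != null) stub.stop(0);
        }
    }
}
```

Comparing the printed connection class and the authenticatorCalls count between the IDE run and the run inside the server shows whether the two environments are using the same HTTP client code and whether the credentials were ever requested.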
Similar Messages
-
Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication
This is similar to
http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
However I have tried his resolution to no avail.
I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
event ID 13019
level: warning
Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
Published Application Name: sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com
Published Backend URL: https://sharepoint.domain.com
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://sharepoint.domain.com/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>"
And
event ID 12027
level: error
Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: ****
Session ID: ****
Published Application Name: Sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com/
Published Backend URL: https://sharepoint.domain.com/
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: OuOfOrderFEHeadersWriting
Response Code to Client: 500
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>"
I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.
And within the next 10 minutes I found this
http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
Needed to set up delegation to ANY service in the Web application proxy
-
Can I configure WS-Sec authentication via Active Directory with OSB or OWSM
Hi
I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
Regards,
Néstor Boscán
Hi.
OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
OWSM
http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
and
http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
hope this helps
best
rolando
-
Sharepoint authentication via AD
Hi,
We normally give permission to SP objects (list/libraries) via AD groups. e.g. if no of users want to access a particular report, we create a group in AD, add all these people and give permission to that group in AD.
Yesterday, some people complained that they can't access the report. After investigation, I came to know that the particular group is missing from AD. We created a new group with same name but it didn't work. I still have to add this group to SP manually.
I am not sure where we had used the old group in SP for permissions.
My Questions:
1) Is there a quick fix to solve this? If something can be done in AD and the old group will start working
2) Is there a way to know what are the places the old group was used to give permissions in SP?
3) Is there a way to know who were the members in the old group from SP? Does SP cache the members and keep them somewhere in SP itself?
4) I also noticed that the old group is shown in SP w/o the domain name. e.g. the group name is HRGroup and our domain is companydomain. It should show as companydomain\HRGROUP but it just shows as HRGROUP with domain group category
Hi Dai,
Thanks for your reply.
I checked with my Admin guy and he told me that it's required to have "domain function level needs to be 2008 R2" but unfortunately our domain function level is still 2003
so that can't be possible.
-
Hi Friends,
Greetings!
Is there a way to secure an OSB service so that user will be able to access it only if they pass their AD/LDAP userid and password?
Note: I know I can add service accounts. However I want to avoid adding a huge number of users/service accounts manually.
Thanks,
Sachin.
Hi Sachin,
You have to configure the WebLogic security realm to add an AD/LDAP Authentication provider.
http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/
In order to secure the OSB service you can enable HTTPS or have message level security for the same.
> know I can add service accounts. However I want to avoid adding a huge number of users/service accounts manually.
No need to maintain n number of accounts per n number of users.
Use Basic Authentication/Custom Authentication/OWSM username token service policy to authenticate username/password with AD/LDAP.
For Authorization: Use Transport/Message Level Authorization at OSB Service level
Regards,
Abhinav Gupta
-
Error while invoking web services from Proxy services in OSB
I have a Proxy Service of message type in Oracle Service Bus 10gR3 and it passes the incoming messages from a JMS Queue to a Business Service of Web Services type. This Web Service is hosted in Glass Fish v3 and its binding style is RPC. The JRE used in both the servers is 1.6.0_20. The JMS message is of Text type. The Web Service at the Glass Fish throws MessageCreationException for any content of the JMS message. However, it works fine if the Business Service's test client is invoked from the OSB's Admin Console. However, the same will not work if the Proxy Service's test client is called.
The detailed exception stack is given below :
Thanks for the help.
- Raj
com.sun.xml.ws.protocol.soap.MessageCreationException: Couldn't create SOAP message due to exception: XML reader error: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
at com.sun.xml.ws.encoding.SOAPBindingCodec.decode(SOAPBindingCodec.java:359)
at com.sun.xml.ws.transport.http.HttpAdapter.decodePacket(HttpAdapter.java:318)
at com.sun.xml.ws.transport.http.HttpAdapter.access$500(HttpAdapter.java:92)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:501)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:285)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:143)
at org.glassfish.webservices.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:116)
at org.glassfish.webservices.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:87)
at org.glassfish.webservices.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:196)
at org.glassfish.webservices.EjbWebServiceServlet.service(EjbWebServiceServlet.java:127)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at com.sun.grizzly.http.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:195)
at com.sun.grizzly.http.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:139)
at com.sun.grizzly.http.servlet.ServletAdapter.doService(ServletAdapter.java:376)
at com.sun.grizzly.http.servlet.ServletAdapter.service(ServletAdapter.java:329)
at com.sun.grizzly.tcp.http11.GrizzlyAdapter.service(GrizzlyAdapter.java:166)
at com.sun.enterprise.v3.server.HK2Dispatcher.dispath(HK2Dispatcher.java:100)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:245)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:791)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:693)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:954)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:170)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)
Caused by: com.sun.xml.ws.streaming.XMLStreamReaderException: XML reader error: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.wrapException(XMLStreamReaderUtil.java:267)
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.next(XMLStreamReaderUtil.java:95)
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.nextContent(XMLStreamReaderUtil.java:110)
at com.sun.xml.ws.streaming.XMLStreamReaderUtil.nextElementContent(XMLStreamReaderUtil.java:100)
at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:175)
at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:303)
at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:129)
at com.sun.xml.ws.encoding.SOAPBindingCodec.decode(SOAPBindingCodec.java:354)
Let me explain what I am trying to achieve. Our application receives data from multiple sources - from mainframe using FTP, JMS Queue and BPM application using Web Services. The data from all these sources are sending to a Web Service running in GlassFish V3. To handle this I have created three Proxy Services and one Business Service on OSB. The Business Service is of type Web Service using the same WSDL from the target Web Service.
The Proxy Services are configured as follows:
Proxy 1 (type - Messaging service) listens to the JMS Queue and receives JMS Text Message -> Business Service(B1) (Web Service).
Proxy 2 (type - Messaging service) polls files from the FTP Server -> Business Service(B1) (Web Service).
Proxy 3 (type - Web service) is invoked by the BPM application and sends a String -> Business Service(B1) (Web Service).
All the Proxies route to the same Business Service - B1 which calls the Web Service in GlassFish. The only Proxy that works fine is Proxy 3 which is created using the same WSDL of the Web Service. In the other two proxies it throws the same exception in GlassFish as I mentioned before.
com.sun.xml.ws.protocol.soap.MessageCreationException: Couldn't create SOAP message due to exception: XML reader error: com.ctc.wstx.exc.WstxEOFException: Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0] at com.sun.xml.ws.encoding.SOAPBindingCodec.decode(SOAPBindingCodec.java:359)
Is this configuration correct to achieve my requirements?
Once again thanks for the help.
- Raj
-
Route the request from Proxy Service in OSB to external BusinessService URL
Hi,
How to route the request from Proxy service to the Business Service(Which is not registered in the OSB) using End point URL.Dynamically look up the URL and route the req from Proxy to Business service.
thanks in Advance
Edited by: user10680427 on Jul 14, 2009 2:57 AM
Edited by: user10680427 on Jul 14, 2009 3:34 AM
Hi..
Just set it within the routing options in a route node, either dynamic routing or just setting the URI, depends on your specific case..
-
Consumer-Proxy authentication via x.509 Certificate
Hi experts,
I want to consume a service from an ERP system and authenticate via x.509 SSL Certificate. But in soamanager there is no checkbox for this authentication method when I create the logical port. Only “User Id / password” and “SAP authentication Assertion Ticket” are existing under consumer security. Has someone any idea / hint? I have no idea how I can solve the problem… The Basis Team installed the x.509 client certificate.
The logon to a service which is running on SAP ECC 6.0 works via SSL and Client Certificate. (Configuration in SOAMANAGER
Provider Security -> Transport Guarantee Type: Https
HTTP Authentication: x.509 SSL Client Certificate via Https)
But the authentication to a consumer proxy from SAP to a legacy system only works via http and username / password at the moment
In SOAMANAGER -> Logical Port -> Consumer Security there is no opportunity for SSL or Client certificate. There are only the two opportunities:
User ID / Password
SAP Authentication Assertion Ticket
In SOAMANAGER -> Logical Port -> Transport Settings: there is an opportunity to select Https. Is this selection enough for x.509 Client Certificate and SSL?
Someone an idea how to configure a consumer proxy (SAP ECC 6.0) for certificate authentication?
-
Proxy business services in osb
In osb if i want to get data from a client then what is the procedure
I am using a business service whose endpointuri is a proxy service (protocol http)
And this business service is inturn called by my local proxy service
Is this procedure correct ?
if not then what is the correct procedure how many proxy and business services do i need to get data from my client
Thanks,
Rahul
How many Proxy Services and Business Services to use depends on the use case.
For example, if your client will initiate a transaction when it has some data to send to another system then you will have to configure following flow:
First system (wants to send some data)--> Proxy Service(to receive data from Client) --> Business Service (to call the second system) --> second system web service API
Another scenario in which you need to get some data from the second system when requested by the first system (query scenario) the above flow would still remain the same.
Addition of another Proxy service depends on specific use case and scope of re-usability etc. For example if you want to fetch data from a system and that query can be reused in various processes or can also be called from various client applications then you can create a wrapper Proxy above the Business service and call this Proxy Service instead of calling the business service from your Proxy.
Domain structure also is a deciding factor, for example if you want to call a Proxy in one domain from another domain you can use a Business Service in the requesting domain.
-
Features to isolate OSB services from just one slow business service.
Hi,
Here is a OSB question around a quick business service that suddenly turn to be a slow one and the impact on the overall OSB performance.
Suppose you have a critical OSB cluster in production with many proxy and business services.
Because of requirements, you have a specific sync http business service (web service) that has an acceptable response time around 1 secs. But suddenly the response time goes to 30 secs or even more due to some problem, generating a great impact on thread and resource consumption on OSB side.
Suppose a http time out configuration of 2 secs on the business service is just not enough. OSB continues to crash.
You can use OSB throttling feature but doing that you have to fix a maximum concurrency.
If the service implementation is down, OSB can handle that using "Offline Endpoint URIs" in the operational settings of sbconsole. But in this situation the service is online accepting requests. It's just slow to respond.
This is a hypothetical situation just to stress the problem.
Besides business service time-out configuration and throttling and dispatch-policies on proxy/business services are there any other features that can be used ?
Wesley,
> Ok, once the business service request is sent, the thread is freed. When the response comes, a new thread is picked up to handle the business service response. So in the mean time there's no blocking thread.
Yes. It is correct.
> Just to make sure, what about the waiting synchronous http client calling the proxy service ?
> I mean, this fire-and-forget feature works only on the business service side or entirely for the proxy/business service (That separation would not make sense I suppose) ?
The same case with http proxy. The request thread will be used till the BS is invoked in the route node or end of the request pipeline. After this the thread is released. Once the response comes from the http BS on a different thread, that thread will be used till the end of the response pipeline
eg
Client---->Http Proxy---->Thread1{Request Pipeline--->Routenode---->End of Request actions in the Routenode--->Call BS Request} ----->Thread2{BS gets response--->Response Pipeline --->send response back to the client}
> For example, a http client is waiting for the proxy service response, but while the business service does not respond, there is no blocking thread at all in the proxy service side too ?
Yes. That is true
> So, there could be many waiting http clients calling this proxy service, all http business service requests sent, and no blocking threads ?
Yes.
> What would be the drawbacks of this feature ?
Nothing I can think of. Theoretically we will be forced to do extra overhead when BS latencies are low, which might be of little practical impact. In that case you can change QOS=Exactly once. BS request and response will be on the same thread, but the proxy response thread will always be different from that of the proxy request thread no matter what the QOS is set to
Cheers
Manoj
-
OWSM security for a OSB service- authenticate from weblogic security realms
Hello,
I have a requirement to add security to a OSB service.
The user details are configured in weblogic security realms. lets say there are ten different users.
I need to protect my osb service using OWSM policy & the policy should be configured to authenticate the user from realms.
I am new to OWSM & wondering if this is possible?
Can the experts please direct me to any docs or steps?
Thanks
Ganesh
Hi,
Thanks for the links.
I followed the blog and configured it using oracle/wss_username_token_service_policy.
Now my requirement is to send the username, password from proxy to business and to the BPEL. (the BPEL needs this username/password in the header)
The issue I am facing is the proxy service is not sending the SOAP header details to the business service.
I don't want to make the proxy as passthrough. (ie set Process WS-Security Header to NO)
I have to authorize on proxy level and then send the same credential details to business service?
So the question is, how can I retrieve the header after OSB processes it?
Can anyone please help me here?
Thanks
Ganesh
-
Transportation of security through header from proxy to business service
Hi,
I have an application in which i have implemented web security at proxy service level. I couldnt transport that to business service.
I have embedded USERNAME and PASSWORD in the header of the proxy service. This authentication should pass through to the business service, which in turn calls the SOA composite. How can i transport my credentials from proxy to business service.
Thanks
Karthick
Solved
-
We are getting an error on the authentication piece when trying to submit a file to the OfficialFile.asmx web service to submit a document to the Drop-Off Library. Here is the code snippet -
public string FileUpload(HttpPostedFile FileInput, RecordsRepositoryProperty[] properties)
{
    string strFileUrl = string.Empty;
    RecordsRepositorySoapClient repository = new RecordsRepositorySoapClient();
    // Read the uploaded file into memory
    BinaryReader b = new BinaryReader(FileInput.InputStream);
    byte[] binData = b.ReadBytes(FileInput.ContentLength);
    // Windows credentials for the call (iUserID, iUserPassword and iUserDomain are defined elsewhere in the class)
    repository.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential(iUserID, iUserPassword, iUserDomain);
    repository.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    // Submit the document, then ask the service where it was routed
    repository.SubmitFile(binData, properties, null, FileInput.FileName, HttpContext.Current.User.Identity.Name);
    strFileUrl = repository.GetFinalRoutingDestinationFolderUrl(properties, null, FileInput.FileName).Url;
    return strFileUrl;
}
Although we are setting the network credential in the client call we still get the error
- The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Ideas?
Thanks in advance.
Hi,
Based on the error message, the issue is related to the authentication type.
I suggest you can specify the credential type like the below:
CredentialCache credentialCache = new CredentialCache();
NetworkCredential credentials = new NetworkCredential(UserName, PassWord, sDomain);
credentialCache.Add(new Uri(recordCenterUrl), "NTLM", credentials);
Here is a detailed code demo for your reference:
http://blogs.msdn.com/b/mcsnoiwb/archive/2011/06/06/sending-files-to-a-record-center-using-the-sp2010-webservice-officialfile-asmx.aspx
Best Regards
Forum Support
Jerry Guo
TechNet Community Support
-
Comment out proxy/bussiness services in OSB
How can I comment some of the proxy/bussiness services in OSB?
I suppose you mean enable/disable.
There's an option for that in a proxy's operational settings (state = enabled).
For a business service simply don't expose it with a proxy service, or disable the proxy services that might route to it.
Hope that helps.
-
Java stored proc from proxy Java classes generated from a web service?
Hi gurus,
I have searched "Java Stored Procedure" on this forum but could not find what I am looking for, so I have to post again.
I need to use a web service and my client app is written in PowerBuilder 11 (Sybase), which claims that it will create a datawindow from a web service. Well, it turned out that PB can only handle simple stuff (it works with a very simple wsdl from the internet) but can't handle more complex ones that we need to use. So I am thinking about using Oracle JDeveloper (JDev) to create the web service proxy for the web service and then load it into Oracle as a Java stored procedure so that PowerBuilder can call the procedure. JDev successfully generated the proxy and a few Java classes. My question is, do I need to load all the classes into the database? If yes, will the reference to the package work? For example, in a JDev generated class (the soap client class), it has package MyJdev.proxy; at the top. Or, will it work if I load all the classes included in package /MyJdev/proxy into the database?
Thank you very much for any help.
Ben
For the java stored proc called from pl/sql, the example above that uses dynamic sql should work :
CREATE OR REPLACE PACKAGE MyPackage AS
    TYPE Ref_Cursor_t IS REF CURSOR;
    FUNCTION get_good_ids RETURN VARCHAR2;
    FUNCTION get_plsql_table_A RETURN Ref_Cursor_t;
END MyPackage;
/
CREATE OR REPLACE PACKAGE BODY MyPackage AS
    -- Call spec: maps the PL/SQL function to the static Java method
    FUNCTION get_good_ids RETURN VARCHAR2
    AS LANGUAGE JAVA
    NAME 'MyServer.getGoodIds() return java.lang.String';
    -- Builds the IN list from the Java result and opens a cursor on it
    FUNCTION get_plsql_table_A RETURN Ref_Cursor_t
    IS
        table_cursor Ref_Cursor_t;
        good_ids VARCHAR2(100);
    BEGIN
        good_ids := get_good_ids();
        OPEN table_cursor FOR 'SELECT id, name FROM TableA WHERE id IN ( ' || good_ids || ')';
        RETURN table_cursor;
    END;
END MyPackage;
/
import java.sql.SQLException;

public class MyServer {
    public static String getGoodIds() throws SQLException {
        return "1, 3, 6 ";
    }
}