3rd party authentication before ACS (TACACS+) auth

Dear experts,
I've been struggling to find information on 3rd party authentication integration with the ACS. I know that ACS can use external databases, but this is not what I'm looking for.
I have someone who wishes to use ACS for user authentication and at the same time develop real single sign-on to their corporate infrastructure. I have the product that can deliver this Single Sign-On, but thus far I've only been able to reduce Sign-Ons to two (ACS and then Single Sign-On).
What I would like to know is whether I can implement a third party authentication _before_ ACS authentication. In this scenario the 3rd party authentication server would be the first point of contact. After successfully receiving the user credentials from the user, the authentication server would forward this information to ACS. So is there any kind of description / API documentation on how to implement this? If this is possible, my customer could get real single sign-on to a multitude of Intranet services and continue utilizing the ACS investment.

Here is a document on Monitoring and Reporting Tool Integration into Network Admission Control.
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd801dee49.shtml
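As an added example that is not part of the original thread or of any Cisco documentation: ACS accepts authentication over TACACS+, so a front-end SSO server that has already collected the user's credentials can forward them to ACS by acting as a TACACS+ client, the same role a router plays. This assumes the SSO server is registered in ACS as an AAA client with a shared key. The code below implements the TACACS+ PAP authentication START/REPLY exchange and the RFC 8907 body obfuscation, with a simulated server standing in for ACS so it runs offline; the shared key (KEY), the user store (USER_DB), and the port and rem_addr values are constructed for the demonstration.

```python
"""TACACS+ (RFC 8907) PAP authentication client with a simulated server.

Added example, not code from the thread above. The SSO server is assumed
to be registered in ACS as an AAA client sharing KEY; USER_DB stands in
for the ACS user store. Key, users and addresses are constructed for the demo.
"""
import hashlib
import os
import struct

TAC_PLUS_VER_PAP = 0xC1          # major 0xC, minor 1: minor version 1 is required for PAP
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x07: "ERROR"}
KEY = b"example-shared-secret"                       # constructed shared key
USER_DB = {"alice": "correct horse battery staple"}  # constructed user store


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad (RFC 8907 section 4.5): MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(version, ptype, seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Split header and body; de-obfuscate unless the UNENCRYPTED flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return version, ptype, seq_no, session_id, body


def authen_start_pap(user, password, port="sso", rem_addr="10.0.0.5"):
    """Authentication START body; for PAP the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def parse_authen_reply(body):
    """Authentication REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    status, _flags, smsg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, hex(status)), body[6:6 + smsg_len].decode(errors="replace")


def simulated_server(packet, key):
    """Stand-in for ACS: decode the START, check USER_DB, answer PASS/FAIL with seq_no + 1."""
    version, ptype, seq_no, session_id, body = parse_packet(packet, key)
    _action, _priv, atype, _svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    user = body[8:8 + ul].decode(errors="replace")
    data_off = 8 + ul + pl + rl
    password = body[data_off:data_off + dl].decode(errors="replace")
    if ptype != TAC_PLUS_AUTHEN or atype != TAC_PLUS_AUTHEN_TYPE_PAP:
        status, msg = 0x07, b"unsupported request"
    elif USER_DB.get(user) == password:
        status, msg = 0x01, b"welcome"
    else:
        status, msg = 0x02, b"Incorrect password."
    reply = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return build_packet(version, TAC_PLUS_AUTHEN, seq_no + 1, session_id, reply, key)


def pap_login(user, password, key=KEY, send=simulated_server):
    """Client side: one START, one REPLY. `send` would be a TCP/49 round trip to ACS."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    start = build_packet(TAC_PLUS_VER_PAP, TAC_PLUS_AUTHEN, 1, session_id,
                         authen_start_pap(user, password), key)
    _ver, ptype, seq_no, sid, body = parse_packet(send(start, key), key)
    if (ptype, seq_no, sid) != (TAC_PLUS_AUTHEN, 2, session_id):
        raise ValueError("reply does not belong to this session")
    return parse_authen_reply(body)[0]


if __name__ == "__main__":
    print(pap_login("alice", "correct horse battery staple"))  # PASS
    print(pap_login("alice", "not the password"))              # FAIL
```

PAP fits this scenario because the credentials are already in hand; the interactive ASCII login flow (GETUSER/GETPASS/CONTINUE) is what a router uses when it prompts the user itself. Two caveats a practitioner should keep in mind: the body obfuscation is an MD5 pad keyed by the shared secret, not encryption, so the client-to-ACS link belongs on a trusted management network; and the forwarding server must verify the reply's session_id and sequence number before trusting the status, as `pap_login` does, so a stray or replayed packet cannot be mistaken for a PASS.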

Similar Messages

  • 3rd party authentication - PingFederater

    We are looking to use a 3rd party authentication tool (PingFederater) and were wondering if anyone has ever tried this.

    Hi,
    I have never heard that this works. When I look at the tech specs of the product I have never seen BOE working with these technologies.
    Besides, it is not listed in the PAM, so I think this would not work.
    To have an official statement I would recommend you open a Support Message with SAP Support.
    Regards
    -Seb.

  • Using Weblogic LDAP JAAS credentials for 3rd party authentication

    Hello to all!
    I'm posting this question because I'm developing a software layer that will connect a WebLogic-based web application, with LDAP authentication, to a 3rd party application, also with LDAP authentication, and I'm having difficulties in getting a javax.security.auth.Subject object from the WebLogic server.
    I already have a way of doing it, but it requires that a username and a password exist in some sort of storage in order to work (either hardcoded (which is to be avoided as much as possible) or stored in a file (which is to be avoided if possible, but if nothing better exists...)).
    I'm using a WebLogic 11g server, with LDAP authentication (LDAP provider placed last in the provider list, with flag SUFFICIENT), and I'm developing the software layer using Oracle's JDeveloper 11g Release 1.
    Now, this 3rd party application requires a javax.security.auth.Subject object in order to perform authentication.
    How do I get this from the WebLogic server?
    Of the following approaches, can you tell me which are the most correct ones?
    a)
        // Log in through a named JAAS configuration entry; no CallbackHandler is
        // supplied, so the configured LoginModules must obtain credentials on their own
        LoginContext lc = null;
        try {
            lc = new LoginContext("<JAAS instance name>");
            lc.login();
        } catch (LoginException e) {
            e.printStackTrace();
        }
        javax.security.auth.Subject subject = lc.getSubject();
    b)
        // Log in with an explicit CallbackHandler that supplies userid/password,
        // then run the 3rd party call as the authenticated Subject
        LoginContext lc = new LoginContext("<JAAS instance name>",
            new MyClass.CallbackHandler(userid, password));
        lc.login();
        javax.security.auth.Subject subject = lc.getSubject();
        javax.security.auth.Subject.doAs(subject, myClassObject);
    c)
        // Reuse the Subject of the caller already authenticated to WebLogic
        javax.security.auth.Subject subjectA = weblogic.security.Security.getCurrentSubject();
        javax.security.auth.Subject.doAs(subjectA, myClassObject);
    Thanks in advance,
    Nuno B.


  • HTTP authentication via ACS TACACS+.

    Hi.
    I configured a router for TACACS+ access and the console and CLI work fine.
    HTTP access continually prompts for a password and I can never gain access via the web.
    I have tried the various CLI combinations of IP HTTP AUTHENTICATION, but it still does not seem to work with TACACS+.
    Debug authentication and authorization are ok (PASS)!
    Any suggestions?
    Thanks.
    Andrea.

    Hi Andrea,
    Make sure that you have privilege level 15 for your account, as telnet can work without it, but for HTTP it's a must.
    You can configure it for the Group under which you have your user account, or on a per-user basis too.
    Select group > Edit Settings > TACACS+ section
    Check "Shell" and "Privilege level" and in the box in front of privilege level, put the number "15".
    Also, if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
    Let me know if it helps :)
    I suppose you have the "ip http authentication aaa" command configured.

  • Consume 3rd party authentication (providers) in SP13

    I have a situation where I should have multiple authentications for my SP13 farm.
    1. Since Claims is dominant in SP13, how can I integrate different (multiple) authentications? I am not clear on how claims work internally :(
    2. How users from different authentication types can be grouped into SharePoint specific groups?
    - GEM

    Hi GEM,
    1. Claims-based authentication is a more general authentication mechanism that allows users to authenticate on external systems that provide the asking system with claims about the user. For how claims-based authentication works, you can have a look at the blog:
    http://www.c-sharpcorner.com/UploadFile/Ashush/authentication-methods-in-sharepoint-2013/
    For integrating multiple authentication methods in a claims-based web application, you can refer to the blog:
    http://www.dotnetspark.com/kb/2845-configuring-multiple-authentication-providers.aspx
    2. For adding users from different authentication types into SharePoint groups, there are no special steps, because with claims-based identities a user obtains a digitally signed security token from a commonly trusted identity provider. The token contains a set of claims. Each claim represents a specific item of data about a user such as his or her name, group memberships, and role on the network. Claims-based authentication is user authentication that uses claims-based identity technologies and infrastructure.
    Applications that support claims-based authentication obtain a security token from a user, rather than credentials, and use the information within the claims to determine access to resources.
    Reference:
    http://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • 3rd party router before or after TC

    Quick question:
    If I connect G wireless clients to my old TC, the speed drops to G for all clients. Does the same apply to wired clients, i.e. if I connect one 100mbit wired client, does the speed drop to 100mbit for the gigabit clients as well?
    thanks,
    Tom

    If I connect G wireless clients to my old TC, the speed drops to G for all clients. Does the same apply to wired clients, i.e. if I connect one 100mbit wired client, does the speed drop to 100mbit for the gigabit clients as well?
    No. Each LAN port on the TC is self-sensing and will operate at the speed the connected client is capable of.

  • Migration of EmbeddedLDAP to 3rd Party LDAP

    Hi,
    Is it possible to migrate the complete authentication process of EmbeddedLDAP
    used by Weblogic 8.1 to any 3rd Party LDAP system ? Even the system user (default
    user : weblogic created during the domain setup) authentication should happen
    on a 3rd Party LDAP system. EmbeddedLDAP can at the most act as a bridge between
    Weblogic 8.1 and 3rd Party LDAP system. Is there any solution to this problem?
    Thanks in advance.
    Mandar

    I do not believe there are any restrictions on removing the default authenticator.
    When you boot the server make sure the user/pass is valid in the 3rd party LDAP
    and they have the proper admin/oper privileges to boot the server.
    You might want to configure the server with two authenticators first to verify
    you can successfully authenticate to the 3rd party LDAP before removing the default
    authenticator.
    -Craig

  • SGD with Third Party Authentication issue

    Hi
    I am trying to set up SGD with Third Party Authentication and have done all the prerequisites for this.
    I input the SGD URL and get the Third Party Login page, but after I input my credentials I get redirected to the SGD default login page, which should not be the case. I had already set "Tomcat Authentication" to false in server.xml and enabled the Third Party authentication scheme in Array Manager.
    What else am I missing?
    Kindly advise
    SGD ver 4.31
    Thanks

    Every now and then I have found the same. One thing that almost always solved the problem was recreating a new trusted user; you can follow the steps from:
    http://docs.sun.com/source/820-1088/trusted_users.html
    Especially the step to test the trusted user is a very good test to see if the trusted user is ok: http://server/axis/services/rpc/externalauth
    When prompted, log in as the trusted user.
    Another way to test it is via the api-test functionality: http://server/sgd/admin/apitest/
    First set up a session: webtopsession->startSession(0)
    Then authenticate via externalauth->setSessionIdentity
    These steps are the minimal steps to perform 3rd Party Authentication.
    (There is also an example JSP for 3rd Party Authentication on wikis.sun: http://wikis.sun.com/display/SecureGlobalDesktop/Single+sign-on+(before+4.40) )
    - Remold

  • ASA enable authentication for AD user by ACS TACACS fails

    In order to authorize commands on ASA 8.x for different users, I have to put 'aaa authentication enable console TACACS' into the ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
    It works fine for ACS local users; they are able to get into priv EXEC mode by entering the 'enable' command and using my pre-set password. However, the password doesn't work for the AD user.
    So, how do I set up enable authorization for an AD user?
    Or is there a way to drop a user directly into level 15 on the ASA, just like on a router?
    Below is the debug info. (I'm sure the password is the one I set in ACS.)
    LABASA1(config)# AAA API: In aaa_open
    AAA session opened: handle = 884
    AAA API: In aaa_process_async
    aaa_process_async: sending AAA_MSG_PROCESS
    AAA task: aaa_process_msg(d45bd5c8) received message type 0
    AAA FSM: In AAA_StartAAATransaction
    AAA FSM: In AAA_InitTransaction
    Initiating authentication to primary server (Svr Grp: TACACS)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server: 192.168.1.221
    AAA FSM: In AAA_SendMsg
    User: fostco\user1
    Resp:
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 884, pAcb = d5b193e0
    aaa_backend_callback: Error:
    Incorrect password.
    AAA task: aaa_process_msg(d45bd5c8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
    AAA API: In aaa_close
    AAA task: aaa_process_msg(d45bd5c8) received message type 3
    In aaai_close_session (884)

    I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
    I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log in to the ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell (exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role admin using the 'default-domain'.

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices, or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and put in the following fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional; if you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to these devices also, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test; also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Having a problem with 3rd party software. Their tech advised me to repair permissions before reinstalling the software. However, a query says repairing permissions is not good for the system. What's up? Help!

    Having a problem with 3rd party software. Their tech advised me to repair permissions before reinstalling the software. However, a query says repairing permissions is not good for the system. What's up? Help!

    I've fixed the problem - I think.
    I forgot I had the program "Little Snitch" installed on my computer. So I went into it and saw that it was blocking most of my connections for all the programs I use on a daily basis. Once I lifted the RULE to those certain programs - BAM - everything came back to life in an instant!

  • Authentication on PocketPC through 3rd Party SSO client

    Dear community,
    I am currently investigating the possibility of authenticating a user on a PocketPC device through a 3rd party SSO client.
    Does anyone have any experience with this? What is the configuration effort and what product was used?
    Thank you very much, best regards
    Jochen

    As an addendum to my post, I've seen that this can be done.
    http://www.hardcopy.de/hardcopy/english/bsp_sap_neu_kz.php3

  • Pricing conditions for the articles are getting triggered one day before the actual activation date to 3rd party systems through job WPMU.

    Hi SAP Gurus,
    Currently we are sending the pricing, promotions & article master data delta load to a 3rd party system from SAP ECC via SAP XI through IDocs using daily scheduled batch jobs (WPMU). IDoc segment - WP_PLU.
    Here the issue is that the promotion & pricing data are sent to the 3rd party system one day before the actual start date.
    Eg: Promotion 123456, which has a start date of 15/05/2014 & ends on 30/05/2014, was created & activated on 13/05/2014.
    This promotion 123456 is triggered from SAP ECC through the batch job on the morning of 14/05/2014 & the 3rd party system receives the data on 14/05/2014, & the promotion gets activated at the 3rd party system end on 14/05/2014 itself, whereas it actually becomes active from 15/05/2014.
    The same happens in the case of the Standard Pricing data, which needs to be active from 31/05/2014 once promotion 123456 ends on 30/05/2014.
    The standard pricing data gets triggered from SAP ECC on 30/05/2014 through the batch job, reaches the 3rd party system on 30/05/2014 & gets activated on 30/05/2014 itself.
    This creates more issues at the store end as well as affecting business.
    We checked at the 3rd party system end & they replied that their system considers the updated time stamp & date to activate the prices & does not consider the actual active-from & active-to dates. They need the data to be sent from SAP ECC on the effective date of the pricing & promotions.
    Can anyone help me with how to change the pricing conditions being triggered through the batch job in SAP ECC based on the actual promotion & pricing condition start date, or is there any other process to trigger the data through the batch job on the actual promotion & pricing data activation date?
    Thanks in Advance.
    Thanks & Regards,
    P.P.Shankar

    Hello Shankar,
    Change the lead time in the POS Outbound Profile. You can't put less than 2 days there, so data for today and tomorrow will be transferred, which also means you need to adjust your batch timing accordingly.
    Sales and Distribution -> POS Interface -> Outbound -> Maintain Profile for POS Outbound.
    See if it helps. The best option would still be that the 3rd party system considers the activation date.
    Kind Regards
    Kaizad

  • How to Collect IDOCS before sending to 3rd party

    Hi All,
    I am sending out POs using the ORDERS IDoc from SAP to a 3rd party.
    In my scenario I need to group the similar IDoc data into a single file before sending it out to the 3rd party using XI. So in the Partner profile I have chosen the 'Collect IDoc' option and given the count as 10.
    Once the IDocs were generated they were in Status '30'. So I then ran RSEOUT00 to flush the PO IDocs to XI. It did flush them out, but as individual IDocs.
    I had the impression that 'Collect IDoc' files the selected IDocs into a SINGLE file/IDoc and then sends it out. Was I right in assuming that Collect IDocs merges all IDocs into 1 file/IDoc, or is that wrong?
    If it does not, is there a way I can merge all these IDocs into a single file before sending to the 3rd party?
    Thanks
    Shirin

    Hi Shirin,
    For IDoc packages see - XI: IDoc Message Packages (link not found)
    For IDoc Bundling see - (link not found)
    Also, to see BPM Collect patterns, you can navigate to the SWCV named SAP BASIS in your IR. Under the namespace http://sap.com/xi/XI/System/Patterns you will find the integration process called BpmPatternCollectPayload. There are many examples in this namespace.
    If you are new to BPM, see this - Step by Step Guide to BPM: http://www.riyaz.net/blog/index.php/2008/04/16/a-step-by-step-guide-to-bpm-asynch-sync-bridge/
    Hope this helps.
    Regards,
    Riyaz

  • Many 3rd party apps that I have used before now will not open, with the alert "XYZ application cannot be opened because the identity of the developer cannot be confirmed". Why now?

    Many 3rd party apps that I have used before now will not open, with the alert "XYZ application cannot be opened because the identity of the developer cannot be confirmed". Why now, since I updated Mavericks?

    The format in which a developer has to sign his application in order for it to be recognized as signed has changed. Update the applications, wherever possible.
    To make a one-time exception to the security policy, follow these instructions. They apply to Installer packages and other installable items as well as applications.
