AC CUP - Users authentication issue

Similar Messages

• GRC AC 10.0 - CUP User Authentication

  Hi All
  We have installed GRC AC 10.0 as a part of ramp up implementation. We will soon start with the configuration steps. For user interfacing we have 2 options (1) NWBC (2) Portal. Architecture of GRC AC 10.0 is based on webdynpro ABAP.
  Now we had a question wherein if we choose NWBC as a front end, then how do we integrate the LDAP for CUP user authentication.
  If we need to integrate LDAP as a authentication source for users in CUP, do we have the only option of going with Portal as a user interface.
  Please advise.
  Thank you.
  Anjan pandey

  > That feature in AC 10.0 is called End User Login and will have it's own URL to access via browser.
  Thanks Frank for your response. I did go through the RKT documents and seems that there is a link through which the end users will create request. we have also planned to setup a LDAP connectivity for user authentication.
  Thanks.
  Anjan Pandey

• User authentication issues when auth by external radius server

  We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
  ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
  When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
  The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
  No site added as it's an internal IP address....

  We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
  ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
  When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
  The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
  No site added as it's an internal IP address....

• Need help on workspace user authentication issue (critical)

  My client implemented Oracle EPM 11.1.1.1.1 We had no issues with installation.
  We started getting issues with workspace logins. All my MSAD user login have been failing through workspace. But they can access other applications like Shared Service and Planning using their own IDs. I found following entries in SharedServices_Security_Cleint.log file
  Resolution is I had to bounce workspace agent and web applications. This is happening periodically and at least once in a day.
  I am not sure why it is skipping my MSAD connections. I am sure my active directories are not down since i can access shared service and Essbase using my own ID. Have you guys seen this issue?
  We are using web logic 9.2 as application server
  Please help
  2009-05-26 15:21:01,923 INFO [Foundation Server] CSS is initialized as client. The default logger properties will be loaded com.hyperion.css.CSSSystem.<init>(Unknown Source)
  2009-05-26 15:21:01,923 INFO [Foundation Server] CSS Log file will be generated at D:\Hyperion\logs\BIPlus\SharedServices_Security_Client.log com.hyperion.css.CSSSystem.<init>(Unknown Source)
  2009-05-26 15:21:01,923 INFO [Foundation Server] Configure CSS with registry com.hyperion.css.CSSSystem.initCSSSystem(Unknown Source)
  2009-05-26 15:21:01,923 INFO [Foundation Server] Initializing CSS from Registry. com.hyperion.css.common.configuration.CSSConfigurationManager.getConfiguration(Unknown Source)
  2009-05-26 15:21:01,954 INFO [Foundation Server] Trying to get Registry Instance com.hyperion.css.registry.RegistryManager.<init>(Unknown Source)
  2009-05-26 15:21:02,048 INFO [Foundation Server] Got Registry Instance com.hyperion.css.registry.RegistryManager.<init>(Unknown Source)
  2009-05-26 15:21:24,000 WARN [Foundation Server] Failed to instantiate provider for factory: com.hyperion.css.spi.impl.msad.MSADFactory.[Root Cause: The specified Hostname or Port number is not valid. ] com.hyperion.css.spi.CSSManager.getProvider(Unknown Source)
  2009-05-26 15:21:24,000 WARN [Foundation Server] Skipping provider: Regence. Failed to get provider instance. com.hyperion.css.spi.CSSManager.isNull(Unknown Source)
  Thanks,
  Naveen

  Hi Naveen,
  Are you using SSL at all?
  How many providers do you have in your CSS file? Is it just the native directory and 1 MSAD provider?
  It's very odd that the same users cant logon to the Workspace but can access Shared Services and Planning. Ive seen this once in 9.3.1 and this appeared to be caused by the SSL config. We ended up reinstalling everything without SSL.
  Im not sure whether its still available in System 11 but have you tried debugging the workspace:
  http://server:port/workspace/index.jsp?debug=true
  This will open up the workspace with a little debug box at the bottom. See if any errors come up when you log in.
  Hope this helps.
  Seb
  www.capiotech.com

• CUPS 8.0 end user login issue

  Hi All,
  I am having CUCM 7.1.5 and CUPS 8.0(4) installed. The problem is when I tried to login the CUPS user page the it says "login failed". The CUPS intergration with CUCM seem to be fine because all the end users can be seen in CUPS. But I am not able to login the CUPS user page. Users have needed roles assigned to them.
  CUCM is sycronized with LDAP server over SSL
  Can anyone pls help me on this. What else I need to check? Is there any log to check on CUCM or CUPS?
  Thanks

  Hi Ronak,
  It is not the problem login to the CUPC  (still I didn't tried it), I have problem login to the CUPS User Web page using end user credentials in CUCM
  End users have needed roles assigned and they also are CUP enabled users
  Pls can you suggest me to any thing to check, As I said our CUCM is sycronized with LDAP server over SSL
  Thanks

• User Authentication failed

  Hi all,
  I like to share one of my peculiar issue with you and like to get a solution as well.
  I am trying to install a portal server with r3load based method. I did a java export of mssql Portal server and suceefully imported in the newly installed server.The server is up and running.I also completed the post installation activites like SLD ,SSO and Jco creation. I am not able to log in to the java page using administrator user and also other users..It keep on saying that user authentication is failed.
  But the beauty is that using the same adminsitrator user i am logging in the visaul administrator .
  I dont know where the problem and also i verified the log files under cluset/server nodes. There i found the log as  follows  --- > Connection is already closed and no longer associated with a managed connection,,
  I dont know where i am missing. Due to this I reinstalled the server and imported again..But the same problem is existing to me. Anyone have suggestion on this please do reply.
  Thanks and Regards
  Vijay

  Hi,
  Thnaks for reply. Its only a java system ,, So no activity needs to be done in SU01. I checked the table in database..the users are exisitng as well in the table.
  FYI: I am able to log in visaul admin but not in the java pages like
  http://<hostname>:port/
  http://<hostname>:port/irj
  Hope i explained  my problem it in right way
  Regards
  Vijay

• User Scheduling Issue....

  BO Edge 3.1 SP3 FP3.5
  Microsoft Windows Server 2008 Standard without Hyper-V SP2
  OK.... here is my Dilemma....
  Users are all set up as AD Users
  Authentication Options 
  Y Use Kerberos authentication
  Synchronization of Credentials  
  Y Enable and update the user's data source credentials at logon time. This will synchronize the data source with the user's current logon credentials. 
  SiteMinder Options Click on the value to change the options 
  SiteMinder Single Sign On: Disabled
  AD Alias Options Schedule User's AD Alias Updates
  Specify when BusinessObjects Enterprise will update AD aliases for users.
  Note that this will also update the Group Graph. 
  Last Sync: There is no record of a previous sync attempt. 
  Next Scheduled Sync: AD Alias sync has not been scheduled. 
  New Alias Options 
  Y Assign each new AD alias to an existing User Account with the same name
  Alias Update Options 
  Y Create new aliases when the Alias Update occurs
  New User Options 
  Y New users are created as concurrent users
  Attribute Binding Options
  Y Import Full Name and Email Address 
  Y Give AD attribute binding priority over LDAP attribute binding 
  DILEMMA*****
  So user jsmith sets up recurring report schedules for 20 reports....
  jsmith is terminated....
  jsmith is removed from Windows AD Directory......
  ALL OF jsmith's schedules DISAPPEAR........
  So I thought ..... set up a "Super User" which will allow them to set schedules etc... BUT mgmt wants to track EVERYTHING so they still want that jsmith set the schedule... they also still need to be able to use the SSO abilities that are set up....
  Has anyone else had this issue??? I have several ideas just not sure if they are valid, ANY HELP would be GREATLY appreciated.
  Is there a way to alias a user name... ie jsmith logs in as jsmith but can set schedules as superuser1.....
  THANKS IN ADVANCE

  Hi,
  This is SAP Business one system administration forum. Please find correct and repost above discussion to get quick response.
  Please close this thread here with helpful answer.
  Thanks & Regards,
  Nagarajan

• Not Authorized HTTP Error 401. The requested resource requires user authentication.

  Hi All,
  I have MDS web application on one server and MDS DB on another, both in same domain .
  MDS web application is created as new website on same IIS with SharePoint and have their own port assign
  In IIS Windows Authentication is added and enabled.
  Users do have function permission and module enabled.
  MDS is accessible only on server where web application is.
  When it is accessed from any computer within domain error is
  Not Authorized
  HTTP Error 401. The requested resource requires user authentication.
  Can anyone offer any suggestions?
  Thanks
  Zorko

  Hi Zorko,
  The issue may happen in case:
  1. The Master Data Service(MDS) web application is running under a domain user account
  2. You didn't register a Service Principal Name(SPN) for the account
  3. You are using fully qualified domain name(FQDN) or host name to access the MDS
  4. You are able to access the MDS by IP address(http://<ip address>)
  If I am right, it is because of the browser choose to use Kerberos authentication to connect to the MDS.
  So then, to fix the issue, please:
  Register SPN for the application pool account. Enable the delegation.
  Or, please force the web site to use NTLM authentication only.
  For more information, please see:
  How to use SPNs when you configure Web applications that are hosted on Internet Information Services:
  http://support.microsoft.com/kb/929650
  Forcing NTLM Authentication (IIS 6.0):
  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true
  Thanks,
  Jinchun Chen
  Jinchun Chen(JC)
  TechNet Community Support

• Authentication Issue, When Profile ReCreate

  Hi,
  i face authentication issue in SQL Server 2012 Evalution after i login in new account.
  Take a look situation and what i did.
  1) I install SQL Server 2012 in Member Server (Server 2012 Standard).
  2). Every Thing i Did i by using AD User name "SP_Farm"
  3). I install SQL in Windows Authentication Mode only and i provide User ****\SP_Farm, when Ever Installation Ask.
  Note: during the whole process i only use SP_Farm (AD Admin User)
  Every thing going working fine till my mistake. By mistake i delete account SP_Farm from AD and i re create it.
  after that i cant access Management Studio. :(
  Please Guide if is there any other way.
  Thanks you 
  Shariq Ayaz
  [email protected]
  www.shariqdon.com
  www.shariqdon.com/itworld
  www.shariqdon.com

  Hi,
  i face authentication issue in SQL Server 2012 Evalution after i login in new account.
  Take a look situation and what i did.
  1) I install SQL Server 2012 in Member Server (Server 2012 Standard).
  2). Every Thing i Did i by using AD User name "SP_Farm"
  3). I install SQL in Windows Authentication Mode only and i provide User ****\SP_Farm, when Ever Installation Ask.
  Note: during the whole process i only use SP_Farm (AD Admin User)
  Every thing going working fine till my mistake. By mistake i delete account SP_Farm from AD and i re create it.
  Creating a user with the same name is
  not the same user :-)
  A user has a unique ID and you did not create the same ID, but a new user with same name.
  after that i cant access Management Studio. :(
  Please Guide if is there any other way.
  Thanks you 
  Shariq Ayaz
  [email protected]
  www.shariqdon.com
  www.shariqdon.com/itworld
  www.shariqdon.com
  You can try to use This solution:
  http://blogs.msdn.com/b/raulga/archive/2007/07/12/disaster-recovery-what-to-do-when-the-sa-account-password-is-lost-in-sql-server-2005.aspx
  * After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication.
  [Personal Site] [Blog] [Facebook]

• Essbase 6.5 External Authentication Issue!! Urgent Please!!

  Hi all,
  I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
  I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
  I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
  "User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
  Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
  Its kinda Urgent. so any replies for the same will be appreciated.
  Thanks and Regards,
  Vikram

  Vikram,
  Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
  Here is the Sample CSS
  <spi>
            <provider>
                 <msad name="full360">
                      <trusted>false</trusted>
                      <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
                      <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
                      <password>full@360</password>
                      <authType>simple</authType>
                      <identityAttribute>dn</identityAttribute>
                      <maxSize>1000</maxSize>
                      <user>
                           <loginAttribute>sAMAccountName</loginAttribute>
                           <nameAttribute>dn</nameAttribute>
                      </user>
                      <group>
                           <nameAttribute>cn</nameAttribute>
                           <objectclass>
                                <entry>group?member</entry>
                           </objectclass>
                      </group>
                 </msad>
  Download this toll "http://www.ldapbrowser.com/download.htm"
  LDAP browser to get the perfact DN information.
  Let me know the status
  Ravikant

• ACS 5.2 Authentication Issue with Local & Global ADs

  Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
  - Wireless Users >> Cisco WLC >> ADs <-- everything OK
  - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
  Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
  Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
  For the user from the old group, authentication is ok.
  For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
  Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
  Can anyone advice to troubleshoot the issue?
  Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
  How can we check or make sure it?
  Thanks ahead,
  Ye

  Hello,
  There is an enhacement request open already:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
  ACS should be able to query only desired DCs
  Symptom:
  Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
  It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
  Conditions:
  Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
  Workaround:
  Make sure ALL DCs are UP and reachable from the ACS.
  At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
  Hope this clarifies it.
  Regards.

• Anyconnect 3 NAM Profile user authentication failure

  Hello,
  I use Cisco Anyconnect as a supplicant for my 802.1x enabled network, we use EAP-TLS. I created a wired profile with the standalone profile manager and deployed it to my clients. Machine authentication works fine, but as soon as i log in to the device the user authentication is not working and the anyconnect falls back to an open wired network.
  I don't see any logs in my ACS.
  But when i create a profile on the device itself the EAP-TLS authentication works without any issues.
  any ideas?
  regards
  alex

  Hello Luke-
  I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only but things went out of control once we started to roll out wired
  I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they can "fix" this but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:
  https://supportforums.cisco.com/message/3775027#3775027
  To answer your other question:
  So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
  Back when I had this issue I was able to "trick" the native windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged user but to select "New/Different User." There you can still type the same credentials for the already logged user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine which is till not ideal and not user friendly at all but that is all I have Also, do keep in mind that I have not tested this with the AnyConnect client so results may vary.
  Thank you for rating!

• Go URL - User Authentication Failure

  Hi,
  I am trying to use a 'Go URL' in web application and I see some issue with authentication mechanism.
  I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
  Also the AD user can login from the login page, but not thru 'Go-URL' link.
  Can anyone let me know whether I am missing any step?
  Thanks

  969211 wrote:
  I was able to login and view the dashboard whenever the username used in the 'Go URL' is from the console. But if the user who is from Active directory is used in the 'Go URL' link, then I get the login page saying 'Invalid username or password'. When I check the log file, it says ' [53012] User Authentication Failure'.
  Also the AD user can login from the login page, but not thru 'Go-URL' link.
  Can anyone let me know whether I am missing any step?Check the usage of Go URL first : http://docs.oracle.com/cd/E21043_01/bi.1111/e16364/apiwebintegrate.htm
  If you dont user NQUser and NQPassword then they will be prompted for a password. you need to http://<hostname.domain>:9704/analytics/saw.dll?Dashboard&PortalPath=<your GO URLpath>*&NQuser=USERNAME&NQPassword=PASSWORD*
  You should not access if URL without logging in.
  Also on different note:
  Rupesh Shelar wrote:
  Make sure your BISYSTEM password
  Go to weblogic console, http://IP address:7001/console
  Home >Summary of Security Realms > myrealm > Users and Groups > BISystemUser
  And then go to your EM (http://IP address:7001/em)
  expand weblogic domain > bifoundation_domain > Security > Credentials > oracle.bi.system ? system.user
  Just retype a new password then Restart BI All Services then test it.How is BISystemUser even related to Go URL .or this issue .?
  Hope this helps.
  Let me know the updates. Mark if it answers!
  Thanks,
  SVS

• ISE - Machine + user authentication

  I've searched forum, community but I couldn't find exactly what I need:
  I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication.
  Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
  If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
  Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished.
  Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
  How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless.
  NAM is already refused by client, so I need something that will work on plain Windows 7.
  Thanks.

  Hello Align-
  In your post you are referring to two completely separate and independent solutions:
  1. MAR
  2. EAP-Chaining
  MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if let's say a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed
  EAP-Chaining on the other hand utilizes EAP-FAST and it s a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might wanna look into Cisco's TrustSec guide:
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
  I hope this helps!
  Thank you for rating!

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?