ActiveSync client certificate authentication with third party CA
Hi, I have to configure ActiveSync certificate-based authentication and use a third party CA.
What information and fields must I configure on the cert template to use it for ActiveSync?
For now I have a template with the CN (FirstName LastName) as the Subject Name and a Subject Alternative Name with UserPrincipalName (user@domain). Is it enough?
Must I publish the user's certificate in AD?
Thanks
Just one additional thing to consider, as I have seen it go wrong in the past.
Make sure that whatever certificate solution you decide upon will be suitable for your internal clients (Outlook) as well as autodiscover, external name, etc.
I have seen where people put in mail.domain.com in the SAN field, and everything works great for external clients. However, internal clients who connect to mbx01.domain.com (the internal server name) get errors, as this server name is not on the certificate.
To make this work, you generally have two options:
1. Put the internal name of the server on the certificate as well. This requires a certificate that allows multiple names (may be referred to as a UC certificate or 'SAN Options' or something like that, depending on vendor).
2. Set up split-DNS, so your internal clients also use mail.domain.com internally.
I realize that this doesn't answer your original question, but I have seen this being done wrong many times, and this will hopefully save some headache.
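The reply's point is that every name a client actually connects to must be covered by a dNSName entry on the server certificate, which is exactly where the internal mbx01 name fails. As an added example (not code from the thread), the Python below checks a list of client-facing hostnames against a certificate's SAN names with the usual wildcard rules and shows both remediation options; the SAN list and hostnames are constructed.

```python
from __future__ import annotations


def hostname_matches(san_dns_name: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname.

    Applies the conservative RFC 6125 rules most TLS stacks use: comparison is
    case-insensitive and ignores a trailing dot; a wildcard is honoured only as
    the entire left-most label, matches exactly one label, and is refused for
    names with fewer than three labels (so '*.com' never matches anything).
    """
    pattern = san_dns_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not pattern or not host or "*" in host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                  # partial wildcards such as 'm*.domain.com'
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                  # '*.com', or a wildcard spanning two labels
    return all(h_labels) and p_labels[1:] == h_labels[1:]


def coverage_report(san_dns_names: list[str], client_hostnames: list[str]) -> dict[str, str | None]:
    """Map every name clients connect to onto the SAN entry that covers it, or None."""
    return {
        host: next((san for san in san_dns_names if hostname_matches(san, host)), None)
        for host in client_hostnames
    }


def uncovered_hostnames(san_dns_names: list[str], client_hostnames: list[str]) -> list[str]:
    """Names that will produce certificate errors; the reply's mbx01 case."""
    report = coverage_report(san_dns_names, client_hostnames)
    return [host for host, san in report.items() if san is None]


# Constructed inputs: what an external-only certificate typically carries ...
CERT_SAN_DNS_NAMES = ["mail.domain.com", "autodiscover.domain.com"]
# ... and the names clients actually use, including the internal server name.
CLIENT_HOSTNAMES = ["mail.domain.com", "autodiscover.domain.com", "mbx01.domain.com"]

if __name__ == "__main__":
    for host, san in coverage_report(CERT_SAN_DNS_NAMES, CLIENT_HOSTNAMES).items():
        print(f"{host:26} -> {san or 'NOT COVERED: internal clients will get errors'}")
    # Option 1 from the reply: put the internal name (or a wildcard) on the certificate.
    print("option 1, name added:", uncovered_hostnames(CERT_SAN_DNS_NAMES + ["mbx01.domain.com"], CLIENT_HOSTNAMES))
    # Option 2: split DNS, so internal clients also resolve and use mail.domain.com.
    print("option 2, split DNS: ", uncovered_hostnames(CERT_SAN_DNS_NAMES, CLIENT_HOSTNAMES[:2]))
```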
Similar Messages
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     * <li>init(props)
     * <li>getAuthType()
     * <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException { ... }
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException { ... }
        public void setGroupNames(String username, String[] groups) { ... }
    }
and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     * <li>Your code should obtain the user and password to authenticate from
     * _username and _password fields, respectively.
     * <li>The authenticate method must finish with this call:
     * return commitAuthentication(_username, _password, _currentRealm,
     * grpList);
     * <li>The grpList parameter is a String[] which can optionally be
     * populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     * <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     * <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     * <property name="jaas-context" value="jdbcRealm"/>
     * </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule {
        protected AuthenticationStatus authenticate()
            throws LoginException { ... }
        private String[] authenticate(String username,String passwd) { ... }
        private Connection getConnection() throws SQLException { ... }
    }
One more article: http://developers.sun.com/appserver/reference/techart/as8_authentication/
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java":
http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     * <li>assign-groups - A comma-separated list of group names which
     * will be assigned to all users who present a cryptographically
     * valid certificate. Since groups are otherwise not supported
     * by the cert realm, this allows grouping cert users
     * for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm {
        protected void init(Properties props) { ... }
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         * is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         * support this operation - e.g. Certificate realm does not support
         * this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException { ... }
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException {
            // Set up SecurityContext, but that is not applicable to S1WS..
        }
    }
Edited by: mv on Apr 24, 2009 7:04 AM
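Whatever realm class is extended, the custom part reduces to deciding group membership from the subject DN of a certificate that NSS has already validated. As an added example that is neither the thread's nor Sun's code, here is that mapping in Python: an RFC 4514 DN parser and a role lookup that compares parsed components, alongside the raw-substring shortcut it should replace; ROLE_RULES, ASSIGN_GROUPS and the DNs are constructed.

```python
from __future__ import annotations

_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514 string DN into [(type, value), ...] in written order.

    Handles what makes dn.split(',') unsafe: a backslash before a special
    character (comma, plus, quote, backslash, angle bracket, semicolon, or a
    leading/trailing space) and a backslash plus two hex digits (one raw UTF-8
    byte). Types are lower-cased; '+'-joined multi-valued RDNs are flattened.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[tuple[int, bool]] = []   # (utf-8 byte, was it escaped?)
    attr_type: str | None = None

    def flush() -> str:
        # Unescaped leading/trailing spaces are insignificant; escaped ones are data.
        while buf and buf[0] == (0x20, False):
            buf.pop(0)
        while buf and buf[-1] == (0x20, False):
            buf.pop()
        text = bytes(b for b, _ in buf).decode("utf-8")
        buf.clear()
        return text

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append((int(dn[i + 1:i + 3], 16), True))
                i += 3
            elif i + 1 < n:
                buf.extend((b, True) for b in dn[i + 1].encode("utf-8"))
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if attr_type is None and c == "=":
            attr_type = flush().lower()
            if not attr_type:
                raise ValueError("empty attribute type")
        elif c in ",;+":
            if attr_type is None:
                raise ValueError("value without attribute type")
            pairs.append((attr_type, flush()))
            attr_type = None
        else:
            buf.extend((b, False) for b in c.encode("utf-8"))
        i += 1
    if attr_type is not None:
        pairs.append((attr_type, flush()))
    elif buf:
        raise ValueError("trailing text without '='")
    return pairs


# Constructed rules: which parsed RDN component grants which J2EE roles.
ROLE_RULES = (
    ("ou", "Administrators", frozenset({"admin", "registered-user"})),
    ("ou", "Customers", frozenset({"registered-user"})),
)
# Analogue of the realm's assign-groups property: every valid cert holder gets these.
ASSIGN_GROUPS = frozenset({"visitor"})


def roles_for_dn(subject_dn: str) -> set[str]:
    """Hardened form: match rules against parsed (type, value) components."""
    components = set(parse_dn(subject_dn))
    roles = set(ASSIGN_GROUPS)
    for attr, value, granted in ROLE_RULES:
        if (attr, value) in components:
            roles |= granted
    return roles


def naive_roles_for_dn(subject_dn: str) -> set[str]:
    """The shortcut to avoid: substring tests on the raw DN string. A CN holding
    an escaped comma followed by 'OU=Administrators' satisfies it."""
    roles = set(ASSIGN_GROUPS)
    for attr, value, granted in ROLE_RULES:
        if f"{attr.upper()}={value}" in subject_dn:
            roles |= granted
    return roles
```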
Project Server 2010 Web services access with Client Certificate Authentication
We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI) web service applications that no longer connect to the server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call Project Server web services. Any help or coding examples would be greatly appreciated.

What is the error that occurs when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g. 'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of “Claims to Windows Token Service”.
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    }
Then you need to extract the UPN claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
SGD with Third Party Authentication issue
Hi
I am trying to setup SGD with Third Party Authentication and have done all the requisites for this.
I input the SGD URL and get the Third Party Login page, but after I input my credentials I get redirected to the SGD default login page, which should not be the case. I had already set "Tomcat Authentication" to false in server.xml and enabled the Third Party authentication scheme in Array Manager.
What else am I missing ?
Kindly advise
SGD ver4.31
Thanks

Every now and then I have found the same. One thing that almost always solved the problem was recreating a new trusted user; you can follow the steps from:
http://docs.sun.com/source/820-1088/trusted_users.html
Especially the step to test the trusted_user is a very good test to see if the trusted user is ok: http://server/axis/services/rpc/externalauth
When prompted, log in as the trusted user.
Another way to test it is via the api-test functionality: http://server/sgd/admin/apitest/
First set up a session: webtopsession->startSession(0)
Then authenticate via externalauth->setSessionIdentity
These steps are the minimal steps to perform 3rd Party Authentication.
(There is also an example jsp for 3rd Party Authentication on wikis.sun: http://wikis.sun.com/display/SecureGlobalDesktop/Single+sign-on+(before+4.40) )
Remold
Replace Self-Signed FAST Search Certificate with Third Party Certificate
We are trying to replace the self-signed FAST Search certificate with a third party certificate in our SP 2010 environment, and are facing issues while enabling SSL communication between the FAST servers and the corporate servers.
Our FAST search servers are in a different farm than the corporate servers.
The details of the certificate we received are as follows:
Issued to : FastSearchCert
Issued By: Issuer Name
Valid From: 4/21/2015 to 4/20/2017
We were able to successfully renew the certificate on the FAST Search Server by following the steps below:
1. Log in to the Administrative and the Non-Administrative nodes of the FAST server. Go to Windows Services and stop the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on both servers.
Follow the steps below on the Administrative Node, followed by the Non-Administrative Node:
2. Install the certificate in the following paths in the certificate store:
“Certificates(Local Computer)\Personal”
“Certificates(Local Computer)\Trusted Root Certification Authorities”
3. Ensure that the user account configured for the “FAST Search Server 2010 for SharePoint” service has access to the private key of the certificate.
4. Go to the Administrative node of the FAST farm and follow the steps below:
Go to the certificate store. Expand the Personal folder and then click the Certificates folder. Double-click the third party signed FAST certificate. Open the Details tab and then click Thumbprint. Note down this thumbprint.
5. Next, open Microsoft FAST Search Server 2010 for SharePoint with Administrator privileges.
6. Navigate to the directory “D:\FASTSearch\installer\scripts” and execute the command below to replace the current certificate with the newly created third party signed FAST certificate:
    .\ReplaceDefaultCertificate.ps1 -thumbprint "certificate thumbprint"
7. The FAST certificate was renewed successfully.
Once the certificate has been renewed successfully on both nodes, follow the step below:
8. Start the FAST Search for SharePoint and the FAST Search for SharePoint Monitoring services on the administrator server.
Next, while enabling the SSL communication between the FAST servers and the other corporate servers, we follow the steps below:
1. Copy the new certificate from any of the FAST servers to all the web front-end and application servers in the corporate farm, in order to enable SSL communication between these servers and the FAST farm.
2. Also, copy the script ‘SecureFASTSearchConnector.ps1’ from the location “%FASTSearchFolder%\installer\scripts” on the FAST servers to the web front-end and application servers of the corporate farm.
3. Follow the steps below on each of the servers in the corporate farm:
Open ‘SharePoint 2010 Management Shell’ with administrator privileges and navigate to the directory in which the ‘SecureFASTSearchConnector.ps1’ script is located. Then execute the command below:
    .\SecureFASTSearchConnector.ps1 -certThumbprint "certificate thumbprint" -ssaName "FASTCibtebtSSA" -username "DOMAIN\SP_Farm"
Where:
-certThumbprint - Thumbprint of the certificate
-ssaName - FAST Content SSA
-username - The account configured to run the SharePoint Search Service
On execution of the above command, we receive an error message stating that the "Connection to the Content Distributor servername.corp.abc.org: 14391 could not be validated...instance of FAST search server backend is running".
Please help us resolve this issue. We have not been able to find the cause of the above error for a long time.
Any help is much appreciated.

Your tip on exporting from eDir to locate a missing private key was very helpful. Here are my steps to renew an expired third party certificate when the private key, generated 30 months ago in my case, could not be located.
In iManager, browse the tree and locate the likely certificate object. The Attributes for the object show Subject Name = webmail.acme.com. Selected the certificate and exported to webmailcert.pfx.
Then, the openssl commands in TID 7004039, "How to convert a SSL PFX to a PEM file", were run against the .pfx file to create cert.pem, key.pem and server.key files.
TID 7015500, "How to determine if private key belongs to public key (certificate)", was followed to determine if the public key (downloaded from third party) and private key (just retrieved from iManager) match - they did - that is, the private key converted from webmailcert.pfx matches the downloaded certificate.
TID 7013103, "How to create a .pem File for SSL certificate Installations", was followed to manually create a server.pem file using openssl.
TID 7010584, "How to setup SSL Certificate for Apache", part labeled "Additional Information" was followed to modify /etc/apache2/vhosts.d/vhost-ssl.conf file. Server.pem file created above copied to /etc/apache2/ssl.crt/ and /etc/ssl/servercerts/ directories as specified in vhost-ssl.conf.
Restarted apache2.
www.digicert.com has an SSL Certificate Checker that can be used to verify the installation is successful.
SharePoint 2013 on-premises integration with third party email account
The email sending issue from SharePoint is causing too much wasted time.
First let me explain how our SharePoint is deployed
Sharepoint version : 2013
Deployment type : on-premise
Authentication : from Domain controller also hosted locally
Domain name: say domain.com; this domain.com is the same as our website address hosted on GoDaddy
SharePoint computer name on local DNS: sharepoint.domain.com
OS and IIS: 2008 R2, IIS 7.5
Network firewall: ports 25 and 26 opened for SharePoint, both incoming and outgoing.
Server firewall : turned off
Email configuration Attempts by IIS 6.0
We tried following setting on IIS 6.0 SMTP local server properties
In General tab
qualified name was shown as: sharepoint.dts-solution.com
IP assigned: SharePoint server IP; under Advanced, put two entries of the IP with ports 25 and 26
In Access tab
Authentication : selected as Anonymous
Connection : All except below list : empty list
Relay : only the list below , one entry as 127.0.0.1 and other is local static IP of SharePoint server
in Delivery tab
outbound security: Basic authentication: accessed user in AD and given the right password, also checked with anonymous - not working
outbound connection: all default values and port = 25
Advance : fully qualified domain name = sharepoint.domain.com , DNS test showed success, rest every check box unchecked
On sharepoint central management settings
Outbound email = sharepoint.domain.com
from and reply to address = [email protected]
IIS 7.5 SMTP settings
In IIS 7.5 sharepoint application we added SMTP settings as smtp server = godaddy out going smtp , user name as [email protected] , password = godaddy password , port : godaddy outgoing port .
Godaddy account
Our website hosted on godaddy with same name as domain.com
open relay not possible on emails.
Results
After setting alerts on SharePoint sites and assigning tasks with alerts, we receive email in the queue folder but they never get forwarded. We just wish to use any of our email *.domain.com to send outgoing emails from SharePoint. It's been a while and we have had no success.
Tech Learner

Hi,
As I understand, you are using SharePoint 2013 integrating with third party SMTP server which provides email function.
From SharePoint side, I'd suggest you refer to the link below to configure email integration:
http://technet.microsoft.com/en-us/library/ee956941(v=office.15).aspx
If you have already confirmed that the message is sent from SharePoint, while stuck in the queue on the SMTP server, then the issue might be related to relay on the SMTP server. Since the issue is related to a third party product, we do not have enough resources here,
I'd recommend you contact their support engineer for more assistance:
https://support.godaddy.com/help/category/154/email
https://support.godaddy.com/help/article/3552/managing-your-email-account-smtp-relays
Thanks for the understanding.
Regards,
Rebecca Tu
TechNet Community Support
How to integrate DRM with third party tool for loading metadata in SQL table
Experts,
I am new to DRM and I have a requirement in which we want to integrate DRM with a third party tool (let's say a SQL table) as target and load metadata from DRM (Parent node, name, alias etc.) to the SQL table (same column names).
Is there any way we can integrate DRM to export the same to table directly instead to files. If yes what are the steps we have to follow.
Is there anyway we can customize DRM to execute queries or run batch
Can I have a basic example please.
Thanks in advance,
Regards,

1. Use the DRM Export to Table option; for that, create an External Connection first for the Target Database and select the respective Tables to which you wish to Export the Hierarchy information.
2. You can perform most of the DRM Actions via the DRM_BATCH_CLIENT.exe.
Please refer to Using the Data Relationship Management Batch Client of DRM User guide.
Let me know if you have any issues.
SOAP -Client Certificate Authentication in Receiver SOAP Adapter
Dear All,
We are working on the below scenario
SAP R/3 System -> XI/PI -> Proxy -> Customer
In this, the SAP R/3 System sends an IDOC and XI should give the XML payload of the IDOC to the Customer.
The Customer gave us the WSDL file and also a Certificate for authentication.
Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
Require your inputs on Client Certificate authentication and Proxy server configuration.
Regards,
Srini

Hi
Look this blog
How to use Client Authentication with SOAP Adapter
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Also refer to "SAP Security Guide XI" at service market place.
ABAP Proxy configuration
How do you activate ABAP Proxies?
Skill sets required for interfacing with third party
Hi, we are currently using LSO 603 and we are SCORM compliant. We want to build an interface with a third party where we have all our manufacturing courses stored, so the client wanted to know the skill sets required for building an interface. Please advise.
Thanks!

Skills required.....
ABAP including BAPI's/Function Modules
understanding of Performance management and how it hangs together.
Happy New Year.
Jules.
How to connect Developer 6i with third party Databases
Hi,
Oracle Forms 6i comes with an Oracle Client Adaptor, OCA, that allows you to connect to 3rd party databases. Starting with Forms 9i you use gateways.
Frank
Muse: In-Browser Editing with third-party FTP
Hi,
I recently finished a new website for my client. The domain already exists. Therefore, we will upload the new website, designed in Muse, directly to our hosting server's FTP. Is it possible to activate in-browser editing by using a third-party FTP? And if yes, which steps do I have to do?
Thank you very much for your answers!

Hi,
The June 2014 update to Muse enables In-Browser Editing for Muse sites hosted with third-party (non-Adobe) providers.
See https://helpx.adobe.com/muse/using/whats-new.html#In-browser%20Editing%20enhancements for specifics.
Abhishek
Really Apple?
With the release of OSX 10.8.5 Apple has once again shown its true colors, and continued its efforts to create a closed Apple system, which eliminates third party vendors, unless, one can only assume... they pay.
Included in this OSX update is the disabling of the built-in camera for third party applications such as Skype and Gmail video chat. No surprise the camera works just fine with Apple apps such as Facetime and Photobooth.
The answer I got on my call to AppleCare to ask for assistance in reinstalling 10.8.4, so that I may Skype again, was "we can not do that. You can not go back unless you have a Time Machine backup."
Can anyone help me get back to 10.8.4 on my 2013 MB Air?
I do not have a time machine bkup as this computer is not used to store important documents.
Thank you.

Read this post: 10.8.5 Broke Camera Usage For 3rd Party Apps Like Skype
Another: isight not recognized in Skype after 10.8.5 upgrade
Don't panic. Skype simply needs to update its app.
How to integrate single sign on with third party system
We are in the process of implementing the iStore application. We already have a home-grown iSupport application to contact support personnel for any issues. Now we are wondering how we integrate Oracle Applications single sign-on with our third party system. Is there any recommendation provided by Oracle to achieve the same?
We too are in the process of implementing iStore with SSO features.
And if you believe me it seems to me as nightmare.
In our scenario we are integrating this SSO with third party access control too (AD and SiteMinder). I would request you to please respond to me on the following mail id, so we can share our experience, which will help us in our implementation
[email protected]
regards and thanks in advance
Vikas Deep
Integration of ChaRM with third party tools
Hi all,
We are in the process of building the solution for Change Request Management implementation integrated with third party tool.
As the normal process for ChaRM is to work with the Service Desk functionality (to raise a ticket, then support message, change request, change document etc...), but what we need is create the change request, and change document directly with ChaRM without using the Service Desk functionality.
Did anybody come across this situation?
Please share your experience.
Thanks in advance.
Balaji

Hi Balaji,
there is no problem, as I understand, you want to use ChaRM without Service Desk. OK, then you create a Change Request directly in CRMD_ORDER; the transaction type you have to select is SDCR (standard transaction type), you have to approve it and then you can create a change document; it is not necessary that you start with a Service Desk ticket like SLFN.
You need a configured TMS and a SolMan Project with a Maintenance Cycle, that's it (but this is enough, don't forget the customizing).
I hope I understood you correctly
Udo
Conflict with Third Party Apps?
I am getting an occasional error saying there is a possible conflict with third party apps and that I need to check the drivers of my MIDI devices to see if they are up to date? Sorry but I did not record the exact wording. Does anyone know what this might mean, and how I need to go about checking drivers? I have a lot of interfaces and not sure how to see what's what. Thanks.
Hi Midlake,
Well, because they are known troublemakers. Search for 'takes' or 'take folder(s)' or 'comp' here on the forum and you'll find many a troubled soul crying out for help - including seasoned pros, who thought they were beyond tears...
Oh, they are fine for recording many takes - but that's all. I'll select the best takes/phrases.
regards, Erik.