AD Authentication and credentials encryption

Similar Messages

• Unable to connect to Wi-Fi connection using WPA2 PSK authentication and encryption type TKIP

  I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
  My issue is copy/pasted below:
  Original Title: TKIP selection in WiFi network settings
  I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
  On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
  Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
  7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
  When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
  if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
  the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.

  I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
  My issue is copy/pasted below:
  Original Title: TKIP selection in WiFi network settings
  I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
  On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
  Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
  7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
  When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
  if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
  the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.

• Authentication - clear text/encrypted

  Hi all,
  I have got another thread open about Set-OutlookProvider as I am having issues with 20-odd XP machines off the domain using OutlookAnywhere.
  My question is about authentication when using Outlook Anywhere:
  If you setup the proxy as follows (see screenshot):
  Is the password sent in clear text or not???? I thought it was, but I have been running packet captures with Wireshark and cheking the output and cannot find the password in clear text.
  Am I correct in assuming that by ticking the box "connect using SSL Only" and even not using the option to connect with proxies with certificate will send the credentials encrypted rather than in clear text?
  Would appreciate comments.
  Regards

  Check the connection settings in your dialog above - you are using HTTPS.  So unless your WireShark is running as a man-in-the-middle, you are getting encrypted traffic.  Notice also that you will only use SSL - the checkbox is selected
  and you can't change it.  So your clients will always use SSL for their OA connections - and their traffic will always be encrypted (including the credential traffic).

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• How to get ADF authentication and authorization working on server

  I am having an issue with deployment & ADF authentication and authorization.
  From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
  When making an attempt to log in I get the following results:
  Running Locally with ADF Authentication:                                           Works Fine
  Running Locally with ADF Authentication & Authorization:         Works Fine
  Deployed to server with ADF Authentication:                                    Works Fine
  Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
  What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
  JDeveloper Version: 11.1.2.4
  Server Web Logic: 10.3.6
  Server ADF: 11.1.1.16
  Page Error when trying to log in:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Server error when trying to log in:
  Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
          at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
          at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
          at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
          at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
          at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
          at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
          at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
          at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
          at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
          at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
          at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
          at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
          at java.security.AccessController.doPrivileged(Native Method)
          at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
          at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
          at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
          at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
          at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
          at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
          at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
          at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
          at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
          at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
  Web.xml
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
      <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
      <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
      <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
      <param-value>differentOrigin</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_DECORATORS</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
    </context-param>
    <filter>
      <filter-name>JpsFilter</filter-name>
      <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    </filter>
    <filter>
      <filter-name>trinidad</filter-name>
      <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
      <filter-name>adfBindings</filter-name>
      <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>JpsFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>trinidad</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>adfAuthentication</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
      <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
    </listener>
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>resources</servlet-name>
      <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>MapProxyServlet</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/Pages/homePage.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <url-pattern>/servlet/GraphServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <url-pattern>/servlet/GaugeServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>MapProxyServlet</servlet-name>
      <url-pattern>/mapproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/bi/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>adfAuthentication</servlet-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </servlet-mapping>
    <mime-mapping>
      <extension>swf</extension>
      <mime-type>application/x-shockwave-flash</mime-type>
    </mime-mapping>
    <mime-mapping>
      <extension>amf</extension>
      <mime-type>application/x-amf</mime-type>
    </mime-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/faces/pages/*.</url-pattern>
        <url-pattern>/faces/*.</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>valid-users</role-name>
    </security-role>
  </web-app>
  Jazn-data.xml
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
    <jazn-realm default="jazn.com">
      <realm>
        <name>jazn.com</name>
        <users>
          <user>
            <name>*****</name>
            <display-name>*******</display-name>
            <description>******</description>
            <credentials>********<credentials>
          </user>
        </users>
        <roles>
          <role>
            <name>support</name>
            <display-name>support</display-name>
            <members>
              <member>
                <type>user</type>
                <name>mobile</name>
              </member>
            </members>
          </role>
        </roles>
      </realm>
    </jazn-realm>
    <policy-store>
      <applications>
        <application>
          <name> myapp </name>
          <app-roles>
            <app-role>
              <name>mob_mobile_support</name>
              <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              <display-name>mob_mobile_support</display-name>
              <description>support role</description>
              <members>
                <member>
                  <name>mobile</name>
                  <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                </member>
              </members>
            </app-role>
          </app-roles>
          <jazn-policy>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>SUPPORT</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.*</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>mob_mobile_support</name>
                    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.addapplicationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addappmsgtypPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addoperationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.homePagePageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>myapp.view.pageDefs.workHistoryPageDef</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
          </jazn-policy>
        </application>
      </applications>
    </policy-store>
  </jazn-data>

  Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
  Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
  Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
  Timo

• I'm trying to log into my site that requires authentication but I get a popup that says it doesn't require authentication and then I get a 403

  I have a site that requires authentication. In the past i have logged in using firefox with the following format
  http://username:password@sitename:siteport/specificsiteurlinfo
  and gotten in just fine. I just set up a new computer with a new instance of firefox and try the same thing but I now get the following popup-
  "You are about to log in to the site "sitename" with the username "username", but the website does not require authentication. This may be an attempt to trick you.
  Is "sitename" the site you want to visit?"
  When I click "yes" Firefox appears to try to go to the site without any authentication and I of course get a 403 Forbidden error.
  I have tried reverting back to old versions of Firefox with no luck.
  Any advice would be greatly appreciated.
  Thank you.

  The purpose of that warning is to alert you to the possibility of being fooled by a link with login credentials at the beginning. On your old computer you might have tweaked this setting to limit when the warning appears:
  http://kb.mozillazine.org/Network.http.phishy-userpass-length
  This article discusses the steps to adjust that setting to fit your needs: [http://fix.lazyjeff.com/2011/04/disable-firefox-login-prompt.html].

• Setting Authentication and SSL Settings by folder/file in ColdFusion 10

  Am attempting to upgrade to ColdFusion 10 (patched to current level) on our development network.  We are running Windows Server 2008 R2.  On both of the below instances it worked fine with ColdFusion 8 and 9.
  On the first instance the entire site is SSL with the exception of one directory.  The entire site is set to Anonymous Authentication Disabled and Windows Authentication Enabled for the entire site except for the one directory that is not SSL.  On ColdFusion 10, that one directory that is not supposed to be SSL and have anonymous authentication will not allow access unless you hit it with an https: and authenticate.  It ignores the settings for that directory and uses the overall site settings.
  On another instance the entire site is set to Anonymous Authentication except one file (login.cfm) is set to Windows Authentication.  When you enter that site it hits the login.cfm, if you authenticate it gives you more options.  If you don't you still get in but without the extra options.  The system ignores the Windows Authentication and defaults to the overall site's setting of Anonymous Authentication.  I have tried setting the authentication at the site level to both Anonymous and Windows then going through individual directories and changing them to what they should be, but the settings are ignored and it uses the overall site settings.
  Is Tomcat somehow overriding the page/folder specific SSL and or Authentication settings?

  Charlie, I appreciate you helping rule out the possible discrepancies in the installation.  As far as server configuration, all testing is being done on two virtual Windows Sever 2008 R2 64 bit boxes running IIS 7.5  One of the boxes was upgraded from ColdFusion 9.01 and one that is a new install on a new virtual machine.  The CF9.01 box has been processing both the SSL and non-SSL properly. The only changes I made to the CF9.01 I upgraded was to turn on CGI in the IIS settings.  Both servers show the same problems so I kind of ruled out the new server vice upgrade issue.  I checked the inheritance and all of the files have the same windows user's permissions.  I have imported the SSL certificates into the JRE\security\lib\certs.  I am guessing those are imported correctly otherwise it would not allow the SSL to work at all. All SSL/windows authentication has been set up through IIS, I have not tried to modify any Tomcat settings.
  I created a .htm file and put it in both a directory that is SSL protected and one (ScheduledTasks) that is not SSL protected.  It worked fine. That is if it was in a directory that should have been protected by SSL it prompted me for my CAC and pin.  When I put it in the ScheduledTasks directory and tried opening it with a stander http:// it worked fine.  I then tried to open a .cfm in the same directory and I got the standard 403-Forbidden: Access is denied.  You do not have permission to view this directory or page using the credentials that you supplied.

• Authentication and Authorization Problems with IIS 6 and Jrun 4

  Hello all,
  I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
  package testauthenticationapp;
  import java.io.IOException;
  import java.io.PrintWriter;
  import javax.servlet.*;
  import javax.servlet.http.*;
  public class SecureTestServlet extends HttpServlet {
     private static final String CONTENT_TYPE =
        "text/html; charset=windows-1252";
     public void init(ServletConfig config) throws ServletException {
        super.init(config);
     public void doGet(HttpServletRequest request,
                       HttpServletResponse response) throws ServletException,
                                                            IOException {
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();
        out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
        if (request.getUserPrincipal() != null){
           out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
        } else{
           out.println("<h3>User Principal is null</h3>");
        if (request.isUserInRole("Test_Role")){
           out.println("<h3>User is in Test_Role</h3>");
        } else {
           out.println("<h3>User is NOT in Test_Role</h3>");
        out.close();
  1.  What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
  2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning  false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
  Any help that is provided is appreciated. Thanks in advance.

  Try This...
  Close All Open Apps...  Perform a Reset... Try again...
  Reset  ( No Data will be Lost )
  Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
  http://support.apple.com/kb/ht1430

• Authentication and authorization for a custom connector

  I have the following problem: I have a software which tries to connect with the server through its own custom RMI connector.
  So I have the  RMI Connector deployed via Mlet-Service. I have written a small TestClient and can get a RemoteMBeanServer  with RemoteMBeanServer rs = getRemoteMBeanServer(), but if I try to call something like  rs.getMBeanCount() I get :
  com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, only role administrators is allowed to access JMX
  So the WebAS considers someone who tries to connect with this connector as guest. How do can I get authentication  and autorization to access the JMX parts? The manual seems only to cover JSP and webapplications, where it is possible to configure a role for them. I only have this connector.jar, configuration and mlet-file.
  I still have the option to use JAAS authentication with  this connector, then I have to configure it differently and, the more difficult, to implemend
  a method "public Subject authenticate(Object credentials)" where credentials are two Strings with user and passwd. But I am not quite sure how to fill the Subject with useful information.
  Thanks in advance
  Nils

  Jmx is secured resource and only administrator role user
  can access it.
  If your code is running in a servlet you can define
  the servlet to run as administrator
  1. Add in the web.xml
  <security-role>
     <role-name>AnyName</role-name>
  </security-role>
  2. Add in the web-j2ee-engine.xml
  security-role-map>
     <role-name>AnyName</role-name>
     <server-role-name>administrators</server-role-name>
  </security-role-map>
  If you are runnig from a remote client you just have to
  Properties connectionProperties = new Properties();
  connectionProperties.setProperty(
  Context.INITIAL_CONTEXT_FACTORY,
  "com.sap.engine.services.jndi.InitialContextFactoryImpl");
  connectionProperties.setProperty
  (Context.PROVIDER_URL, "<host:p4port>");
  connectionProperties.setProperty
  (Context.SECURITY_PRINCIPAL, "<ADMIN USER>");
  connectionProperties.setProperty
  (Context.SECURITY_CREDENTIALS, "<PASSWORD>");
  MBeanServerConnection mbsc =
                      JmxConnectionFactory.getMBeanServerConnection(
                           JmxConnectionFactory.PROTOCOL_ENGINE_P4,
                           connectionProperties);

• Certificate Based Authentication and SSL

  To whom it may concern,
  I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
  Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
  Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
  I am running my Messenger express (http) like this :
  http://testing.xyz.com:8100
  (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
  https://testing.xyz.com:8100 also,
  http://testing.xyz.com:443 also,
  https://testing.xyz.com:443 also,
  but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
  And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
  Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
  Thanking you,
  Farhan Ahmed,
  System Engineer
  Dubai, UAE.

  Dear jay,
  I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
  [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
  i got this line from the http log:
  [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
  Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
  Thanking you,
  Farhan Ahmed,
  System Engineer,
  Dubai Internet City, Dubai, UAE.

• 802.1x multipoint authenticator and security issue

  Hi everybody
  Let say we have following set up:
  host1
  host2   ) ----------------hub------ f1/0-switch( authenticator)-------------------------Radius server.
  host3
  The switch is configured as follows.
  Switch(config)#interface FastEthernet 1/0
  Switch(config-if)#dot1x port-control auto
  Switch(config-if)#dot1x host-mode multi-host
  Let  say only host1 has valid credentials and the rest hosts i.e h2,h3 are  rogue hosts.  host1 sends authentication request and successfully  authenticated and switch transition its port to an authorized state.  But does it not mean  the other hosts h2 and h3 which were not  authenticated but yet are able to access network ?
  thanks and have a great weekend.

  This board is more for Wireless Security not LAN. but I would think it's because you are connecting through a hub instead of a switch. Hubs share the data, so when the switch gets the auth for the valid client it turns that port as it should.
  Now an invalid client connects and because the port is already thinking the client is valid, it passes all the traffic.
  Make sense?
  Steve
  Sent from Cisco Technical Support iPhone App

• SAP authentication and SSO into BI4 with multiple SAP systems

  We have already setup SAP authentication and SSO between ECC6 and BI4, e.g. to run CR 2011 reports with data based on ECC infosets, or BEx (operational BI on ECC). ECC is the main point of entry for users, so ECC user accounts and role imports are used in BI4.
  Now if we add BW to this, with Crystal or WebI or Analysis OLAP sourcing data from BW, can we still leverage detailed authorizations in BW on the corresponding BW user - with user accounts and role imports in BI4 still being ECC-based?

  Hi,
  Let's say the trust relationship is setup between those systems. Then the simple example is to use Enterprise authentication in BI4, and assertion tickets are issued when making requests to ECC or BW. I assume LDAP/AD authentication would work as well.
  >> You also have to setup trust between the BI 4 and ECC & between BI4 and BW. Thats part of the setup for the SSO Token Service.
  But does this scenario rule out SAP authentication or not? I was hoping that I can still logon to BI4 with an ECC-issued logon ticket, and then BI4 would nevertheless issue assertion tickets for my BW alias.
  >> And that is still possible. Setup the SSO Token Service, setup the aliases for the users. then you could logon with ECC credentials and run a BW report because the token service would then generate the token towards the BW system.
  ingo

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• JAAS Authorization and Credentials

  Hi,
  I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
  My question is: What is the role of a Subject's "credentials" in the authorization scenario?
  From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
  A ProtectionDomain also has an array of Principals rather than credentials.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an idenity, it is a "credential"!
  Any tips gratefully received.

  When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be is interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
  A ProtectionDomain also has an array of Principals rather than credentials.Again it doesn't need them. Only the JAAS login module needs them.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
  So you write a JAAS LoginModule that inspects the credentials, Principal, name etc and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appopriate Principal in the Subject. If there, OK, if not, bang you're dead.
  From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.

• Aironet 1310 using Peap Auth and AES encryption??

  I have 2 1310 wireless briges in a point to point configuration with the root bridge acting as my ACS server..
  I am currently running Leap Authentication and with Wep encryption but would like to upgrade this to use Peap and AES if possible??
  I'm wondering if anyone has upgraded their solution to this type of encryption?
  thanks

  What IOS version are you running ? 12.4(25d)JA is the last supported IOS version for this product. So you should go with that image.
  If you are using AP as AAA server, then I think only EAP-FAST, LEAP & MAC authentication is supported. Not anything else.
  Here is WGB (workgroup bridge) configuration with EAP-FAST & you can get an idea how to configure EAP-FAST if you choose to. (In your case you have to configure root bridge & non-root bridge in two respective AP)
  http://mrncciew.com/2013/04/28/wgb-with-eap-fast/
  HTH
  Rasika
  **** Pls rate all useful responses ****