AD authentication using DIGEST-MD5: users have to reset password?

Similar Messages

• Can J2ME use Digest-MD5 Authentication?

  We are writing a Java application with J2ME for cellphones which will use Microsoft MapPoint.net services that requires Digest-MD5 Authentication. Can J2ME use Digest-MD5 Authentication?

  Well, you can either implement it yourself or take a look at :
  http://java.sun.com/products/jce/
  You will probably not want the whole package, but I think you can have access to the sources, so... :-)
  Anthony

• Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

  I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
  digest-challenge:
  realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
  digest-response:
  username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

  Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
  example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
  The server also accepts a simple uid value.
  example: username="bgbrown"

• Read this to find out how to add/update/delete users and change/reset passwords programmatically

  WebLogic 7.0
  I have read a number of questions on how to do these but not many answers, so
  after figuring it all out, I thought I would post a message describing all these
  tasts (It would be great if BEA would start something like 'HOW-TOs for Linux'
  for WebLogic)
  -1. Imports required :
  import weblogic.jndi.Environment;
  import weblogic.management.MBeanHome;
  import weblogic.management.WebLogicObjectName;
  import weblogic.management.configuration.DomainMBean;
  import weblogic.management.configuration.SecurityConfigurationMBean;
  import weblogic.management.security.RealmMBean;
  import weblogic.management.security.authentication.AuthenticationProviderMBean;
  import weblogic.management.security.authentication.GroupEditorMBean;
  import weblogic.management.security.authentication.UserEditorMBean;
  import weblogic.management.security.authentication.UserPasswordEditorMBean;
  import weblogic.security.providers.authentication.*;
  0. Code to retrieve DefaultAuthenticatorMBean (this code is running inside WebLogic
  server - I have it inside EJB):
  DefaultAuthenticatorMBean authBean;
  Context ctx = new InitialContext();
  MBeanHome mbeanHome = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
  //Find UserEditorMBean
  DomainMBean dmb = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean scmb = dmb.getSecurityConfiguration();
  RealmMBean rmb = scmb.findDefaultRealm();
  AuthenticationProviderMBean[] providers = rmb.getAuthenticationProviders();
  for (int i = 0; i < providers.length; i++) {
  if (providers[i] instanceof DefaultAuthenticatorMBean) {    
  authBean = (DefaultAuthenticatorMBean) providers;
  break;
  1. Create/Drop/Update users
  to perform these tasks, the user must be logged in into weblogic and be in Administrators
  group. Then, the code is as follows:
  create user: authBean.createUser(username, password, description);
  remove user: authBean.removeUser(username);
  change user's description: authBean.setUserDescription(username, newDescription);
  remove user from group: authBean.removeMemberFromGroup(groupname, username);
  add user to group: authBean.addMemberToGroup(groupname, username);
  2. Change other users' passwords (MUST BE ADMIN TO DO THIS - by Admin I mean be
  a member of Administrators group)
  authBean.resetUserPassword(username, newPassword);
  3. Change your own password:
  this is a bit trickier, because if you are not an admin, you can't change your
  own password!!!! This is a part that I personally don't understand - seems like
  a screw up on BEA's part. So, to allow users to change their own passwords, you
  must change security context in the middle of processing to that of Admin user
  and run this function as Admin user. Although a bit ackward, it's very easy to
  do. Suppose you have two EJBs - EJB A and EJB B. EJB A does normal processing
  for the user and always runs in logged in user's security context. Now, suppose
  you want to add a method to EJB A to change current password. The method may
  look like:
  public void changePassword(String logon, String oldpwd, String newpwd)
  throws some exceptions
  Now, there is no way to do it in EJB A, because for most users, it will run in
  a 'non-admin' security context. So, to get around it, you create another
  EJB - EJB B. This EJB has one method:
  public void changePassword(String logon, String oldpwd, String newpwd)
  throws some exceptions
  and one major difference - this EJB always runs in a secrity context of admin
  user. To get an EJB B running 'as admin user', all you have to do in EJB A is
  the following
  EJB A:
  public void changePassword(String logon, String oldpwd, String newpwd)
  Hashtable props = new Hashtable();
  props.put(Context.SECURITY_PRINCIPAL, "wlmanager");
  props.put(Context.SECURITY_CREDENTIALS, "password");
  // get context that with different credentials
  Context ctx = new InitialContext(props);
  EJBBHome home = (EJBBHome) ctx.lookup("EJBBHome");
  EJBBLocal adminEJB = home.create();
  adminEJB.changePassword(logon, oldpwd, newpwd);
  adminEJB.remove();
  of course, this poses a problem of hardcoding user id and password for admin user
  in your application - you can come up with your own ways to secure that.
  THAT's IT!!! You can use the method explained in part 3 to allow non-admin users
  to do pretty much everything, however for the sake of security, I would definetly
  vote against it and use part 3 to ONLY allow users change their own passwords
  Enjoy
  Andrey

  I have a similar question, I would like to edit the artwork for EACH episode in the podcast, as well as have one artwork for the entire podcast series. Any suggestions? This is a podcast that I've created -- I did the same thing for a TV Show where I was able to do custom artwork for each episode, but not one single artwork for the entire series. Does anyone have suggestions of how i should proceed?
  Recap:
  One image for entire Podcast Series (or TV show)
  Different Set of Images for each episode in Podcast. (Understand how to do this in TV show)
  Thanks!

• Messenger Express: Problem authenticating using fully qualified user name - userID@domain

  I'm installing iPS SP3a with iMS 5.1, iDS 4.16, iCS 5.0P4... (<i>Sun ONE Starter Kit</i>) on Solaris 8 plataform.
  When I access the page for Messenger Express, with a non-default domain, (login: userID@domain) http://<server> a black box with script running down it and the page is then left white with a message:
  Loading: Please wait...
  and with url:
  http://<hostname>/my-domain/en/mail.html?sid=hes6bu6s3n35qm0&lang=en&cert=false
  If I edit the url and delete my-domain, all work fine (http://<hostname>/en/mail.html?sid=hes6bu6s3n35qm0&lang=en&cert=false)
  I created into <path to iMS>/msg-hostname/html/ a directory with same name of my-domain and copied the "default files and directories" of
  <path to iMS>/msg-hostname/html/
  to
  <path to iMS>/msg-hostname/html/my-domain/
  I followed the documentation and modified the "<path to iMS>/msg-hostname/html/main.js" file.
  then, I restart all services (../start-msg )
  It don't work and... I continue seeing the same message:
  Loading: Please wait...
  There is some bug in <b>iMS 5.1</b> with which it does that the Messenger Express does not work when is
  used several domain ?
  Somebody can help me ???
  <b>Thanks in advice</b>.

  Hi,
  I think your issue is related to iMS, Please post your query in iMS forums.
  Regards,
  Raj_indts
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• HT201441 Inherited an ipad from a friend passing away and cant clear it to use as i dont have her itunes password to reset.

  I inherited an ipad 2 from a friend that had passed away. I went to go and use and discovered that no one knew her password for her itunes account. Which poses a problem as i cannot wipe the ipad without it.

  I cannot find "Other" devices. I found Apple Mobile Device under Universal Bus Controllers but cannot see "recovery mode" or any other status. I use Windows Vista.
  When I try to restart Apple Mobile Device Service I get the following message: "The Apple Mobile Device Service on Local Computer started then stopped. Some services stop automatically if they are not in use by other services or programs". What does this mean?
  During the last 48 hours I was able to see my iPad in iTunes only one time during many attemnpts to connect . I haven't been able to see it during the llast several attempts.
  Any suggestions? The standard suggestions have not worked: i.e. stop then start AMDS; tuurn off iPad and PC, then restart both and reconfrom iPad to PC; reload iTunes.

• New user needs to reset password asking for old users password

  Attn: My new Mac friends,
  I just bought me a mac pro with the operating system
  X Already Installed and because its a used macintosh the old administrators logon name appears and of coarse its asking for the password.
  I need to know how to reset the password and put my password in it without the use of the disc to the OS x.
  Or maybe clear the password at startup by entering ?
  (what Key on the Keyboard do I press to enter the computers system bios or adminastrator?
  thanks susan ([email protected])

  Welcome to Apple discussions, Susan!
  On a Mac you have to have the system disk in order to reset the administrator password. You should ask whoever you bought the system from to give you the disks. Without these you will be unable to fix many of the problems that occasionally arise. At the VERY least, you should be able to get the password from the person you bought it from.
  Just for future reference Macs don't have anything equivalent to the BIOS. That is a PC thing.
  Also this forum is for people who want to program on the Mac a much better forum would be the "Installation & Setup" forum under "Tiger"
  http://discussions.apple.com/forum.jspa?forumID=752
  Finally, it isn't a good idea to post your e-mail address in public forums like this. Spammers can, and do, read through and add your address to their lists. Additionally the expectation is that all answers will be made to the list, so that others can get the help as well. If you want people t be able to reach you directly, you can go to "My Settings" on the right and add your address there. It is much harder for spammers to get your address that way. If you wan to know that someone has responded to your post, you can "subscribe" using the "My subscriptions" link, also on the right.
  Enjoy your Mac!

• TS2446 Cant remember answers to security questions on. Additional device and cant purchase apps. Have already reset password

  See above. My daughter had an iphone on my account. She has not purchaed anything for a while and is required to answer security questions. Cannot rmember wnswers snd us threatening to lock apple id. Help!

  Welcome to the Apple Community.
  Start here, and reset your security questions, you will receive an email to your rescue address, use the link in the email and reset your security questions.
  If that doesn't help or you don't have a rescue address, you might try contacting Apple through iTunes Store Support

• I am trying to creat an Apple Id account.  Everytime I fill out the info and they as me to verify me email address it says "Sorry".  Underneath in small letters it say "Session timed out etc"  I have tried resetting password and double checked my ID

  It says sorry you session has expired.  Verizon said it is a "apple" problem  I have tried many times!!

  This can also happen when the internet/3g/4g connection is too slow. Time out errors happen when a website takes more than a certain amount of time to load. The time limit is usually long enough for any website with reasonable connection speed. You might try using a different wifi location. If you are using a computer with an ethernet port, try plugging the ethernet cord into the CPU.

• Help!!! I think my email was hacked and now I can't get into it at all. All of the suggestions didn't help so far. I have double clicked, rebooted, and deleted the account. Is there a way that I can have a reset password to an alternate email?

  Help, my email was hacked, now I can't get in at all. Can I reset the password through an alternate email?

  You do realize that there are many, many email providers and without knowing which one you are talking about, there is no way to answer your question?
  Which then leads to this ..... Have you contacted your email provider about this? That's probably the best place to start. See what they recommend.

• SASL DIGEST-MD5

  Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
  I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials work fine.
  Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
  In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
  BTW: It fails the same way with NT4SP6 Server.

  Michael,
  Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
  You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
  Bertold

• AuthenticationException  in  DIGEST-MD5 in LDAP

  hi,
  when iam trying to use DIGEST-MD5 as Context.SECURITY_AUTHENTICATION it showingup the following Exception
  here is my code
  import javax.naming.*;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  import java.net.*;
  public class LdapAuth
  public static void main(String[] args)
  // Set up environment for creating initial context
  Hashtable authEnv = new Hashtable(11);
  String userName = "sm0013391";
  String passWord = "East321";
  String base = "ou=people,dc=company,dc=com";
  String dn = "sAMAccountName=" + userName + "," + base;
  authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  authEnv.put(Context.PROVIDER_URL, "ldap://company.com");
  authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 ");
  authEnv.put(Context.SECURITY_PRINCIPAL, dn);
  authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
  try {
  DirContext authContext = new InitialDirContext(authEnv);
  System.out.println("Authentication Success!");
  } catch (AuthenticationException authEx)
  System.out.println("Authentication failed!");
  authEx.printStackTrace();
  catch (NamingException namEx) {
  System.out.println("Something went wrong!");
  namEx.printStackTrace();
  }when i am run this program it shows..
  javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece ]
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
  at javax.naming.InitialContext.init(InitialContext.java:219)
  at javax.naming.InitialContext.<init>(InitialContext.java:195)
  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
  at LdapAuth.main(LdapAuth.java:35)
  plz any one have idea on this..iam using j2sdk1.4.1
  is there any need to include any jar files to j2sdk1.4.1??? to run this
  need help onthis

  Why don't you at least look up RFC 2251 and understand what LDAP Error 49 really means ?
  If you look at the post titled JNDI, Active Directory & Authentication (part 3) (Digest-MD5) available at http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
  you will clearly see that submitting the distinguished name as the user's credential is not supported by Active Directory for Digest-MD5 authentication.

• Authentication using userCertificate and SASL External

  hi!
  I try to authenticate using SASL "External" and SSL.
  The SSL connection works fine, also SASL when using "Digest-MD5" but when I try to authenticate using "External" I get connected as anonymous.
  Here is what I did:
  I created a self-signed certificate with owner "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org".
  My client has this certificate in it's keystore.
  The server has an entry with "dn=uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" an this entry has the userCertificate attribute, which also contains my self-signed certificate.
  I edited the "certmap.conf" file like this:
  certmap default default
  default:DNComps
  default:FilterComps uid
  default:verifycert on
  As I understood the manual, this means the server should search the directory for an RDN "uid=xyz" and check if the certificate of this user is the same as the one provided by the client. If it is, the client should get the permissions of this entry.
  But in the logfile I always get this message:
  conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
  conn=4 SSL 128-bit RC4
  conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
  conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
  conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
  conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
  conn=4 op=2 fd=1148 closed - A1
  So, one possibility is I understood something completly wrong and the other is the server doesn't find the entry "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" because of any misconfiguration or I need a user certificate, which has been issued by a CA...
  Can anyone help me?
  Thanks a lot!
  Florian

  Nikolay,
  Assuming you mean authenticaion to your developed application and not the HTML DB facilities, yes you can do that. Take a look at the custom_page_sentry function that appears on this forum in several threads, e.g., Re: NTLM with Cookies ... - is someone there After you change this function to meet your requirements (cookie names, etc.) and compile it in your application's schema, you'd create a new authentication schema and type 'return custom_page_sentry;' into the page sentry function field. Then enter a URL to your site's login page into the Invalid Session URL field. Then make the new authentication scheme the current scheme. Of course, with this solution, you are responsible for making it as secure as you need it to be, preventing cookie forgery/theft, etc.
  Scott

• How can I get a list of users with reset password ability?

  We are trying to tighten our security, but thanks to the environment we are in this is a bigger task than it should be. As part of this I have been asked to get a list of users who have the ability to reset other users passwords. there are the obvious suspects,
  domain admins, service desk etc., but we also appear to have random people who can do this because of a requirement during test or development stages way back. Is there a way to get this, I looked at using powershell but there doesn't seem to be much out there
  to give me a pointer, things like ADManager+ do not work, when I try to search on permissions it sits there doing nothing then crashes.
  Is there a way to build a function using powershell that can do this or is there some third party cmdlet or app that will provide me this info?
  Any help gratefully accepted.

  Hi,
  Based on my knowledge, except for those default groups users, such as domain admins and enterprise admins and so on, have reset password ability for other users, we can use delegation control to give other common users permissions to reset password for others,
  to view or delete Active Directory Delegated Permissions, please go through the below article:
  https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
  And if you were editing single user's security tab to give specific users reset password permissions, then I think we should create a script to get all those users, for scripting, please also post in the official scripting guys forum:
  https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
  Regards,
  Yan Li
  Regards, Yan Li

• Why do we have to change passwords every time we do something on the iPad?

  WHy do we have to reset passwords every time we do something on iPad?

  You shouldn't have to. It sounds like you may have content on the device associated with more than one apple id. If that's the case then, you may be entering a password for one account when you should be entering another.
  I would suggest using only one apple id username on the device and delete any content associated with another.