AD SSO NAC issue

Dear All,
1) I have configured AD SSO and users get authenticated. But when the user puts his credentials in Windows machines, it takes minimum 5 minutes for the person to log in and also for the NAC agent to pop up. I disabled the ADSSO and the user can log in in less than 1 minute. Any way to solve this issue?
2) On a single CAS server, I am using it for both wired and wireless. Wired supports ADSSO with LDAP. Can I use ADSSO with LDAP for wireless? I have deployed the servers with L2 OOB VGW.
Please guide me
Prasanth Mathews

Sorry I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both are pointed to the same domain controller. The reason I created the Kerberos is for allowing user to login through web login for downloading agent at the first time. After that, AD SSO will be used for authenticating.
Anyway, the problem is if user, laptop, does not log in to the domain, the agent dialog will display and still allow the user to log in via the Kerberos. I do not want things like this. How can I do this? Please advise.
Thanks,
Nitass

Similar Messages

  • CCA Agent debug - AD SSO NAC Appliance

    Hi,
    I'm investigating a HARD AD SSO issue on NAC appliance and checking the doc suggested by Prem (Troubleshooting Windows SSO) I don't understand how I can obtain the output in page 14 (title: Debug Logs from Agent).
    I've activated the event.log (adding registry key...) as suggested but in that file I can see only a lot of hexadecimal data... not easy to understand...
    Can somebody help me?
    Thanks, regards

    I think most of the hexadecimal characters are MAC addresses. In the following document, go to the chapter "error and event log messages" for understanding the messages.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/cam41ug.pdf

  • SSO logout issue with APEX

    I am trying to resolve the logout URL issue with our APEX application configured as a partner application with SSO. The partner application name is SSO_APEX and the logout URL is defined in partner application as
    http://OID_Server:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout where OID_Server is our OID server name.
    In the APEX application page, I tried to open the application that was imported from another apex server.
    Home>Application Builder>Application 107>Shared Components>Authentication Schemes
    SSO_Auth - current is
    &INFRA_NAME./pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=&SERVER_NAME./pls/htmldb/f?p=&APP_ID.
    The logout link is http://INFRA_NAME:7777/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http://SERVER_NAME/pls/cms/f?p=107 . The application is retrieving the INFRA_NAME and SERVER_NAME values from a database table and they correspond to the OID and 10g application servers respectively.
    The logout link should take it to the login page where the user will be prompted to enter login credentials again however it is currently taking to the above logout link page from APEX. It is not changing even though I specified a different logout link in partner application page. Moreover the check box beside SSO_APEX in the logout page is unchecked.
    The authentication scheme of application is overriding the partner application configuration. How can I make sure the logout is actually happening? Thanks in advance for any suggestions.
    Pavan.

    Scott,
    I am having the same issue, and have posted on another thread about this same thing. I know that's inappropriate to post the same thing in multiple threads, but I was searching the forum again today, and Pavan described exactly what I'm experiencing.
    We have been using SSO for about 4 years or so now, and haven't had logout issues. Our DBA at the time had written his own logout function for SSO where he invalidated the cookie with owa_cookie calls. It's worked until now. We have upgraded our database servers and all URLs referencing those servers are now in a different domain than our OAS server. Now the logic in the logout function is no longer invalidating the cookie for SSO (because it's in a different domain). SSO login and authentication still work, it's just the logout that does not.
    I'd like to just alter the logout URL to redirect to the OAS server for logout as you described. But here's what's happening. I press logout link, and it takes me to the OAS Single Sign-Off page where it shows the services it's logging you out of, but it doesn't automatically redirect (just sits there until I press the Return button).
    Is that expected (no automatic redirect)?
    And as Pavan mentioned, the Partner application name (APEX_SERVERNAME_SSO) doesn't show a checkmark next to it. If I go back to my application, I get right back in without being prompted for SSO (ie, not logging out successfully then).
    I know there are a lot of question marks here, but I'm not sure if there's something obvious I am missing or if there's something else I need to fix that I don't know about.
    Can you offer any guidance?
    Thank you for your time,
    Chris

  • OBIEE 11g: SAML SSO performance issues

    Hi All,
    We have implemented IDP initiated SAML2-SSO with SQL Authenticator to get user/group information.
    After implementing this we see following issues:
    1. Login time takes around 1 minute. In nqserver.log file I can see following message:
    [2014-12-22T12:55:09.000-05:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 0000Kdn8fzjFO99_ndL6iZ1Ka4_f0000FW,0:1:1:6] [tid: 1594] User 'BISystemUser(XXXX)' spent 28720.000000 milliseconds for http response when impersonateUserWithLanguageAndProperties
    2. General navigation through application is also slow.
    Can you please provide any pointers to fix these performance issues?
    Thanks,
    Mahipal

    I am experiencing performance issues with view selector. It repeats the SQL for each view resulting in duplicate SQL to be run and thus resulting in poor performance of reports. Is this an expected behavior of view selector?
    Thanks.

  • ALUI 6.5 SSO Performance Issues

    We have ALUI 6.5 running on WebLogic 10, with IIS as the Image Server. We enabled basic SSO options by modifying the portalconfig.xml and setting up the Aqualogic Authentication Source in the portal. This works and allows users on the same domain to be logged in automatically.
    However, the performance is extremely slow. It takes over 1 minute from the time that the URL is entered in to be logged in. I read some posts elsewhere that say that performance can be improved by limiting SSO protection to only the SSOServlet.
    Can someone provide some help on how to do this?
    Thanks in advance.

    I'd try to isolate where the delay is occurring, using log files or network tracing.
    Are you using WIA?
    Protecting only the SSO servlet may be useful depending on your configuration (do you want to allow guest access, for example), but shouldn't make login times jump to 1 minute. I think you have another issue.
    http://www.function1.com/site/2007/09/changing-sso-settings.html

  • Apache-SSO Integration Issue

    We are currently implementing Single Sign On for our application. This implementation is using an approach of 2 Sun AIM setups, the 1st to authenticate intranet, and the 2nd to authenticate internet access.
    We are facing an issue while implementing multiple SSO with JBOSS. Here are the details of the scenario:
    1. In the 1st setup of SSO, we have used Apache Tomcat to host SSO, and JBOSS is integrated with this SSO using the Tomcat authentication valve. This is working fine.
    2. In the 2nd SSO setup, we have Apache HTTP server with Sun Policy Web Agent protecting a resource hosted on JBOSS by authenticating web users. In this scenario, once the users are authenticated, the request is forwarded to Portal. But Portal is not able to identify SSOKTokenID in session.
    Ideally Portal needs to be configured in such a way that if requests hit Portal directly then it needs to authenticate users from the 1st SSO setup. And for web users, where requests are forwarded to Portal from Apache post authentication from the 2nd SSO setup, Portal shall identify the token to mark the same as valid user sessions.
    Any help in this regard is appreciated.
    Ramendra

    While doing this I am getting this message in the catalina logs:
    May 31, 2010 10:09:58 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory examples
    May 31, 2010 10:10:01 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory ROOT
    May 31, 2010 10:10:02 AM org.apache.catalina.startup.HostConfig deployWAR
    INFO: Deploying web application archive amserver.war
    May 31, 2010 10:10:50 AM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8082
    May 31, 2010 10:10:50 AM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 49286 ms
    May 31, 2010 10:18:47 AM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet pllservice threw exception
    java.lang.NullPointerException
         at com.iplanet.services.naming.service.NamingService.processRequest(NamingService.java:361)
         at com.iplanet.services.naming.service.NamingService.process(NamingService.java:351)
         at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:196)
         at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:148)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
         at java.lang.Thread.run(Unknown Source)
    May 31, 2010 10:23:51 AM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-8082
    May 31, 2010 10:23:52 AM org.apache.catalina.core.StandardService stop
    INFO: Stopping service Catalina
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://ldapweb.mydomain.com:6389] but has failed to stop it. This is very likely to create a memory leak.
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://ldapweb.mydomain.com:6389] but has failed to stop it. This is very likely to create a memory leak.
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [amStats] but has failed to stop it. This is very likely to create a memory leak.
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [amSession[0]] but has failed to stop it. This is very likely to create a memory leak.
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [amSession[1]] but has failed to stop it. This is very likely to create a memory leak.
    May 31, 2010 10:24:25 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    If anybody has any idea please help...

  • OID SSO Logout issue from the partner application

    As per the below link I am trying the logout functionality from the partner application:
    http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/tpsso.htm#i1011555
    The article talks about a logout URL pattern. I am trying to execute the below from the partner application.
    https://single_sign-on_host:single_sign-on_ssl_port/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=done_url
    The issue I got is the OID server is not redirecting to the p_done_url, it just stays on the same OID logout page. Do I have to create any configuration entry to get the redirection working?
    Thanks

    Hi All,
    Providing more information:
    What I get is the OID logout screen with two return buttons on top and bottom of the page.
    What I found is that when I click either of those it goes to the p_done_url, but what I want is,
    instead of stopping on the OID logout page, auto redirection to the p_done_url.
    Can this be done?
    Thanks

  • 10.2 Application Server SSO setup issue.

    Hello,
    I just installed a 10.2 Application Server Infrastructure installation, and I'm trying to set up SSO w/ PKI.
    I followed the following in an attempt to set this up:
    http://download.oracle.com/docs/cd/B14099_11/idmanage.1012/b14080/appendixe.htm#sthref2671
    I succeeded in setting up the SSO partner login page on 4443, however when I attempt to log in, I get a 500 error from the HTTP server.
    Looking through the logs, I see the following error from the ssoserver.log:
    Mon Oct 26 13:30:27 EST 2009 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Auth object, null could not be created: null
    Mon Oct 26 13:30:27 EST 2009 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Unexpected Exception received
    java.lang.NullPointerException
    at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
    at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
    at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    at java.lang.Thread.run(Thread.java:534)
    I suspect something isn't registered correctly, or I need to enable SSL someplace that wasn't mentioned in that document.
    Does anyone have any pointers/docs they could point me at that could help?
    -Dennis

    Thanks a lot, I followed those instructions and it worked.
    You have no idea how long I've been looking for instructions like that.

  • NAC issue with DHCP

    There are a few computers in the building that when they start I have to do a repair in the connection. If I put those same computers in the admin VLAN (doesn't go through NAC) I don't need to do the repair. I think something is blocking in the unauthenticated role. But the rare thing is that I'm allowing the DHCP and Active Directory servers on the unauthenticated role.

    The "Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that "Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets from passing through in either direction.

  • NAC Issue

    Hi,
    I want to set up a client that accesses the network with a default IP, gateway and webpage startup. Could I use NAC to do this?
    Thanks

    Hi,
    You can use DHCP server to assign IP address, gateway and possibly other attributes (DNS server ...)
    NAC can do webpage redirect, but only as a tool serving to assess/remediate connecting client/s.
    What is your intention in doing webpage redirect?

  • Cisco NAC: Issue for the Wireless Users being assigned "Un-Authenticated Role" to stop accessing the Network !!!

    Hi,
    I am looking for a solution to deal with the wireless NAC users being authenticated (Web Login Only) from a particular AD group. The mapped users get into a particular role and access VLAN but un-mapped users get the default role which is "Un-Authentication Role" but also get the same Access VLAN. So, the unwanted users also get the same access, which is undesired.
    I tried one solution, which is: I put those users into a role named "Deny_Role" and enabled a timer of 1 minute (least time) on it, which seems to be working, but I can see that the user is disconnecting (session timeout) after 3 or 5 minutes. I want to limit this but again, I do not find this an appropriate solution.
    We could deal with wired users easily, bounce the port and get them again in "Unauthenticated Role" and VLAN will be "Un-Auth VLAN" with no network access, or redirect them into a particular role with a specific VLAN. But this is not valid in the case of "Wireless Users".
    So, I am looking for a solution to deal with the wireless users in this situation...
    Please advise or give an idea.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan

  • Layer 2 OOB NAC Issue

    I had a weird problem last week: we moved one of our servers from Layer 2 in-band to Layer 2 OOB mode Virtual Gateway. We set up 9 VLANs on the server and 3 of them worked perfectly, the other six did not. Clients would get a valid IP address but our web splash page would not show up on the others. All 9 were set up the same way, works on my test server. We are running 4.7.0 on our Manager. Any suggestions or anyone had this problem before?

    Thank you for feeding information back to the community to benefit others.
    That is the spirit...
    PK

  • OnBeforeLogin: how to fail a portal login in an SSO env ???

    Am researching a question for a customer to whose site I don't have access, so I can't test this and look at the PTSpy output. In this case, the customer wishes to display a portal usage agreement on login, and terminate the portal session if the user does not click accept. That's fine, in a non-SSO environment I'd just tell them to redirect to the error space if the user doesn't accept, and they're done. But what are the specific SSO issues in doing this? The customer has deployed Netegrity. What are the SSO-related issues in using OnBeforeLogin and then directing the user to the error space, if the user has not accepted an agreement?
    Once the person is logged in to the customer's intranet via Netegrity, can't they click a random portal link somewhere else and the window will just take them inside the portal?
    I understand the process flow of SSO redirection, but I don't know if OnBeforeLogin is as foolproof and simple as it is in a non-SSO environment.
    Thanks in advance!
    Cheers
    Rob

    Hi Ankur,
    Someone will somewhere call the EJB (not: "Java Bean"!). As an EJB isn't part of a request/response cycle but mainly thought for business logic, it is of course the task of the calling component to deliver the user (his logonID for example) to the EJB. There is no other way!
    Hope it helps
    Detlev

  • Unable to configure SSO in Oracle11g

    Hi,
    I have tried to install and configure SSO on a Windows 2008 R2 server (64-bit). I am facing an issue with the SSO Metadata repository installation, please help with that.
    Steps I did:
    1. Installed Oracle 11g R2
    2. Installed Oracle WebLogic Server (10.3.3)
    3. Run the RCU to create repository for IDM and SOA Suite
    4. Installed SOA Suite 11g (11.1.1.2.0 && 11.1.1.3.0)
    5. Installed Oracle Identity Management (11.1.1.2.0 && 11.1.1.3.0)
    6. Configured Oracle Identity management
    When I run the SSO Metadata Repository Creation Assistant (10.1.4.3.1), it is completing without any installation progress. Also I didn't find a 64-bit version in downloads.
    Please help me to resolve the SSO configuration issue.

    Which SSO are you trying to add?
    1. Is this Microsoft SSO, i.e. Kerberos?
    2. Oracle 10g SSO, a.k.a. OSSO?
    3. Oracle Access Manager SSO
    Looking at the installer "SSO Metadata Repository Creation Assistant (10.1.4.3)" it looks like you are trying to use 10g OSSO; is there any reason for using this?
    10g SSO is merging into 11g OAM SSO, so 11g OAM SSO is the one you should use if this is a new implementation.
    For 10g SSO, what error message are you hitting? Which document are you following?

  • 500 Internal server error when logging in to Enterprise portal after refresh

    Hi,
    We had a data base refresh of test system with production data. After the refresh, when users are trying to log in to portal test server, they are getting error as follows:
    The initial exception that caused the request to fail, was:
       com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: ComponentUsage(FPMConfigurationUsage): Active component must exist when getting interface controller. (Hint: Have you forgotten to create it with createComponent()? Should the lifecycle control of the component usage be "createOnDemand"?
        at com.sap.tc.webdynpro.progmodel.components.ComponentUsage.ensureActiveComponent(ComponentUsage.java:773)
        at com.sap.tc.webdynpro.progmodel.components.ComponentUsage.getInterfaceControllerInternal(ComponentUsage.java:348)
        at com.sap.tc.webdynpro.progmodel.components.ComponentUsage.getInterfaceController(ComponentUsage.java:335)
        at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdGetFPMConfigurationUsageInterface(InternalFPMComponent.java:245)
        at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.changeToExceptionPerspective(FPMComponent.java:862)
    I have installed the certificate after refresh, but still getting this error. I work on SAP ECC6. Thanks in advance for your help.

    Hi Bijoy,
    Do you have the specific error message that the system shows when SSO is not working?
    e.g. The system has received an expired SSO ticket
           Issuer of SSO ticket is not authorized
    Did you do a connection test for your system connector?
    You might want to check the following:
    1. Time difference between portal server and ECC server
    2. Parameters (e.g. login/accept_sso2_ticket = 1) in ECC have the correct value
    3. User account that you are using for testing exists and is valid in ECC.
    4. Portal certificate is still valid and has been added into certificate list and ACL of your ECC client (with the right SID and client number).
    5. System connector settings in portal are correct.
    Cheers.
    Best Regards,
    Zhi Liang
