ADFS 3.0 WAP and Non-Claims-Aware Relying Party Trusts

I am attempting to migrate a Windows Claims SharePoint page to ADFS 3.0 (Windows Server 2012 R2) and the WAP (Web Application Proxy) from UAG, but am running into problems when our external users attempt to authenticate. Users from our external domain (call it Domain2.com) have been accessing our SharePoint pages via SAML tokens, but when I attempted to move them to the new WAP and off of UAG, they get an HTTP/500 error. The WAP error log gives the following:
Warning Event ID 13016 - Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie
Error Event ID 12027 - Web Application Proxy encountered an unexpected error while processing the request. Error: The specified username is invalid. (0x8007089a).
I presume the Error Event ID 12027 is because there is no UPN in the token and we are using KCD/Kerberos, so I need to pass a UPN.
The ADFS server and WAP are joined to Domain1.com. Domain1.com is Active Directory and there is an account for every user in Domain2.com that is allowed access to our SharePoint sites. These accounts contain the standard info... UPN, email address, sAMAccountName, etc. The UPN, email, and sAMAccountName do not always match the accounts with the Domain2.com accounts; however, we have been using an Active Directory field labeled employeeNumber that is synchronized on both domains, and we have been using a custom lookup based on the employeeNumber in AD.
When logins occur via Domain1.com, no problem, the UPN is pulled from the Active Directory Claims Provider Trust. When a user attempts to access from Domain2.com, we have configured ADFS to forward them to an STS that collects the employeeNumber from Domain2.com via a Web Auth SAML token. We are able to use the SAML token if we use the standard Claims-Aware Relying Party Trust (CARPT) and convert our SharePoint sites to use the trusted URN via PowerShell scripts, but we are trying to retain functionality similar to how we are using UAG, so we don't want to change every single SharePoint site to the SAML configuration; hence we are trying to use the Non-Claims-Aware Relying Party Trust (NCARPT).
Problem1: When we are using CARPT we can configure the custom translation for our employeeNumber lookup in AD. But CARPT uses SAML tokens, not Kerberos tokens, so we cannot log in when SharePoint is configured for Kerberos.
Problem2: When we are using NCARPT it works great when authenticating via local (Domain1.com) credentials and looks up the user in AD, but when we attempt to authenticate with remote (Domain2.com) credentials we are unable to configure the employeeNumber lookup, and ADFS doesn't just go out and make that correlation on its own.
Question1: Can I configure CARPT to use Kerberos?
Question2: If not, can I configure NCARPT to look up the AD employeeNumber, match the UPN, and add the UPN to the token?
Question3: If neither option is available, am I just stuck with UAG, or is there something out there (not scheduled for EOL) that can handle the translation between SAML and Kerberos tokens?
Let me know if I left something out. I tend to ramble, but I'm not sure of all the info that is needed...

Hi,
Based on the description, is there trust between domain 1 and domain 2? If not, we can try to create trust between these two domains to see if it helps.
Regarding Event ID 13016 and Event ID 12027, the following article can be referred to for more information.
Web Application Proxy Troubleshooting
https://technet.microsoft.com/en-us/library/dn770156.aspx
Besides, for ADFS questions, in order to get more and better help, it's recommended that we ask for suggestions in the following forum.
Claim based access platform (CBA), code-named Geneva
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Similar Messages

  • Problem opening documents no SSO with rich client integration ( ADFS 3.0 + WAP + SharePoint 2013 )

    At our customer we deployed ADFS 3.0 and the Web Application Proxy to provide external users access to SharePoint 2013.
    We went with this solution as UAG is pretty much gone now.
    Every time an editor opens up an Office document he/she is prompted for a password.
    I have checked that the URLs are in the Intranet zone, and that the WebClient is configured for passing on credentials.
    We are using Kerberos and non-claims-aware relying parties.
    Please advise, we really, really, really need an SSO experience as we had when using UAG.
    Best regards
    Michael Thøgersen

    Hi,
    Check your browser definitions:
    In IE go to Tools -> Internet Options -> Security -> Custom level -> User Authentication.
    Set it to "Automatic user name and password" (the third radio button).

  • ADFS, WAP and Logging

    I've done a fair amount of searching and this question escapes me. When setting up a Web Application Proxy (Win2012R2), where are the security logs? I know there is an application log for ADFS on the WAP but I don't see where, say, traffic logs are available. Being as the WAP is an Internet-facing device, I should think there are traffic logs available. Can someone point me in the right direction? TIA.

    Hi,
    You have the wrong forum, you would be better posting this in Directory Services or Windows Server 2012 General.
    Best regards, 
    Ryan Mangan | [email protected] | Help keep the forums tidy, if this has helped please mark it as an answer

  • Claims aware Provider Hosted Apps - The SecurityToken was not well formed

    Dear Friends,
    Please help me,
    I have created a provider-hosted app and converted the basic provider-hosted application into a claims-aware provider-hosted application in SharePoint 2013.
    I did all configuration based on ADFS implementation.
    The error we got is
    Server Error in '/' Application.
    ID4230: The SecurityToken was not well formed. Expecting element name 'SecurityContextToken', found 'SP'.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    Exception Details: System.IdentityModel.Tokens.SecurityTokenException: ID4230: The SecurityToken was not well formed. Expecting element name 'SecurityContextToken', found 'SP'.
    Source Error:
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
    Stack Trace:
    [SecurityTokenException: ID4230: The SecurityToken was not well formed. Expecting element name 'SecurityContextToken', found 'SP'.]
    System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +1082000
    System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +100
    System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +623
    System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +164
    System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +173
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.19453 
    Regards
    Jenkins NS
    Thanks & Regards Jenkins

  • I Dislike the Terms "Destructive" and "Non-Destructive" Editing

    Some folks in the Photoshop realm use the terms "destructive" and "non-destructive" to describe ways of using Photoshop in which transforms are applied directly to pixel values vs. being applied via layers or smart filters or smart objects or other means.
    Do you realize that the term "destructive" is actually mildly offensive to those who know what they're doing and choose to alter their pixel values on purpose?
    I understand that teaching new people to use Photoshop in a way that doesn't "destroy" their original image data is generally a good thing, and I'm willing to overlook the use of the term as long as you don't confront me and tell me what I'm doing when I choose to alter pixel values is "wrong" (or when I choose to advise others on doing so).
    For those people who claim editing pixel values is "destructive", I offer this one response, which is generally valuable advice, in return:
    Never overwrite your original file.
    There.  The "destruction" has ceased utterly.
    It's common sense, really.  You might want to use that file for something else in the future.
    If you shoot in raw mode with a digital camera, then you actually can't overwrite your raw files.  That's a handy side effect, though some don't use raw mode or even start working with digital photographs.
    In any case, when you open your image consider getting in the habit of immediately doing File - Save As and creating a .psd or .tif elsewhere, so that you can subsequently do File - Save to save your intermediate results.
    There can actually be many advantages to altering pixel values, if you know what you're doing and choose to do so.  But sometimes even the most adept Photoshop user might find that a given step created a monster; that's okay, there's a multi-step History palette for going back.  I normally set mine to keep a deep history, to give me a safety net if I DO do something wrong, though I tend to use it rarely.
    And for those who would tout the disadvantages to editing "destructively", there can be huge disadvantages to doing it "non-destructively" as well...  Accumulating a large number of layers slows things down and can use a lot of RAM...  With downsized zooms the mixing can yield posterization that isn't really there, or gee whiz, just TRY finding a computer fast enough to use smart filters in a meaningful way.  Just the concept of layers, if one hasn't worked out how layer data is combined in one's own mind, can be daunting to a new person!
    So I ask that you please stop saying that the "only" or "best" way to use Photoshop is to edit "non-destructively".  There are folks who feel that is offensive and arrogant.  I think the one thing everyone can agree upon is that THERE IS NO ONE OR BEST WAY TO USE PHOTOSHOP!
    You go ahead and do your editing your way.  I prefer to do "constructive" editing. 
    Thanks for listening to my rant.
    -Noel
    Man who say it cannot be done should not interrupt man doing it.

    Aegis Kleais wrote:
    When you alter image data in a manner that cannot be reverted, you have destroyed it.
    Really?
    That's one of those things that one is not supposed to question.  It just sounds so right!
    Problem is, it's insufficient in and of itself, and misleading...  It's a rule of thumb that's way too general.
    What IS "data" anyway?  Arrangement of magnetic spots on a disk?  My disk is still whole, so we're not talking about physical destruction here.
    One could argue that all the data is all still there in many cases of pixel-value-change editing (e.g., where there has been no resizing).  The image file is the same size!  Same amount of data.
    Upsampling, or making a copy of an image is actually creating more data, not destroying data.  Thus there is no general "destruction", but the terms "construction" or "creation" could be used.
    But wait, perhaps you're really talking about destroying information, not data...  Well...
    As it turns out the term "destructive" is still off base.  I have altered the information, possibly even adding important information.  If I make a copy this is a no brainer.  Even if I don't, depending on a person's skill in editing, the altered result could still carry all the original information that was important plus information added by editing, and be quite possibly better for its intended purpose (human consumption) than the image before the edit.  That's the goal!
    So now we're talking about important information vs. unimportant information.  And of course we're talking about fitness for a future purpose.
    As with anything, there are multiple ways to get there and multiple ways to interpret the words.
    The term "destructive" in my opinion was invented to further someone's agenda.
    -Noel

  • ADF Mobile Error handling and redirect

    I'm stuck on how to handle errors within my ADF Mobile application. My application consumes a number of web services and we have found we often get error messages when phone connections switch from Wi-Fi to 3G or lose connection altogether. These are errors such as SSL handshake failure, HTTP 500 errors, and also errors where it can't display the binding, e.g. "Unable to get value for the property due to invalid binding iterator", because a WS call has failed. From the little information I can find, and none of it specific to ADF Mobile, I think I need to write an error handler class which I set against ErrorHandlerClass in databinding.cpx. Is that correct? Am I able to catch these errors using that method, and if so, has anyone got any examples at all? Ideally what I'd like to do when I've caught those errors is redirect to another page (showing something like Facebook's app does when it loses a connection and says tap to try again). Does anyone have any suggestions or examples?
    thanks
    lynsey

    A sample for ADF Mobile Error Handling.
    SDA013
    Error Handling in ADF Mobile
    https://java.net/projects/smuenchadf/pages/ADFMobile#SDA013

  • How can the symbol and non-English diacritical marking, etc accessed with combinations of letters and functional keys prior to Snow Leopard be achieved in Snow Leopard?

    How can the symbol and non-English diacritical marking/punctuation pallet, available in pre-Snow Leopard OSes with various combinations of letter or number keys and functional keys, be accessed in Snow Leopard?  Those pre-Snow Leopard versions worked on the fly as one was making text in any pedestrian application and its native font (Mail, Text Edit, for example).  One didn't need to dig around in font libraries, change font preferences, etc.

    > One didn't need to dig around in font libraries, change font
    > preferences, etc.
    It hasn't worked like that since the Early Chalcolithic (ie, System 7 or thereabouts).
    You've already got plenty of answers. Briefly (and grossly oversimplified),
    - Mac OS X conforms to a standard known as Unicode; in its current incarnation, it defines over 100k characters.
    - A keypress is translated into a character according to the current keyboard layout.
    - The graphic representation of a character (ie, glyph), is provided by the current font.
    - If a font lacks a glyph for the requested character, either another font will be automatically chosen (Mac OS X text engine), or some form of feedback (empty box, question mark, etc) will be used.
    - To inspect the actual key codes, use a utility such as Key Codes.
    - To inspect the current keyboard layout, invoke Keyboard Viewer.
    - To inspect the full complement of glyphs of a font, invoke Character Viewer (also accessed with the Special Characters command).
    (Remember that both these utilities are resizable and zoomable -- you can enlarge them to a comfortable viewing size, then zoom out to see more of the screen for your original task.)
    - For a more detailed look, use a utility such as UnicodeChecker.
    - The default keyboard layout depends on your Mac OS X localisation.
    (Keep in mind that there's no need to stick with the default layout; choose whichever one makes sense to you, given your language, habits, and proclivities. Mac OS X comes bundled with quite a few, including some obviously designed for the huddled masses of refugees from the Dark Side, who, in their wretched ignorance, have the unmitigated gall of labelling our native ways "really uncomfortable". Oh well, this, too, shall pass.
    If none of the supplied keyboard layouts fits your needs -- if, for instance, you write your emails in Etruscan -- go out on the 'net, you'll find quite a few. Or write your own with Ukulele, it's not really all that difficult.)
    - Use Keyboard Viewer to familiarise yourself with the current layout and to enter the odd character; but, to be proficient, you should learn your layout to the point that KV is no longer needed.
    - Use Character Viewer to enter the odd character not available in the current keyboard layout.
    Neither Keyboard Viewer nor Character Viewer are effective tools for more extensive needs, eg, for writing and editing bilingual or multilingual texts. In such a case, you should enable the respective keyboard layouts and switch between them with a keyboard shortcut.
    A few interesting layouts bundled with Mac OS X have already been mentioned. Let me add three.
    - Dvorak: several layouts based on the Dvorak keyboard. It is claimed that the latter is more productive and lessens RSI risk.
    - US Extended: based on QWERTY, it offers a more extensive set of diacritics (eg, caron, breve) via dead keys.
    - Unicode Hex Input: also based on QWERTY, it allows input by Unicode codepoint (in hexadecimal), so it's the most extensive layout of all; eg, to enter the character "Parenthesized Number Twelve" (U+247F), hold down Option, type "247f", release Option.

  • Office Integration and non-MS browsers

    I have an 'issue' with Office Integration and non-MS browsers with our SharePoint 2013 on-prem environment (using SSO via ADFS).
    Background: our internal client wants to move to SharePoint sites for collaboration with external partners. One of the selling points they're wanting to make to justify the move from their current external collaboration site is Office integration, specifically the ability to open/edit/save documents by clicking on the document in SharePoint and having it open in Office (PC/client) for editing. Note they are wanting full integration with the client version of Office, not OWA. The other requirement is that this work with both Firefox and Chrome.
    Issue: Office integration works fine using Internet Explorer. When a user clicks on a document, the document opens in Office and can be edited directly in the browser without any additional prompts. But when clicking on a document via Firefox or Chrome, the SSO login form pops up when Office starts. Once the user enters their credentials they can work with the documents as desired. But our client does not want this second prompt.
    Question:
    Is there a way to configure SharePoint so that Firefox or Chrome open up documents for editing without a second logon prompt? I'm assuming not, based on my research on how these browsers handle cookies differently than IE. Can someone confirm?
    Is there a dev solution to this? Note that because the users will be partners (non-employees) we are trying to avoid using a solution that would involve installing custom software on their PCs (such as browser extensions).

    Unfortunately you are looking at a plugin or having the users modify their browsers:
    http://yalla.itgroove.net/2011/12/firefox-friday-3-sharepoint-login-prompts-on-firefox/
    http://www.rhyous.com/2009/12/31/why-does-firefox-prompt-for-domain-ad-authentication-or-how-to-get-firefox-to-automatically-login-to-web-sites-with-domain-credentials-sharepoint-for-example/
    Brandon Atkinson
    Blog: http://sharepointbrandon.com

  • Stock transfer between Excise Plant and Non Excise Plant

    Scenario : Stock is imported from say Singapore. One of the import duties can be claimed back as CVD and pass the benefit to customer.
    Requirement : Stock transfer between Excise Plant and Non Excise Plant
    Question : i) If I do stock transfer from Excise plant to non-excise plant, can I transfer the CVD amount which I captured in RG23A - Part1/Part 2?
    ii) If I do stock transfer from Non- Excise plant to Excise plant, can I get the benefit of CVD and pass on that benefit to customer?
    Pls let me know the possibility of the above two in SAP and legally?
    thanks in advance
    Sridevi

    Ok! Thanks for the replies. Pls allow me to elaborate on the earlier requirement.
    Trading Goods say A gets imported to India. Issue was:
    1) We need to issue Excise invoice only to few customers. So, we thought of treating one batch as excise batch and remaining as non excise batch per day.
    2) Stock price varies every day being batch wise produced in say Singapore.
    Means Material is A but price varies every day and because of the duty payment also gets varied. For a single material master we do have different prices for each batch and also excise/non excise scenario. So, how can I get material value for each of these combinations in the system and how to identify the same.
    Because of the above reasons, we thought of having two plants. I can not configure depot here because client requires single plant for each state as of now.
    Am I clear? If not, pls let me know,
    regards
    Sridevi

  • Taxes: Deductible and non-deductible

    All SAP Gurus,
    What is the difference between Deductible and non-deductible taxes?
    Regards,

    hi
    In case of some materials, the tax paid on purchase of items can be availed back from the government. This is called deductible tax. Here the tax portion is not loaded to material inventory. It is posted to a separate GL account as per the config and at a later stage it will be cleared off by finance.
    In case of non-deductible tax, the tax amount will be loaded to material inventory. Here the company can not claim this amount back from govt.
    Regarding configuration, you have to define a new account key in case of deductible tax and assign GL accounts.
    In case of non-deductible tax you can use SAP standard key NVV.
    regards
    kunal

  • Split the mileage into VAT and non VAT applicable -Travel Expenses

    Dear all,
    I need help from you in configuring the travel expenses for Input VAT, i.e. to split the mileage into VAT and non VAT applicable so that we can claim reimbursement from the govt. So how can we get this on the Travel Expenses form?
    Pl. I need help on this.
    Regards,
    Sushma.

    Dear Dominic,
    Thank you for your suggestion. Could you pl. tell me where I can create the additional Line Item, and in which Transaction code it is? I am not able to see this additional line Item in T-code: PRFI or in TRIP.
    Pl. suggest me the way, it is very urgent.
    Thanks in advance,
    Sushma.

  • Cluster - Non-cluster aware application

    Hi everyone,
    I need to migrate some non-cluster aware applications from Windows Server 2003 to Windows Server 2008 R2 or Windows Server 2012.
    On Windows Server 2003, the cluster service starts with a specific domain user to let some access.
    I have seen some solutions like "RUNAS" in cmd or a PowerShell script or VBS.
    But my problem is:
    How can I start or create a non-cluster aware application with user domain access and with "clean work"?
    Thanks

    Windows services are installed with an associated account.  You can define that to be whatever you want, either a local machine account, local system account, or a domain account.
    To make it much, much easier than was possible with clustering in 2003, Windows Server 2012 (suggest using R2) comes with a cluster role of Generic Service.
    . : | : . : | : . tim

  • Deductible and non deductible tax cin

    Hi,
    Can anyone explain to me what are the deductible and non deductible taxes in case of VAT?
    How can we configure these settings?
    regards
    veknkat

    In case of some materials, the VAT paid on purchase of these items can be availed back from the government. This is called deductible tax. Here the VAT portion is not loaded to material inventory. It is posted to a separate GL account as per the config and at a later stage it will be cleared off by finance.
    In case of non-deductible VAT, the VAT amount will be loaded to material inventory. Here the company can not claim this amount back from govt.
    Regarding configuration, you have to define a new account key in case of deductible tax and assign GL accounts.
    In case of non-deductible tax you can use SAP standard key NVV.
    Hope this clarifies your doubt.
    award points

  • Do any of the instruments in Logic 9 support the sostenuto pedal. I have Logic 8 and none of the pianos allow its use.

    Do any of the instruments in Logic Pro 9 support the sostenuto pedal? I have Logic Pro 8 and none of the pianos there allow its use.
    I'm using Prokeys88. Both sustain and expression pedals work as they should but not the third pedal. Is there a way to get it to operate?

    RealPlayer can cause conflicts with Flash Player because it tries to assign EVERY TYPE of video or audio file to itself by default. I haven't used RealPlayer in years for that reason. It's an unnecessary program anymore. There are apps like VLC media player that can do EVERYTHING it does without conflicting with other apps like Flash Player.
    With Windows 8, Microsoft began embedding Flash Player themselves into Internet Explorer. Because of that, you cannot download and install it from here. You cannot uninstall it from Internet Explorer without removing a specific Windows Update first. And you cannot update it via this website. ONLY through Windows Update can Flash Player for Internet Explorer be updated.
    That said, you probably DON'T have a virus that's causing the problems with Flash Player and Internet Explorer. Many, many websites are not "recognizing" the browser.
    This is a known problem with Internet Explorer 11, which Microsoft has been aware of since October 18 when they released IE11. The pages can't recognize the browser, so they don't recognize any of the plugins, like Flash Player.
    So far, Microsoft has made NO indication that they have any plan to fix it soon.
    Microsoft's recommendation is to use Compatibility View for affected pages, and "pretend" you're using a different browser. Trouble with that is it has seen limited success at best, and you have to individually enable it for EVERY page that has problems.
    I'm not big on "pretending" so I recommend actually using another browser.
    Firefox (from Mozilla)
    Opera (from Opera)
    Safari (from Apple)
    Chrome (from Google)
    ANY of those will work where IE11 won't, with the Flash Player Plug-in (For all other browsers), and Chrome doesn't even need that because it has its own Flash Player plugin built in.

  • SSO for SAP and Non-SAP applications without Enterprise Portal

    Dear all,
    Is it possible to implement SSO for both SAP and non-SAP applications without involvement of EP at all?
    I have gone through this link.
    http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/frameset.htm
    But I am still not able to get a precise answer on how to enable SSO for both SAP and non-SAP applications without EP.
    We have decided not to implement EP in first phase of SAP implementation. But we need to enable SSO for other SAP and Non-SAP applications.
    A detailed description on how to deal this kind of scenarios will be helpful.
    Thanks.

    A client of ours uses SAP Enterprise Portal, and is using the SAP SSO, which is implemented with tickets, and requires the use of SAPSECULIB. My company provides an application for this client, and our application is hosted in our data center for the client, as a Software as a Service application, obviously across the internet. Our client, which owns a SAP license, has asked that we support the SAP SSO as a non-SAP SSO application. The client user's SSO ticket will be created from SAP EP, and then passed across the internet to our application, and we are to use that SSO ticket as an authentication ticket to our application. I believe I know how to do this work technically, having reviewed the SAP document named: "Dynamic Library for Verifying SSO Tickets in Third-Party Software" Specification Version 2.00 December 2005.
    My question is, does my company have the right to use the SAPSECULIB? Where is the official download and license download, that indicates we can download this library, and use it to support a SAP customer? We do not own a SAP license. Thank you for your help. I have searched many places in SAP support.
