Anybody done USERID/PASSWORD authentication against aWindows NT Domain

Similar Messages

• Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

  Dear all,
  I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
  I know there are 3 options for digital signature and
  System signature with authorization by user ID and password (We use this currently)
  Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
  User signature without verification
  Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
  I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
  My active directory is based on Windows 2008.
  Thanks in advance!!
  Dhee

  Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

• -(Help!)Trying to have custom authentication against a NT domain

  Hi! I'm pretty much new to sun one and setting up realms for an app server, but here is my problem: We are developing a web-app and need users to login in against the NT machine instead of a DB server or flatfile. I've developed a java.rmi class that can take a username and password and a domain and return a boolean, but I have no way to have Sun One 7 take that as an authentication. I'm trying to have the authentication for the realm hit my class instead of whatever default it goes to and have my class return the required object back... any suggestions? Anyone?
  thanks.

  Thank you, that worked. but I still can't get the server to reconize my roles. I have a role being passed into the PasswordLoginModule and I have it defined in the "web.xml" as a auth-constraint, but I get this in the log files:
  FINE: Authenticator[]: Authenticated 'jeff.corbett' with type 'BASIC'
  FINE: Authenticator[]: Calling accessControl()
  FINEST: PRINCIPAL : jeff.corbett hasRole?: adminmember
  FINEST: PRINCIPAL TABLE: {}
  INFO: SEC1123: Audit: principal=jeff.corbett GET /XCSservices.jsp session=null DENIED
  FINE: Authenticator[]: Failed accessControl() test
  -if you have any ideas of what I may be missing, that would be a great help. Thank you again.

• IPS30SP4 and PDC authentication against non-default domain

  We are trying to get certificate authentication to work for a domain with a URL not equal to "/". At the moment the portal sends us right back at the default domain.<BR>
  Is there any way around that?
  Regards, Robert

  Hi,
  Can u explain the problem elaborately
  Thanks,
  Raj_indts
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support"

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• Authentication against users in a table

  I am somewhat familiar with JAZN authentication but here is what I need to do and would GREATLY appreciate as much details as you can provide:
  Say, I have a table USERS(USER_ID, NAME, ...) and several other tables in the DB. Let's say I have another table ADDRESS(ID, USER_ID, ADDRESS, ...). Several things needs to be done:
  1. When user attempts to access a Input Form page to add new record in ADDRESS, a login screen should appear. I KNOW how to do this with either basic or form based authentication. However in this case user credentials will be stored using jazn tool.
  2. Since I need USER_ID to be passed to my Input Form page I believe that I cannot use jazn for this, but rather to authenticate against my USERS table. How?
  3. In this case (authentication against my USERS table) where the paswords are kept?
  4. Also in this case, is it possible to provide several levels of access, ie all to managers, some to data enter people etc.
  We are new to Oracle and JDev so any help is appreciated. The more the better...
  Cheers!
  Rade

  Here is what I did and it does not work:
  I have 'login.uix' page with username and password entries:
  <form name="form0" method="post">
    <contents>
     <pageLayout>
      <pageButtons>
       <pageButtonBar>
        <contents>
         <submitButton text="Sign In" event="verifySignin"/>
         <submitButton text="Login" event="login"/>
        </contents>
       </pageButtonBar>
      </pageButtons>
     <contents>
    <tableLayout>
     <contents>
      <rowLayout>
       <contents>
        <messageTextInput name="username" prompt="Enter Name"/>
       </contents>
      </rowLayout>
      <rowLayout>
       <contents>
        <messageTextInput name="password" prompt="Enter Password" secret="true"/>
       </contents>
      </rowLayout>
     </contents>
     </tableLayout>
    </contents>
    </pageLayout>
  </contents>
  </form>
  ...Then in its Action class I have:
  public void onLogin(DataActionContext ctx)
      //ctx.getBindingContainer();
      HttpServletRequest r = ctx.getHttpServletRequest();
      String userName = r.getParameter("username");
      String password = r.getParameter("password");
      // username and password required
      if (userName.length()==0 || password.length()==0)
        ctx.setActionForward("loginFailed");
        return;
  try
        // Get handle to Application Module that "carries" Staff View
        DCDataControl dc = ctx.getBindingContext().findDataControl("AppModuleDataControl");
        ApplicationModule am = dc.getApplicationModule();
        // find the Staff view object that holds username and password
        ViewObject vo = am.findViewObject("StaffView1");
        //find user
        Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
        System.out.println(" I never get here!?!?!!!!!");
    catch (Exception ex)
        //Set Main Error Page here
        System.out.println(ex.toString());
        ctx.setActionForward("loginFailed");
        return;
  }Seems like Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
  is not properly executed?!?
  Anybody know what the problem is??? This is based on Frank's code sample that I found on forum.

• Ubuntu Karmic authentication against Snow leopard open directory server

  Hi,
  I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
  Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
  Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
  (I've changed the hostname and ldap url)
  /etc/ldap.conf has:-
  base dc=server,dc=domain,dc=com
  ldap_version 3
  rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
  bind_policy soft
  pam_password md5
  /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
  /etc/pam.d/common-passwd :-
  password sufficient pam_ldap.so md5
  password required pam_unix.so nullok obscure md5
  password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
  /etc/pam.d/common-auth:-
  auth [success=2 default=ignore] pam_unix.so nullok_secure
  auth [success=1 default=ignore] pam_ldap.so usefirstpass
  auth requisite pam_deny.so
  auth required pam_permit.so
  /etc/pam.d/common-account:-
  account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
  account [success=1 default=ignore] pam_ldap.so
  account requisite pam_deny.so
  account required pam_permit.so
  /etc/pam.d/common-session
  session [default=1] pam_permit.so
  session requisite pam_deny.so
  session required pam_permit.so
  session required pam_unix.so
  session optional pam_ldap.so
  session optional pamckconnector.so nox11
  Does anyone have any ideas where to go from here?
  Message was edited by: zebardy

  Hi
  It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
  You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
  An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
  Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
  http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
  Page 55 onwards.
  From Page 64:
  "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
  If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
  HTH?
  Tony

• Convert a web service which has userid/password hard coded......

  Hi,
  We have created a web service in our ECC 5.0 abap system. In SICF we hardcoded the userid/password, the web service works fine and can be called successfully to read the required data from SAP.
  Now we wish to change the process so that the users calling the web service have to pass their userid/password, now things don't work!!
  How do we change things around to the new format?
  Options we are considering are as follows:
  1) Change the function module so that it has import parameters of userid and password (don't think this will work!)
  2) Somehow update the wsdl file so that it includes userid/password, is this possible?
  3) SICF/wsconfig/wsadmin config, but don't know what to do though!!
  Any ideas anyone?
  Thanks.

  > Now we wish to change the process so that the users calling the web service have to pass their userid/password
  1. Do you want to have authorize access to webservice or,
  2. do you want to user supply user/password as a parameter within service.
  for 1st you don't have to do anything just goto SOAMANAGER transaction and select basic http authentication for service endpoint. Every user who want to access (even url of wsdl) need to supply user/password.
  for 2nd option you can integrate user/password field in FM but you need to include code which check and confirm if they are valid credential.
  Regards,
  gourav

• Logon failure with username/password authentication in WLE 5.1

  Hi,
  I have WLE 5.1 configured and running on a Win2K system. I am able to
  build and run the simpapp sample program. I am also able to build the
  interceptor_cxx sample and run with all interceptors other than the
  security interceptor. What I realised in this case was that the
  PersonQueryClient did not perform any login of a user from which the
  security interceptor could extract user ID information (have I missed
  something? I am a WLE and CORBA newbie) so I modified the ubb config
  file to define SECURITY as USER_AUTH and add the AUTHSVC, modified
  personqueryclientc.cpp to get access to the SecurityLevel2 principal
  authenticator, built the app, created a user with the tpussradd command,
  and ran the app (the AUTHSVC successfully starts).
  The Tobj::AuthType returned by the get_auth_type method of the
  PrincipalAuthenticator is Tobj::TOBJ_APPAUTH as I expect. I call the
  logon method with the parameters (user_name, argv[0], sys_password,
  password, 0) where user_name is the same as the user I created with the
  tpusradd command, argv[0] is personqueryclient (I've tried tpusradd'ing
  the user both with the "-c personqueryclient" argument and without),
  sys_password is the password I specified when tmloadcf was run against
  the modified ubb config file, password is the password I specified when
  I ran tpusradd. The logon always fails returning
  Security::SecAuthFailure. In the ULOGxxxx file the following message is
  displayed:
  181605.NUMBAT!TMSYSEVT.2180: LIBTUX_CAT:1484: WARN: .SysClientSecurity:
  User tbartley on SITE1 authentication failure
  I've tried running in the following manners all with the same result:
  1. With or without the security_cxx interceptor registered
  2. With the user in or not in a group
  3. With the the user created using the "-c personqueryclient" arg to
  tpusradd or not
  If I change the security level down to APP_PW then everything works and
  the security_cxx interceptor sees a client name of personqueryclient and
  a username of personqueryclient. The logon fails if I use a sys_password
  other than the one specified to tmloadcf and succeeds if I use the
  correct password.
  Can anyone tell me what I might be doing wrong in the username/password
  authentication case?
  Here's the code I inserted to personqueryc.cpp to perform the logon:
  // Get SecurityCurrent object
  CORBA::Object_var var_security_current_oref
  = bootstrap.resolve_initial_references("SecurityCurrent");
  SecurityLevel2::Current_var var_security_current_ref =
  SecurityLevel2::Current::_narrow(var_security_current_oref.in());
  // Get the principal authenticator
  SecurityLevel2::PrincipalAuthenticator_var
  var_principal_authenticator_oref =
  var_security_current_ref->principal_authenticator();
  char user_name[100] = "";
  char password[100] = "";
  char sys_password[100] = "";
  // Narrow to a BEA Principal Authenticator
  Tobj::PrincipalAuthenticator_var v_bea_pa =
  Tobj::PrincipalAuthenticator::_narrow(var_principal_authenticator_oref.in());
  // See what level of logon has been turned on
  Tobj::AuthType auth_type = v_bea_pa->get_auth_type();
  cout << "Auth type: ";
  switch (auth_type) {
  case Tobj::TOBJ_APPAUTH: cout << "TOBJ_APPAUTH"; break;
  case Tobj::TOBJ_SYSAUTH: cout << "TOBJ_SYSAUTH"; password[0] = '\0';
  break;
  case Tobj::TOBJ_NOAUTH: cout << "TOBJ_NOAUTH"; break;
  default: cout << "TOBJ_<unknown>"; break;
  cout << endl;
  cout << "Username: ";
  cin >> user_name;
  switch (auth_type) {
  case Tobj::TOBJ_APPAUTH: {
  cout << "User password: ";
  cin >> password;
  // fall through
  case Tobj::TOBJ_SYSAUTH: {
  cout << "App password: "; cin >> sys_password;
  break;
  default: {
  break;
  // now that we've got all the data necessary, logon
  Security::AuthenticationStatus status =
  v_bea_pa->logon(user_name,
  argv[0],
  sys_password,
  password,
  0); // user data
  cout << "Logon result: ";
  switch (status) {
  case Security::SecAuthSuccess: cout << "SecAuthSuccess"; break;
  case Security::SecAuthFailure: cout << "SecAuthFailure"; break;
  case Security::SecAuthContinue: cout << "SecAuthContinue"; break;
  case Security::SecAuthExpired: cout << "SecAuthExpired"; break;
  default: cout << "SecAuth<unknown>"; break;
  cout << endl;
  if (status != Security::SecAuthSuccess) {
  cerr << "Invalid password." << endl;
  exit(1);
  Here are the entries I added to the ubb config file:
  *RESOURCES
  SECURITY USER_AUTH
  AUTHSVC AUTHSVR
  *SERVERS
  AUTHSVR SRVGRP=SYS_GRP SRVID=6 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"
  I do not have the WLE Security Services installed (i.e. the package
  that provides SSL and crypto). Is this required? It's not clear to me
  from the documentation if this is required for username/password based
  authentication or not.
  Thanks for any help,
  Tim Bartley

  Hi Michael
  I am using SSL in my application. So that it asks for the certificate username
  and password while startup. But now i want to mention the username and password
  in weblogic.properties file itself. So that the client need not have to provide
  the username and password everytime. I am using weblogic server 5.1 version.
  How do i do this?
  Hope my question is clear. Please help.
  with regds
  siva
  Michael Young <[email protected]> wrote:
  Hi.
  It's not 100% clear to me what you are asking for. Do you want authentication
  turned off for
  your application? That will certainly turn off prompting for authentication
  information. You
  can set your ACL for your application (in your properties file) to allow
  everyone to execute
  it. Something like:
  weblogic.allow.execute.<myApplication>=everyone
  But maybe you want some kind of silent authentication so that not everyone
  can execute your
  app? I suppose you could pass authentication info in a cookie. I really
  don't know enough
  about your application, though.
  I suggest you post this question in weblogic.developer.interest.security
  - you have a better
  chance of getting an answer there for security related questions.
  Hope this helps.
  Michael
  siva wrote:
  Hi all,
  I have the following requirements. I have an application which asksfor the authentication
  information like username and password at first. The application isrunning in
  weblogic5.1 server. Is there a way where in weblogic.properties file,i mention
  the username and password so that the application will not ask forin the browser.
  please help. It's urgent.
  with regds
  siva--
  Developer Relations Engineer
  BEA Support

• ACS 5.1 Authentication against AD problem

  I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
  ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
  I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
  The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
  show logging application acs reveals the following:
  ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
  ying to reconnect.,ActiveDirectoryClient.cpp:2429
  ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
  led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
  ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
  ying to reconnect.,ActiveDirectoryClient.cpp:2429
  ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
  led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
  ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
  password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
  I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
  Any ideas on what might be the cause, and how I can fix this?
  Thanks!

  Hello,
  It is complicated to explain this rule but hopelly you will understand.
  I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
  Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
  To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
  Regards,
  Sebastian Aguirre

• Invalid userid/password message

  <p>We're using external authentication (Oracle), when the user'saccount is locked or expired, portal displays generic message"Invalid userid/password", we need to be able to tellthem why their login was denied so they can take the appropriateaction</p>

  <p>Chris,</p><p> </p><p>I too have looked into this since my apps too have theseissues.</p><p>I have checked all documentation and contacted hyperion supportand I havent found a way to do it.</p><p> </p><p>If we write custom logon pages and then pass thevariable(username/password) to hyperion products , then we shouldbe able to do it. I havent done it but it definitely isplausible.</p><p> </p><p>If you get it to work without writing custom logon pages, pleaselet me know too.</p><p> </p><p>Good Luck !</p><p>thanks</p>

• Hide UserID, Password, and Report Path when call Report from Report

  Hi,
  I have been able to call Report from Report using the hyperlink.
  I put these code in my Field on the Report caller.
  function F_3FormatTrigger return boolean is
    temp varchar2(2000);
  begin
    temp := 'http://<computer_name>:8889/reports/rwservlet?';
    temp := temp || 'server=repsrv' || '&' ||
                       'report=C:\MyReport\rep_detail.jsp' || '&' ||
                       'userid=scott/tiger@orcl' || '&' ||
                       'desformat=htmlcss' || '&' ||
                       'destype=cache' || '&' ||
                       'P_1=' || :ItemID || '&' ||
                       'P_2=' || :ItemName;
    SRW.Set_Hyperlink(temp);
    return (TRUE);
  end;The hyperlink showed, and I can see the rep_detail.jsp showed in the same browser after I clicked the hyperlink.
  The problem is, the hyperlink has to include the reports path and also userid and password.
  If I did not put the userid and password, it will showed in another browse that
  "The report has uncompiled PL/SQL"
  How can I hide those userid, password, and the reports path?
  BTW, Is there anyway to show the report callee in different page (precisely, open another IE) from the report caller?
  Any help would be grateful.
  Many thanks,
  Buntoro

  Hi,
  Thanks for the answers.
  Yet, I am still doubt about using cgicmd.dat.
  I have looked around in this forum saying that it is not secure to use cgicmd.dat. Because all report request does not use authentication (the client can directly open report without login).
  In Form, I can use the On-Logon to do the Oracle Form login (to do logon to the database), and then I use my own custom user login to restrict the menu for each user.
  I do this since I want to restrict the user,
  i.e user A can only view the sales form as well as sales report,
  user B can only view the purchasing form as well as purchasing report.
  Well, I am not so fond about the SSO itself.
  It comes to my mind, since I don't have to re-login (to the database) each time I call another form (login database is only once at the first Form, On-Logon). It also goes to when calling the report caller.
  What is RAD?
  How can we use it?
  Is OID = Oracle Internet Directory?
  If true, maybe, I won't use it since I don't understand about it also.
  Why we don't have to specify the userid and password when Form calls Report1 (using Run_Report_Object and Web.Show_Document())?
  But we have to specify the userid and password when Report1 calls Report2.
  Any help is appreciated.
  Many thanks,
  Buntoro

• External Authentication Against FND_USER Table

  About a month ago Paul Encarnation posted a question concerning external authentication. One to the methods being used was against the FND_USER table in Oracle Apps. I can see looking up the user account in FND_USER but what about the password? So if you are authenticating against the FND_USER table, please share how you are dealing with the password.
  Thanks.

  Hi,
  I have found the fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sue how I can integrate this.
  Sorry for being thick but this is what I'm trying to do.
  I have an application built in htmldb that I want to be accessable from the e-business suite applications main menu. I've set this up and a user can select it how ever I have no authentication so even though its not assigned to you you can still goto the app by just entering the url. So when a user goes to that htmldb app I want to check that they have that resp assigned to them, this can be done with the following
  select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
  where u.user_name = :APP_USER and u.user_id = ur.user_id
  and ur.responsibility_id = XXXX
  The two problems I have are:-
  If a user goings straight to the htmldb url I need to get them to log in and use the e-business suite login (we dont have SSO)
  Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
  I hope this makes sense.

• How can I tell if a user has already authenticated against AD?

  Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
  We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
  This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
  Any tips would be very welcome,
  Mark

  You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
  There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
  at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
  Good luck.

• ISE 1.2 - 24492 Machine authentication against AD has failed

  Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
  AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
  Machine authentication box is ticked.
  If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
  This happens on all computers, both WinXP and Win7 corporate builds.
  I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
  Anybody got any ideas?
  thanks.

  24492
  External-Active-Directory
  Machine   authentication against Active Directory has failed
  Machine   authentication against Active Directory has failed.
  Error
  Please check NTP is in sync or not  ISE