Anyconnect - NTLM authentication on internal website

Hi..
I'm setting up a portal on the ASA - and I need the users to access an internal site with NTLM authentication.
They all share the same password - but we need it to be single sign on.
I can't get it working with the post codes..
I have been looking with Live HTTP Headers in Firefox - but no help.
Any hints???
Best regards
Tue

Hi Jesper,
the ~HTTP_REMOTE_USER was set by the NTLM PAS module. PAS is a proprietary add-on for ITS 6.20 provided by SAP to allow external authentication via PAS modules. With NetWeaver 2004 the integrated ITS no longer has anything to do with authentication. This is done by the WebAS. WebAS does not support PAS but provides a similar technique called JAAS (Java Authentication and Authorization Service) which, other than SAP PAS, is an industrial standard. SAP Note 858138 points to SAP documentation, TechEd sessions and e-learning. I would suggest that you use this note as a starting point. I assume there is an NTLM JAAS module available but have no further information about it. Maybe this module passes the user ID to the called service.
Best regards,
Klaus

Similar Messages

  • ASA 8.2(1) WEBVPN ntlm authentication with internal sharepoint problem

    I have added an internal SharePoint site as an SSL VPN bookmark and set up all required permissions, but after the user enters his credentials in the web authentication form, the connection with the server is reset. When I used Wireshark to sniff the traffic from the ASA to the SharePoint server, I found that the ASA does not send NTLMSSP_AUTH, User request.

    Hi Oscar,
    That's the reason why I requested that information.
    Remember that we strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
    For instance the release notes doc for 8.2.x does mention SharePoint 2007, but not 10. On the other hand, the specific release notes for 8.2.5 include information about 2010, please be aware of this bug:
    CSCtn99416
    WebVPN: Dropdown menu doesn't work in customized SharePoint 2010
    I am glad to know you fixed the issue by upgrading the ASA to 8.2(5).
    Please mark this post as answered and rate any helpful posts
    Portu
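
The symptom in this thread (the handshake stops before the NTLMSSP_AUTH message is sent) can be confirmed from captured HTTP headers. The following is an added example, not code from the thread or from Cisco: it decodes the NTLM tokens in `WWW-Authenticate` / `Authorization` header values and reports which handshake message is missing. The sample messages, the names CORP, jdoe and WS01, and all function names are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # set when strings in the message are UTF-16LE


def read_field(msg, offset):
    """Follow a (Len, MaxLen, BufferOffset) descriptor to the bytes it names."""
    length, _max_len, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[start:start + length]


def parse_ntlm_header(value):
    """Decode one WWW-Authenticate / Authorization header value that uses NTLM."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token.strip():
        return {"type": "OFFER"}  # bare "NTLM": the server's initial 401
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2 and len(msg) >= 32:
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        nt_len = len(read_field(msg, 20))
        info["domain"] = read_field(msg, 28).decode(enc)
        info["user"] = read_field(msg, 36).decode(enc)
        info["workstation"] = read_field(msg, 44).decode(enc)
        # A 24-byte NT response is the NTLMv1 family; NTLMv2 responses are longer.
        info["response"] = ("NTLMv1" if nt_len == 24
                            else "NTLMv2" if nt_len > 24 else "none")
    return info


def diagnose(header_values):
    """Report the first handshake message missing from an ordered capture."""
    seen = [parse_ntlm_header(v)["type"] for v in header_values]
    for step in ("NEGOTIATE", "CHALLENGE", "AUTHENTICATE"):
        if step not in seen:
            return "stalled: no %s message seen" % step
    return "complete"


# --- Constructed sample messages (zero-filled responses, not a real capture) ---
def build_type1():
    return SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE) + bytes(16)


def build_type2(challenge):
    empty = struct.pack("<HHI", 0, 0, 48)
    return (SIGNATURE + struct.pack("<I", 2) + empty
            + struct.pack("<I", NEGOTIATE_UNICODE) + challenge + bytes(8) + empty)


def build_type3(domain, user, workstation, nt_response):
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    blobs = [bytes(24), nt_response] + strings + [b""]
    fields, payload = b"", b""
    for blob in blobs:  # LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return (SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")


STALLED = ["NTLM", header(build_type1()), header(build_type2(bytes(range(8))))]
COMPLETE = STALLED + [header(build_type3("CORP", "jdoe", "WS01", bytes(64)))]

if __name__ == "__main__":
    print(diagnose(STALLED))
    print(diagnose(COMPLETE), parse_ntlm_header(COMPLETE[-1]))
```

Feed `diagnose` the NTLM header values in the order they appear in the capture, server and client combined.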

  • Firefox asks for passwords on internal websites on apple mac

    Good afternoon,
    We have been configuring Firefox to work with our AD integrated network. On a PC we can use network.automatic-ntlm-auth.trusted-uris and that works fine.
    Now, using my Apple Mac, I use the same settings and my internal website keeps asking me for authentication.
    http://support.mozilla.com/en-US/kb/Firefox%20asks%20for%20user%20name%20and%20password%20on%20internal%20sites
    I am using Firefox 5.0, but I had the same problem whilst using Firefox 4 and also 3.

    Do you mean names and passwords in the Password Manager or do you mean that you are no longer logged on to (remembered by) websites after closing and restarting Firefox?
    There is a difference between remembering the name and password in the Password Manager and a "remember me" check box on a web page.
    The latter usually involves the creation of a special "remember me" cookie that is stored on your computer and that is sent to the server.
    If that "remember me" cookie is removed or gets corrupted or is not sent to the server then the server won't remember you and you need to sign in once again.
    * http://kb.mozillazine.org/Websites_report_cookies_are_disabled (Other Solutions)
    If Firefox doesn't offer to store passwords in the Password Manager then check that you aren't running Firefox in Private Browsing mode.
    Websites remembering you and automatically logging you in is stored in a cookie.
    * Create an allow cookie exception (Tools > Options > Privacy > Cookies: Exceptions) to keep such a cookie, especially for secure websites and if cookies expire when Firefox is closed.
    Make sure that you do not run Firefox in Private Browsing mode.
    * https://support.mozilla.com/kb/Private+Browsing
    * In Private Browsing mode all cookies are session cookies that expire if that session is ended, so websites won't remember you.
    * In Private Browsing mode Firefox won't fill names and passwords automatically and won't offer to store new passwords.
    * Do not use Clear Recent History to clear the "Cookies" and the "Site Preferences"
    Clearing "Site Preferences" clears all exceptions for cookies, images, pop-up windows, software installation, and passwords.

  • Allow internal websites from multiple domains

    My workplace has multiple internal domains and would like to know how to allow Firefox for all internal websites to use NTLM authentication.
    The idea is not to keep setting NTLM about:config entry for each and every internal site getting added.
    Regards,
    Jwalant

    How to set a preference in Firefox that will pass the NTLM authentication information to a web server. The preference is network.automatic-ntlm-auth.trusted-uris.
    In order to change your Firefox configuration please do the following steps:
    1. In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
    2. Click "I'll be careful, I promise!" to continue to the about:config page.
    3. Change the preference.
    If your network does not use SSO it is also possible to try this add-on: https://addons.mozilla.org/en-us/firefox/addon/integrated-auth-for-firefox/
    Another solution: http://superuser.com/questions/594049/how-to-enable-ntlm-for-all-intranet-sites-in-firefox

  • Public-facing on-premises SharePoint with NTLM authentication

    I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
    Assume I set up a web application with Classic NTLM authentication. On that web application I enable Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see published content only i.e. content which is permitted to anonymous users.
    My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
    Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?

    There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
    I would have a dedicated DC to manage service accounts.
    I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
    proxy/firewall -- SP Server -- Firewall -- SQL/DC
    For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
    Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
    While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
    Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
    With the ADFS method, when you update documents your user name is still tagged to content - however, if you don't populate the user profiles this will be the only information available about any internal user.
    You may even want to go a step further and, when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy you may even be able to configure some pre-authentication for your internal users before they can even reach the internal SharePoint pages.
    I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that; when it works it's great, but when it doesn't it's a PITA to get back in sync). With cross site publishing you have an editing site and the publishing site pulls from the Search index, and the permissions are completely separate.

  • How to do HTTP getRequest() with windows NTLM authentication from OBPM..??

    Hello All,
    Please share your expert ideas on how we can do HTTP getRequest() with Windows NTLM authentication from OBPM?
    I am not even sure whether it's possible or not; if not, what could be the alternative way to do integration with MS SharePoint?
    Version : Oracle BPM v 10.3.1
    Cheers
    Parveen Jaswal

    You are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
    I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC.

  • Will there be a fix for Firefox's problems with Hotmail. I have gone back to 3.5.9 but mostly I am disappointed by the lack of action on this serious problem where a major and critical feature of a major international website is unavailable in the Firefox

    Will there be a fix for Firefox's problems with Hotmail. I have gone back to 3.5.9 but mostly I am disappointed by the lack of action on this serious problem where a major and critical feature of a major international website is unavailable in the Firefox browser.
    == URL of affected sites ==
    http://www.hotmail.com

    We've reached out to the Hotmail team and they've determined that this is a bug in their code. (It was masked by a timing issue in 3.5 that was fixed in 3.6.) We've worked with them to develop a fix but they may not have deployed it yet.

  • Invoking a Web Service that Requests NTLM Authentication in BPEL Process

    Hi,
    I am trying to invoke a web service which requires NTLM authentication. I am able to test the service through SoapUI.
    I followed the steps mentioned in the Oracle doc in order to invoke the same service through a BPEL Process, but somehow I am facing an issue when BPEL invokes the service. Here is the error message:
    oracle.fabric.common.FabricException: oracle.fabric.common.FabricException: Error in getting XML input stream: Response: '401: Unauthorized' for url:
    Oracle doc link  :-
    http://docs.oracle.com/cd/E28280_01/admin.1111/e10226/soacompapp_secure.htm#BABJEBIF
    http://www.albinsblog.com/2014/04/oraclewebservicespreemptivebasicauth.html#.VK5UEiuUeFM
    The above link discuss about the properties that need to be set in composite.xml file in order to invoke the service.
    I am using SOA 11.1.1.6 and tried to implement the same steps, but I could see the error message "Unauthorized for url ********** "
    Could you please help me on this.
    Thanks

    Hi Guys ,
    Got to know that this is a bug. Somehow the following link helps in sending the payload to a web service which requires NTLM authentication through Java.
    Thoughts Oracle SOA OSB: NTML Authentication - Oracle SOA suite
    Thanks

  • Windows NTLM Authentication on SAP 4.6c (Platform AIX)

    I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
    My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
    I need to implement single sign on for SAP integrated application.
    As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory  id as external id in connection string. All transaction should run with external user id context.
    Can someone help me with following question.
    1. Does NTLM trust relationship / authentication work on SAP running on AIX? Or do I have to set up Kerberos authentication?
    2. What SNC library needed for SAP (AIX instance)?
    3. How can I configure NTLM authentication on SAP (AIX instance) The NCo 2.0 documents only explains SAP (MS instance) configuration.
    What option do I have to get Single Sign On working?
    Any help is highly appreciated.
    Regards and Thank you in advance.

    > Hi Reiner,
    > Thank you very much for response, this is helpful
    > information.
    If you consider an answer as helpful, please mark it with the button on the left side :-).
    > My options are pretty much limited,
    > I can't use NTLM since, AIX will not accept trust
    > -- NTLM Auth will not work with AIX
    > -- Kerberos auth have to have third party tool like
    > CyberSafe for SNC trust relationship.
    As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
    > I planning to try using SSO as mentioned in "Enabling
    > Single Sign-On for ASP.NET Applications in Enterprise
    > Portal 6"
    > Is this approach works with EP 5.0?
    This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with MYSAPSSO2 ticket.
    > If any one has "sapsecu.dll" please send me at
    > [email protected] with same size as stated in
    > this document.
    This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.
    > My SSO ticket did not get created after following
    > steps in document, I am suspecting either sapsecu.dll
    > or veryfy.pse is wrong?
    Did you find a MYSAPSSO2 cookie in the request?

  • Ntlm authenticated apps fails after 3.1.1 upgrade

    I upgraded my apex instance to 3.1.1 on Friday without any issues. I can log into application builder without any problems and the version 3.1.1.00.09.
    Everything in app builder works as expected. However, when I try to run my NTLM authenticated application, I get errors and the page fails to load.
    Furthermore, this only happens on my 11g database.
    The exact same app, using the same NTLM authentication works just fine on 10g.
    The Apache errors log states:
    mod_plsql: /pls/apex/f HTTP-404 ORA-03113: end-of-file on communication channel\n
    mod_plsql: Unable to reset state for mode 0: Err 3114 url=>/pls/apex/f
    I have PlsqlErrorStyle DebugStyle set, so the page returns a fair amount of data.
    Wed, 28 May 2008 14:07:17 GMT
    ORA-03113: end-of-file on communication channel
      DAD name: apex
      PROCEDURE  : f
      URL        : http://ecydblcyorwqt03.ecy.wa.lcl:80/pls/apex/f?p=127:51:339228564056494:::::
      PARAMETERS :
      ===========
      p:
       127:51:339228564056494:::::
    There are no invalid objects in the FLOWS schema and the page sentry function I use for NTLM is also valid.
    There isn't a database connection issue since both builder and SQL Plus works.
    Here is my NTLM Page Sentry which is a slightly modified version of the GreenIT version
    CREATE OR REPLACE FUNCTION modNtlmPageSentry(pApexUser IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
    RETURN BOOLEAN
    IS
      vAuthenticatedUsername  VARCHAR2(512);
      vCurrentSessionId       NUMBER;
      l_cnt binary_integer :=0;
    BEGIN
      -- Get Authenticated User.
      vAuthenticatedUsername := UPPER(owa_util.get_cgi_env('REMOTE_USER'));
      vAuthenticatedUsername := substr(vAuthenticatedUsername,instr(vAuthenticatedUsername,'\')+1);
      if to_char(v('APP_ID')) = '127' -- WebWPLCS
      then
           apex_util.set_session_state('P18_USERNAME',vAuthenticatedUsername);
      elsif to_char(v('APP_ID')) = '124' --TMS
      then
      -- check to see if they are a listed TMS manager or overall admin
          select sum(cnt) into l_cnt
          from (
               select count(0) cnt
               from tms_managers
               where username=vAuthenticatedUsername
               union
               select count(0) cnt
               from tms_admin
               where username=vAuthenticatedUsername
               union
               select count(0) cnt
               from web_admin
               where username=vAuthenticatedUsername
          );
          if l_cnt < 1
          then
         return FALSE;
          end if;
      end if;
      -- Check to ensure that we are running as the correct database user.
      IF USER ^= UPPER(pApexUser) THEN
        RETURN FALSE;
      END IF;
      IF vAuthenticatedUsername IS NULL THEN
        RETURN FALSE;
      END IF;
      -- Get SessionId.
      vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
      -- Check Application Session Cookie.
      IF wwv_flow_custom_auth_std.is_session_valid THEN
        apex_application.g_instance := vCurrentSessionId;
        -- Check Authenticated User --> Username from wwv_flow_session$ for
        --   current Session.
        IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
          wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
            p_session_id => vCurrentSessionId);
          RETURN TRUE;
        ELSE
          -- Unset the Session Cookie and redirect back here to take other branch.
          wwv_flow_custom_auth_std.logout(p_this_flow => v('FLOW_ID'),
            p_next_flow_page_sess => v('FLOW_ID') || ':' || NVL(v('FLOW_PAGE_ID'), 0)
            || ':' || vCurrentSessionId);
          -- Tell Apex Engine to quit.
          apex_application.g_unrecoverable_error := TRUE;
          RETURN FALSE;
        END IF;
      ELSE
        -- Application Session Cookie not valid --> Define a new Apex Session.
        wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
          p_session_id => wwv_flow_custom_auth.get_next_session_id);
        -- Tell Apex Engine to quit.
        apex_application.g_unrecoverable_error := TRUE;
        IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET'  THEN
          wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
            wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
        ELSE
          wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
            TO_CHAR(apex_application.g_flow_id) || ':' ||
            TO_CHAR(NVL(apex_application.g_flow_step_id, 0)) || ':' ||
            TO_CHAR(apex_application.g_instance));
        END IF;
        -- Register the Session in Apex Sessions Table, set Cookie, redirect back.
        wwv_flow_custom_auth_std.post_login(p_uname => vAuthenticatedUsername,
          p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id
          || ':' || NVL(apex_application.g_flow_step_id, 0));
        RETURN FALSE;       
      END IF;   
    END modNtlmPageSentry;
    Does anyone have any ideas on where to look next?
    Regards, Tony
    Update
    For kicks, I added the page sentry function to the list in the wwv_flow_epg_include_mod_local function.
    I bounced both the HTTP Server and the database.
    None of these actions solved the problem.

    Joel -
    The alert log states that there is a 7445 error now from Apache
    host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123' module='Apache.exe'
    pid='416'>
    <txt>Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x0] [PC:0x69A2AB3, _pfrinstr_BRNCCOND()+39]
    msg_id='1422874948' type='INCIDENT_ERROR' group='Access Violation'
    level='1' host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123'
    prob_key='ORA 7445 [pfrinstr_BRNCCOND()+39]' upstream_comp='' downstream_comp=''
    ecid='' errid='12252' ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
    The trace file just states the same 7445 error:
    ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
    The incident trace file states that the current SQL was:
    ----- Current SQL Statement for this session (sql_id=bng4udk9mvtsh) -----
    declare function x return boolean is begin
    return mergedwplcs.modNtlmPageSentry; return false; end;
    begin
    wwv_flow.g_boolean := x; end;
    ----- PL/SQL Stack -----
    ----- PL/SQL Call Stack -----
      object      line  object
      handle    number  name
    2B6ACD34      1020  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
    2B6ACD34       662  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
    2B6BB44C        59  function MERGEDWPLCS.MODNTLMPAGESENTRY
    2B6BBD1C         2  anonymous block
    2B6BBD1C         4  anonymous block
    2B6BC674      1815  package body SYS.DBMS_SYS_SQL
    2B6BD29C       296  package body SYS.WWV_DBMS_SQL
    2B70B5D0      1352  package body FLOWS_030100.WWV_FLOW_SECURITY
    2B70B5D0      1158  package body FLOWS_030100.WWV_FLOW_SECURITY
    2B71BA2C      8847  package body FLOWS_030100.WWV_FLOW
    2B72FB04       255  procedure FLOWS_030100.F
    2B7E4F1C        31  anonymous block
    Which makes sense given that I was trying to log into the application. All of these functions and packages are valid.

  • Event ID 6038 LsaSrv NTLM authentication warning

    Searching the internets we haven't found any other references to this particular Event ID Warning message. 
    It's likely new in Windows Server 2012. We are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain).
    Clicking on the URL in the Description of the Event ID just link to a ‘Windows Server Future Resources’ placeholder page. 
    The full Event ID is pasted in below.
    We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. 
    How are these tasks accomplished on Windows Server 2012 Domain Controllers? 
    Thanks in advance for any help! 
    Log Name:      System
    Source:        LsaSrv
    Date:          12/27/2012 6:00:01 PM
    Event ID:      6038
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      <server FQDN>
    Description:
    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
    NTLM is a weaker authentication mechanism. Please check: 
          Which applications are using NTLM authentication?
          Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
          If NTLM must be supported, is Extended Protection configured? 
    Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

    Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
    I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. 
    It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. 
    So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 
    Auditing and restricting NTLM usage guide
    http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
    Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
    This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.
    With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.
    This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.
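
One way to start on the event's first question ("Which applications are using NTLM authentication?") is to tally NTLM logons per account and source host. This is an added example, not taken from the thread or from the TechNet guide: it assumes Security log event 4624 records (which the thread does not mention) have been exported as XML under a root element named Events, and the sample events, account names and host names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sample_event(event_id, user, package, lm_package, workstation):
    """Build one constructed event in the Windows event XML layout."""
    data = {"TargetDomainName": "CORP", "TargetUserName": user,
            "AuthenticationPackageName": package, "LmPackageName": lm_package,
            "WorkstationName": workstation}
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, body))


# Constructed sample export: two NTLMv2 logons, one NTLMv1, one Kerberos, one logoff.
SAMPLE_EXPORT = "<Events>" + "".join([
    sample_event(4624, "alice", "NTLM", "NTLM V2", "WS01"),
    sample_event(4624, "alice", "NTLM", "NTLM V2", "WS01"),
    sample_event(4624, "svc_scan", "NTLM", "NTLM V1", "OLDPRN"),
    sample_event(4624, "bob", "Kerberos", "-", "WS02"),
    sample_event(4634, "alice", "-", "-", "WS01"),
]) + "</Events>"


def ntlm_logons(xml_text):
    """Return (account, workstation, LmPackageName) for each NTLM logon (4624)."""
    rows = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text or ""
                for d in event.findall("e:EventData/e:Data", NS)}
        if data.get("AuthenticationPackageName", "").strip().upper() != "NTLM":
            continue  # Kerberos and Negotiate-to-Kerberos logons are not of interest
        account = data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", "")
        rows.append((account, data.get("WorkstationName", ""),
                     data.get("LmPackageName", "")))
    return rows


def summarize(rows):
    """Count logons per (account, workstation, NTLM version), busiest first."""
    counts = Counter(rows)
    return sorted(((a, w, lm, n) for (a, w, lm), n in counts.items()),
                  key=lambda r: (-r[3], r))


def ntlmv1_sources(rows):
    """Accounts and hosts still using NTLMv1, the first candidates to fix."""
    return sorted({(a, w) for a, w, lm in rows if lm.strip().upper() == "NTLM V1"})


if __name__ == "__main__":
    logons = ntlm_logons(SAMPLE_EXPORT)
    for account, host, version, count in summarize(logons):
        print("%-16s %-8s %-8s %d" % (account, host, version, count))
    print("NTLMv1 sources:", ntlmv1_sources(logons))
```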

  • Re: How to enable NTLM authentication in OSB???

    Hi all,
    We have the same problem trying to integrate OSB with an asmx service that uses NTLM.
    We tried an alternative: we created the artifacts of the asmx service using wsimport and created a little Java project using these artifacts. We also added a class with a static method in this project in order to be used by the OSB Java callout mechanism. When this project is used standalone (through Eclipse) it works fine and, as the environment is Windows Server, it automatically sends the credentials of the user that is logged on to the Windows domain. On the other hand, when we deploy this Java project in OSB as a jar for callout we receive: Response: '401: Unauthorized' exactly at the point that the produced artifact class invokes the constructor of javax.xml.ws.Service in order to create an instance of the service.
    Can it be the same problem stated by 830428?
    The stack trace:
    com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:172),
      com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153),
      com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187),
      weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:73),
      weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:515),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:103),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:95),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:71),
      javax.xml.ws.Service.<init>(Service.java:56),
      org.tempuri.EDoc.<init>(EDoc.java:46),
    after that (actually before) is just our code which calls the  @WebServiceClient Class (the local artifacts which are used to call the actual web service).

    Kuppusamy.V.,
    We experienced the same issue as you and managed to find a solution to the problem.
    The OSB does not support NTLM authentication, so you are quite correct in stating you must write a Java class and use a Java callout from an OSB Proxy Service.
    Our Java class worked fine from the Unix commandline, but failed when deployed to the OSB and invoked by the proxy service with the dreaded '401 Unauthorised' error.
    On closer inspection, the proxy service stack trace revealed:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx' at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    We noticed that the exception was being thrown from the WebLogic 'weblogic.net.http.HttpURLConnection' class and not the Sun 'java.net.HttpURLConnection' as we expected (and our Java code explicitly imported)!
    We couldn't understand why a different HTTP handler was being invoked, but it got us thinking. And thinking. And raising an Oracle support ticket. And waiting.
    Tired of waiting, we revisited the problem and chanced across the Javadoc for the 'java.net.URL' class and noticed one of the constructors allows you to specify a HTTP handler!
    Instead of opening our URL with this typical usage:
    URL url = new URL(yourURL);
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    We used:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    And, hey presto!, it worked a treat.
    And we closed the Oracle service ticket. And stopped waiting :)
    Regards,
    Jerome
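
The check below is an added example, not code from Jerome's post or from Oracle: without sending a request, it reports which `HttpURLConnection` implementation the default handler lookup returns and which one the pinned `sun.net.www.protocol.http.Handler` returns. The class name `HttpHandlerCheck` and the sample URL are assumptions; on current JDKs the internal handler class needs `--add-exports java.base/sun.net.www.protocol.http=ALL-UNNAMED` to compile and run.

```java
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;

public class HttpHandlerCheck {

    // JDK-internal handler named in the post. It is not a supported API, so
    // pinning it ties the code to one JDK vendor and version.
    static URLStreamHandler jdkHandler() {
        return new sun.net.www.protocol.http.Handler();
    }

    // Connection class chosen by whatever handler the runtime (JVM or
    // application server) has registered for "http".
    static String defaultImpl(String spec) throws Exception {
        URLConnection c = new URL(spec).openConnection(); // no network I/O yet
        return c.getClass().getName();
    }

    // Connection class when the handler is passed explicitly, as in the post.
    static String pinnedImpl(String spec) throws Exception {
        URLConnection c = new URL(null, spec, jdkHandler()).openConnection();
        return c.getClass().getName();
    }

    // True when the container has substituted its own http implementation.
    static boolean handlerReplaced(String spec) throws Exception {
        return !defaultImpl(spec).equals(pinnedImpl(spec));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URL; pass the real endpoint as the first argument.
        String spec = args.length > 0 ? args[0]
                                      : "http://intranet.example/default.aspx";
        System.out.println("default lookup : " + defaultImpl(spec));
        System.out.println("pinned handler : " + pinnedImpl(spec));
        if (handlerReplaced(spec)) {
            System.out.println("The container supplies its own http handler; "
                + "authentication behaviour may differ from a stand-alone JVM.");
        }
    }
}
```

Run it once from the command line and once from inside the container (for example from the callout class): differing class names on the first line confirm the handler substitution described in the post.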

  • Setting up an external content type without having to change it to NTLM authentication?

    Referring to: https://www.kenplaysviola.com/content/sharepoint2010-business-connectivity-path-unavailable
    and tested to be true. However, I have a site that I am not using NTLM - is there a way around this??? 

    Hi,
    Based on your description, my understanding is that you can’t set up an external content type with a Basic authentication web application.
    What errors have you got?
    I have done a test in my SharePoint: when I opened a Basic authentication site with SharePoint Designer, I got the error
    “Access to this web server is disabled by default because it is controlled by basic authentication and doesn't use SSL…”.
    But I could create an External List in the Basic authentication site successfully. I set up an external content type with an NTLM authentication site. Then I created an External List in the Basic authentication site which referred to the existing external content type, and it worked fine.
    So if you don’t want to change your web application to NTLM authentication, try to create another web application with NTLM authentication, then create a site collection and create an external content type, and lastly create an External List in the Basic authentication site referring to the existing external content type in the NTLM authentication site.
    Also, here is a blog about "Access denied by Business Data Connectivity"; you can take a look at:
    http://blogs.msdn.com/b/ericwhite/archive/2010/06/11/access-denied-by-business-data-connectivity.aspx
    Best Regards,
    Lisa Chen

  • Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

    Hi Folks,
    I am trying to access Microsoft Reporting Service running on IIS 6.0 through a web proxy (a simple application running in an app server) using NTLM authentication. This is what I am doing:
    Authenticator.setDefault(new ReportAuthenticator());
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    As I understand it, the authentication is to magically work with the IIS server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
    However, this is not happening at the moment. The Authenticator object never gets invoked and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS and, since my account has sufficient privileges on IIS, I am able to get through the initial connection.
    When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
    Is the Authenticator object meant to be invoked automatically or do I need to set some header information in the urlConnection?
    Any help is greatly appreciated.
    P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
    best regards
    Dushy

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • ClassNotFound error when loading applet from a NTLM authenticated  site

    Hi,
    I wrote a Java applet, put it into a JAR file and signed the JAR file. It works fine if the user doesn't need to be authenticated. However, when I place the same JAR on a site that uses NTLM (NT challenging) authentication, the applet fails to load and returns a ClassNotFound exception. Does anyone know why?
    The following is the complete error message:
    java.io.IOException: Server returned HTTP response code: 401 for URL: http://unibox.MySite.com/fileupload/FileUpload.jar
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:697)
         at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:369)
         at sun.net.www.protocol.http.HttpURLConnection.getHeaderFields(HttpURLConnection.java:1139)
         at sun.plugin.net.protocol.http.HttpURLConnection.checkCookieHeader(HttpURLConnection.java:330)
         at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:367)
         at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
         at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
         at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
         at sun.plugin.cache.JarCache.get(JarCache.java:177)
         at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
         at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
         at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
         at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
         at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
         at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
         at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
         at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
         at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
         at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
         at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
         at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
         at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
         at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
         at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
         at sun.applet.AppletPanel.run(AppletPanel.java:290)
         at java.lang.Thread.run(Thread.java:536)
    load: class FileUpload.class not found.
    java.lang.ClassNotFoundException: FileUpload.class
         at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:151)
         at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
         at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
         at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:478)
         at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
         at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
         at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
         at sun.applet.AppletPanel.run(AppletPanel.java:290)
         at java.lang.Thread.run(Thread.java:536)
    Caused by: java.io.IOException: open HTTP connection failed.
         at sun.applet.AppletClassLoader.getBytes(AppletClassLoader.java:224)
         at sun.applet.AppletClassLoader.access$100(AppletClassLoader.java:40)
         at sun.applet.AppletClassLoader$1.run(AppletClassLoader.java:141)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:138)
         ... 10 more

    It appears that the latest JVM plugins use Java to get the archive files instead of using the browser to download the archive files.
    In addition, Sun does not support NTLM authentication; because of this the latest JVMs are unable to download the jar file containing the applet.
    I have been working on finding a way to replace Sun's HTTP handler, but have had no luck with setting the java.protocol.handler.pkgs for the plugin and having it retain the setting.
    I have achieved partial results using the appletviewer with -J-Djava.protocol.handler=com.nogoop
    You might try taking a look at http://www.nogoop.com
