ASA 5580-20 Security Contexts

Hi,
   How many Contexts can a Cisco ASA 5580-20 provide? I have seen that it is up to 250. Can someone confirm that?
Please do tell me about the licensing part for the same. How many of them come as default with the box and what are the license conditions/specifications for additional contexts? Is it one extra license for every context?
Rgds
Rajesh

Hi Rajesh,
Please refer to this URL link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/license/license82.html
Security Contexts: 2
Optional licenses: 5, 10, 20, 50
Let me know if this answers your query.
Thanks and Regards,
Vibhor

Similar Messages

  • Prime Infrastructure 2.1 ASA5580- Security Context Partial Collection Failure

    I am attempting to add my ASAs into prime but get stuck almost instantly after adding the new device. Prime is able to get the device name and Device type (Cisco ASA-5580 Adaptive Security Appliance Security Context) Admin status shows up as Managed but Inventory Collection Status shows up as "Partial Collection Failure" For more detail it says "feature_image_firewall Unexpected error. See the log file inventory.log for details."
    The only failure in inventory.log I could find was
    [2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other features: com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    [2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [ice] [ERROR] - com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
    As far as the ASA config goes:
    snmp-server enable
    snmp-server host management 192.168.10.27 community c!$c0PR!me version 2c
    logging enable
    logging history 7
    snmp-server enable traps
    The above config works on our ASA5520s except I still haven't set up the traps right because there isn't any useful information on those devices so I am not sure what I need to change?

    My ASA is using DH 1.
    For 9.2(1) I read this in the release notes.
    Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.

  • Upgrading license for more context cisco asa 5580

    Hi guys:
    This is the situation: I got two firewalls with failover and I need to upgrade the license so I can get more contexts (right now I have 5 contexts and I need 10), so I was looking at the procedure and I'm not sure if I need to restart the device or not. I was looking at this procedure:
    Upgrading the License for a Failover using ASDM (No Reload Required)
    Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
    1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.
    2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.
    3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
    4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
    5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
    6. Click Apply. This completes the procedure.
    link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml#norelasdm
    But then I checked on the cisco web page that there are some license that need to reload I see this:
    All models
    Downgrading any license (for example, going from 10 contexts to 2 contexts).
    Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
    link: https://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html
    So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
    Regards

    No reload is required when you are upgrading from 5 to 10 security context license.
    Reload is only required on the following feature:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1361750
    Hope this helps.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi context ASA in the 9.x release?
    6) What are the IPv6 Enhancements in the ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • Cisco asa security context active/active failover

    Hi,                  
    I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
    Each ASA appliance will have two security context named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
    I am reading a book on failover configuration in active/active, and in that the below note is mentioned.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case, can the shared interface be used in failover group 1 & 2?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?

    Hello,
    I have an ASA 5580, I am planning on setting two EtherChannels (inside and outside), each channel will include two TenGigabit interfaces.
    My question is whether the links that I am going to use for the failover and link should also be 20Gbs each, or is it ok to use 10Gbs for each link?
    According to the Configuration guide 8.4
    Use the following failover interface speed guidelines for the ASAs:
    • Cisco ASA 5510
    – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
    • Cisco ASA 5520/5540/5550
    – Stateful link speed should match the fastest data link.
    • Cisco ASA 5580/5585
    – Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.
    Thanks in advance

    Hi,
    I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
    I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?
    Option 1:
    2x10GE = 20GE Etherchannel for Data
    1x1GE LAN Failover
    1x1GE STATE Failover
    Option 2:
    1x 10GE Data
    1x 10GE LAN & STATE Failover
    Option 3:
    2x10GE = 20GE Etherchannel for Data
    4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
    (etherchannel for LAN/STATE Failover actually does not make much sense, since only one interface will be used anyway)
    Option 4:
    1x10GE LAN & STATE Failover
    8x1GE = 8 GE Etherchannel for Data
    I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
    What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
    The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
    Thanks in advance for your feedback!

  • Licensing -Security Contexts on ASA5585-X

    All,
    I have a customer with 2 ASA 5585-X and they are looking at running a total of 20 Security contexts in failover mode on these two firewalls. From a licensing perspective, Can I get 10 security contexts on each of these firewalls and that gives me a cumulative context number of 20.I am not sure though if I will be able to run all 20 contexts in failover mode on both firewalls.
    This is the document I am reading but not very clear.
    http://www.cisco.com/en/US/docs/security/asa/asa90/license/license_management/license.html#wp1345944
    Thanks

    Hi,
    If you want to split the 20 Security Contexts between 2 different ASAs then you are looking at configuring an Active/Active Failover environment.
    If you want all Security Contexts to be Active only on one physical ASA at a time (while the other is there to take over when the main one fails) then you are looking at configuring an Active/Standby Failover environment.
    So in other words
    Each unit's 10 Security Context license will be combined between the units
    You can either use 20 Security Contexts on a single physical unit at a time in Active/Standby
    OR you can divide the 20 Security Contexts between the 2 Physical ASAs in Active/Active. For example 10 Active in ASA1 and 10 Active in ASA2
    Also here's a partial quote from the Cisco document
    Failover License Requirements and Exceptions
    Failover units do not require the same license on each unit.
    Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
    How Failover or ASA Cluster Licenses Combine
    For failover pairs or ASA clusters, the licenses on each unit are combined into a single running cluster license. If you buy separate licenses for each unit, then the combined license uses the following rules: For example, for failover: You have two ASA 5540 ASAs, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, the contexts are divided between the two units. One unit can use 18 contexts and the other unit can use 12 contexts, for example, for a total of 30.
    - Jouni

  • Cascading Security Contexts

    Hi..
    Does anybody know how to configure Cascading Security Contexts in Cisco ASA? How does it work?
    Any step by step configure?
    Thanks...

    Hello Luis,
    That document is rather sparse when it comes to detailed information on Cascading contexts.  Are there any documents that go into more details?
    In particular I am looking for packet processing information. If you have multiple contexts that have their outside interfaces connected to a "Gateway Context" is Inter-Context traffic processed entirely by the ASASM and does not hit the switch?
    I'm comparing this to a standard configuration in which multiple contexts would have their Outside interfaces connected to the switch's MSFC. In that configuration I would think that the switch would need to process the packets as they egress the outside interface of one context and ingress the outside interface of another.
    I would see how in either scenario the switch would process the Layer-2 switching. In the 1st example I would not expect the switch to have to process the Layer-3 traffic as it's routing between 3 different contexts on the same ASASM and not having to route down to the MSFC.
    Thank you.
    Edit:
    Just thought of something else I had on my mind.  Would it be possible to run EIGRP between cascading contexts when running ASA Version 9.0(1)

  • How to share security context between different application ?

    Hi all,
    I have two applications(ADF faces + BC, JDev 10.1.3.1) deployed into OAS 10.1.3.1.
    The two applications are :
    1) SalesApp -> main menu page = SalesMenu.jspx
    2) ReportApp -> main menu page = ReportMenu.jspx
    I want implement security using CustomLogin.
    The question is :
    How can I share security context between the applications ?
    What I mean is, from SalesMenu.jspx there is one menu item to jump into ReportMenu.jspx, and I want user no need to Login again, Login is once and the user is recognized in the two apps. How to achieve that ?
    Thank you for your help,
    xtanto

    Xtanto,
    actually you can't if these are separate J2EE application deployments. The session is not shared and thus the authentication is lost. I heard that OracleAs is planning to implement a feature that allows you to share the session and thus a context between two J2EE deployments. I am not 100 % sure this is the case and will check with OC4J Product Management
    Frank

  • How to get security context in BPEL to get Logged in UserId

    Hi All,
    We have a requirement of getting security context in BPEL flow and from that we want to extract currentUserId. The requirement is to know who has initiated the composite flow. We are not passing userId in the event payload. In ADF we get the same through following expression:
    ADFContext.getCurrent().getSecurityContext().getUserName()
    Is there any similar api which we can access to get currentUserId?
    Thanks,
    Naga

    Hi,
    If your BPEL has oracle/wss_username_token_service_policy you can retrieve the username from the SOAP headers...
    Have a look at this...
    http://yuanmengblog.blogspot.com.au/2012/09/extracting-and-passing-wss-name-token.html
    Cheers,
    Vlad

  • The server principal "XYuser" is not able to access the database "Ydb" under the current security context

    SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
    The server principal "XYuser" is not able to access the database "Ydb" under the current security context
    This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

    This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
    Using the SQL Server management Studio:
    In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
    That is: ServerName -> Security -> Logins
    NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
    Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
    The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
    In order to ‘Map’ the Login, the Login must not already be as User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.

  • HTTP (Axis) Receiver Adapter error: The security context token is expired or is not valid

    Hi Experts,
    We are required to send a message through PI 7.31 (single stack) in a Soap-to-Soap scenario connecting to a Soap 1.2 Web Service.
    We are getting a Security Context Token expired or Invalid error.
    Please help us resolving this error.
    Thanks in advance!
    The Channel Configurations are as follows:
    Processing sequence:
    Module configurations:
    1.
    2.
    3.
    4.
    Best Regards
    Vikram

    Hi all !
    First of all, thanks for your answers..
    Stefan Grube:
    It's not an Adapter Module.
    The module tab  following configuration
    Processing Sequence:
    AF_Adapters/axis/AFAdapterBean     Local Enterprise Bean     afreq
    AF_Adapters/axis/HandlerBean                     Local Enterprise Bean     xireq
    AF_Adapters/axis/HandlerBean                     Local Enterprise Bean     trp
    AF_Adapters/axis/HandlerBean                     Local Enterprise Bean     dcres
    AF_Adapters/axis/HandlerBean                     Local Enterprise Bean     xires
    AF_Adapters/axis/AFAdapterBean     Local Enterprise Bean     afres
    Module Configuration
    xireq          handler.type     java:com.sap.aii.axis.xi.XI30OutboundHandler
    trp          handler.type     java:com.sap.aii.adapter.axis.ra.transport.http.HTTPSender
    trp          module.pivot     true
    xires          handler.type     java:com.sap.aii.axis.xi.XI30OutboundHandler
    How can I know if those values are correct?
    Srinivas Reddy:
    Thanks for the documentation
    I have applied SAP Note 11016021 and the error changed, now it says:
    Axis: fatal error in invocation: java.lang.NoSuchMethodError: com/sap/aii/axis/xi/XIUtils.setOperation(Ljava/lang/String;Lorg/apache/axis/MessageContext;)V
    Message processing failed. Cause: com.sap.engine.services.ejb.exceptions.BaseTransactionRolledbackLocalException: Exception thrown in method process. The transaction is marked for rollback.
    Edited by: Antonio Guzman on Jul 9, 2008 5:29 PM

  • Setting security context in sql*plus session

    Hi,
    For a SQL*Plus session under an account that doesn't have execute privileges on fnd_global, is there any way to set the application security context similar to the way fnd_global.apps_initialize does?
    For example, as APPS one can do this:
    sqlplus apps/...
    SQL>  select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    1 row selected.
    SQL> execute fnd_global.apps_initialize( ... );
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.
    What I'd like to do is something like this ...
    sqlplus scott/...
    SQL> ... call some EBizSuite procedure where I can supply or
    be prompted for an EBizSuite user name, password, and responsibility ...
    SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
    FND_USER_ID
    123456
    1 row selected.

    Hi
    Is there any method to initialize the environment using Java API.
    how to call the function fnd_global.apps_initialize
    Can you explain the required parameters.
    Asheesh

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we reference the tables in SAP via the Linked Server defined on the remote server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked, and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • SSO with AD error:An error has occurred propagating the security context...

    Hi.
    On Windows 2003, I have installed BOXI Edge 3.1 with SAP Integration Kit. My primary and only use of the SAPIK will be for retrieving SAP data for BOXI reports. I DO NOT want to use SAP Authentication. For BOXI, I want to set up only AD Authentication, but because the web.xml files change with the installation of the SAPIK, I have not been successful at setting up AD Authentication. I have modified the web.xml files so that they look like the original web.xml files (without SAPIK).
    The AD groups are imported successfully into BOXI. The members of those groups are imported successfully, too. But when a user attempts to login, they get error: An error has occurred propagating the security context between the security server and the client.
    I have tried nearly everything to clear this error and there are no Kerberos errors in Wireshark logs on the BOXI server.
    Help!
    Thank you!
    Luis
    PS - I asked this question in the SAP Integration Kit forum, and they suggested I ask here, I guess because in the end it may have nothing to do with the SAPIK...

    Thanks, Tim, for your willingness to help.
    The problem is resolved.
    I noticed in the Local Security Policy that the right "Log on as a service" displayed only the service account user ID, without the domain identifier - where I expected it to show as "DOMAIN\svcaccount", it only showed "svaccount".
    I stopped the Tomcat and SIA services, I removed "svaccount" from the list in "Log on as a service", I reset the account information in the Tomcat and SIA services as "DOMAIN\svcaccount" and saw that change reflected in "Log on as a service" and now AD Authentication works beautifully.
    My guess is that it must have been using the local account and not the domain account for running the services.
    Next task: SSO...
    Wish me luck!
    Thanks!
    Luis
