Authenticated Attributes in Authenticode signing

Hi,
First, I hope this is the correct forum for this question... :-)
I'm developing a simple application to sign exe files with a digital signature programmatically, using the Cryptography API's SignerSignEx2() function (using the Ex2, since I need the files to be time stamped as well, but the issue is the same with SignerSignEx()).
Everything works fine when simply signing with a time stamp: SignerSignEx2() finishes successfully, and the file is correctly signed and time stamped.
But I'm unable to add any authenticated attributes to the signature.
My code looks something like this:
#include <windows.h>
#include <wincrypt.h>
// SIGNER_* types and SignerSignEx2 are declared as documented for Mssign32.dll

// One attribute value, passed as the raw bytes of the string
CRYPT_ATTR_BLOB val1;
val1.cbData = 12;
val1.pbData = (BYTE*) "hello there!";

// One attribute holding that single value
CRYPT_ATTRIBUTE* catt = new CRYPT_ATTRIBUTE[1];
catt[0].pszObjId = (LPSTR) "1.3.6.1.4.1.311.2.1.12";
catt[0].cValue = 1;
catt[0].rgValue = &val1;

// The attribute set handed to the signer
CRYPT_ATTRIBUTES catts;
catts.cAttr = 1;
catts.rgAttr = catt;

// Signature parameters: zero the struct and set cbSize before filling it in
SIGNER_SIGNATURE_INFO signerSignatureInfo = {0};
signerSignatureInfo.cbSize = sizeof(SIGNER_SIGNATURE_INFO);
signerSignatureInfo.algidHash = CALG_SHA1;
signerSignatureInfo.dwAttrChoice = 0;             // SIGNER_NO_ATTR
signerSignatureInfo.pAttrAuthcode = NULL;
signerSignatureInfo.psAuthenticated = &catts;     // authenticated (signed) attributes
signerSignatureInfo.psUnauthenticated = NULL;
When I add the authenticated attributes like this, SignerSignEx2() fails with 0x80093102.
What steps am I missing?
Any advice is very much welcome!
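Why the call fails with this exact input, as an added example that is not part of the original post: 0x80093102 is CRYPT_E_ASN1_EOD, and every CRYPT_ATTR_BLOB in psAuthenticated must already hold a DER-encoded attribute value, so the decoder reads 'h' (0x68) as a tag, 'e' (0x65) as a 101-byte length, and runs off the end of the 12-byte string. The block below wraps the value as a DER OCTET STRING before it goes into the blob; the placeholder OID, the non-Windows stand-in structs and the simplified length check (it models only the rule that triggers EOD, not the full Windows decoder) are assumptions.

```c
/* Added example, not code from the original post: why a raw string is rejected as a
 * CRYPT_ATTR_BLOB value and how to DER-wrap it. PKCS#7 attribute values are ASN.1
 * elements, so pbData must hold a complete DER TLV, never bare bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
/* Stand-ins with the wincrypt.h field layout so the example also builds off Windows. */
typedef unsigned char BYTE;
typedef uint32_t DWORD;
typedef struct { DWORD cbData; BYTE *pbData; } CRYPT_ATTR_BLOB;
typedef struct { char *pszObjId; DWORD cValue; CRYPT_ATTR_BLOB *rgValue; } CRYPT_ATTRIBUTE;
#endif

/* Write a DER length: short form below 128, long form (0x80|N, then N big-endian bytes). */
static size_t der_put_length(size_t n, uint8_t *out, size_t cap)
{
    if (n < 0x80) {
        if (cap < 1) return 0;
        out[0] = (uint8_t)n;
        return 1;
    }
    size_t nbytes = 0;
    for (size_t t = n; t; t >>= 8) nbytes++;
    if (cap < 1 + nbytes) return 0;
    out[0] = (uint8_t)(0x80 | nbytes);
    for (size_t i = 0; i < nbytes; i++)
        out[1 + i] = (uint8_t)(n >> (8 * (nbytes - 1 - i)));
    return 1 + nbytes;
}

/* Wrap bytes as a DER OCTET STRING (tag 0x04). Returns the TLV length, 0 if out is too small. */
size_t der_encode_octet_string(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap)
{
    if (cap < 1) return 0;
    out[0] = 0x04;
    size_t lenlen = der_put_length(in_len, out + 1, cap - 1);
    if (lenlen == 0 || cap - 1 - lenlen < in_len) return 0;
    memcpy(out + 1 + lenlen, in, in_len);
    return 1 + lenlen + in_len;
}

/* Does buf hold one complete DER element (single-byte tag, definite length)? Returns 1 if so,
 * 0 if the buffer ends before the declared length (the condition the Windows decoder reports
 * as CRYPT_E_ASN1_EOD, 0x80093102), -1 if the header is unusable. *needed = promised size. */
int der_tlv_complete(const uint8_t *buf, size_t len, size_t *needed)
{
    *needed = 0;
    if (len < 2) return len ? 0 : -1;
    if ((buf[0] & 0x1f) == 0x1f) return -1;                 /* multi-byte tag: out of scope */
    size_t pos = 1, content;
    if (buf[pos] < 0x80) {
        content = buf[pos++];
    } else {
        size_t nbytes = buf[pos++] & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t)) return -1; /* indefinite or absurd */
        if (len < pos + nbytes) return 0;
        content = 0;
        for (size_t i = 0; i < nbytes; i++) content = (content << 8) | buf[pos++];
    }
    *needed = pos + content;
    return len >= *needed ? 1 : 0;
}

/* Fill the attribute SignerSignEx2 expects in psAuthenticated. The OID is a PLACEHOLDER for
 * the caller's own private arc (assumption): the post's 1.3.6.1.4.1.311.2.1.12 is
 * SPC_SP_OPUS_INFO_OBJID, which Authenticode fills itself from SIGNER_ATTR_AUTHCODE. */
int build_custom_attribute(const char *text, uint8_t *scratch, size_t cap,
                           CRYPT_ATTR_BLOB *blob, CRYPT_ATTRIBUTE *attr)
{
    size_t n = der_encode_octet_string((const uint8_t *)text, strlen(text), scratch, cap);
    if (n == 0) return 0;
    blob->cbData = (DWORD)n;
    blob->pbData = scratch;
    attr->pszObjId = (char *)"1.2.3.4.5.6.7.8.9";        /* PLACEHOLDER OID, not a real arc */
    attr->cValue = 1;
    attr->rgValue = blob;
    return 1;
}

int main(void)
{
    const char *text = "hello there!";                   /* the post's 12-byte value */
    size_t needed = 0;
    int rc = der_tlv_complete((const uint8_t *)text, strlen(text), &needed);
    printf("raw bytes as DER: %s (header declares %zu bytes, %zu present)\n",
           rc == 1 ? "complete" : "truncated -> CRYPT_E_ASN1_EOD", needed, strlen(text));
    uint8_t scratch[64];
    CRYPT_ATTR_BLOB blob;
    CRYPT_ATTRIBUTE attr;
    if (build_custom_attribute(text, scratch, sizeof scratch, &blob, &attr))
        printf("wrapped blob: cbData=%lu, complete=%d\n", (unsigned long)blob.cbData,
               der_tlv_complete(blob.pbData, blob.cbData, &needed));
    return 0;
}
```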

Hi,
As for SignTool.exe, I suggest posting it in the MSDN forum:
http://social.msdn.microsoft.com/Forums/en-US/home
Regards
Wade Liu
TechNet Community Support

Similar Messages

  • How to extract full 20 bytes messageDigest from authenticated attributes

    I'm having problems with message digest calculation.
    Why does the message digest field in the authenticated attributes show only the first 5 octets?
    messageDigest = OCTET STRING = 20 bytes: E3:8A:22:3D:7C...
    How can I extract the whole 20 bytes of the message digest from the authenticated attributes?
    Please, help.

    Thanks Nico,
    I think it will result in data like this:
    100 10 Ten 11
    200 20 Twenty 12
    300 30 Thirty 13
    etc
    and not the expected:
    100 10 Ten 11
    100 10 Ten 12
    100 20 Twenty 21
    etc
    But it inspired me to solve this by adding a key expression in each source table (B & C) to be joined to table A with this formula:
    100+TRUNC(INGRP1.COLB1,-2)
    Regards
    Prat

  • Authentication step in standard signing workflow

    Is it possible to add an authentication step into the standard signing workflow? We cannot use any other signature handler except the standard one (PPKLight) - there is a restriction in the documents. But we need to authenticate the user once she wants to sign.
    Thanks in advance,
    Nikita

    Hi Steve,
      Thank you for your attention to my question!
      By the requirements, we need to make the user enter a password every time he/she signs a document.
      We are aware of the strong private key protection for digital IDs from the Windows Certificate Store and about digital ID files in Adobe. But in the case of the Windows Certificate Store, Adobe asks for the password only the first time the user signs a document; all the next are skipped. In the case of digital ID files, Adobe allows the user to adjust the password timeout; we need to somehow restrict this option for the user so he/she cannot set anything except entering the password "Always".
      There are 2 open questions for us now, and it would be very helpful if you knew the answer:
      1) How to overcome the "certificate caching" in the case of the Windows Certificate Store, or how to restrict adjusting the password timeout for digital ID files in Adobe?
      2) It would be even better if we could authenticate the user in a third-party system every time he/she tries to sign a document. I was looking for some kind of authentication interceptor which Adobe could use right before starting the signing procedure, but no luck so far. Do you know if it is possible? And if yes, then how?
      Thank you for your help in advance!
    Nikita

  • 802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

    Hi Spiceys, I'm researching for a potential client and would like to know if the following is possible: They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO, and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so 3rd party SSO apps I don't want to investigate. If a wireless client is authenticated with NPS, and we have a working ADFS implementation, are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work'? They are looking at using the full...
    This topic first appeared in the Spiceworks Community

    Did you find any resolution to this? Our MBA mid-2013 deployment is having a very similar problem. We've gone through loads of troubleshooting and have yet to come to a resolution. All our mid-2012 MBAs are working fine; they're 10.7.5/10.8.4 mixed. Console logs don't show much; I'll try the wireless diags tomorrow. Our other 10.8.4 build appears fine on other models of machines. I've read posts about deleting the adapters, deleting the system config plists and changing the MTU size; these steps do not work for us.
    We don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering Wi-Fi wave). When you select the Wi-Fi symbol in the menu bar, other wireless networks do not show; the 'looking for networks' flywheel continues to spin. Occasionally on login the yellow jelly bean will appear then disappear before finally timing out without logging the user in (despite having mobile accounts enabled). Mostly the problem manifests itself when waking from sleep: the Wi-Fi symbol flutters endlessly without connecting. Deleting the 802.1X profile and re-adding it will re-enable connectivity. We've tried new profiles, but to the same end. I know our certs and systems are fine because previous Mac OS X builds work fine, as do our Windows clients.
    Any input would be much appreciated.

  • OpenSSO Multiple Authentication Attributes

    Using OpenSSO 8u2p3 Build 6 and Sun DS 7 on Red Hat. Using LDAP Auth Service.
    I would like to let users choose from 2 different attribute values as their login, i.e. uid or badge number; UID is the RDN of all user DNs. I go to Authentication | Module Instances and select the previously configured LDAP module. I add the badge number attribute to "Attributes to Search for a User to be Authenticated" and Save.
    It does not allow login with the badge number attribute. When I look in the DS access log, I only see a search using the uid as the filter.
    Is there some other setting that I am missing?
    Thanks!

    First of all, you would need to restart OpenSSO in order for this kind of change to take effect. Secondly, you would need to create two LDAP authentication modules, one with the uid and one with the empid. You cannot use the same LDAP auth module for both.

  • Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

    Hello,
    I am trying to authenticate my server (running an NMS) with a Cisco ISE using the EAP-TLS protocol.
    I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same on both the NMS server and the ISE server.
    Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
    Any pointers or suggestions to overcome this?

    To log in to the Prime GUI, the authentication will be done by ISE.
    The flow goes like this: Admins will log in to the Prime GUI with the default username/pwd and add the RADIUS/ISE details to it, which will be used by Prime for authentication/authorization.
    Once it's done, any other user who tries to log in to the Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to log in to the Prime GUI, authentication should be successful in ISE.

  • CS4 Flash Projector File and Authenticode (Code Signing)

    I have a flash projector file (.exe) that I need to add Code Signing to so it does not say 'Unknown Publisher' in Vista. I read that for CS3 there is no authenticode signing. Was this added in CS4? I just want to check before I go ahead and purchase a 3rd party app like Jugglor. Does anyone else have a suggestion for software to add an authenticode signature to a CS4 flash projector file? Jugglor is pretty old (2007) and I would like to know if there are more recent apps to package and sign projector files.
    Thanks for any info.
    Doug

    You can use a tool from Microsoft to sign your projector. Here's how:
    1) Buy a code signing certificate from someone like COMODO, Entrust, Thawte, or VeriSign
    2) Download the command line code signing tool from Microsoft - SignTool.exe
    http://msdn.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx
    3) Follow these instructions
    http://www.entrust.net/ssl-resources/pdf/ECS_AuthCode_Signing_Guide.pdf
    Good Luck
    Brian

  • Pluggable Authentication and Single Sign On

    When using pluggable authentication with single sign-on enabled, does RD forward the credentials of the client to the session host, or those of the identity provided by the ITSGAuthenticationEngine::AuthenticateUser implementation's call to ITSGAuthenticateUserSink::OnUserAuthenticated?
    I have a PAA authentication plug-in (ITSGAuthenticationEngine) implementation and am trying to determine the potential security impact of this API.
    David L-

    Hi David,
    As far as I know, RDS only supports single sign-on through enabling the group policy Allow Delegating Default Credentials.
    How to enable Single Sign-On for my Terminal Server connections
    http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
    You may need to contact Microsoft Customer Support and Services to find out whether the pluggable authentication method for single sign-on works or not.
    You can find the phone number for your region here:
    Global Customer Service phone numbers
    http://support.microsoft.com/gp/customer-service-phone-numbers/en-au
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • Mail does not allow signed message with .Mac certificate

    Hi all,
    until a few weeks ago, I was able to send signed or encrypted messages with my .Mac account and .Mac certificate. Both of them are still valid, and I can still read all messages I sent as encrypted and/or signed; however, Mail does not show the two buttons to encrypt and/or sign emails. The certificate seems to work to encrypt iChat dialogs as well.
    I repaired my Keychain, looked at how certificates were configured, everything seems normal to me.
    Any clue?

    Well, it seems that we've come across something finally.
    My friend (who is currently able to sign and encrypt messages) and I were comparing notes on our respective certificates. In doing so, he pointed out that he'd noticed a difference in the PURPOSE of my cert versus his cert.
    His cert shows the following purposes:
    1 - Client Authentication
    2 - Email Protection
    3 - Apple .Mac Identity
    4 - Apple iChat Signing
    5 - Apple iChat Encryption
    Whereas mine only shows these purposes:
    1 - Client Authentication
    2 - Apple iChat Signing
    3 - Apple iChat Encryption
    Another thing I noticed while comparing his cert to mine after he pointed this out...his cert is due to expire at the end of October. Mine, on the other hand, was created this past Friday.
    Now, from what I understand, these certs expire one year from date of issue, unless they are revoked earlier. So, I suppose the big question to everyone else out there that is having trouble with using their .Mac issued certificates is "When did yours get renewed?".
    I'm suspecting at this point that somewhere around the end of June the certificates issued by Apple for iChat signing suddenly stopped having the "Purpose" of mail protection. It would also seem that they suddenly stopped having the purpose of .Mac Identity.
    Now I'm curious why Apple would do this, make it actually relatively easy to create a cert that could be used for iChat and Mail encryption, then suddenly take it away. Is this actually what has happened here?
    I'd be really interested in seeing what the renewal dates are and the corresponding "Purposes" are for many of the folks that are reporting trouble with this very issue.
    If you are one of those people who had mail encryption working using your .mac certificate, and it suddenly stopped working...feel free to post your cert information here.
    To get the ball rolling, here's the information from mine...
    Issued By:
    - Apple .Mac Certificate Authority
    Expires:
    - September 14, 2007
    Purposes:
    - Client Authentication
    - Apple iChat Signing
    - Apple iChat Encryption
    G4 800 (Quicksilver) / Powerbook 1.5 GHz   Mac OS X (10.4.7)  

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I try to enable the same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that one first tries authentication with a token (Single Sign On case, for example) and if it is not successful then goes to the log-in page).
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
    1. If client does not send tokens in request, then set response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(response.SC_UNAUTHORIZED);
    This works fine and client starts to send his tokens
    2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
    log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
    Does anyone have any ideas how I can force my clients to send those values from the HTML FORM described above? Should I set something in the response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within the servlet), but I did not have time to investigate it further. This one at least works.

  • Help getting authentication=

    Greetings,
    I could use some help with getting tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.
    I have been using Ethereal to sniff the packets going back and forth from tomcat, and I verified that with a normal server.xml entry (remove the authentication attribute keyword below) it uses 'simple' authentication (clear text passwords).
    My original server.xml works just fine, but now I'm trying to take it to the next level, and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html) specifying that there are the following values:
    - EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
    - DIGEST-MD5 (RFC 2831) is for Digest Authentication.
    - GSSAPI (RFC 2222) is for Kerberos V5 authentication.
    I wish to use GSSAPI to talk with Active Directory so I setup my server.xml with the following :
    <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         authentication="GSSAPI"
         connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
         connectionPassword="myPassword"
         connectionURL="ldap://10.16.0.xx:389"
         alternateURL="ldap://10.16.0.xx:389"
         userBase="OU= myou,DC=company,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
    />
    And now I get a different type of error from Catalina.out:
    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
            at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    .....
    At least the GSSAPI is being recognized! My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following contents:
    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    [realms]
    COMPANY.COM = {
    kdc = addy.mycompany.com:88
    admin_server = addy.mycompany.com:88
    kpasswd_server = addy.mycompany.com:464
    default_domain = COMPANY.COM
    }
    And that I then execute:
    $ kinit DKlotz
    Password for [email protected]: mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
    But as you can see from the previous tomcat error log, something is still missing. Do I need to move the cache file or do other commands so that the code within ldap.jar can use it?
    At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.
    Any help is greatly appreciated!!
    -Dennis Klotz

    Ok I've made progress, whether it is backwards or not, I don't know yet.
    I've added :
    -Djavax.security.auth.useSubjectCredsOnly=false
    To my Catalina options environment variable in Catalina.bat.
    Now I get the error:
    WARNING: Exception performing authentication
    java.lang.SecurityException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at java.lang.Class.newInstance0(Class.java:350)
         at java.lang.Class.newInstance(Class.java:303)
         at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
         at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
         at sun.security.jgss.LoginUtility.login(LoginUtility.java:72)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1515)
         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1601)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.io.IOException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
         ... 56 more
    Am I moving in the right direction?
    -Dennis

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However, I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add AirPort base stations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to radius:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and it also looks like there is some SQL activity. If I don't specify "other" for the nas-type, it defaults to "AirPort Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to, in this case, authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • 2 Factor Authentication and MacBook Pro

    Hi Guys,
    Is it possible to have a MacBook Pro as a trusted device for two factor authentication?
    I am signed into iCloud and 'Find my Mac' on my MBP, however it is not displaying along side my iPad and iPhone as a potential trusted device.
    Googled about can't find anything confirming?
    Thanks,
    Regards,
    John

    Unfortunately, I already tried this several times prior to posting here.  The system won't let me add the same account more than once, and continues to prompt me for a password multiple times for each service.

  • Youtube sign in problems

    I can't sign in to YouTube on iPad or iPhone. I keep getting an authentication failure: password or sign-in is incorrect. If I sign in on a PC it works; it just seems to be on the phone and the iPad. I've been working on it for 2 weeks, can't get help from Google, and the Apple store said it's not their problem. Very frustrated, please help.
    Thank you

    Hello
    I noticed that the last firmware, 20.0.42, has too many problems. I too faced the keyboard dialer problem after updating to 20.0.42, although it was working correctly in the default version 11.0.29, so we have no choice ONLY waiting for Nokia till it produces a new update fixing all these problems.
    You can check for the problem I introduced: from home screen -> dialer -> open keyboard, and try to print bbb; on my C6 it still prints aaa and does not switch to b or c, and the same for all other buttons.
    Good Luck

  • UME attribute mapping for lastpasswordchange to AD

    We are on EP 7.0 and are using Microsoft Active Directory 2003 as our user repository.
    I am using a writeable datasource configuration file to update passwords in AD from portal (SSL configured)
    For users who had password reset done through the portal, portal has the information for "Date of Last Password Change".
    However, for users who do password resets with other mechanisms (outside of SAP portal), portal does not have this information.
    I am trying to map the UME logical attribute "lastpasswordchange" to the corresponding physical attribute on Active Directory - which I believe is "pwdLastSet".
    My XML configuration looks like the following
    <dataSource id="CORP_LDAP">
             <responsibleFor>
                  <principal type="account">
                       <nameSpace name="com.sap.security.core.usermanagement">
                            <attribute name="j_user"/>
                            <attribute name="logonalias"/>
                            <attribute name="j_password"/>
                            <attribute name="userid"/>
                            <attribute name="lastpasswordchange"/>
                       </nameSpace>
                       <nameSpace name="com.sap.security.core.authentication">
                            <attribute name="principal"/>
                            <attribute name="realm"/>
                            <attribute name="domain"/>
                       </nameSpace>
                  </principal>
                  <principal type="user">
                  </principal>
                  <principal type="group">
                  </principal>
             </responsibleFor>
             <attributeMapping>
                  <principal type="account">
                       <nameSpace name="com.sap.security.core.usermanagement">
                            <attribute name="j_user">
                                 <physicalAttribute name="samaccountname"/>
                            </attribute>
                            <attribute name="logonalias">
                                 <physicalAttribute name="samaccountname"/>
                            </attribute>
                            <attribute name="j_password">
                                 <physicalAttribute name="unicodepwd"/>
                            </attribute>
                            <attribute name="userid">
                                 <physicalAttribute name="*null*"/>
                            </attribute>
                            <attribute name="lastpasswordchange">
                                 <physicalAttribute name="pwdLastSet"/>
                            </attribute>
                       </nameSpace>
                  </principal>
                  <principal type="user">
                       <nameSpace name="com.sap.security.core.usermanagement">
                            <attribute name="firstname">
                                 <physicalAttribute name="givenname"/>
                            </attribute>
                       </nameSpace>
                  </principal>
             </attributeMapping>
             <privateSection>
             </privateSection>
        </dataSource>
    However the above configuration doesn't work. I am not able to read the attribute "pwdLastSet" from AD using attribute mapping.
    Can someone please suggest what I am missing?
    Thank You,

    You may google "pwdLastSet convert" and try to find out some scripts to convert pwdLastSet to another timestamp.
    As I got from some Google links (http://anothersysadmin.wordpress.com/2010/10/22/convert-pwdlastset-to-a-human-readable-date/), pwdLastSet counts time in nanoseconds.
    Consult your MS Active Directory team for help to create the converting script, or create another attribute in AD with a format that matches the portal's timestamp. Then you'll map the new AD attribute to the "lastpasswordchange" attribute of the portal.
    Regards, Mikhail.
