Authenticating OIM 9.1.0.2 against AD

Hi,
Is there any OOTB approach available within OIM 10g to consume Windows native authentication/NTLM token? We have 9.1.0.2 on WAS 7 and are looking to federate users into OIM WebApp using Windows credentials.
FYI, options that have been already discarded:
1) Install OAM
2) Install AD password sync connector
Is there anything available for WAS 7 similar to AD Authenticator for WebLogic? Another option I could think of is having IIS set up as a reverse proxy to the IBM HTTP web server, since IIS has the capability to consume the NTLM token and assert the user identity into an HTTP request header.
Any other options?
Also writing a custom JAAS module has been ruled out due to time constraint. Appreciate any pointers to this.
Thx

With the introduction of OIM 9.1.0.2, the Offline-Line Provisioning attribute was added to the Resource Object. You are trying to import the connector into an environment that is out of date. The solution to this is to open up the XML file, and cut out the XML tag within your resource object for OBJ_OFFLINED and then it should work. But the next issue you are going to run into is most likely the connector version is not supported in your version so it might not work.
-Kevin

Similar Messages

  • Pass-Thru Authentication OIM 11g

    Is there any documentation on configuring pass-thru authentication in OIM to an AD or LDAP instance?
    Thanks

    Apparently, this does not exist for OIM. I need to put an OAM instance in front of OIM in order to authenticate against AD

  • Reset Password In Form Based Authentication "OIM - OAM Integration" SSO

    Hi All
    I want to give a Password Reset option in the Form Based Authentication page for the OIM-OAM SSO application, could you please help me with that?
    My SSO is working with OIM 9.1.0.2BP06 with OAM 10.1.4.2.0, and I have created a simple form in HTML for the authentication. Now I want a Password Reset button on the form, and will have to reset through LDAP
    TA

    Provide the OIM links for registration and forgot password.
    If your OAM has a user store(LDAP) where OIM is provisioning, your changes will be reflected in OAM
    Hope this helps,
    Sagar

  • Authenticating IMS 5.2 user passwords against another LDAP

    hi,
    Am currently authenticating IMS 5.2 against IDS 5.1.
    Is it possible to authenticate IMS 5.2 users' passwords against another LDAP server just for logins?
    The rest of the user mail attributes still remains on IDS5.1 for mail delivery...etc
    What would be the requirements from the other LDAP server to return to the user in order to log in to messenger express/pop/imap/smtp?
    how would the http session id be returned to the user via the IMS?
    thank you

    Thanks Jay...
    I did the following:
    $ ./configutil -o store.defaultmailboxquota -v 10485760
    Now, I think I read somewhere you have said it is required to restart...
    Would it suffice to just refresh the cache with the following command?
    ./imsimta restart dispatcher
    Thanks as always for your support.

  • OIM 11g R1 - Validating Password against Password Policy

    Hi,
    May I know how I can validate a password against a password policy specific to a particular resource object. Thanks.

    See this,
    http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/appinstance.htm#CHDEHJJJ
    For 11gR1, see this,
    http://docs.oracle.com/cd/E17904_01/doc.1111/e14308/oim_admin.htm
    After creating the policy, add this policy to the resource object by using the Password Policy Rule Tab.
    I hope this helps
    Edited by: Shashi kiran on Apr 19, 2013 3:36 PM

  • Pre-authentication information was invalid (24) authorization against AD

    Hi all,
    I'm going to be really desperate from this error message during the authentication to the Win2003 server where the Active Directory is running ... I'm using Krb5LoginModule.
    - Our administrator of the AD service has enabled DES encryption at the tested account.
    - I'm sure that the entered password is correct, because I'm able to log in via this password to our network.
    - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
    - Kerberos KDC contains the IP address of the Domain controller.
    I really don't know why it doesn't work....:-(( Strange is that if I enable ticketCache to the ability to use the native ticket cache it works fine.....
    My code is:
    import java.util.Iterator;
    import java.util.Properties;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    /**
     * This JaasAcn application attempts to authenticate a user
     * and reports whether or not the authentication was successful.
     */
    public class JaasSample {
      public static void main(String[] args) {
        LoginContext lc = null;
        try {
          // "JaasSample" must match the entry name in jaas.conf
          lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
          System.err.println("Cannot create LoginContext. " + le.getMessage());
          System.exit(-1);
        } catch (SecurityException se) {
          System.err.println("Cannot create LoginContext. " + se.getMessage());
          System.exit(-1);
        } catch (Exception e) {
          System.out.println("Login failure: " + e.getMessage());
          System.exit(-1); // lc is unusable here, so do not continue to login()
        }
        try {
          // Prompts for the Kerberos username and password, then requests a TGT
          lc.login();
          Subject subject = lc.getSubject();
          Iterator<?> it = subject.getPrincipals().iterator();
          while (it.hasNext())
            System.out.println("Authenticated: " + it.next().toString());
          it = subject.getPublicCredentials(Properties.class).iterator();
          while (it.hasNext())
            ((Properties) it.next()).list(System.out);
          lc.logout();
        } catch (LoginException le) {
          System.err.println("Authentication failed: ");
          System.err.println("  " + le.getMessage());
          System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
      }
    }
    start.bat file:
    "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
    jaas.conf file:
    JaasSample {
      com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
    };
    Output is:
    c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
    BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
    va.security.auth.login.config=jaas.conf JaasSample
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
    alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
    null tryFirstPass is false useFirstPass is false storePass is false clearPass is
    false
    Kerberos username [Kloucek]: User3
    Kerberos password for User3: Poiu4566
    [Krb5LoginModule] user entered username: User3
    principal is [email protected]
    Acquire TGT using AS Exchange
    EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
    2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
    0010: 1F 16 9E B6 19 8A 46 68
    [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication failed:
    Pre-authentication information was invalid (24)
    I tried all tips I found at this forum and other internet resources without luck...:-(((
    Please heeeeelp!!!!!!!!!!!!!!!!!

    I have solved it.... The reason for this problem was this:
    I'm accessing our network via these login properties:
    login: My second name
    pass: My password
    Due to this fact I had entered these login properties into the Kerberos database too..., BUT KERBEROS had been expecting my fully qualified network name which is myfirstname.mysecondname@KERBEROS-REALM!!!!!!!!!!!!!!! So after I had entered [email protected] instead of [email protected] it started to work!!!!! I hope this will help many other programmers....

  • Acrobat Standard Proxy Authentication

    Hi,
    When we sign our PDF's we want to use an external timestamping server
    So we have configured both a Verisign and Globalsign timestamping server and made one of them as default
    Most of the time we got a response from Acrobat saying
    "Timestamp signature property generation error:
    Transport authorization failure"
    When it fails the doc is signed, but using the computers clock and we want to avoid that
    But sometime it did work which confused us but I think we have identified the problem with the Proxy authentication
    Our proxy requires full authentication against our Active Directory
    So when it worked was just because we just before signing had been surfing on the internet and the proxy had cached the credential approvals
    So when Adobe tried to get out to the timestamp server the ID was already authorized in the proxy
    But without a previous "IE-surfing" it fails, the proxy has nothing in its cache
    A network trace confirms this, we see an "Authentication required" request from the proxy that Acrobat never responds to
    The proxy does not accept anonymous requests
    IE is configured to use a configuration script for its proxy settings
    I can't find any relevant Acrobat settings that handle this and googling indicates that Acrobat has problems in this area
    But I haven't found anything for our version/release
    Now for the question, is Adobe Acrobat Standard 9.3.0 supposed to handle proxies that require AD authentication?
    To bypass the proxy is not an option
    Setting a proxy exception for these servers is maybe an option
    Preferred is that Acrobat handles this

    To update my own question since it might help others
    I received assistance through the Adobe support channels
    Not what I was hoping for but it clarifies the problem
    The reason I asked the question is that we don’t support Shared Review with an Authenticating Proxy server. So this customer workflow isn’t too far off the mark with having a proxy server authentication expectation in the standalone client and wanting a timestamp server time.   The only workaround to this behavior is to do exactly what they have found.  Launch an instance of Internet Explorer, authenticate against the proxy server and then sign the PDF file.

  • Can Custom Authentication Procedure Change APP_USER?

    I have a custom authentication procedure that authenticates the user against Active Directory. In the procedure, I look up the user's proper case name, using the non-case-sensitive user name they typed in.
    I'm doing this:
    HTMLDB_CUSTOM_AUTH.set_user(p_user => s_username);
    OWA_COOKIE.send(NAME => 'LOGIN_USERNAME_COOKIE', VALUE => v('APP_USER'));
    The cookie seems to be correct, but the area at the upper right of each page doesn't show the proper case username and the client_id column of the dba_audit trail view doesn't show it either.
    What am I doing wrong?
    -F

    Hi Scott.
    In my authentication scheme, I have this for my Authentication Function:
    return dar_authentication_pack.get_user_authenticated_func
    The function is declared like this in the package specification:
    FUNCTION get_user_authenticated_func(
      p_username IN VARCHAR2,
      p_password IN VARCHAR2,
      p_preserve_case IN BOOLEAN DEFAULT True
    ) RETURN BOOLEAN;
    In my login page, the "Login" Page Process is this:
    begin
      wwv_flow_custom_auth_std.login(
        P_UNAME => :P101_USERNAME,
        P_PASSWORD => :P101_PASSWORD,
        p_preserve_case => True,
        P_SESSION_ID => V('APP_SESSION'),
        P_FLOW_PAGE => :APP_ID||':4'
      );
    end;
    I'd like to be able to change APP_USER from what the person entered to the Proper Case version of it that I have found in Active Directory. What is the best way to do this?
    -F

  • HTTPS Without client authentication shows error of Certificate

    Hi Experts,
    I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
    I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
    However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
    Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
    Is below understanding right ?
    -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
    Thanks..
    regards,
    Omkar.

    Hello Omkar,
    What you are trying to do is consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for the late response.. I just came across this post when I was searching for something else)
    1) How did you generate the certificate and the private key? Because Key Generation plays a big part in it. The Key should have been signed by a CA. Though it's not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
    2) At the time of Key Generation definitely it shall ask for a password. You remember that.
    3) Export the Private Key in PKCS12 format and the certificate in Base64 format and have it in your local system (shall be used later in SOAP UI and NWA)
    Here follows the major part
    4) Open NWA and go to Configuration Management->Authentication
    5) Go to the Properties tab and click Modify
    6) Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
    7) Now go to the Components Tab.
    8) Search for the client_cert Policy Configuration name and edit it. Make sure the following Login Modules are maintained in the same order
    ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
           Flag : Sufficient
    ==> Name: BasicPasswordLoginModule
           Flag: Optional
    9) Now select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add a new entry (case sensitive). Save it.
    ==>Name: Rule1.getUserFrom
           value : wholeCert
    10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
    and edit it.
    11) Under the Authentication stack select the template client_cert against the used template label and save it.
    12) If you are using AXIS Adapter, do step 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
    13) Now in NWA navigate to Operation management->Identity Management
    14) Search for the user PIISUSER (or any user id which you think has a good amount of authorizations to access the service)
    15) Click Modify and go to the tab Certificates and upload the certificate (not the private key) which you downloaded in step 3.
    16) With this setup what you have done is you have created a proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
    17) Usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since it's single stack, just make sure in the cert and keys you add this certificate to the Trusted CAs and also to the Server Keystore.
    18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
    19) In SOAP UI under the operation name, in the Request, instead of providing user credentials, choose the private key name against the SSL Keystore entry.
    20) Before you execute the scenario  make sure you have chosen the HTTPS url and https port is proper. Usually its 443, but some customers configure their own port.
    Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
    Good Luck!!
    Best Regards,
    Sundar

  • JAAS and Java client authentication

    I'm trying to use JAAS authentication from a Java Swing client against a
    WLS 6.1 SP1 server. Using the samples I've successfully managed to
    authenticate a client, however a couple of issues have arisen:
    - How can I remove the principal association with the current thread when
    the user wishes to log out ? The LoginContext.logout implementation in
    the samples doesn't appear to be sufficient.
    - I'm assuming that the current server authentication called via
    weblogic.security.auth.Authenticate.authenticate does not store roles and
    group information as Principals within the returned Subject ? Is there
    anyway I can access this information so I can modify the UI for the
    current user ?
    - Should I be able to establish a secure connection by using
    t3s://host:secure_port when authenticating through JAAS ? When I tried
    this I received, 'java.rmi.ConnectException - unable to get direct or
    routed connection to '904601561764...:<ip address>'
    Thanks
    Darren

    Yes, Sun provides a Windows LoginModule implementation called com.sun.security.auth.module.NTLoginModule which should do Windows logins (I have not tried it on XP)
    However, in order to understand how this all works you have to read the JAAS reference guide and tutorial.
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/index.html

  • OIM 11g: OIM User "Notes" field

    Does anyone know if anything has changed from 9.1x to 11g with regard to the Users.Note attribute? We have a unit test that reads and tries to set "Users.Note" via the tcUserOperationsIntf.updateUser() method. This test works fine against OIM 9.1x, but fails against OIM 11g with a tcAPIException with the message that "Users.Note" is not a valid attribute name. The Users.Note field is defined as a field lookup and exists in the database (USR_NOTE), so I'm wondering what changed.
    Any ideas?

    waynec wrote:
    Does anyone know if anything has changed from 9.1x to 11g with regard to the Users.Note attribute? We have a unit test that reads and tries to set "Users.Note" via the tcUserOperationsIntf.updateUser() method. This test works fine against OIM 9.1x, but fails against OIM 11g with a tcAPIException with the message that "Users.Note" is not a valid attribute name. The Users.Note field is defined as a field lookup and exists in the database (USR_NOTE), so I'm wondering what changed.
    Any ideas?
    Users.Note is not present in the entity definition for User entity (file /db/Users.xml in MDS).

  • Jes2005Q4 AccessManager console Authentication failed

    Hi,
    I have installed Jes2005Q4 (DirectoryServer, AdministrationServer, ApplicationServer, AccessManager) in Solaris 9. After starting everything, when I am going to access the following page I got the Authentication failed error.
    http://andaman.miel.mot.com:8080/amserver/UI/Login?gx_charset=UTF-8
    Below is the amconfig script. Please give me a solution asap. I am struggling a lot.
    BASEDIR=/apps/vendor/jes
    SERVER_HOST=andaman.miel.mot.com
    SERVER_PORT=8080
    SERVER_PROTOCOL=http
    CONSOLE_HOST=$SERVER_HOST
    CONSOLE_PORT=$SERVER_PORT
    CONSOLE_PROTOCOL=$SERVER_PROTOCOL
    CONSOLE_REMOTE=false
    DS_HOST=andaman.miel.mot.com
    DS_PORT=389
    DS_DIRMGRDN="cn=Directory Manager"
    DS_DIRMGRPASSWD=admin123
    ROOT_SUFFIX="dc=miel,dc=mot,dc=com"
    COOKIE_DOMAIN=.mot.com
    # ADMINPASSWD, the amadmin password, and AMLDAPUSERPASSWD, the amldapuser password, must be set to different values
    ADMINPASSWD=admin123
    AMLDAPUSERPASSWD=ldapadmin123
    CONSOLE_DEPLOY_URI=/amconsole
    SERVER_DEPLOY_URI=/amserver
    PASSWORD_DEPLOY_URI=/ampassword
    COMMON_DEPLOY_URI=/amcommon
    COOKIE_DOMAIN=.mot.com
    JAVA_HOME=/usr/jdk/entsys-j2se
    AM_ENC_PWD=""
    PLATFORM_LOCALE=en_US
    NEW_OWNER=root
    #### Linux installations probably would want to set NEW_GROUP as root as the sane default value.
    NEW_GROUP=other
    XML_ENCODING=ISO-8859-1
    NEW_INSTANCE=false
    ############### Web Container type required #######################
    # WL6 => weblogic 6.x
    # WL8 => weblogic 8.x
    # WAS4 => websphere 4.0.5
    # WAS5 => websphere 5.x
    # WS6 => s1ws 6.1
    # AS7 => s1as 7.0
    # AS8 => s1as 8.1
    WEB_CONTAINER=AS8
    ############### Required for Web Server ################################
    WS61_INSTANCE=https-$SERVER_HOST
    WS61_HOME=/opt/SUNWwbsvr
    WS61_PROTOCOL=$SERVER_PROTOCOL
    WS61_HOST=$SERVER_HOST
    WS61_PORT=$SERVER_PORT
    WS61_ADMINPORT=8888
    WS61_ADMIN="admin"
    ############### Required for App Server 8.x ################################
    AS81_HOME=/apps/vendor/jes/SUNWappserver/appserver
    AS81_PROTOCOL=$SERVER_PROTOCOL
    AS81_HOST=$SERVER_HOST
    AS81_PORT=$SERVER_PORT
    AS81_ADMINPORT=4849
    AS81_ADMIN=admin
    AS81_ADMINPASSWD="admin123"
    AS81_ADMIN=admin
    AS81_ADMINPASSWD="admin123"
    AS81_INSTANCE=server
    AS81_DOMAIN=domain1
    AS81_INSTANCE_DIR=/apps/vendor/jes/SUNWappserver/domains/domain1
    AS81_DOCS_DIR=/apps/vendor/jes/SUNWappserver/domains/domain1/docroot
    AS81_IS_SECURE=false
    AS81_ADMIN_IS_SECURE=true
    ############### Required for SSL enabled ################################
    SSL_PASSWORD="sample" # used in auto'ly restart container
    DIRECTORY_MODE=1
    USER_NAMING_ATTR=uid
    ORG_NAMING_ATTR=o
    ORG_OBJECT_CLASS=sunismanagedorganization
    USER_OBJECT_CLASS=inetorgperson
    DEFAULT_ORGANIZATION=

    We faced a similar problem recently and we would like to document the solution for it. The root cause of the problem was traced to the absence of certain index configurations in the Directory Server. Because of this Access Manager was unable to fetch certain data from the backend directory during authentication.
    At the time of configuration, Access Manager creates certain indexes in the LDAP Directory under the node: cn=index,cn=<databaseName>,cn=ldbm database,cn=plugins,cn=config.
    where <databaseName> is the name of the database storing your Access Manager tree e.g. userRoot.
    The indexes are created from the file - /etc/opt/SUNWam/config/ldif/index.ldif.
    So if you are facing authentication failure problem - please cross check against the index.ldif file and verify the creation of each index. If index on a specific attribute is missing follow the steps below to resolve this issue:
    * Use ldapmodify to upload the file /etc/opt/SUNWam/config/ldif/index.ldif onto each DS instance
    ldapmodify -h <host> -p <port> -D "cn=directory manager" -w <pwd> -a -c -f /etc/opt/SUNWam/config/ldif/index.ldif
    * Run the command db2index.pl to generate new set of indexes to be maintained by the server.
    Regards,
    Chetan Mutalik Desai
    Persistent Systems
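
    The cross-check described in the answer above, as an added Python example that is not part of the original post or of Access Manager: it parses index.ldif and an LDIF dump of the server's index node, then reports indexes or index types that are missing. The sample LDIF text, the attribute names in it and the function names are constructed for illustration, and the standard nsIndex/nsIndexType entry layout is assumed.

```python
import base64

# Index node named in the post; <databaseName> is filled in by the caller.
INDEX_PARENT = "cn=index,cn={db},cn=ldbm database,cn=plugins,cn=config"


def parse_ldif(text):
    """Split LDIF text into records, each a list of (attribute, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # folded line: continues the previous one
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:             # trailing blank flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = []
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.append((attr.strip().lower(), value.strip()))
    return records


def index_map(ldif_text, db="userRoot"):
    """Map indexed attribute name -> set of nsIndexType values under the index node."""
    parent = INDEX_PARENT.format(db=db).lower()
    indexes = {}
    for record in parse_ldif(ldif_text):
        dn = next((v for a, v in record if a == "dn"), "")
        rdn, _, rest = ",".join(p.strip() for p in dn.lower().split(",")).partition(",")
        if rest != parent or not rdn.startswith("cn="):
            continue                      # not an entry directly under the index node
        types = set()
        for attr, value in record:
            if attr == "nsindextype":
                types.update(value.lower().replace(",", " ").split())
        indexes[rdn[3:]] = types
    return indexes


def missing_indexes(expected_ldif, actual_ldif, db="userRoot"):
    """Report indexes (or index types) defined in index.ldif but absent on the server."""
    expected, actual = index_map(expected_ldif, db), index_map(actual_ldif, db)
    report = {}
    for attr in sorted(expected):
        if attr not in actual:
            report[attr] = "index entry missing"
        elif expected[attr] - actual[attr]:
            gap = sorted(expected[attr] - actual[attr])
            report[attr] = "missing index types: " + ",".join(gap)
    return report


# Constructed sample in the nsIndex entry layout; not the contents of the real index.ldif.
EXPECTED_LDIF = """\
dn: cn=nsroledn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
nsIndexType: pres
nsIndexType: eq
nsIndexType: sub

dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
nsIndexType: eq

dn: cn=sunxmlkeyvalue,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
nsIndexType: eq
nsIndexType: sub
"""

# Constructed search output for the same node on one DS instance (note the folded DN).
ACTUAL_LDIF = """\
version: 1
dn: cn=nsroledn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=conf
 ig
objectClass: nsIndex
nsIndexType: pres
nsIndexType: eq

dn: cn=memberof, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
objectClass: nsIndex
nsIndexType: eq
"""


if __name__ == "__main__":
    for attr, problem in missing_indexes(EXPECTED_LDIF, ACTUAL_LDIF).items():
        print(f"{attr}: {problem}")
```

    Run it once per Directory Server instance, since the answer applies index.ldif to each instance separately.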

  • OIM Client application development using OIM API, when user password is not available

    I am developing a client application for OIM. The client application is a set of services, running on a separate server from where OIM is running.
    The OIM version used is 11gR2.
    As I look into the oimClient object, the login method takes username and password. As my application is in an SSO environment, I do not have the password for the user, and just have the user's login ID.
    If I am correct, the tcUtilityFactory allowed a digital signature option, to support scenarios like the above.
    Question is, does oimClient support similar functionality? I did not find any examples in the Oracle documentation.
    I will appreciate if someone can confirm a similar usage and provide me some sample code and configuration details.
    Thanks.
    -subrata

    Check: http://www.ateam-oracle.com/authenticating-oim-apis-without-end-users-password/
    -Bikash

  • G6: Consolidating Multiple Authentication Sources

    Hello everyone!
    When our development environment was setup an Authentication Source was created to go against 1 of the 4 containers in our Active Directory. The containers correspond to different regions of our organization (North, South, East West). At the time we just wanted to test the North people so we set the OU to that container.
    This past week I wanted to expand our user base to include the 3 other containers. Unsure of the exact procedure to do this, I copied the original AuthSource and created 3 new ones. The users were successfully pulled in, however at the login screen there are now 5 authentication sources (Plumtree Users, North, South, East, West). I realize now that a mistake was made from the start in pulling from a container rather than the root, or in my second step of creating new sources rather than manipulating the original. (chalk it up to a learning curve!)
    The Authentication Sources are tied directly to the users that they have loaded and can't be deleted unless the associated users/groups are "removed".
    Would I be correct in assuming that the only way to consolidate our login Authentication Sources would be to delete all of our users followed by all of the Auth Sources and then create a single source to query the root? Is there any way to change the users Auth Source?
    Are there any other "best practices" or pitfalls that I should be aware of? Especially things that can't be modified after the initial import as in this case?
    Thanks for any help,
    Geoff
    Geoff Garcia
    Producer, Enterprise Portal
    March of Dimes National Office
    1275 Mamaroneck Ave.
    White Plains, NY 10605
    914 997.4275 (Office)
    908 531.6364 (Cell)
    [email protected]
    Improving the health of babies by preventing birth defects, premature birth, and infant mortality

    I would do this:
    Delete the "new" (South, West, East) users, groups, then delete the corresponding authentication sources
    Modify the "original" (North) authentication source's User Query Base (and Query Filter if necessary) Rename the authentication source if you like. Do not change the User Unique Name attribute.
    Sync the original authentication source. This should just add the users from the modified root, and assuming that the original users are still included in the modified base and query, they should just stay right there.

  • Error while executing the service request : : Login to Mail Service failed

    I am getting the following error in Convergence while attempting to authenticate against the mail service. I am able to access the backend mail service directly from a mail client with the same account without any issue.
    Looking at the log file info:
    ==> iwc.log <==
    AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,744 - Subject not found in session, creating one
    AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,745 - User LoginID is [email protected]
    AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,745 - User domain is mydomain.com
    AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,746 - Loaded UG LDAP pool...
    AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,750 - SunLDAPLoginModule:User [email protected] Authenticated
    AUTH: INFO from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,752 - Loading user entry from LDAP
    AUTH: INFO from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,754 - User entry loaded successfully
    PROTOCOL: INFO from com.sun.comms.client.entity.user.sun.CommsUser Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,757 - IM Service is not enabled for user: sunImUser object class is not present
    AUTH: INFO from com.sun.comms.client.web.IwcCookieManager Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:21,758 - Preferred language for user is en
    PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.UserPrefsCommandDelegate Thread httpSSLWorkerThread-8080-2 at 2009-03-10 04:33:22,404 - get_allprefs.iwc : Service is not enabled : im
    PROTOCOL: INFO from com.sun.comms.client.entity.user.sun.CommsUser Thread httpSSLWorkerThread-8080-2 at 2009-03-10 04:33:22,405 - SMIME Service is not enabled for server
    PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.UserPrefsCommandDelegate Thread httpSSLWorkerThread-8080-2 at 2009-03-10 04:33:22,406 - get_allprefs.iwc : Service is not enabled : smime
    PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.agent.ClientOptionsAgent Thread httpSSLWorkerThread-8080-2 at 2009-03-10 04:33:22,407 - client preferences not found for domain: mydomain.com
    PROTOCOL: INFO from com.sun.comms.client.entity.user.sun.CommsUser Thread httpSSLWorkerThread-8080-2 at 2009-03-10 04:33:22,418 - Client customization service is disbaled for the deployment
    ADDRESS_BOOK: INFO from com.sun.comms.client.ab.coresrv.DBHandler Thread httpSSLWorkerThread-8080-1 at 2009-03-10 04:33:23,131 - Got DBPluginMap
    PROXY_MAIL: INFO from com.sun.comms.client.web.services.sun.MailServiceProxy Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:23,139 - Performing Sun Mail Authentication
    ==> ../../messaging/log/http <==
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: Account Information: connect [10.10.10.229:40786]
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: General Information: [10.10.10.229:40786] POST /login.msc HTTP/1.1
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: Account Notice: badlogin: [10.10.10.229:40786] proxy admin [email protected] domain=us.mydomain.com: user not found
    ==> iwc.log <==
    PROXY_MAIL: ERROR from com.sun.comms.client.web.services.sun.MailServiceProxy Thread httpSSLWorkerThread-8080-0 at 2009-03-10 04:33:25,160 - cookies not present from MS response
    ==> ../../messaging/log/http <==
    [10/Mar/2009:04:33:25 -0400] fe-msg httpd[17512]: Account Notice: close [10.10.10.229:40786] [unauthenticated] 2009/3/10 4:33:23 0:00:02 248 0 0
    It appears that the authentication mechanism is trying to authenticate against the domain "us.mydomain.com" rather than "mydomain.com". At one point I added "us.mydomain.com" as an alias to the domain "mydomain.com" but it has since been removed. I am unsure where Convergence is pulling this information from. Any advice would be appreciated.

    highamjd1 wrote:
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: Account Information: connect [10.10.10.229:40786]
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: General Information: [10.10.10.229:40786] POST /login.msc HTTP/1.1
    [10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: Account Notice: badlogin: [10.10.10.229:40786] proxy admin [email protected] domain=us.mydomain.com: user not found
    It appears that the authentication mechanism is trying to authenticate against the domain "us.mydomain.com" rather than "mydomain.com". At one point I added "us.mydomain.com" as an alias to the domain "mydomain.com" but it has since been removed. I am unsure where Convergence is pulling this information from.
    Convergence determines the default domain from the URL that you used to connect e.g. if you used "http://myserver.us.mydomain.com/iwc" it sets the default domain to "us.mydomain.com"
    http://wikis.sun.com/display/CommSuite/Sun+Convergence+Administrative+Tasks#SunConvergenceAdministrativeTasks-HowdoIcustomizetheLoginpagebasedonthedomainnameintheURLtoaccesstheConvergenceclient%3F
    Rather than use the default domain for the proxy administrator, you can hard-code the domain e.g.
    ./iwcadmin -w <password> -o mail.proxyadminid -v [email protected]
    ./iwcadmin -w <password> -o cal.proxyadminid -v [email protected]
    You need to restart the application-server domain hosting Convergence for the changes to become active.
    Regards,
    Shane.
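
    The mismatch diagnosed in this thread, as an added Python example (not from the original posts or from Convergence): it pairs each "badlogin ... user not found" line in the messaging http log with the Convergence login logged just before it in iwc.log, and reports the cases where the mail server was asked about a different domain than the one the user authenticated in. The sample lines are constructed in the layout of the excerpts above, the account names are placeholders, and the function and field names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Line layouts follow the iwc.log and messaging http log excerpts in the thread.
IWC_DOMAIN = re.compile(
    r"at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ - User domain is (\S+)")
HTTP_BADLOGIN = re.compile(
    r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\].*"
    r"badlogin: \[([\d.]+):\d+\] proxy admin (\S+) domain=(\S+): user not found")


def find_domain_mismatches(iwc_lines, http_lines, window_seconds=5):
    """Return badlogin events whose domain differs from the preceding Convergence login."""
    logins = []
    for line in iwc_lines:
        m = IWC_DOMAIN.search(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            logins.append((when, m.group(2).lower()))

    findings = []
    window = timedelta(seconds=window_seconds)
    for line in http_lines:
        m = HTTP_BADLOGIN.search(line)
        if not m:
            continue
        # Assumption: both logs are written in the same local time zone,
        # so the UTC offset in the http log is ignored.
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
        candidates = [(t, d) for t, d in logins if timedelta(0) <= when - t <= window]
        if not candidates:
            continue                      # no Convergence login to compare against
        user_domain = max(candidates)[1]  # most recent login inside the window
        attempted = m.group(4).lower()
        if attempted != user_domain:
            findings.append({
                "time": m.group(1),
                "client": m.group(2),
                "account": m.group(3),
                "user_domain": user_domain,
                "attempted_domain": attempted,
            })
    return findings


# Constructed sample lines; jdoe@ and admin@ are placeholder accounts.
PREFIX = ("AUTH: INFO from com.sun.comms.client.security.auth.modules.impl."
          "SunAuthCallBack Thread httpSSLWorkerThread-8080-0 at ")
IWC_LOG = [
    PREFIX + "2009-03-10 04:33:21,745 - User LoginID is jdoe@mydomain.com",
    PREFIX + "2009-03-10 04:33:21,745 - User domain is mydomain.com",
    PREFIX + "2009-03-10 04:40:10,101 - User domain is mydomain.com",
]
HTTP_LOG = [
    "[10/Mar/2009:04:33:23 -0400] fe-msg httpd[17512]: Account Notice: badlogin: "
    "[10.10.10.229:40786] proxy admin admin@mydomain.com domain=us.mydomain.com: user not found",
    "[10/Mar/2009:04:40:11 -0400] fe-msg httpd[17512]: Account Notice: badlogin: "
    "[10.10.10.229:40801] proxy admin admin@mydomain.com domain=mydomain.com: user not found",
]

if __name__ == "__main__":
    for hit in find_domain_mismatches(IWC_LOG, HTTP_LOG):
        print(hit)
```

    A hit means the proxy login was attempted in the default domain taken from the request URL, which is the case the reply addresses by setting the proxyadminid options.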
