Authenticating Users

Similar Messages

• How to use an authenticated user for a proxy call

  Dear all,
  I am currently working on a JEE application where the user needs to authenticate (for this I have configured the web.xml).
  Now inside this application I need to do a proxy call to a PI webservice.
  I would like to use the user credentials of the already logged in user in order to call the proxy.
  What I don't want to do is to use a service user for the proxy call.
  The code I am trying to call looks something like this:
       private IntegratedConfigurationIn getPort() throws Exception{
            IntegratedConfigurationIn port = null;
            try {
                 IntegratedConfigurationInService service = null;
                 service = new IntegratedConfigurationInService();
                 port = (IntegratedConfigurationIn) service.getIntegratedConfigurationIn_Port();
                BindingProvider bp = (BindingProvider)port;
                bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
                bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
                if (url.length() != 0)
                     bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
            catch (Exception ex){
                 ex.printStackTrace();
            return port;
  The examples I found to retrieve the userdata pointed to codes similar to this one:
  public HttpServletRequest getHttpRequest() throws Exception {
            // Get runtime context
            Properties props = new Properties();
            props.put("domain", "true");
            Context initialContext = new InitialContext(props);
            ApplicationWebServiceContext wsContext = (ApplicationWebServiceContext) initialContext
                      .lookup(" /wsContext/ApplicationWebServiceContext");
            HttpServletRequest req = wsContext.getHttpServletRequest();
            return req;
  com.sap.security.api.IUser sapUser = com.sap.security.api.UMFactory.getAuthenticator().getLoggedInUser(getHttpRequest(), null);
            IUser ep5User = com.sapportals.wcm.util.usermanagement.WPUMFactory.getUserFactory().getEP5User(sapUser);
  Now I don't know how to bring it togehter and how to use an authenticated user for the BindingProvider.
  I would appreciate any hints or ideas.

  Peter,
  from the first screenshot, what I understood is that, you are calling an inbound PI web service that is intended to create an integrated configuration object (this is used for whole lot of other reason completely) but not actually calling a development web service.
  For this, you would have to generate your client classes from the WSDL provided by the PI developer for that particular service. Once you get those client classes generated, you could used the method provided in the other screenshot to extract the user and password and call the intended web service.
  Vijay Konam

• How to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically?

  Sharepoint 2013 online/office 365.
  I am creating site collection programmatically using sharepoint Auto hosted app.
  Now i want to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically after site collection creation.
  Is it possible through code? If yes please let me know how to do it?
  Najitha Sidhik

  For SharePoint 2013 Online, check below links:
  http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/manage-sharing-with-external-users-HA102849862.aspx
  http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manage-external-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
  https://www.nothingbutsharepoint.com/sites/eusp/Pages/SharePoint-Online-2013-Sharing-with-External-Users.aspx
  http://blogs.office.com/2013/11/21/sharepoint-online-improves-external-sharing/
  Please ensure that you mark a question as Answered once you receive a satisfactory response.

• EA2 - Cannot connect LDAP-authenticated users in 10.1 and 10.2, OK in 9.2

  First, the relevant versions and such:
  SQL Developer 1.5.0.52.03 (aka EA2)
  Oracle client 10.2.0.1
  Oracle database 9.2.0.6, 9.2.0.7, 10.1.0.5, 10.2.0.2, 10.2.0.3.
  Hosts: Linux x86, Solaris
  Most of the users in my databases are set up as global users (i.e. authenticated via LDAP). I've found that in 9.2.0.6 and 9.2.0.7, I can make connections of the basic type for global users as well as database-authenticated users.
  In any 10g database I've tried (see the versions above), database-authenticated users work fine, but for connections with the global users in the same databases I receive ora-01017. I've tried both basic connections and advanced connections, supplying a thin JDBC string, with the same result. I have verified that the password is correct. The pattern persists across server OSs (Linux and Solaris).
  I cannot make TNS connections at all, but that seems to require an 11g client and has been documented in an enhancement request separately.
  If anyone has advice on this I would be happy to hear it. Thanks.

  I should probably add that I am able to make successful connections via sqlplus and other tools (SQL Navigator) with the users that fail to connect in SQL Developer.

• Reporting Services through ISA server for All Authenticated Users

  Hello colleagues.
  I have MS SQL 2012 server with Reporting Services and it work via link:
  https://reports2.domain.com/reports
  In LAN all work fine, but I want publish this resource via ISA for All Authenticated Users.
  When in publish rule I configure (in Condition) "All users" - all work fine, but when I configure "All Authenticated Users" - I have trouble on web form on
  https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - scripts not work, because it run how "anonymous" (I see on ISA logging) and ISA block scripts.
  I can't use "All Users", because it's not secure.
  Maybe somebody publish Reporting Services through ISA server for All Authenticated Users?
  OR maybe - how on Reporting Services configure Negotiate authenticated for scripts?

  Hi Alexander,
  All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported
  by Reporting Services. To configure Windows Authentication on the Report Server, please see:
  http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
  Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
  http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
  Hope this helps.
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support
  Katherine thanks for answer.
  Report Server service started as Domain account.
  I have in RSReportServer.config this:
  <Authentication>
  <AuthenticationTypes>
  <RSWindowsNegotiate />
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
  </Authentication>
  In web.config I have this:
  <authentication mode="Windows" />
      <identity impersonate="true" />
  I can go (from Internet through ISA) to
  https://reports2.domain.com/reports  and LogOn Authentication is work, but scripts not work, because it run how "anonymous" (I see this on ISA logging) and ISA block scripts.
  Do you know where in Reporting Services configure run scripts with Negotiate authentication?

• How to redirect a first time OAM authenticated user to a custom page

  We are using OAM 11.1.1.5 with OVD. If user logs in for the first time thru OAM, we wanted to collect few more additional information about the user. To do this, we wanted to redirect the user to the collect-additional-data.jsp page immediately after OAM authentication. This will be only one time operation for the user. How to do this in OAM.
  Thanks!
  Kabi

  Just set additional-data.jsp in your authentication policy success url. So always after authentication user req is redirected to the success url. You can also set the requested url in the response in case you want to retrieve it in your additional-data.jsp.

• How can I stop authenticated users from getting other user's information?

  We recently discovered that it is possible for authenticated users, via KMu2019s details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
  The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders are shown.  The user can then select the Details from the menu for one of the folders and the Details iview is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that users name and email address or the user could select a group and view for each member of the group the user id, name, and email address which could then be used to help attack the site.
  So I thought it would be easy enough to disable the details view for all users but content managers or administrators but I seem to running into difficulty. 
  I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all user have no access to the Details in KM.  I tried to add the iView to another role that content managers would have but when logged in with a user that had that other role I still was not able to access the Details iView. 
  This SAP Help document [http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm |http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm ]discusses the eu_role(Standard User role) and it states that
  By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
    But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they donu2019t appear to be linked contrary to what the documentation says.  So, what Iu2019m thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
  I thought Iu2019d give the Security Zones a try to see if this could help me but when I take away rights from here it still allows access.
  Iu2019m stumped.  Iu2019m sure there is some key piece that eludes me.  What can I do to allow users read only access to some KM folders and files while preventing them from viewing the permission/user details?

  The only 3d party apps are Hazel...
  And that's your problem!
  From the Hazel site's description:
  Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
  Hazel, is a prefPane so you must have some rule (or it supplied the rule as a default) to put pictures (jpg's) from your Desktop (folder) into your Pictures folder.
  Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.

• Authenticated User not showing up in access log

  Hello all,
  I am trying to get authenticated users to show up in the access log of SunOne Web Server 6.1 SP4 and it doesn't work. It is a default paramter to show up in the access log but doesn't show in the log. In fact, when I set the log to only show the authenticated user in the log, the log is empty and only shows dashes. As you can in the part of the log file below, after the IP address the log should show the authenticated user but doesn't
  Any help? Do I need to modify something else in a configuration file?
  Thanks
  Richard
  10.64.8.62 - - [15/Jul/2007:00:42:28 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:43:43 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:44:58 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:46:14 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:47:29 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:48:44 +0200] "GET / HTTP/1.1" 200 202
  10.64.8.62 - - [15/Jul/2007:00:49:59 +0200] "GET / HTTP/1.1" 200 202
  10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill/ HTTP/1.1" 200 402
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/wtcore/js/com/ptc/core/ca/web/misc/content.js HTTP/1.1" 200 4132
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/cut.gif HTTP/1.1" 200 104
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newdoc.gif HTTP/1.1" 200 215
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/details.gif HTTP/1.1" 200 214
  10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill HTTP/1.1" 302 0
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/javascript/util/calendar.js HTTP/1.1" 200 29580
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/contract_comp.gif HTTP/1.1" 200 79
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newfoldertl.gif HTTP/1.1" 200 221
  10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/ptclogo.gif HTTP/1.1" 200 1284
  10.64.8.62 - - [15/Jul/2007:00:51:14 +0200] "GET / HTTP/1.1" 200 202

  You didn't say how the server is authenticating the user. Is it succesful? ACLs or Java?
  6.1sp4 is obsolete, update to the latest 6.1 service pack first. If you're using Java, I believe there was a bug years ago that was along the lines of your description. Update to the latest 6.1 service pack and if that doesn't solve the problem, provide more details on how the authentication is configured.

• Workspace Credential Conflict between Logged-in User and the Authenticated User

  Hi there,
  I am running LiveCycle ES Update1 SP2 with Process Management component on WIN/JBoss/SQL Server 2005.
  I have been encountering user credential conflicts from time to time, but it has not been consistent and the problem manifested in various ways, such as:
  - problem when logging in with error "An error occurred retrieving tasks." on the login screen
  - user logs in successfully but is showing somebody else queue(s) with his/her own queue with no task in there
  - fails to claim task from group queue.
  The stacktrace from the server.log file I collected from a production system shows the exception below.
  Has anybody else encountered the similar problem?
  It looks to me that it doesn't log out cleanly and some kind of caching is done on the authenticated session and is not cleaned up properly on user logout.
  2009-07-10 15:05:13,955 ERROR [com.adobe.workspace.AssemblerUtility] ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
  2009-07-10 15:05:13,955 INFO  [STDOUT] [LCDS] [ERROR] Exception when invoking service 'remoting-service': flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
    incomingMessage: Flex Message (flex.messaging.messages.RemotingMessage)
      operation = submitWithData
      clientId = F3D2CDD0-330F-F00B-C710-5AF3F7CB4138
      destination = task-actions
      messageId = 7E385A6B-E4E6-3A81-CD6A-630DF4FAE5BB
      timestamp = 1247202313955
      timeToLive = 0
      body = null
      hdr(DSEndpoint) = workspace-polling-amf
      hdr(DSId) = F3C38977-171B-7BED-3B16-F3A5FE419479
    Exception: flex.messaging.MessageException: ALC-WKS-005-008: Security exception: the user specified in the fill parameters (oid=F0FA390C-AECC-BB19-F0D7-6CA13D6CBF83) did not match the authenticated user (oid=F25892EE-80CE-8C24-E40D-881F631AA8BE).
      at com.adobe.workspace.AssemblerUtility.createMessageException(AssemblerUtility.java:369)
      at com.adobe.workspace.AssemblerUtility.checkParameters(AssemblerUtility.java:561)
      at com.adobe.workspace.tasks.TaskActions.callSubmitService(TaskActions.java:788)
      at com.adobe.workspace.tasks.TaskActions.submitWithData(TaskActions.java:773)
      at sun.reflect.GeneratedMethodAccessor941.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at flex.messaging.services.remoting.adapters.JavaAdapter.invoke(JavaAdapter.java:421)
      at flex.messaging.services.RemotingService.serviceMessage(RemotingService.java:183)
      at flex.messaging.MessageBroker.routeMessageToService(MessageBroker.java:1495)
      at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:882)
      at flex.messaging.endpoints.amf.MessageBrokerFilter.invoke(MessageBrokerFilter.java:121)
      at flex.messaging.endpoints.amf.LegacyFilter.invoke(LegacyFilter.java:158)
      at flex.messaging.endpoints.amf.SessionFilter.invoke(SessionFilter.java:44)
      at flex.messaging.endpoints.amf.BatchProcessFilter.invoke(BatchProcessFilter.java:67)
      at flex.messaging.endpoints.amf.SerializationFilter.invoke(SerializationFilter.java:146)
      at flex.messaging.endpoints.BaseHTTPEndpoint.service(BaseHTTPEndpoint.java:278)
      at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:315)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:252)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at com.adobe.workspace.events.RemoteEventClientLifeCycle.doFilter(RemoteEventClientLifeCycle .java:138)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:202)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
      at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja va:159)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11P rotocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:595)
  Kendy

  I am having the same server issue and i cant get hold of SP3 to fix it. can anyone tell me how to fix this problem or provided a link where i can get SP3 from? Ive spent most of the day on the phone to Adobe Support and they have been unable to provide me with a link to the service pack.

• Username not showing up in access log for authenticated users

  I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
  request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
  Here's an excerpt from the access log:
  // anonymous access attempt, redirects to login page...
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
  10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
  // at this point they are logged in and their username should be reflected in the access log, but is not:
  10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532 And the relevant code from the web application's web.xml:
  <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllFiles</web-resource-name>
        <description>
                   Restricts anonymous access.
                </description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
                 Authenticated Users
                </description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

  Some background:
  The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The coverse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
  (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
  That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
  If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
  If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

• Externally Authenticated User

  Hi, My application is a Pro C / Oracle 8i based application. I was using hardcoded user ids and passwords which we removed thru externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of Oracle database.
  Is this due to externally authenticated user id ? Does it impact the system performance ?
  Edited by: user594301 on Jan 21, 2009 3:01 AM

  Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?

• Cannot prevent authenticated users from creating a blog on "My Page"

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.
  Message was edited by: dstrollo.il

  Ran into this same issue.... Talked with a field engineer who confirmed the behavior. The question now is this a defect or "feature that does not work as as the audience desires". As I far can tell, the security setting for blogs in server admin does nothing at all. This has the potential to cause a few issues as you cannot limit who can have a blog.
  Message was edited by: jlindler

• 10.6.1 Server - cannot prevent authenticated users from creating a blog

  I have a brand new Snow Leopard (10.6.1) 2.26 Ghz quad core Xserve with 12Gb RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes with the plan to add people into the group as they are trained. The process to set it all up was very simple, however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can prevent the creation of wiki's to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to server admin>choose the server>choose the "access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none" and therefore since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List is grayed out. I've seen another thread that states in 10.6 that option for setting the service acl in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.

  Thanks for the suggestion, but that would prevent all users from creating personal blogs. I was hoping to be able to have a group of users that can create a personal blog outside of the blog attached to a wiki.

• Authenticated Users & Users missing from Root

  Hello,
  Environment: MDT 2013, 2008 R2, Windows 7 x86.  MDT is located on Windows 7 x86 and is not integrated with SCCM or WDS.
  Process: Separate build, capture, and deployment task sequences.
  Problem:  After deployment the Authenticated Users and local Users are missing from the root (e.g., c:).  The only security permissions assigned to the root are SYSTEM, domain account, Local Administrator.
  This causes problems once joined to a domain due to the fact Authenticated Users have no permissions forcing a given user to have a temporary account.  So far, only a partial workaround is identified and is undesirable in the long-run.  The workaround
  is to manually add Authenticated Users as well as the Local Users to the root and delete the domain account but the system will only allow partial inheritance through the file structure.  Delete all entries for a particular user in the registry (e.g.,
  PolicyGUID, ProfileGUID, ProfileList).  Afterwards, log in to the machine with an account within the domain administrator group.
  Additional information shows the registry Profilelist entries for a user maintains partial access with a value of 204; this includes the user and a domain account within the administrator group.  The domain account present after deployment has a value
  of 0.  Two accounts have the expected value of 256 and they are the local and domain administrator account.
  Also, if the same image is deployed using the PE environment the accounts are as they should be.  The groups added are: Authenticated Users, Localmachine\Users, SYSTEM, Localmachine\Administrators.
  The questions are: why would the Authenticated Users and Local Users accounts be missing?  Why is the account used to deploy added?
  Help is very appreciated, and thank you.

  Hello, Nicholas the sysprep and capture is completed by a default template from MDT LTI sequence.  The answer file used is the default provided by MDT.  No attempt is made to capture from winpe because this simply negates the point of the MDT process. 
  However, applying the same image from winpe there are no permission issues and all the appropriate groups are assigned to the root.
  With returning to the office this fine morning, I ran icacls on a machine:
  C:\Users\Administrator>icacls c:\
  c:\ No mapping between account names and security IDs was done.
  (I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
  Successfully processed 1 files; Failed processing 0 files
  Thank you for the continued effort, Nicholas.  With the additional icacls information I will delve into the general error provided.

• Authenticated users blocked by rbl

  Hi,
  I have a user who is now having email sent via our server blocked by an rbl. The email being sent was to me, so we both have an account on the same server and no other mail server was involved.
  Is there a way to configure Postfix to accept all incoming email from authenticated users, bypassing the rbl list for authenticated users?
  Output of postconf -n below.
  Thanks
  Ron
  alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
  command_directory = /usr/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/libexec/postfix
  debugpeerlevel = 2
  enableserveroptions = yes
  html_directory = no
  inet_interfaces = all
  localrecipientmaps = proxy:unix:passwd.byname $alias_maps
  luser_relay =
  mail_owner = postfix
  mailboxsizelimit = 0
  mailbox_transport = cyrus
  mailq_path = /usr/bin/mailq
  manpage_directory = /usr/share/man
  mapsrbldomains =
  messagesizelimit = 10485760
  mydomain = wagnercreativegroup.com
  mydomain_fallback = localhost
  myhostname = smtp.wagnercreativegroup.com
  mynetworks = 127.0.0.1/32,66.167.106.195/32,66.167.106.194
  mynetworks_style = host
  newaliases_path = /usr/bin/newaliases
  ownerrequestspecial = no
  queue_directory = /private/var/spool/postfix
  readme_directory = /usr/share/doc/postfix
  recipient_delimiter = +
  sample_directory = /usr/share/doc/postfix/examples
  sendmail_path = /usr/sbin/sendmail
  setgid_group = postdrop
  smtpdclientrestrictions = permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
  smtpdpw_server_securityoptions = plain,login,cram-md5
  smtpdrecipientrestrictions = permitsasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
  smtpdsasl_authenable = yes
  smtpduse_pwserver = yes
  unknownlocal_recipient_rejectcode = 550
  virtualaliasdomains = hash:/etc/postfix/virtual_domains
  virtualaliasmaps = hash:/etc/postfix/virtual,hash:/var/mailman/data/virtual-mailman
  virtualmailboxdomains = hash:/etc/postfix/virtualdomainsdummy
  virtual_transport = lmtp:unix:/var/imap/socket/lmtp
    Mac OS X (10.4.8)  

  Change:
  smtpdclientrestrictions = permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
  to:
  smtpdclientrestrictions = permitsaslauthenticated, permit_mynetworks rejectrblclient zen.spamhaus.org rejectrblclient combined.njabl.org rejectrblclient bl.spamcop.net permit
  Issue: sudo postfix reload
  Also, if you like, see my tutorial on "Frontline spam defense for Mac OS X Server", available here:
  http://osx.topicdesk.com/downloads/

• Authenticated Users

  I am reading that the Everyone group includes the group Authenticated Users, plus the Guest account, plus the reserved accounts SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.   Is this still the case in Windows 8.1?
  To be clear, would Authenticated Users only include:
  1) Users who login interactively, including users in Guests group (NOT the Guest account!)
  2) Users who login through Terminal Services or Remote Desktop
  3) Users who access resources on the computer through Microsoft Networking.
  Does this imply that any file system resource that needs to be accessed by system services will have the "Everyone" group with a minimum of read access on the target folder or files?
  Is there any documentation listing all file system resources that either Windows 8 or Windows 2012 system services need to have access to?   I'm trying to harden my NTFS permissions and I don't want to break critical system services.
  Will

  Sorry for my dilatory reply. According to your description, I doubt there is no way to achieve your goal. As far as I know, there is no app of microsoft can manage a progress file access. What we can do is
  limit User Account execute the program, such as using AppLocker, we can specific special
  user execute the program.
  I am not requiring a program from Microsoft to virtualize or secure anything.  It would be nice to have that but it was not the question.  My question is do we have documentation about what specific security settings and user rights a new user
  group needs to have to be able to execute applications while logged in?   
  I don't want them in Users group because that group has write access to a large part of the file system.  I want to create a new NTFS group with very limited file system access, which then forces me to add that new user group into the various security
  settings and user settings required to execute programs.
  Such documentation has to exist somewhere....
  Will