Authentication and mysites guidelines

I’m looking for advice of setup guidelines for a new SharePoint 2013 install. I’ve read various guides regarding individual features but I’m having trouble combing them into a working whole.
Our requirements are for an on premise install to support both internal and external access from a variety of devices and browsers. I want it to all be ssl and to have search, mysites, apps and Office Web Apps working. Our external DNS
name is different to the internal one. There will be multiple site collections. Currently all users will be from active directory.
Given the requirement for ssl I have set it up as a single web application with host named site collections for the root site, search and mysite host with other sites to follow. I have assumed that since the certificate will need to be
verified that all sites will have public fully qualified domain names (such as .com rather than .local). Local DNS has been set up to resolve the external names correctly within the network. Once live our external DNS will route to the internal server. A separate
DNS zone has been setup to support SharePoint Apps and both currently use self signed wildcard certificates for testing. So far this works.
Issues
Lots of login prompts when accessing mysites, search, apps and other sites. I am aware that adjusting Internet Explorer local zones can get around this but there also needs to be a single sign on process for non-windows devices. Most of
our external users are students so any fix involving them having to change anything on their client devices is unworkable.
Three questions
Is the idea of placing everything on the default zone with fully qualified domain names the best approach to enable ssl?
How exactly should the mysites be set up as I’ve read confusing information regarding them and host names site collections? It is suggested that they don’t work, or that they do work but there is no control over where they are stored.
What is the suggested authentication setup to achieve this? TMG reverse proxying was proposed as an option until it was retired with a similar story for UAG. I don’t really mind if all users have to log on to a form but it will need to
be single sign on between mysites, search, apps and different sites on the same server as well as Office web apps. Essentially a sign in process similar to the Office 365 login portal would do. I suspect ADFS plays a part in this but I’m not sure how.

You're doing your setup The Right Way, excellent.
As for other devices, you want an SSO portal. You can take a look at the pre-auth reverse proxy, Web Proxy Role in Windows Server 2012 R2 to accomplish this, or ADFS on Server 2012 and 2008 R2.
As for MySites, you should have them in the same Web Application and use a routing rule to direct what databases the MySites are created in. I'm currently working on such a project (https://sprouter.codeplex.com/) based off of Wictor Wilen's solution (http://www.wictorwilen.se/sharepoint-specifying-content-database-for-new-site-collections-when-using-host-named-site-collections),
but it is still in the very early stages of development. Wictor's solution, on the other hand, can simply be slightly modified, compiled, and implemented into your farm.
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Claims Based Authentication and Editing User Profiles

    Hi All,
    I have an interesting issue where I have a SharePoint Farm setup with both the intranet and mysites web applications setup using Claims Based Authentication. While everything seems to work fine, you are able to search for users, view properties and users
    can change their own profile properties. However when you configure a profile administration account (an account with the "manage user profiles" permission on the User Profile Service Application) and you attempt to use that account to edit
    another users profile you get hit with a generic error page. 
    Delving deeper you get the following errors:
    ULS:
    Date    Process    Thread Id    Area    Category    Event Id    Level    Correlation    Message
    5/7/2013 00:31:44:64    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Name=Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|DOMAIN\sp_config, ClaimsCount=24
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Site=/
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    00000    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     UserAgent not available, file operations may not be optimized.
    at Microsoft.SharePoint.SPFileStreamManager.CreateCobaltStreamContainer(SPFileStreamStore spfs, ILockBytes ilb, Boolean copyOnFirstWrite, Boolean disposeIlb)  
    at Microsoft.SharePoint.SPFileStreamManager.SetInputLockBytes(SPFileInfo& fileInfo, SqlSession session, PrefetchResult prefetchResult)  
    at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBufferFactory.CreateFromDocumentRowset(Guid databaseId, SqlSession session, SPFileStreamManager spfstm, Object[] metadataRow, SPRowset contentRowset, SPDocumentBindRequest& dbreq, SPDocumentBindResults&
    dbres)  
    at Microsoft.SharePoint.SPSqlClient.GetDocumentContentRow(Int32 rowOrd, Object ospFileStmMgr, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequest.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean&
    pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified,
    String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean&
    pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid&
    pgDocScopeId)  
    at Microsoft.SharePoint.SPWeb.GetWebPartPageContent(Uri pageUrl, Int32 pageVersion, PageView requestedView, HttpContext context, Boolean forRender, Boolean includeHidden, Boolean mainFileRequest, Boolean fetchDependencyInformation, Boolean& ghostedPage,
    String& siteRoot, Guid& siteId, Int64& bytes, Guid& docId, UInt32& docVersion, String& timeLastModified, Byte& level, Object& buildDependencySetData, UInt32& dependencyCount, Object& buildDependencies, SPWebPartCollectionInitialState&
    initialState, Object& oMultipleMeetingDoclibRootFolders, String& redirectUrl, Boolean& ObjectIsList, Guid& listId)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.FetchWebPartPageInformationForInit(HttpContext context, SPWeb spweb, Boolean mainFileRequest, String path, Boolean impersonate, Boolean& isAppWeb, Boolean& fGhostedPage, Guid& docId,
    UInt32& docVersion, String& timeLastModified, SPFileLevel& spLevel, String& masterPageUrl, String& customMasterPageUrl, String& webUrl, String& siteUrl, Guid& siteId, Object& buildDependencySetData, SPWebPartCollectionInitialState&
    initialState, String& siteRoot, String& redirectUrl, Object& oMultipleMeetingDoclibRootFolders, Boolean& objectIsList, Guid& listId, Int64& bytes)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.GetWebPartPageData(HttpContext context, String path, Boolean throwIfFileNotFound)  
    at Microsoft.SharePoint.ApplicationRuntime.SPVirtualPathProvider.GetCacheKey(String virtualPath)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultFromCacheInternal(VirtualPath virtualPath, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)  
    at System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection)  
    at System.Web.UI.Page.ApplyMasterPage()  
    at System.Web.UI.Page.PerformPreInit()  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)  
    at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)  
    at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)  
    at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    aiv4w    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Spent 0 ms to bind 33542 byte file stream
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z6    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User was not successfully retrieved: i:0#.w|DOMAIN\AUSER in ProfileUI.OnInit. Seeing if this is a system account
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z7    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User i:0#.w|DOMAIN\AUSER not found and not a system account.
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7m    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileUI: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7h    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileEditor: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    8nca    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Application error when access /_layouts/15/EditProfile.aspx, Error=DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    Runtime    tkau    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    ajlz0    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.HandleError(Exception e)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    aat87    Monitorable    4001199c-6bd8-c03d-920f-55177fbff00c  
    5/7/2013 00:31:44:73    App Pool: MySites    0x1DC8    SharePoint Foundation    Monitoring    b4ly    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Leaving Monitored Scope (Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)).
    Execution Time=87.1739285300227
    It seems similar to an issue in the blog post here: http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013/ however I tried what was suggested and it didn't work.
    Any help with this is appriciated.

    This line offers clues about the actual problem:
    Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER 
    According to the MSDN link (http://msdn.microsoft.com/en-us/library/microsoft.office.server.userprofiles.usernotfoundexception.aspx)
    it is not able to find the user in the profile store. Additionally the link you mentioned (http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013)
    suggests that the account being used to validate accounts on the production domain may have a problem.
    If there a way you can test that account in isolation against the DC?
    With Regards Shailen Sukul Entrepreneur/Software Architect/Developer/Consultant/Trainer (BSc | Mct | Mcpd (.Net 2/3.5/SharePoint2010) | Mcts (Sharepoint 2010/MOSS/WSS), Biztalk, Web, Win, Dist Apps) | Mcitp(SharePoint) | Mcsd.NET | Mcsd | Mcad) MSN | Skype
    | GTalk Id: shailensukul Twitter: http://twitter.com/shailensukul Website: http://sukul.org Blog: http://shailen.sukul.org/ http://www.linkedin.com/in/shailensukul

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
    I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
    I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
    What  should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

  • Open Directory: user authentication and logining takes a lot of time

    We have Mac OS X Server Snow Leopard 10.6.8 with OpenDirectory and some iMacs with Mac OS X Snow Leopard 10.6.8. After adding Network Account Server in iMacs (System Preferences->Accounts->Login Options->Network Account Server Edit) OD works normally and users authenticate and login their accounts rather fast (5-10 seconds). But some days or weeks later the time for authentication and logining takes for about 5 minutes. If I re-add Network Account Server, then all works greatly again. What's the matter? How to avoid this re-adding?

    Hello,
    can you tell us what is the size of this Universe in terms of:
    number of tables, number of objects, size of the .unv file?
    Also, is this behaviour specific to this universe or you have other universes having the same problem?
    Last, are you 'opening it' as in File/Open or importing it as in 'File/Import...' ?
    Thanks
    PPaolo

  • Key-based SSH Authentication and AFP Home Directories

    I'm setting up some users with AFP home directories (hosted on an Xserve, with a couple of G5 towers as Open Directory clients). When logging in on the console on a G5 tower, the home directories work fine. The users can SSH into the Xserve using SSH key authentication. However, the users can not SSH into the G5 towers using SSH key authentication, and are instead asked for passwords - presumably because the AFP home directory is mounted with guest access (and thus the keys are unreadable) before the password is entered.
    Is there a known workaround for this? A different way of setting up the home directory mounting? I don't particularly want to go the mobile home directory route, because (among other things), as far as I know, mobile home directories only sync when a user logs into the GUI. If that's not the case (that is, if they will sync when a user logs into the machine with SSH), then I guess that would be a reasonable solution.
    Thanks in advance for any suggestions!

    That was just speculation on my part; I'm not sure exactly what's happening. I do know that until the user authenticates, the entire automount is mounted with guest access... and that the user can't authenticate until the key file can be read. It may be the case that I was just encountering some transient failure or the like, however.

  • Unable to connect to Wi-Fi connection using WPA2 PSK authentication and encryption type TKIP

    I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
    My issue is copy/pasted below:
    Original Title: TKIP selection in WiFi network settings
    I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
    On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
    Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
    7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
    When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
    if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
    the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.

    I was referred to here from this thread at the Windows Insider Program: http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/unable-to-connect-to-wi-fi-connection-using-wpa2/07bae1ed-c7fb-4f85-9d26-5549cc23e57a?msgId=2eb70420-fe35-494b-a13d-dcacd4d55eb9&rtAction=1426697691002
    My issue is copy/pasted below:
    Original Title: TKIP selection in WiFi network settings
    I have a workplace WiFi connection using WPA2 PSK authentication and encryption type TKIP.
    On the machine I used to test Windows 10, I had a previous installation of Windows 7 professional which connected to my workplace WiFi using the above settings. After installing Windows 10, my workplace wifi settings were imported and worked fine.
    Windows 10 had a system crash, and since I had deleted my previous windows installation, I performed a complete reinstall of Windows 7. However, when I went to install Windows 10 again, I had not taken the time to set up my workplace Wifi on Windows
    7 before installing Windows 10. As a result, I had to set up my workplace wifi as a new connection in Windows 10.
    When going to set up the wifi connection, the encryption type was grayed out, but appeared to default to AES. Searching the internet suggested that Windows 8.1 did not need a encryption type selected, because Windows could automatically determine
    if it was TKIP or AES, hence why the option to select encryption type was grayed out. However, after completing the setup of my workplace wifi, Windows 10 could not connect to my workplace wifi. After restoring Windows 7 with a factory reset, and setting up
    the workplace wifi (the encryption type selection was not grayed out and I manually selected TKIP encryption), my workplace wifi was working again.

  • How to get ADF authentication and authorization working on server

    I am having an issue with deployment & ADF authentication and authorization.
    From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
    When making an attempt to log in I get the following results:
    Running Locally with ADF Authentication:                                           Works Fine
    Running Locally with ADF Authentication & Authorization:         Works Fine
    Deployed to server with ADF Authentication:                                    Works Fine
    Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
    What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
    JDeveloper Version: 11.1.2.4
    Server Web Logic: 10.3.6
    Server ADF: 11.1.1.16
    Page Error when trying to log in:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
    Server error when trying to log in:
    Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
    at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
            at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
            at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
            at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
            at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
            at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
            at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
            at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
            at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
            at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
            at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
            at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
            at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
            at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
            at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
            at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
            at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
            at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
            at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
            at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
            at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
            at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
            at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
            at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
            at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
            at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
            at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
            at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
            at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
            at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
            at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
            at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Web.xml
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
      <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
        <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
        <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
        <param-value>false</param-value>
      </context-param>
      <context-param>
        <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
        <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
        <param-value>differentOrigin</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_DECORATORS</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
        <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
      </context-param>
      <filter>
        <filter-name>JpsFilter</filter-name>
        <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
      </filter>
      <filter>
        <filter-name>trinidad</filter-name>
        <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
      </filter>
      <filter>
        <filter-name>adfBindings</filter-name>
        <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>JpsFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>trinidad</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <servlet-name>adfAuthentication</servlet-name>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
      </filter-mapping>
      <listener>
        <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
      </listener>
      <listener>
        <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
      </listener>
      <listener>
        <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
      </listener>
      <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>resources</servlet-name>
        <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>MapProxyServlet</servlet-name>
        <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <init-param>
          <param-name>success_url</param-name>
          <param-value>/faces/Pages/homePage.jspx</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/adf/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/afr/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGRAPHSERVLET</servlet-name>
        <url-pattern>/servlet/GraphServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>BIGAUGESERVLET</servlet-name>
        <url-pattern>/servlet/GaugeServlet/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>MapProxyServlet</servlet-name>
        <url-pattern>/mapproxy/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>resources</servlet-name>
        <url-pattern>/bi/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>adfAuthentication</servlet-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </servlet-mapping>
      <mime-mapping>
        <extension>swf</extension>
        <mime-type>application/x-shockwave-flash</mime-type>
      </mime-mapping>
      <mime-mapping>
        <extension>amf</extension>
        <mime-type>application/x-amf</mime-type>
      </mime-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>test</web-resource-name>
          <url-pattern>/faces/pages/*.</url-pattern>
          <url-pattern>/faces/*.</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adfAuthentication</web-resource-name>
          <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/error.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>valid-users</role-name>
      </security-role>
    </web-app>
    Jazn-data.xml
    <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
    <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
      <jazn-realm default="jazn.com">
        <realm>
          <name>jazn.com</name>
          <users>
            <user>
              <name>*****</name>
              <display-name>*******</display-name>
              <description>******</description>
              <credentials>********<credentials>
            </user>
          </users>
          <roles>
            <role>
              <name>support</name>
              <display-name>support</display-name>
              <members>
                <member>
                  <type>user</type>
                  <name>mobile</name>
                </member>
              </members>
            </role>
          </roles>
        </realm>
      </jazn-realm>
      <policy-store>
        <applications>
          <application>
            <name> myapp </name>
            <app-roles>
              <app-role>
                <name>mob_mobile_support</name>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                <display-name>mob_mobile_support</display-name>
                <description>support role</description>
                <members>
                  <member>
                    <name>mobile</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                  </member>
                </members>
              </app-role>
            </app-roles>
            <jazn-policy>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <name>SUPPORT</name>
                      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.*</name>
                    <actions>view</actions>
                  </permission>
                </permissions>
              </grant>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <name>mob_mobile_support</name>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.addapplicationPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>Pages.addappmsgtypPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>Pages.addoperationPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.homePagePageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                    <actions>view</actions>
                  </permission>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>myapp.view.pageDefs.workHistoryPageDef</name>
                    <actions>view</actions>
                  </permission>
                </permissions>
              </grant>
            </jazn-policy>
          </application>
        </applications>
      </policy-store>
    </jazn-data>

    Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
    Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
    Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
    Timo

  • Advice needed for provider hosted web application - authentication and access to SharePoint document library

    I haven't done SharePoint 2013 development with claims so I apologize in advance if my assumptions and questions are way out in left field.
    I'm trying to understand SharePoint 2013 claims authentication for a scenario that involves:
    A SharePoint provided hosted (web forms) app that will pull information and assets (e.g. PDFs) from SharePoint into the web page.
    It will be a VS 2012 solution with asp.net.identity feature.
    Security will be set for internal users, federated external users and forms-based external users.  Based on their security and (claim type) role it will define what information and assets that can be retrieved from SharePoint
    I have looked through MSDN and other sources to understand.
    This one helped with my understanding 
    Federated Identity for Web Applications and assumed that the general concept could be applied to forms-based identity for non-Federated external users .
    What I have now:
    VS 2012 solution web forms application set to Provider Host with asp.net.identity feature and its required membership tables.
    I can create new users and associate claims to the new user.
    I can log in with a user from the membership tables and it will take me to a default.aspx page.  I have added code to it that displays the claims associated to a user.
    For POC purposes I'd like to retrieve documents that are associated to this user from the default.aspx page.
    This is where I am having trouble understanding:  Is my understand correct?
    Internal users
    since they are internal on the network i am assuming that they would already have access to SharePoint and they would already be configured to what documents that they have available to them.
    Federated external users & Forms authentication external users
    it seems to me that the authentication for external users are separate from SharePoint authentication process.
    changes to the configuration settings are necessary in SharePoint, IIS, web application.
    I believe this is what i read.
    claims processes (e.g. mappings) need to be set up in SharePoint
    as long as external users are authenticated then things are ok b/c they would have claims associated to the user and the configuration in SharePoint takes are of the rest.
    This statement bothers me because I think it's wrong.
    So basically i'm stuck with if my understanding is correct: once a user is authenticated either by federated identity or asp.net.identity authentication that it should go to the provider hosted default.aspx page because the claim is authenticated and means
    that it should have access to it and the SharePoint document library based on some claim property.  I could then write the calls to retrieve from a document library and SharePoint will know based on some claim property that the logged in user can only
    access certain documents.
    It just sounds too good to be true and that i'm missing something in the thought process.
    Thanks in advance for taking the time to read.
    greenwasabi

    Hi GreenWasabi,
    i agree this is an interesting topic to discuss,
    as you can check from the article, you may check this example from the codeplex:http://claimsid.codeplex.com/
    when i thinking regarding this topic, its looks like an environment with multiple of realms,
    from what you understand, its correct that all the authentication is based from the provider, so for example i have a windows live ID and internal ID, then when i login windows live ID, it will be authenticated using windows live ID server.
    here is the example for the webservice:
    http://claimsid.codeplex.com/wikipage?title=Federated%20Identity%20for%20Web%20Services&referringTitle=Home
    as i know, if you using this federated, i am not quite sure that you will need to go to the provider page literally, perhaps you can check this example if we are using azure:
    http://social.technet.microsoft.com/wiki/contents/articles/22309.integrating-windows-live-id-google-and-facebook-accounts-with-sharepoint-2013-white-paper.aspx
    Regards,
    Aries
    Microsoft Online Community Support
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • I'm trying to log into my site that requires authentication but I get a popup that says it doesn't require authentication and then I get a 403

    I have a site that requires authentication. In the past i have logged in using firefox with the following format
    http://username:password@sitename:siteport/specificsiteurlinfo
    and gotten in just fine. I just set up a new computer with a new instance of firefox and try the same thing but I now get the following popup-
    "You are about to log in to the site "sitename" with the username "username", but the website does not require authentication. This may be an attempt to trick you.
    Is "sitename" the site you want to visit?"
    When I click "yes" Firefox appears to try to go to the site without any authentication and I of course get a 403 Forbidden error.
    I have tried reverting back to old versions of Firefox with no luck.
    Any advice would be greatly appreciated.
    Thank you.

    The purpose of that warning is to alert you to the possibility of being fooled by a link with login credentials at the beginning. On your old computer you might have tweaked this setting to limit when the warning appears:
    http://kb.mozillazine.org/Network.http.phishy-userpass-length
    This article discusses the steps to adjust that setting to fit your needs: [http://fix.lazyjeff.com/2011/04/disable-firefox-login-prompt.html].

  • HT4623 I have updated my Iphone 3 but unable to start it. It takes too much time on Authentication and than message appears that Authentication failed

    I have updated my Iphone 3 but unable to start it. It takes too much time on Authentication and than message appears that Authentication failed

    I don't know either its jailbroken or hacked otherwise.
    It was working properly before I have updated it through Itunes to update the OS. After the updation, this message occurs
    Authentication failed, please try after few minutes
    Please help

  • Setting Authentication and SSL Settings by folder/file in ColdFusion 10

    Am attempting to upgrade to ColdFusion 10 (patched to current level) on our development network.  We are running Windows Server 2008 R2.  On both of the below instances it worked fine with ColdFusion 8 and 9.
    On the first instance the entire site is SSL with the exception of one directory.  The entire site is set to Anonymous Authentication Disabled and Windows Authentication Enabled for the entire site except for the one directory that is not SSL.  On ColdFusion 10, that one directory that is not supposed to be SSL and have anonymous authentication will not allow access unless you hit it with an https: and authenticate.  It ignores the settings for that directory and uses the overall site settings.
    On another instance the entire site is set to Anonymous Authentication except one file (login.cfm) is set to Windows Authentication.  When you enter that site it hits the login.cfm, if you authenticate it gives you more options.  If you don't you still get in but without the extra options.  The system ignores the Windows Authentication and defaults to the overall site's setting of Anonymous Authentication.  I have tried setting the authentication at the site level to both Anonymous and Windows then going through individual directories and changing them to what they should be, but the settings are ignored and it uses the overall site settings.
    Is Tomcat somehow overriding the page/folder specific SSL and or Authentication settings?

    Charlie, I appreciate you helping rule out the possible discrepancies in the installation.  As far as server configuration, all testing is being done on two virtual Windows Sever 2008 R2 64 bit boxes running IIS 7.5  One of the boxes was upgraded from ColdFusion 9.01 and one that is a new install on a new virtual machine.  The CF9.01 box has been processing both the SSL and non-SSL properly. The only changes I made to the CF9.01 I upgraded was to turn on CGI in the IIS settings.  Both servers show the same problems so I kind of ruled out the new server vice upgrade issue.  I checked the inheritance and all of the files have the same windows user's permissions.  I have imported the SSL certificates into the JRE\security\lib\certs.  I am guessing those are imported correctly otherwise it would not allow the SSL to work at all. All SSL/windows authentication has been set up through IIS, I have not tried to modify any Tomcat settings.
    I created a .htm file and put it in both a directory that is SSL protected and one (ScheduledTasks) that is not SSL protected.  It worked fine. That is if it was in a directory that should have been protected by SSL it prompted me for my CAC and pin.  When I put it in the ScheduledTasks directory and tried opening it with a stander http:// it worked fine.  I then tried to open a .cfm in the same directory and I got the standard 403-Forbidden: Access is denied.  You do not have permission to view this directory or page using the credentials that you supplied.

  • Authentication and Authorization Problems with IIS 6 and Jrun 4

    Hello all,
    I am using IIS 6 with JRun 4 as my app server, and I am having problems trying to get authentication and role authorization with Windows Integrated Authentication to work. I have set up IIS 6 to pass-through the authentication credentials to Jrun, without using an anonymous user. What I have done is written a small test servlet that displays the username of the logged in user, and then tries to check if a user is in a test role that I set up in my database. I have specified that a roles table is to be used by specifying a JDBCLoginModule in Jrun's auth.config file. The code for the servlet is below:
    package testauthenticationapp;
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class SecureTestServlet extends HttpServlet {
       private static final String CONTENT_TYPE =
          "text/html; charset=windows-1252";
       public void init(ServletConfig config) throws ServletException {
          super.init(config);
       public void doGet(HttpServletRequest request,
                         HttpServletResponse response) throws ServletException,
                                                              IOException {
          response.setContentType(CONTENT_TYPE);
          PrintWriter out = response.getWriter();
          out.println("<h3>REMOTE USER: " + request.getRemoteUser() + "</h3>");
          if (request.getUserPrincipal() != null){
             out.println("<h3>" +request.getUserPrincipal().getName() + "</h3>");
          } else{
             out.println("<h3>User Principal is null</h3>");
          if (request.isUserInRole("Test_Role")){
             out.println("<h3>User is in Test_Role</h3>");
          } else {
             out.println("<h3>User is NOT in Test_Role</h3>");
          out.close();
    1.  What I am seeing is that when request.getRemoteUser() is called, the username information is what I expect it to be. It is of the form <Domain>\<Username>. When I try to redisplay the username using the request object's Principal object, the call to request.getUserPrincipal() returns null. This is a little confusing to me since I thought that essentially getRemoteUser() was a short cut for calling getUserPrincipal().getName(), and if I get something for getRemoteUser, getUserPrinicipal should return something as well. I guess they work differently at some level. Has anyone ever encountered this before?
    2. When I call request.isUserInRole("Test_Role"), it returns false. I've checked the role name being called for typos in both my database and in the code, and that does not seem to be the case. I think the setup in auth.config is properly configured because I have created many other applications using declaritive FORM based authentication, and the role information was retrieved fine from the database. I would think that when I use request.isUserInRole in my servlet code it would use the same role information, but I could be wrong since this is a different type of authentication. Do you think that the reason request.isUserInRole() is returning  false could be tied to the fact that request.getUserPrincipal() is returning null (even though getRemoteUser() is returning a valid username)? How does request.isUserInRole() get its user information, by using getUserPrincipal().getName() or getRemoteUser()?
    Any help that is provided is appreciated. Thanks in advance.

    Try This...
    Close All Open Apps...  Perform a Reset... Try again...
    Reset  ( No Data will be Lost )
    Press and hold the Sleep/Wake button and the Home button at the same time for at least ten seconds, until the Apple logo appears. Release the Buttons.
    http://support.apple.com/kb/ht1430

  • Authentication and Authorization question.

    Hi All,
    I require your help in getting validated my understanding on Authentication and Authorization. This is wrt to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate(user and group) against any datastore(LDAP OR DB). The LoginModule is a kind of blockbox and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities ie(user,group,role) can be either in LDAP OR DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can put all the roles that a user belongs and returns all Role. This can happen agaist LDAP OR DB.
    2. The end result is list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role should be existing in WebLogic Server LDAP server(OR Portal LDAP server) to create these policies and authorization rules. What i mean by is that can user,group,role can exist in application specific database and still can be used for creatiing security policies??
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
    The DA means Delegated Administrator, which is way how portal components are restricted to different types of administrators.
    The VE means Visitor Entitlemens, which is way how portal components are restricted to end users.
    My question is whether thess(DAs and VEs) can also be put
    our datastore for access rights??
    Thanks,
    Prashanth Bhat.

  • How to audit the the Authentication and Authorization in AM.

    I'm using AM7, I want to know how can I audit the Authentication and Authoriztion, for example, who? from where? when? Authentication/Authorization to which application?
    I looked for the log files, but find they can't be used to show an audit result directly, is there any tool to do the audit job?
    Thanks!

    Assuming that you are using a Unix platform to run JES AM, you can find accesslog at /var/opt/SUNWam/logs. If you dont have any logs there, may be you have enable them in the AMConfig.properties and recycle AM.
    Each WebServer or J2EE Web Container that is protected by JES Policy Agent is capable of producing Audit logs which will carry information you are looking for. For example every HTTP request that passes through a protected WebServer or Webcontainer can log UserID, SSOToken, Time of access, Authorization result, resource requested. By default PolicyAgents dont log "Success" authorizations. You can change that by enabling "LOG_BOTH" on the logging attribute.
    If you can customize the WebServer access logs, then you can trap the User's source IP, UserID along with all other standard things that you can log on a webserver such as any HTTP Header element.
    JES has pretty robust logging mechanism built for security audits.
    If you still cant find what you are looking for, then be specific about where you are running into problems.
    -Dexthor

  • Authentication and authorization for a custom connector

    I have the following problem: I have a software which tries to connect with the server through its own custom RMI connector.
    So I have the  RMI Connector deployed via Mlet-Service. I have written a small TestClient and can get a RemoteMBeanServer  with RemoteMBeanServer rs = getRemoteMBeanServer(), but if I try to call something like  rs.getMBeanCount() I get :
    com.sap.engine.services.jmx.exception.JmxSecurityException: Caller Guest not authorized, only role administrators is allowed to access JMX
    So the WebAS considers someone who tries to connect with this connector as guest. How do can I get authentication  and autorization to access the JMX parts? The manual seems only to cover JSP and webapplications, where it is possible to configure a role for them. I only have this connector.jar, configuration and mlet-file.
    I still have the option to use JAAS authentication with  this connector, then I have to configure it differently and, the more difficult, to implemend
    a method "public Subject authenticate(Object credentials)" where credentials are two Strings with user and passwd. But I am not quite sure how to fill the Subject with useful information.
    Thanks in advance
    Nils

    Jmx is secured resource and only administrator role user
    can access it.
    If your code is running in a servlet you can define
    the servlet to run as administrator
    1. Add in the web.xml
    <security-role>
       <role-name>AnyName</role-name>
    </security-role>
    2. Add in the web-j2ee-engine.xml
    security-role-map>
       <role-name>AnyName</role-name>
       <server-role-name>administrators</server-role-name>
    </security-role-map>
    If you are runnig from a remote client you just have to
    Properties connectionProperties = new Properties();
    connectionProperties.setProperty(
    Context.INITIAL_CONTEXT_FACTORY,
    "com.sap.engine.services.jndi.InitialContextFactoryImpl");
    connectionProperties.setProperty
    (Context.PROVIDER_URL, "<host:p4port>");
    connectionProperties.setProperty
    (Context.SECURITY_PRINCIPAL, "<ADMIN USER>");
    connectionProperties.setProperty
    (Context.SECURITY_CREDENTIALS, "<PASSWORD>");
    MBeanServerConnection mbsc =
                        JmxConnectionFactory.getMBeanServerConnection(
                             JmxConnectionFactory.PROTOCOL_ENGINE_P4,
                             connectionProperties);

Maybe you are looking for

  • Workflow Approval - Error Msg

    Hi As I am new to workflow, please clarify the below The Purchase order workflow is sending a mailer notification to recipients, when the recipients Clicks the Approve button from the mailer notification, getting the below message in his mail box Fro

  • Opening up photos- blank

    HI, I am having an issue with my iphoto library. There are over 20,000 photos and i'm trying to review some from 2008, but all i can see is the thumbnail version.They open up to a blank screen with the warning triangle/exclamation point and will not

  • Help with Tiger 10.4 upgrade!

    OK, here's my situation: Just bought my computer, refurbished, two days ago. My first Mac. I open it and it runs flawlessly. I was happy. Two hours of use later, I use the update program to tell me what software updates are available. It tells me the

  • Upgraded elements 12 to LR 5:  Missing Most Keyword tags

    I just upgraded my Elements 12 Catalog to LR 5 catalog on my Windows 7 machine. I followed the instruction listed in the conversion video. For me the tags are the most important thing I use to Organize my images. I have over 20,000 pictures in my Ele

  • HT1473 How to download sound file from NASA?

    I have Windows 8.1 and iTunes 11.1.5.  ??I need QT pro?  Yet, the page only talks about Windows XP and 7.  Grateful for your info!