'authentication failed' using Microsoft ADSI version LDAP server

Hi All,
Nowadays I am facing some problem with authentication (I am using Microsoft ADSI version LDAP server), but I am not able to authenticate the LDAP users.
I have configured my LDAP server in the same manner as you mentioned in this blog.
When I am trying to authenticate the user from the RPD itself I am getting the following error:
"authentication failed" (actually I forgot the exact message, but its meaning is the same as I referred to here)
though I am able to authenticate the bind user (which I used to configure the LDAP server).
Please help me with this as I have already wasted a lot of time doing R&D to make it work.
I have an urgent requirement to do the same.
Your help will be highly appreciated.
Thanks in advance.
PS: I have checked the 'ADSI' box in the advanced tab.

Hi,
Please have a look at the below link:
Unknown certificate error when testing LDAP SSL connection
Not sure whether it will help you. But have a look at it.
Regards,
Jithin

Similar Messages

  • Authentication failed. (Microsoft.AnalysisServices.AdomdClient). The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)

    Hi Experts,
    We had a task to migrate all the SQL Server components to another server. The migration went well and had no issues at all, and we can log in to the SSAS service locally without any issues. But when we are connecting to the analysis services from the other machines (servers)
    it is giving the below error.
    Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
    The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
    1) It is a stand-alone server.
    2) It is connecting to the default instance, not to a named instance.
    3) SPNs were set correctly. Double-checked with the tool (MS Kerberos Configuration Tool).
    4) The SQL Server Analysis Services start account has domain admin privileges.
    5) We can connect to Database services from the other machine remotely.
    6) None of the analysis services are connecting.
    Thank you in advance.

    Hi Ramu,
    According to your description, you migrated SQL Server to another server and everything works fine except that you cannot connect to SSAS remotely, with the error below, right?
    Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
    The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
    Based on my research, this issue is caused by the SPN for the account that runs Analysis Services being corrupt. You said that the SPNs were set correctly; however, the error message indicates that the problem is related to the SPN. So in your scenario, you can
    delete the SPN under the service account and register the SPN for the Analysis Services instance. Please refer to the link below to see the details.
    http://msdn.microsoft.com/en-IN/library/dn194200.aspx
    Besides, here is a blog which describes a similar issue.
    http://www.wolfsoftwaresystems.com/code/sql/the-target-principal-name-is-incorrect-microsoft-analysisservices-adomdclient/
    Regards,
    Charlie Liao
    TechNet Community Support

  • Authentication Failed using K2 SmartObjects as Data source

    I have an issue with Visual Studio 2010 and the K2 Smart Objects Data source. I continue to get Authentication Failed: SEC_E_LOGON_DENIED. I log into a corporate domain and then VPN into another domain where the K2 database and SQL Server are located.
    After looking at the Windows logs it is apparent that the credentials being used are the first ones (corporate domain) and not the ones that I specified when using the Data source option for my application. I specify the correct domain/userid, port number and
    password. Anyone have any suggestions?

    Hi BBVillarreal,
    Since it is related to K2 Smart Objects, I’m afraid that it is really out of the support range of the VS IDE forum, but you can try asking this question at the forum about the K2 smart objects for better support.
    I’m not very sure which is the real forum, but I found some sites which are related to it; maybe you could get the correct forum from them.
    http://www.k2underground.com/forums/t/15584.aspx
    http://www.k2.com/
    http://getk2.org/community/New-to-K2-Ask-here-first/132012-K2-Database-Structure
    Best Regards,

  • Authentication failed using EAP-TLS and CSSC against ACS

    Hi.
    Playing with a trial version of CSSC (Cisco Secure Services Client) I had a problem that I really don't understand.
    Any 802.1x configuration works fine, but when I use anything involving the use of certificates (EAP-TLS, or PEAP using a certificate instead of a password to authenticate) I always see the same log message in ACS:
    "Authen session timed out: Challenge not provided by client". It seems that my client supplicant does not respond to the ACS when the latter proposes an EAP method.
    First, I discard a certificate error because the same certificate works fine with the Intel PROSet Wireless supplicant and Windows Zero Configuration. EAP-FAST works fine using auto provisioning or manual provisioning.
    Any idea? I read the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.
    I'm using Windows XP SP3, Intel Wireless 4965AGN and CSSC 5.1.1.18; my CA is a Windows CA. ACS version 4.2.
    Thanks in advance.
    Best regards.

    Today is not my day.
    It's still failing and maybe I will open a TAC case.
    I'm looking at the log file of the CSSC and I don't like what I have seen.
    2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
    2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client:  eapTls
    2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
    2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
    2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
    2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
    2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
    2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
    2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
    2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
    2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
    2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
    2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
    2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
    2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
    2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
    2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
    2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
    2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
    2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
    2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
    2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
    2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
    2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
    2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
    2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
    2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
    2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
    2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    It seems that it found a valid certificate, starts the authentication process and, when it must request the ACS challenge, it fails when loading the private key and the supplicant crashes.
    Do you think the same?
    Thanks.
    Best Regards.
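The log excerpt above is the useful evidence in this post: the supplicant's own debug lines show the private-key load failing (error -20) before the client ever answers the server's EAP challenge, which is why ACS only sees a timeout. The following is an added example (not code from the post or from Cisco) of how a triage script can parse this `%CSSC-<severity>-<MNEMONIC>` line format and pull out the facts that matter: error-severity events, the thumbprint of the certificate the supplicant marked unusable, and whether the private-key load failed. The line format is inferred from the pasted lines and the sample log is a subset of them; both are assumptions, not a Cisco specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One CSSC log line: "<seq>: <host>: <timestamp>: %CSSC-<sev>-<MNEMONIC>: <message>"
# (format inferred from the lines pasted in the post above; an assumption, not a Cisco spec)
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): (?P<ts>.+?): "
    r"%CSSC-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
# The supplicant names the rejected client certificate by its SHA-1 thumbprint
UNUSABLE_RE = re.compile(r"Certificate ([0-9a-f]{40}) is unusable")


@dataclass
class CsscEvent:
    seq: int
    host: str
    severity: int      # syslog-style: 3 = error, 6 = info, 7 = debug
    mnemonic: str
    message: str


def parse_line(line: str) -> Optional[CsscEvent]:
    """Parse one CSSC log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CsscEvent(int(m["seq"]), m["host"], int(m["sev"]), m["mnemonic"], m["msg"])


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a CSSC log excerpt: how many error events there are, whether the
    client private-key load failed, and which certificates were marked unusable."""
    events: List[CsscEvent] = [e for e in map(parse_line, lines) if e is not None]
    unusable: List[str] = []
    for e in events:
        m = UNUSABLE_RE.search(e.message)
        if m and m.group(1) not in unusable:
            unusable.append(m.group(1))
    return {
        "events": len(events),
        "error_count": sum(1 for e in events if e.severity <= 3),
        "private_key_load_failed": any(
            "acCertLoadPrivateKey() error" in e.message for e in events),
        "unusable_certs": unusable,
    }


# Constructed sample: a subset of the lines pasted in the post above, plus one junk line.
SAMPLE_LOG = r"""
2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
not a cssc line
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run on the excerpt, the summary reports three error events, a failed private-key load and one unusable certificate, which is the whole diagnosis in one line and the thing to attach to a TAC case. A private key that cannot be loaded under the impersonated user (the "Impersonating user" / "Deimpersonating user" lines bracket the failure) usually points at the key being stored where that user context cannot read it, which is a local key-store problem rather than anything ACS or the CA did.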

  • UsnernameToken authentication failed using WCF-BasicHttp adapter

    I have read the other topic that is identical to this, but there is no detail as to what was actually changed to allow Kerrey to override the default 256 character limit. So I figured I would start a new thread and see if someone can show me what my binding
    file should include to override this setting.
    thanks,
    Chuck
    Charles

    So, the problem is that somewhere in the BizTalk/WCF bridge layer, a password is cut off at 256. The WCF-Custom Adapter has the same issue.
    You have two options.
    Binding File:
    Export a binding file.
    Trim all but the one Send Port where you need the long password.
    Find the Password element in the TransportTypeData blob. Yes, it's escaped XML, so edit carefully.
    Enter your long password, save.
    Import the binding file, then delete it (so you don't have the clear-text password anymore).
    SSO: (This is the 'better' option)
    Create an SSO Affiliate Application.
    Set the Service Credentials. SSO will accept the long password.
    Set Use Single Sign-On and your Affiliate Application in the Client Credentials dialog on the Security tab.
    Somewhere prior to the Adapter (Orchestration, Send Pipeline) set the BTS.SSOTicket Context Property.
    I've never tried the binding file option, but SSO works great and is designed for such scenarios (storing passwords).

  • Discussion Server Authentication Failed From Inside FMW App

    Hi Community,
    My Env:
    Webcenter 11.1.1.3.0
    Weblogic 10.3.3
    The discussion server shipped with webcenter suite is Jive Forums Silver 5.5.20 .2-oracle.
    I wired the discussion server to the embedded LDAP server of my WebLogic server, and deployed an app that utilizes the discussion service.
    But when accessing the app page, I got an exception "failure to authenticate the user pbrown, due to: Authentication Failed".
    The users do exist in the LDAP server and I can log in to the http://server:8890/owc_discussions page with those users. I also granted all privileges to the users in the Jive console, but it doesn't work inside the app.
    My Jive server log:
    [2010-09-05T23:21:22.816-07:00] [WLS_Services] [ERROR] [] [org.codehaus.xfire.handler.DefaultFaultHandler] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [ecid: 0000If_hC7s5e_Vau1q2UH1CWBaI0000E_,0] [APP: owc_discussions#11.1.1.2.0] [dcid: bafcaeab2cd82008:-b3c6f44:12ad6d55fae:-8000-00000000000003c6] Fault occurred![[
    com.jivesoftware.base.UnauthorizedException: Authentication Failed
    at com.jivesoftware.forum.webservices.server.xfire.PermissionHandler.acquireAuthToken(PermissionHandler.java:194)
    at com.jivesoftware.forum.webservices.server.xfire.PermissionHandler.invoke(PermissionHandler.java:98)
    at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
    at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
    at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:39)
    at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:287)
    at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:130)
    at org.codehaus.xfire.transport.http.XFireServlet.doPost(XFireServlet.java:117)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at com.opensymphony.webwork.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:189)
    at com.jivesoftware.base.action.util.JiveFilterDispatcher.doFilter(JiveFilterDispatcher.java:69)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at com.jivesoftware.base.util.webwork.JiveActionContextCleanUp.doFilter(JiveActionContextCleanUp.java:38)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Log of the server that hosts the app:
    [2010-09-05T23:21:08.184-07:00] [AdminServer] [WARNING] [] [oracle.adf.controller.internal.metadata.MetadataService] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: anonymous] [ecid: 0000If_h8YC5e_Vau1q2UH1CWBIO0001Nc,0] [APP: StoreFrontModule#V2.0] [dcid: bafcaeab2cd82008:3873773a:12ad6c38b8a:-8000-0000000000001665] ADFc: /WEB-INF/adfc-config.xml:
    [2010-09-05T23:21:08.185-07:00] [AdminServer] [WARNING] [ADFC-52024] [oracle.adf.controller.internal.metadata.MetadataService] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: anonymous] [ecid: 0000If_h8YC5e_Vau1q2UH1CWBIO0001Nc,0] [APP: StoreFrontModule#V2.0] [dcid: bafcaeab2cd82008:3873773a:12ad6c38b8a:-8000-0000000000001665] [arg: shoppingCartBean] ADFc: Duplicate managed bean definition for 'shoppingCartBean' detected.
    [2010-09-05T23:21:08.190-07:00] [AdminServer] [ERROR] [] [org.apache.myfaces.trinidadinternal.application.StateManagerImpl] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: anonymous] [ecid: 0000If_h8YC5e_Vau1q2UH1CWBIO0001Nc,0] [APP: StoreFrontModule#V2.0] [dcid: bafcaeab2cd82008:3873773a:12ad6c38b8a:-8000-0000000000001665] Could not find saved view state for token uutg3hslp
    [2010-09-05T23:21:11.851-07:00] [AdminServer] [WARNING] [] [oracle.adfinternal.view.faces.renderkit.rich.NavigationPaneRenderer] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: anonymous] [ecid: 0000If_h9SE5e_Vau1q2UH1CWBIO0001Ni,0] [APP: StoreFrontModule#V2.0] [dcid: bafcaeab2cd82008:3873773a:12ad6c38b8a:-8000-000000000000166f] Warning: There are no items to render for this level
    [2010-09-05T23:21:22.821-07:00] [AdminServer] [WARNING] [WCS-04013] [oracle.webcenter.collab.forum.internal.view.backing] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: pbrown] [ecid: 0000If_hC765e_Vau1q2UH1CWBIO0001Nm,0] [APP: StoreFrontModule#V2.0] [dcid: bafcaeab2cd82008:3873773a:12ad6c38b8a:-8000-0000000000001673] [arg: pbrown] [arg: Authentication Failed] failure to authenticate the user pbrown, due to: Authentication Failed[[
    oracle.webcenter.collab.share.LoginFailedException: failure to authenticate the user pbrown, due to: Authentication Failed
    at oracle.webcenter.collab.forum.internal.jive.JiveAuthenticator.handleException(JiveAuthenticator.java:304)
    at oracle.webcenter.collab.forum.internal.jive.JiveAuthenticator.login(JiveAuthenticator.java:247)
    at oracle.webcenter.collab.forum.internal.jive.JiveForumSession.login(JiveForumSession.java:128)
    at oracle.webcenter.collab.share.Session$1.call(Session.java:353)
    at oracle.webcenter.collab.share.Session$1.call(Session.java:347)
    at oracle.webcenter.concurrent.Submission$2.run(Submission.java:406)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
    at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:420)
    at oracle.webcenter.concurrent.Submission.run(Submission.java:347)
    at oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:737)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:442)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:139)
    at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThreadPoolExecutor.java:657)
    at oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPoolExecutor.java:683)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: Authentication Failed
    Thanks,
    Todd

    I have the same problem here. I used the WebLogic admin but it still doesn't work. That's amazing, or not?
    oracle.webcenter.collab.share.LoginFailedException: failure to authenticate the user Weblogic, due to: Authentication Failed
    Edited by: José Carlos on 06/09/2010 06:56

  • Using LDAP server in Login frame work

    I need a brief explanation about how to use an LDAP server in Portal for login authentication.
    If anybody knows good documents, please pass me those links.
    Thanks,
    Venkata Sarvabatla

    In a nutshell, WebLogic Server has a pluggable security architecture. If you want your authentication provider to use your LDAP server then you can configure WebLogic Server to use your authentication provider. You configure your authentication provider to connect to your LDAP server. No code development is necessary.
    WebLogic Portal Server is built on top of WebLogic Server so you get the pluggable security architecture by definition.
    This security architecture has been around a long time and lots of customers use it so the documentation on it is pretty good. If you haven't configured a WebLogic Server LDAP authentication provider before then don't worry: it is not too difficult, but it is going to require that you go through the documentation. The link deepshet gave you is a good starting point.

  • JAZN-LDAP: Make use of different LDAP Server

    Hi,
    I am trying to make use of a different LDAP server (other than OID). With OID I am able to authenticate users.
    Now I need to make use of a different LDAP server (for example, SunONE Directory Server). I have tried specifying the LDAP URL location of the new LDAP server in the orion-application.xml as below:
    <jazn provider="LDAP" location="ldap://ldaphost:ldapport" />
    But I see that the application is still defaulting to the OID and not making use of the LDAP server specified above.
    Also, I see that I am unable to modify the LDAP URL location.
    In Step 2 of Deploying an Application:
    Deploy Application: User Manager: I have selected the option "Use JAZN LDAP User Manager"
    But the LDAP Location is non-editable and defaults to the OID location as the one below:
    LDAP Location ldap://OIDLDAPURL:PORT
    Could anyone throw some light on the issue I am facing?
    Thanks
    John

    See Configuring External LDAP Providers @:
    http://matrix.csustan.edu/docs/oracle/oas/web.1012/b14013/ldap3rdparty.htm
    Here are a few gotchas for Active Directory:
    - If you plan to use the membership of the AD user in AD roles, set in orion-application:
    <jazn provider="XML">
    <property name="custom.ldap.provider" value="true"/>
    <property name="role.mapping.dynamic" value="true"/>
    </jazn>
    In web.xml you should also define:
    <security-role>
    <role-name>ldap-role-to-which-ldap-user-belongs-that-is-entitled-to-access-the-resource</role-name>
    </security-role>
    If you run the application in the embedded OC4J it seems it takes this hint from another file, which you can determine by looking at the trace you can make appear with the option:
    -Djazn.debug.log.enable=true (in the JVM start command)
    When running in embedded OC4J the application is called: current-workspace-app
    Good Luck

  • Certificate based Authentication failing on OpenSSO

    Hi,
    I have installed OpenSSO Server 8.0 on a GlassFish server and an Apache HTTP Server OpenSSO Policy Agent on 2 separate machines in the same domain.
    I have configured the OpenSSO Server listener for SSL and client authentication.
    I have also created a policy for a restricted resource such that the redirection from the SP (OpenSSO Policy Agent) happens to the SSL-configured listener.
    The resource to be protected on the SP is
    http://<SP-Hostname>:Port/resource.html
    When I access the above URL, it redirects me to https://<OpenSSO-ServerHost>:8181/opensso/UI/Login, which pops up the "Choose a client certificate" window. On selecting the certificate, the authentication happens and the redirection URL looks like the below:
    http://<SP-Hostname>:Port/resource.html?CookieName=<EncodedCookie>
    This results in an error and the SP logs indicate that there is no policy defined for resource
    http://<SP-Hostname>:Port/resource.html?CookieName=<EncodedCookie>
    I am sure that the authentication passes because the certificate authenticates the user when the server is accessed directly, i.e. on accessing
    https://<OpenSSO-ServerHost>:8181/opensso
    and selecting the cert, the User Page is displayed.
    Also, if the page is username/password protected, then the redirection URL does not contain the cookie.
    Can someone tell me why the cookie is part of the URL and if there is a way to see homogeneous behaviour irrespective of the authentication module being used?
    Any help will be highly appreciated.

    Hello,
    As per your query I can suggest you the following solution:
    EAP-FAST with certificates on both the client and the server side. For this, the setup uses a Microsoft Certificate Authority (CA) server to generate the client and server certificates.
    The user credentials are stored in the LDAP server so that, on successful certificate validation, the controller queries the LDAP server in order to retrieve the user credentials and authenticates the wireless client.
    This document assumes that these configurations are already in place:
    A LAP is registered to the WLC. Refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) for more information on the registration process.
    A DHCP server is configured to assign an IP address to the wireless clients.
    Microsoft Windows 2003 server is configured as domain controller as well as CA server. This example uses wireless.com as the domain.
    Refer to Configuring Windows 2003 as a Domain Controller for more information on configuring a Windows 2003 server as a domain controller.
    Refer to Install and Configure the Microsoft Windows 2003 Server as a Certificate Authority (CA) Server in order to configure the Windows 2003 server as an Enterprise CA server.
    For more information please refer to the link:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    Hope this will help you.

  • Usage of external LDAP server with Portal

    Hi All,
    We are in a situation to use an external LDAP server with WLP 8.1. These are the constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purposes.
    If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group creation using the Portal Admin tool, since this will write to the configured LDAP server?
    Can somebody answer my questions:
    1. Can we use the external LDAP server just for authentication (I know this is possible by using a JAAS LoginModule, but I just want to get it confirmed) and
    2. Use the default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs?
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

    Thanks for the reply. Some of your answers are not clear. Can you please elaborate on this? Please see my comments below.
    "Johnson" <[email protected]> wrote:
    >
    Phil,
    Can I use embedded LDAP for production?
    Thanks
    Lawrence
    "Phil Griffin" <BEA> wrote:
    "Prashanth " <[email protected]> wrote in message
    news:[email protected]..
    Hi All,
    We are in a situation to use an external LDAP server with WLP 8.1. These are the constraints we have to deal with:
    1. Only read is allowed from this LDAP server.
    2. This would be used for authentication purposes.
    If that's the case, how can we use Visitor Entitlements/Delegated Admin and Group creation using the Portal Admin tool, since this will write to the configured LDAP server?
    Can somebody answer my questions:
    1. Can we use the external LDAP server just for authentication (I know this is possible by using a JAAS LoginModule, but I just want to get it confirmed) and
    >
    You can add the external LDAP server just for authentication, but in versions through 8.1 SP2 WLP will want to verify the user exists (via the UserReaderMBean) during the login process (this check has been removed in SP3). A workaround is to duplicate the user in a provider that does implement UserReaderMBean.
    Prashanth: You mean to say we have to duplicate the user in the embedded LDAP server also??
    >>
    2. Use the default and embedded LDAP server for all others like Group/Visitor Entitlements/DAs?
    >
    Yes, the default/embedded LDAP can still be used for DA/visitor entitlements. In the current release, the Portal Admin Tools can only be configured to use a single authentication provider while forming entitlements. In SP3, all configured providers are listed/usable by the tools.
    Prashanth: How can we configure the Portal Admin tool to use an authentication provider for entitlements??
    >>
    Any relevant pointers are also welcome.
    TIA,
    Prashanth Bhat.

  • Issues with LDAP Server | Solaris 8

    Hi All,
    In my project we are using Solaris 8 as an LDAP server for authentication. Some folders' owner and group are assigned to an LDAP user by default. I think it should be root and others.
    Please find the below example:
    *8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 .
    *8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 ..
    6 -rw-rw-r-- 1 gip_admin ampm_retail_english_author 2062 Jan 22 14:03 archive
    2 drwxr-xr-x 2 root nobody 512 Aug 6 2003 cdrom
    2 drwx--l--- 3 gip_admin set_investors_author 512 Dec 9 07:33 data
    2 drwxr-x--- 2 root other 512 Nov 12 16:20 data1
    Can you please help me to solve this issue.....
    Thanks in Advance
    Manju

    Hi,
    It is not mounted on NFS. It is local disk only.
    It is a Solaris 8 server.
    # ls -lan
    drwxr-xr-x 18 0 0 1536 Dec 11 05:00 .
    drwxr-xr-x 46 91550 94293 2560 Jan 11 10:37 ..
    -rw-rw-rw- 1 0 1 524204 Aug 2 2006 110951-06.jar
    drwxr-xr-x 2 0 1 512 Dec 11 05:01 Backup_files
    -rw------- 1 0 1 17 Apr 22 2005 DBVERSION
    drwxrwxr-x 2 101 2000 512 Oct 18 2004 DD
    drwxr-xr-x 2 0 1 512 Sep 19 2006 J2SEPatch-13092006
    #cat /etc/passwd
    root:x:0:1:Super-User:/:/usr/bin/bash
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:
    adm:x:4:4:Admin:/var/adm:
    lp:x:71:8:Line Printer Admin:/usr/spool/lp:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:
    nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:x:37:4:Network Admin:/usr/net/nls:
    nobody:x:60001:60001:Nobody:/:
    noaccess:x:60002:60002:No Access User:/:
    nobody4:x:65534:65534:SunOS 4.x Nobody:/:
    basant:x:1001:10::/apps/basant:/bin/sh
    tis:x:1003:1::/apps/tis/:/usr/bin/bash
    ldap:x:1004:100::/home/ldap:/bin/sh
    iwui:x:100001:60001:Interwoven TeamSite UI Daemons User:/apps/iw-home:/bin/sh
    oracle:x:1002:101: Oracle user:/apps/oracle:/bin/sh
    vadmin:x:100002:1::/apps/vadmin/:/bin/sh
    sshd:x:100003:2003:sshd privsep:/var/empty:/bin/false
    temp:x:111112:1::/home/temp:/bin/sh
    verity:x:111113:1::/apps/verity/:/usr/bin/bash
    test1:x:12312311:1::/home/test1:/bin/sh
    hai:x:12312312:1::/home/hai:/bin/sh
    #cat /etc/group
    [root@sun5-/opt]# cat /etc/group
    root::0:root,tomcat
    other::1:bpeditor,lpg_admin,lpg_author,lpg_publisher
    bin::2:root,bin,daemon
    sys::3:root,bin,sys,adm
    adm::4:root,adm,daemon
    uucp::5:root,uucp
    mail::6:root
    tty::7:root,tty,adm
    lp::8:root,lp,adm
    nuucp::9:root,nuucp
    staff::10:
    daemon::12:root,daemon
    sysadmin::14:
    nobody::60001:
    noaccess::60002:
    nogroup::65534:
    iplanet::100:
    dba::101:
    sshd::2003:
    apps::94356:
    testa::12312323:
    oat_users_test::12312325:
    Thanks
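The `ls -lan` output above is the key: it prints numeric ids instead of names, so any uid or gid that has no line in the local /etc/passwd or /etc/group is being resolved through the LDAP naming service (or is an orphan left behind by a deleted account). Below is an added example, not code from the post, that performs exactly that cross-check on the listings and files pasted above (trimmed to the relevant lines; the trimming is constructed here). Files owned by an id with no local entry are the ones to review: an orphaned id is silently inherited by any account later created with the same number, so the audit is worth running after account clean-ups as well.

```python
from typing import Dict, List, Tuple


def parse_ids(db_text: str) -> Dict[int, str]:
    """Map numeric id -> name from /etc/passwd or /etc/group text
    (the third colon-separated field in both formats). Prompt, comment
    and blank lines are skipped."""
    ids: Dict[int, str] = {}
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[int(fields[2])] = fields[0]
    return ids


def parse_ls_lan(ls_text: str) -> List[Tuple[str, int, int, str]]:
    """Extract (mode, uid, gid, name) from `ls -lan` output; the numeric
    uid/gid are the 3rd and 4th whitespace-separated fields."""
    rows: List[Tuple[str, int, int, str]] = []
    for line in ls_text.splitlines():
        fields = line.split(None, 8)
        # an entry line starts with a type char plus nine permission bits, e.g. drwxr-xr-x
        if len(fields) < 9 or len(fields[0]) < 10 or fields[0][0] not in "-dlcbps":
            continue
        rows.append((fields[0], int(fields[2]), int(fields[3]), fields[8]))
    return rows


def unmapped_owners(ls_text: str, passwd_text: str,
                    group_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """List files whose numeric uid/gid has no entry in the local passwd/group
    files: those names come from the LDAP (nsswitch) source or are orphans."""
    users, groups = parse_ids(passwd_text), parse_ids(group_text)
    result: Dict[str, List[Tuple[str, int]]] = {"uid": [], "gid": []}
    for _mode, uid, gid, name in parse_ls_lan(ls_text):
        if uid not in users:
            result["uid"].append((name, uid))
        if gid not in groups:
            result["gid"].append((name, gid))
    return result


# Constructed samples: subsets of the listings pasted in the post above.
SAMPLE_LS = """# ls -lan
drwxr-xr-x 18 0 0 1536 Dec 11 05:00 .
drwxr-xr-x 46 91550 94293 2560 Jan 11 10:37 ..
-rw-rw-rw- 1 0 1 524204 Aug 2 2006 110951-06.jar
drwxr-xr-x 2 0 1 512 Dec 11 05:01 Backup_files
-rw------- 1 0 1 17 Apr 22 2005 DBVERSION
drwxrwxr-x 2 101 2000 512 Oct 18 2004 DD
drwxr-xr-x 2 0 1 512 Sep 19 2006 J2SEPatch-13092006
"""
SAMPLE_PASSWD = """root:x:0:1:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
ldap:x:1004:100::/home/ldap:/bin/sh
oracle:x:1002:101: Oracle user:/apps/oracle:/bin/sh
"""
SAMPLE_GROUP = """[root@sun5-/opt]# cat /etc/group
root::0:root,tomcat
other::1:bpeditor,lpg_admin,lpg_author,lpg_publisher
iplanet::100:
dba::101:
apps::94356:
"""

if __name__ == "__main__":
    for kind, hits in unmapped_owners(SAMPLE_LS, SAMPLE_PASSWD, SAMPLE_GROUP).items():
        for name, ident in hits:
            print(f"{name}: {kind} {ident} has no local entry")
```

On the pasted data this flags `..` (uid 91550, gid 94293) and `DD` (uid 101, gid 2000): uid 101 is not a local user even though gid 101 (`dba`) is a local group, which is the kind of mismatch that makes `ls -l` show an LDAP name as the owner of a local directory. The fix is either to give the files the intended local owner with `chown` or to confirm the LDAP entry behind that id is the one that should own them.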

  • Can I use LDAP server's authentication mechanism rather than comparing password ?

    Hi All,
    The WebLogic security and admin guide says that user authentication can be of
    the following 3 types:
    1. Bind specifies that the LDAP security realm retrieves user data, including the
    password for the LDAP server, and checks the password in WebLogic Server.
    2. External specifies that the LDAP security realm authenticates a User by
    attempting to bind to the LDAP server with the username and password supplied by
    the WebLogic Server client. If you choose the External setting, you must also use
    the SSL protocol.
    3. Local specifies that the LDAP security realm authenticates a User by looking up
    the UserPassword property in the LDAP directory and checking it against the
    passwords in WebLogic Server.
    But say I want my users to be authenticated by the LDAP server rather
    than picking up the password from LDAP and comparing it at the WebLogic end. Then what
    should I do?
    Because no. 2 is applicable only for SSL certificates, and no. 1 and no. 3 pick up the
    password using the login DN and password provided at the time of configuration
    of the realm and compare it with the password given by the user.
    And once again there are some issues with picking up the password and comparing it:
    1. Netscape Directory Server can store the password in one-way hashed form (and
    that is preferred, too). So when the userPassword attribute is read, it's in one-way
    hashed form. So how will the comparison go on?
    2. Creating a user who has access to user data along with the userPassword attribute
    is itself a security threat, as if someone can crack that user's DN and password
    then he/she can do anything, as the user data can be read.
    Any suggestion is welcome.
    TIA,
    Sudarson

    Thanks a lot, Jerry.
    I got this stuff from the WebLogic 6.1 doc set, security.pdf and adminguide.pdf.
    I have another question: if that is the case (in the case of BIND), then why do we
    require the DN and password of a user who has access to read the entire directory?
    And at the same time, you specified this for Bind; what are the cases for the other
    two, Local and External? And then what is actually the difference between Bind and
    Local?
    Please help me.
    Thanks,
    Sudarson
    Jerry <[email protected]> wrote:
    Hi Sudarson,
    Whatever doc you were reading is at least partially incorrect, unfortunately...
    I know for sure that when you specify BIND, WebLogic sends the username/password
    to your LDAP server in an attempt to bind to it.
    If the bind is successful, WLS determines that the username/password pair were correct.
    If the bind was unsuccessful, WLS determines that the username/password pairing is not
    valid.
    At all times, WebLogic is letting the LDAP server do the actual compare of
    username/password. WLS does not, at any time, retrieve a password from the LDAP server.
    I hope this helps,
    Joe Jerry
    sudarson wrote:
    Hi All,
    The WebLogic security and admin guide says that user authentication can be of
    the following 3 types:
    1. Bind specifies that the LDAP security realm retrieves user data, including the
    password for the LDAP server, and checks the password in WebLogic Server.
    2. External specifies that the LDAP security realm authenticates a User by
    attempting to bind to the LDAP server with the username and password supplied by
    the WebLogic Server client. If you choose the External setting, you must also use
    the SSL protocol.
    3. Local specifies that the LDAP security realm authenticates a User by looking up
    the UserPassword property in the LDAP directory and checking it against the
    passwords in WebLogic Server.
    But say I want my users to be authenticated by the LDAP server rather
    than picking up the password from LDAP and comparing it at the WebLogic end. Then what
    should I do?
    Because no. 2 is applicable only for SSL certificates, and no. 1 and no. 3 pick up the
    password using the login DN and password provided at the time of configuration
    of the realm and compare it with the password given by the user.
    And once again there are some issues with picking up the password and comparing it:
    1. Netscape Directory Server can store the password in one-way hashed form (and
    that is preferred, too). So when the userPassword attribute is read, it's in one-way
    hashed form. So how will the comparison go on?
    2. Creating a user who has access to user data along with the userPassword attribute
    is itself a security threat, as if someone can crack that user's DN and password
    then he/she can do anything, as the user data can be read.
    Any suggestion is welcome.
    TIA,
    Sudarson
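    The two designs argued about in this thread (the LDAP server performs the bind and
    never releases the password, versus a realm reader account fetching userPassword and
    comparing it on the application side) can be shown side by side. The following is an
    added example, not code from the thread, from WebLogic or from Netscape Directory
    Server: a tiny in-memory stand-in for a directory whose userPassword values are stored
    in the {SSHA} form Netscape/iPlanet uses (base64 of sha1(password + salt) followed by
    the salt). The DNs, passwords and the "realm-reader" account are constructed.

```python
"""Bind-based authentication vs. read-and-compare against {SSHA} userPassword.

Added example, not from the thread. The directory, DNs and passwords below are
constructed; the {SSHA} layout (base64(sha1(pw + salt) + salt)) is the real
scheme used by Netscape/iPlanet/389 Directory Server.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value. One-way: the clear text is gone."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Server-side check of a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class ToyDirectory:
    """Minimal stand-in for the LDAP server (hypothetical, constructed entries)."""

    def __init__(self):
        self._entries = {
            "uid=alice,ou=people,dc=example,dc=com": {
                "cn": "Alice",
                "userPassword": ssha_hash("correct horse"),
            },
            # Privileged account a realm might use to read the directory.
            "cn=realm-reader,ou=system,dc=example,dc=com": {
                "cn": "Realm reader account",
                "userPassword": ssha_hash("reader-secret"),
            },
        }

    def bind(self, dn, password):
        """LDAP simple bind: the server does the comparison; no password
        attribute ever leaves the server."""
        entry = self._entries.get(dn)
        return entry is not None and ssha_verify(entry["userPassword"], password)

    def read_attribute(self, bound_as, dn, attr):
        """Read an attribute as an already-bound account."""
        if bound_as not in self._entries:
            return None
        entry = self._entries.get(dn)
        return None if entry is None else entry.get(attr)


def authenticate_by_bind(directory, dn, password):
    """What Jerry describes: hand the user's own credentials to the server."""
    return directory.bind(dn, password)


def authenticate_by_compare(directory, reader_dn, reader_pw, user_dn, password):
    """What Sudarson worries about: bind as a privileged reader, fetch the
    user's userPassword and compare it on the application side. Against a
    one-way hash a plain equality test can never succeed, and the reader
    account can pull every user's hash."""
    if not directory.bind(reader_dn, reader_pw):
        return False
    stored = directory.read_attribute(reader_dn, user_dn, "userPassword")
    return stored == password                  # naive clear-text comparison


if __name__ == "__main__":
    d = ToyDirectory()
    alice = "uid=alice,ou=people,dc=example,dc=com"
    reader = "cn=realm-reader,ou=system,dc=example,dc=com"
    print("bind, right password :", authenticate_by_bind(d, alice, "correct horse"))
    print("bind, wrong password :", authenticate_by_bind(d, alice, "nope"))
    print("read-and-compare     :",
          authenticate_by_compare(d, reader, "reader-secret", alice, "correct horse"))
```

    The bind path succeeds with the right password and fails otherwise, while the
    read-and-compare path fails even for the correct password because it is comparing
    clear text to a salted hash; making it work would mean re-implementing the server's
    hashing in the application and holding a DN that can read every user's hash. A real
    LDAP server also offers the Compare operation for server-side checks, but a bind with
    the user's own credentials is the simplest way to keep the password material on the
    directory side.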

  • Can I use Microsoft SQL Server Management Studio version 11.0 to write SQL queries for "SQL Server Compact 4.0 Local Database"

    Hi, Can I use Microsoft SQL Server Management Studio version 11.0 to write SQL queries for "SQL Server Compact 4.0 Local Database" ?
    When I use Connect Object Explorer, the "Connect to Server" dialog box which pops up has only 4 selections in the Server Type Drop Down List. They are Database Engine, Analysis Services, Reporting Services & Integration Services. I have read
    somewhere that there should be a compact database option. but I do not see it.
    What I would like to do is use free form SQL Queries against the tables in "SQL Server Compact 4.0 Local Database" .
    Once I have validated these queries, then I will use them in my Visual Studio 2012 C#, ASP.NET application. I created the Local Database using Visual Studio 2012 for use by my application.
    Thank you for your help.
    diana4

    Hello,
    With SSMS 2005 we had the option to work with SQL CE database files, but not with higher versions of SSMS.
    You can use the free SQL CE Toolbox instead; see
    http://sqlcetoolbox.codeplex.com/
    Olaf Helper
    [ Blog] [ Xing] [ MVP]

  • Windows Authentication using Microsoft SQL Server 2005 JDBC Driver

    Hi,
    I am using Microsoft SQL Server 2005 JDBC Driver to connect to SQL Server 2000 database, can anyone tell me the connection URL for windows authentication. SQL authentication is working fine.
    DataDirect has drivers for windows authentication but I am not using it.
    Regards
    Arup

    You can't do it with the Microsoft driver. There's a free driver called jTDS that may be able to (I don't know).
    (edit) Looking at their FAQ it looks like it does:
    http://jtds.sourceforge.net/faq.html

  • [ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

    So here is my goal:
    Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
    Background:
    I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
    I've also used NPS to authenticate wireless clients in a lab setting.
    Problem:
    I cannot figure out what is going on with NCS/PI authentication against NPS.
    Here are a couple/few steps I've taken:
    - I've added the RADIUS client to the list.
    - I've created a network policy to grant access to a specific group of users (AD group).  It accepts either CHAP or PAP authentication
    - I've also taken out the default radius attributes and inserted these:
    - - Vendor Specific, Cisco-AV-Pair
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    - - Vendor-Specific, RADIUS Standard
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    On the NPS server I can see the request coming in on the NPS logs.  Access has been granted and it matches the Network Policy I created.
    The usual message I receive is this:
    No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
    Attached is a picture from a packet capture.  The RADIUS "Access-Accept" message has something under the Attribute Value Pairs section:
    - "[Not enough room in packet for AVP] "
    This capture was taken when I was only using the RADIUS role value and not all the RADIUS Tasks.
    Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
    Here are some of guides I used:
    http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
    https://supportforums.cisco.com/thread/339057
    http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI
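    The "[Not enough room in packet for AVP]" note in the capture above is what a dissector
    prints when an attribute's length byte claims more bytes than the packet still holds,
    and the task-list attributes discussed in this thread are exactly the ones that run
    into RADIUS length limits. The following is an added example, not code from the thread
    or from Cisco or Microsoft: it encodes Cisco-AV-Pair values as RFC 2865 Vendor-Specific
    attributes (type 26, vendor id 9, vendor type 1), enforces the per-attribute size
    limit, and walks an attribute section back out, flagging an overrunning length the way
    the capture did. The av-pair strings used are constructed placeholders, not the exact
    role/task strings NCS or PI expect.

```python
"""Encoding and checking Cisco-AV-Pair Vendor-Specific RADIUS attributes.

Added example, not from the thread. RFC 2865 attribute layout:
  Type(1) Length(1) Value(<=253)           Length covers the whole attribute
Vendor-Specific (Type 26) Value:
  Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String
so a single Cisco-AV-Pair string can carry at most 255 - 2 - 4 - 2 = 247 bytes.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AV_PAIR = 1
MAX_AVPAIR_LEN = 255 - 2 - 4 - 2   # 247 bytes of string per attribute


def encode_cisco_avpair(value):
    """Build one Vendor-Specific attribute carrying a single Cisco-AV-Pair."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_LEN:
        raise ValueError("av-pair too long for one VSA: %d > %d"
                         % (len(data), MAX_AVPAIR_LEN))
    vendor_part = struct.pack("!IBB", VENDOR_CISCO, CISCO_AV_PAIR, 2 + len(data)) + data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def encode_avpairs(values):
    """One VSA per av-pair (how a policy with several Cisco-AV-Pair entries is
    sent); every value is length-checked independently."""
    return b"".join(encode_cisco_avpair(v) for v in values)


def decode_attributes(buf):
    """Walk a RADIUS attribute section. Returns a list of tuples:
    ("vsa", vendor, vendor_type, string), ("attr", type, raw_value) or
    ("malformed", reason). A length that overruns the buffer is reported with
    the same wording Wireshark uses."""
    out = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            out.append(("malformed", "truncated attribute header"))
            break
        attr_type, attr_len = buf[i], buf[i + 1]
        if attr_len < 2 or i + attr_len > len(buf):
            out.append(("malformed", "Not enough room in packet for AVP"))
            break
        value = buf[i + 2:i + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            text = value[6:4 + vlen].decode("ascii", "replace")
            out.append(("vsa", vendor, vtype, text))
        else:
            out.append(("attr", attr_type, value))
        i += attr_len
    return out


# Constructed placeholder av-pairs; the real NCS/PI strings come from the
# product's own AAA attribute export, which this example does not reproduce.
SAMPLE_AVPAIRS = [
    "NCS:role0=PLACEHOLDER-ROLE",
    "NCS:virtual-domain0=PLACEHOLDER-DOMAIN",
]


def roundtrip_sample():
    """Encode the constructed av-pairs and decode them again."""
    return decode_attributes(encode_avpairs(SAMPLE_AVPAIRS))


def truncated_sample():
    """Drop the last two bytes of a valid attribute to reproduce the capture's
    '[Not enough room in packet for AVP]' condition."""
    return decode_attributes(encode_cisco_avpair("NCS:task0=PLACEHOLDER-TASK")[:-2])


if __name__ == "__main__":
    for item in roundtrip_sample():
        print(item)
    print(truncated_sample())
```

    A policy that pushes dozens of task strings stays within the 247-byte per-attribute
    limit only because each task is its own VSA; the remaining ceiling is the 4096-byte
    maximum RADIUS packet length, so the check on the server side is the count and size of
    the attributes together, not any single one.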
