Authentication for ADS

hi,
I am setting authentication for ADS. When i click on Webservice security, under services, i get "Error while loading service web service security" in visual admin.
Can you also add a point as to why do we need ads authentication.

I was accessing Visual Administrator thorugh my local file (by Pasting the server directories ) system and connecting to a remote server.hence i had issues.
Solution is to access visual admin directly from the server where it is installed.

Similar Messages

  • "Team Foundation Server" is preventing authentication for whole team !!

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st
    Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
    More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd
    Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant
    Local Activation permission for the COM Server application with CLSID 
    {000C101C-0000-0000-C000-000000000046}
     and APPID 
    {000C101C-0000-0000-C000-000000000046}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
    from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other
    Fixes I tried
    - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
    loading up using w3wp.exe from processes. 
    Concern
    - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

    Hi Amr,
    For your first error, you can change the "Diagnostic Logging" path, aslo change the path of the usage and health data connection the same with your ULS log location. Check this
    blog for more detils and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this
    thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
    About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there any configuation issues on your application tier server. However, you can also refer to this
    blog
    to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread related forum.
    Best regards,

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
    {000C101C-0000-0000-C000-000000000046}
     and APPID 
    {000C101C-0000-0000-C000-000000000046}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other Fixes I tried
    - Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
    loading up using w3wp.exe from processes. 
    Concern
    - by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • Open Authentication for Wireless Access

    Hello,
    The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
    What exacly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
    The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter thsi PSK from the client? Is it only used to encrypt the data?
    Thanks,
    Kevin

    Hi Kevin,
    Using WPA we can configure  either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
    if we are using EAP then auth will be done by the RADIUS and the encryotion will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
    EAP is more secured auth compared to PSK..
    Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
    in the nut shel we have 3 kinds of auth..
    1> open - Dot11 auth
    2> Shared - Nothing but WEP
    3> 802.1X suite - EAP
    again, the below link may give you some insights as well!!
    http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
    Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • User Authentication for subfolder not working in Web Browser

    We are using Oracle Application Server 10.1.2.3 and Database Server 10.2.0.5 for our application.
    One of the functionalities of the Application is to send emails with attachments.
    The logic is that the Application would generate the attachment file on the Application Server.
    Then a database package uses Oracle's utl_http package/procedures(more specifically utl_http.request_pieces where the single argument is a URL) to pick up the file from the Application Server via URL, attach the file and send the email.
    Exchange and Relay Server is also set in the Application.
    The problem is that the folder containing the folder which stores the attachments is having user authentication set.
    Example : The main folder is /apps/interface, this folder requires a valid user when it is accessed via URL on a web browser.
    Alias created in httpd.conf
    Alias /int-dir/ "/apps/interface/"
    The folder /apps/interface/email/ is the folder where the attachment files are generated and stored.
    Application Server : 10.12.213.21
    Database Server : 10.12.213.22
    Email Server : 10.12.213.44
    Configuration as per httpd.conf
    Alias /int-dir/ "/apps/interface/"
    <Location /int-dir/>
    AuthName "Interface folder"
    AuthType Basic
    AuthUserFile "/u01/app/oracle/as10g/oasmid/Apache/Apache/conf/.htpasswd"
    require user scott
    </Location>
    <Location /int-dir/email>
    Options Indexes Multiviews IncludesNoExec
         Order deny,allow
         Deny from all
         Allow from 10.12.213.21
         Allow from 10.12.213.22
         Allow from 10.12.213.44
    </Location>
    Using the above configuration the Application is able to attach the files and send the email, however, when we access the following URL :
    http://10.12.213.21:7778/int-dir/ - it prompts for user authentication
    However if we use the following URL :
    http://10.12.213.21:7778/int-dir/email/ - it does not prompt for user authentication, and all the files in the folder are displayed in the browser.
    I have tried so many things including AllowOverride, .htaccess, but i am not able to get user authentication for the email folder.
    Please help me if you can.
    Thanking you in advance,
    GLad to give any more information that i can.
    dxbrocky

    Thanks for your response.  I fixed the problem by selecting "full site" or "full website" at bottom of the web page.  After making this selection the zoom function returned.  Thanks again for your interest.

  • How to set up and test the Basic Authentication for HTTP protocol

    Hi,
    I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authenticaton. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.

    Hi Ramesh,
    Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm(in which property file). In enqueue code, I could see the following attributes
    queue
    msgID
    replyToMsgID
    from
    to
    eventName
    doctypeName
    doctypeRevision
    msgType
    payload
    attachment
    subscriber
    Is it possible to set username/password in the enqueue attributes?
    Do i need to add username/password and Transport header in the input XML and defined that elements in xsd?

  • Authentication for multiple AD domains

    Hello,
    Currently we have MS AD datasource as UME for all our internal portal users. We also have spnego setup for authentication  for our EP 7.0 The user path and group path is of the form   dc=dom1 dc=company dc=domain dc=com.
    Now we are planning to add additional domains to authenticate users .
    Will the configuration differ if they are maintained on a different ldap server altogether or when only the user and group paths are different for the new domains as shown below?  The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and
    dc=dom3,dc=company,dc=domain,dc=com.
    It seems that we have to change the datasource file for the additional ldap scenario.But are both of these the same,Would appreciate if someone could clarify this.
    Rgds

    Vineeth,
    Within the 1 file, you can setup n-number of datasources.  Below is an example.
    As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work.  We have SPNego working for all our domains.  There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
    <!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
    <dataSources>
         <dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
              <homeFor>
                   <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                   </principals>
              </homeFor>
              <notHomeFor/>
              <responsibleFor>
                   <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                   </principals>
              </responsibleFor>
              <privateSection/>
         </dataSource>
        <dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
                <homeFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </homeFor>
                <notHomeFor/>
                <responsibleFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </responsibleFor>
                <privateSection/>
        </dataSource>
        <dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
                <homeFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </homeFor>
                <notHomeFor/>
                <responsibleFor>
                    <principals>
                        <principal type="group"/>
                        <principal type="user"/>
                        <principal type="account"/>
                        <principal type="team"/>
                        <principal type="ROOT"/>
                        <principal type="OOOO"/>
                    </principals>
                </responsibleFor>
                <privateSection/>
        </dataSource>
    </dataSources>

  • SOA Managed Server "Authentication for user denied" exception

    Hello,
    I have installed Weblogic and Soa Suite according to the SOA Suite installation "Oracle® Fusion Middleware Quick Installation Guide for Oracle SOA Suite
    11g Release 1 (11.1.1)" document.
    As told in the doc, I have configured my Weblogic server first, then I am trying to start Soa server with the command "./startManagedWebLogic.sh soa_server1"
    But I am getting this error; mucho obrigado!
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
    <Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
    weblogic.security.SecurityInitializationException: Authentication for user denied
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    Truncated. see log file for complete stacktrace
    >
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2010 5:35:20 PM EET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

    Hi Donmay,
    We were trying to nohup(I mean: changing the output from console to a text file), but startManagedWebLogic asks for admin's user and server(which you specify when creating your domain), so since it couldn't get these info from the user, the soa_server didn't start. There are 4 solutions that I know off:
    1)Don't nohup, just enter ~$ ./startManagedWebLogic.sh soa_server1
    2)Specify the user and passwd in startManagedWebLogic. The two variables are WLS_USER and WLS_PW
    3)Create a boot.password file in .../domain/bin and in the startManagedWebLogic add this -Dweblogic.system.BootIdentityFile="fileGoesHere" JAVA_OPTIONS (http://blogs.oracle.com/middleware/2010/05/weblogic_not_reading_bootproperties_1111x.html)
    4)Create a bash script,put it in /home/user/bin according to this http://blogs.oracle.com/reynolds/2010/03/cold_start.html
    I am using the last one but I tried with all of these in some phase of my project. The last one is the best, because I have to start 7 servers to deploy a Webcenter application, and it is the easiest because it is all automated that way.
    Sorry for the late reply, I have posted from my phone.

  • Should I use a separate JAVA instance for ADS

    My customer has Enterprise portal and R/3 installed already.  Now they want ADS installed.  Would it be best to install a new JAVA instance for ADS or should I use the existing JAVA instance that is installed for the portal?  I think the customer is preferring to use a separate instance so nothing already installed breaks.  Also, if I do use a separate JAVA instance, should I connect to the portal through SLD?
    Thanks,
    Peggy

    Hello,
    Installation of new java instance for ADS (or) using the one available inthe portal java instance depends on the following factors:-
    1) How much extra load can the existing java instance handle
    2) What is the user case and expected load for ADS in the customer landscape?
    3) Whether ADS will be used exclusively for portal ?
    Following link may give you a better idea of whether to use ADS within applicaiton portal (or) use standalone ADS
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0ce3d21-cb09-2e10-36b0-e4c8167389f6?quicklink=index&overridelayout=true
    Rgds,
    Mat.

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
    Now we have to configure the addtional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    following Steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
    - Be sure CA root certivicate at Database under STRUSTSSO2
    - Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
    - use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • Can't start managed server - Authentication for user denied

    Greetings,
    I have a WebLogic 10.3.6 based domain. The admin server works correctly. Using the admin console, I created a managed server. It is not associated to any machine and I don't use node manager. The managed server listens on localhost:7101 while the admin listens on localhost:7001. Starting the managed server asks for an user/password authentication. Using the same as the one used for the admin console says:
    <7 dÚc. 2012 13 h 55 CET> <Critical> <Security> <BEA-090403> <Authentication for
    user nicolas denied>
    <7 dÚc. 2012 13 h 55 CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsy
    stem failed. Reason: weblogic.security.SecurityInitializationException: Authenti
    cation for user nicolas denied
    weblogic.security.SecurityInitializationException: Authentication for user nicol
    as denied
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.do
    BootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:966)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.in
    itialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
    erviceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Auth
    entication Failed: User nicolas weblogic.security.providers.authentication.LDAPA
    tnDelegateException: [Security:090295]caught unexpected exception
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.log
    in(LDAPAtnLoginModuleImpl.java:251)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(Log
    inModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(Log
    inModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
    hanged to FAILED>
    <7 dÚc. 2012 13 h 55 CET> <Error> <WebLogicServer> <BEA-000383> <A critical serv
    ice failed. The server will shut itself down>
    <7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
    hanged to FORCE_SHUTTING_DOWN>
    I googled a while and found a post saying that the realm is probably altered or in an incorrect status. I reset the the admin's credentials using weblogic.security.utils.AdminAccount but this disn't change anything. Of course, upon the managed server creation, I initialized the fierlds user and password in the server starting tab of the admin console.
    Many thanks for any help.
    Nicolas

    Hi,
    Have you configured LDAP Authenticator on the server?
    If yes, afther the change did you restart both the servers - admin and managed?

  • OS-Authentication  for a Oracle 10g Express Edition

    I want to use OS-Authentication for an Oracle 10g Express Edition. What value must be set in sqlnet.ora ? Where are the possible authentcation modes described ? I only found the description KERBEROS5.
    I tryed the value all, but with all no connect is possible.
    Tanks for help
    Josef Springer

    >
    Thanks for your link.
    A special username with prefix is needed. This user must be created for external authentication. This user must be known by the OS. Am i right ?
    >Right.
    >
    As i understand, to login with OS-Authentication i need a new windows user. This is not usable, because my users have their login and do not want to use another, when working with the database.
    Is there another way to use OS-Authentication ?As far as I know, this is not possible especially with Oracle XE which has not all features of Entreprise Edition.
    >
    Must the prefix be used in any case ?
    >You can have an empty prefix: you should use OS_AUTHENT_PREFIX init. parameter http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/initparams147.htm#REFRN10152

  • Check_ntlm_password:  Authentication for user ['name'] - ['name'] FAILED with error NT_STATUS_LOGON_FAILURE

    Hi,
    We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell.  My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box.  I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too.  Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords.  But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
    check_ntlm_password:  Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
    (I am blanking out the user name on purpose).
    Of course there is more to the story, but those are the basics.
    Here are the relevant parts of my smb.conf.  FWIW, the CentOS / Samba box is called Jupiter.
    Thank you,
    NickZ
    [smb.conf]
    [global]
              display charset = UTF-8
              realm = SATURN.MCLEAN.HARVARD.EDU
              netbios aliases = ANL
              server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
              interfaces = lo, em1
              security = SERVER
              update encrypted = Yes
              password server = saturn.mclean.harvard.edu
              smb passwd file = /var/lib/samba/private/secrets.tdb
              passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
              passwd program = /usr/bin/passwd %u
              unix password sync = Yes
              lanman auth = Yes
              client NTLMv2 auth = Yes
              client use spnego principal = Yes
              kerberos method = system keytab
              log level = 2
              syslog = 3
              log file = /var/log/samba/log.%m
              max log size = 50
              name resolve order = host lmhosts wins bcast
              server signing = auto
              preferred master = Auto
              ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
              ldap group suffix = cn=groups
              ldap passwd sync = yes
              ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
              ldap ssl = no
              ldap user suffix = cn=users
              usershare allow guests = Yes
              idmap backend = ldap:ldap://saturn.mclean.harvard.edu
              idmap uid = 10000-20000
              idmap gid = 30000-40000
              cups options = raw
    [homes]
              comment = Home Directories
              read only = No
    [printers]
              comment = All Printers
              path = /var/spool/samba
              printable = Yes
              browseable = No
    [anl]
              comment = Main ANL Share
              path = /anl
              read only = No
              guest ok = Yes
              hide dot files = No

    Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
    Proud to say that since that day (10+ months ago) I've not seen it happen again. whew.

  • Radius authentication for the browser-based webtop

    Hiya all,
    With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
    SSGD version:
    Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
    Architecture code: i3so0510
    This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
    I have the radius-module running for authentication of a single directory with the apache-config-lines:
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch "/secure">
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthName "Radius authentication for SGD"
    Authtype Basic
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 540
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
    When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
    The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
    Changing the JkLogLevel to debug gives the following info in the JkLogFile:
    Radius authentication:
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
    With the password-authentication file:
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
    It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
    Any help will be usefull since I am allready stuck on this problem for a couple of days :(
    Thanks,
    Remold | Everett

    I got response from the Fat Bloke on the mailing list.
    Adding the following line in the apache httpd.conf seams to help and resolved my problem:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    Thanks The Fat Bloke !!
    - Remold
    These instructions are for a 4.2 SGD installation using SGD's third
    party web authentication with mod_auth_radius.so (www.freeradius.org).
    With 4.2 Sun didn't distribute enough of the Apache configured tree
    to enable the use of axps to build the mod_auth_radius module, 4.3 is
    better - Sun now install a modified axps and include files, I haven't
    tried this with 4.3 yet though.
    I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
    So, this is how we got this working with Radius (tested with SBR
    server and freeradius.org server.)
    Install SGD in the usual way.
    Enable 3rd party authentication:
    According to:
    http://docs.sun.com/source/819-4309-10/en-us/base/standard/
    webauth_config_browser.html
    Configure the Tomcat component of the Secure Global Desktop Web
    Server to
    trust the web server authentication. On each array member, edit the
    /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
    following attribute to the connector element (<Connector>) for the
    Coyote/JK2 AJP 1.3 Connector:
    tomcatAuthentication="false"
    # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
    conf/server.xml
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
    tomcatAuthentication="false"
    enableLookups="true" redirectPort="8443"
    acceptCount="10" debug="0" connectionTimeout="0"
    useURIValidationHack="false"
    protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    "By default, for security reasons, Secure Global Desktop
    Administrators can't
    log in to the browser-based webtop with web server authentication.
    The standard
    login page always displays for these users even if they have been
    authenticated
    by the web server. To change this behavior, run the following command:"
    # tarantella config edit --tarantella-config-login-thirdparty-
    allowadmins 1
    Without this, after authenticating via webauth, the user will be
    prompted for a
    second username and password combination.
    # /opt/tarantella/bin/tarantella objectmanager &
    # /opt/tarantella/bin/tarantella arraymanager &
    In Array Manager:
    Select "Secure Global Desktop Login" on left side and click
    "Properites" at bottom
    Under "Secure Global Desktop Login Properties"
    cd /opt/tarantella/webserver/apache/
    1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
    edit httpd.conf:
    ### For SGD Apache based authentication
    Include conf/httpd4radius.conf
    at the end of httpd.conf add:
    Alias /sgd "/opt/tarantella/webserver/tomcat/
    5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    # cat httpd4radius.conf
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    AddModule mod_auth_radius.c
    # Add to the BOTTOM of httpd.conf
    # If we're using mod_auth_radius, then add it's specific
    # configuration options.
    <IfModule mod_auth_radius.c>
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    # Use localhost, the old RADIUS port, secret 'testing123',
    # time out after 5 seconds, and retry 3 times.
    AddRadiusAuth radiusserver:1812 testing123 5:3
    # AuthRadiusBindAddress <hostname/ip-address>
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests will come from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # the special value of 0 (zero) means the cookie is valid forever.
    AddRadiusCookieValid 5
    </IfModule>
    <LocationMatch /radius >
    Order Allow,Deny
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch /sgd >
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    Put appropriate mod_auth_radius.so into
    /opt/tarantella/webserver/apache/
    1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
    # mkdir /opt/tarantella/webserver/apache/
    1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
    # cat /opt/tarantella/webserver/apache/
    1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <B> You have reached the test page for RADIUS authentication.
    </BODY>
    </HTML>
    I hope this helps!
    -FB

  • External authentication for Essbase 7.1.6.

    Hi all,
    We are trying to set up external authentication for Essbase 7.1.6. We have a customized version of Essbase which does not use DLL. we do not have a Hyperion Hub or any CSS set up. All we have is an authentication module from the vendor to be used instead of the DLL. As per the documents provided to us all we have to do is change the cfg file to include the AUTHENTICATIONMODULE setting. Does anyone has any experience with this? What all parameters do we need to pass to Active Directory for this to work? Please help.
    Thanks.
    Vish.

    You could create a maxl script that replaces the filters, when you call the maxl script you could pass in a variable such as YR08 and use that variable in the script.
    Cheers
    John
    http://john-goodwin.blogspot.com/

Maybe you are looking for

  • Can't install Windows 8.1 update on my HP Envy TS M6 Sleekbook

      I have all current drivers and software.  It came with Windows 8 and I am trying to install 8.1.  It does well until the restart.  I do the restart and it gets part way through and the screen goes dark and hours later the screen is still dark.  I p

  • Quicktime "Share" feature no longer works for me.

    For the past year now I've been using Quicktimes "Share" feature to upload videos to YouTube. As of today, the feature no longer works. When I open a video, click "Share" and then "YouTube" absolutely nothing happens. I've tried with multiple differe

  • What's a loss how to respond when iPad?

    What's a loss how to respond when iPad?

  • Looking for a feature like IE Favorites Bar

    IE has a feature that allows you to have a bar at the top of saved locations. For example, I have sites I visit regularly. These sites would have a tab at the top of my page. This would allow me to click on them, without having to access them from my

  • HT4528 Icloud videos and pictures?

    I have synced both my  iphone 5s and iPad to the icloud though I see my calender ,,notes etc, I can't find my pictures or videos What am I doing wrong?