Authentication for ADS
Hi,
I am setting authentication for ADS. When I click on Webservice security, under services, I get "Error while loading service web service security" in Visual Admin.
Can you also add a point as to why we need ADS authentication?
I was accessing Visual Administrator through my local file system (by pasting the server directories) and connecting to a remote server. Hence I had issues.
The solution is to access Visual Admin directly from the server where it is installed.
Similar Messages
-
"Team Foundation Server" is preventing authentication for whole team !!
I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
1st Error (from administrative events):
The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception.
More information is included below.
Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
Tried so far:-
- changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
2nd Error (from application server):
DistributedCOM error
The application-specific permission settings do not grant
Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
and APPID
{000C101C-0000-0000-C000-000000000046}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)
from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
Other fixes I tried
- Found on another topic that it is not SharePoint that is causing the problem, but that the generated ASP.NET web pages used for testing are causing the memory to fill up due to caching in RAM; the fix suggested was to change IIS caching from RAM to HD to prevent loading up using w3wp.exe from processes.
Concern
- By checking other topics for people having the same problem, it was mentioned that this error appeared after the latest TFS update. Is there a fix for it?
Hi Amr,
For your first error, you can change the "Diagnostic Logging" path, also change the path of the usage and health data connection the same with your ULS log location. Check this blog for more details and make sure you follow the instructions. Restart SharePoint tracing service after the operations. You can also check this thread for more references. If you still have any other concerns about SharePoint, you can open a new thread in SharePoint forum for a better response.
About the second error, seems it's not related to TFS. You can also run TFS best practice analyzer to check if there are any configuration issues on your application tier server. However, you can also refer to this blog to get this issue resolved. If the problem persists, you can elaborate more details about your scenario and the reproduce steps or open a new thread in a related forum.
Best regards, -
Open Authentication for Wireless Access
Hello,
The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
What exactly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter this PSK from the client? Is it only used to encrypt the data?
Thanks,
Kevin
Hi Kevin,
Using WPA we can configure either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
if we are using EAP then auth will be done by the RADIUS and the encryption will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
EAP is more secured auth compared to PSK..
Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
in the nutshell we have 3 kinds of auth..
1> open - Dot11 auth
2> Shared - Nothing but WEP
3> 802.1X suite - EAP
again, the below link may give you some insights as well!!
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
Lemme know if this answered ur question and please don't forget to rate the useful posts!!
Regards
Surendra -
User Authentication for subfolder not working in Web Browser
We are using Oracle Application Server 10.1.2.3 and Database Server 10.2.0.5 for our application.
One of the functionalities of the Application is to send emails with attachments.
The logic is that the Application would generate the attachment file on the Application Server.
Then a database package uses Oracle's utl_http package/procedures(more specifically utl_http.request_pieces where the single argument is a URL) to pick up the file from the Application Server via URL, attach the file and send the email.
Exchange and Relay Server is also set in the Application.
The problem is that the folder containing the folder which stores the attachments is having user authentication set.
Example : The main folder is /apps/interface, this folder requires a valid user when it is accessed via URL on a web browser.
Alias created in httpd.conf
Alias /int-dir/ "/apps/interface/"
The folder /apps/interface/email/ is the folder where the attachment files are generated and stored.
Application Server : 10.12.213.21
Database Server : 10.12.213.22
Email Server : 10.12.213.44
Configuration as per httpd.conf
Alias /int-dir/ "/apps/interface/"
<Location /int-dir/>
AuthName "Interface folder"
AuthType Basic
AuthUserFile "/u01/app/oracle/as10g/oasmid/Apache/Apache/conf/.htpasswd"
require user scott
</Location>
<Location /int-dir/email>
Options Indexes Multiviews IncludesNoExec
Order deny,allow
Deny from all
Allow from 10.12.213.21
Allow from 10.12.213.22
Allow from 10.12.213.44
</Location>
Using the above configuration the Application is able to attach the files and send the email, however, when we access the following URL :
http://10.12.213.21:7778/int-dir/ - it prompts for user authentication
However if we use the following URL :
http://10.12.213.21:7778/int-dir/email/ - it does not prompt for user authentication, and all the files in the folder are displayed in the browser.
I have tried so many things including AllowOverride, .htaccess, but I am not able to get user authentication for the email folder.
Please help me if you can.
Thanking you in advance,
Glad to give any more information that I can.
dxbrocky
Thanks for your response. I fixed the problem by selecting "full site" or "full website" at bottom of the web page. After making this selection the zoom function returned. Thanks again for your interest.
-
How to set up and test the Basic Authentication for HTTP protocol
Hi,
I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authentication. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking for any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.
Hi Ramesh,
Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm (in which property file). In enqueue code, I could see the following attributes
queue
msgID
replyToMsgID
from
to
eventName
doctypeName
doctypeRevision
msgType
payload
attachment
subscriber
Is it possible to set username/password in the enqueue attributes?
Do I need to add username/password and Transport header in the input XML and define those elements in xsd? -
Authentication for multiple AD domains
Hello,
Currently we have MS AD datasource as UME for all our internal portal users. We also have spnego setup for authentication for our EP 7.0 The user path and group path is of the form dc=dom1 dc=company dc=domain dc=com.
Now we are planning to add additional domains to authenticate users .
Will the configuration differ if they are maintained on a different ldap server altogether or when only the user and group paths are different for the new domains as shown below? The user path and group path is of the form dc=dom2,dc=company,dc=domain,dc=com and
dc=dom3,dc=company,dc=domain,dc=com.
It seems that we have to change the datasource file for the additional ldap scenario. But are both of these the same? Would appreciate if someone could clarify this.
Rgds
Vineeth,
Within the 1 file, you can setup n-number of datasources. Below is an example.
As for having SPNego work for only 1 of those datasources (AD domains), I can't say if that will work. We have SPNego working for all our domains. There is probably something you can do within AD or your domain controller to limit Kerberos authentication.
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
<dataSource id="PRIVATE_DATASOURCE1" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</responsibleFor>
<privateSection/>
</dataSource>
<dataSource id="PRIVATE_DATASOURCE2" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</responsibleFor>
<privateSection/>
</dataSource>
<dataSource id="PRIVATE_DATASOURCE3" className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence" isReadonly="false" isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT"/>
<principal type="OOOO"/>
</principals>
</responsibleFor>
<privateSection/>
</dataSource>
</dataSources> -
SOA Managed Server "Authentication for user denied" exception
Hello,
I have installed Weblogic and Soa Suite according to the SOA Suite installation "Oracle® Fusion Middleware Quick Installation Guide for Oracle SOA Suite
11g Release 1 (11.1.1)" document.
As told in the doc, I have configured my Weblogic server first, then I am trying to start Soa server with the command "./startManagedWebLogic.sh soa_server1"
But I am getting this error; mucho obrigado!
<Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
weblogic.security.SecurityInitializationException: Authentication for user denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2010 5:35:20 PM EET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
Hi Donmay,
We were trying to nohup (I mean: changing the output from console to a text file), but startManagedWebLogic asks for admin's user and server (which you specify when creating your domain), so since it couldn't get this info from the user, the soa_server didn't start. There are 4 solutions that I know of:
1) Don't nohup, just enter ~$ ./startManagedWebLogic.sh soa_server1
2) Specify the user and passwd in startManagedWebLogic. The two variables are WLS_USER and WLS_PW
3) Create a boot.password file in .../domain/bin and in the startManagedWebLogic add this -Dweblogic.system.BootIdentityFile="fileGoesHere" JAVA_OPTIONS (http://blogs.oracle.com/middleware/2010/05/weblogic_not_reading_bootproperties_1111x.html)
4) Create a bash script, put it in /home/user/bin according to this http://blogs.oracle.com/reynolds/2010/03/cold_start.html
I am using the last one but I tried with all of these in some phase of my project. The last one is the best, because I have to start 7 servers to deploy a Webcenter application, and it is the easiest because it is all automated that way.
Sorry for the late reply, I have posted from my phone. -
Should I use a separate JAVA instance for ADS
My customer has Enterprise portal and R/3 installed already. Now they want ADS installed. Would it be best to install a new JAVA instance for ADS or should I use the existing JAVA instance that is installed for the portal? I think the customer is preferring to use a separate instance so nothing already installed breaks. Also, if I do use a separate JAVA instance, should I connect to the portal through SLD?
Thanks,
Peggy
Hello,
Installation of new java instance for ADS (or) using the one available in the portal java instance depends on the following factors:-
1) How much extra load can the existing java instance handle
2) What is the user case and expected load for ADS in the customer landscape?
3) Whether ADS will be used exclusively for portal ?
Following link may give you a better idea of whether to use ADS within application portal (or) use standalone ADS
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0ce3d21-cb09-2e10-36b0-e4c8167389f6?quicklink=index&overridelayout=true
Rgds,
Mat. -
Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1
Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 received over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
Now we have to configure the additional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen
Hi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for respectively technical user the public key certificate
- Be sure CA root certificate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trust Manager for the Respective Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen -
Can't start managed server - Authentication for user denied
Greetings,
I have a WebLogic 10.3.6 based domain. The admin server works correctly. Using the admin console, I created a managed server. It is not associated to any machine and I don't use node manager. The managed server listens on localhost:7101 while the admin listens on localhost:7001. Starting the managed server asks for an user/password authentication. Using the same as the one used for the admin console says:
<7 déc. 2012 13 h 55 CET> <Critical> <Security> <BEA-090403> <Authentication for user nicolas denied>
<7 déc. 2012 13 h 55 CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user nicolas denied
weblogic.security.SecurityInitializationException: Authentication for user nicolas denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:966)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User nicolas weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Truncated. see log file for complete stacktrace
>
<7 déc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<7 déc. 2012 13 h 55 CET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<7 déc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
I googled a while and found a post saying that the realm is probably altered or in an incorrect status. I reset the admin's credentials using weblogic.security.utils.AdminAccount but this didn't change anything. Of course, upon the managed server creation, I initialized the fields user and password in the server starting tab of the admin console.
Many thanks for any help.
Nicolas
Hi,
Have you configured LDAP Authenticator on the server?
If yes, after the change did you restart both the servers - admin and managed? -
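Both managed-server boot failures above report BEA-090403, but the nested [Security:...] codes differ (090301 "Password Not Supplied" in the first thread, 090295 "caught unexpected exception" in the second). The following is an added example, not part of either post and not Oracle code: a Python triage helper that undoes console line wrapping like that in the second excerpt and separates the two cases. The sample logs, the user name alice and the cause labels are constructed for illustration.

```python
import re

# Record header as printed on the server console:
#   <timestamp> <Severity> <Subsystem> <BEA-nnnnnn> <message...
# Assumption: line breaks are the only damage; after joining lines the header is intact.
HEADER = re.compile(r"<[^<>]+> <(\w+)> <(\w+)> <BEA-(\d{6})> <")
SEC_CODE = re.compile(r"\[Security:(\d{6})\]")
# \s* tolerates a space that was lost where the terminal wrapped the line.
DENIED_USER = re.compile(r"Authentication for\s*user\s*(\S*?)\s*denied")
STATE = re.compile(r"Server state\s*changed\s*to\s*(\w+)")

# Cause labels are this example's reading of the two threads, not an Oracle catalogue.
CAUSES = {
    "090301": "no password reached the boot login (non-interactive start)",
    "090295": "LDAP authenticator raised an exception during boot login",
}
DEFAULT_CAUSE = "boot credentials rejected"

# Constructed sample, abridged from the shape of the first excerpt (empty user name).
SAMPLE_NOHUP = """
<Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
<Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
"""

# Constructed sample with hard line wraps, as a narrow console produces them.
SAMPLE_WRAPPED = """
<Dec 7, 2012 1:55:00 PM CET> <Critical> <Security> <BEA-090403> <Authentication for
user alice denied>
<Dec 7, 2012 1:55:00 PM CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsy
stem failed. Reason: weblogic.security.SecurityInitializationException: Authenti
cation for user alice denied
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Auth
entication Failed: User alice weblogic.security.providers.authentication.LDAPA
tnDelegateException: [Security:0902
95]caught unexpected exception
>
<Dec 7, 2012 1:55:00 PM CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
hanged to FORCE_SHUTTING_DOWN>
"""


def parse_records(console_text):
    """Split console output into records, undoing hard line wraps first."""
    flat = console_text.replace("\r", "").replace("\n", "")
    heads = list(HEADER.finditer(flat))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        records.append({
            "severity": head.group(1),
            "subsystem": head.group(2),
            "bea": head.group(3),
            "body": flat[head.end():end],
        })
    return records


def triage(console_text):
    """Summarise a boot authentication failure, or return None if there is none."""
    records = parse_records(console_text)
    denied = [r for r in records if r["bea"] == "090403"]
    if not denied:
        return None
    codes = []
    for rec in records:
        for code in SEC_CODE.findall(rec["body"]):
            if code not in codes:
                codes.append(code)
    cause = next((CAUSES[c] for c in codes if c in CAUSES), DEFAULT_CAUSE)
    user = DENIED_USER.search(denied[0]["body"])
    states = [STATE.search(r["body"]) for r in records if r["bea"] == "000365"]
    states = [m.group(1) for m in states if m]
    return {
        "user": user.group(1) if user else None,  # "" means no user name was passed
        "security_codes": codes,
        "cause": cause,
        "final_state": states[-1] if states else None,
    }


if __name__ == "__main__":
    for name, sample in (("nohup", SAMPLE_NOHUP), ("wrapped", SAMPLE_WRAPPED)):
        print(name, triage(sample))
```

An empty `user` together with 090301 matches the non-interactive start described in the first thread's reply; 090295 points at the authenticator rather than at the credentials.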
OS-Authentication for a Oracle 10g Express Edition
I want to use OS-Authentication for an Oracle 10g Express Edition. What value must be set in sqlnet.ora? Where are the possible authentication modes described? I only found the description KERBEROS5.
I tried the value all, but with all no connect is possible.
Thanks for help
Josef Springer
> Thanks for your link.
> A special username with prefix is needed. This user must be created for external authentication. This user must be known by the OS. Am I right?
Right.
> As I understand, to login with OS-Authentication I need a new Windows user. This is not usable, because my users have their login and do not want to use another, when working with the database.
> Is there another way to use OS-Authentication?
As far as I know, this is not possible, especially with Oracle XE, which does not have all the features of Enterprise Edition.
> Must the prefix be used in any case?
You can have an empty prefix: you should use the OS_AUTHENT_PREFIX init. parameter http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/initparams147.htm#REFRN10152 -
Hi,
We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell. My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box. I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too. Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords. But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
check_ntlm_password: Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
(I am blanking out the user name on purpose).
Of course there is more to the story, but those are the basics.
Here are the relevant parts of my smb.conf. FWIW, the CentOS / Samba box is called Jupiter.
Thank you,
NickZ
[smb.conf]
[global]
display charset = UTF-8
realm = SATURN.MCLEAN.HARVARD.EDU
netbios aliases = ANL
server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
interfaces = lo, em1
security = SERVER
update encrypted = Yes
password server = saturn.mclean.harvard.edu
smb passwd file = /var/lib/samba/private/secrets.tdb
passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
passwd program = /usr/bin/passwd %u
unix password sync = Yes
lanman auth = Yes
client NTLMv2 auth = Yes
client use spnego principal = Yes
kerberos method = system keytab
log level = 2
syslog = 3
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = host lmhosts wins bcast
server signing = auto
preferred master = Auto
ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
ldap group suffix = cn=groups
ldap passwd sync = yes
ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
ldap ssl = no
ldap user suffix = cn=users
usershare allow guests = Yes
idmap backend = ldap:ldap://saturn.mclean.harvard.edu
idmap uid = 10000-20000
idmap gid = 30000-40000
cups options = raw
[homes]
comment = Home Directories
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[anl]
comment = Main ANL Share
path = /anl
read only = No
guest ok = Yes
hide dot files = No
Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
Proud to say that since that day (10+ months ago) I've not seen it happen again. whew. -
Radius authentication for the browser-based webtop
Hiya all,
With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-based webtop?
SSGD version:
Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
Architecture code: i3so0510
This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
I have the radius-module running for authentication of a single directory with the apache-config-lines:
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch "/secure">
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthName "Radius authentication for SGD"
Authtype Basic
AuthRadiusAuthoritative on
AuthRadiusCookieValid 540
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for an authentication and then a 'Not Found' page is being displayed.
When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
Changing the JkLogLevel to debug gives the following info in the JkLogFile:
Radius authentication:
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
With the password-authentication file:
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
Any help will be useful since I am already stuck on this problem for a couple of days :(
Thanks,
Remold | Everett
I got response from the Fat Bloke on the mailing list.
Adding the following line in the apache httpd.conf seems to help and resolved my problem:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
Thanks The Fat Bloke !!
- Remold
These instructions are for a 4.2 SGD installation using SGD's third party web authentication with mod_auth_radius.so (www.freeradius.org).
With 4.2 Sun didn't distribute enough of the Apache configured tree to enable the use of apxs to build the mod_auth_radius module. 4.3 is better: Sun now install a modified apxs and include files. I haven't tried this with 4.3 yet though.
I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2).
So, this is how we got this working with Radius (tested with SBR server and freeradius.org server).
Install SGD in the usual way.
Enable 3rd party authentication:
According to:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:
tomcatAuthentication="false"
# cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector port="8009" minProcessors="5" maxProcessors="75"
tomcatAuthentication="false"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="0"
useURIValidationHack="false"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
"By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:"
# tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
Without this, after authenticating via webauth, the user will be prompted for a second username and password combination.
# /opt/tarantella/bin/tarantella objectmanager &
# /opt/tarantella/bin/tarantella arraymanager &
In Array Manager:
Select "Secure Global Desktop Login" on left side and click "Properties" at bottom
Under "Secure Global Desktop Login Properties"
cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
edit httpd.conf:
### For SGD Apache based authentication
Include conf/httpd4radius.conf
at the end of httpd.conf add:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
# cat httpd4radius.conf
LoadModule radius_auth_module libexec/mod_auth_radius.so
AddModule mod_auth_radius.c
# Add to the BOTTOM of httpd.conf
# If we're using mod_auth_radius, then add its specific
# configuration options.
<IfModule mod_auth_radius.c>
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
# Use the host 'radiusserver', port 1812, secret 'testing123',
# time out after 5 seconds, and retry 3 times.
AddRadiusAuth radiusserver:1812 testing123 5:3
# AuthRadiusBindAddress <hostname/ip-address>
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests coming from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
# the special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 5
</IfModule>
<LocationMatch /radius >
Order Allow,Deny
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
Put appropriate mod_auth_radius.so into
/opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
# mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
# cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
<HTML>
<HEAD>
<TITLE> Test Page for RADIUS authentication </TITLE>
</HEAD>
<BODY>
<B> You have reached the test page for RADIUS authentication. </B>
</BODY>
</HTML>
I hope this helps!
-FB -
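To see which requests the httpd4radius.conf above serves without a RADIUS login, here is a small model of its access rules (an added example, not part of the original post or of SGD). It assumes Apache 1.3 semantics: `Order Allow,Deny` denies by default, `Satisfy any` accepts either host access or a valid user, and `SetEnvIf Request_URI` sees the path without the query string; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok  (case-sensitive)
SETENVIF = [(re.compile(r"\.(cab|jar|gif|der)$"), "sgd_noauth_ok")]

# The two <LocationMatch> sections; the patterns are unanchored regexes.
# allow_env is the variable named by "Allow from env=...", or None.
SECTIONS = [
    {"match": re.compile(r"/radius"), "allow_env": None},
    {"match": re.compile(r"/sgd"), "allow_env": "sgd_noauth_ok"},
]

def request_env(url):
    """Environment variables SetEnvIf would set for this request."""
    path = urlsplit(url).path  # Request_URI excludes the query string
    return {name for rx, name in SETENVIF if rx.search(path)}

def decide(url, authenticated=False):
    """Outcome for a request; the last matching section wins."""
    path = urlsplit(url).path
    env = request_env(url)
    verdict = "outside both sections"
    for sec in SECTIONS:
        if not sec["match"].search(path):
            continue
        # Order Allow,Deny with no matching Allow line: host access denied.
        host_ok = sec["allow_env"] in env
        if host_ok:                      # Satisfy any: host access suffices
            verdict = "served without login"
        elif authenticated:              # ... or a valid RADIUS user
            verdict = "served after RADIUS login"
        else:
            verdict = "401 challenge"
    return verdict

if __name__ == "__main__":
    # Constructed sample requests.
    for u in ["/sgd/index.jsp", "/sgd/resources/logo.gif", "/sgd/applet.jar",
              "/sgd/LOGO.GIF", "/sgd/index.jsp?icon=logo.gif",
              "/radius/index.html", "/examples/index.html"]:
        print(f"{u:32} {decide(u)}")
```

Anything reported as "served without login" is reachable by unauthenticated clients, so the extension list in the SetEnvIf line is worth reviewing whenever content under /sgd changes.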
External authentication for Essbase 7.1.6.
Hi all,
We are trying to set up external authentication for Essbase 7.1.6. We have a customized version of Essbase which does not use DLL. We do not have a Hyperion Hub or any CSS set up. All we have is an authentication module from the vendor to be used instead of the DLL. As per the documents provided to us all we have to do is change the cfg file to include the AUTHENTICATIONMODULE setting. Does anyone have any experience with this? What all parameters do we need to pass to Active Directory for this to work? Please help.
Thanks.
Vish.
You could create a maxl script that replaces the filters, when you call the maxl script you could pass in a variable such as YR08 and use that variable in the script.
Cheers
John
http://john-goodwin.blogspot.com/