Authentication in IR and ID

Hi,
I have used xisuper as my ID for IR and ID.
For another person, I gave him an ID.
I did not want him to see my design objects and configuration objects created by xisuper,
but he can see everything.
Is there a way to avoid that issue?
I think there is no way; is that true?
thanks
venjamin

Venjamin,
There is a way to restrict the authorizations by S/W Components that you create. In the IR, you can restrict the same by adding the S/W components in the list by creating User Roles. In the IR Go to Tools --> User Roles. Create a new user role and attach and specify the S/W components for which you want to give access to that role.
These details have been explained in detail in this document.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/a44fdcc4-0401-0010-4ba5-d4ed39510d8c
Regards,
Ravi

Similar Messages

  • How many types of authentications in sharepoint and how to implement those authentication in sharepoint?

    Hi All,
    How many types of authentications in sharepoint and how to implement those authentication in sharepoint?
    can any one explain the above things with examples?
    Thanks in Advance!

    In addition to A Sai Gunaranjan, you can also check these URLs for SharePoint 2010:
    http://technet.microsoft.com/en-us/library/cc288475(v=office.14).aspx
    http://www.codeproject.com/Tips/382312/SharePoint-2010-Form-Based-Authentication

  • OSB Authentication using username and password (plaintext or digest)

    Hi,
    I want to implement simple OSB authentication using username/password (plain text or digest), so that clients are required to provide a username/password token in the SOAP header (message-level security) to access our web services. I have read some articles which show how to create a custom WS policy, but received the following error during deployment.
    weblogic.wsee.ws.init.WsDeploymentException: The WebLogic Server 9.x-style policy is not supported in JAX-WS web services
    Please note - I can not install OWSM as part of my requirement
    =======
    <?xml version="1.0"?>
    <!-- WS-SecurityPolicy -->
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
    <!-- Identity Assertion -->
    <wssp:Identity>
    <wssp:SupportedTokens>
    <!-- Use UsernameToken for authentication -->
    <wssp:SecurityToken IncludeInMessage="true"
    TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
    <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </wsp:Policy>

    You can use the default Auth.xml WS policy in OSB and be able to implement the authentication using username and plain text password.
    Just assign the Auth.xml on the Request Policies of the Proxy Service (under Policies).
    Then use any user credentials that have access to the domain for testing.
    If you want to restrict access for each operation, then in the Security tab, under Message Access Control, specify a Role.
    Then in the OSB > Security Configuration, create the appropriate role with the specific role conditions like User is User1 or User is User2 etc ...
    Hope this helps.
    Thanks,
    Patrick
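
    The policy in the question selects the #PasswordDigest type from the WS-Security UsernameToken Profile 1.0. As an added example (not OSB or WebLogic code, and not from either poster), this sketch shows what a receiver has to do with such a token: recompute Base64(SHA-1(nonce + created + password)), check freshness, and reject a reused nonce. The `TokenVerifier` class, the user name and the password are hypothetical and constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces and the PasswordDigest type URI as they appear in the policy above.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
CREATED = "2024-01-01T12:00:00Z"  # constructed timestamp


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_token(username: str, password: str, nonce: bytes, created: str) -> str:
    """Client side: the element a caller places in the SOAP Security header."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class TokenVerifier:
    """Hypothetical server-side check (an assumption, not a product API)."""

    def __init__(self, passwords: dict, max_age=timedelta(minutes=5)):
        # Digest mode needs the clear-text password (or an equivalent secret)
        # on the server, because the hash is recomputed for every request.
        self.passwords = passwords
        self.max_age = max_age
        self.seen_nonces = set()  # a real cache would expire entries after max_age

    def verify(self, token_xml: str, now: datetime) -> str:
        # ElementTree is fine for this constructed input; untrusted XML
        # should go through a hardened parser such as defusedxml.
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return "not-digest"
        if user not in self.passwords:
            return "unknown-user"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return "malformed"
        if abs(now - ts.replace(tzinfo=timezone.utc)) > self.max_age:
            return "stale"
        expected = password_digest(nonce, created, self.passwords[user])
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return "bad-digest"
        # Record the nonce only after the digest checks out, so unauthenticated
        # senders cannot fill the cache; a repeat inside max_age is a replay.
        if nonce in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(nonce)
        return "ok"


def demo() -> list:
    users = {"svc-client": "constructed-secret"}  # constructed credentials
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    good = build_token("svc-client", "constructed-secret", b"\x01" * 16, CREATED)
    wrong = build_token("svc-client", "guess", b"\x02" * 16, CREATED)
    old = build_token("svc-client", "constructed-secret", b"\x03" * 16,
                      "2024-01-01T11:00:00Z")
    v = TokenVerifier(users)
    # The second verify() of the same token models a captured, resent message.
    return [v.verify(good, now), v.verify(good, now),
            v.verify(wrong, now), v.verify(old, now)]


if __name__ == "__main__":
    print(demo())
```

    The digest keeps the password off the wire, but the message still needs transport or message-level protection, and the plain-text alternative suggested in the reply depends on it entirely.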

  • Configuring Basic Authentication with Username and password on BizTalk Schema Service

    Hi,
    I have published my schema as a webservice with WCF-BASICHTTP adapter in IIS 8.0.
    I wanted to have Basic Authentication (user name and password restriction).
    I made the Receive location with Security mode as Transport and Transport Client Credential Type as Basic.
    I also set the Service in IIS with Basic Authentication only enabled.
    But I don't know how to provide a UserName and Password Authentication.
    Please provide your suggestions
    Regards, Vignesh S

    Hi,
    Try & go through the below MSDN link as it explains configuring WCF BasicHttp adapter very well.
    http://msdn.microsoft.com/en-us/library/bb246064(v=bts.80).aspx
    HTH,
    Sumit
    Sumit Verma - MCTS BizTalk 2006/2010 - Please indicate "Mark as Answer" or "Mark as Helpful" if this post has answered the question

  • Write code for authentication of username and password using struts

    write code for authentication of username and password using session using struts with jdbc connection..

    write code for authentication of username and
    password using session using struts with jdbc
    connection..and please, allow me to spoon feed you!

  • 802.1x Authentication on Wired and Wireless LAN

    I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
    But I have one issue regarding single sign-on: when authenticating using 802.1x with Windows Active Directory, users who are logging in for the first time are not able to log on, but users whose profiles already exist on their PC have no issue and are successfully authenticated and log in easily.
    Is there any way of logging in successfully for first-time users using 802.1x authentication with Windows AD, like a Single Sign On?

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
    At the beginning we were completely unable to log on to the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
    Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
    Hope that someone else has any clue?

  • ISE and 3850 3.2.2SE - Authenticating Wrong Domain and More

    Hi everyone,
    Have been forced in to accepting the new session aware networking commands and I am running in to a few issues. I finally have a service policy that is authenticating dot1x and MAB (we use EAP-TLS for the desktop and MAB for the phone), however I am experiencing two major issues:
    When attempting to authenticate both devices, the port has a port-security issue and moves to an err-disabled state.
    When attempting to authenticate just the phone with the service-policy, the phone is authenticated in to the data domain. However, if I use a service-policy that authenticates just MAB the phone will be correctly authenticated in to the voice domain.
    Can anyone give me some pointers in the right direction? Attached is the interface configuration and service-policy I'm using.
    Thanks,
    Mark

    Hi salodh,
    Please find attached the following:
    1-Device.txt = The output when only authenticating MAB and one device. As you can see it starts unauthorized and once authorized remains on the data domain despite receiving the correct service template I have configured that allows voice domain access.
    2-Devices.txt = This is what occurs when authenticating both dot1x and mab in a sequential manner for two devices. Once the second device is authenticated there is no access session for it, as you can see the port is put in to an err-disabled state.
    Thanks,
    Mark

  • CSA User authentication auditing rule and Policy conflicts

    Hi there
    We have CSA 5.2 in our environment and I created a custom policy, added the 'user authentication auditing' rule and enabled auditing of failure events on a Windows XP machine, but I don't see any failure attempts in the CSA MC event log even though I tried to log on with invalid passwords. What could be the reason for this?
    Secondly, I was wondering what happens when I apply two policies. Are the policy settings added and applied to the group, or does one policy get priority over the other?
    Thanks for your answers
    Ahmed

    Have you checked the security event logs on the machines in question? If there are no events there, CSA cannot report them.
    That's where CSA gets the info and by default, there is no account auditing in Windows XP.
    You have to enable it either via group or local policy.
    Tom

  • Authentication time-outs and delays

    hello
    We have a scenario in our enterprise environment with authentication time-outs and delays. All authentication is NTLM only, and we are also using many devices such as smartphones and other mobile components. Is there any option or way to fix that kind of issue?
    Thanks in advance
    ivan bikmbauer 

    On Mon, 25 Aug 2014 11:37:47 +0000, Shuki Noy wrote:
    ask me security question
    but ask something very complicated
    This has nothing to do with your technical knowledge, the issue here is
    that you're artificially attempting to increase your forum points by
    creating fake profiles, posting "questions", posting responses using your
    own profile and then using the fake profiles to mark your own responses as
    "answers".
    I am not going to continue this discussion in the forum as it is off-topic
    and wastes everyone's time.
    I notice that you didn't answer my questions about your TechNet Gallery
    contributions.
    If you want to continue this discussion then you can do so over email. My
    email address is pkadare @ gmail.com
    Paul Adare - FIM CM MVP
    "Quoted-Printable: a standard for mangling Internet messages
    Quoted-Unreadable: the result of applying said standard
    Unquoted-Unprintable: the comments from the recipients of the above" -- bf8

  • ADFS Claims Authentication, Configuring UPA and People Picker

    Hi,
    I am just trying to get my head around setting up ADFS to authenticate users along with allowing UPA (My Sites) and People Picker to work.
    So, my environment is a WFE and an SQL Server offsite and my AD and ADFS 2.0 server onsite.  We have configured SharePoint as below and applied the Claims Provider to my Intranet web app and My Sites web app and I can log in with my account as [email protected] (UPN)
    # Trust the ADFS token-signing certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\ADFS_SelfSigned.cer")
    New-SPTrustedRootAuthority -Name "ADFS Self Signed" -Certificate $cert
    # Claim mappings: UPN (used as the identifier claim), e-mail address and role
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
    $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    $realm = "https://intranet.domain.com.au/_trust/"
    $signinurl = "https://adfs01.domain.com.au/adfs/ls/"
    # Register ADFS as the trusted identity token issuer
    $ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "My Custom Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
    # Additional provider realm for the My Sites web app
    $uri = New-Object System.Uri("https://adfs01.domain.com.au/adfs/ls/")
    $ap.ProviderRealms.Add($uri, "https://mysites.domain.com.au/_trust/")
    $ap.Update()
    iisreset
    When trying to configure a new synchronisation connection > Active Directory Import under the User Profile Service Application, I get an error saying it can't connect to the Domain Controller, which would make sense as they are not on the same domain.
    I believe that MS have a sync utility that works with Office365/MS Cloud - is there a similar solution available for my configuration?

    AD import still uses LDAP/ADSI... ADFS cannot be used DIRECTLY as a sync source, since it is NOT a QUERYABLE technology. It is an AUTHENTICATION technology. UPS syncs to a QUERYABLE data source like LDAP/ADSI, and maps one of the properties to the ADFS login (most people choose email or UPN, though I tend to recommend SID for various reasons).
    Also, since people picker displays a SEARCH window, and since ADFS is not a QUERYABLE technology, the people picker (by default) ASSUMES that whatever you type in will be VALID. You can SEARCH the UPS, but if you type an email address or something of that nature, it is NOT going to SEARCH your directory! To address this, you need to install a custom Identity Provider... one is available on CodePlex, which performs an LDAP search against the domain controller... if that's not an option, you need a custom coded solution.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First : AD identity is not triggered, I put a profile  :
      Status: 1
      Name: TestVPNDACL
      Conditions:
        NDG:Location: -ANY-
        Time And Date: -ANY-
        AD1:memberOf: equals Network Admin
      Results:
        Authorization Profiles: TEST DACL
      Hit Count: 0
    But I am getting no hits on it; Default Access is being used (Permit Access)
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success
    I am using my user which is member of the Network Admin Group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DHCP server.
    As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB whose methods are protected through the deployment descriptor:
            <assembly-descriptor>
                 <security-role>
                    <description>role for clients outside of the server </description>
                    <role-name>sedna</role-name>
                  </security-role>
                <method-permission>
                  <role-name>sedna</role-name>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>*</method-name>
                  </method>
                </method-permission>
                <method-permission>
                  <unchecked/>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>getVersion</method-name>
                  </method>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>create</method-name>
                  </method>
                </method-permission>
            </assembly-descriptor>
    I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
    But then I try to access another method which is protected and then I get this exception
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
            at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
            at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
            at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
    ...
    I have to mention that I do make a login via the LoginContext. My jaas.config file has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I look up the context with a corbaname URL which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am always ANONYMOUS on the server side, which is definitely the problem, because ANONYMOUS is not allowed to call the protected EJB methods. But I made a JAAS login in advance. So where am I making a mistake?
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    > I understand correctly that you call Subject.doAs on the client to call the remote EJB. I guess it isn't the right way.
    I also had a bad feeling about this, so I forgot it. But anyway it wasn't working with or without using that doAs().
    > Subject contextSubject = Subject.getSubject(AccessController.getContext());
    > contextSubject.getPrincipals();
    This code throws exceptions in the Appserver. Unfortunately they are caught somewhere, so I'm unable to find out what was going wrong. But I guess that these exceptions were security exceptions. Nevertheless, thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go, because that is programmatic security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposing I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via its deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context, but not for the security check; that should already have been done at this time.
    Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan

  • New Finder bug in 10.7.2 - overwriting file w/authenticated move fails and zeroes out target file too

    I have found a new bug in the Finder for Lion 10.7.2
    In 10.7 and 10.7.1, if I downloaded a new version of an application, and wanted to drag it to /Applications or /Applications/Utilities, here is what happened:
    1) Try to drag to one of these protected directories, in order to copy it over the old version.
    2) Get a dialog box saying "The item XXX could not be moved because "Utilities" couldn't be modified." This dialog would have two choices: "Authenticate" or "Cancel"
    3) Click "Authenticate"
    4) Get another dialog: "An older item named XXX already exists in this location. Do you want to replace it with the newer one you're moving?" Choices would be "Keep Both Files" "Stop" and "Replace"
    5) On clicking "Replace", the OS would ask for an admin password.
    6) You would give it, and then the OS would copy the new file. Done.
    Now, in Lion 10.7.2's Finder, after steps 1-5, there is a new dialog:
    "This operation couldn't be completed because some files had to be skipped. For each item, chose File > Get Info, make sure "Locked" is deselected, and then check the Sharing and Permissions section. When you are sure the items are unlocked and not designated as Read Only or No Access, try again."
    "OK" is the only choice to exit this dialog.
    AND
    the target file is in fact overwritten with an empty file! So your folder now contains a nonfunctional app, while the new version can't be copied over it!
    You can, in fact, go in and delete the zeroed-out app and drag the new copy into the folder. But authenticated overwriting appears dangerously broken.
    (And what an error message! Sounds like someone from the Windows 2000 team thought that one up...)
    I'm not a developer, but if any registered developers would care to replicate this and file it as a bug, I'd be very grateful.

    Yup. Thomas, have you tried replicating this in the other direction? In Terminal you can make a folder, chown it to root, set the permissions to the same as those of /Applications/Utilities, then as a normal user, try dragging something into that folder? I have - this is replicable.
    This is a real bug - worked ok until 10.7.2, then broke.
    I have worked around this bug by changing the permissions on my Applications and Applications/Utilities folders so that my account has write permission there without authentication. But that is not ideal from a security standpoint.
    If any developer out there could fire a Radar report off on this, I'd be much obliged.

  • In SQL default login 'sa' can't be used in SQL Authentication...and how to find its password

    Hi. While installing SQL Management R2 2008, are there any steps to enable the default login 'sa' and to set a password for it (login sa) in SQL Authentication? Or is it possible to set a password for another user login which is newly created?
    I tried to create a new login named 'NIT' with 'SQL Server Authentication' and I also entered a password. When I tried to connect with NIT and its password using SQL Server Authentication, it threw error 18456.

    >>>>is it any steps to enable default login 'sa' and to set password for it (login sa)
    You can specify Mixed (SQL Authentication) and then  you would need  to provide a password for SA.
    Can you post entire message  you are getting from?
    http://blogs.msdn.com/b/sql_protocols/archive/2006/02/21/536201.aspx
    Best Regards, Uri Dimant, SQL Server MVP
    http://sqlblog.com/blogs/uri_dimant/

  • Connecting Using SSL Authentication Without Username and Password

    Hi,
    We're on RedHat Linux 4.0 using 10.2.0.3 (server/client). We're trying to figure out a way to connect to the database using instantclient and JDBC-OCI and SSL authentication without using a username or password. According to the documentation this should be possible but no sample code is given.
    LD_LIBRARY_PATH is set /opt/app/oracle/product/10.2.0/db_1/lib:/usr/lib:/home/oracle/instantclient where the instantclient was installed from the 10.2.0.1 client software
    and we are using JDK version 1.6.0_03.
    We're also referencing the following paper:
    http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf
    We've got our client and server wallets configured and the sample code we tried looks like this:
    import java.sql.*;
    import java.io.*;
    import java.util.*;
    import oracle.net.ns.*;
    import oracle.net.ano.*;
    import oracle.jdbc.*;
    import oracle.jdbc.pool.*;
    import java.security.*;
    import oracle.jdbc.pool.OracleDataSource;

    // Class wrapper added so the posted snippet compiles; the name is arbitrary.
    public class SslAuthTest {
        public static void main(String[] argv) throws Exception {
            DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
            Security.addProvider(new oracle.security.pki.OraclePKIProvider());
            System.setProperty("oracle.net.tns_admin", "/opt/app/oracle/product/10.2.0/db_1/network/admin");
            // Thin-driver URL as posted; this is the version that raises the error below.
            String url = "jdbc:oracle:thin:@orcl";
            java.util.Properties props = new java.util.Properties();
            // Authenticate with the SSL certificate instead of a username/password
            props.setProperty("oracle.net.authentication_services", "(TCPS)");
            props.setProperty("javax.net.ssl.trustStore",
                    "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/server/cwallet.sso");
            props.setProperty("javax.net.ssl.trustStoreType", "SSO");
            props.setProperty("javax.net.ssl.keyStore", "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client/cwallet.sso");
            props.setProperty("javax.net.ssl.keyStoreType", "SSO");
            props.put("oracle.net.ssl_version", "3.0");
            props.put("oracle.net.wallet_location", "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client)))");
            System.out.println("At Here...");
            OracleDataSource ods = new OracleDataSource();
            //ods.setUser("scott");
            //ods.setPassword("tiger");
            ods.setURL(url);
            ods.setConnectionProperties(props);
            System.out.println("At Here1...");
            Connection conn = ods.getConnection();
            System.out.println("At Here2...");
            Statement stmt = conn.createStatement();
            ResultSet rset = stmt.executeQuery("select 'Hello Thin driver SSL "
                    + "tester ' from dual");
            while (rset.next())
                System.out.println(rset.getString(1));
            rset.close();
            stmt.close();
            conn.close();
        }
    }
    When this code is compiled and run, the following error is thrown:
    Exception in thread "main" java.sql.SQLException: invalid arguments in call
    at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
    If a username and password are supplied, the code works. So does anyone have a working example of using SSL to authenticate without supplying a username/password?
    Thanks
    mohammed

    Hi,
    I just solved this. I noticed from another thread that I was not using the OCI driver (see below):
    String url = "jdbc:oracle:thin:@pki14";
    Once I changed it to:
    String url = "jdbc:oracle:oci:@pki14";
    The code worked perfectly. One more setting that you'll have to do is to create the user you want to connect as externally:
    create user scott identified externally as
    'CN=acme, OU=development, O=acme, C=US';
    grant connect,create session to scott;
    Note that the DN should be the same as the SSL certificate that you created in your wallet.
    hth
    mohammed

  • Authentication using userCertificate and SASL External

    hi!
    I try to authenticate using SASL "External" and SSL.
    The SSL connection works fine, also SASL when using "Digest-MD5" but when I try to authenticate using "External" I get connected as anonymous.
    Here is what I did:
    I created a self-signed certificate with owner "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org".
    My client has this certificate in its keystore.
    The server has an entry with "dn=uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" and this entry has the userCertificate attribute, which also contains my self-signed certificate.
    I edited the "certmap.conf" file like this:
    certmap default default
    default:DNComps
    default:FilterComps uid
    default:verifycert on
    As I understood the manual, this means the server should search the directory for an RDN "uid=xyz" and check if the certificate of this user is the same as the one provided by the client. If it is, the client should get the permissions of this entry.
    But in the logfile I always get this message:
    conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
    conn=4 SSL 128-bit RC4
    conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
    conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
    conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    conn=4 op=2 fd=1148 closed - A1
    So, one possibility is that I understood something completely wrong, and the other is that the server doesn't find the entry "uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" because of some misconfiguration, or I need a user certificate which has been issued by a CA...
    Can anyone help me?
    Thanks a lot!
    Florian
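
    The access-log excerpt in the post above shows the symptom directly: the EXTERNAL bind returns err=0 but the bound dn stays empty, so the session carries on as anonymous. As an added example (not part of the original post and not directory-server code), this script pairs each SASL EXTERNAL BIND with its RESULT line and classifies the outcome, which is a quick way to find certificate-mapping failures that would otherwise pass as successful binds. The conn=4 lines are the ones from the post; conn=5 to conn=7 and their addresses are constructed for contrast.

```python
import re

# conn=4 is the excerpt from the post; conn=5..7 are constructed sample lines.
SAMPLE_LOG = '''\
conn=4 fd=1148 slot=1148 SSL connection from 172.16.0.190 to 172.16.0.190
conn=4 SSL 128-bit RC4
conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
conn=4 op=1 SRCH base="uid=xyz,ou=OrgUnit1,ou=OrgUnit2,o=Org" scope=0 filter="(objectClass=*)" attrs="entryid"
conn=4 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=4 op=2 fd=1148 closed - A1
conn=5 fd=1152 slot=1152 SSL connection from 192.0.2.10 to 192.0.2.1
conn=5 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=abc,ou=OrgUnit1,ou=OrgUnit2,o=Org"
conn=6 fd=1156 slot=1156 SSL connection from 192.0.2.11 to 192.0.2.1
conn=6 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
conn=7 fd=1160 slot=1160 SSL connection from 192.0.2.12 to 192.0.2.1
conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
'''

CONN_RE = re.compile(r'conn=(\d+) .*SSL connection from (\S+) to ')
BIND_RE = re.compile(
    r'conn=(\d+) op=(\d+) BIND dn="[^"]*" method=sasl version=\d+ mech=EXTERNAL\b')
# tag=97 is the bind response; other RESULT lines (searches etc.) are ignored.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b(.*)$')
DN_RE = re.compile(r' dn="([^"]*)"')


def external_bind_outcomes(lines):
    """Return one record per SASL EXTERNAL bind with a verdict:
    'mapped'    - err=0 and the server bound the session to an entry
    'anonymous' - err=0 but the bound dn is empty (certificate not mapped)
    'failed'    - the bind itself was rejected (err != 0)
    """
    clients = {}      # conn id -> client address
    pending = set()   # (conn, op) of EXTERNAL binds awaiting their RESULT
    outcomes = []
    for line in lines:
        line = line.strip()
        m = CONN_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending.add((m.group(1), m.group(2)))
            continue
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue
        pending.discard((m.group(1), m.group(2)))
        err = int(m.group(3))
        dn_match = DN_RE.search(m.group(4))
        bound_dn = dn_match.group(1) if dn_match else ""
        if err != 0:
            verdict = "failed"
        elif not bound_dn:
            verdict = "anonymous"
        else:
            verdict = "mapped"
        outcomes.append({"conn": m.group(1), "client": clients.get(m.group(1)),
                         "err": err, "bound_dn": bound_dn, "verdict": verdict})
    return outcomes


def anonymous_external_binds(lines):
    """Only the binds that 'succeeded' without any identity attached."""
    return [o for o in external_bind_outcomes(lines) if o["verdict"] == "anonymous"]


if __name__ == "__main__":
    for outcome in external_bind_outcomes(SAMPLE_LOG.splitlines()):
        print(outcome)
```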

    Nikolay,
    Assuming you mean authentication to your developed application and not the HTML DB facilities, yes you can do that. Take a look at the custom_page_sentry function that appears on this forum in several threads, e.g., Re: NTLM with Cookies ... - is someone there. After you change this function to meet your requirements (cookie names, etc.) and compile it in your application's schema, you'd create a new authentication schema and type 'return custom_page_sentry;' into the page sentry function field. Then enter a URL to your site's login page into the Invalid Session URL field. Then make the new authentication scheme the current scheme. Of course, with this solution, you are responsible for making it as secure as you need it to be, preventing cookie forgery/theft, etc.
    Scott
