Authentication using multiple domains

Similar Messages

• Using Multiple Domain Names to Access Our Portal

  We operate one domain corp.company.com but all internal intranet web servers get  assigned the address inside.ZZZ. The inside.ZZZ is on our IE exclusion list but company.com is not. Adding company.com seems to be a miserable task so we are looking at adding an alias so our users can access the server at the new inside.ZZZ url. We have DNS pointing the URL to the right server and that seems to be working properly.
  Something within the application is redirecting the page to gnwhepdev.corp. company .com (our server’s domain address) after the initial login.  Since *.corp. company .com is not in the exclusion list, it is considered an outside address and rerouted.  We are trying to find some way to pass the alias within the  application itself so that we don’t need *.corp. company .com in the exclusion list and we can point users to the inside.ZZZ url.
  Our team researched this issue and found documentation that supported the use of multiple domain names to access a Enterprise Portal.  The documentation that we found is below:
  How To…Configure the J2EE Engine Deployment Descriptor (Version 1.00 – July 2004)
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d0eb8120-b66c-2910-5795-894f384fc054
  Particularly on page 13-15 in the documentation it talks about enabling the portal via multiple domain names (Section 3.7:  Using Multiple Domain Names to Access the Portal).  Also, the documentation says the following:
       You must have sever proxy servers, each with a different domain name.  You then activate the filter mechanism and configure it to work with several proxy servers
  We have several questions about the possiblities of being able to set this up and whether it would require another server where Web Dispatcher would need to be installed for this configuration to work properly.  Can someone please provide some insight into what needs to be configured and answer the question about the Web Dispatcher?  Also, if Web Dispatcher is required, what steps need to be done to configure?  If Web Dispatcher is not needed, what will we need to do apart from that to set this up for our Enterprise Portal system?

  It is but you have to use masking......
  http://iwebfaq.org/site/iWeb_Domains.html

• How to set #HOST# variable used in Chart template using Multiple Domains?

  I have a extended question to How can I set #HOST# variable referenced in the Chart template?
  In addition to the Proxy layer, we are looking to use multiple sub-domain names into the same Oracle APEX instance (through the one DAD) each mapped to a different application id. Therefore I don't think the solution in the link will work for me - as this embeds a single domain name in the DADS.CONF.
  Two questions:
  - Is it possible to set the "HTTP_HOST" in "dads.conf" using an existing HTTP Header value? - my proxy can pass on the original domain as "HTTP_X_FORWARDED_HOST". So if it was possible to use (say: using whatever form/syntax of parameterisation is available) ?
  >
  PlsqlCGIEnvironmentList HTTP_HOST=%{HTTP_X_FORWARDED_HOST}
  >
  If it can then that would work for me. It would be great if modl_plsql handled this out of the box as I understand the "X-FORWARDED" approach is pretty standard in the proxy world including passing on original IP addresses. Hitting an phpinfo() site shows headers
  >
  HTTP_X_FORWARDED_FOR     192.168.2.100
  HTTP_X_FORWARDED_HOST     dev.mycompany.com:443
  HTTP_X_FORWARDED_SERVER     mycompany.com
  >
  - Alternatively is it possible in APEX environment to set the #HOST# from the HTTP Header "HTTP_X_FORWARDED_HOST" if it exists for all requests?
  Thanks

  Hi Donna,
  changing the CGI environment variables HTTP_HOST, REQUEST_PROTOCOL and SERVER_PORT is the correct way how to resolve this, because it appears that your hiding the web server where you have installed mod_plsql or EPG by a different outside facing web server (also called reverse proxy). That's why APEX gets the host name, protocol and port of the internal web server, but should actually get the values of your reverse proxy web server. Can can fix that by changing the following CGI environment variables.
  HTTP_HOST should just contain the domain name (no protocol or port). For example: www.oracle.com
  REQUEST_PROTOCOL should contain http or https
  SERVER_PORT should be the port for https
  I don't want to add a new cgi variable called HOST because HOST sounds so generic and it might interfere with something else running in our environment. Or, I don't want to change the plsql cgi environment variable (such as HTTP_HOST) because many developers may use owa_util.get_cgi_env('HTTP_HOST') to get the current server. If the SERVER_PORT is part of the #HOST# then what could I change it to if it needs to be null. If you leave it blank, then the default SERVER_PORT comes from the CGI variables.The value of HTTP_HOST is wrong anyway and points to your internal web server, but I assume your developers actually want to get the host name of your external web server if they use it to generate absolute URLs. That's why I wouldn't bother and set it to the correct host name.
  Regards
  Patrick
  My Blog: http://www.inside-oracle-apex.com
  APEX Plug-Ins: http://apex.oracle.com/plugins
  Twitter: http://www.twitter.com/patrickwolf

• VPN Concentrator authentication with multiple domains

  I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independant of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users the belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication seperate.
  Thanks in advance for any help.

  To authenticate users that belong to site A domain using site A's domain controller you should authenticate users the belong to site A domain using site A's domain controller

• Manual Tomcat Active Directory (AD) Authentication with multiple domains

  Hi,
  We have successfully implemented manual AD Authenticaiton on our BO XI 3.1 environment using Tomcat applicaiton server.
  Now we need to include another domain to be able to use AD authenticaiton to BOE.
  What changes do we need to perform to allow the additional domain to log in successfully?
  Thanks for any support.
  Thanks,
  J

  Hello,
  You need to modify the file krb5.ini by adding the second domain there
  Have a look at the note 1406795 (https://bosap-support.wdf.sap.corp/sap/support/notes/1406795)
  The users of that domain will have to login by specifying that domain (user@domain)
  Regards,
  Philippe

• ACS 4.2 authentication using multiple external databases

  Hi there.
  We currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
  1) VPN client (via ASA5510)
  2) Wireless (EAP-PEAP)
  For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
  We would like to try achieve the following in ACS:
  IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is.
  IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
  Does anyone have any best practice guidance, configuration guides or previous experience in differentiating the request sources and how they are handled by ACS?
  Many thanks

  Hello Malcom,
  If you have ACS 4.2 you might want to implement Network Access Profiles:
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1128143
  or
  http://tools.cisco.com/squish/5F591
  This should be the best approach for you if using ACS 4.x.
  If this was helpful please rate.
  Regards.

• Using Multiple AD domains with ACS

  Hi,
  Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location but the users will be from different domains and I was hoping to use a single applicance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
  In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
  Thanks in advance
  Jason

  Hi Javier,
  I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains - I don't want to have to established trusts between different domains.
  Kind regards
  Jason

• Multiple domains authentication on Cisco ISE

  Hi,
  Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
  I can only set Cisco ISE to join on single active directory and LDAP
  Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
  Thanks
  Pongsatorn

  Hi,
  We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
  From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
  Please share your experience if someone has faced similar situation before.
  Regards,
  Akhtar

• LDAP Authentication - Multiple Domains

  I want to be able to use the built in LDAP Authentication scheme to allow authentication against multiple AD Domains... each with it's own separate Host IP/Server, and LDAP DN String. The User ID is formated the same among all Domains, so that is not a concern. I am currently authenticating against one Domain and it scans the tree successfully.
  Host: xx.xx.xx.xx
  DN String: %LDAP_USER%@amer.globalco.net
  (amer.globalco.net is the domain)
  How can this be accomplished? Is it possible all you guru's out there?
  I saw one forum thread discussing how to add a drop down list to the login page, then use the value of the page item in the DN String to specify Domain... That makes sense - HOWEVER - I also have to use a different Host Server / IP address for each domain as well.... Now that is 2 fields that need updating based on one select list.
  I can build the select list using "IP/Domain" - but how do I separate the two data bits in the ITEM Value into their own field values?
  Can I use the ldap_dnprep function to do text editing to create two field values from one ITEM value that I can use in the standard LDAP authentication form fields?
  As you can tell - I am not a SQL/PLSQL person... and I want to avoid creating my own LDAP scheme.
  Please include example/suggested SQL -
  Thanks in advance...
  Rich
  Apex v3.2.1
  Oracle 10G Express

  Based on prior post I had similar question and the result was to write custom auth scheme to read the values from the login page, perform auth against appropriate ldap, then return a valid session to proceed with login in apex app. In our case, the issue was having users is different branch nodes on the same ldap server but not being able to search from a common higher-level branch for some reason...
  Another option you could try, not recommended as it would mean multiple pages to maintain, would be a separate login page per ldap/domain, maybe would even have to multiple apps with just a login page and then redirect to the main app... been a really long time since i've tried anything like it, just giving some options to try.

• Cisco support LDAP Authentication - Multiple Domains

  Hi,
  I want to change the LDAP authentication as the multiple domains and my Windows AD environment is the child trust, that mean the root DC is the "abc.com", which have the two child DCs, e.g. "us.abc.com ", "uk.abc.com"
  Is it possible I just changed the LDAP auth. with user search space as the root DC is fine?
  OR
  I must use the "userPrincipalName" ?

  But it had the collision SAMAccountName, that would have the same account name between the us.abc.com and uk.abc.com. 
  If I changed the "userPrincipalName" LDAP sync to CM, how about the Jabber login?

• How do I get certificate authentication working across multiple domains?

  Hi,
  I've got LC ES2 set up for certificate authentication and when there's only one domain (with a single certificate mapping set up), it works fine.
  However would like to have multiple domains (application specific), with a small set of administrator type users who manage all of the domains.
  To test, I've set up two domains, with the admin users in one and the normal users in the other.
  I've set up two certificate mapping rules (both for the same CA), one for each domain.
  However LC will only authenticate users who are matched using the first certificate mapping rule.
  Has anyone else seen/tried this?  Have I missed something obvious?
  For the moment I'm going to have to work with a single domain, which is a pain, but will have to do for now.
  Thanks
  Craig
  Here's the error I get when LC fails to match (or attempt to match?) on the second cert mapping rule:
  2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
  2010-05-11 11:36:38,885 ERROR [STDERR] 11/05/2010 11:36:38 AM com.adobe.rightsmanagement.webservices.rest.RestServlet doAction
  SEVERE: Unexpected exception in Rest Call
  com.adobe.idp.um.api.UMException| [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16423 errorCodeHEX:0x4027 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mappingcom.adobe.idp.common.errors.exception.IDPException| [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] errorCode:12805 errorCodeHEX:0x3205 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:251)
  at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:194)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:338)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:154)
  at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImp l.java:162)
  at com.adobe.idp.um.dsc.util.dscservice.UserManagerUtilServiceImpl.authenticateWithWSHeaderE lement(UserManagerUtilServiceImpl.java:173)
  at sun.reflect.GeneratedMethodAccessor1065.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(DefaultPOJOInvokerImpl.jav a:118)
  at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(InvocationInterceptor. java:140)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.intercept(DocumentPassi vationInterceptor.java:53)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.doInTransaction(Transa ctionInterceptor.java:74)
  at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionBMTAdapterBean.doRequiresNew (EjbTransactionBMTAdapterBean.java:218)
  at sun.reflect.GeneratedMethodAccessor363.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionConta iner.java:237)
  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionI nterceptor.java:158)
  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
  at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:1 73)
  at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:77)
  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstance Interceptor.java:169)
  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
  at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor. java:138)
  at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
  at org.jboss.ejb.Container.invoke(Container.java:960)
  at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:430)
  at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:103)
  at $Proxy179.doRequiresNew(Unknown Source)
  at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute(EjbTransactionProvi der.java:145)
  at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.intercept(TransactionInt erceptor.java:72)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.intercept(InvocationStra tegyInterceptor.java:55)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept(InvalidStateIntercep tor.java:37)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterc eptor.java:165)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)
  at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
  at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)
  at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:129)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMessage(AbstractMessage Receiver.java:93)
  at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessageDispatcher.java:22 5)
  at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(AbstractMessageDispat cher.java:66)
  at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:208)
  at com.adobe.idp.um.dsc.util.client.UserManagerUtilServiceClient.authenticate(UserManagerUti lServiceClient.java:210)
  at com.adobe.edc.server.platform.UMHelper.authenticate(UMHelper.java:549)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.validateClientAuthenticationHeader (RestFacade.java:161)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getBusinessHandler(RestFacade.java :206)
  at com.adobe.rightsmanagement.webservices.rest.RestFacade.getAuthenticationToken(RestFacade. java:226)
  at com.adobe.rightsmanagement.webservices.rest.RestDefaultRequestHandler.handleRequest(RestD efaultRequestHandler.java:29)
  at com.adobe.rightsmanagement.webservices.rest.RestSecureRequestHandler.handleRequest(RestSe cureRequestHandler.java:13)
  at com.adobe.rightsmanagement.webservices.rest.RestRequestRouter.routeRequest(RestRequestRou ter.java:10)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doAction(RestServlet.java:50)
  at com.adobe.rightsmanagement.webservices.rest.RestServlet.doGet(RestServlet.java:37)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j ava:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja va:179)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java: 157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
  a
  2010-05-11 11:36:38,886 ERROR [STDERR] t org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja va:580)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  at java.lang.Thread.run(Unknown Source)

  Craig,
  The certificate mapping works in the following manner,
  First the User's certificate is validated.
  If the certificate is valid, the related Certificate mapping information is fetched.
  From the Certificate Mapping information, the domain is determined.
  Following this, the user is searched in the domain and checked for it's current/deleted status.
  If user exists or is a valid one, then return an AuthResult corresponding to that is returned to the client.
  The error log below says, "Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping"
  1. Please check if the concerned user exists in the domain registered in the second cert mapping.
  2. Also check if the concerned user satisfies the attribute mapping specified in the second cert mapping.
  3. Could you confirm whether the admin Users and the normal users are distinct in both the domains and not duplicate in any of them??
     Because if same user exists in 2 domains, then there is no way to find out which domain you are referring to. In that case the first domain which declares the user as valid will return the AuthResult.
  4. You are using LC ES2, so there is a Test Certificate utlity on the same Certificate Mapping page, which can help you confirm the validity of the user's certificate and then you can proceed.

• How to use the Load Balancer Plug-in to serve multiple domains

  In SJSAS8.1 SE/EE the asadmin commands that create and maintain a load balancer configuration operate within a domain. When the load balancer configuration is exported an xml file is created that contains all the information for that domain. To make the load balancer plug-in balance the load for multiple domains, the loadbalancer.xml files can be manually merged to conatin the data that is exported from each domain's load balancer configuration.
  For example, 2 domains are created, both having a load balancing configuration. After exporting both configurations using the asadmin export-http-lb-config command, the user would then cut and past the cluster information into the single loadbalancer.xml file that resides under the web server's config directory.
  An example of the manually merged loadbalancer.xml file follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <loadbalancer>
  <cluster name="domain1">
  <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1026 https://localhost:38181" name="i1"/>
  <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1027 https://localhost:38182" name="i2"/>
  <web-module context-root="ab" disable-timeout-in-minutes="30" enabled="true"/>
  <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <cluster name="domain2">
  <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1029 https://localhost:38189" name="i3"/>
  <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1030 https://localhost:38188" name="i4"/>
  <web-module context-root="webservice" disable-timeout-in-minutes="30" enabled="true"/>
  <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="60"/>
  <property name="reload-poll-interval-in-seconds" value="5"/>
  <property name="https-routing" value="false"/>
  <property name="require-monitor-data" value="false"/>
  <property name="route-cookie-enabled" value="true"/>
  </loadbalancer>
  Hope this helps - Mark

  Mark, be my savior, I work for SUN as subcontractor at client site. the only one at site ...so I depend on this forum for solutions........
  still having trouble failingover to second instance. I have two AccessManagers behind this loadbalancer.
  Here is what I saw......
  **************LOGS**********************
  [20/Jun/2005:14:22:47] failure (15102): for host 128.114.65.13 trying to GET /amconsole/base/AMA
  dminFrame, service-passthrough reports: timed out waiting for request body
  [20/Jun/2005:14:22:47] warning (15102): reports: lb.runtime: ROUT1014: Non-idempotent request /
  amconsole/base/AMAdminFrame cannot be retried.
  So I went and updated the loadbalancer.xml (see at the end of the msg). Now I get a different kind of problem...
  **************LOGS******************************
  [20/Jun/2005:15:25:18] failure (15295): for host 128.114.65.13 trying to GET /amconsole/base/AMA
  dminFrame, service-passthrough reports: timed out waiting for request body
  [20/Jun/2005:15:25:18] info (15295): reports: lb.runtime: RNTM3003 : Error servicing the request : NoVal
  Here is my loadbalancer.xml file...
  <loadbalancer>
  <cluster name="cluster1">
  <instance name="instance1" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-1.ucsc.
  edu:80 "/>
  <instance name="instance2" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-2.ucsc.
  edu:80 "/>
  <web-module context-root="amconsole" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lber
  ror.html" >
  <idempotent-url-pattern url-pattern="/*" no-of-retries="3" />
  </web-module>
  <web-module context-root="amserver" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberr
  or.html" >
  <idempotent-url-pattern url-pattern="/*" no-of-retries="3" />
  </web-module>
  <web-module context-root="ampassword" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lb
  error.html" />
  <web-module context-root="amcommon" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberr
  or.html" >
  <idempotent-url-pattern url-pattern="/*" no-of-retries="3" />
  </web-module>
  <health-checker url="/" interval-in-seconds="15" timeout-in-seconds="2" />
  </cluster>
  <property name="reload-poll-interval-in-seconds" value="60"/>
  <property name="response-timeout-in-seconds" value="30"/>
  <property name="https-routing" value="false"/>
  <property name="require-monitor-data" value="true"/>
  <property name="active-healthcheck-enabled" value="true"/>
  <property name="number-healthcheck-retries" value="3"/>
  <property name="route-cookie-enabled" value="true" />
  </loadbalancer>
  **************************************************************

• Strip multiple @domain used in username on AD Integration with Cisco ISE?

  Hi there ,
  How to strip multiple domain suffixes from username through ISE with AD being used as external Identity Source. Username is being used in username@domain format.
  Cisco ISE 1.2 patch 4 introduced strip prefix or suffix @domain realm from username through ISE with AD being used as external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully but subsequent ones listed in the suffix list fails to get stripped.
  Any thoughts on the same.
  Thanks Kumar

  In the ISE Under Administration > Identity Management > External Identity Sources
  Choose Active Directory on the Left, Select your AD Server and select Advanced Settings
  Under Identity Suffix Strip, Make sure Strip prefixes listed below: is selected (I know, it says prefix).
  In the List of Suffixes box, enter your list of domain suffixes to strip.  The separating character is a comma (,). 
  If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
  *****UPDATE*****
  Spaces are significant characters.  When listing domains, do so as such:
  @domain.com,@domain.local,@testdomain.com
  *****END UPDATE*****
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton
  Message was edited by: Charles Moreton

• Authentication with Multiple SSIDs AP521G, using Autonomous

  I have an AP521G access point that I am trying to setup authentication for multiple SSIDs. One SSID is for domain users with WPA/TKIP authentication to a radius server and the other SSID is for guest to have access to Internet with no authentication. Is there a way to setup both SSIDs on the AP for this configuration?

  Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.

• 802.1x using authentication from NT Domain Controller instead of Radius

  I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

  It is possible to use MS AD, generic LDAP, Novell NDS for authentication, it's fairly common.
  The issue is "How do get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
  The answer is RADIUS.
  You can configure RADIUS to pull authentication from a variety of source (depending on the RADIUS - many/most can use any of the LDAP-based systems).
  So, yes, certainly you can use the Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
  If cost is the issue, try freeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, Certificates, etc), it's free, and configuration is much easier than it looks ....
  Good Luck
  Scott