BI Apps 7.9.6 authentication method with EBS integration

Hi all,
since the default BI Apps documentation (meaning the Security Guide, which deals mainly with Init Block setup for different security groups for an EBS implementation) is not very clear about it, I would just like to confirm: the only way to integrate a BI Apps OBIEE environment with EBS in terms of security (authentication/authorization) is via the method described in Oracle® Fusion Intelligence For E-Business Suite, meaning setting up the BI Pres Service to get the cookie value from the EBS session and populate NQ_SESSION.ICX_SESSION_COOKIE, which is then used in OBIEE Init Blocks to set up the context of the EBS user and, based on that context, initialize different session variables (even row-wise, for populating variables used in security filters, e.g. LEDGER) for the logged-in EBS/OBIEE user. Is that right? Is there no other method to authenticate an EBS user in OBIEE, similar to the BI Apps implementation with Siebel CRM (authenticating the user by executing an Init Block assigned to a Connection Pool in which the :USER and :PASSWORD variables are used to authenticate the user against the Siebel OLTP db)?
I just want to be sure that this is the only way to integrate a BI Apps OBIEE environment with EBS from a security point of view.
Thanks very much in advance for your answers/opinion.
Michal Zima

I'm not using EBS R12.1.3 but I can give a suggestion, if possible try it once.
Using current configuration (Informatica and DAC) run a data load sourcing from EBS R12.1.3.
Let me know if you try this :)

Similar Messages

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>
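
A way to check the point made in the reply above, that both the CA and the ADFS signing certificate have to be registered: this is an added example, not part of the original thread. The function name `Get-SPChainTrustReport` and the certificate path are hypothetical; it assumes it is run on a SharePoint server where the SharePoint snap-in is available.

```powershell
# Added example, not from the thread. Lists every certificate in the chain of
# the ADFS token-signing certificate and shows whether SharePoint already has
# it as a trusted root authority.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPChainTrustReport {
    param(
        [Parameter(Mandatory = $true)]
        [string] $SigningCertPath   # exported .cer file (placeholder path below)
    )

    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)

    # Build the chain with the Windows chain engine. Revocation is skipped
    # because only trust registration is being checked here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $false for an untrusted or self-signed leaf, but
    # ChainElements still holds every certificate Windows could locate.
    [void] $chain.Build($leaf)

    # Thumbprints SharePoint already trusts (same objects as in the output above).
    $registered = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Registered   = ($registered -contains $cert.Thumbprint)
        }
    }
}

# Rows with Registered = False are the ones still to be added with
# New-SPTrustedRootAuthority, as done in the reply.
Get-SPChainTrustReport -SigningCertPath 'C:\path\to\ADFS_Signing.cer' |
    Select-Object Subject, Registered, SelfSigned, DaysToExpiry, Thumbprint |
    Format-Table -AutoSize
```

The signing certificate in the output above is valid for one year, so `DaysToExpiry` is worth watching: a replacement signing certificate has a new thumbprint and has to be registered again.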

  • One SSID with multiple authentication methods

    Have received a request from a customer to run both TKIP and AES encryption on the same SSID
    From reading I believe this is not possible but can anyone confirm this please
    Currently the config looks thus
    dot11 ssid HELP
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    authentication key-management wpa version 2  <<<<<<<<<<<<<<<<<<
    <<<<< Trying to add wpa version 2 overwrites authentication key-management wpa so presume this confirms it can't be done >>>>>
    Interface Dot11Radio0
    encryption mode ciphers tkip
    encryption vlan 20 mode ciphers aes-ccm tkip
    Many Thanks

    Hello
    Cisco wireless products have the option to offer wireless clients both encryption methods, TKIP and AES, and even WEP, on the same SSID. This can be configured in the GUI and CLI, but what you have to be aware of and careful about is that this is not the standard. Even though Cisco can offer this, some clients won't understand it; they will get confused and disconnect or just not be able to connect at all.
    We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
    Regards,

  • Authentication issue with Xcelsius/Portal integration

    I am facing an issue with the way we have integrated our Xcelsius dashboard with our corporate portal. I know this probably is more of a SDK question than Administration, but I figured I will ask it here anyway since Tim and some others are diverse enough in their knowledge base. This might be LONG post but please advise if anyone has any good pointers.
    We have an Xcelsius dashboard that needs to be served up via our corporate intranet (based on MS Sharepoint 2007). Now we are NOT using the MS Sharepoint Portal Integration Kit, but just doing a basic integration of the SWF call within a web part on Sharepoint. All this means is that within a portlet (web-part) on Sharepoint, I am making a HTTP call to the openDocument URL to invoke the SWF file. So the SWF is actually served up from our Tomcat App Server, and displayed onto this frame within the portal. That is the basic idea.
    To achieve this, what I did was write some custom code using the Java SDK to modify the openDocument a little bit. By doing so, I was able to insert some behind-the-scenes-login code wherein no matter who the portal user (Win AD-based) is, he is logged in to BOE as a generic "dashboard-user" and the dashboard is served up. This worked fine for the first dashboard where all we had was SWF and some WebI linking using openDocument (no full-InfoView access).
    But in this second dashboard now, what we also have is a hyperlink for users to get to InfoView to do Ad-hoc reporting. What this does is open a child browser window from within the portal (dashboard) --- and it remembers the BOE session for the generic user id "dashboard-user" and logs the end-user in to InfoView using that. But what I actually want is that the end-users, on this new window, should only be prompted at the traditional InfoView logon screen where they can manually enter their Windows AD password and get in. Thus, I would like to keep the dashboard SWF page session separate from the InfoView ad-hoc session, which I cannot seem to do because of the browser relationship and session maintenance.
    I am trying to find a way where I can simulate a single sign-on for dashboard viewers on the portal, but at the same time let them jump off to InfoView as themselves.
    Any thoughts on how I can do this?
    Notes:
    We DO NOT have Single Sign-On enabled for InfoView
    We are using Windows AD authentication (manual, no SSO)
    We are on Tomcat

    Sarang Deshpande wrote:
    1) If the InfoView app on Tomcat (desktoplaunch) is configured with Vintela, openDocument calls from the portal with automatically work using behind the scenes SSO, correct?
    in XIR2 everything that falls under infoview should SSO when infoview is setup for SSO (not the case in XI 3.x)
    Sarang Deshpande wrote:
    2) What is the best practice when it comes to the service accounts needed? I have implemented Windows AD manual auth already so I have a service account that use for that. Should I be using the same on and making vintela/SSO-specific changes to it...or should I have a separate vintela service account and deal with two different ones..each for a diff purpose?
    There is no best practice per se but the less service account the lower your chances to duplicate an SPN, functionally everything seems to work just as well with multiple as it does with 1 (of course with 1 there is less management work) If you click the SSO link in my forum sticky post I have a section explaining this with some suggested methods of deploying a service account(s)
    Sarang Deshpande wrote:
    3) Other than some minor browser configurations that might be required, is there anything else that I should communicate to the team about what might be required to be "pushed" to users' PCs?
    Using the default config nothing should be required on the client machine (unless SSO has been disabled in the browser or you intend to use a url that contains a period ..... (i.e. FQDN or IP) with hostname URL (the default) it should just work.
    To note if you have XP SP2 or older there is a microsoft spnego bug you may need to apply a fix if you aren't patched to SP3 (about 5% of our customers run into this).
    Regards,
    Tim

  • The test couldn't sign in to Outlook Web App due to an authentication failure. Extest_ account.

    Hi.
    I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
    I have run the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
    The OWA rule works for some time until (I think) SCOM does an automatic password reset of the extest_ account. Then I get the OWA error below. The other connectivity tests are working. Any suggestions?
    One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
    Target: xxx|xxx
    Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxxx
    User: extest_xxx
    Details:
    [22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
    [22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
    [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
    [22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
    [22:50:09.154] : The server reported that it supports authentication method FBA.
    [22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
    [22:50:09.154] : Trying to sign in with method 'Fba'.
    [22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
    [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
    [22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxx
    User: extest_xxx
    [22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
    Authentication Method: FBA
    Mailbox Server: xxx
    Client Access Server Name: xxx
    Scenario: Logon
    Scenario Description: Sign in to Outlook Web App and verify the response page.
    User Name: extest_xxx
    Performance Counter Name: Logon Latency
    Result: Skipped
    Site: xxx
    Latency: -00:00:00.0010000
    Secure Access: True
    ConnectionType: Plaintext
    Port: 0
    Latency (ms): -1
    Virtual Directory Name: owa (Default Web Site)
    URL: https://xxx.com/OWA/
    URL Type: External
    Error:
    The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxx
    User: extest_xxx
    Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
    EventSourceName: MSExchange Monitoring OWAConnectivity External
    Knowledge:
    http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
    Computer: xxx
    Impacted Entities (3):
    OWA Service - xxx, xxx - xxx, Exchange
    Knowledge:     View additional knowledge...
    External Knowledge Sources
    For more information, see the respective topic at the Microsoft Exchange Server TechCenter
    Thanks
    MHem

    Hi,
    Based on the error, it looks like an OWA authentication failure.
    Have you tried posting this to the LYNC forums?

  • The User Authentication Methode required by this server can't be found.

    Ok, I have a network of iMacs that are bound to OS X Server and the users log in with network based user folders via Kerberos and Open Directory.
    This is all working just fine, and all iMac users have full access to all shared volumes as per the ACLs...
    My problem is when any of our office laptops that are not bound to the server and run on local user accounts need to login for access to the AFP shared volumes. ALL but one of these Laptops are receiving "The User Authentication Methode required by this server can't be found." Dialog box when attempting to login. They never even have a chance to enter login names or passwords.
    What am I missing? I can't find any settings on this one laptop user account that are any different than the other laptops' user accounts...

    Steve can you explain more on how I use this Kerberos.app?
    I opened it on the one laptop that is working and can see one ticket in the Ticket Cache, and below that there is the same ticket listed with two subentries. All of them are listed as Expired at the moment, but then I have not connected to the server with this system since yesterday...
    When I open the App on the systems that don't work, there are no tickets listed. I clicked on the new button, but the info it's asking for is different than any of the info I found in the working system's Kerberos app... ??? Help.
    It's asking for Name, Realm, Password...

  • Setting up Remote Desktop Apps for access from a Mac with 2FA

    Hi
    Setting up Remote Desktop Apps for access from a Mac with 2FA.
    I have a Server 2012 remote access gateway, with remote apps published (which uses single sign-on), behind a 2FA connection (web based), and want to know if it's possible to allow Macs to connect to the remote apps behind it. I cannot permanently remove any of the above setup as it is a requirement.
    When I connect from a Mac I can log in to both the 2FA and remote access web pages and see all the apps, but when I click on any app it downloads it to the Mac, and when I try to run it using the Remote Desktop App for Mac I get an error:
    "httpendpointexception: 4, The non-proxy http connection failed to connect with the message: 500 internal Server Error."
    I have tried with 2FA turned off for testing and get the same result. Does it support a 2012 TSGW server? Does it support Remote Desktop apps? I can't find a definitive answer on either.
    Thanks in advance for any advice.

    Hi,
    Thank you for posting in Windows Server Forum.
    From the error description it seems to be a communication issue between your Mac and your RD gateway server. If you connect from the extranet, you may need Remote Desktop Gateway or a VPN/Direct Access connection to your intranet, or to forward port 3389 on your router.
    500 Internal Server Error seems to be an HTTP-related error.
    The HTTP status code in IIS 7.0, IIS 7.5, and IIS 8.0
    Also, please double check the settings if you have an RD gateway implemented in your intranet.
    http://redmondmag.com/articles/2013/12/24/rd-gateway-in-windows-server.aspx
    In Windows Server 2012 R2, RD Gateway pluggable authentication is also introduced. This allows custom authentication routines to be used with RD Gateway. For example, building a two-factor solution on top of RD Gateway is now possible, which allows doing token authentication to the RD Gateway that works seamlessly with RD Web Access or RDP file launching.
    Please check below article for more information.
    Windows Server 2012 R2 is coming what does this add to RDS – VDI
    In addition, please provide the log file from the client for further research.
    Microsoft Remote Desktop -> About Microsoft Remote Desktop -> Send log via email
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Autoconfig fail EBS R12 Apps-Node with EBS 11gR2 RAC

    Platform: HPUX IA 64-11.31
    DB: 11.2.0.3
    Nodes: 2
    We were following metalink note 823587.1 and have successfully converted single-instance database of EBS R12 to 20node RAC. When we are trying to do steps of Section-3.8 of the note the autoconfig is running in error. See the below error message from the "adconfig.log" file:
    cat /etc/hosts
    =========
    127.0.0.1 localhost.localdomain localhost
    #Public IP
    172.16.101.23 ts1db1.bukhatir.ae ts1db1
    172.16.101.24 ts1db2.bukhatir.ae ts1db2
    #Vip
    172.16.101.44 ts1_vip1.bukhatir.ae ts1_vip1
    172.16.101.45 ts1_vip2.bukhatir.ae ts1_vip2
    #inerconnect
    10.0.0.1 ts1_prv1.bukhatir.ae ts1_prv1
    10.0.0.2 ts1_prv2.bukhatir.ae ts1_prv2
    172.16.101.20 ts1apps1.bukhatir.ae ts1apps1
    172.16.101.21 ts1apps2.bukhatir.ae ts1apps2
    =========
    Generate Tns Names
    Logfile: /locapps1/apps/apps/TEST_ts1apps1/admin/log/04101202/NetServiceHandler.log
    Classpath : /ts1apps/apps/apps_st/comn/java/lib/appsborg2.zip:/ts1apps/apps/apps_st/comn/java/classes
    Updating s_tnsmode to 'generateTNS'
    UpdateContext exited with status: 0
    AC-50480: Internal error occurred: java.lang.Exception: Error while generating listener.ora.
    Error generating tnsnames.ora from the database, temporary tnsnames.ora will be generated using templates
    Instantiating Tools tnsnames.ora
    Tools tnsnames.ora instantiated
    Web tnsnames.ora instantiated
    adgentns.pl exiting with status 2
    ERRORCODE = 2 ERRORCODE_END
    xecuting script in InstantiateFile:
    /locapps1/apps/apps/TEST_ts1apps1/admin/install/adgendbc.sh
    script returned:
    adgendbc.sh started at Tue Apr 10 12:03:56 UAE 2012
    SQL*Plus: Release 10.1.0.5.0 - Production on Tue Apr 10 12:03:57 2012
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    Enter value for 1: Enter value for 2: Enter value for 3: Connected.
    [ APPS_DATABASE_ID ]
    Application Id : 0
    Profile Value : TEST
    Level Name: SITE
    INFO : Updated/created profile option value.
    PL/SQL procedure successfully completed.
    Commit complete.
    Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
    Data Mining and Real Application Testing options
    ==============================
    * * * * DBC PARAMETERS * * * *
    ==============================
    fnd_jdbc_buffer_min=1
    fnd_jdbc_buffer_max=5
    fnd_jdbc_buffer_decay_interval=300
    fnd_jdbc_buffer_decay_size=5
    fnd_jdbc_usable_check=false
    fnd_jdbc_context_check=true
    fnd_jdbc_plsql_reset=false
    ====================================
    * * * * NO CUSTOM PARAMETERS * * * *
    ====================================
    Unique constraint error (00001) is OK if key already exists
    Creating the DBC file...
    java.sql.SQLException: The Network Adapter could not establish the connection
    Database connection to jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=YES)(FAILOVER=YES)(ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))(ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip2.bukhatir.ae)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=TEST))) failed
    ADD call failed with exit code 1
    Updating Server Security Authentication
    java.sql.SQLException: Invalid number format for port number
    Database connection to jdbc:oracle:thin:@host_name:port_number:database failed
    Updating Server Security Authentication failed with exit code 1
    Restoring DBC file from backed up location /locapps1/apps/apps/TEST_ts1apps1/appltmp/TXK/TEST_Tue_Apr_10_12_03_2012.dbc
    adgendbc.sh ended at Tue Apr 10 12:04:01 UAE 2012
    adgendbc.sh exiting with status 1
    ERRORCODE = 1 ERRORCODE_END
    See the network configuration files from the environment:
    ===========
    Dbhome
    ===========
    /orahome/oradb/app/product/11.2.0.3/network/admin/TEST1_ts1db1/listener.ora
    LISTENER_TEST =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ts1_vip1.bukhatir.ae)(PORT = 1521)(IP = FIRST)))
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ts1db1)(PORT = 1521)(IP = FIRST)))
    SID_LIST_LISTENER_TEST =
    (SID_LIST =
    (SID_DESC = (ORACLE_HOME = /orahome/oradb/app/product/11.2.0.3)(SID_NAME = TEST1))
    STARTUP_WAIT_TIME_LISTENER_TEST = 0
    CONNECT_TIMEOUT_LISTENER_TEST = 10
    TRACE_LEVEL_LISTENER_TEST = OFF
    LOG_DIRECTORY_LISTENER_TEST = /orahome/oradb/app/product/11.2.0.3/network/admin
    LOG_FILE_LISTENER_TEST = TEST1
    TRACE_DIRECTORY_LISTENER_TEST = /orahome/oradb/app/product/11.2.0.3/network/admin
    TRACE_FILE_LISTENER_TEST = TEST1
    ADMIN_RESTRICTIONS_LISTENER_TEST = ON
    SUBSCRIBE_FOR_NODE_DOWN_EVENT_LISTENER_TEST = OFF
    IFILE=/orahome/oradb/app/product/11.2.0.3/network/admin/TEST1_ts1db1/listener_ifile.ora
    /orahome/oradb/app/product/11.2.0.3/network/admin/TEST1_ts1db1/tnsnames.ora
    TEST=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    (CONNECT_DATA=
    (SERVICE_NAME=TEST)
    (INSTANCE_NAME=TEST1)
    TEST1=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    (CONNECT_DATA=
    (SERVICE_NAME=TEST)
    (INSTANCE_NAME=TEST1)
    TEST1_FO=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    (CONNECT_DATA=
    (SERVICE_NAME=TEST)
    (INSTANCE_NAME=TEST1)
    TEST_FO=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    (CONNECT_DATA=
    (SERVICE_NAME=TEST)
    (INSTANCE_NAME=TEST1)
    TEST1_LOCAL=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    TEST_BALANCE=
    (DESCRIPTION=
    (ADDRESS_LIST=
    (LOAD_BALANCE=YES)
    (FAILOVER=YES)
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    (CONNECT_DATA=
    (SERVICE_NAME=TEST)
    TEST_REMOTE=
    (DESCRIPTION=
    (ADDRESS_LIST=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    #TEST_REMOTE=
    # (DESCRIPTION=
    # (ADDRESS_LIST=
    # (ADDRESS=(PROTOCOL=tcp)(HOST=tsscan.bukhatir.ae)(PORT=1521))
    TEST1_local=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1521))
    extproc_connection_data =
    (DESCRIPTION=
    (ADDRESS_LIST =
    (ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROCTEST1))
    (CONNECT_DATA=
    (SID=PLSExtProc)
    (PRESENTATION = RO)
    IFILE=/orahome/oradb/app/product/11.2.0.3/network/admin/TEST1_ts1db1/TEST1_ts1db1_ifile.ora
    ===========
    Gridhome
    ===========
    /gridhome/oragrid/11.2.0/grid/network/admin/listener.ora
    LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) # line added by Agent
    LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3)))) # line added by Agent
    LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) # line added by Agent
    LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) # line added by Agent
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON # line added by Agent
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON # line added by Agent
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON # line added by Agent
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON # line added by Agent
    /gridhome/oragrid/11.2.0/grid/network/admin/endpoints_listener.ora
    LISTENER_TS1DB1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=ts1_vip1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.101.23)(PORT=1521)(IP=FIRST)))) # line added by Agent
    ===========
    Listener EBShome
    ===========
    cd $TNS_ADMIN
    /locapps1/apps/apps/TEST_ts1apps1/ora/10.1.2/network/admin/listener.ora
    APPS_TEST =
    (ADDRESS_LIST =
    (ADDRESS= (PROTOCOL= TCP)(Host= ts1apps1)(Port= 1629))
    SID_LIST_APPS_TEST =
    (SID_LIST =
    ( SID_DESC = ( SID_NAME = FNDSM )
    ( ORACLE_HOME = /ts1apps/apps/tech_st/10.1.2 )
    ( PROGRAM = /ts1apps/apps/apps_st/appl/fnd/12.0.0/bin/FNDSM )
    ( envs='MYAPPSORA=/ts1apps/apps/apps_st/appl/APPSTEST_ts1apps1.env,PATH=/usr/bin:/usr/ccs/bin:/bin,FNDSM_SCRIPT=/locapps1/apps/apps/TEST_ts1apps1/admin/scripts/gsmstart.sh' )
    ( SID_DESC = ( SID_NAME = FNDFS )
    ( ORACLE_HOME = /ts1apps/apps/tech_st/10.1.2 )
    ( PROGRAM = /ts1apps/apps/apps_st/appl/fnd/12.0.0/bin/FNDFS )
    ( envs='EPC_DISABLED=TRUE,NLS_LANG=American_America.AL32UTF8,LD_LIBRARY_PATH=/ts1apps/apps/tech_st/10.1.2/lib32:/ts1apps/apps/tech_st/10.1.2/lib:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N/server:/ts1apps/apps/apps_st/appl/sht/12.0.0/lib,SHLIB_PATH=/ts1apps/apps/tech_st/10.1.2/lib32:/ts1apps/apps/tech_st/10.1.2/lib:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N/server:/ts1apps/apps/apps_st/appl/sht/12.0.0/lib,LIBPATH=/ts1apps/apps/tech_st/10.1.2/lib32:/ts1apps/apps/tech_st/10.1.2/lib:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N:/ts1apps/apps/tech_st/10.1.2/jdk/jre/lib/IA64N/server:/ts1apps/apps/apps_st/appl/sht/12.0.0/lib,APPLFSTT=TEST_BALANCE;TEST;TEST_FO,APPLFSWD=/locapps1/apps/apps/TEST_ts1apps1/appl/admin;/locapps1/apps/apps/TEST_ts1apps1/appltmp;/ts1apps/apps/apps_st/comn/webapps/oacore/html/oam/nonUix/launchMode/restricted' )
    STARTUP_WAIT_TIME_APPS_TEST = 0
    CONNECT_TIMEOUT_APPS_TEST = 10
    TRACE_LEVEL_APPS_TEST = OFF
    LOG_DIRECTORY_APPS_TEST = /locapps1/apps/apps/TEST_ts1apps1/logs/ora/10.1.2/network
    LOG_FILE_APPS_TEST = APPS_TEST
    TRACE_DIRECTORY_APPS_TEST = /locapps1/apps/apps/TEST_ts1apps1/logs/ora/10.1.2/network
    TRACE_FILE_APPS_TEST = APPS_TEST
    ADMIN_RESTRICTIONS_APPS_TEST = ON
    IFILE = /locapps1/apps/apps/TEST_ts1apps1/ora/10.1.2/network/admin/TEST_ts1apps1_listener_ifile.ora
    SUBSCRIBE_FOR_NODE_DOWN_EVENT_APPS_TEST = OFF
    /locapps1/apps/apps/TEST_ts1apps1/ora/10.1.2/network/admin/tnsnames.ora
    TEST = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1db1)(PORT=1521))
    (CONNECT_DATA=(SID=TEST1))
    # Net8 definitions for FNDFS and FNDSM on the HTTP server node - ts1apps1
    FNDFS_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    # For when the profile FS_SVC_PREFIX is set these entries will be used
    FNDFS_TEST1_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_TEST1_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDSM_ts1apps1_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    FNDSM_ts1apps1.bukhatir.ae_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    # Net8 definitions for FNDFS and FNDSM on the forms server node - ts1apps1
    FNDFS_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    # For when the profile FS_SVC_PREFIX is set these entries will be used
    FNDFS_TEST1_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_TEST1_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDSM_ts1apps1_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    FNDSM_ts1apps1.bukhatir.ae_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    # Net8 definitions for FNDFS and FNDSM on the administration server node - ts1apps1
    FNDFS_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    # For when the profile FS_SVC_PREFIX is set these entries will be used
    FNDFS_TEST1_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_TEST1_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDSM_ts1apps1_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    FNDSM_ts1apps1.bukhatir.ae_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    # Net8 definitions for FNDFS and FNDSM on the concurrent processing server node - ts1apps1
    FNDFS_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    # For when the profile FS_SVC_PREFIX is set these entries will be used
    FNDFS_TEST1_ts1apps1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDFS_TEST1_ts1apps1.bukhatir.ae = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDFS))
    FNDSM_ts1apps1_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    FNDSM_ts1apps1.bukhatir.ae_TEST1 = (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=ts1apps1)(PORT=1629))
    (CONNECT_DATA=(SID=FNDSM))
    IFILE=/locapps1/apps/apps/TEST_ts1apps1/ora/10.1.2/network/admin/TEST_ts1apps1_ifile.ora

    Yes, following message is also reported in the adconfig.log:
    Unique constraint error (00001) is OK if key already exists
    Creating the DBC file...
    java.sql.SQLException: The Network Adapter could not establish the connection
    Database connection to jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=YES)(FAILOVER=YES)(ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip2.bukhatir.ae)(PORT=1523))(ADDRESS=(PROTOCOL=tcp)(HOST=ts1_vip1.bukhatir.ae)(PORT=1523)))(CONNECT_DATA=(SERVICE_NAME=TEST))) failed
    ADD call failed with exit code 1
    Updating Server Security Authentication
    java.sql.SQLException: Invalid number format for port number
    Database connection to jdbc:oracle:thin:@host_name:port_number:database failed
    Updating Server Security Authentication failed with exit code 1
    Restoring DBC file from backed up location /locapps1/apps/apps/TEST_ts1apps1/appltmp/TXK/TEST_Mon_Apr_16_13_13_2012.dbc
    adgendbc.sh ended at Mon Apr 16 13:13:46 UAE 2012
    adgendbc.sh exiting with status 1
    ERRORCODE = 1 ERRORCODE_END
    .end std out.
    .end err out.
    Did you see Autoconfig has failed on Apps tier on adgendbc.cmd with error: ADD call failed with exit code 1, UPDATE call failed with exit code 1 [ID 359739.1]? But we have the file version:
    $Header: AdminAppServer.java 120.11.12010000.6 2010/04/13 15:24:03 fskinner ship $

  • Authentication failed because Outlook doesn't support any of the available authentication methods.

    When attempting to check and send email from my Mac via iCloud, I keep getting the error "Authentication failed because Outlook doesn't support any of the available authentication methods." I have changed just about everything I can see available, but continue to get this message.
    I am able to send email via iCloud using my .Me and .Mac addresses, and that tells me that it is not able to store "sent emails" on iCloud and will store them locally on my computer. I can handle this, but when going to the iCloud Web page I have nothing within the "sent" mailbox.
    Using OS 10.7.2, and Outlook 2011 version 14.1.3
    Thanks in advance......

    I got the following from the Microsoft Web site. Also, the SMTP port must be overwritten. Use port 587.
    This article contains information about the compatibility of Microsoft Outlook for Mac 2011 and Apple iCloud. Outlook for Mac 2011 does not support Apple iCloud calendar (CalDAV) and contact (CardDAV) synchronization. Outlook for Mac 2011 does support iCloud Mail. For steps on how to configure your iCloud email account in Outlook for Mac 2011, go to the "More Information" section of this article.
    To configure your Apple iCloud email account in Microsoft Outlook for Mac 2011, follow these steps:
    1. Start Outlook 2011.
    2. On the Tools menu, click Accounts.
    3. Click the plus sign in the lower-left corner, and then select E-mail.
    4. Enter your E-mail Address and Password, and then click Add Account.
       Note: The new account will appear in the left navigation pane of the Accounts dialog box.
    5. Enter one of the following in the Incoming server box:
       - mail.me.com (for me.com mail addresses)
       - mail.mac.com (for mac.com mail addresses)
    6. Click to select Use SSL to connect (recommended) under the Incoming server box.
    7. Enter one of the following in the Outgoing server box:
       - smtp.me.com (for me.com mail addresses)
       - smtp.mac.com (for mac.com mail addresses)
    8. Click to select Use SSL to connect (recommended) under the Outgoing server box.
    After you have entered the incoming and outgoing server information, Outlook 2011 will start to receive your email messages.
    Note: You can click Advanced to enter additional settings, such as leaving a copy of each message on the server.

  • Authentication method for JCo connection in XSS installation

    Hi All,
    I have a query which perplexes me.  I am implementing XSS (ESS/MSS) on SAP Portal EP6 SR1 with an ECC5 backend for prototype purposes.
    When I follow SAP's help steps to setup JCo connections, it states that for the metadata connection you should use a security authentication method of 'User/Password', but for the application data connection you should use a security authentication method of 'Ticket'.
    Does anyone know why the difference in methods here?  Is it possible to use 'User/Password' for both?  Any thoughts would be appreciated.

    Hi john,
    The User-ID/Pwd method can be used to access the backend for both types of data as per your scenario.
    The User-ID/Pwd method and logon tickets can both be used to access data in the backend.
    The difference lies in the scenario with which you are accessing the back-end.
    If all your portal users are the same as the backend users, then you can select the Logon ticket method.
    If they are going to be different, then you need the User-ID/Pwd method.
    Check the following link to get a clear picture:
    Scenario to use type of SSO: http://help.sap.com/saphelp_ep50sp2/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm
    Hope it helps.
    Regards,
    Vivekanandan

  • NPS Authentication Methods - EAP Types

    We are moving from IAS to NPS and are configuring the policy like it was in IAS. When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is invalid". How do we fix this error? There are no errors in the event viewer for NPS.

    Hi MarkNDOR,
    Thanks for posting here.
    We'd suggest smoothly migrating IAS to NPS by following the guide in the link below, without manually recreating all policies. It also includes the Iasmigreader.exe utility, which will help to transfer the IAS policies to an NPS-compatible file type:
    NPS Migration Guide
    http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx
    Thanks.
    Tiger Li

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

    I need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
    tconners

    This generally means that your SPN is not set up correctly. Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance. You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance. In your browser, you should now be able to access the SSP without prompts. However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com. Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication. By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.
    I can confirm that I have the exact configuration and I always get the password prompt for the very first time. We have a 2 server (1xIIS and 1xSQL) infrastructure in production with SPN set like it should and I get the password prompt.

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails with a subject not found error, showing the user is from the old group.
    Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.
    Can anyone advise how to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change on this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature on which we can specify the appropriate Domain Controllers the ACS should contact on an AD Domain.
    Hope this clarifies it.
    Regards.
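
A reachability pre-check for the workaround quoted above, as an added example (not part of the original reply and not Cisco tooling): it takes the domain-controller SRV answers for a domain and reports which DCs do not accept a TCP connection. The SRV lines, the `example.test` host names and the stub probe are constructed sample data, and it assumes the check is run from a host on the same network segment as the ACS.

```python
import socket
from typing import Callable, Iterable, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str) -> str:
    """DNS name under which AD domain controllers register their LDAP SRV records."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".")


def parse_srv_lines(lines: Iterable[str]) -> list:
    """Parse 'priority weight port target.' lines, the `dig +short <name> SRV` layout."""
    records = set()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # blank line or something that is not an SRV answer
        try:
            priority, weight, port = (int(f) for f in fields[:3])
        except ValueError:
            continue  # non-numeric fields: not an SRV answer
        records.add(SrvRecord(priority, weight, port, fields[3].rstrip(".").lower()))
    return sorted(records)  # de-duplicated, lowest priority value first


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_dcs(records: Iterable[SrvRecord],
                    probe: Callable[[str, int], bool] = tcp_reachable) -> list:
    """Every DC in the SRV answer must respond; return the ones that do not."""
    return [r for r in records if not probe(r.target, r.port)]


# Constructed sample: two local DCs and one DC in a remote, filtered site.
SAMPLE_DIG_OUTPUT = """\
0 100 389 dc1.local.example.test.
0 100 389 dc2.local.example.test.
0 100 389 dc9.global.example.test.
"""


def sample_probe(host: str, port: int) -> bool:
    """Stub standing in for the network: only the local site answers."""
    return host.endswith(".local.example.test")


if __name__ == "__main__":
    print("query:", srv_name("example.test"))
    for rec in unreachable_dcs(parse_srv_lines(SAMPLE_DIG_OUTPUT.splitlines()), sample_probe):
        print("unreachable: %s:%d" % (rec.target, rec.port))
```

For a live check, feed `parse_srv_lines` the SRV answer for `srv_name(<your domain>)` and leave `probe` at its default.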

  • Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

    Hi!
    I'm in the process of setting up a new wireless network for a customer.
    A little info about the hardware:
    Cisco WLC 5508
    Cisco AP 2602i
    Cisco ISE - radius server
    iPads gen 4 (iOS 6)
    EAP-TLS (Windows machines) and PEAP (other stuff, iPads, Android etc.) as authentication methods
    The radius server is using a server certificate from their own PKI infrastructure, therefore I need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iPhone/iPad configuration utility.
    I use the Use Per-connection password option
    Users that are allowed to connect are placed in a specific group in their AD.
    The problem that I have is:
    When a user that's not allowed to connect tries to authenticate to the network the iPad says stop and that's the way it's supposed to be.
    BUT after someone has failed to authenticate to the network and somebody else tries to connect the iPad only asks for a password and not a username.
    I can't seem to get rid of this popup and therefore the iPad can't connect.
    If I don't use the profile I can forget about the network and after that I can connect with a different user.
    But then I can't verify the server-certificate and use the option per-connection password!
    Please help!
    Has someone else seen this type of bug?
    //Simon

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I am able to log in using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the ca server, is viewable via Internet Explorer, and is issued to the correct username which is on the active directory.
    I even tried using local authentication with 802.1x, this did not work
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
    Am I missing anything?
    Any advice will be greatly appreciated
    Chris

  • Cisco ISE multiple EAP authentication methods question

    With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
    My current efforts seem to fail, as if a device gets a request from the ISE for an EAP method it doesn't understand it just times out.
    Thanks in advance.

    Multiple EAP Methods work fine. If your Clients are being crap you could try forcing them to use a specific set of Allowed Authentication Methods by creating more specific Authentication rules.

Maybe you are looking for