BI Auth

Hi all,
   Can anyone explain authorization in BI 7.0?
I am looking for a step-by-step approach.
I would be grateful.
Thanks
Bharath

Hi,
I think SAP Note #540720 will be informative...
b.rgds, Bernhard

Similar Messages

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0.  I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great.  However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Help need in creation of auth object

    Hi all,
    Can anyone assist me in creating an auth object to restrict users based on plant?
    I would appreciate it if anyone of you could send me screenshots of the procedure.
    My email id is
    <removed by moderator>
    Thanks
    Venki

    Hi,
    Basically you can use a derived role and restrict users based on plant...
    Other than standard objects, do you want to create auth objects?
    For more information you can follow the link (info on objects):
    http://help.sap.com/saphelp_47x200/helpdata/en/ea/e9b0054c7211d189520000e829fbbd/frameset.htm
    Cheers
    Soma

  • Auth.log - Rejected send message, 2 matched rules; type="method_call"

    Hi,
    I'm checking /var/log/auth.log and I found that there is this error message:
    Jun 9 20:19:56 localhost polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.23 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    Jun 9 20:19:57 localhost dbus[513]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.23" (uid=1000 pid=861 comm="/usr/bin/gnome-shell ") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.1" (uid=0 pid=654 comm="/usr/sbin/console-kit-daemon --no-daemon ")
    I think the problem is in /etc/dbus-1/system.conf
    <deny send_type="method_call"/>
    I'm tempted to change this to allow,  but I won't as long as I don't understand why this deny-rule is implemented.
    Last edited by miky76 (2012-06-09 20:41:06)

    That deny rule is the default. Things in /etc/dbus-1/system.d override it. There's a ConsoleKit.conf file in there that describes what interaction ConsoleKit actually allows.
    That said, ConsoleKit.conf also denies this access:
    <deny send_destination="org.freedesktop.ConsoleKit"
    send_interface="org.freedesktop.DBus.Properties" />
    I don't know why this is denied - most likely it's to prevent private data from being stolen from console-kit-daemon in this way. I don't see any such private data stored in properties on ConsoleKit, though:
    $ dbus-send --print-reply --system --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Introspectable.Introspect
    method return sender=:1.5 -> dest=:1.14 reply_serial=2
    string "<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
    "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
    <node>
    <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
    <arg name="data" direction="out" type="s"/>
    </method>
    </interface>
    <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="out" type="v"/>
    </method>
    <method name="Set">
    <arg name="interface" direction="in" type="s"/>
    <arg name="propname" direction="in" type="s"/>
    <arg name="value" direction="in" type="v"/>
    </method>
    <method name="GetAll">
    <arg name="interface" direction="in" type="s"/>
    <arg name="props" direction="out" type="a{sv}"/>
    </method>
    </interface>
    <interface name="org.freedesktop.ConsoleKit.Session">
    <method name="SetIdleHint">
    <arg name="idle_hint" type="b" direction="in"/>
    </method>
    <method name="GetIdleSinceHint">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="GetIdleHint">
    <arg name="idle_hint" type="b" direction="out"/>
    </method>
    <method name="Unlock">
    </method>
    <method name="Lock">
    </method>
    <method name="Activate">
    </method>
    <method name="GetCreationTime">
    <arg name="iso8601_datetime" type="s" direction="out"/>
    </method>
    <method name="IsLocal">
    <arg name="local" type="b" direction="out"/>
    </method>
    <method name="IsActive">
    <arg name="active" type="b" direction="out"/>
    </method>
    <method name="GetLoginSessionId">
    <arg name="login_session_id" type="s" direction="out"/>
    </method>
    <method name="GetRemoteHostName">
    <arg name="remote_host_name" type="s" direction="out"/>
    </method>
    <method name="GetDisplayDevice">
    <arg name="display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11DisplayDevice">
    <arg name="x11_display_device" type="s" direction="out"/>
    </method>
    <method name="GetX11Display">
    <arg name="display" type="s" direction="out"/>
    </method>
    <method name="GetUnixUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetUser">
    <arg name="uid" type="u" direction="out"/>
    </method>
    <method name="GetSessionType">
    <arg name="type" type="s" direction="out"/>
    </method>
    <method name="GetSeatId">
    <arg name="sid" type="o" direction="out"/>
    </method>
    <method name="GetId">
    <arg name="ssid" type="o" direction="out"/>
    </method>
    <signal name="Unlock">
    </signal>
    <signal name="Lock">
    </signal>
    <signal name="IdleHintChanged">
    <arg type="b"/>
    </signal>
    <signal name="ActiveChanged">
    <arg type="b"/>
    </signal>
    <property name="idle-hint" type="b" access="readwrite"/>
    <property name="is-local" type="b" access="readwrite"/>
    <property name="active" type="b" access="readwrite"/>
    <property name="x11-display-device" type="s" access="readwrite"/>
    <property name="x11-display" type="s" access="readwrite"/>
    <property name="display-device" type="s" access="readwrite"/>
    <property name="remote-host-name" type="s" access="readwrite"/>
    <property name="session-type" type="s" access="readwrite"/>
    <property name="user" type="u" access="readwrite"/>
    <property name="unix-user" type="u" access="readwrite"/>
    </interface>
    </node>
    Note those properties at the end of that list, which are the same things you can learn by running ck-list-session.
    If you want to change the deny to allow, you may as well do it in the ConsoleKit.conf line, so it's specific to this usage, rather than allowing any method call in the world called through dbus.
    FWIW, I can reproduce this same error, trying to do it "by hand", though I don't use GNOME, as you do:
    $ dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Session1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.ConsoleKit.Session
    Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.17" (uid=1000 pid=13892 comm="dbus-send --print-reply --system --type=method_cal") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination="org.freedesktop.ConsoleKit" (uid=0 pid=751 comm="/usr/sbin/console-kit-daemon --no-daemon ")
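
The rule interaction described in this thread, as an added example that is not part of the original posts: a simplified Python model of dbus-daemon's "last matching rule wins" check for send rules, which reproduces the "2 matched rules" rejection and compares the narrow ConsoleKit.conf change with the broad system.conf change. The two `<deny>` rules are the ones quoted above; the `<allow>` rule, the `org.example.Demo` service and all function names are constructed for illustration, and only `context="default"` policies and four `send_*` attributes are modelled.

```python
"""Simplified model of how dbus-daemon evaluates <allow>/<deny> send rules."""
import xml.etree.ElementTree as ET

# Constructed policy text, in load order: system.conf, then system.d/*.conf.
SYSTEM_CONF = """
<busconfig>
  <policy context="default">
    <deny send_type="method_call"/>
  </policy>
</busconfig>
"""

# The <allow> rule is a constructed stand-in for calls ConsoleKit.conf permits.
CONSOLEKIT_CONF = """
<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Session"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
"""

# Rule attribute -> message field it is compared with.
SEND_ATTRS = {"send_type": "type", "send_interface": "interface",
              "send_member": "member"}

# Constructed messages. destination_names lists every bus name the receiver owns.
CK_NAMES = {":1.1", "org.freedesktop.ConsoleKit"}
GET_ALL = {"type": "method_call", "member": "GetAll",
           "interface": "org.freedesktop.DBus.Properties",
           "destination_names": CK_NAMES}
GET_IDLE_HINT = {"type": "method_call", "member": "GetIdleHint",
                 "interface": "org.freedesktop.ConsoleKit.Session",
                 "destination_names": CK_NAMES}
OTHER_SERVICE = {"type": "method_call", "member": "Ping",
                 "interface": "org.example.Demo",
                 "destination_names": {":1.9", "org.example.Demo"}}


def load_rules(*documents):
    """Return (source index, verdict, attributes) for each rule, in load order."""
    rules = []
    for index, text in enumerate(documents):
        for policy in ET.fromstring(text).iter("policy"):
            if policy.get("context") != "default":
                continue  # user/group/at_console/mandatory are not modelled
            for rule in policy:
                if rule.tag in ("allow", "deny"):
                    rules.append((index, rule.tag, dict(rule.attrib)))
    return rules


def rule_matches(attrs, message):
    """A rule matches when every attribute it names agrees with the message."""
    for name, value in attrs.items():
        if name == "send_destination":
            if value not in message["destination_names"]:
                return False
        elif name in SEND_ATTRS:
            if message.get(SEND_ATTRS[name]) != value:
                return False
        else:
            return False  # attribute outside this model: treat as no match
    return True


def check_send(rules, message):
    """Return (allowed, matched_rule_count); the last matching rule decides."""
    allowed, matched = False, 0  # no matching rule at all means denied
    for _, verdict, attrs in rules:
        if rule_matches(attrs, message):
            allowed = verdict == "allow"
            matched += 1
    return allowed, matched


def with_rule_flipped(rules, position):
    """Copy of the rule list with the rule at `position` turned into <allow>."""
    flipped = list(rules)
    source, _, attrs = flipped[position]
    flipped[position] = (source, "allow", attrs)
    return flipped


if __name__ == "__main__":
    rules = load_rules(SYSTEM_CONF, CONSOLEKIT_CONF)
    variants = {
        "as shipped": rules,
        "ConsoleKit.conf deny -> allow": with_rule_flipped(rules, 2),
        "system.conf deny -> allow": with_rule_flipped(rules, 0),
    }
    messages = {"Properties.GetAll": GET_ALL,
                "Session.GetIdleHint": GET_IDLE_HINT,
                "other service": OTHER_SERVICE}
    for label, variant in variants.items():
        for name, message in messages.items():
            allowed, matched = check_send(variant, message)
            verdict = "allowed" if allowed else "REJECTED"
            print(f"{label:32} {name:20} {verdict}, {matched} matched rules")
```

In this model, flipping the system.conf rule leaves `GetAll` rejected, because the later ConsoleKit.conf deny still wins, while method calls to every other service become allowed.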

  • Implement Hierarchy's On InfoObject that is Not Auth Relevant.

    Hello Friends,
    Please advise me on this issue.
    I am upgrading from 3.1 to 7.0. I am able to implement hierarchies when the InfoObject is auth relevant.
    There are hierarchies in 3.1 on InfoObjects which are not auth relevant,
    like 0PLANT. I don't know how to implement using this.
    Is there any way to implement hierarchies on InfoObjects which are not auth relevant in BI 7.0 using Analysis authorizations?
    Or do I need to make these non auth relevant InfoObjects of 3.1 auth relevant in 7.0 and implement hierarchies?
    Please advice.
    Thanks,
    Ram

    Hi Keerti,
    Can you please tell me how to implement hierarchy with out making 0PLANT auth relevant.
    We are upgrading from 3.1 to 7.0.
    0PLANT is not auth relevant in 3.1 but it has Hierarchies.
    So business team wants to have the same in 7.0 with out making it auth relevant.
    Please help me in doing this.
    Thanks
    Ram

  • How do I use Kerberos Auth in Java 6?

    Hi,
    I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.
    Here is part of the code:
            System.setProperty("java.security.auth.login.config", "/etc/login.conf");
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.out.println("Trying to login using kerberos...");
            KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
            LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
            loginContext.login();
            System.out.println("Login succeeded");
            //Login succeeds on both java 5 and java 6
            Subject.doAs(loginContext.getSubject(), new JndiAction());
            System.out.println("Connected through Kerberos successfully");
    The failure happens in the JndiAction:
        public class JndiAction implements PrivilegedExceptionAction<Integer>
        {
            public Integer run() throws Exception
            {
                String username = user + "@" + domain;
                System.out.println("User to connect to Kerberos is " + username);
                System.out.println("Provider URL is: " + url);
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put("java.naming.ldap.derefAliases", "finding");
                env.put(Context.PROVIDER_URL, url);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                System.out.println("Trying to create context...");
                new InitialLdapContext(env, null);
                return 0;
            }
        }
    An exception occurs when calling new InitialLdapContext:
    Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at KerberosAuth.connectKerberos(KerberosAuth.java:71)
            at KerberosAuth.main(KerberosAuth.java:29)
    Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
            at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
            at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
            at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
            at javax.naming.InitialContext.init(Unknown Source)
            at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
            ... 4 more
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
            at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
            ... 18 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            ... 19 more
    Caused by: KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            ... 22 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 27 more
    I want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With java 5 it works, with java 6 it does not.
    Does anybody know what I should do to solve this problem?
    TIA,
    Dikla

    Note: This thread was originally posted in the [Java Secure Socket Extension  (JSSE)|http://forums.sun.com/forum.jspa?forumID=2] forum, but moved to this forum for closer topic alignment.

  • How do I use my own Custom Auth/Authentication/Entitlement (Token)?

    [ Background ]
    Adobe Access DRM provides for 3 authentication mechanisms:
    Anonymous - Licenses are issued regardless of whether there is a valid authentication token attached to the license request.
    UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-Issued authentication token.
    Custom - Licenses are ONLY issued if there is a valid custom authentication token attached to the license request.
    Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support.  For this to succeed, accommodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
    [ More Background ]
    Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
    [ Recipe ]
    1. Adobe Access DRM Policy is created that specifies a "custom" authentication token.  As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out of the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
    2. Content is packaged using this custom_auth policy.
    3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
    4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
    5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
    5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
    6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
    7. License server generates a license to return to client device.
    [ Server Code Snippet (RefImplLicenseReqHandler.java) ]
    try {
      ServletInputStream in = request.getInputStream();
      ServletOutputStream out = response.getOutputStream();
      HandlerConfiguration context = super.getHandlerContext();
      ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
      licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
      licenseHandler.parseRequest();
      List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
      // Multiple request in one message is not supported in FAXS 2.0 or 3.0 client.
      for (LicenseRequestMessage licenseReq : requests) {
        try {
          // TODO: If custom authentication is specified in the DRM policy, here is where
          // you can retrieve the custom authentication token and perform custom parsing to
          // determine further business rules and entitlement before issuing a license.
          // The "Custom Authentication" will look like:
          // 1. Client device obtains auth token using some other channel
          // 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
          // 3. Client makes a license request by calling DRMManager.loadVoucher()
          // 4. Adobe Access Server receives request and:
          // 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo().getAuthenticationType();
          // 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
          // 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
          V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
          ApplicationProperties applicationProperties = null;
          String usageModelString = null;
          if (metadata != null) {
            applicationProperties = metadata.getCustomProperties();
            if (applicationProperties != null) {
              usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
    cheers,
    /Eric.

    Google Search: firefox create a persona
    * Personas for Firefox | How to Create Personas: https://www.getpersonas.com/en-US/demo_create
    * Personas for Firefox | Frequent Questions: http://www.getpersonas.com/en-US/faq
    * Personas for Firefox | Getting Started: http://www.getpersonas.com/en-US/getting_started
    I think you'd have a lot more fun with Styles though, personas tend to hide things on toolbars, styles can be more helpful (or just as bad)
    * Stylish :: Add-ons for Firefox: https://addons.mozilla.org/en-US/firefox/addon/stylish/
    * Restyle the web with Stylish! - userstyles.org: http://userstyles.org/
    * Scrollbar Context Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/54
    * Scrollbar Menu - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/52
    * Link Warning - Themes and Skins for Mozilla - userstyles.org: http://userstyles.org/styles/1301
    * Tabs, Enlarge list-all-tabs button - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/18553
    * Tabs Bar Minimal Size - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/9043
    * Tab Color Underscoring active/read/unread (Fx3.6) - Themes and Skins for Browser - userstyles.org: http://userstyles.org/styles/24728

  • ITunes auth problem on Windows 7 64-bit

    Hi,
    I experience weird issues with the iTunes auth-process on a Windows 7 (64bit) machine.
    When I try to authorize my computer it results in a message telling me something about connection issues. Anyhow, it seems the computer is kind of activated since I can deauth my computer. If I try auth'in my computer several times, it also allows to deauth it several times until it says that it is not auth'd anymore.
    My tries so far to solve this
    - updated to latest iTunes
    - deactivated, even uninstalled firewall (used NIS2011), also disabled the Windows Firewall after that
    - checked hosts file
    - deleted SC Info
    - even tried with creating new library
    - disabled User Access Control in Windows
    - disabled all startup items in "msconfig"
    - tried to activate with same account a different computer in the same network, I was able to play movies using the private home sharing feature, also activation was no problem
    - re-installed Apple Software (including iTunes, Quicktime and Safari)
    - checked Diagnostic within iTunes with no problems
    So my guess is that it could have something to do with 64 bit or any hard- or software related issue at my computers side.
    Detailed procedure:
    1 - Start iTunes, click Store > Authorize > Enter credentials
    and now the weird thing is that the "authorize" button says "deauthorize", no matter how often I try to deauthorize before.
    2 - Repeated step 1 since it says always the same error message (connectivity alert)
    3 - Playback of any DRM protected media does not work (movies). It asks for authorization again but fails to do so with the same message again
    4 - Deauthorizing is possible and I noticed that I can do this as many times as I tried to authorize before.
    Does anyone have a suitable idea for helping me out in this issue? I never had problems on my mac before, nor on a Windows 7 32bit system.
    My 64 bit machine is only used with one iTunes account.
    I already contacted the iTunes Support via Mail but they could not help me since this could be a technical issue.
    Any help is much appreciated.
    Thanks in advance,
    Benjamin

    After numerous calls with Apple support, I finally got it working
    For me, the problem was the following:
    1. Make sure that Internet Explorer is your standard browser for windows (if not...make it)!
    2. In Internet Explorer go to "Internet Options" then "Advanced"
    3. In the list scroll down to "Security" and UNCHECK "Check for server certificate revocation"
    4. Make sure that (a bit further down) "Use SSL 3.0" and "Use TLS 1.0" are CHECKED.
    5. Delete the "SC Info" folder once again... 
    6. Run iTunes in Admin-Mode
    After that, I was able to activate my computer and I changed my browser back to Firefox afterwards...
    Hope that will help you too !!
    Cheers

  • FORM AUTH:  JDBCRealms  WILL NOT WORK     HELP ! ! !

    hello,
    I have followed the tomcat JDBCRealms setup.....but it never allows me through to secure page it always redirects to loginerror....when using valid user/pass pair !!!!!!!!!!!!!!!!
    I am a student and this is part of a research project to compare .NET with J2EE.........
    HELP
    my project details are below
    loginForm.html:
    <?xml version="1.0"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Login Test: Login Form</title>
    </head>
    <h1>Login Form</h1>
         Welcome to the login page. You will have to authenticate to get access to the secure area:
    <form method="POST" action="j_security_check">
    Username: <input type="text" name="j_username">
    Password: <input type="password" name="j_password">
    <input type="submit" value="Login">
    <input type="reset" value="Reset">
    </form>
    </html>
    web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
    <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>Security constraint for resources in the secure directory</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>tomcatRole</role-name>
    </auth-constraint>
    <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/LoginForm.html</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>tomcatRole</role-name>
    </security-role>
    </web-app>
    Extract from server.xml (in tomcat 3.2.2/conf dir):
    <!--
    UnComment the following and comment out the
              <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" />
    -->
    <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@MADDZILLA:1521:Store" connectionName="SYSTEM" connectionPassword="manager" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
    server.xml, altered part:
    <!-- commented out memoryrealm request
    <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" />     
    -->
    added jdbcrealm request
    <RequestInterceptor className="org.apache.tomcat.request.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@MADDZILLA:1521:Store" connectionName="SYSTEM" connectionPassword="manager" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
    Tables created for tomcat security example:
    create table users (
    user_name varchar(15) not null primary key,
    user_pass varchar(15) not null
    );
    create table roles (
    role_name varchar(15) not null primary key
    );
    create table user_roles (
    user_name varchar(15) not null,
    role_name varchar(15) not null,
    primary key( user_name, role_name )
    );
    INSERT INTO users (user_name, user_pass) VALUES (tomcat,tomcat);
    INSERT INTO users (user_name, user_pass) VALUES (user1,tomcat);
    INSERT INTO users (user_name, user_pass) VALUES (user2,tomcat);
    INSERT INTO users (user_name, user_pass) VALUES (user3,tomcat);
    INSERT INTO roles (role_name) VALUES (tomcatRole);
    INSERT INTO roles (role_name) VALUES (otherRole);
    INSERT INTO user_roles (role_name, user_name) VALUES (tomcatRole,user1);
    INSERT INTO user_roles (role_name, user_name) VALUES (otherRole,user2);
    INSERT INTO user_roles (role_name, user_name) VALUES (otherRole,tomcat);
    INSERT INTO user_roles (role_name, user_name) VALUES (tomcatRole,tomcat);

    I've tried jdbc realm, and it works fine for me. I'm not using the form_auth, rather it pops-up a network login dialog for me. If you need details, get in touch on [email protected]
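
    A simplified model of the two lookups that the JDBCRealm attributes in the question describe (credential from `users`, roles from `user_roles`), checked against the `tomcatRole` constraint from the posted web.xml. This is an added example, not Tomcat's code or either poster's: sqlite3 stands in for Oracle, the rows are the question's with string values quoted, and `build_db`, `check_access`, `audit` and the outcome labels are hypothetical names.

```python
import hmac
import sqlite3

# sqlite3 stands in for the Oracle database in the post so this runs offline.
SCHEMA = """
create table users (
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null);
create table user_roles (
  user_name varchar(15) not null,
  role_name varchar(15) not null,
  primary key (user_name, role_name));
"""
# Rows from the post, with the string values quoted.
USERS = [("tomcat", "tomcat"), ("user1", "tomcat"),
         ("user2", "tomcat"), ("user3", "tomcat")]
USER_ROLES = [("user1", "tomcatRole"), ("user2", "otherRole"),
              ("tomcat", "otherRole"), ("tomcat", "tomcatRole")]
REQUIRED_ROLE = "tomcatRole"  # <auth-constraint> role for /secure/* in web.xml


def build_db():
    """Create the in-memory realm tables and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("insert into users values (?, ?)", USERS)
    db.executemany("insert into user_roles values (?, ?)", USER_ROLES)
    return db


def check_access(db, username, password, required_role=REQUIRED_ROLE):
    """Return 'login-error', 'no-role' or 'granted' for one login attempt."""
    # Lookup 1: userTable / userNameCol / userCredCol.
    row = db.execute("select user_pass from users where user_name = ?",
                     (username,)).fetchone()
    # The user_pass column in the post holds clear-text values, so this
    # compares clear text (in constant time).
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return "login-error"
    # Lookup 2: userRoleTable / roleNameCol.
    roles = {r[0] for r in db.execute(
        "select role_name from user_roles where user_name = ?", (username,))}
    return "granted" if required_role in roles else "no-role"


def audit(db, attempts):
    """Map each (user, password) attempt to its outcome."""
    return {(u, p): check_access(db, u, p) for u, p in attempts}


if __name__ == "__main__":
    attempts = [("tomcat", "tomcat"), ("user1", "tomcat"), ("user2", "tomcat"),
                ("user3", "tomcat"), ("user1", "wrong"), ("Tomcat", "tomcat")]
    for (user, _), outcome in audit(build_db(), attempts).items():
        print(f"{user:8} -> {outcome}")
```

    In this model user2 and user3 authenticate but lack `tomcatRole`, which is a different outcome from a failed login, and the name lookup is case-sensitive, so "Tomcat" does not match "tomcat".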

  • HR PA and Planning (PD profile) changes not updating auth profiles of users

    PROBLEM:
    We are on ERP version 6 since 2008.  We started experiencing this problem December last year and now it is all over our system.  As soon as employees are transferred or new appointments are made in HR on PA, or if the PD profile is changed in planning, the changes cannot be seen by the user in their auth profile.  The user can literally not see the newly appointed employee on the org structure, and even newly created org units and positions are not visible.  When RE_RHAUTH00 is run on the user name, the update indicates that the changes (new employee and new org unit) are linked.
    The following updates run every night:   RHPROFL0_DAILY_UPDATE and RHUATUPD_NEW.  I have also run PFUD during the day to make sure all updates go through.  We have also "played" with some profiles with PD profile changes but it is as if the profile remains completely static.  We have looked for personnel lists and deleted them to no avail.  Our Basis administrator has cleared the buffer for us and has run report RSUSR405 that did not do anything.  We have searched through notes on Support packages and have just loaded and tested support pack 46 to 53.  The only workaround seems to be to delete the user and create a new user and then it seems to easily accept new changes.

    Hi,
    Yes, please make it a scheduled background job. This is normal procedure.
    Define the periodicity based on your business needs: some run it every night, some every hour.
    Cheers

  • Issue with AP Auth List

    Hi guys,
    I'm having problems joining an AP (3602I) to my controller (5508) when authorising MICs against my auth-list on the controller.
    I have added the AP MAC address to the auth-list but the AP won't successfully join. The controller occasionally says "joined" and I can view it in the AP list, but the AP status is always UNKNOWN, whereby I will reset the AP and try again.
    Any ideas?
    Thanks.

    show inv:
    Burned-in MAC Address............................ E8:B7:48:A1:CD:A0
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 100
    NAME: "Chassis"    , DESCR: "Cisco 5500 Series Wireless LAN Controller"
    PID: AIR-CT5508-K9,  VID: V01,  SN: xxxxxxxxxx
    AP sh ver:
    AP78da.6e42.85ca#sh ver
    Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 22:57 by prod_rel_team
    ROM: Bootstrap program is C3600 boot loader
    BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(23c)JY, RELEASE SOFTWARE (fc1)
    AP78da.6e42.85ca uptime is 22 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP3602I-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
    Processor board ID FCZ1749J1KS
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.5.102.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 78:DA:6E:42:85:CA
    Part Number                          : 73-14521-02
    PCA Assembly Number                  : 800-37501-02
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17444F2D
    Top Assembly Part Number             : 800-35852-02
    Top Assembly Serial Number           : FCZ1749J1KS
    Top Revision Number                  : C0
    Product/Model Number                 : AIR-CAP3602I-E-K9
    Configuration register is 0x
    WLC software version: 7.5.102.0
    FUS: 7.0.112.21
    Thanks again Scott.

  • Moving/Linking Claims Windows Auth user to an ADFS Claims

    Hi guys, 
    Here is my situation:
    Initial deployment: SharePoint 2010 with Windows Authentication - Users login using AD
    We successfully migrated the web application to use "Claims"
    We then integrated the web application with ADFS 2.0 - Using the same AD users
    Everything seems good and working fine. 
    The question I have is related to content already created in SharePoint. Is it possible to map the new ADFS account usernames to the existing windows authentication claims usernames?
    This is important for users, because we would like the "My" views of lists and libraries to work. SharePoint at the moment thinks that the logged in users (using ADFS) is different than the user who created/modified the documents. (Although it
    is the same AD account)

    Hi Inderjeet
    Thanks for your reply. The article did help in moving users (Move-SPUser) from AD to ADFS (which I noticed in the securities in groups); however, the issue I'm looking at is still standing: the items that were created by the user using the "Windows
    Auth Claim" were not moved/updated to the "ADFS Claim" user, although in fact they map to the same AD user.
    Is there a way to transfer/update the created by and modified by attributes of users from the Windows Claims user to the ADFS Claims user?
    UPDATE: The above statement is not correct. Move-SPUser actually updates the created by and modified by attributes too.

  • Forms based authentication + Basic authentication = no way to use the basic auth!!!!

    Hi,
    I set up a test SharePoint site, claims mode, with both the forms and basic authentication enabled.
    I expect to see the page asking me which authentication method I want to use, but I never see this page!!!
    I have to select the Windows authentication (NTLM or Kerberos) to see this page!
    Why does using only Basic authentication not prompt the user?
    And how can I be authenticated using Basic authentication rather than forms auth when both are enabled for the same site?
    >I do NOT want to extend my site to have 2 zones... my question is ONLY with 1 zone configured.

    What is the business purpose for using Basic Auth over NTLM/Kerberos?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • I cannot upload photos from iPhoto 9 to Flickr. When I attempt to do so, I get the message "the login details or auth token passed were invalid." Please help.

    I cannot upload photos from iPhoto 9 to Flickr. When I try, I get the message "the login details or auth token passed were invalid."  I am using iPhoto 9 version 8.1.2, and my OS is 10.9.5. My computer is a MacBook Pro. I do not have this trouble with my iMac.  This trouble started before I updated to OS 10.9.5.  I do not have this problem when uploading to Facebook or sending by e-mail.
    This problem started when I tried to upload some photos after hitting the "use other account" tab. This took me to a Flickr site asking me for permission to make my iPhoto information available to others.  I clicked "yes," and then I changed my mind and clicked "no." I haven't been able to upload to Flickr since.
    I searched Flickr and Yahoo for a solution, and Yahoo says the trouble is in iPhoto.  I checked my Flickr account, and iPhoto extensions are enabled.
    I need to upload some school and alumni photos, so I sure could use some help. I am Not computer proficient.  Thank you.

    1. You did not get an error message telling you that your iPhoto library was getting full. You got a message telling you that your HD was getting full, right?
    OS X needs about 10 gigs of hard drive space for normal OS operations - things like virtual memory, temporary files and so on.
    Without this space your Mac will slow down as the OS hunts for space on the disk, files will be fragmented, also slowing things down, apps will crash and the risk of data corruption - that is damage to your files, photos, music - increases exponentially.
    Your first priority is to make more space on that HD. Nothing else can be done until you do.
    Purchase an external HD and move your Photos and Music to it. Both iPhoto and iTunes can run perfectly well with the Library on an external disk.
    Your Library has been damaged from being run on an overfull disk.
    How much free space on it now?

  • 2504 with new-architecture enabled breaks MAC auth for guest access

    Hello,
    We have (2) 2504 WLCs running version 7.6.120. WLC1 is the local controller and WLC2 is an anchor controller for guest access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
    When converged access is enabled on WLC1 and WLC2, the Mac-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the anchor controller shows the state as WEb-Auth-REQD.
    Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
    Does anyone know what changes from the old to the new that would break this mac-auth/web-auth configuration?

    You should reach TAC for this sort of issue. Not many people are deploying this CA setup yet & you may not get direct feedback immediately.
    HTH
    Rasika

  • ACS 5.3 and Command Auth

    I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode.   I have built user based auth without issue but am having an issue with Command auth.  Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default.  I have followed the user guide and the step by step from Security Solutions (link below).
    I still get no joy.   Also, Cisco changed the GUI and the way command sets are built.
    (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
    Any help would be appreciated
    Patrick Connor

    Tarik,  thanks for the response.  I cannot get screen shots but can define the options sets.
    I created 2 command sets
    Pri-15 has only the "permit all command not in the table below" check box checked
    Pri-1 has a single permit "show" with no arguments
    The Auth rule has 2 rules:
    rule 1  identity group "network Admin"  any any any pri-15
    rule 2  identity group "network monitor" any any any pri-1
    service selection rule    rule 1  condition ( match system: protocol match TACACS)  result Default Device Admin   hit count 98
    The report indicated a FAIL ("13025 command failed to match a Permit rule") and the Selected Command Set = (DenyAllCommands).
    So it looks like the command set is not being recognized, but I cannot see why.
    Thanks,
    Pat 
