BSP for user's authentication

Similar Messages

• Configure WLan for user certificate authentication

  I have windows CA and NPS (radius server).
  I want wireless clients / devices using active directory user certificates (generated by AD CA) to authenticate and encrypted to wireless WLAN.
  I have setup WLAN as [WPA2][Auth(802.1X)] and pointing to Radius server (windows NPS).
  My test notebook PC has ca.cer and username certificate installed in trusted and personal stores. And configure the wireless profile as "Microsoft: smart card or other certificate".
  However when I try to connect I got failed. And wireshark on NPS showing no traffic on port 1812.
  Could someone please help a look anything wrong on WLC setting?
  Thanks.
  GPING

  Hi, Scott,
  My WLC setting: SSID-Test, WPA2 802.1x, AES, Radius server overwrite interficace "ticked", Server1 - x.x.x.x port 1812,
  Local EAP auth - Enabled and profile = "Peap"
  On my NPS, I got 2 policies (enabled only one of them for test).
  NPS-Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", User group ="test users".
  On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft PEAP" with ca.cer installed and ticked . When "connect", I got connected with login user credential.
  NPS-Policy 2: Auth method = "Microsoft Smart card or other certificate" -> wireless server certificate"
  On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft Smart card or other certificate". Choose "use a certificate on this computer". (I have one user certificate installed on Personal store). Also ticked "Validate server certificate" and ticked the ca.cer which was installed. When "connect" I failed.
  I tried some other combination, like TKIP instead of AES, but I got "
  The settings saved on this computer for the network do not match the requiremen
  ts of the network" - really frastrated.
  Could please point me where got wrong?
  THanks
  GPING

• How do you stop BSPs on WebSEAL for asking for user-credentials?

  Hi
  We are currently having an issue with BSP Pages. When we test the BSP pages on the R/3 system they work OK. When we test them directly on the Portal then they too also work. The problem is that they are not working properly on our Intranet.
  The intranet that we use is an IBM Tivoli product (also known as WebSEAL). We currently have WebSEAL SSO to our SAP Portal. This is working OK. When we use WebSEAL to access the portal we are prompted to enter our user-id and password so that the BSP page can be displayed. This should not be happening and it defeats the purpose of SSO. I have attached a screen shot document to demonstate this.
  Some time ago we had a similar issue where the transactions on the portal (when executed from WebSEAL) were giving us a Webdynpro time-out error. I later determined that the cookie information was not being passed to WebSEAL. To fix this, I went to the Visual Administrator and went to server >> services >> web container and for the web container "sap.com/irj" I went to the cookie configuration to add a session cookie. By doing this I fixed my previous problem.
  Coming back to my problem, I had a junction created in WebSEAL to point to the bsp directory (sap/bc/sap/bsp/*) on the host concerned. I had both a SSL and TCP junction created both resulted in error messages - stating that the client (SAP) is asking for user credentials.
  Hoping that I have provided enough information above my question is as follows:
  (1) How can I get the BSP messages to work on WebSEAL such that it will not ask for user credentials to be entered? Would this involve making a further change to a Web Container? If so - which container also needs a session cookie to be generated?
  Thanks
  Kind Regards
  Rajdeep Kumar

  Hi Peter
  I am having an issue with the re-direct and am hoping you might be able to provide a little assistance. If not then not to worry.
  My security department have logged a call with IBM 2 days ago yet have not received any response.
  In your document you mention that you need to have a junction to AS-JAVA and a junction to AS-ABAP.
  We have created the junctions "/sapep" (for AS-JAVA) and "saphr1" (for AS-ABAP).
  The junction /sapep" also contains the junction mapping entries "/irj/" and "/SSOTicket/".
  The direct URL to the hidden image is : https://uadsfi01.auiag.corp:53001/SSOTicket/1x1.gif. I have tested this (using my user id and password) and it works OK.
  When testing the image through TAM (https://test.insideiaghome.iaglimited.net/sapep/SSOTicket/1x1.gif) we get an "unexpected authentication challenge"
  I have reviewed the log below and it seems that we are having an authentication issue with the image:
  ==(START OF LOG)==
  2008-06-16-19:59:58.365+10:00I----- thread(136) trace.pdweb.debug:2 /sand/cholt/laura_amweb510_11LA/src/pdweb/wand/wand/log.c:309: -
  PD ===> BackEnd -
  Thread_ID:52943
  GET /SSOTicket/1x1.gif HTTP/1.1
  via: HTTP/1.1 uattam01:443
  host: uadsfi01.auiag.corp:53001
  user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; MS-RTC LM 8; .NET CLR 2.0.50727)
  iv_server_name: uatin1-webseald-uattam01
  accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
  iagsapid: 52975
  accept-language: en-au
  referer: https://test.insideiaghome.iaglimited.net/sapabap.html
  connection: close
  iv-user: s52975
  2008-06-16-19:59:58.373+10:00I----- thread(136) trace.pdweb.debug:2 /sand/cholt/laura_amweb510_11LA/src/pdweb/wand/wand/log.c:309: -
  PD <=== BackEnd -
  Thread_ID:52943
  HTTP/1.1 401 Unauthorized
  content-type: text/html
  date: Mon, 16 Jun 2008 09:59:58 GMT
  cache-control: no-cache
  content-length: 1787
  www-authenticate: Basic realm="Upload Protected Area"
  server: SAP J2EE Engine/7.00
  expires: 0
  pragma: no-cache
  connection: close
  ==(END OF LOG)==
  When logging into the SAP Portal directly general user ids have no problem accessing this (Non-Administrator portal users), however through Tivoli it is causing an issue.
  Do you know what may be causing this issue?
  Thanks in advance for any assistance you can offer.
  Kind Regards
  Rajdeep Kumar

• Error Message For BISystemUser: User not authenticated

  We have migrated from DEV to PROD env.(11.1.1.1 -> 11.1.1.3). Along problems with bipublisher - there are some strange thingths: we successfully loging using weblogic account into AdminConsole и Enterprise Manager, but in Answers we get an error: invalid username or password.
  nqserver.log:
  ...[ERROR:1] [] [] ... [tid: 1090] Error Message For BISystemUser: User not authenticated.
  ...[ERROR:1] [] [] ... [tid: 1090] [nQSError: 43126] Authentication failed: invalid user/password.
  In oracle support we found such issue (Doc ID 1308389.1):
  OBIEE 11g Error: "Unable to Sign in. invalid username or password was entered" After Changing Repository, Deleting BISystem User, Adding it Back (Doc ID 1308389.1)
  Applies to: Business Intelligence Server Enterprise Edition - Version: 11.1.1.3.0 [1905] to 11.1.1.5.0 [1308] - Release: 11g to 11g
  Symptoms: In OBIEE 11.1.1.3.0 using default authenticator, it is not possible to log in to OBIEE after changing repository. To troubleshoot, BIsystemuser was removed from global roles and added back again.
  Getting error: Unable to Sign in. invalid username or password was entered
  Changes: Changed repository, deleted BISystemuser, added the user back
  Cause: Several changes e.g changing rpd, deleting bisystem user, adding the user back etc. occurred in the environment and caused log in to OBIEE to stop working
  Solution: After a lot of troubleshooting e.g re-starting system in the correct order, refreshing GUIDs, re-start OBIEE with default SampleAppLite.rpd and web catalog, the error persists. The system was uninstalled and re-installed to avoid further corruption and configuration problems in the new installation. This resolved the problem
  Does we have to 'reinstall or make a lot of troubleshooting e.g re-starting system ' to solve this error?
  It seem to be funny for PROD environment. How we cam resolve this problem?

  Are you saying you upgraded both dev and prod from 11.1.1.1 to 11.1.1.3 or that you migrated a dev 11.1.1.1 to a prod 11.1.1.3? What did you migrate?
  At a rough guess the BISystemUser password is different in dev and prod (created by system on install) and in your 'migration' you've moved the dev credential across to prod.
  If that's the case you need to change the bisystemuser password to something known and update the credential store password.
  Another possibility might just be that you need to regenerate the GUIDs:
  http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#BIESC721

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• Problem with LDAP authentication for users in a group

  I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
  I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
  [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
  [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
  [6707]  msNPAllowDialin: value = TRUE
  I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
  ldap attribute-map AuthUsers
    map-name  memberOf IETF-Radius-Class
    map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
  aaa-server LDAP protocol ldap
  aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
   ldap-base-dn DC=COMPANY,DC=com
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
   server-type microsoft
   ldap-attribute-map AuthUsers
  group-policy NOACCESS internal
  group-policy NOACCESS attributes
   vpn-simultaneous-logins 0
   vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
   webvpn
    anyconnect ask none default anyconnect
  group-policy GroupPolicy_COMPANY_SSL_VPN internal
  group-policy GroupPolicy_COMPANY_SSL_VPN attributes
   wins-server none
   dns-server value 10.10.100.102
   vpn-tunnel-protocol ikev1 ikev2 ssl-client
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value SPLIT-TUNNEL
   default-domain value net.COMPANY.com
   webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
  tunnel-group COMPANY_SSL_VPN type remote-access
  tunnel-group COMPANY_SSL_VPN general-attributes
   address-pool COMPANY-SSL-VPN-POOL
   authentication-server-group LDAP
   authorization-server-group LDAP
   authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
   default-group-policy NOACCESS
   authorization-required
  tunnel-group COMPANY_SSL_VPN webvpn-attributes
   group-alias COMPANY_SSL_VPN enable
  tunnel-group COMPANY_SSL_VPN ipsec-attributes
   ikev1 pre-shared-key *****

  I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

• SOA Managed Server "Authentication for user denied" exception

  Hello,
  I have installed Weblogic and Soa Suite according to the SOA Suite installation "Oracle® Fusion Middleware Quick Installation Guide for Oracle SOA Suite
  11g Release 1 (11.1.1)" document.
  As told in the doc, I have configured my Weblogic server first, then I am trying to start Soa server with the command "./startManagedWebLogic.sh soa_server1"
  But I am getting this error; mucho obrigado!
  <Nov 3, 2010 5:35:20 PM EET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
  <Nov 3, 2010 5:35:20 PM EET> <Critical> <Security> <BEA-090403> <Authentication for user denied>
  <Nov 3, 2010 5:35:20 PM EET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user denied
  weblogic.security.SecurityInitializationException: Authentication for user denied
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User javax.security.auth.login.LoginException: [Security:090301]Password Not Supplied
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:250)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  Truncated. see log file for complete stacktrace
  >
  <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
  <Nov 3, 2010 5:35:20 PM EET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
  <Nov 3, 2010 5:35:20 PM EET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

  Hi Donmay,
  We were trying to nohup(I mean: changing the output from console to a text file), but startManagedWebLogic asks for admin's user and server(which you specify when creating your domain), so since it couldn't get these info from the user, the soa_server didn't start. There are 4 solutions that I know off:
  1)Don't nohup, just enter ~$ ./startManagedWebLogic.sh soa_server1
  2)Specify the user and passwd in startManagedWebLogic. The two variables are WLS_USER and WLS_PW
  3)Create a boot.password file in .../domain/bin and in the startManagedWebLogic add this -Dweblogic.system.BootIdentityFile="fileGoesHere" JAVA_OPTIONS (http://blogs.oracle.com/middleware/2010/05/weblogic_not_reading_bootproperties_1111x.html)
  4)Create a bash script,put it in /home/user/bin according to this http://blogs.oracle.com/reynolds/2010/03/cold_start.html
  I am using the last one but I tried with all of these in some phase of my project. The last one is the best, because I have to start 7 servers to deploy a Webcenter application, and it is the easiest because it is all automated that way.
  Sorry for the late reply, I have posted from my phone.

• Can't start managed server - Authentication for user denied

  Greetings,
  I have a WebLogic 10.3.6 based domain. The admin server works correctly. Using the admin console, I created a managed server. It is not associated to any machine and I don't use node manager. The managed server listens on localhost:7101 while the admin listens on localhost:7001. Starting the managed server asks for an user/password authentication. Using the same as the one used for the admin console says:
  <7 dÚc. 2012 13 h 55 CET> <Critical> <Security> <BEA-090403> <Authentication for
  user nicolas denied>
  <7 dÚc. 2012 13 h 55 CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsy
  stem failed. Reason: weblogic.security.SecurityInitializationException: Authenti
  cation for user nicolas denied
  weblogic.security.SecurityInitializationException: Authentication for user nicol
  as denied
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.do
  BootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:966)
  at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.in
  itialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityS
  erviceManager.java:873)
  at weblogic.security.SecurityService.start(SecurityService.java:141)
  at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
  Truncated. see log file for complete stacktrace
  Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Auth
  entication Failed: User nicolas weblogic.security.providers.authentication.LDAPA
  tnDelegateException: [Security:090295]caught unexpected exception
  at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.log
  in(LDAPAtnLoginModuleImpl.java:251)
  at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(Log
  inModuleWrapper.java:110)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.bea.common.security.internal.service.LoginModuleWrapper.login(Log
  inModuleWrapper.java:106)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  Truncated. see log file for complete stacktrace
  >
  <7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
  hanged to FAILED>
  <7 dÚc. 2012 13 h 55 CET> <Error> <WebLogicServer> <BEA-000383> <A critical serv
  ice failed. The server will shut itself down>
  <7 dÚc. 2012 13 h 55 CET> <Notice> <WebLogicServer> <BEA-000365> <Server state c
  hanged to FORCE_SHUTTING_DOWN>
  I googled a while and found a post saying that the realm is probably altered or in an incorrect status. I reset the the admin's credentials using weblogic.security.utils.AdminAccount but this disn't change anything. Of course, upon the managed server creation, I initialized the fierlds user and password in the server starting tab of the admin console.
  Many thanks for any help.
  Nicolas

  Hi,
  Have you configured LDAP Authenticator on the server?
  If yes, afther the change did you restart both the servers - admin and managed?

• IAC view and BSP iviews gives pop up for user id and password

  Hello All,
  I am facing a problem in quality portal.
  we have SSO configuration between Portal and ECC system and the Jco connection using SSO with login tickets are working fine,test and ping both are succesfull.
  The ESS and MSS webdynpro application are also working fine.
  But the  IAC iviews and BSP iviews says "session managment will not work ! Please check the DMS log files for details" and then ask for user id and password of the ECC system,But the system alias that i am using,is configured for SSO with logon tickets.
  same iviews are working fine in devlopment system with system alias with SSO Login tickets but in qa it is asking for id and password ...
  I have checked all the system properties also FQDN of ECC system is also maintained.
  Please suggest what could be the issue ??
  Thank you,
  Regards,
  Gunja

  Hi,
  When messages about Session management popup then it is 99% an FQDN issue, but you say you already checked it.
  Did you also checked the parameters:
  - ITS Host Name
  - Web AS Host Name
  ... in your system object?
  Cheers,
  B.

• Check_ntlm_password:  Authentication for user ['name'] - ['name'] FAILED with error NT_STATUS_LOGON_FAILURE

  Hi,
  We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell.  My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box.  I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too.  Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords.  But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
  check_ntlm_password:  Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
  (I am blanking out the user name on purpose).
  Of course there is more to the story, but those are the basics.
  Here are the relevant parts of my smb.conf.  FWIW, the CentOS / Samba box is called Jupiter.
  Thank you,
  NickZ
  [smb.conf]
  [global]
            display charset = UTF-8
            realm = SATURN.MCLEAN.HARVARD.EDU
            netbios aliases = ANL
            server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
            interfaces = lo, em1
            security = SERVER
            update encrypted = Yes
            password server = saturn.mclean.harvard.edu
            smb passwd file = /var/lib/samba/private/secrets.tdb
            passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
            passwd program = /usr/bin/passwd %u
            unix password sync = Yes
            lanman auth = Yes
            client NTLMv2 auth = Yes
            client use spnego principal = Yes
            kerberos method = system keytab
            log level = 2
            syslog = 3
            log file = /var/log/samba/log.%m
            max log size = 50
            name resolve order = host lmhosts wins bcast
            server signing = auto
            preferred master = Auto
            ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap group suffix = cn=groups
            ldap passwd sync = yes
            ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
            ldap ssl = no
            ldap user suffix = cn=users
            usershare allow guests = Yes
            idmap backend = ldap:ldap://saturn.mclean.harvard.edu
            idmap uid = 10000-20000
            idmap gid = 30000-40000
            cups options = raw
  [homes]
            comment = Home Directories
            read only = No
  [printers]
            comment = All Printers
            path = /var/spool/samba
            printable = Yes
            browseable = No
  [anl]
            comment = Main ANL Share
            path = /anl
            read only = No
            guest ok = Yes
            hide dot files = No

  Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
  Proud to say that since that day (10+ months ago) I've not seen it happen again. whew.

• Authentication for user guest denied

  I am connecting to two WL 6.0 sp2 servers. I am logging in both as guest.
  When I log into one or the other, everything works fine. However, when I
  log into both (and create InitialContext's for both), I get the following
  error:
  java.lang.SecurityException: Authentication for user guest denied in
  realm wl_realm
  at
  weblogic.rmi.internal.AbstractOutboundRequest.sendReceive(AbstractOutboundRe
  quest.java:90)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :247)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :225)
  at
  weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(ServerNamingNode_WLStu
  b.java:121)
  at
  weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
  at javax.naming.InitialContext.lookup(Unknown Source)
  I tried synchronizing system passwords, accessing each server in a separate
  thread -- but nothing seems to work. Does anybody have any ideas?
  Interestingly, it seems to behave OK when one of the servers is WL 6.0 Beta.
  However, it breaks with sp1 and sp2.
  Thanks in advance,
  Jared

  Hi Jared,
  Are the 2 servers in the same cluster? What is your client? When and where do
  you see this SecurityException? Do you mean that when you try to get initial
  context you provide a username and password? Are you using any custom realm or
  just the default file realm?
  Joseph
  Jared Tuck wrote:
  I am connecting to two WL 6.0 sp2 servers. I am logging in both as guest.
  When I log into one or the other, everything works fine. However, when I
  log into both (and create InitialContext's for both), I get the following
  error:
  java.lang.SecurityException: Authentication for user guest denied in
  realm wl_realm
  at
  weblogic.rmi.internal.AbstractOutboundRequest.sendReceive(AbstractOutboundRe
  quest.java:90)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :247)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java
  :225)
  at
  weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(ServerNamingNode_WLStu
  b.java:121)
  at
  weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
  at javax.naming.InitialContext.lookup(Unknown Source)
  I tried synchronizing system passwords, accessing each server in a separate
  thread -- but nothing seems to work. Does anybody have any ideas?
  Interestingly, it seems to behave OK when one of the servers is WL 6.0 Beta.
  However, it breaks with sp1 and sp2.
  Thanks in advance,
  Jared--
  Joseph Nguyen
  Developer Relations Engineer
  BEA Systems, Inc.

• Why Unable to identify a user for 802.1X authentication (0x50001)?

  Hello, 
    We are trying to set up wifi single-sign-on. When logging to a laptop get a message
  "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
  Server: windows server 2003 (with all updates)
  laptop: windows 7 professional SP1 (with all updates)
  When looking to event log i found this error:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2012-10-10 10:38:01
  Event ID:      5632
  Task Category: Other Logon/Logoff Events
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      sba01-nb
  Description:
  A request was made to authenticate to a wireless network.
  Subject:
  Security ID:                
  Account Name:                -
  Account Domain:                -
  Logon ID:                0x0
  Network Information:
  Name (SSID):                Pivot_Users
  Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
  Local MAC Address:        C4:85:08:12:77:44
  Peer MAC Address:        00:24:97:83:8E:61
  Additional Information:
  Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
  Error Code:                0x525
  EAP Reason Code:        0x0
  EAP Root Cause String:        
  EAP Error Code:                0x0
  Event Xml:
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5632</EventID>
      <Version>1</Version>
      <Level>0</Level>
      <Task>12551</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
      <EventRecordID>37791</EventRecordID>
      <Correlation />
      <Execution ProcessID="760" ThreadID="2224" />
      <Channel>Security</Channel>
      <Computer>sba01-nb</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SSID">Pivot_Users</Data>
      <Data Name="Identity">
      </Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="PeerMac">00:24:97:83:8E:61</Data>
      <Data Name="LocalMac">C4:85:08:12:77:44</Data>
      <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
      <Data Name="ReasonCode">0x50001</Data>
      <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
      <Data Name="ErrorCode">0x525</Data>
      <Data Name="EAPReasonCode">0x0</Data>
      <Data Name="EapRootCauseString">
      </Data>
      <Data Name="EAPErrorCode">0x0</Data>
    </EventData>
  </Event>
  Thank you for answer and help.
  Regards, 
    Tadas

  Hi,
  Thanks for your post.
  Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
  Here is the process that is followed.
  1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
  2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
  3. The Authenticator cannot validate and the authentication would fail.
  4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
  it will just ignore them
  5. You will see event 15506 after the event 15514.
  Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
  http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
  0x50001 = Dec 327681
  Reason code:  327681   Event log message:  The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: 
  ONEX_UNABLE_TO_IDENTIFY_USER
  Best Regards,
  Aiden
  Aiden Cao
  TechNet Community Support

• Fixed ip for vpn user- aaa authenticated

  Hi all,
  i am using asa 5520 as my vpn box. All vpn users login to vpn box associated with a aaa server. The authenticaltion takes place on aaa server. If i use local database for user login, i can assign fixed static ip to the user via its vpn properties. But now i am using aaa for authentication and i want to assign fixed statix IP for some users. How can i do this?

  with local aaa authentication
  go to the user atributes
  like username vpnuser attributes
  vpn-framed-ip-address 192.168.50.1 255.255.255.255
  this will give that ip to that user
  if u are useing cisco ACS
  under the user setting
  go to :
  Assign static IP address-If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup
  and the following link give step-by step intstruction to configure cisco ACS AAA
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
  good luck
  please, if helpful Rate

• NoMachine(freenx) Authentication failed for user (MYUSERNAME)

  Hi all,
  I have quite a few experience with freenx on other linux distributions, but this is my first time setting up freenx on archlinux. After following the instructions in the wiki, authentication keeps failing no matter what I do.
  Stuff I've done from the wiki:
  1. install freenx
  2. add RSAAuthentication yes AllowUsers someuser nx to sshd_config
  3. add md5sum to node.conf
  4. pacman -S xdialog xterm
  5. run "/usr/bin/nxsetup --install --setup-nomachine-key"
  6. modify /etc/nxserver/node.conf so that "USER_X_STARTUP_SCRIPT=.xinitrc"
  7. pick the right configurations when connecting to my server
  I have "exec startxfce4" in .xinitrc.
  It always goes up to "Waiting for authentication" and then "Authentication failed for user (MYUSERNAME)" pops up. I think it should not be a XFCE issue since authentication itself didn't even pass. I assume if it is a X window problem, what I would get is something like a blank screen.
  I'm using public key, so I didn't really copy anything from the server to my client.
  I couldn't think of a second reason why this wouldn't work. Is there any thing obvious that I missed? (If so, please move this thread to the newbie corner. lol)
  Any thoughts would be highly appreciated.
  Thanks
  Aweather

  Hi,
  I did update the password in the properties file but still I get the error
  BUILD FAILED
  C:\product\10.1.3.1\OracleAS_1\bpel\samples\utils\CreditRatingService\build.xml:
  79: Authentication failed for user "oc4jadmin" on host
  I am able to deploy from JDEV. and could configure as per documentation
  Thanks in advance,
  Anand
  I had to update the <OH>/bpel/utilities/ant-orabpel.properties file for the password and now I can deploy successfully...information was there in the readme file...
  Anand
  Message was edited by:
  AnandP

• Active Directory Authentication and permissions for user group in APEX 4.0

  Hello,
  I am new to oracle APEX and I have searched the forum for active directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow; in order to implement AD authentication for a user group in Oracle APEX 4.0.
  These are the threads which i was looking at to get an idea like how AD authentication works but its really confusing for me.
  Help with Authentication (APEX_LDAP.AUTHENTICATE)
  Re: LDAP Authentication Via Groups
  Thanks,
  Tony

  You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.