BUG - Client Authentication doesn't work !!! [standalone 10.1.3.0.0]

Similar Messages

• Client Certificate authentication doesn't work

  Hi there,
  I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
  (my system is not a sneak preview and it is based on Linux).
  When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
  In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
  All certificates are valid, no problem found.
  Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
  Any idea?
  Thank you,
  Erik

  Did you map the certificate and user in the transaction 'extid_dn' ?
  Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
  Felix

• PEAP-GTC on Win 7 and 8 platforms (LDAP authentication doesn't work)

  Hi all!
  Customer is using Open LDAP as directory services.
  We're setting Cisco Wi-Fi network with following authentication scheme:
  Wireless LAN Controller - Cisco ACS 5.3 - Open LDAP
  According to the documents ACS - LDAP supports only EAP-TLS and PEAP-GTC methods.
  We need to perform username/password authentication. It works good on Apple and Android devices. But id doesn't want to authenticate Windows 7 clients.
  We're unchecking "Validate Servers certificate" in WLAN settings of Win 7 client, but it still doesn't work.
  It seems, that Windows doesn't support PEAP-GTC method. Are there any workaround to solve the issue?
  I might assume, that there could be some software plug-ins (supplicants) that can be installed on Windows and give support of PEAP-GTC. But in this case customer will face serious organizational issues of provisioning new devices.
  Please advice!
  Thank you!
  Yuriy

  In order to see PEAP EAP-GTC option on the client, you need to install EAP-GTC supplicant on the client machine.
  Check this:
  http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007967
  Jatin Katyal
  - Do rate helpful posts -

• PEAP : Machine authentication doesn't work

  Hello,
  I'm trying to set up machine authentication and at this time I have some problems.
  I have the following configuration:
  - the users laptop are running WinXP
  - the AP is a 1232
  - ACS 3.3.2
  - external database (Win2000 Active Directory) authentication
  I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
  On the Active Directory I changed the Dial In config. for the computers to allow access.
  Is there anything else that has to be modified in order to perform machine authentication?
  Hope someone will be able to help me.
  Thanks in advance.
  Alex

  Hi Alex
  I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
  I am spending the day to get this working and I'll post what I find out.
  Regards
  Colin

• Oracle client 9i doesn't work for windows ordinary user

  Hello All,
  I've installed oracle 9i client on windows xp. Client software works for user belonging to windows administrators group. it doesn't works for ordinary users not belonging to administrators group. Particularly when i run sqlplus from command line i get following error :
  Incorrect environment variable PLUS_DFLT
  Program execution error.
  i also need access to Oracle ODBC driver.
  When i try to configure ODBC source (created by user with administrator privileges) by common user i get following errors :
  The setup routines for Oracle for Oracle in OraHome9i ODBC driver couldn't be loaded due to system error code 5
  Could not load the setup or translator library
  Very appreciate for any help.
  Regards Arkadiusz Masny

  It sounds like the users on the machine do not have access to the Oracle home directory. Check the permissions of the folder by right properties, select the user and check that they have read and then select advanced. Tick the "replace permission entries....." box and apply. This will re apply all user rights in all folders and subfolders. Try again.
  HTH Mark F

• Client Authentication certificate not working in ADFS3.0

  Hi,
  I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
  federate user credentials to 3rd party trust for single-sign-on.
  I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
  use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
  The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
  Thanks!
  -Chinmaya Karve

  I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have
  working certificates.
  I just get a page where a text says I should select a certificate but I never get the dialog to do so.
  Any updates on this issue?

• EA4500 guest network re-authentication doesn't work

  I have successfully set up a guest network on my EA4500. Guest laptop associates with guest SSID just fine. Then via IE, it gets prompted for the guest password, which is entered and accepted just fine. At this point guest laptop is on the network. Hooray!
  BUT... at some point the guest laptop will need to reauthenticate (I don't know what the timeout is, but maybe one or two days?). Anyway, it's at this point that IE presents the guest network login page. But now after typing in the password, "enter" or clicking on the button does nothing. It looks like the guest web page doesn't get loaded properly or completely, so the reauthentication can't complete, therefore can't get to the internet. So, while in this state, I've also tried Firefox and Chrome, and same thing, no action when trying to submit the guest password. Tried rebooting guest laptop, and still same problem. Only thing I've found so far that works is to reboot the router. So I'm guessing there's a problem with the guest/web server on the router?? It's a real pain to have to reboot the router every day or two, when I've had other Linksys routers run for months without having to touch them.
  I was running CCC 2.1.38 when I first noticed the problem. Since then I've downgraded to Classic 2.0.37, but it seems I still have the same problem. Again, I can connect & authenticate just fine initially, but when reprompted after some period of time, it doesn't work.
  I've tried contacting Cisco support, but it looks like I'm at 91 days since purchase and thus outside of my 90-day complimentary support, so they happily provided me with the premium support options just to have the honor of talking with them. Guess I shouldn't have spent so much time trying to figure this out myself.
  I've searched the forums here,but so far haven't found any answers (I do see posts where the guest web page isn't presented at all, but in my case the page is presented, just can't do anything). Anyone seen this or have any ideas?

  jaymay -- I agree there's no harm in a reset; just the time to reconfigure, reenter DHCP reservations, etc. I'll keep this as an option as I troubleshoot, but see next...
  TEXXSHARKK -- good news/bad news ... I ended up not yet resetting. Instead, since I had this problem first with CCC firmware 2.1.38 (Build 138828 - the automatically pushed update), I reverted back to Classic 2.0.37. Still same problem with guest re-authentication. Only workaround was to reboot the router. That's when I first posted.
  So, since I had the problem with both CCC and Classic firmware, I ended up going back to CCC. To do that, I needed to manually update, which is 2.1.38 (Build 138880 for web manual download only). SInce (re)updating the firmware, I haven't had a repeat of the original problem. It's been about a week now, and the guest laptop has gone through a number of re-authentications, all without problem. For continued troubleshooting, I've been periodically connecting my iPad, BlackBerry, etc, to the guest network, and they get through the authentication page just fine as well. So that's the good news in that the problem "seems" to have gone away.
  The bad news is that it's still unexplained:
  - There's what I assume is a just a minor build difference between the two CCC firmwares, so it seems unlikely that would make a difference?
  - Could be just the fact of reburning the firmware corrected whatever the problem was -- a la doing a reset, even though I didn't reconfigure, just firmware (re)update
  - Could be the problem is still there biding its time, waiting for me to think it's forever gone, only to pounce again
  If the problem does reappear, I'll update here.

• Certification authentication doesn't work on linux version of Firefox

  I have web page on IIS6 which need windows authentication. I enabled certificate mapping on certain user so when I install the proper certificate on firefox installed on Windows-based PC (I login with local user) and set network.automatic-ntlm-auth.trusted-uris variable, I can access this site without typing username and password. I tried to configure in same way firefox on my linux station, but it doesn't work - the web site access attempt finishes with authentication request windows

  I didn't

• Client Authentication is not working

  Hi all..
  I have developed a web service with server and client authentication.. I had configured OC4J 10g successfully for client authentication but the problem is: I can NOT access the webservice from the browser the server says: no_certificate. the stub client works properly. I tried to install the certificate into IE explorer but it is not working. please help me ... Thanks in advance
  Khaled

  Hi
  How did you implement your solution to work with a client? I'm trying to authenticate users that try to access a webservice with basic authentication but I can't seem to make it work...
  Thanks in advanced
  Vitor

• HTTPS 2-way authentication doesn't work.

  I succeeded in setting up my server (WL 6.1) to use SSL and enforce client
  authentication.
  I created a client certificate with OpenSSL, and imported it into my
  browser.
  When I request the page https://localhost:7002/
  I get following message in the log:
  CertificateVerify.md5 error____________________________
  our computed md5 is
  0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
  the actual is
  0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
  When I turn on -Dssl.debug, then I get a stack trace:
  CertificateVerify.md5 error____________________________
  our computed md5 is
  0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
  the actual is
  0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
  weblogic.security.CipherException: Invalid signature
  at
  weblogic.security.SSL.CertificateVerify.input(CertificateVerify.java:
  127)
  at weblogic.security.SSL.Handshake.input(Handshake.java:115)
  at weblogic.security.SSL.SSLSocket.getHandshake(SSLSocket.java:1043)
  at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:778)
  at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:622)
  at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:267)
  at
  weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java
  :238)
  at
  weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1116)
  at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
  at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:90)
  at
  weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.
  java:563)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  Any ideas?
  Thanks,
  Lsui

  I seem to be having similar problems, was there a solution found for this?
  To set up the debug information do I need to add anything more
  than -Dssl.debug (i.e. does it take an "=true" or something like that)?
  Thanks,
  Geoff.
  "Luis Muniz" <[email protected]> wrote in message
  news:[email protected]...
  I succeeded in setting up my server (WL 6.1) to use SSL and enforce client
  authentication.
  I created a client certificate with OpenSSL, and imported it into my
  browser.
  When I request the page https://localhost:7002/
  I get following message in the log:
  CertificateVerify.md5 error____________________________
  our computed md5 is
  0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
  the actual is
  0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
  When I turn on -Dssl.debug, then I get a stack trace:
  CertificateVerify.md5 error____________________________
  our computed md5 is
  0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
  the actual is
  0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
  weblogic.security.CipherException: Invalid signature
  at
  weblogic.security.SSL.CertificateVerify.input(CertificateVerify.java:
  127)
  at weblogic.security.SSL.Handshake.input(Handshake.java:115)
  atweblogic.security.SSL.SSLSocket.getHandshake(SSLSocket.java:1043)
  at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:778)
  at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:622)
  at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:267)
  at
  weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java
  :238)
  at
  weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1116)
  atweblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
  atweblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:90)
  at
  weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.
  java:563)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  Any ideas?
  Thanks,
  Lsui

• Bug - column filter doesn't work in 3.1.05

  When viewing a table in sqldev, if you click on a column heading you are given a filter box. That filter never returns any rows. I have tried using the same case as the data, and also entering the filter in LC when the data is in UC - neither one works. I just tested this in 3.0.04, and it doesn't work there, either.

  Here is the description from the Help manual for the function I am trying to use:
  Filter Column enables you to enter a partial value (such as a number or a string; at least two characters for a string), to limit the dialog box display to items containing the partial value, so that you can then select the one item to appear in the grid. For example, entering EMP for column names might show a list of columns including EMPLOYEE_ID and IS_TEMP.
  That function appears in both the Data view, and the Columns view, but doesn't work in either one. I've tried using the exact same case, with and without % signs and single quotes.
  I use sqldev to support Demantra, which has tables with hundreds of columns (plus we've customized it with even more columns). It would help if sqldev sorted those columns by column name. Since it doesn't do that, I could filter the column list to show me just our custom columns using DF_ or DF_% as the filter criteria, if that function worked.
  There is a workaround for filtering data, since you can enter filter criteria in the Filter bar such as err_msg like '%problem%'. But that filter bar doesn't appear in the Columns view.

• Client VPN doesn't work until reload; all other services are fine

  We have a 1800 router running 12.4.x that is acting up.  Every week or 2, client vpn connectivity stops working on it (clients receive a ' reason 412; the remote peer is no longer responding' when trying to connect).  All other traffic running through that router continues to work fine (site to site, nat, etc).  If we run a 'clear ip nat translation', then ONE client can reconnect, but any subsequent clients cannot.  So, basically one at a time.  the only 'fix' is a reboot of the router.  any suggestions on where to start troubleshooting?
  thanks!                  

  Matt,
  Did you disable NAT-T on this device?
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Proxy authentication doesn't work with JSSE

  Hello,
  Seems like there is no common way to authenticate with proxy for HTTP and HTTPS.
  Connecting to http://... - works fine, but https://... returns error message:
  Unable to tunnel through 111.111.111.111:8080. Proxy returns "HTTP/1.0 407 Proxy Authentication Required"
  (IP address is intentionally changed in the message above)
  I'm using JSSE with VAJ JDK 1.2 and here is a Java code snippet that works well with HTTP connections:
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("java.protocol.handler.pkgs",
  "com.sun.net.ssl.internal.www.protocol");
  System.setProperty("https.proxyHost", proxyHost);
  System.setProperty("https.proxyPort", proxyPort);
  System.setProperty("http.proxyHost", proxyHost);
  System.setProperty("http.proxyPort", proxyPort);
  try {
  URL url = new URL("https://www.sun.com");
  URLConnection connection = url.openConnection();
  String authString = proxyUserID + ":" + proxyPasswd;
  String encodedAuthString =
  "Basic " + new sun.misc.BASE64Encoder().encode(authString.getBytes());
  connection.setUseCaches(false);
  connection.setRequestProperty("Proxy-authorization", encodedAuthString);
  Listening to the network traffic helped me to understand that there is a difference between the way HTTP and HTTPS is handled. For some reason HTTPS ignores all the headers that I specify using setRequestProperty().
  Here is example of request and responses sent by HTTPS handler:
  Request:
  CONNECT 198.175.98.32:443 HTTP/1.0
  User-Agent: JSSE
  Proxy response:
  HTTP/1.0 407 Proxy Authentication Required
  Date: Wed, 07 Nov 2001 22:04:11 GMT
  Content-Length: 233
  Content-Type: text/html
  Server: NetCache (NetApp/5.1R2D4)
  Proxy-Authenticate: basic realm="NETCACHE2"
  Please note that there is no Proxy-authorization header in the request above.
  Compare it with HTTPS request sent by Netscape browser:
  Request to proxy:
  CONNECT www.sun.com:443 HTTP/1.0
  Proxy-authorization: Basic am0vbDphrGxHa22lLg==
  User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)
  Response:
  HTTP/1.0 200 Connection established
  Proxy-Agent: NetCache NetApp/5.1R2D4
  So, the question is:
  What is the best way to pass "Proxy-authorization" header to proxy server??
  Thanks in advance for your time.

  Hi Guys,
  Just like, i assume, all of you, i've had my battles with javas' handling of https comms from behind a firewall. I'm actually amazed at how something that is a simple combination of protocol and security should become so messy.
  Luckily , i managed to get all my requirements met, but the sad thing is after all that hard work, i'm not much closer to understanding why the standard java sdk (im using 1.4) forces us to endure such painful tasks.
  Really, Java is quite a mature language now, and one of its touted benefits is its applicability to web and internet technologies... so why the messy proxy code when dealing with ssl?
  Anyway, i didn't really come here to b**tch, but rather to point you all to a handy library from apache - httpClient - http://jakarta.apache.org/commons/httpclient.
  After implementing ssl proxy tunnelling and all the fun that goes with it, i found this tool, and subsequently deleted all that ugly code, and let http client deal with all that for me.
  Its seriously simple, heres a snippet:
  httpClient = new HttpClient();
  httpClient.setTimeout(responseTimeoutMillies);
  Protocol myHttps = new Protocol("https", new SSLContextBasedSocketFactory(sslContext), targetServerPort);
  httpClient.getHostConfiguration().setHost(targetServerHost, targetServerPort, myHttps);
  if (useProxy)
       httpClient.getHostConfiguration().setProxy(proxyHost, proxyPort);
          httpClient.getState().setProxyCredentials("my-proxy-realm", proxyHost, new UsernamePasswordCredentials(proxyUser, proxyPassword));
  }This initialises the client, and after this, making http requests is simple:
  String response = null;
  PostMethod postMethod = new PostMethod("/secure/blah.jsp"); // A HTTP Post
  postMethod.setRequestBody("Hello there"); // this is the data in the http post body
  int responseCode = httpClient.executeMethod(postMethod);
  if(responseCode == 200)
      response = postMethod.getResponseBody();...
  As you can see, its alot less painful. It certainly makes me feel better, knowing i don't have to support/maintain the ugly proxy tunnelling code. Give it a shot on your next project.
  Hope it helps.
  Regards
  Marcus Eaton

• Loaded Yosemite onto mid 2011 MacBook Air. IMAP account goes offline - message - Mail cannot send your password securely to the server.  Allow insecure authentication doesn't work. Repeated reloads. No joy. Help!

  Mail cannot send your password securely to the server. You can remove this restriction in the Accounts preferences by setting “Allow insecure authentication”, which could put your password at risk.

  I have the same problem.
  Late 2012 imac 27", intel i7 core
  When I upgraded to Yosemite, suddenly my email account (netvigator POP) gives an error:
  Mail cannot send your password securely to the server. You can remove this restriction in the Accounts preferences by setting “Allow insecure authentication”, which could put your password at risk.
  I have shut down & restarted mail, but no success. If I select Allow insecure authentication, it works, but that's not a long term fix.
  I also have a hotmail POP account enabled, and that is working fine.
  What's happening Apple??
  (Long term apple family - iMac, iBooks, TimeCapsule, iPhones, iPads, AirportExpress etc etc)

• Urgent help: why smtp authenticator doesn't work ?

  Please help me :
  My smtp server authenticates me whether a valid user when I send email. I have had setup an authenticator as following :
  //Setup authenticator
  Authenticator auth = new SMTPAuthenticator();
  // Get session
  Session session = Session.getDefaultInstance(props, auth);
  class SMTPAuthenticator extends Authenticator
  public PasswordAuthentication getPasswordAuthentication()
  String username="userid";
  String password="passwd";
  return new PasswordAuthentication(username, password);
  But It still prompted error with noting me:" login fail, this smtp server authentication required ".What's the problem?
  I'm a valid user in this smtp server. and the userid and passwd has no error, for it worked well when I used them to setup win2000 outlook express.
  I also tried to used authenticated javax.mail.Service's connect .
  Transport transport = session.getTransport("smtp");
  transport.connect(smtphost, username, password);
  transport.sendMessage(message, message.getAllRecipients());
  transport.close();
  but it didn't work yet ! If I use Authenticator ,is it still necessary to use connect(smtphost, username, password) ?
  Urgently, Please help me, any source code practising well with authenticating smtp server , please send it to [email protected]
  Thanks

  Just use " props.put("mail.smtp.auth", "true");"