Can I configure WS-Sec authentication via Active Directory with OSB or OWSM

Hi
I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
Regards,
Néstor Boscán

Hi.
OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
OWSM
http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
and
http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
hope this helps
best
rolando

Similar Messages

  • Oracle 9i/10G DB authentication using Active Directory (without OID)

    Hello All,
    We want to use a Single-Password authentication scheme using the Active
    Directory as the primary source for userId/Password.
    We don't want to use the Active Directory and OID bridge.
    As we have many databases and would like to configure all Databases to use Active
    Directory for Authentication. Our goal is to have single id/password across all
    the databases and any user should be able to login from any computer using their
    windows id/password, note that we don't want to use the OSAuthentication.
    We have read the documents provided by oracle for authentication using Active
    Directory, we were able to create Oracle Schema in Active Directory and were
    also able to register a DB with Active Directory and then created user as global
    user in Oracle Database and provided the DN of the user. When we tried to
    authenticate with all this setup it comes back and says invalid ID/Password !!!
    And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
    Has anyone tried or have information on Integrating Oracle to Auth against Active Directory?
    Environment:
    Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
    Operating System: Windows 2000/ Windows 2000 Server
    Constraint: We don't want to use OID ( as we don't have license for this
    product ! )

    I have a thread started similar to your request.
    OS Authentication on Windows
    Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
    SHOW PARAMETER OS_AUTHENT_PREFIX;
    SHOW PARAMETER REMOTE_OS_AUTHENT;
    CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
    GRANT CREATE SESSION TO OPS$SOMEUSER;
    For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
    CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
    I really wish Oracle or somebody created a guide or book on how to do this.

  • Use Profile Manager to configure 802.1x authentication to Active Directory

    I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
    If I configure the profile for WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network.
    If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
    Here's my problem:
    I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
    Any thoughts?
    Thanks!!!!

    I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager.  If I can't get this to work I'm going to try SCEP and certificate authentication.

  • T5-2 ILOM authentication via Active Directory

    Hello,
    We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
    (ActDir) ServerUserAuth - Error 0, failed to validate user group access
    We have a group defined and I have set it under Admin groups using the DN.
    Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
    TIA.
    Jeff

    Hello Man!
    Your provided documents and links are very effective. Thank you for your help. Right now I have the problem listed below.
    I have Cisco aironet 1142n access point. I have no ACS / WLC
    but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
    These APs are standalone. Please provide any configuration document
    "How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
    Thanks & Regards,
    Rizwan Haider Siddiqui.

  • Can not install Flash 10.1 via Active Directory GPO

    Greetings,
    Starting with the 10.0.45.2 update, we moved to install Flash via AD GPO using the instructions in the admin guide. We are doing zero custom configuration of Flash with this method, just setting up a Computer based GPO install linking to the downloaded and shared MSI installer from Adobe. For the install of 10.0.45.2, this ran without a hitch. Set up the GPO, ran it in a test OU and then on to production, and all the PCs were updated just like it should work.
    Trying to do the same thing with 10.1.53.64 flat out does not work except on a system you have manually uninstalled Flash on first; then if you have the GPO load the 10.0.45.2 Flash, that works; then if you follow up with removing the GPO from the OU and adding a new 10.1.53.64 GPO to the OU, the PC will uninstall 10.0 and install 10.1 correctly as you would expect it to do. It will not do this on our deployed systems.
    On our deployed systems, the currently installed 10.0.45.2 will not uninstall cleanly when the new installer runs via GPO, nor will it uninstall cleanly if the install computer is moved out of GPO scope as it is configured to do. The GPO attempts to do so but the installer fails with 1603 errors.
    Does anyone have a workaround to cleanup the current installs so that 10.1 can be installed? We just don't have the time to hit 100+ desktops to update Flash.
    Miles

    Just to make sure: have you seen that there is a new Admin Guide for 10.1 at http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html ?
    One thing about the 10.1 installer is that it fails if any browsers are running; I don't know if this is also true when using GPO.

  • Can I configure a gsm modem via bluetooth API

    Hi all
    Can I configure a gsm modem via bluetooth API ?
    thanks in advance
    Vishin Das V D

    Hi deepspace
    Could you please go through this thread ? http://forum.java.sun.com/thread.jspa?threadID=5211663&messageID=9860406#9860406
    it will be a great help for me
    Thanks
    Vishin Das V D

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have a setup ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejects the authentication attempt
    as for some reason the user account got locked. I guess you should ask your AD Team to check in the AD
    Event Logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)

  • Portal Authentication using Active Directory

    I am trying to set up authentication using Active Directory. Can anyone provide me with instructions on what to do? I know that I have to go to System Admin -> System Configuration -> UM configuration and change the Data Source. What else do I need to do? How do I specify which domain to authenticate against? Do I have to change the XML file? Please help.

    It depends on what you wanna do with the AD server. If you want to read/write on the AD then you have to first set up an SSL connection between the two boxes. Else if you just want to read from the AD server you don't require an SSL connection. Then you have to select the hierarchy type in System Admin -> System Configuration -> UM configuration. Save.
    The next thing you do is to open the config tool and modify your XML file accordingly.
    And restart the server.
    Hope this helps.
    Regards,
    Hassan

  • Client Certificate Mapping authentication using Active Directory across trusted forests

    Hi,
    We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the users exist in the on-premises AD and the 1-way trust allows them to use their credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
    We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premises servers configured with "AD Client Certificate Mapping".
    However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
    1. Is this possible?
    2. If yes, what do we need to do to make this work.
    Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

    1. Yes!
    2. Before answering this I need to know if you are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements and mapping?
    /Hasain

    We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
    To simulate the scenario, I set up two separate forests and established a trust between them.
    I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
    I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
    I setup a test ASP page to capture the Login Info on both the servers.
    With the client and the server in the same forest, I got the following results
    Login Info
    LOGON_USER: CORP\ASmith
    AUTH_USER: CORP\ASmith
    AUTH_TYPE: SSL/PCT
    With the client in the domain with the PKI and the server in the other Forest, I got the following response
    Login Info
    LOGON_USER:
    AUTH_USER:
    AUTH_TYPE: 
    I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
    With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
    401 - Unauthorized: Access is denied due to invalid credentials.
    You do not have permission to view this directory or page using the credentials that you supplied

  • Authentication on Active Directory under Kerberos v5

    Hi!!
    I'm trying to authenticate a user in Active Directory (with kerberos v5) and I get this message error:
    C:\j2sdk1.4>java -Djava.security.auth.login.config=gsseg_jaas.conf -Djava.security.krb5.conf=krb5.conf -Dsun.security.krb5.debug=true GssExample
    Parametros introducidos ...
    Nombre de usuario de Kerberos [AAL]: Administrador
    Contraseña de Kerberos de Administrador: swtest03
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbAsReq etypes are: 3 1
    KrbKdcReq send: kdc=192.168.80.109, port=88, timeout=30000, number of retries =3, #bytes=239
    KrbKdcReq send: #bytes read=125
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:sTime is Tue Mar 25 18:52:52 CET 2003 1048614772000
    suSec is 447772
    error code is 14
    realm is BRUJULATEST.LOCAL
    sname is krbtgt/BRUJULATEST.LOCAL
    eData provided.
    Authentication attempt failedjavax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GssExample.main(GssExample.java:74)
    Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
    at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 12 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(DashoA6275:129)
    at sun.security.krb5.internal.au.a(DashoA6275:58)
    at sun.security.krb5.internal.au.<init>(DashoA6275:53)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
    ... 15 more
    Is there anyone who can help me???
    Thanks to everybody!!

    I've got it!!!
    I can authenticate any user less than Administrator.
    But I can do it with a user, that I created, with administrator permissions.

  • Authentication on Active Directory using JNDI (A Professional Approach)

    I am using the following code for getting authenticated on Active Directory by user logon name.
    Can anyone tell me a more professional and foolproof approach for authenticating a user on Active Dir through my web interface ???
    thanks in advance
    /*
     * Created on Nov 10, 2004
     */
    package auth;
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    /**
     * @author Tushar Agrawal
     * Created On Nov 10, 2004
     */
    public class UserAuthentication {
         public UserAuthentication() {
              super();
         }
         // Binds to the directory as the user and returns that user's attributes,
         // or null if the bind or the search fails.
         public NamingEnumeration loginToActiveDirectory(
              String logonName,
              String password,
              String domain) {
              boolean success = false;
              NamingEnumeration attrs = null;
              Hashtable env = new Hashtable(11);
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.SECURITY_AUTHENTICATION, "simple");
              env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
              env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
              env.put(Context.SECURITY_CREDENTIALS, password);
              //env.put(Context.SECURITY_PROTOCOL, "ssl");
              env.put("java.naming.ldap.version", "3");
              env.put(Context.REFERRAL, "follow");
              try {
                   // The base DN is already part of the provider URL.
                   String base = "";
                   // The simple bind happens when the context is created.
                   DirContext ctx = new InitialDirContext(env);
                   SearchControls controls = new SearchControls();
                   controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                   controls.setReturningAttributes(
                        new String[] {
                             "sAMAccountName",
                             "userPrincipalName",
                             "displayName",
                             "memberOf",
                             "objectSid",
                             "title" });
                   NamingEnumeration e =
                        ctx.search(base, "sAMAccountName=" + logonName, controls);
                   if (e.hasMore()) {
                        SearchResult r = (SearchResult) e.next();
                        attrs = r.getAttributes().getAll();
                        /*while (attrs.hasMore()) {
                             System.out.println(attrs.next());
                        }*/
                   }
                   ctx.close();
              } catch (AuthenticationException e) {
                   System.err.println("Problem getting attribute: " + e);
                   success = false;
              } catch (NamingException e) {
                   System.err.println("Problem getting attribute: " + e);
                   success = false;
              }
              return attrs;
         }
    }
    tushar agrawal

    You'll find more info at :
    http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
    http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
    That's the right way to do it.
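
A hardened variant of the bind-then-search approach in the question above, as an added example that is not part of the original thread: it requires LDAPS for the simple bind, refuses empty passwords, and lets JNDI escape the search-filter argument. The class name, the logon-name pattern, and the example.test host and DNs are assumptions made for illustration.

```java
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdBindAuthenticator {
    // Assumption: logon names are limited to this conservative character set.
    private static final Pattern LOGON_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /**
     * Binds to AD as the user over LDAPS and returns that user's attributes.
     * Returns null when the credentials are malformed or rejected by the directory.
     */
    public static Attributes authenticate(String ldapsUrl, String baseDn, String upnSuffix,
                                          String logonName, char[] password)
            throws NamingException {
        // A simple bind sends the password as-is, so only allow it inside TLS.
        if (ldapsUrl == null || !ldapsUrl.regionMatches(true, 0, "ldaps://", 0, 8)) {
            throw new IllegalArgumentException("simple bind requires an ldaps:// URL");
        }
        // An empty password turns a simple bind into an unauthenticated bind, which
        // a directory may accept without checking anything; refuse it locally.
        if (password == null || password.length == 0) return null;
        if (logonName == null || !LOGON_NAME.matcher(logonName).matches()) return null;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + upnSuffix);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
        } catch (AuthenticationException e) {
            return null;                        // wrong password, locked or disabled account
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {
                "sAMAccountName", "userPrincipalName", "displayName", "memberOf" });
            // {0} is filled from the argument array and escaped by JNDI, so filter
            // metacharacters in the logon name cannot change the query.
            NamingEnumeration<SearchResult> results = ctx.search(
                baseDn, "(sAMAccountName={0})", new Object[] { logonName }, controls);
            try {
                return results.hasMore() ? results.next().getAttributes() : null;
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values; both calls are refused before any network access.
        String url = "ldaps://dc.example.test:636";
        System.out.println(authenticate(url, "dc=example,dc=test", "example.test",
                "asmith", new char[0]));
        System.out.println(authenticate(url, "dc=example,dc=test", "example.test",
                "asmith)(objectClass=*", "x".toCharArray()));
    }
}
```

The JVM must trust the domain controller's certificate (for example through its trust store) for the LDAPS connection to succeed.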

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says eap session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Integrating Active directory  with oracle EBS 12.1.3 with 11g R2 database

    Hi,
    Can anyone let me know the software requirements and document IDs for integrating Active Directory Windows 2009 R2 with Oracle EBS 12.1.3 with 11g R2 database?
    Is Windows 2008 Active Directory certified with 10g OID??
    regards,
    chandrasekhar.

    Hi
    I found exact note
    Is OID 10g/11g DIP Compatible / Certified With Microsoft Active Directory 2008 / Windows 2008 R1/R2? [ID 944298.1]
    From note:
    DIP 10g latest version (10.1.4.3) and DIP 11g up to PS4 / 11.1.1.5 Patchset releases integrations are certified with MS AD 2008 R1 only.
    DIP 11g certification with AD 2008 R2 is supported only with DIP 11g PS5 / 11.1.1.6 Patchset or higher.
    Note: Although DIP below 11.1.1.6 integration (synchronization, external authentication, etc.) with MS Windows / AD 2008 R2 may work, it is not officially compatible / certified. See also Note 1076018.1.
    Regards
    Helios

  • Integration of MS Active directory with SAP Identity management

    Hello
    I am implementing SAP Identity Management 7.1 with external tools MS Active Directory with Single sign on using SAP IDM. Is there any documentation as to how I connect SAP IDM with MS AD with the roles and their user provisioning process?
    Also, does anyone have an architectural workflow template for this process?

    Hi
    I guess, using VDS you can achieve this. Ref the LDAP connection part.
    https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
    https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    Regards
    Shridhar Gowda

  • How to integrate Active Directory with Oracle Weblogic

    hi
    Is there any Oracle document that describes how to integrate the LDAP Active Directory with Oracle Weblogic 10.3?
    Regards
    Edited by: qasas on 28-Nov-2009 13:56

    weblogic docs (and their identity asserters) - http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
