Cannot log in to OBIEE relying party trust

Similar Messages

• ADFS 3.0 WAP and Non-Claims-Aware Relying Party Trusts

  I am attempting to migrating a Windows Claims SharePoint page to ADFS 3.0 (Windows Server 2012 R2) and the WAP (Web Application Proxy) from UAG, but are running into problems when our external users attempt to authenticate.  Users from our external
  domain (call it Domain2.com) have been accessing our SharePoint pages via SAML tokens but when I attempted to move them to the new WAP and off of UAG, they get a http/500 error.  The WAP error log gives the following:
  Warning Event ID 13016 - Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie
  Error Event ID 12027 - Web Application Proxy encountered an unexpected error while processing the request. Error: The specified username is invalid. (0x8007089a).
  I presume the Error Event ID 12027 is because there is no UPN in the token and we are using KCD/Kerberos so I need to pass a UPN.
  The ADFS server and WAP are joined to Domain1.com.  Domain1.com is Active Directory and there is an account for every user in Domain2.com that is allowed access to our SharePoint Sites.  These account contain the standard
  info... UPN, Email Address, sAMAccountName, etc.  The UPN, Email, and sAMAccountName do not always match the accounts with the Domain2.com accounts; however, we have been using an Active Directory Field labled employeeNumber that is synchronized
  on both domains and we have been using a custom lookup based on the employeeNumber in AD.
  When login's occur via Domain1.com, no problem, the UPN is pulled from the Active Directory Claim Provider Trust.  When a user attempts to access from Domain2.com, we have configured ADFS to forwards them to an STS that collects the employeeNumber
  from Domain2.com via a Web Auth SAML token.  We are able to use the SAML token if we use the standard Claims-Aware Relying Party Trust (CARPT) and convert our SharePoint sites to use the trusted URN via powershell scripts, but we are trying to retain
  functionality similar to how we are using UAG so we don't want to change every single SharePoint site to the SAML configuration, hence we are trying to use the Non-Claims-Aware Relying Party Trust (NCARPT)
  Problem1: When we are using CARPT we can configure the custom translation for our employeeNumber lookup in AD.  But CARPT uses SAML Tokens not Kerberos Tolkens so we cannot login when SharePoint is configured for Kerberos.
  Problem2: When we are using NCARPT it works great when authenticating via local (Domain1.com) credentials and look's up the user in AD, but when we attempt to authenticate with remote (Domain2.com) credentials we are unable to configure the employeeNumber
  lookup and ADFS doesn't just go out and make that correlation on its own.
  Question1: Can I configure CARPT to use Kerberos?
  Question2: If not, can I configure NCARPT to lookup the AD employeeNumber, match the UPN, and add the UPN to the token?
  Question3: If neither option is available, am I just stuck with UAG or is there something out (not scheduled for EOL) there that can handle the translation between SAML and Kerberos Tokens?
  Let me know if I left something out, I tend to ramble, but not sure of all the info that is needed...

  Hi,
  Based on the description, is there trust between domain 1 and domain 2? If not, we can try to create trust between these two domains to see if it helps.
  Regarding Event ID 13016 and Event ID 12027, the following article can be referred to for more information.
  Web Application Proxy Troubleshooting
  https://technet.microsoft.com/en-us/library/dn770156.aspx
  Besides, for ADFS questions, in order to get more and better help, it's recommended that we ask for suggestions in the following forum.
  Claim based access platform (CBA), code-named Geneva
  https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Using two User Stores for one relying party trust

  Hi all,
  We got a request to implement a trust with an external party. 
  Internal users should be able to make use of that application. But also external users, which have their account stored in a different user store (question is asked if its a SQL or LDAP kind of store).
  Is it possible to have a SSO effect for both internal and external users? 
  Somehow ADFS has to know if the user is internal or external. I can imagine an internal user being in the office will get a nice SSO feeling. From what i think this is not possible for external users. External users should still authenticate once on our sts
  (adfs). Lets say this is true, is it possible for ADFS to see if a user is external, and then use the User Store that belongs to that external user?
  You also must take in mind that an internal user could also be in a internet cafe, so SSO is not possible. Also this time the user should authenticate to the sts. But this time it has to use Active Directory as User Store.
  I know internal users have a username in a different format then external users. 
  Is it possible for ADFS to know which User Store to pick based on the format of the username?
  Thanks in advance for the reaction.

  Hi,
  Thank you for your posting!
  Since Active Directory Federation Service is not an extension of Active Directory schema, I suggest you refer to the following forum to get professional support:
  Claims based access platform (CBA), code-named Geneva Forum
  http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
  Thank you for your understanding and support.
  Best Regards,
  Amy Wang

• Creating an Account/Resource Party Trust - What do I need to do?

  I have an ADFS 2.0 deployment and I am looking to create a trust with another organisation. I have an application that there user base will access using their domain credentials but they don't have an ADFS Proxy Server, only a federation server deployment.
  Therefore I am creating the relying party trust manually? What certificate do I need to import when creating the trust? Is it the service communication certificate, i.e. the certificate with my federation service name?
  kind regards
  Hendy

  Hi Hendy,
  Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
  Claims based access platform (CBA), code-named Geneva Forum
  http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
  Here are some references below for you:
  Certificate requirements for federation servers
  http://technet.microsoft.com/en-us/library/cc783182(v=WS.10).aspx
  Add a Relying Party Trust
  http://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=WS.10).aspx
  Best Regards,
  Amy

• ADFS Taleo Relying Party Configuration

  Hi, 
  I'm trying to configure Oracle Taleo as a relying party for AD FS and the AD FS as identity provider for Taleo. 
  AD FS Configuration
  I have uploaded XML Taleo federation metadata in relying party configuration wizard and everything seems correct. I have created claim-rules to return email address in Name ID attribute with unspecified format. 
  Taleo Configuration
  When I try to sign in, browser is correclty redirected to AD FS, AD FS returns a SAML response containing email address in name ID attribute (logged with Fiddler), but Taleo returns Internal Server Error 500. 
  Do you see anything wrong in this configuration? IdP identifier? Authentication URL? and more important the certificate: it is possible to select only one certificate, so which certificate should be uploaded SSL, token encryption or token deryption? in which
  format? binary base 64?
  I'm trying to  troubleshoot this error since one week also with Taleo support, but we didn't find anything. If you have already configured Taleo or you have any idea, let me know. 

  Ok, I have an update from the vendor, it is an error log: 
  I have some error reported by our Cloud Operations team I hope they will help you get a general idea: 
  << Report from Cloud Ops>> 
  Feb 17, 2015 5:28:17 PM EST 
  Error FED-18074 Signature verification failed for provider ID http://*****.com/adfs/services/trust 
  Feb 17, 2015 5:28:17 PM EST 
  Error FED-12064 Exception: {0} 
  Feb 17, 2015 5:28:27 PM EST 
  Error FED-10146 Could not locate the X.509 certificate forhttp://****.com/adfs/services/trust, for use signing 
  Feb 17, 2015 5:28:27 PM EST 
  Error FED-12064 Exception: {0} 
  Feb 17, 2015 5:28:27 PM EST 
  Error FED-15131 Certificate was missing when trying to verify digital signature. 
  The problem is related with certificates, because we have uploaded several certificates and now I think Taleo is not able to find the right one. Since all errors are related to signing certificates maybe I have to select this one. 

• I cannot log onto the App Store, the page appears when I call it from the dock or the Apple menu. I can call the log-in box from the menu bar, but on signing in the spinning icon just keeps spinning,(not the beachball). Any suggestions? Using 10.6.7 and u

  I cannot log onto the App Store, the page appears when I call it from the dock or the Apple menu and I can call the log-in box from the menu bar, but on signing in the spinning icon just keeps spinning,(not the beachball).  Using 10.6.7 and up-to-date on all software. Any suggestions?

  Could be a third party app preventing you from being able to login.
  Mac App Store: Sign in sheet does not appear, or does not accept typed text
  If it's not a third party issue, follow the instructions here.
  Quit the MAS if it's open.
  Open a Finder window. Select your Home folder in the Sidebar on the left then open the Library folder then the Caches folder.
  Move the com.apple.appstore and the com.apple.storeagent files from the Caches folder to the Trash
  From the same Library folder open the Preferences folder.
  Move these files Preferences folder to the Trash: com.apple.appstore.plist and com.apple.storeagent.plist
  Same Library folder open the Cookies folder. Move the com.apple.appstore.plist file from the Cookies folder to the Trash.
  Relaunch the MAS.

• SERIOUS BUG - cannot log in Leopard after upgrading to 10.5.7!

  Hi all, I upgraded my Macbook Pro to 10.5.7 via Software Update, and after that I cannot log in anymore! The system boots fine, I land on the log in screen. After entering the password, it seems to be logging in, I can see the dashboard and everything, and then it automatically logs out and jumps back to the log in screen!
  I searched on Apple Support and found this -> http://support.apple.com/kb/TS1543?viewlocale=en_US, changing the password in single user mode doesn't work either!
  Hope you guys know what's going on and give me a hand! I tried to contact Apple Support but they said my AppleCare is expired and won't help!
  Thanks guy!

  Using Software Update can be finnicky!
  There are no guarantees, but following this procedure when installing updates and upgrades on your Mac, or even re-installing them, will go a long way towards avoiding unpleasant after effects and ‘post-update stress disorder’.
  It is also worth noting that it is an extreme rarity for updates to cause upsets to your system, as they have all been extensively beta-tested, but they may well reveal pre-existing ones, particularly those of which you may have been unaware. If you are actually aware of any glitches, make sure they are fixed before proceeding further.
  So before you do anything else:
  If you can, make a full backup first to an external hard disk. Ideally you should always have a bootable clone of your system that enables you to revert to the previous pre-update state.
  Turn off sleep mode for both screen and hard disk.
  Disconnect all peripherals except your keyboard and mouse.
  1. Repair Permissions (in Disk Utility)
  2. Verify the state of your hard disk using Disk Utility. If any faults are reported, restart from your install disk (holding down the C key), go to Disk Utility, and repair your startup disk. Restart again to get back to your startup disk.
  At least you can now be reasonably certain that your system does not contain any obvious faults that might cause an update/upgrade to fail.
  3. Download the correct version of the COMBO update from the Apple download site.
  The Combo updater of Leopard 10.5.7 can be found here:
  http://support.apple.com/downloads/MacOS_X_10_5_7_ComboUpdate
  If you prefer to download updates via Software Update in the Apple menu (which would ensure that the correct version for your Mac was being downloaded), it is not recommended to allow SU to install major (or even minor) updates automatically. Set Software Update to just download the updater without immediately installing it. There is always the possibility that the combined download and install (which can be a lengthy process) might be interrupted by a power outage or your cat walking across the keyboard, and an interrupted install will almost certainly cause havoc. Once it is downloaded, you can install at a time that suits you. You should make a backup copy of the updater on a CD in case you ever need a reinstall.
  Full details about the 10.5.7 update here: http://support.apple.com/kb/HT3397
  More information on using Software Updater here:
  http://support.apple.com/kb/TA24901?viewlocale=en_US
  Using the Combo updater ensures that all system files changed since the original 10.4.0 are included, and any that may have been missed out or subsequently damaged will be repaired. The Delta updater, although a temptingly smaller download, only takes you from the previous version to the new one, i.e. for example from 10.5.5 to 10.5.6. Software Update will generally download the Delta updater only. The preferable Combo updater needs to be downloaded from Apple's download site.
  Now proceed as follows:
  4. Close all applications.
  5. Unplug all peripherals except your keyboard and mouse.
  6. Install the update/upgrade. Do not under any circumstances interrupt this procedure. Do not do anything else on your computer while it is installing. Be patient.
  7. When it ask for a restart to complete the installation, click restart. This can take longer than normal, there are probably thousands of files to overwrite and place in the correct location. Do nothing while this is going on.
  8. Once your Mac is awake, repair permissions again, and you should be good to go!
  If your Mac seems slightly sluggish or ‘different’, perform a second restart. It can’t hurt and is sometimes efficacious!
  9. Open a few of your most used applications and check that all is OK. In this connection please remember that not all manufacturers of third party applications and plug-ins, add-ons, haxies etc, will have had time to do any necessary rewrites to their software to make them compliant with the latest version of your operating system. Give them a weeks or two while you regularly check their websites for updates. This applies particularly to plug-ins for Safari 3.
  N.B. Do not attempt to install two different updates at the same time as each may have different routines and requirements. Follow the above recommendations for each update in turn.
  Lastly, Apple's own article on the subject of Software Update may also be useful reading:
  http://docs.info.apple.com/article.html?artnum=106695
  If you are updating Safari (or just have):
  Input Managers from third parties can do as much harm as good. They use a security loophole to reach right into your applications' code and change that code as the application starts up. If you have installed an OS update and Safari is crashing, the very first thing to do is clear out your InputManagers folders (both in your own Library and in the top-level /Library), log out and log back in, and try again.
  So, disable all third party add-ons before updating Safari, as they may not have been updated yet for the new version. Add them back one by one. If something goes awry, remove it again and check on the software manufacturer's website for news of an update to match your version of Safari.
  Most errors reported here after an update are due to an unrepaired or undetected inherent fault in the system, and/or a third party add-on.
  Additional tips on software installation here:
  http://docs.info.apple.com/article.html?artnum=106692
  To reiterate, Input Managers reach right into an application and alter its code. This puts the behavior of the affected application outside the control and responsibility of its developers: a recipe for problems. That's not to say that issues absolutely will ensue as a result of Input Managers, but you, as a user, must decide. If the functionality of a specific Input Manager or set thereof is really important to you, you may well choose to assume the associated risk.
  Again, the advice is to remove all Input Managers from the following directories:
  • /Library/InputManagers
  • ~/Library/InputManagers
  especially prior to system updates (they can always be added back one-by-one later).

• User cannot log into ZCM Agent 11.3.1

  We just went through a domain migration. All PCs were unregistered from the old ZCM 11.2 server in the old domain before they were migrated. When we went to re-register them to the 11.3.1 ZCM server, we ran into 2 issues. Some of the systems successfully upgraded to 11.3.1 BUT users cannot log onto the ZCM 11.3.1 Agent. It's giving an error of "unable to log into the network because the login credentials or the server certificate is incorrect". The PCs that didn't not upgraded to ZCM 11.3.1 and are running 11.2.0 do not have this problem. They get authenticated appropriately. The User configuration is set to eDirectory (just like on the ZCM 11.2 server in the old domain).
  I ran "zac ci" and noticed there are old certificates from ZENworks servers that are no longer around. How do you get rid of these old references? It's picking up the new server's certificates. I ran this on my PC ZCM Agent 11.2 (won't upgrade and can authenticate into the ZCM 11.2 agent just fine) and I do not see the old certificates. I'm only seeing certificates for the new ZCM 11.3.1 server in the new domain and the eDirectory master server that the ZCM server is referencing.

  The old Trusts can be cleared using IE to managed the Trusted Root
  Stores. There are some other ways too.
  However, Having old ones should not be an issue unless the old and new
  Servers have the same name. Not 100% sure matching will cause an issue,
  but I think I have seen that before.
  It may be possible to automate the removal of the old trusts, but I
  would not worry about that until you verify it is an issue by manually
  fixing a couple and see if resolves your issue.
  Your issue may be something else.
  Reinstalling CASA is something else to try.
  On 10/9/2014 5:16 AM, hfr63 wrote:
  >
  > We just went through a domain migration. All PCs were unregistered from
  > the old ZCM 11.2 server in the old domain before they were migrated.
  > When we went to re-register them to the 11.3.1 ZCM server, we ran into 2
  > issues. Some of the systems successfully upgraded to 11.3.1 BUT users
  > cannot log onto the ZCM 11.3.1 Agent. It's giving an error of "unable
  > to log into the network because the login credentials or the server
  > certificate is incorrect". The PCs that didn't not upgraded to ZCM
  > 11.3.1 and are running 11.2.0 do not have this problem. They get
  > authenticated appropriately. The User configuration is set to
  > eDirectory (just like on the ZCM 11.2 server in the old domain).
  >
  > I ran "zac ci" and noticed there are old certificates from ZENworks
  > servers that are no longer around. How do you get rid of these old
  > references? It's picking up the new server's certificates. I ran this
  > on my PC ZCM Agent 11.2 (won't upgrade and can authenticate into the ZCM
  > 11.2 agent just fine) and I do not see the old certificates. I'm only
  > seeing certificates for the new ZCM 11.3.1 server in the new domain and
  > the eDirectory master server that the ZCM server is referencing.
  >
  >
  Going to Brainshare 2014?
  http://www.brainshare.com
  Use Registration Code "nvlcwilson" for $300 off!
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• SAML Credential Mapper Relying Party "Post Form"

  Hi,
  Has anybody used Custom Post Form for SAML credential Mapper Relying Party.
  If so can you pls tell the specs. It is saml V2
  I am trying like this in a html
  <input type="hidden" name="TARGET " value="ddddd" />
  <input type="hidden" name="SAML_AssertionConsumerURL" value="ddddddd" />
  <input type="hidden" name="SAML_AssertionConsumerParams" value="homogenousMap" />
  <input type="hidden" name="SAML_ITSRequestParams" value="" />
  But everytime it gives a Internal server error in the logs
  ####<Oct 13, 2008 2:16:19 PM PDT> <Debug> <SecuritySAMLService> <pd7000163> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1223932579244> <BEA-000000> <SAMLServlet (samlits): doGet(): Unexpected throwable while handling request, returning INTERNAL_SERVER_ERROR: java.lang.NullPointerException>
  I am also not finding any details about samlits servlet.
  WEblogic front line support also does not know. No weblogic documentation on the actual implementation.
  Thanks
  Vishnu

  Vishnu, you should also try cross-posting in the WLS-Security forum.
  WebLogic Server - Security

• After 11.1 and ios 7 update, cannot log into ipad. says apple ID already in use. no issues prior to updates.

  After 11.1 and ios 7 update, cannot log into ipad. says apple ID already in use. no issues prior to updates.tried both primary and backup emails. says both already in use

  randers4, thank you for the suggestions.
  1) I have contacted Verizon and they are not blocking "premium" or 3rd party text messages.
  2) The Apple ID login issue occurs regardless of wi-fi network location, or even if I am not on wi-fi at all. Router settings are irrelevant to this problem.
  3) I have already played around extensively with date and time settings. This did not fix any issues.
  Any other suggestions? I had another call with Apple support and they are of the opinion that I may need to have the phone totally replaced, which is unacceptable unless it is free of charge.

• I cannot log into Skype on my iPhone.

  I have recently updated my IOS on my iPhone 6 and the most recent update for Skype, Since this I cannot log into Skype. I have the correct Skype ID and I know my password is corretc because I reset this today and then re-tried logging in.  Skype still doesn't recognise my details. It is getting bloody frustrating!  Anybody els e have this problem? Or can anyone help? Thanks in advance  Jonny

  I am having the same problem.  I not only cannot login to my skype account on new iphone 6, but app did not respond to a request to change password.   I  am not using 3rd party keyboard and I re-installed the app. Even though I could still login on my pc I changed my password, can login successfully on PC, but still cannot login on my iphone.... 

• ICloud had been hacked. Cannot log in to my iCloud

  My iCloud account had been hacked and now I cannot log in to my iCloud account. The people who hacked it has been change my password. What should I do now????

  Hello Yen Japan,
  It sounds like someone has unauthorized access to your Apple ID and has changed the password. I would recommend resetting your password with this article:
  Apple ID: Changing your password
  http://support.apple.com/kb/ht5624
  Go to My Apple ID (appleid.apple.com).
  Click “Manage your Apple ID” and sign in.
  If you have two-step verification turned on, you'll be asked to send a verification code to the trusted device associated with your Apple ID. If you're unable to receive messages at your trusted device, follow the guidelines for what to do if you can't sign in with two-step verification.
  Click "Password and Security".
  In the "Choose a new password" section, click Change Password.
  Enter your old password, then enter a new password and confirm the new password. Click Save when done.
  The next time you use an Apple feature or service that uses Apple ID, you'll be asked to sign in with your new Apple ID password.
  If you are able to reset your password, you may want to look into a security enhancement option we have called Two Step Verification. Here is some more information about that:
  Frequently asked questions about two-step verification for Apple ID
  http://support.apple.com/kb/ht5570
  If you are unable to reset your password, I would advise you to contact our iTunes Account Security team direcly for your region with this article:
  Apple ID: Contacting Apple for help with Apple ID account security
  http://support.apple.com/kb/HT5699
  Thank you for using Apple Support Communities.
  All the very best,
  Sterling

• Cannot log on to the internet with password and us...

  Since I have had my computer repaired due to virus, I cannot log-on to the internet using my username and password to get upgrades and apps etc.....Any ideas on how to rectify the problem.

  HI,
  I belive you mean here to acces Ovi Account.
  There has been some amount of thread for this issue in forum.
  This problem has to do with expired certificates that you have on your computer. We are working to get the problem fixed for the next release.
  To remove the problematic certificates, do the following:
  On your computer, open Control Panel and click Internet Options.
  In the Internet Properties window, select the Content tab, and click Certificates.
  In the Certificates window, select the Trusted Root Certification Authorities tab.
  To sort the certificates, click the Expiration Date column header.
  Select any GTE CyberTrust certificates that have their expiration date in the past. You should be left with one GTE CyberTrust certificate that is valid.
  Click Remove and, when asked for confirmation, click Yes.
  After the expired certificates have been removed, please restart Nokia Ovi Suite and try signing into your Nokia account again.
  I hope this helps.
  Br
  mahayv

• Cannot log on to https sites

  cannot log on to the internet with sites that start with https://
  since the last mountain lion upgrade

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login. 
  Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
  Shut down your computer, wait 30 seconds, and then hold down the shift key while pressing the power button.
  When you see the gray Apple logo, release the shift key.
  If you are prompted to log in, type your password, and then hold down the shift key again as you click  Log in.
  *Note: If FileVault is enabled under OS X 10.7 or later, or if a firmware password is set, or if the boot volume is a software RAID, you can’t boot in safe mode. Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.  The next normal boot may also be somewhat slow.
  The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin. Test while in safe mode. Same problem? After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

• Cannot log on to my sites

  i updated firefox now when i go to my sites i cannot log on to anything except face book i cleared cookies, cache, history. cookie and third party cookies are ticked. I uninstalled firefox 4 and now and running fire fox 3.6 with still the same problem. Help i'm trying to apply for a job on seek and cannot log in. no error comes up it just has done on the left hand corner.

  Try running Firefox in [[Safe Mode]]. If it functions properly in that configuration, then one of your add-ons is the culprit.