CertPrincipalName forced to wrong setting on server with wildcard SSL cert
Dears
After testing Exchange 2013 for a couple of weeks with a limited amount of IT personnel, we have migrated the first batch of users from 2010 to 2013.
That was the biggest mistake we've done this.. week..
The error is identified as an autodiscover/ssl problem. No matter what I specify in CertPrincipalName on CAS, Outlook resets itself to msstd:server.domain.com
I have tried with "none" and "msstd:*.domain.com" but it always resets to msstd:server.domain.com
Outlook Autoconfigure test returns the correct value. Any ideas?
All our clients are not domain members, so setting this with GPO is not an option.
I have compared how autodiscover works for clients on 2013 and on 2010. It is definitely server related. Clients still on a 2010 mb server get's the correct value msstd:*.domain.com.
The only difference I see in the autodiscover xml is that on 2013 there is two extra blocks of data for protocol "EXHTTP". One of these blocks does not contain the CertPrincipalName value.
<Protocol>
<Type>EXHTTP</Type>
<Server>mailbox.domain.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://ex02.domain.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://ex02.domain.com/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://ex02.domain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.com</EcpUrl-extinstall>
<OOFUrl>https://ex02.domain.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://ex02.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://mailbox.domain.com/OAB/3abb5758-f1c7-4246-9f9f-bbf390f5febb/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
Similar Messages
-
How to set VPN server with static IP without DHCP on
I set up a new Mac mini server with OS X 10.9.1 and Server App 3.0.1
My ISP gave me a static bublic IP address.
I have on:
- web server
- mail server
- DNS server
without using DHCP, but now i want to set up L2TP/IPSec VPN server and it requires that i give start IP address of the VPN server.
Can i use VPN server w/out DHCP server on?
If yes, how?
If not, when i turn on the DHCP server, what i have to do with web, mail servers?To run a public VPN server, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic. -
URL problems with SQL Server Reporting Services 2012 with wildcard SSL certificate
Hi,
I have single server, domain member, with SQL Server 2012 SP1 Reporting Services.
I am trying to get work with url: https://reports.mydomain.com
I have valid wildcard certificate (*.mydomain.com) implemented and configured URLs in Configuration Manager.
https://reports.mydomain.com/ReportServer - works fine
https://reports.3pro.hr/Reports/ - I got error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
In rsreportserver.config I have:
<Add Key="SecureConnectionLevel" Value="2"/>
When looking my ReportServerService_date.log file I have something like:
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
Also, error shown in log file:
appdomainmanager!ReportManager_0-2!4c50!03/10/2013-20:24:53:: e ERROR: Remote certificate error RemoteCertificateNameMismatch encountered for url https://localhost/ReportServer/ReportService2010.asmx.
ui!ReportManager_0-2!4c50!03/10/2013-20:24:54:: e ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
Btw, is there a way to delete/disable access using https://localhost and/or servername (not FQDN) since SSL will not work in this way for me, and I want access only by full url - https://reports.mydomain.com , not localhost ..
-- Hrvoje KusuljaI spent one of my 4 free support incidents with Microsoft (part of MSDN subscription) this year to get this investigated. The tech support person helped me through several issues but had to leave to attend some training, and I got past the last hurdle
before she called me back. Here are the steps that resolved this issue for me. I know for sure that step 5 was necessary. Step 1 may not apply to you, and steps 2-4 may or may not have been necessary (they didn't immediately fix the issue,
but I didn't roll them back either so they may have been necessary.)
Step 1:
Ensure you are editing the correct rsreportserver.config file. I had been making changes to a file that was installed in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\WebServices\Reporting, but that was a rsreportserver.config
file for some sharepoint integration that I'm not using. The correct path on my system was E:\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config, but yours may vary. If you can't figure it out, look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft
SQL Server\MSRS11.MSSQLSERVER\Setup in the key named SQLPath, and then go to the ReportServer subdirectory of that path.
Step 2:
In rsreportserver.config, ensure that SecureConnectionLevel is set to the value 3. Was set to 0 in my configuration. Corrected line in your rsreportserver.confiog file should look like:
<Add Key="SecureConnectionLevel" Value="3"/>
Step 3:
In rsreportserver.config, add the correct value to the <URLRoot> element (which already exists in the file.) In my configuration, this value was blank. The value should be the fully qualified path to your report server, with a hostname that
is valid for your certificate. For example, if my cert matches *.mydomain.local:
<UrlRoot>
https://myserver.mydomain.local/ReportServer
</UrlRoot>
Step 4:
Ensure that your certificate exists in Trusted Root Certification Authorities in certmgr for the local machine. I had the certificate installed as a Personal certificate for the local machine, which I still think was correct (the certificate wasn't actually
the problem and worked correctly for Report Server, and the failure was caused by SSRS incorrectly making a https request to a localhost URL), but she had me remove the certificate from Personal and add it to Trusted Root Certificate Authorities. That
broke things and the cert was no longer listed as a cert I could bind to, so we then copied it so it existed in both Personal and Trusted Root Certificate Authorities. This is how I left it, not sure if that was necessary.
Step 5:
This was the fix that finally got things to work. In rsreportserver.config, add the same value to the <ReportServerUrl> element (which also already exists in the file) that you added in step 3. In my configuration, this value was also blank.
The corrected value should be the same as in step 3, for example:
<ReportServerUrl>
https://myserver.mydomain.local/ReportServer
</ReportServerUrl>
Then restart your report server (stop & then start in Report Server Configuration Manager), and the problem should go away. At least it did for me.
Good luck! -
Getting sec_error_inadequate_cert_type with Private SSL Cert
Howdy,
I run a Private Certificate Authority for my personal use and just to learn about SSL Certs. However, with the current build of FireFox I'm on ( 31 ) I can no longer visit sites I've secured with SSL Certs signed by this certificate authority, even though these SSL certs work just perfectly fine in Chrome and Internet Explorer. I keep getting a "sec_error_inadequate_cert_type" error. I can only assume that the certs I've been issuing are incorrect in some way, but the error is so vague and the error page doesn't specify more.
I only discovered this when I realized some of my SSL certs had expired, and I went to re-issue them.
One of the certs that hasn't expired yet but is experiencing problems can be found here:
* https://forums.silicateillusion.org
One of the Certs I've tried re-issuing, matching fields included as closely as I can to a Google SSL cert that I looked up is here:
* https://phpmyadmin.endofevolution.com
These certificates were generated using the application called SimpleAuthority, found here: http://simpleauthority.com/
A Site like Networking4All.com seems to believe the Certs are valid, excepting the CA that is Self Signed: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=phpmyadmin.endofevolution.com&protocol=https
Interestingly enough, using a different site like SSLShopper shows an error similar to FF31: http://www.sslshopper.com/ssl-checker.html#hostname=https://phpmyadmin.endofevolution.com
The certs are running on an Apache Web server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.10
The CA Cert is in FireFox's store as trusted.
If needed, I can provide certs.''SniperFodder [[#answer-626818|said]]''
<blockquote>
I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
"Certificate type not approved for application."
</blockquote> -
Move wildcard SSL cert from 10.7 to 10.6 server
I purchased and configured a wildcard cert (*.example.com) on my 10.7 server. I now want to import this cert onto my 10.6 servers (all using the same domain) and I can't seem to get it to work.
I exported both the cert and the private key file from the 10.7 server, however when trying to import the private key into the system keychain on the 10.6 server, I get this error: An error has occurred. Unable to import an item. The contents of this item cannot be retrieved.
Any ideas?Check permissions on the crt and key you are trying to import, maybe change to 777
How specifically did you export the cert/key from 10.7 ?
I always copy them from /etc/certificates, change permissions, then I like to remove the passphrase (more on that if needed).. then I end up with a cert/key with read permissions and no pass... makes import simple to any service (OS X or other) -
Use of Wildcard SSL cert with DRM
DRM needs a URL to be embedded in the protected PDF document(e.g., mysite.mycompany.com). The SSL certificate for the URL must be from a trusted provider (e.g., Verisign). My question is will Adobe Reader accept for DRM a wild card SSL certificate (e.g., *.mycompany.com) from a trusted provider?
Hi,
The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Does anyone know if the NAC appliance supports EV SSL certs; especially version v4.7.x.
Any insight into older versions (4.1.3 and higher) for compatibility would be appreciated. Thanks!
benHello! The higher key length is a problem on an older version (4.1.3), not 4.7.x; etc where you can specify it. 4.1.3 you cannot specify it and it's not strong enough.
Ben -
I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root: myname
admin: myname
sysadmin: myname
certadmin: myname
webmaster: myname
my_alternate: myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080 # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost # Default is localhost
REMOTEPORT_DEFAULT=3128 # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
-p) shift; # -p option
SSHPORT=$1;
shift;;
*) TUNNEL_DETAILS=$1; # 1st argument option
shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])} # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*} # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%@} # delete @
if [ "$CAR" != "" ] # leading or trailing port specified
then
USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ] # no hostname given
then
HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
&& echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
|| echo "SSH tunnel FAIL." -
ppl i fed up with my mac air while using my exchange email account, it takes ages to refresh and it doesn't send or receive instantly , no clue although that the same setting and server names has been set up on my iPhone and it is working totally fine
Install ClamXav and run a scan with that. It should pick up any trojans.
17" 2.2GHz i7 Quad-Core MacBook Pro 8G RAM 750G HD + OCZ Vertex 3 SSD Boot HD
Got problems with your Apple iDevice-like iPhone, iPad or iPod touch? Try Troubleshooting 101 -
How to set up SAPconnect with email server
Hi,
Does any one know <b>how to set up SAPconnect with email server</b>
We are using workflow and when it fails it we are sending the notification mail to the user on his company mail id, i.e. [email protected]
This is working in the current production system. We are doing the new development which will replace the current production system. The existing Basis team does not know how it was setup in production system and how to set it up in the new system.
When we send any mail notification from workflow we can see the mail in SCOT transaction but it is not received at the specified mail address.
Can any one provide the configuration steps or any document for this.
Thanks in advance..
PratikHi Pratik,
Check the following link:-
/people/thomas.jung3/blog/2004/09/08/sending-e-mail-from-abap--version-610-and-higher--bcs-interface
http://help.sap.com/saphelp_nw04/helpdata/en/2b/d925bf4b8a11d1894c0000e8323c4f/frameset.htm
these link will help u to config SMTP.
And one more thing u have to do..
Go to SE11 n open Table sxnodes in change mode.
And change F_ESMTP field to false i.e. BLANK for the Field NODE = SMTP.
Hope this will work For U.
Regards
Sachin Dhingra -
y Time Capsule is working fine with ethernet connection, but it is no longer working with wifi, probably because of my wrong setting; is there a way to reset wifi setting without losing backuped data? Thanks you all
Giancarlo Messalli wrote:
1) are you sure a reset holding the reset button will not delete my data?
Absolutely sure.. There is no connection at all.. reset is only the router side of the TC.
For the hard disk to be erased you need to access the airport utility disk page.. request erase and confirm the operation.
2) I can access to time capsule by ethernet but I am not able to input the corret setting by myself
Thank you again
I am uncertain why if you have access you cannot change settings.. but that is why you reset things so any of those problems should be fixed.
Here is the Apple info on reset.
http://support.apple.com/kb/ht3728
And here is the quote from the horse's mouth so to speak.
Factory default reset: Perform this reset if you wish to repurpose the AirPort Base Station or Time Capsule and want to remove all personal profiles and settings first. This reset resets the device to its state when you first purchased it. Data stored on internal or external hard drives connected to the device will not be erased. If you choose, you may manually erase the hard drive using AirPort Utility. -
How to set SQL Server Login MUST_CHANGE, CHECK_POLICY, CHECK_EXPIRATION all to OFF with T-SQL. SSMS will not allow me to change policies to OFF. Error: 15128 - The CHECK_POLICY and CHECK_EXPIRATION options cannot be turned OFF when MUST_CHANGE is
on. I am attempting to change these options in a test environment. Thanks, RichardIt appears you have to change the password first(it could the same password but an alter command needs to be done)
check this : http://www.sqldbadiaries.com/2010/11/07/the-check_policy-and-check_expiration-options-cannot-be-turned-off-when-must_change-is-on/
http://sqldbpool.com/2012/10/08/the-check_policy-and-check_expiration-options-cannot-be-turned-off-when-must_change-is-on-microsoft-sql-server-error-15128/
Hope it Helps!! -
Need help setting up web server with WRT54GS
Hello,
I am trying to set up a web server with my linksys router. For the network settings, I have used 192.168.001.150 as my primary IP (192.168.1.150, all 3 numerical characters have to be filled in), 255.255.255.000 as my primary netmask and 192.168.001.001 (192.168.1.1) as my gateway. I have gone into my router and then enabled port fowarding for port 80 to 192.168.1.150 but I still cannot access my web server. What could be the problem?
Any help would be greatly appreciated. I'm trying to set up this server so I can test scripts and things.bump
-
My school has a website. The professor uploads files in Word. When I click on the link at home using Pages, the download window opens with nothing in it and Safari opens with a blank in the address book. What Could be wrong? Wrong set up?
Hi Jo,
If I'm interpreting this correctly, the Word file downloads correctly, but when you open it in Pages, the link(s) which your instructor has embedded in the Word file are not correctly translated into Pages.
If the link shows the actual address, you should be able to copy that and paste it into the location bar in Safari, press return, and get to the website that way.
An alternate route might be to download one of the open source Office applications, OpenOffice.org, LibreOffice, or NeoOffice. These are written to more closely emulate the behaviours of MS Word than Pages, and may provide better support for links embedded in Word files.
Regards,
Barry -
HOWTO: Setting up Server-Side Authentication with SSL
This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
1. Log on to the database server with an administrative login.
Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
2. Create an Oracle wallet and set up the required certificates
(i) Open the Oracle Wallet Manager:
Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
(ii) Create a new wallet (Wallet -> New).
(iii) When prompted, elect to generate a certificate request.
(iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
(v) Export the certificate request to file (Operations -> Export Certificate Request).
(vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
(vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
3. Configure the listener for SSL.
(i) Open the Oracle Net8 Assistant:
Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
(ii) Select Net8 Configuration -> Local -> Profile.
(iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
(iv) Select the Server radio button.
(v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
(vi) Uncheck the Require Client Authentication checkbox.
(vii) Select Net8 Configuration -> Listeners -> [listener name].
(viii) Add a new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2484
(ix) Add a second new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2482
Check the Dedicate this endpoint to IIOP connections checkbox.
(x) Save the Net8 configuration (File p Save Network Configuration).
(xi) Restart the listener service.
4. Configure the database to accept SSL connections.
(i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
(ii) At the bottom of the file, uncomment the line that reads
mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
(iii) Save the file and restart the database service.
5. Test the SSL confi guration using the Net8 Assistant.
(i) Open the Oracle Net8 Assistant.
(ii) Select Net8 Configuration -> Local -> Service Naming.
(iii) Add a new net service (Edit p Create).
Net service name: [SID].auth (e.g. iasdb.auth)
Protocol: TCP/IP with SSL
Host: [database server] (e.g. oraserver)
Port: 2484
Service Name/SID: [SID] (e.g. iasdb.orion.internal)
Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
(iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
nullDear Alex,
Thank you for reaching the Small Business Support Community.
I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side. If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found.
Maybe you are looking for
-
Get Updated values in valueChangeListener of af:selectManyShuttle
I am using Jdeveloper 11.1.1.3.0 I have applied the valueChangeListener in selectManyShuttle to get the values in backing bean. But the problem is, it's not giving me the updated values. For example, for the 1st time, the left side list is empty. So,
-
I purchased a macbook pro but couldnt download apps. Facts: 1. I already have an apple ID with my Ipad, which has my old (prepaid) credit card number and security code as payment information 2. I lost my credit card including all info: card number, e
-
Analysis Services Processing Task - Error processing
Hi all, I have a SSIS package containing an Analysis Services Processing Task. In case it fails, I want to insert the error messages in a table. I have create an SSIS package that fails because of dimension values that are not in the fact table. The
-
Can you create a datamerge to the pasteboard?
Using InDesign CS5 is there anyway you can create a datamerge to the pasteboard? I want to place the docket number in the bleed section for newspaper ad series. When I try to create a merged document, I am notified that there are no placeholders pres
-
Is there a way i can delete triples of a photo with out doing it all day
hello my son transfered all my pics to external HD I transfered them back to my mac into Iphoto & when I looked omg all my pics have doubles or triples is there some way I can delete the doubles & triples with out being here all day doing it by hand