Cfldap inappropriate authentication

Hello everyone,
I am trying to authenticate a user against LDAP (Unix and AD)
and I have a strange problem.
I tried both the AD LDAP server of my company as well as the
Unix LDAP.
My account works just fine; my password is along the lines of
$Word3534.
When I was using only AD LDAP, a user had a password with a :
in it (:Word3534) and the page gave a nice error message; by
changing to Unix LDAP this is fixed. Now though, with my test user with a
password of Word:3534 we get "Inappropriate authentication". Now
I know the password works as I tested it on several systems.
Any ideas why this is happening?
Here is the code in my application.cfm:

This is just a WAG, but make sure that the user is not
required to change their password at the first login. This would
mean the account is locked out even though you created it
successfully and accessed it once.

Similar Messages

  • CFLDAP & Expired password

    Hi,
    We have recently implemented CFLDAP authentication on one of
    our websites & discovered a new issue of expired passwords.
    I have been trying to read attributes like maxPwdAge or
    accountExpires but am not able to read the values as I guess they are
    flags. What I found on the net is that ColdFusion is not capable of
    reading ADSI & needs to use a Java or VB object. Is that correct or
    is there any other method of checking the expired password &
    redirecting the page to the change password form?
    Thanks in advance
    Any help is greatly appreciated
    Thanks

    alter user <username> identified by <new_password>;
    to make password unexpired:
    in the profile of the user --> alter profile <profile_name> LIMIT password_life_time UNLIMITED;
    *not recommended

  • TLS Encryption CFLDAP

    We have to validate against a client's LDAP server using TLS
    encryption. Even though this is a standard protocol I can't find
    that ColdFusion 6.1 supports it with the cfldap tag. Does anyone
    know if CF 6.1 does and which attribute values would be used?

    Hi there,
    I've been researching this also for the past two days; does
    anyone have any information? I'm trying to secure my LDAP
    authentication from 5 different LDAP servers. I'm trying to find an
    easy way to secure this without using a bunch of third party
    certificates.
    tks

  • CFLDAP GSS-API

    Anybody had any luck connecting to an AD Server via CFLDAP when it only appears to allow authentication using GSS-API?

    I'm having almost the same problem.
    I'm authenticating users against MS Active Directory: the Kerberos stuff works fine, but when I try to execute the LDAP query I get the following exception:
    javax.naming.AuthenticationException: SASL authentication failed [Root exception is java.lang.IllegalAccessError: tried to access class sun.security.krb5.KrbKdcReq from class sun.security.krb5.internal.az]
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:411)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
    This error occurs only for a few users, while for others the code works perfectly.
    I've tried using both Sun's JDK (1.4.2_08) and BEA JRockit with the same result.
    Thanks in advance
    Alberto

  • Cflogin and cfldap issue with passwords

    Hi everyone,
    I am using CFlogin and cfldap to authenticate users and I am
    having a problem.
    My cfldap query runs against the server and uses the user's
    username and password;
    well, some users use special characters and certain special
    characters cause this error:
    An error has occured while trying to execute query :[LDAP:
    error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order
    to perform this operation a successful bind must be completed on
    the connection., data 0, vece].
    Any ideas?
    Thanks
    Luma

    =======================================================
    SOLUTION / FIX / WORK-AROUND to
    ColdFusion <CFLDAP> exception DSID-0C090627
    ColdFusion version: "MX7"
    Assumption_01: ColdFusion server running on Windows-based
    operating system,
    (for me particularly, I am currently on a
    Windows-XP-Professional machine)
    Assumption_02: You are running your ColdFusion server as a
    DEVELOPER. Meaning you have logged onto your machine; you are doing
    research / development / experimentation ColdFusion as well as
    dealing with emails, etc.
    This means: LDAP will be dealing with Microsoft's "Active
    Directory"
    <cfldap
    name="ldap_Qry"
    action="QUERY"
    attributes="cn,department,memberof"
    start="dc=uconn,dc=edu"
    server="LDAP.MACHINE.ON.YOUR_NETWORK"
    username="[email protected]_NETWORK"
    password="#var_OperUserPassword#"
    filter="(&(objectclass=user)(sAMAccountName=#UCASE(var_target_UserId)#))"
    >
    note: the filter is whatever you are interested in.
    In my scenario, we were trying to figure out whether we could
    do away with having to keep a USERS_TABLE in our database to do
    web application authentication and simply let Active_Directory do
    the authentication. Why have a separate userId/password pair for
    each and every web application on your intranet in addition to
    network security?
    So #var_target_UserId#, for me, was the input from a
    database table: [users.username]
    My educated guess on what the error means:
    * you have successfully reached the LDAP server
    * however, before you will be allowed to perform your query,
    you need to provide authentication.
    * basically, the LDAP server wants your username/password.
    So, if your MACHINE / NETWORK UserId is [johndoe],
    set #var_OperUser# to [johndoe]
    set #var_OperUserPassword# to MACHINE / NETWORK PASSWORD
    Speculation about PRODUCTION machines using LDAP query:
    Probably the PRODUCTION's machine UserId & Password would
    be used. This would allow the PRODUCTION machine to log onto the
    network, access databases and send out emails.

  • MS ADS Authentication

    Hello,
    How can I realize an ADS authentication in a great MS ADS
    system with a lot of Domain Controllers (DC)?
    The top domain is DC=corp.
    Below this domain there are the country domains
    de.corp, fr.corp, gb.corp, ... and these domains contain the
    container users where e.g. my account resides. [email protected] The
    domains below the corp domain trust the top domain corp.
    For a company-wide functional login dialog I have to
    realize a dialog which has a dropdown with all available domains
    (de.corp, fr.corp, ...) or a dialog which automatically finds out in
    which domain the current user resides. When I enter my user data into
    this mask, the CF script has to automatically find the correct IP
    or DNS name of the DC for my account. This will be a 2-step login:
    first the form data posts my login name adiedler and tries to find it
    recursively from the top (corp) down to user.de.corp. If found,
    CFLDAP has to return the result set with the full ADS string for my
    name. Then the 2nd step tries to authenticate with the full name and
    password to the ADS. Any suggestions from you?

    Hi,
    make sure to set your authentication provider's provider-specific "select group member search" to limited, whereas the default would be unlimited.
    Once you have made this change it will solve this issue.
    Regards,
    Kal

  • CF 8 and cfldap

    I am trying to catch the "authentication failed" error. Neither <cftry><cfcatch> nor <query.RecordCount> work. How can I catch a bind failure on a wrong password otherwise?
    The <cfldap>... code works perfectly fine as long as I use the correct password.
    Any hints appreciated.

    I have to admit I haven't done too much in terms of consuming .NET resources in CF, but we used to use a lot of COM objects. I noticed the documentation had the CreateObject type as ".NET" instead of ".dotnet" - thought maybe that might be causing a problem. You could also try a type of "COM".

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message "Authentication failed".
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct; in my case I was not adding the root properly. You must add the CA and the ADFS certificate as well, which is twice; you can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
    cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
    cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Authentication - multiple domains with multiple accounts

    Dear All,
    Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's
    machine is part of the DOMB domain.
    I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
    So far, I've thought of the following solutions:
    1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
    2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
    I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
    Any ideas?  Or, am I completely mad?!
    Thanks in advance.

    1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
    An ADFS trust might be another option, although that increases your deployment footprint and complexity.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Error while authenticating a user

    Dear all,
    Hope you all are doing well.
    Production issue :
    When a user tries to log in with his username and password, he is getting the error message "INTERNAL ERROR OCCURED".
    And the standard RFC which I'm using for authenticating the user is SUSR_LOGIN_CHECK_RFC:
    CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
      EXPORTING
        bname                     = ip_empid
        password                  = ip_password
      EXCEPTIONS
        wait                      = 1
        user_locked               = 2
        user_not_active           = 3
        password_expired          = 4
        wrong_password            = 5
        no_check_for_this_user    = 6
        password_attempts_limited = 7
        internal_error            = 8
        OTHERS                    = 9.
    I want to know what the meaning of this internal error is. Is something going wrong with the standard RFC which I am referring to? Someone please help me out.
    Thanks in advance.

    Hi Syed,
    Really need more of a context to your problem.
    1. You've posted in the SSO forum. An SSO problem or a normal SAPGUI logon problem?
    2. You say .... "And the standard RFC which I'm using for authenticating user is SUSR_LOGIN_CHECK_RFC" .... Meaning what??? You are using a home developed solution?
    3. Problem affects one user or all users ?
    4. Backend version and kernel pl level please.
    Cheers,
    Amerjit

  • Authenticating test application in OAM is not working

    Hello OAM experts, can you please help me figure out why my test application is not getting authenticated by OAM.
    I have installed IDM for Fusion Applications and SSO login is working for all admin consoles such as WLS, EM, OAM, OIM. I have deployed the test application to the OAM server itself to test the authentication of protected resources.
    The host identifier is already there, which was created while configuring my IDM for Fusion Applications. I created a new application domain, created a resource for /text/*, created an authentication policy and used LDAPScheme for authentication, created an authorization policy and defined constraints by adding a group OAMAdministrators (just for testing purposes). I also added a response in the authentication policy.
    Then I configured admin.conf of the OHS server to redirect http://webhost1:7777/test to the OAM server host and port. It is getting redirected, but not to the SSO login page. The URL still shows http://webhost1:7777/test and executes the test page and displays the test application. It should have been redirected to the SSO login page through OAM.
    At this stage I have no clue what I missed. As I said, when I log in to the WLS console, it gets redirected to SSO login through the OAM login page, and then while accessing OIM, it directly takes me to the OIM application since the user has privileges, and also to the OAM page without logging in again.
    But why is my test application not redirected to the OAM authentication page?
    Any help is greatly appreciated.
    thanks
    Edited by: Jyothi on May 3, 2012 3:25 AM

    Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with an 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for credentials. As the documentation says, I have CLIENT-CERT defined as the auth-method in my login-config inside my application's web.xml file.
    I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails, Authentication should kick in and redirect to the challenge login page). So I have an OAMIdentityAsserter and an OAMAuthenticator set up in addition to the Default WebLogic Identity Asserter and Default WebLogic Authenticator.
    I have tried everything but the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml, then the Default WebLogic Authenticator pops up a dialog box which does let me enter credentials, and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialog box to pop up. I want the OAM server to redirect me to its built-in login page just like it does for the OAMConsole itself, which is being protected by the out of the box 10g IAMSuiteAgent Webgate. Which, as you know, comes pre-installed.
    Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.
    Thank You.

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of the webauth parameter map is:
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in to web authentication over HTTP instead of HTTPS.
    If I log in over HTTP, I will not receive certificate alerts that prevent the users' connections.
    I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can log in to web authentication on HTTP instead of HTTPS. If you log in on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable it. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller!
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • Intermittent AD Authentication failures in ISE 1.2

    Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran an authentication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSNs. Is this normal? Any ideas?
    Thanks
    Jef

    Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSNs for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PCs connecting. We are a school so we are slowly getting started. It's really random. One user will work, then another time they won't. It happens with admin and user. I have noticed that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
    When you say multicast to your AD... how did you check that? We do use multicast.

  • Authentication Combination in ISE 1.2

    Is it possible to have dual authentication using workstation auth certs and Windows domain credentials for authentication in ISE 1.2?

    Hi Kevin,
    This would be a client side configuration.
    What type of authentication is this?
    VPN? wired or wireless dot1x?
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • ISE 1.2 Authentication fails for 2nd AD domain with the forest trust relation

    We are running Cisco ISE 1.2. We have a new AD domain with a forest trust relation between the new and the old one. Authentication with the new domain fails.
    Are there any requirements or configuration changes that need to be done to make it succeed?

    Use the license that is currently on your ISE. If your account has access to download the software, then you are good. The license will not change during the upgrade. If you are using ISE 1.2 Patch 8 or above, then you are using the same Base/Plus/Apex licensing model.
    If you are not yet on Patch 8, then you are using Base/Advanced and these will be converted during the upgrade.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton
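Several of the threads above ("CFLDAP & Expired password", "Cflogin and cfldap issue with passwords" and "CF 8 and cfldap") come down to the same question: given only the error string the LDAP client hands back, how does the application tell a wrong password from an expired password, a locked account, or a query that was attempted before any bind succeeded? The Python parser below is an added example, not code from any of the posts: the AD "data" sub-codes it maps are the documented AcceptSecurityContext values, the sample error strings are constructed in the format the posts show, and all function names are mine.

```python
import re

# Active Directory "data" sub-codes that accompany LDAP result 49
# (hex in the message text); documented AcceptSecurityContext values.
AD_DATA_CODES = {
    0x525: "user_not_found",
    0x52E: "invalid_credentials",
    0x532: "password_expired",
    0x533: "account_disabled",
    0x701: "account_expired",
    0x773: "must_change_password",
    0x775: "account_locked",
}

_CODE_RE = re.compile(r"LDAP:\s*error code\s*(?P<code>\d+)")
_AD_RE = re.compile(
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*comment:\s*(?P<comment>.*?),"
    r"\s*data\s*(?P<data>[0-9A-Fa-f]+),\s*v[0-9A-Fa-f]+"
)


def parse_ldap_error(message):
    """Extract the LDAP result code and, when present, the AD-specific DSID,
    comment and hex data sub-code. Returns None if the text is not an LDAP error."""
    code_match = _CODE_RE.search(message)
    if not code_match:
        return None
    info = {"code": int(code_match.group("code")), "dsid": None,
            "comment": None, "data": None}
    ad_match = _AD_RE.search(message)
    if ad_match:
        info["dsid"] = ad_match.group("dsid")
        info["comment"] = ad_match.group("comment").strip()
        info["data"] = int(ad_match.group("data"), 16)
    return info


def classify_bind_failure(message):
    """Map the error string of a failed bind (or of a query made on a
    connection that never bound) to an application-level outcome name."""
    info = parse_ldap_error(message)
    if info is None:
        return "not_ldap_error"
    code, comment = info["code"], info["comment"] or ""
    if code == 49:
        # Non-AD servers (and AD without a data code) only say "invalid credentials".
        return AD_DATA_CODES.get(info["data"], "invalid_credentials")
    if code == 48:
        return "inappropriate_authentication"
    if code == 1 and "successful bind must be completed" in comment:
        return "bind_required"  # the query ran before any bind succeeded
    return "ldap_error_%d" % code


# Outcomes that should send the user to a change-password page, not a failure.
PASSWORD_CHANGE_OUTCOMES = {"password_expired", "must_change_password"}


def user_facing_message(outcome):
    """Text safe to show the user. The detailed outcome belongs in the server log
    only, so the response does not reveal whether an account exists or is locked."""
    if outcome in PASSWORD_CHANGE_OUTCOMES:
        return "Your password has expired. Please change it to continue."
    return "Authentication failed."


def credentials_are_bindable(username, password):
    """Refuse to attempt a bind with an empty name or password: an empty password
    makes many LDAP clients perform an anonymous bind, which a server may accept
    without checking any credential at all."""
    return bool(username) and bool(password)


# Constructed sample messages in the format ColdFusion/JNDI report for AD binds.
SAMPLE_ERRORS = {
    "wrong_password": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                      "comment: AcceptSecurityContext error, data 52e, v1db1]",
    "expired": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
               "comment: AcceptSecurityContext error, data 532, v1db1]",
    "unbound_query": "[LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: "
                     "In order to perform this operation a successful bind must be "
                     "completed on the connection., data 0, vece]",
    "inappropriate": "[LDAP: error code 48 - Inappropriate authentication]",
}

if __name__ == "__main__":
    for name, text in SAMPLE_ERRORS.items():
        outcome = classify_bind_failure(text)
        print("%-15s -> %-28s | %s" % (name, outcome, user_facing_message(outcome)))
```

In a cfldap-based login the same split applies: catch the bind exception, classify its message, log the detailed outcome, and show the user only the generic text or the change-password redirect.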
