CL_HTTP_CLIENT, authentication, alternatives

We are using CL_HTTP_CLIENT to access a service on the web (another part of the same project). In other words, the SAP-system acts as a client.
We intended to use "basic authentication" (as in Internet RFC 2617), but that may be a problem for the "other side".
Which other authentication mechanisms are available (for use in this context - SAP-system as a client, using CL_HTTP_CLIENT)?
I am looking for something simple.
"WWW-authenticate Negotiate" would imply, if I am not mistaken, Kerberos.
The "other side" is using Typo3/Mittwald technology (German).
If I understand correctly, Typo3 is a PHP-based CMS, running on the Mittwald HTTPD. In our case, it is hosted at the Typo3/Mittwald corporation.
I get the impression that this system uses its own authentication. I suppose it works fine when accessed by human users and their browsers, but in this context it's being accessed by an SAP-system (ABAP stack) - something different.
Edited by: Peter Van Avermaet on Feb 28, 2008 1:48 PM

Hi,
>Which other authentication mechanisms are available (for use in this context - SAP-system >as a client, using CL_HTTP_CLIENT)?
>I am looking for something simple.
It's possible to use an X.509 client certificate for authentication from the SAP ABAP system.
Maybe simple enough for you?
Regards,
Olivier
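One way the client-certificate approach Olivier suggests looks from the ABAP side, as an added example that is not code from the original thread: the certificate is taken from the SSL client PSE maintained in STRUST, the logon popup is disabled so an integration call can never stall on a dialog, and the ICM-level error is read out when the TLS handshake or the request fails. The URL is a placeholder and the PSE name 'DFAULT' (the standard "SSL client (Standard)" PSE) is an assumption; use whatever PSE holds a certificate the remote service trusts.

```abap
REPORT z_https_client_cert_example.

" Added example, not from the original thread: call an HTTPS service from the
" ABAP stack with CL_HTTP_CLIENT and authenticate with the X.509 client
" certificate held in an SSL client PSE (maintained in transaction STRUST).
" Assumptions: the URL is a placeholder, and the PSE 'DFAULT' contains a
" certificate the remote service trusts.
DATA: lo_client TYPE REF TO if_http_client,
      lv_url    TYPE string VALUE 'https://service.example.com/api/ping',
      lv_code   TYPE i,
      lv_reason TYPE string.

" ssl_id selects the SSL client PSE used for the TLS handshake and, with it,
" the client certificate presented to the server. 'ANONYM' would send none.
cl_http_client=>create_by_url(
  EXPORTING
    url                = lv_url
    ssl_id             = 'DFAULT'
  IMPORTING
    client             = lo_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4 ).
IF sy-subrc <> 0.
  WRITE: / 'Could not create HTTP client, sy-subrc =', sy-subrc.
  RETURN.
ENDIF.

" An unattended integration call must never fall back to a logon dialog.
lo_client->propertytype_logon_popup = if_http_client=>co_disabled.
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).
IF sy-subrc = 0.
  lo_client->receive(
    EXCEPTIONS
      http_communication_failure = 1
      http_invalid_state         = 2
      http_processing_failed     = 3
      OTHERS                     = 4 ).
ENDIF.
IF sy-subrc <> 0.
  " get_last_error exposes the ICM-level reason, e.g. a failed TLS handshake
  " because the server rejected the certificate or does not trust its issuer.
  lo_client->get_last_error( IMPORTING code = lv_code message = lv_reason ).
  WRITE: / 'HTTP call failed:', lv_code, lv_reason.
  lo_client->close( EXCEPTIONS http_invalid_state = 1 OTHERS = 2 ).
  RETURN.
ENDIF.

" A 401/403 here means the service did not accept the presented certificate;
" no password leaves the SAP system in this flow.
lo_client->response->get_status( IMPORTING code = lv_code reason = lv_reason ).
WRITE: / 'HTTP status:', lv_code, lv_reason.
lo_client->close( EXCEPTIONS http_invalid_state = 1 OTHERS = 2 ).
```

The server side must be configured to request and verify client certificates for this to be more than an anonymous TLS connection; the ICM trace (SMICM) shows which PSE and certificate were actually used when the handshake is rejected.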

Similar Messages

  • Authentication type for cl_http_client=>create_by_url

    Hi All,
    I am trying to understand how to set authentication type
    for "cl_http_client=>create_by_url".
    It is currently defaulting to client certificate.
    ICM log: "auth_type=3 (USE_CLIENT_CERT)) "
    I need to set to no authentication as server requires password/user as url parms.
    If I use an RFC dest I can set to "No logon" but then I cannot append user/pass to the url.
    Any help appreciated
    Thanks in advance
    Allan

    You can just use the following code sample.
    concatenate
      'http://<siteaddress>/<loginpage>?<useridparameternameincalledsystem>='
      'useridtobepassedtocalledsystem' '&<passwordfilenameincalledsystem>=<password>'
      into wf_string.
    call method cl_http_client=>create_by_url
        exporting
          url                = wf_string
        importing
          client             = http_client
        exceptions
          argument_not_found = 1
          plugin_not_active  = 2
          internal_error     = 3
          others             = 4.
    Where did you find that it's using SSL?
    In case the called URL requires an SSL certificate, then you can download the certificate from that system, load it in the ABAP system and use the sslid to pass it to the create_by_url method.
    Regards
    Raja

  • Authentication error when using CL_HTTP_CLIENT

    Hi all,
    I'm using an instruction from the blog of Thomas Jung to get an image from the content server into the cache of the ICM framework. See this [blog Thomas Jung|http://www.sdn.sap.com/irj/scn/weblogs;jsessionid=(J2EE3417200)ID0623211050DB12910368107152505592End?blog=/pub/wlg/1012].
    See also this thread: [Approach content repository other way then URL approach|https://forums.sdn.sap.com/Approach content repository other way then URL approach]
    At the point where I want to receive the response I currently get a popup where I'm asked to logon. Probably logon to the content server. I get this logon when the authentication on the content server is switched on. Everything works fine when this authentication is switched off.
    I want to know how I can set this authentication in my instance of CL_HTTP_CLIENT in order to make receiving the image work fine.
    Has anybody ever faced the same issue?
    Regards,
    Joost

    You have two choices.
    1.  You can feed the authentication into the CL_HTTP_CLIENT instance using the authenticate method:
    call method cl_http_client=>create
        exporting
          host               = me->ls_login_info-url
          service            = me->c_http_service_port
          scheme             = cl_http_client=>schemetype_http
        importing
          client             = me->http_client
        exceptions
          argument_not_found = 1
          plugin_not_active  = 2
          internal_error     = 3
          others             = 4.
        me->http_client->propertytype_logon_popup = me->http_client->co_disabled.
        data l_username type string.
        data l_password type string.
        l_username = 'MyUser'.
        l_password = 'MyPassword'.
        call method me->http_client->authenticate
          exporting
            username             = l_username
            password             = l_password.
    2.  Second option is to use HTTP destinations from SM59.  This is a bit more manageable since the password is maintained in the SM59 configuration and encrypted for you.
    cl_http_client=>create_by_destination(
        exporting
          destination              = c_destination    " Logical destination (specified in function call)
        importing
          client                   = r_api->http_client  " HTTP Client Abstraction
        exceptions
          argument_not_found       = 1
          destination_not_found    = 2
          destination_no_authority = 3
          plugin_not_active        = 4
          internal_error           = 5
          others                   = 6 ).

  • Alternatives to MS workstation authentication certificates for 802.1x?

    I found out recently the hard way that the Certificate Authority bundled with Windows Server 2008 won't load the 'workstation authentication' certificate template.  (You need 2008 Enterprise/Datacentre or 2008 R2, or any edition of 2008 R2).
    Does anyone know of alternative ways of authenticating a device using 802.1x?
    thanks,
    David.

    Hi Kirbus,
    we opened a TAC and we were advised for now to do the following changes:
    1. Please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration.
    2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.
    3. On the WLC general configuration, can you please disable aggressive load balancing.
    4. On the security tab on the WLC, please go to Wireless Protection Policies > disable client exclusion policies.
    5. On the AP network configuration please disable short preamble; the original standard was long preambles.
    6. Wireless -> disable auto-RRM channel & power assignment & try "on demand".
    7. Apply these modifications on the WLC CLI:
    Config advanced eap identity-request-timeout 20
    Config advanced eap identity-request-retries 10
    Config advanced eap request-timeout 20
    Config advanced eap request-retries 10
    Save config, and see if you still face the problem.
    We are still monitoring the solution, but until now we didn't face the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft's recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy. 
    http://technet.microsoft.com/en-us/library/gg398069.aspx
    Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server. 
    http://httpd.apache.org/download.cgi
    We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
    Use the Certificates MMC on your front end server to export the certificate and include the private key.
    Transfer the resultant .pfx file to your reverse proxy server.
    Use OpenSSL to convert your .pfx file to PEM:
    openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
    Separate the private key from the certificate using notepad: 
    Open the new .pem file and cut the text from the beginning of the file through the end of the "-----END RSA PRIVATE KEY-----" tag.
    Save that text to a new file named yourcert.key.
    Save yourcert.pem, which should now only include the certificate.
    Copy (or move) the certificate and private key to the Apache configuration directory. We like to use C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
    (See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
    Uncomment the following lines, which will enable proxy and SSL:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    Add the following lines to configure reverse proxy behavior:
    #Be a reverse proxy, not a forward proxy
    ProxyRequests Off
    #Accept requests from any client to any URL
    <Proxy *>
    Order Deny,Allow
    Allow from all
    </Proxy>
    #Set the network buffer to improve throughput
    ProxyReceiveBufferSize 4096
    #Configure the Reverse Proxy to forward all requests to your front end server on 4443
    ProxyPass / https://yourfrontend.domain.com:4443/
    ProxyPassReverse / https://yourfrontend.domain.com:4443/
    #Preserve Host Headers for Lync
    ProxyPreserveHost On
    Optionally, configure logging directives, bindings and server name.
    Save and close httpd.conf
    Edit httpd-ssl.conf (typically in conf\extra):
    Configure the session cache:
    Uncomment:
    SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
    Comment out:
    SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    Locate the <VirtualHost _default_:443> tag and configure the following:
    Add the following directive:
    SSLProxyEngine On
    Configure the path to your SSL Certificate saved in step 3-5 above:
    SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
    Configure the path to your private key saved in step 3-5 above:
    SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
    Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
    Optionally, configure logging directives.
    Save and close httpd-ssl.conf
    Restart the Apache2.2 service
    Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    From an external connection, test connectivity through the reverse proxy:
    Test https://dialin.company.com (friendly URL for getting dial-in information, if you're using voice conferencing)
    Test the Lync Web App by setting up an online meeting and following the URL to join the meeting. 
    You can force the use of the web app by appending ?sl= to the end of the meet.company.com link. 
    See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your blog saved me a LOT of headache.  I owe you big time.
    AWESOME JOB. 
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for http://10.x.x.x/meet/ or something in the event logs.
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL:
    https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:

  • Help needed for using BASIC authentication through JDBCRealm

    Help needed.
    Hello,
    I am doing a degree project, so far it works fine in my local machine, I need to try it on my virtual hosting (as it is a live server).
    My project requires JDBCRealm, that is BASIC authentication loading access data from mysql database. Normally this setup can be done in Server.xml file, because my Tomcat hosting is a virtual one, I only have permission to access the web.xml file.
    My question is: is it possible to get it done in an alternative way? In web.xml? Some properties file maybe?
    Thank you very much.

    You can set this up for your context using META-INF/context.xml instead of working with server.xml.
    Make a directory called META-INF under your webapp ( it'll be at the same level as WEB-INF ). Under this, add a context.xml with all your context specific configuration including the realm. A sample is below
    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/myApp" reloadable="true">
        <Realm
            className="org.apache.catalina.realm.JDBCRealm"            
            driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"         
            connectionURL="jdbc:microsoft:sqlserver://127.0.0.1:1433;DatabaseName=myDB;SelectMethod=Cursor;"
            connectionName="username" connectionPassword="password"
            digest="MD5" userTable="users" userNameCol="userid" userCredCol="userpassword"
            userRoleTable="user_roles" roleNameCol="rolename"
        />
    </Context>
    Hope this helps.

  • How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

    hi all,
    i know that there is a FAQ ( [see here|http://lopica.sourceforge.net/faq.html#obfuscate] ) answering a related question with "You can use an obfuscator...". ok, but is there really no other solution?
    this is the simplified folder structure of my application on the server:
    [application]
      [etc]
        xyz.xml
      [jars]
        myapp.jar
      launch.jnlp
    website.jsp
    initial start and basic authentication:
    my first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, i'm aware of the security concerns). this means everybody can access my website (here: website.jsp) which contains a start button that links to "launch.jnlp". as soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jsp is in a protected area. after entering the correct credentials the jnlp-file is downloaded and java web start takes over control. first of all it seems as it tries to access the same jnlp-file again (??? --> probably in order to check for changes in the jnlp file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). because both resources are protected jws opens its own basic authentication dialog where i have to enter the same credentials the second time. as far as i know, there is no solution to pass the credentials between the browser and the jvm.
    second start and basic authentication:
    if the user starts my application for the 2nd, 3rd, ... time via desktop-link (set in jnlp-file) there is no need for accessing my website with a browser. therefore only the authentication dialog of jws gets displayed. so far, so good!
    and now the actual problem:
    during runtime my application (signed with verisign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of jws. now i could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. however, doing so opens up jws' authentication dialog again. grrr!!! is there a way to prevent this?
    related thoughts:
    i know i could disable jws' default Authenticator and set my own Authenticator which might be able to return already entered credentials without opening the dialog a second time. however, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> jws still opens its own dialog when accessing the JNLP file and the relevant JARs during the startup/download phase. of course, who else if not jws could handle that phase? my application might not even be downloaded at this point. so i guess setting my own Authenticator would not be a solution either (at least not if i want to secure my jnlp and my jars, too). quite the contrary, it would have to open another dialog... :-(
    my current solution:
    for the moment i use jws' default Authenticator which allows me to easily protect all my stuff on the server side (jnlp, jar, etc). i can live with the two login dialogs at the initial startup. and instead of querying the credentials from jws' default Authenticator at runtime, i set two system properties for username and password in the (protected) jnlp-file, query them at runtime and hand it to vfs and httpclient. this prevents the 2nd (or 3rd) dialog but is definitely not a great solution. most of all i'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism e.g. tomcat-users.xml. now there has to be one master-password that has to be set in the jnlp-file! grrr!
    a possible alternative:
    i'm not sure but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the jnlp-file? but what happens when the admin changes the password on the server and the user starts its application via desktop-link??? in case of basic authentication i think jws would popup the login dialog again. however, if i use the old username and password generated into the jnlp it won't work. i think the user then has to access the website again. this is not good at all! :-(
    the only real solution:
    should i write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp-api to download the secured JARs of my real application? this seems so much overkill! does anybody have experiences with this approach? how difficult is it to implement the whole download/update stuff with javax.jnlp?
    WHAT HAVE I MISSED???
    AM I COMPLETELY WRONG???
    WHAT IS THE EASIEST WAY???
    AND WHAT IS THE BEST WAY???
    thank you so much,
    stephan

    Not sure, whether I understood correctly, what you wanna do - but up to now I can't see any problem.
    if you have a structure like this:
    /ctxroot/
           launch.jnlp
           /app/
               *.jar
               *.whatever
    you may use in your web.xml:
         <servlet>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
         </servlet>
         <servlet-mapping>
              <servlet-name>JnlpDownloadServlet</servlet-name>
              <url-pattern>*.jnlp</url-pattern>
              <url-pattern>/app/*</url-pattern>
         </servlet-mapping>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Application</web-resource-name>
                   <url-pattern>/app/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>bla</role-name>
                   <role-name>fahsel</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>Subscription</web-resource-name>
                   <url-pattern>*.jnlp</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>whatever-realm</realm-name>
         </login-config>
         <security-role><role-name>bla</role-name></security-role>
         <security-role><role-name>fahsel</role-name></security-role>
    ...Then you may use the Service stuff like:
         BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
         URL codeBase = bs.getCodeBase();
         URL pu = new URL(codeBase.toString() + "whatever.bla");
         HttpURLConnection res = (HttpURLConnection) pu.openConnection();
         res.setInstanceFollowRedirects(true);
         res.setRequestMethod("GET");
         res.setConnectTimeout(10 * 60 * 1000);
         res.connect();
         String enc = res.getContentType();
    ...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent passwd` shows all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directory users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so usefirstpass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_ck_connector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    I'm trying to add two LDAP search DNs to a portal 6.2 organisation.
    with one search base DN it works fine.
    when I add another, all LDAP auth for that org stops working.
    the docs confusingly state that if you have multiple search dns (not talking about multiple ldap servers here - just the search base dns) that you should prefix each entry with the local server name. the docs however provide no examples of the syntax.
    can anyone provide an example for multiple search dns? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
    thanks

    hi,
    Yes I have, but when you enter more than one it stops working. With only one entry in the GUI it will work for that entry, but when you add another it stops working.
    I had to use a manual workaround like this to get the second going... :(
    External ldap authentication
    register the LDAP authentication service in the gui and setup the first DN as normal.
    create the first set of entries for the ldap host and the base dn in the gui as normal etc.
    the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
    All commands are run from the /apps/jes/SUNWam/bin directory
    1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported xml values are incorrect, delete and reload the imported xml data using the amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser, though this method is not supported.
    You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

  • Dbms authentication in OBIEE 11.1.1.7.1

    Hi all,
    I have a problem with configuring dbms authentication in obiee 11.1.1.7.1. I followed the document below, and followed all the steps.
    Using Alternative Authentication Providers - 11g Release 1 (11.1.1)
    Now, my problem is none of my dbms users can login to analytics. I can login using weblogic users, but when I try to search for any of the users from analytics, I get invalid GUID error. (I refreshed GUIDs, this is not related) According to debug steps my problem should be with adapters since I can login to em console with my db users after giving privilege, but I don't know what is wrong. Error from nqserver.log is below.
    [tid: 152c] An error message was received from the BI Security Service: SecurityService::populateBIUserFromUserProfileUser XXXXXX has invalid guid 41414B494E4C49
    [tid: 152c] An error message was received from the BI Security Service: SecurityService::populateBIUserFromUserProfileUser XXXXXX has invalid guid 41414B494E4C49 [[
    [nQSError: 43113] Message returned from OBIS.
    [tid: 152c] SecurityService::populateBIUserFromUserProfileUser XXXXXX has invalid guid 47434554494E4552
    [tid: 152c]  [nQSError: 43126] Authentication failed: invalid user/password.
    [tid: 152c] SecurityService::populateBIUserFromUserProfileUser XXXXXX has invalid guid 47434554494E4552
    [tid: 152c]  [nQSError: 43126] Authentication failed: invalid user/password.
    What do you think the problem could be? Any help would be appreciated.
    Was anyone able to configure dbms authentication with 11.1.1.7.1 or 11.1.1.7?
    Regards,
    Seth

    Hi Seth,
    I am also facing the same issue in 7.0 and 7.1.
    Have you resolved this issue?
    if yes, please share me the solution.
    thank you in advance.

  • Authenticating agains AD with Kerberos, by a user with an explicit UPN

    Hello
    My situation :
    I have a 2008 functional level domain with a technical name, let's say tec.domain.com
    I have for this domain configured an alternate UPN : domain.com (that is only a DNS domain name, not an existing AD domain)
    My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address, on our Exchange organization)
    Now, from a Linux server (running Apache and kerberos), I can do a kinit with [email protected], but not with [email protected]
    When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
    According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ) , my DC should be able to handle it, as far as I understand it.
    Am I missing something ?
    Thanks in advance.

    Hi,
    Thanks for your post.
    It seems like you could not enable Kerberos authentication for users logon using their alternative UPNs.
    Please refer to the similar thread:
    Authenticating to Active Directory using an alternate UPN
    http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
    Regards.
    Vivian Wang

  • WS-Security, WSE, Web Services, Authentication and Flex 2

    Hey All,
    I've been working hard on getting Flex to communicate with a Microsoft .NET 2.0 Web Services project enabled with WSE 3.0 WS-Security. I can't seem to get the headers into the SOAP request that I need.
    For example, I can get a SOAP header into the message like so:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SOAP-ENV:Header>
        <ns0:Security xmlns:ns0="http://tempuri.org/">
          <ns0:password>pass</ns0:password>
          <ns0:username>DOMAIN\Administrator</ns0:username>
        </ns0:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <HelloWorld xmlns="http://tempuri.org/" />
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    .. but, this isn't what my WSE, WS-Security enabled service expects. Which is:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <soap:Header>
        <wsa:Action>http://tempuri.org/HelloWorld</wsa:Action>
        <wsa:MessageID>urn:uuid:5be8b55a-df7b-4547-8def-76282fcd8b47</wsa:MessageID>
        <wsa:ReplyTo>
          <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
        </wsa:ReplyTo>
        <wsa:To>http://localhost/CampaignMojoAPI.asmx</wsa:To>
        <wsse:Security soap:mustUnderstand="1">
          <wsu:Timestamp wsu:Id="Timestamp-aab299a8-81e3-4d8a-bfa4-555f38978584">
            <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
            <wsu:Expires>2007-06-06T20:31:37Z</wsu:Expires>
          </wsu:Timestamp>
          <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                              wsu:Id="SecurityToken-b43668b1-51a3-4ba1-a90a-69eca3b98b66">
            <wsse:Username>DOMAIN\Administrator</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
            <wsse:Nonce>IK4ZemfS1pj3kpdYO5+FBg==</wsse:Nonce>
            <wsu:Created>2007-06-06T20:26:37Z</wsu:Created>
          </wsse:UsernameToken>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        <HelloWorld xmlns="http://tempuri.org/" />
      </soap:Body>
    </soap:Envelope>
    I've tried "addSimpleHeader" and "addHeader", but both seem to inject nested xml elements. Can anyone help me shape this WS call into the format I need it in? Would it be possible to call this WS manually via a direct HTTP post from Flex 2?
    Thanks!,
    Sean
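    The UsernameToken the WSE service above expects, built and then checked the way a receiving service should, in Node.js. This is an added example, not code from the thread, from Flex or from WSE; the receiver-side checks (Created freshness window, nonce replay set, constant-time comparison) and the PasswordDigest variant are assumptions taken from the same Username Token Profile, beyond the PasswordText form the post shows.

    ```javascript
    // Added example (not from the thread): build the WSE 3.0-style UsernameToken
    // shown above and check it the way a receiving service would.
    const crypto = require("crypto");

    const PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    const PW_TEXT = PROFILE + "#PasswordText";     // what the poster's service expects; cleartext, so TLS is a must
    const PW_DIGEST = PROFILE + "#PasswordDigest"; // same profile, hashed variant (assumed here, not on the page)

    const escapeXml = (s) =>
      String(s).replace(/[<>&"]/g, (c) => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;" }[c]));

    // PasswordDigest = Base64(SHA-1(nonce bytes + created + password)); nonce is decoded from base64 first.
    function passwordDigest(nonceB64, created, password) {
      const raw = Buffer.concat([Buffer.from(nonceB64, "base64"), Buffer.from(created), Buffer.from(password)]);
      return crypto.createHash("sha1").update(raw).digest("base64");
    }

    // Returns the token fields plus the <wsse:UsernameToken> fragment (prefixes wsse/wsu as
    // declared on the envelope above). nonce and created default to fresh values.
    function buildUsernameToken(username, password, opts = {}) {
      const nonce = opts.nonce || crypto.randomBytes(16).toString("base64");
      const created = opts.created || new Date().toISOString().replace(/\.\d{3}Z$/, "Z");
      const type = opts.digest ? PW_DIGEST : PW_TEXT;
      const value = opts.digest ? passwordDigest(nonce, created, password) : password;
      const xml =
        `<wsse:UsernameToken wsu:Id="SecurityToken-${crypto.randomBytes(16).toString("hex")}">` +
        `<wsse:Username>${escapeXml(username)}</wsse:Username>` +
        `<wsse:Password Type="${type}">${escapeXml(value)}</wsse:Password>` +
        `<wsse:Nonce>${nonce}</wsse:Nonce>` +
        `<wsu:Created>${created}</wsu:Created>` +
        `</wsse:UsernameToken>`;
      return { username, password: value, type, nonce, created, xml };
    }

    function timingSafeEqualStr(a, b) {
      const ba = Buffer.from(a), bb = Buffer.from(b);
      return ba.length === bb.length && crypto.timingSafeEqual(ba, bb);
    }

    // Receiver-side check on the parsed token fields: known user, Created within maxAgeSeconds
    // of now, nonce not seen before, and password text or digest matching the stored secret.
    // seenNonces only needs to remember nonces younger than maxAgeSeconds.
    function verifyUsernameToken(tok, lookupPassword, seenNonces, now = Date.now(), maxAgeSeconds = 300) {
      const stored = lookupPassword(tok.username);
      if (stored === undefined) return false;
      const createdMs = Date.parse(tok.created);
      if (Number.isNaN(createdMs) || Math.abs(now - createdMs) > maxAgeSeconds * 1000) return false;
      if (seenNonces.has(tok.nonce)) return false; // a captured token being replayed
      let ok = false;
      if (tok.type === PW_DIGEST) ok = timingSafeEqualStr(tok.password, passwordDigest(tok.nonce, tok.created, stored));
      else if (tok.type === PW_TEXT) ok = timingSafeEqualStr(tok.password, stored);
      if (ok) seenNonces.add(tok.nonce);
      return ok;
    }
    ```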

    Yeah,
    Hey guys - thanks for the responses. I looked into this and it seems no one uses WS-Security from the browser. That's why even Google's APIs use alternative key logins, etc. I read from one user that in the next version of Microsoft's AJAX platform they might support it, but that's about it. For now, it looks like there's not even an AJAX/Javascript way to do this. If we could do it via Javascript, then we could use the FABridge. I don't think Flex supports it. I've tried to manipulate the headers into place via Flex classes and I don't think enough control is there to get the output in the form that's needed.
    I think it's possible to write it in Javascript. But right now my time budget just doesn't allow for it. I already spent two whole days re-writing how Flex makes Web Service calls so they're synchronous with timeouts instead of this massive amount of asynchronous code they want you to write, so no more re-writing/extending of components for me for a while.
    But if anyone wants to work together to support it via AJAX/Javascript, I would invest money into developing it.
    I would like a public WS-Security AJAX/Javascript framework for making these calls via WS-Security so I can offer customers a standard way of accessing/authenticating against our public API set. It would also make it possible for Flex to access standard web services with WS-Security enabled.
    Let me know what you guys think, or if anyone else has any good suggestions/software.
    Thanks much,
    S.

  • What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

    When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."
    Well, we don't have TMG and can't buy it since it is off the market.  Can it still be legitimately purchased through any resellers?
    We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.
    Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?
    Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?
    We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term.  Maybe we could use ISA 2006 temporarily as a stopgap if the next version released of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.
    I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.

    Hi,
    You are correct, all TMG product sales officially ended in December 2012.
    In addition, an ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources. However, it seems that ISA 2006 cannot support that on Windows Server 2012 R2. For more detailed information:
    Configuring the TS Gateway ISA Server Scenario
    Personally, Web application proxy would be an alternate. In addition, for the question related to Cisco product, you can contact Cisco for assistance.
    Best regards,
    Susie

  • Active Directory synchronization working, authentication not on CUBM BE5000 8.6(1a)

    I successfully set up Active Directory synchronization between my CUCM BE5000 appliance running 8.6(1a) and our Windows 2008 Server Active Directory.  Users are replicating successfully, but authentication is not working even though I am using the same LDAP manager distinguished name and password for both.  I have a suspicion to the cause of this problem but for the record, the following is my relevant configuration:
    System/LDAP/LDAP System:
    LDAP Server Type: Microsoft Active Directory
    LDAP Attribute for User ID: userPrincipalName
    System/LDAP/LDAP Directory:
    LDAP Configuration Name: bgctnv.local
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: DC=bgctnv,DC=local
    LDAP Server Information: bgctnv.local, port 389 (to query any domain controller in DNS; I have also tried specific IP addresses)
    System/LDAP/LDAP Authentication:
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: LDAP user search base is formed using the User ID information (pre-populated, I cannot change this)
    LDAP Server Information: bgctnv.local, port 3268
    All of my Active Directory users are now populated and active under End Users.  However, I am not able to log into /ccmuser among other things using my valid domain credentials.  I am a super user as well as a standard end user.
    Curiously, invalid usernames (userPrincipalName in my case) return the error "Log on failed - Invalid User ID or Password" while a valid username, with or without the correct password, returns only "Log on failed."  That seems to imply that some part of the authentication or LDAP bind is taking place.
    Here's the catch.  The base domain here is bgctnv.local while we use bgctnv.org as a valid and acceptable alternative UPN suffix in Active Directory.  Every Microsoft and every third-party program I have used will accept [email protected], but I'm beginning to think that CM will not, or is having some sort of translation issue.  I read that alternative suffixes can cause problems in Active Directory forests with multiple trees, but this is a vanilla, single domain environment.
    I don't even know where to look to debug this issue.  Has anyone seen this before or can anyone tell me where to look for logs?
    Thanks,
    John

    I found the following:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html
    As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."
    This may help in some situations where there are multiple trees in an AD forest, but it is definitely not the solution.  Even with multiple trees, it is common to use alternative UPN suffixes.  Nothing in AD requires or even recommends that you exclusively use your AD domain root as the UPN suffix.
    For example, company.local may use company.com as an alternative but primary UPN suffix to provide simplicity for users.  Users can then achieve more broad SSO capabilities by using their familiar email credentials when authenticating for company.local services.
    When using UserPrincipalName as the LDAP synchronization attribute for the CM User ID, the configuration requires that the search base for authentication be derived from the UPN suffix, regardless of whether it is a single domain or multiple trees within a forest.  This makes it impossible to authenticate by UPN unless your UPN is explicitly your root domain name.  From the example above, CM would try to bind [email protected] against DC=company,DC=com instead of the correct DC=company,DC=local.
    The logical solution would be to allow the administrator the option.  Why not have a choice of whether to generate the user search base from the userid (UPN) information, or be able to specify the search base as well like it allows with any other synchronization attribute?
    Would this be a feature request, bug report, or neither?  I'd really appreciate it if Cisco considered this but I don't know the proper channel.

  • Windows Integrated Authentication to SAP R/3

    Hi,
    I don't know whether this issue has to be posted here or in WAS or GUI.
    Is there any way to do Integrated Windows Authentication to SAP R/3? Once the user logs in to the network domain and then to SAP GUI, the user should not be prompted for a user id and should be taken directly to the Role Menu.
    I know for Portal it is possible, but I am not sure for R/3. Please let me know if there is any documentation for the same.
    Thanks & Regards
    Sumanth

    Sumanth,
    there are various variants to do so:
    If your R/3 is running on Windows (and in the same / trusted domain), you can use SNC with either NTLM or Kerberos authentication.
    Otherwise you can log on with SAP Logon Tickets. You mentioned already that you know NTLM/Kerberos is feasible with EP. Now, if you simply integrate your R/3 systems in EP by means of SAP logon tickets you have essentially a smooth SSO for your users.
    Finally, you can use ITS up to 6.20 on Windows to SSO to R/3 (the latter not necessarily on Windows, too). Simply set up webgui, activate SAP logon tickets and configure the PAS service to use Windows authentication.
    Whatever you decide on, all alternatives are a piece of cake to set up.
    Regards,
    Dominik
