Client Authentication certificate not working in ADFS3.0

Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya Karve

I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have
working certificates.
I just get a page where a text says I should select a certificate but I never get the dialog to do so.
Any updates on this issue?

Similar Messages

Client Authentication is not working

Hi all..
I have developed a web service with server and client authentication.. I had configured OC4J 10g successfully for client authentication but the problem is: I can NOT access the webservice from the browser the server says: no_certificate. the stub client works properly. I tried to install the certificate into IE explorer but it is not working. please help me ... Thanks in advance
Khaled

Hi
How did you implement your solution to work with a client? I'm trying to authenticate users that try to access a webservice with basic authentication but I can't seem to make it work...
Thanks in advanced
Vitor

Certificate not works when deploy the store app package by powershell

I request a web service with a pfx certificate in windows store app, it works well, but after I create a package by VS2013, and
deploy the app with powershell, access web service failed, seems the certificate not works. Any hints, suggestion ? My code as below:
string certRawData = StringEncryptionHelper.Decrypt(ConfigurationLoader.ApplicationSettings.CertificateData.RawData);
string certPassword = StringEncryptionHelper.Decrypt(ConfigurationLoader.ApplicationSettings.CertificateData.Password);
await CertificateEnrollmentManager.ImportPfxDataAsync(certRawData,
certPassword,
ExportOption.Exportable,
KeyProtectionLevel.NoConsent,
InstallOptions.None,
ConfigurationLoader.ApplicationSettings.CertificateData.FriendlyName);
CertificateQuery certQuery = new CertificateQuery { FriendlyName = ConfigurationLoader.ApplicationSettings.CertificateData.FriendlyName };
IReadOnlyList<Windows.Security.Cryptography.Certificates.Certificate> certs = await CertificateStores.FindAllAsync(certQuery);
certificate = certs.FirstOrDefault();
var protolFilter = new HttpBaseProtocolFilter { ClientCertificate = certificate };
var client = new HttpClient(protolFilter);
HttpResponseMessage result = await client.GetAsync(requestUri);

Hello Mosser lee，
As this issue is related to Development, it is recommended to post in the related MSDN forum.
The professionals there will be glad to help you.
https://social.msdn.microsoft.com/Forums/en-US/home
Thanks for your understanding.
Best regards,
Fangzhou CHEN
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

MAC Authentication does not work

My MAC Authentication does not work.
I have a ACS 3.0 server set. the MAC address is set in the user name field and in the password field.
I can ping the ACS, I can ping my AP, I can ping my client.
I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
I have the latest drivers for both AP and my 350 Client.
I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
Station 0009.7c9f.xxxx Authentication failed
this is my config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname GOM_1200IOS
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
server 10.1.2.197 auth-port 1812 acct-port 1812
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius wlccp_rad_infra
aaa group server radius wlccp_rad_eap
aaa group server radius wlccp_rad_leap
aaa group server radius wlccp_rad_mac
aaa group server radius wlccp_rad_any
aaa group server radius wlccp_rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret xxxxxx
username Cisco password xxxx
ip subnet-zero
iapp standby timeout 5
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
ssid GOM_1230
authentication open mac-address mac_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2462
station-role root
no cdp enable
dot1x reauth-period server
dot1x client-timeout 600
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.43.45 255.255.240.0
no ip route-cache
ip default-gateway 172.16.47.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
access-list 700 permit 0006.25b1.2f79 0000.0000.0000
access-list 700 permit 000a.b78b.2d19 0000.0000.0000
access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
group AP1230
user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
What is wrong?
Thanks very much for your help.

I figured out what was wrong so thank you for stopping by.
I will publish the config for other people to see.
Regards,

Social Client & Nokia blogs not working

from last week social client & nokia blogs not working. Facebook / Twitter / Conversations / Blog etc... are not opening. Get a blank white screen with only option to exit. Surprisingly the social widget is getting updated with posts from both Facebook & Twitter! But if i click to open then its the same issue...

Thanks Adrian,
Am from India and using N8.
First thing i checked is for updates on suite but no luck with that... Not sure if there are updates released which are not made available for users here.
Any idea on where to check if updates are available here? Or when it would be made available here?
Appreciate ur help.
Merry Christmas...
Cheers
Staty

SOAP Axis adapter_Encryption via Client Certificate not working

Dear Experts,
Could anyone please share the steps to enable encryption via client certificate in SOAP AXIS receiver adapter.
I am able to do the same using normal SOAP adapter but with AXIS framework the steps are not working.
I have come across few sdn links to configure axis framework for authentication using wsse security standard but this seems to be different as it requires user and password whereas with certificates we are not given any user/password.
Please provide some valuable inputs.
Thanks.

Hi Shikha,
see the -
Advanced Usage Questions
8. How can I configure a channel to use the encryption and ....
of the FAQ attached to the note -
1039369 - FAQ XI Axis Adapter
Regards
Kenny

Multiple Exchange accounts and client certificates not working...?

Hi all,
I have a problem with my company iPad's. I'm trying to configure 2 Exchange accounts with certificate based authentication on my iPad with the iPhone config utility. For that i have created 2 client certificates.
When I configure just 1 mailbox, does not matter which one of the 2, with the iPhone config util, it al works ok with client authentication.
When I configure 2 mailboxes, on the iPad, without client certificate authentication it al works ok.
When I configure 2 mailboxes with the 2 client certificates with the iPhone config util, both exchange accounts have the same mailbox. When I configure for example mailbox Jim and Harry with the corresponding certificates and I load it into the iPad. The exchange account of Jim has Jim his mailbox, but the exchange account of Harry also has the mailbox of Jim. And sometimes it is vice versa.....
Can anybody help me in this, we are using 4th gen iPad with MS Exchange ActiveSync 2003 SP2 en MS Forefront TMG with Kerberos delegation.
Please advice.
Cheers,
Eddy

Hi Eddy,
I have the feeling that the SSL connection after being established is only using the first authenticated certificated to connect to the exchange server.
Have you had a look over this Microsoft page:
http://technet.microsoft.com/en-us/magazine/ff472472.aspx
Are you able to test 2 accounts on one pad in a test environment preferably with SSL inspection off?
Do you have any information in the Forefront logs of the users being authenticated from the iPad? Or is one user authenticated twice?
Cheers,
IhalpU

BUG - Client Authentication doesn't work !!! [standalone 10.1.3.0.0]

i tried to enable client authentication in jdevloper oc4j with
needs-client-auth="true" but it doesnt work.. i got SSL connection but server do not request client certificate
i did not have problems with 10.1.2.0.2

FYI - It is hard to tell where you went wrong in the configuration. Typically this kind of error comes up if there is a problem with the certificate. The process of securing OC4J is detailed here:
http://download-west.oracle.com/otn_hosted_doc/ias/preview/web.1013/b14432.pdf
Perhaps you can validate what you did vs the documentation.
I cut and pasted the following from the docs so may not come out well:
Creating the Secure Web Site Configuration File
Specify the appropriate SSL settings under the <web-site> element, as illustrated in the following example.
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/
web-site-10_0.xsd" port="4443" secure="true" display-name="My Secure Web Site">
<access-log path="../log/secure-web-access.log" />
<ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory"
keystore="../../server.keystore" keystore-password="welcome"
provider="com.sun.net.ssl.internal.ssl.Provider" />
</web-site>
Note the additions to <web-site>, shown in bold:
Add a secure attribute with the value set to true. Setting secure="true" specifies that the HTTP protocol is to use an SSL socket.
Set the port attribute to an available port. The default for SSL ports is 443; in the example above, the port attribute is set to 4443.
Add the <ssl-config> element. This element is required whenever the secure flag is set to true. This element takes the following attributes and elements:
o The optional factory attribute is used to specify the third-party SSLSecureSocketFactory implementation to use if the application is not using JSSE.
The Oracle implementation - com.evermind.ssl.JSSESSLServerSocketFactory - is used by default. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
If the application uses a third-party SSLServerSocketFactory implementation, you can use <property> subelements of <ssl-config> to send parameters to the factory.
o The keystore and keystore-password attributes specify the directory path and password for the keystore. The specified keystore must contain the certificates of any clients that are authorized to connect to OC4J through HTTPS. The value of keystore can indicate either an absolute or relative directory path and includes the file name.
o The optional provider attribute can be used to specify a security provider to use.
By default, the Sun Microsystems implementation - com.sun.net.ssl.internal.ssl.Provider - is used. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
o One or more <property> elements containing parameters to pass to the SSLSecureSocketFactory. Each element contains a name attribute and a value attribute, enabling you to specify parameters as name/value pairs.
When the Web site configuration file is ready, add a <web-site> element referencing it to server.xml, the OC4J configuration file located in the J2EE_HOME/config directory. Note that applications will not be able to bind to the Web site unless this notation exists in server.xml. For example:
<application-server ... >
<web-site path="./default-web-site.xml" />
<web-site path="./mycustom-web-site.xml" />
<web-site path="./secure-web-site.xml" />
</application-server>
When configuration is complete, OC4J listens for SSL HTTP requests on one port and non-SSL HTTP requests on another. You can disable either SSL requests or non-SSL requests by commenting out the appropriate *-web-site.xml in the server.xml configuration file.

Consuming WS using X.509 certificate not working after NetWeaver 7.02 SP08

Hi
For more than two years we have had a solution that consumes web services over HTTPS using an X.509 certificate for authentication. Now, after upgrading to NetWeaver 7.02 SP08, the web services no longer work.
Today, roughly a week after the upgrade, all the logical ports have been set by the system to an Inconsistent state, and have been renamed with a prefix of ERROR.
When I try to re-create the logical ports I cannot assign the correct PSE file from STRUST to the newly created Logical Port. Previously, we would go into SM59 and set the SSL Certificate to the PSE containing the client and root certificates. But that option is apparently no longer available, see DUETE - Logical Port for OBAfielReciever.
I have been able to get the HTTPS communication to work again by copying the SSL certificate of the service provider into the PSE ANONYMOUS. But I cannot get the soamanager to use the client certificate, so I always get a "HTTP Code 403 : Client Authentication Error" back when consuming the web service.
Any pointers on how to attach the PSE to the logical port would be appreciated.
Best regards,
Bo

Still no ideas ?

I have made the ssl certificates not work

I was notified by my customer that the certificate was due to expire, and at that I started windows SBS console (advanced Mode), and under Network -> connectivity, I selected manage certificates. I tried to renew, but since they had expired, I
was unable to renew. I then tried to request new certificate with the same key. Now I am unable to access RWW since "There is a problem with this website's security certificate", and the selection of continue to this website only allows
you to close this web page.
I have been able to look at the certificate using firefox, and it shows that it was issued to the correct CN but it says that it doesn't recognize the issuer (self issued).   Is it possible that the key has changed, and the public key installer
may not have been updated? If so, how do I update that?
Thank you
Pat

This is a self signed certificate. It does not appear that it is expired
Certificates (Local Computer) ->personal ->certificates
mail.sbm-law.com
Tosalawyers-SBMKSERVER-CA    4/28/2016
Server Authentication
Web Server
remote.sbm-law.com
Tosalawyers-SBMKSERVER-CA    4/29/2016
Server Authentication
Web Server
remote.sbm-law.com
Tosalawyers-SBMKSERVER-CA    4/29/2016
Server Authentication
Web Server
SBMKSERVER.tosalawyers.local Tosalawyers-SBMKSERVER-CA
4/28/2015
Client Authentication
Domain Controller
SBMKSERVER.tosalawyers.local Tosalawyers-SBMKSERVER-CA
4/28/2015
Client Authentication
Domain Controller
SBMKSERVER.tosalawyers.local Tosalawyers-SBMKSERVER-CA
4/28/2015
Client Authentication
Domain Controller
Sbm-law.com/remote
Tosalawyers-SBMKSERVER-CA    4/28/2015
Server Authentication
Web Server
Sites
Tosalawyers-SBMKSERVER-CA    11/25/2012 Server Authentication
Web Server
Sites
Tosalawyers-SBMKSERVER-CA    4/29/2016
Server Authentication
Web Server
Tosalawyers-SBMKSERVER-CA
Tosalawyers-SBMKSERVER-CA    11/26/2015
<All>
Tosalawyers-SBMKSERVER-CA
Tosalawyers-SBMKSERVER-CA    4/28/2019
<All>
WMSvc-WIN-FLBUWELKL17
WMSvc-WIN-FLBUWELKL17      11/19/2020
Server Authentication
The above was taken from the manage certificates and showed friendly name containing blank or none, and with nothing in status.
Thank you
Pat

Client.ole2 is not working

Hi i'm migrating to from fomrs 4.5 to 10g as DDE package are not supported in the
10g. i'm using client.ole2
I have written following code to open a stored excel sheet(which is a template for entering the data). this is not working not giving any error.
please tell me where is the error
declare
application client_ole2.obj_type;
workbooks client_OLE2.OBJ_TYPE;
workbook client_OLE2.OBJ_TYPE;
worksheets client_OLE2.OBJ_TYPE;
worksheet client_OLE2.OBJ_TYPE;
worksheet2 client_OLE2.OBJ_TYPE;
worksheet3 client_OLE2.OBJ_TYPE;
args1 client_ole2.list_type;
L_PATH VARCHAR2(100);
COMMAND1 VARCHAR2(5000);
BEGIN
l_PATH := SFN_GET_DIRECTORY_PATH('DIR0003');
COMMAND1 := L_PATH||'\Formats\EMP_NEW_UPLOAD.xls';
application := Client_OLE2.create_obj('Excel.Application');
workbooks := Client_OLE2.Get_Obj_Property(application, 'Workbooks');
args1 := Client_Ole2.create_arglist;
Client_Ole2.add_arg(args1, 'c:\emp.xls');
workbook := Client_Ole2.invoke_obj(workbooks, 'Open', args1);
worksheets := Client_Ole2.get_obj_property(workbook, 'worksheets');
CLIENT_OLE2.destroy_arglist(args1);
CLIENT_OLE2.SET_PROPERTY(application,'Visible',1);
CLIENT_OLE2.SET_PROPERTY(application,'DisplayAlerts',0);
end;

As Gerald Krieger suggests, it sounds as if you have not installed the Jacob library correctly. Most WebUtil functions, like CLIENT_GET_FILE_NAME, are included in the base 10g install -- OLE functionality, however, is not. This is because the Jacob library, which is required for OLE support, is not an Oracle product and, as such, could not legally be distributed by Oracle.
Jacob can be downloaded from http://sourceforge.net/projects/jacob-project
Configuring the OC4J for developing/testing OLE-enabled forms involves these steps:
1. Download the Jacob library and extract two files -- jacob.jar & jacob.dll
2. Place a signed copy of jacob.jar in ...\forms\java
3. Place a copy of jacob.dll in ...\forms\webutil
4. If you are not using Jacob 1.8, but are instead using a different version, you must edit ...\forms\server\webutil.cfg by locating the line which contains install.syslib.0.7.1=jacob.dll|94208|1.0|true and replacing 94208 with the size (in bytes) of your particular version of jacob.dll
If these instructions are unclear, please accept my apologies and refer to the WebUtil documentation for details.
Finally, be aware that your forms will not deploy correctly unless ...\forms\webutil.pll has been compiled. You must be connected to a WebUtil-ready database in order for webutil.pll to compile successfully.
Hope this helps,
Eric Adamson
Lansing, Michigan

NGS Sponsors authentication does not work in case user has non-English character in his password

Hi,
we are using the NAC Guest Server v 2.0.1 and have Sponsors authentication done through Radius servers. Radius servers are Microsoft IAS using AD.
Sponsors user authentication works okay in case user's password includes English characters, but does not work in case an user uses national characters like for example Umlauts in German.
On Radius server I can see these error messages:
User XXXX was denied access.
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
As soon as an user changes his password and uses English characters only, it resolves.
I guess this might be that NGS uses different coding while sending a password to Radius server, but not sure.
Appreciate if anyone knows a root cause and what could be a workaround. Unfortunately our AD policy allows users to use national characters and we can hardly change it. So a change on NGS or Radius side would be more viable.
Many thanks for your help.

A case has been opened at Cisco and it is now quite clear that it is a problem with coding.
According to Cisco development team NGS uses UTF-8 coding to send the password, of course encrypted, to the Radius server. This cannot be changed within NGS. We use Radius Microsoft IAS Version 5.2.3790.3959 running on VMWare Windows 2003 SP2. More tests are scheduled to be performed.

Authentication function not working in APEX but works in pl/sql

Greetings, Jim here.
I have written a very simple authentication funtion which uses the dbms_ldap package to authenticate using the userid and password from the login page.
I've tested this function thru pl/sql and it returns true and false accordingly.
I've created a custom authentication schema and in the authentication function I have return myfunction;
The problem is, when called thru APEX, it appears to always return true and lets the login proceed, even if the password is correct. I know its using the function due to the fact that if I enter a bogus function as the authentication function, APEX spits up a message saying so.
So, I know the function works, but I don't know why it does not work with APEX. Posting function below.
CREATE OR REPLACE FUNCTION ODBS.CUSTAPEXLOGIN (p_username IN VARCHAR2,p_password IN VARCHAR2)
RETURN BOOLEAN AS
retval PLS_INTEGER;
emp_session DBMS_LDAP.session;
ldap_host VARCHAR2(256);
ldap_port VARCHAR2(256);
ldap_user VARCHAR2(256);
ldap_passwd VARCHAR2(256);
ldap_base VARCHAR2(256);
BEGIN
ldap_host := 'oraldap';
ldap_port := '389';
ldap_user := p_username;
ldap_passwd := p_password;
ldap_base := 'cn=users,dc=company,dc=com';
emp_session := DBMS_LDAP.init(ldap_host,ldap_port);
retval := DBMS_LDAP.simple_bind_s(emp_session,('cn=' || ldap_user || ',' || ldap_base),ldap_passwd);
if retval = 0 then
return true;
else
return false;
end if;
EXCEPTION
WHEN OTHERS THEN
begin
if sqlcode = -31202 then
return false;
end if;
end;
END;
/

Hi Jim,
Can you clarify this -
The problem is, when called thru APEX, it appears to always return true and lets the login >proceed, even if the password is correctThat implies you're saying your authentication function ALWAYS returns true? Is that correct? Also 'even if the password is correct' doesn't read correctly to me, did you mean 'even if the password is incorrect'?
You then say -
now the function works, but I don't know why it does not work with APEX.So by 'does not work' you mean in APEX it is always returning true therefore allowing you to login regardless of the username/password you use? Is that correct?

MI Client 7.0 not working

Hello,
I have performed the following steps for the installation of MI client 7.0,but still the MI client is not working.
1. I have gone to the service market place http://service.sap.com/swdc, under 'Downloads' Navigate to
'SAP Software Distribution Center-> Support Packages and Patches->
Support Packages and Patches - Entry by Application Group->SAP NetWeaver and complementary products-> SAP NETWEAVER-> SAP NETWEAVER 7.0-> Entry by Component-> MI Client -> MI CLIENT 7.00-> OS Independent
2.Extracted the NWM_AWT_WIN32_uncomp.sda file and ran the setup.exe
3.Then i ran the MobileENgine,but i get a popup saying page cannot be displayed
Should i make some server setting if so where,Please help me in resolving this issue
regards
kaushik

Hi
Please check the trace file in /MI/log folder.
You can find the exact error in the trace file.
Regards

Apple 10.4 managed clients dock settings not working

I have an issues with 3 or 4 of my 10.4 clients all are managed by WGM on an apple 10.5 server. The I have managed dock settings on all apple clients are getting the proper dock settings however I have 3 or 4 clients that are not. The clients that are not getting the dock settings are in the correct computer group. And I don't see any of the clients dedicated in the computer group. And suggestions or tips would be welcome help.

THAT WORKED and all is back to normal.
By the way I did not lose any of the icons on my dock either. All the apps light up under the icon and they now mimimize correctly!!
Thank you very much capfred!!!
Chet
captfred East Coast, USA
This helped meRe: dock settings not working Sep 3, 2012 7:34 AM (in response to CaptainChet)
Try deleting com.apple.dock.plist from the preference folder located in your user Library.
You can open the hidden library in Finder's menubar, Finder > Go > hold the option key down > select Library.
Edit: you'll have to add back program icons to the dock that you moved there.

Client Authentication certificate not working in ADFS3.0

Similar Messages

Maybe you are looking for