Content Engine cannot authenticate using LDAP

Dear All,
I have a problem with Content Engine 511 authenticating against an LDAP server. I am using a Lotus Notes LDAP server to authenticate with the Content Engine, but it doesn't work. Has anyone tried LDAP before? Please advise. Thank you for your help.
Regards,
Chris

Dear,
I am already using the latest version of ACNS software, 5.3, and there is an option to use LDAP authentication in the CLI and web-based management. Thank you for your help.
Regards,
Chris

Similar Messages

  • SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated

    We are getting the alert message below while using SCOM 2012 R2. Does anybody have any idea how to resolve this on the SQL box?
    Thx...
    SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
    Service Account: NT Service\MSSQL$SQLEXPRESS
    Missing SPNs:
    Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
    Duplicate SPNs:

    To fix this issue, you can check the links below:
    http://support.microsoft.com/kb/2443457/EN-US
    http://www.scomgod.com/?p=155
    Mai Ali

  • Authenticate BSP application using LDAP

    Hi,
    Thanks to Durai Raja for his earlier inputs in setting up the LDAP connector in SAP. We were able to connect to our LDAP from SAP (we use Novell eDirectory 8.5).
    I also wrote a small program as below and I am getting back results from LDAP. We want to build a BSP application where users would enter their LDAP user ID and password, and we want to authenticate the BSP application based on this input. My questions are:
    1) Is it possible to authenticate a BSP application based on LDAP user ID and password?
    2) If so, what is the function module to use? I searched LDAP_* but did not find anything.
    3) If we authenticate using LDAP user ID and password, do we have to provide an SAP user ID and password in SICF and allow all users to log in using the same SAP user ID and password?
    Niranjan
    data: dns_out type table of ldap_dnii,
          ldapinfo type ldap_dnii,
          attrs_io type table of ldap_atii.
    call function 'LDAP_SIMPLEBIND'
      exporting
        serverid = 'HQLDAP'.   " Logical Server ID set in LDAP tcode
    if sy-subrc eq 0.
      call function 'LDAP_SEARCH'
        exporting
          base     = 'o=xxxxxxxx'  " Company's Base
          filter   = 'uid=xxxxxxxx'  " Novell User ID or LDAP user ID
        tables
          dns_out  = dns_out
          attrs_io = attrs_io.
      if sy-subrc eq 0.
        loop at dns_out into ldapinfo.
        endloop.
      endif.
    endif.

    Thanks Raja for your inputs. This is our requirement.
    We have about 350 SAP users and about 700 Novell users (computers). We want to provide employee personnel information like vacation details and savings/insurance details in a BSP application. But half of them cannot access it because they don't have access to SAP. We cannot give access to all of them since we have only 400 licenses. So, we were thinking to authenticate against the Novell user ID and password and show them their personnel details. We have a mapping between Novell user ID and SAP HR Empl # and so we can easily get their information. So, we want users to authenticate using their Novell user ID and password (each Novell user ID is mapped as an LDAP ID) and, if it is successful, show their personnel details.
    How can we achieve this ?
    Niranjan

  • ACS cannot Authenticate Aironet Users against External DB (LDAP)

    ACS cannot Authenticate Aironet Users against External DB (LDAP)
    Can anyone point me to a technical explanation of why this is true?
    All I have found so far is one small note in a help file and something that might be related under EAP-FAST explanation.
    I have posed this question to our Cisco account team but no response yet.
    Just need to have a good explanation when explaining to mgmt why we need to have a special setup for WLAN users.

    Hmmm....you should be getting more than that from debug radius and debug aaa authen if your AP is truly attempting EAP authentication. The debugs I generally use for this are 'debug aaa authen', 'debug radius', and 'debug dot11 aaa dot1x all' coupled with gathering the detailed support logs from ACS. A warning about 'debug dot11 aaa dot1x all'....it is VERY verbose and cryptic if you don't have a lot of experience looking at it, so it may be best to open up a TAC case. With these debugs turned on, you should see an EAPOL logon show up from the client (usually says 'received EAPOL packet...') and then a request for identity from the switch and a response from the client with a username and password. Then a series of RADIUS challenge/response packets will be passed, which consists of the server cert being passed to the client for validation and then the client sending the username and password to the server. Then you will finally get an access-reject or access-accept packet from the RADIUS server. The failed and passed attempts logs in ACS can also provide good info as to what the source of the failure may be. Do you get any passed or failed attempts for these authentications?

  • Erased all content on 3G but now won't sync with iTunes. Error states, "This iPhone cannot be used because the Apple Mobile Device service is not started." I don't want phone service on this old 3G. Just want to use it as an iTouch. Any suggestions?

    Erased all content on 3G but now won't sync with iTunes. Error states, "This iPhone cannot be used because the Apple Mobile Device service is not started." I don't want phone service on this old 3G. Just want to use it as an iTouch. Any suggestions?

    Type "Apple Mobile Device service " into the search bar at the top of this page by "Support"

  • Should the Cisco Content Engines be used as a proxy appliance

    Should the Cisco Content Engine be used as a proxy appliance like a Blue Coat appliance, Squid cache engine, ISA server, etc.?
    I am pretty sure it is, but I just need some feedback on past experiences. The customer would like to buy a Cisco product for web filtering/proxy.
    Or is it strictly used to help with web-based applications?

    Hi,
    the CE is basically able to check every request it supports. If you are using 3rd level products like smartfilter, websense or webwasher, you can use the features of those products to suppress/forbid certain requests (i.e. MSN etc.)
    Kind Regards,
    Joerg

  • Use of outgoing proxy with content engine

    Hi All,
    I'm experiencing problems using the "outgoing proxy" feature with a content engine running ACNS 4.03.
    When this feature is enabled, it takes a long time to get the "execute or save to disk" popup window in the web browser, but when I get it, the file is downloaded in a few seconds.
    It seems like the CE waits for the file to be completely retrieved before delivering it to the client...
    This is not service impacting when this is a small file, but when the file is bigger than 1MB, the browser fails with a timeout.
    Can anyone help ?
    Thanks,
    Phil.

    4.01b1 code had a hardcoded proxy timeout value of 300 micro seconds. The ability to set this value was introduced in 4.03 to address symptoms like the one you are describing when the CE is not able to connect to its upstream proxy within this time constraint (also documented in the following bug: CSCdv36226 - "Need CLI to configure connection timeout for outgoing proxy").
    The fix was implemented with the addition of the following command to set this value: 'http proxy outgoing connection-timeout':
    590(config)#http proxy outgoing connection-timeout ?
    <200-5000000> Timeout period for probing outgoing proxy servers in microseconds
    590(config)#
    I hope this helps!
    Cheers,
    Perry.

  • Cannot delete Document Content Type. Getting error "Document Content Type Still in use" powershell, sharepoint 2013

    Not able to delete "Document" content type from a library. I have a custom content type. I have added the custom content type to all the items of the library. Also, I have added the custom columns from "Document" content type to my custom content type. Still cannot delete the "Document" content type. I am doing the same process in different site collections and different libraries, but am not able to delete in a few, say 10 in 100. I get the error "Document content type is still in use".

    Hello 
    Here you go
    http://blog.octavie.nl/index.php/2012/09/14/error-the-content-type-is-in-use-explained
    https://social.technet.microsoft.com/Forums/en-US/e81020e3-2c12-4f39-a2f4-f1fd88ba6547/content-type-is-still-in-use-on-document-library

  • Used Adobe ID to create Behance account, but I cannot authenticate my account with Behance with my Adobe ID details.

    As per the subject line.
    I created a Behance account with my Adobe ID, but now I cannot authenticate the Account with the Behance Plugin.
    Any ideas anyone?

    See this thread....
    I cannot link Lightroom CC to my Behance account.
    All the best.
    Dean

  • Windows AD cannot authenticate if BI platform UNIX?

    We were eagerly awaiting BI4 SP04 to address several SAP integration issues, including the requirement to use Windows AD for single sign-on to SAP Enterprise Portal hosting BI4 content (dashboards/webis/Analysis for OLAP) and BEx Web analyzer, i.e. the user logs on once for Windows to authenticate to all SAP systems, ECC, BW, BI, EP, etc. We have no plans to use the BI Launch Pad.
    We are on AIX 6.1 for BI4 SP04, NW 7.3.1 and EP and BW 7.3.1 and are working through Kerberos client on AIX to Windows AD and SNC and SSO in SAP...
    Frankly, we have been struggling for some time with issues on BI4 SP02 and NW 7.3, so we were frustrated when we came across the following in the SAP doc:
    Business Intelligence Platform Administrator Guide.pdf (http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf)
    Page 211
    The Windows AD security plugin cannot authenticate users if the BI platform server components are running on Unix
    Page 212
    Windows AD with Kerberos is supported if the Java application is on Unix. However, BI platform services must run on a Windows server.
    Can someone clarify these statements?  We will install Java application (NW? BI Java?) on UNIX.  We will not run BI Platform? services on Windows.
    If our requirement is to have a user only logon once  to Windows and access BI4 content in the SAP Portal, not the BI Launch Pad, MUST we run BI4 on Windows?
    Sincere thanks for your time and thoughts,
    Lee Lewis
    Summit Electric Supply
    ASUG EDW and BO SIG Volunteer - Market Leader

    Hi Ainsley,
    A work around?  Yes and no and sort of ...kind of...
    This turns out to be quite complex and temperamental.
    In short, you cannot use Windows AD authentication, but instead use LDAP (with the Microsoft Active Directory). We were able to get this to work with much effort. The biggest limitation is that it supports a single AD forest.
    I am giving a presentation on silent single sign on for BI4 and Enterprise Portals at the SAP BO User Conference in Orlando and will see about posting the slides after the conference, but can share some of the resources here that we found to be most useful. Please reach out to me if I can help further.
    Lee Lewis
    •Integrating SAP BusinessObjects BI Platform 4.x with SAP NetWeaver, Ingo Hilgefort, SapPress 2011
    •Configuring LDAP Manual Authentication and SSO for BI4 on Unix
    •1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
    •Business Intelligence Platform Administrator Guide,  SAP BusinessObjects Business Intelligence platform 4.0 Feature Pack 3,  June 2012
    •1670073 - How -To: Generate keystore and certificate in the process of configuring STS for SAP
    •1687295 - How to configure Single Sign On (SSO) on the SAP Netweaver 7.x portal to BI4
    •IBM - Configure single sign-on authentication on AIX
    •1537480 - Best Practice: How To setup Active Directory Single Sign On when BOE CMS is on Unix or Linux
    •Kerberos Explained - Microsoft Technet
    •SAP Help - Secure Network Communications (SNC)
    •Using Kerberos Authentication for Single Sign-On
    •SAP Netweaver 7.3 Configuring Kerberos Authentication
    •SAP BusinessObjects BI4 Active Directory SSO Tutorial
    •1245218 - How to connect the LDAP plugin to Active Directory
    Lee Lewis

  • How to use LDAP with Oracle forms 10g on Oracle application server

    Hi,
    I need some help on this. I have developed Oracle Forms 10g on application server 9iAS. The client wants to use the existing LDAP authentication for the software we wrote. I do not know how I could configure it to use the existing LDAP authentication. Does anyone know how I would use the existing LDAP on a different server to validate the user when they log on to our menu in 10g? Do I need to add any variables in formweb.cfg, or is there any other method? Please help.
    Thanks
    Luksh

    I am not quite sure if this works out of the box. According to an Oracle FAQ:
    4.2 Can I use LDAP to authenticate Forms Services?
    Not directly. However, Oracle Login Server is able to authenticate against a LDAP directory and thus a Forms application can take advantage of this in a SSO environment. But you cannot use access control information stored in a LDAP directory with Forms.

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
    assert(function()
        if (type(aaa.ldap.distinguishedName) == "string") and
           (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) then
            return true
        end
        return false
    end)()
    From the debug dap you can see what Users relates to:
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
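
The expression in the post above uses a substring test, which is true for any DN that contains the text OU=Users anywhere. The added example below (not from the original post, and not tested on an ASA) compares whole RDNs instead; it assumes a stand-alone Lua 5.1+ interpreter, the helper names are hypothetical, and the third sample DN is constructed.

```lua
-- Added example, not from the original post. Helper names are hypothetical.
-- Runs in a stand-alone Lua 5.1+ interpreter; not tested inside ASA DAP.

-- Split a DN into RDNs on unescaped commas, so "CN=Doe\, J" stays one RDN.
local function split_rdns(dn)
  local rdns, current, i = {}, {}, 1
  while i <= #dn do
    local c = dn:sub(i, i)
    if c == "\\" and i < #dn then
      current[#current + 1] = dn:sub(i, i + 1)   -- keep the escape pair together
      i = i + 2
    else
      if c == "," then
        rdns[#rdns + 1] = table.concat(current)
        current = {}
      else
        current[#current + 1] = c
      end
      i = i + 1
    end
  end
  rdns[#rdns + 1] = table.concat(current)
  return rdns
end

-- Trim surrounding spaces and lower-case the RDN.
-- Case-insensitive comparison is an assumption that suits AD-style OU names.
local function normalize(rdn)
  return string.lower((string.gsub(rdn, "^%s*(.-)%s*$", "%1")))
end

-- True only when one complete RDN of the DN equals `wanted`.
local function dn_has_rdn(dn, wanted)
  if type(dn) ~= "string" then return false end
  local target = normalize(wanted)
  for _, rdn in ipairs(split_rdns(dn)) do
    if normalize(rdn) == target then return true end
  end
  return false
end

-- The check from the post, with plain matching (4th argument) so that
-- characters such as "-" or "." in an OU name are not read as Lua patterns.
local function dn_contains(dn, text)
  return type(dn) == "string" and string.find(dn, text, 1, true) ~= nil
end

local samples = {
  -- The first two DNs are the ones shown in the DAP_TRACE lines of the post.
  "CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com",
  "CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com",
  -- Constructed: an OU whose name only starts with "Users".
  "CN=Temp,OU=Users-Disabled,DC=CH,DC=Mycompany,DC=com",
}

print("substring  exact-RDN  DN")
for _, dn in ipairs(samples) do
  print(string.format("%-10s %-10s %s",
    tostring(dn_contains(dn, "OU=Users")),
    tostring(dn_has_rdn(dn, "OU=Users")),
    dn))
end

-- Constructed stand-in for the attribute tree that DAP exposes as `aaa`.
local aaa = { ldap = { distinguishedName = samples[1] } }
local allowed = dn_has_rdn(aaa.ldap.distinguishedName, "OU=Users")
print("profile allowed for sample 1:", allowed)
```

The two checks agree on both DNs from the post and differ only on the constructed one, which the substring test accepts and the whole-RDN comparison rejects.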

  • Assigning a login module to a single WebDynpro to authenticate against LDAP

    Hi there,
    we are running the J2EE Engine 7.0 within XI on SAP NetWeaver 2004s / Linux x86_64.
    Basically, I want to authenticate a Java WebDynpro against an LDAP (Active Directory). With the XI Usage installed, I cannot customize the UME to authenticate against an LDAP (not supported and not possible).
    Thus, I want to use a custom login module or, if suitable, a standard login module to authenticate against LDAP. I know that all WebDynpro Apps use the default authentication scheme that in turn references the authentication template "ticket".
    1) Can I use a predefined Login Module to authenticate against Active Directory LDAP or do I have to write a custom login module?
    2) Is it possible to assign a login module to a single WebDynpro and how can I do this?
    Thanks a lot in advance,
    Oliver Kalkofen

    > Thus, I want to use a custom login module or, if
    > suitable, a standard login module to authenticate
    > against LDAP.
    We have developed a custom login module which does this. It looks to the user like the BasicPasswordLoginModule provided with SAP, but the userid and password entered have to be a valid account/password from the Active Directory domain. We use the Kerberos protocol to perform this userid/password validation, not LDAP. The userid can be just a name, in which case the default domain (realm in Kerberos terminology) is used, or it can be specified as user@REALM, in which case a non-default realm can be used to authenticate. Once the authentication is complete, we look in the USRACL table to map this Kerberos principal name onto a SAP userid so we can then create an SSO2 ticket.
    If you are interested in evaluating, or getting a quote for purchasing this, please contact me offline. Of course, you can develop your own if you are happy to do so. I just thought you might be interested to know of an alternative.
    Thanks,
    Tim

  • SOLVED: "AuthenticationSupport service missing. Cannot authenticate request."

    A customer was installing CQ5 on a Red Hat Linux environment, and getting the following error displaying in the browser.
    AuthenticationSupport service missing. Cannot authenticate request.
    We checked the Felix Console, and all bundles were installed correctly.
    We did however find the following message in the error log:
    20.06.2012 10:49:26.689 *ERROR* [FelixStartLevel] org.apache.jackrabbit.core.RepositoryImpl failed to start Repository: Unable to register data store in cluster. javax.jcr.RepositoryException: Unable to register data store in cluster.
    Caused by: java.net.UnknownHostException: {server name}: {server name}
    This was not a clustered instance.
    On closer inspection, the error was caused by an incorrect IP address entry for {server name} in the hostnames file
    Tim Goodman

    Hello Mkiti,
        I took a look there and my host file only contains comments :s
        Here's the content:
    # Copyright (c) 1993-2009 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    # localhost name resolution is handled within DNS itself.
    #    127.0.0.1       localhost
    #    ::1             localhost
        The error only happened after I installed the CQ5 update fix from package share. I just renamed the crx-quickstart folder; CQ created a new one and it works, but my projects are still in the old quickstart :s Is there a way to physically copy these projects, maybe?

  • Content Engine NM ACNS/network access

    After searching Google and Cisco, here's my setup...
    2851 Router running 15.1T
    CE-NM-BP-80G-K9 in slot 1/0
    Bridge group 1 for LAN and Wireless WIC.
    Goal:  Either add the external CE interface to the LAN on the bridge group or use WCCP to cache traffic through the internal interface.
    I was able to access ACNS once, but I'm completely new to the design and it was only for testing with the IP scheme.  I reset the config, reloaded the router and now I can't access ACNS via the web gui nor can I access the network from the CE (ping or ftp).
    Interface ContentEngine 1/0 Config:
         ip address 10.0.0.1 255.255.255.0
         Service Module ip address 10.0.0.2 255.255.255.0
         Service Module external ip address 10.0.1.1 255.255.255.0
         Service Module ip default gateway 10.0.0.1
    Interface BVI1
         ip address 192.168.2.1 255.255.255.0
         using dhcp etc
    Service module config:
    CE#sh run
    ! ACNS version 5.5.3
    hostname CE
    http proxy incoming 80 8080
    ip domain-name mydomain.com
    interface FastEthernet external
    exit
    interface FastEthernet internal
    exit
    wmt evaluate
    wmt accept-license-agreement
    wmt enable
    ip name-server 8.8.8.8
    ip name-server 192.168.2.1
    wccp router-list 1 192.168.2.1
    wccp web-cache router-list-num 1
    wccp reverse-proxy router-list-num 1
    wccp wmt router-list-num 1
    wccp version 2
    username admin password 1 xxx
    username admin privilege 15
    username xxxx password 1 xxx uid 2001
    username xxxx privilege 15
    authentication login local enable primary
    authentication configuration local enable primary
    cdm ip 192.168.2.1
    ! End of ACNS configuration
    Here's what I get when attempting to ping:
    CE#ping 192.168.2.1
    connect: Network is unreachable
    CE#ping 10.0.0.1
    connect: Network is unreachable
    CE#ping 10.0.1.1
    connect: Network is unreachable
    And from the LAN:
    seth@Sony:~$ ping 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_req=1 ttl=255 time=1.79 ms
    ^C
    --- 192.168.2.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.799/1.799/1.799/0.000 ms
    seth@Sony:~$ ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.39 ms
    64 bytes from 10.0.0.1: icmp_req=2 ttl=255 time=1.93 ms
    ^C
    --- 10.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 1.396/1.666/1.936/0.270 ms
    seth@Sony:~$ ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    ^C
    --- 10.0.0.2 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1006ms
    seth@Sony:~$ ping 10.0.1.1
    PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
    ^C
    --- 10.0.1.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1007ms
    Page cannot be displayed when attempting to hit the CE on port 8001 or securely at 8003 although the CE shows it's listening
    CE#sh gui-server     
    GUI Server is enabled
    Listen on port 8001
    Secured GUI Server is enabled
    Secured GUI Listen on port 8003
    Let me know if there's some other pertinent info, but what am I missing?

    SOLVED --
    The mistake was my own...in writing this post and re-testing, I realized I had made a foolish mistake. I applied an access-list (which I forgot to include) to the "ip wccp web-cache redirect-list bypass_content_engine" in the global config of the router.
    When I installed service 95 for spoofing, I automatically added the same access list to it as well.
    This was not a good thing since the access list denied packets with a destination of our internal IP addresses from going through the content engine. This worked fine on the way *out* of the router. But as the now-spoofed packets returned, their destination was an inside IP address and they were pretty much discarded. Foolish Mistake!
    Removing the ACL from the "ip wccp 95" statement in the global config fixed the issue and I am spoofing fine.
    Sorry to waste time...
    David Hunter
