Creating Externally Authenticated users

Greetings,
We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
Thanks
Bradd

I don't understand what you are trying to do.
Post your full sql developer info and explain in detail what you mean; with an example if possible.
You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
CREATE USER ops$sue IDENTIFIED EXTERNALLY;
GRANT CONNECT, RESOURCE TO ops$sue;
Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type; fill in the Hostname and Port fields; select OS Authentication; and provide a SID or Service name. Click Test and Connect as before.
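The steps above, carried out end to end as an added example (not code from the thread or from Sue Harper's article). It assumes a DBA session in the SQL Worksheet, an OS account named sue, and Oracle 11g or later, where DBA_USERS has the AUTHENTICATION_TYPE column:

```sql
-- Added example, not from the original thread. Assumes OS user "sue", a DBA session,
-- and Oracle 11g or later (DBA_USERS.AUTHENTICATION_TYPE exists from 11g).

-- 1. Read the prefix the database prepends to OS user names, and confirm that
--    remote OS authentication is off: with REMOTE_OS_AUTHENT = TRUE any client
--    machine could present any OS user name and be trusted.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('os_authent_prefix', 'remote_os_authent');
-- Expected on a default install:
--   os_authent_prefix   OPS$
--   remote_os_authent   FALSE

-- 2. Create the account as <prefix><OS user>. Unquoted identifiers are stored in
--    upper case, which is also how Oracle compares the OS user name on Unix.
--    If OS_AUTHENT_PREFIX is "" (empty), the database name is simply SUE.
--    On Windows the compared name may include the domain (OPS$DOMAIN\SUE),
--    depending on the OSAUTH_PREFIX_DOMAIN registry value.
CREATE USER ops$sue IDENTIFIED EXTERNALLY;

-- 3. Grant only what the account needs. CREATE SESSION is enough to log in;
--    the CONNECT/RESOURCE roles in the article carry more than that
--    (RESOURCE includes CREATE TABLE and CREATE PROCEDURE and, before 12c,
--    granting it also handed out UNLIMITED TABLESPACE).
GRANT CREATE SESSION TO ops$sue;

-- 4. Verify: no password hash is stored and the authentication type is EXTERNAL.
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  username = 'OPS$SUE';
-- OPS$SUE   EXTERNAL   OPEN

-- 5. For later reviews, every account that logs in this way can be listed:
SELECT username FROM dba_users WHERE authentication_type = 'EXTERNAL';
```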

Similar Messages

  • Externally Authenticated Users

    Dear Sirs;
    I have a Windows 2003 server with Oracle Database R2 installed on it. I have been trying to create an externally authenticated user but unfortunately it is not working. Are there any special procedures that I must pay attention to? I followed all the instructions that are mentioned in the documentation in the library section.
    Thank you in advance for your help.
    Mazen

    Dear Sirs;
    I could finally solve this problem. It turned out that the registry must contain the following entry: osauth_prefix_domain with the value of 0. This entry is located in windows registry > HKEY_LOCAL_MACHINE > SOFTWARE > ORACLE > KEY_OraDb10g_home1. This entry was supposed to be there by default but for some reason it wasn't.
    Anyway thanks for everyone who considered helping.
    Mazen

  • Proxy login from externally authenticated user

    Hi Experts,
    I created an externally authenticated user in the database, and can log in without a password with the syntax below.
    SQL> connect / @TESTDB
    Connected.
    SQL> show user;
    USER is "SCOTT"
    This scott user has a proxy permission to another DBuser PROXY_USER.
    I got the syntax but that works only from Database OS.
    sqlplus [proxy_user]/
    SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
    Copyright (c) 1982, 2010, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
    SQL> connect / @TESTDB
    Connected.
    But the above mentioned Proxy connectivity syntax fails with below from CLIENT
    SQL> connect [proxy_user]/ @TESTDB
    SP2-0306: Invalid option.
    Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
    where <logon> ::= <username>[<password>][@<connect_identifier>] | /
    But the same syntax works from Database OS!
    I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
    My sqldeveloper version is:
    Version 2.1.1.64
    Build MAIN-64.45
    and sqlplus is:
    SQL*Plus: Release 10.2.0.1.0
    Any idea?
    Thanks.
    Edited by: Nadvi on Nov 18, 2010 3:09 PM

    Hi Nadvi
    If you get SQLPLUS working, SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
    I am not sure what the issue is with your setup; the proxy use cases I am familiar with are:
    Through the SQLDeveloper ui
    There are two ways of doing proxy logins:
    where p1 is proxy user and c1 is proxy client:
    1/single session method (if no 2nd password or distinguished name required)
    on main connection popup
    user: p1[c1]
    password: p1
    2/Two session method
    Main Connection popup
    user: p1
    password p1
    popup connection authentication
    proxy client: c1
    none or password or distinguished name
    -Turloch
    SQLDeveloper Team
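    The proxy setup behind the p1[c1] syntax described above, as an added example (not the poster's or the SQL Developer team's code). It assumes the two accounts from the thread already exist: SCOTT as the externally authenticated proxy and PROXY_USER as the client, and a DBA session to run the ALTER USER statements:

```sql
-- Added example, not from the thread. Assumes SCOTT (IDENTIFIED EXTERNALLY, the proxy)
-- and PROXY_USER (the client whose schema SCOTT works in) already exist. Run as a DBA.

-- 1. Allow SCOTT to open sessions as PROXY_USER without holding its password.
--    Nothing extra is demanded for the client (AUTHENTICATION REQUIRED is not set);
--    the database relies on SCOTT's own OS authentication.
ALTER USER proxy_user GRANT CONNECT THROUGH scott;

-- 2. Check the relationship in the dictionary.
SELECT proxy, client, authentication
FROM   proxy_users
WHERE  client = 'PROXY_USER';
-- SCOTT   PROXY_USER   NO

-- 3. Connect strings that exercise it (the single-session "p1[c1]" form above):
--    On the database host, OS-authenticated:        sqlplus [proxy_user]/
--    If the proxy account were password-based:      sqlplus scott[proxy_user]/<password>@TESTDB
--    SQL Developer main connection dialog:          user: scott[proxy_user]

-- 4. Inside the proxied session both identities are visible, so access rules and
--    auditing can tell "SCOTT acting as PROXY_USER" apart from PROXY_USER itself.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_name,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_name
FROM   dual;
-- SCOTT   PROXY_USER

-- 5. Traditional auditing can record what the proxy does on the client's behalf.
AUDIT SELECT TABLE BY scott ON BEHALF OF proxy_user;

-- 6. Remove the grant when the job no longer needs it.
ALTER USER proxy_user REVOKE CONNECT THROUGH scott;
```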

  • Externally Authenticated User

    Hi, My application is a Pro C / Oracle 8i based application. I was using hardcoded user ids and passwords, which we removed through an externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of the Oracle database.
    Is this due to the externally authenticated user id? Does it impact system performance?
    Edited by: user594301 on Jan 21, 2009 3:01 AM

    Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?

  • Password aging for externally authenticated user

    Hello All:
    How can we implement password aging for an externally authenticated user?
    Thanks
    San~

    If the user is externally authenticated, then the password expiry should be external, e.g. for the Unix account.
    "When you choose external authentication for a user, the user account is maintained by Oracle, but password administration and user authentication is performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
    With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login. If your operating system or network service permits, you can have it authenticate users. If you do so, set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle user names. The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect."

  • Why do we create externally identfied users ?

    RDBMS version: 11.2.0.2
    Platform : Solaris 10
    I work in a Retail Banking/financial applications environment. All our applications are in Java running from Websphere/Tibco. Our DB servers only host DBs, i.e. applications are run from dedicated Linux servers.
    But in our DB server (Solaris) several Unix users are created for applications. Then we create DB schemas prefixed with EXT$.
    If the Unix user is xpsapp, then we'll create a schema named EXT$xpsapp
    os_authent_prefix parameter set to EXT$
    Why do applications need these externally identified schemas? Can't they just use a normal schema?

    Traditionally, externally authenticated accounts are used for application batch jobs and DBA utility jobs run from "cron." The shell scripts executed by "cron" invoke Oracle tools (usually sqlplus) connecting to the database "as slash" and not hardcoding a password on the command line. This has the following benefits:
    * The O/S-level password can be changed on a regular basis without any associated code (or preference file) changes
    * No hard-coded passwords are used on the command line (which can be seen with the "ps -ef" utility)
    * The batch jobs are not affected by network outages due to the bequeath connection type

  • HOW TO CREATE WINDOWS AUTHENTICATION USER IN SQL SERVER AFTER INSTALLING SQL SERVER 2008

    I had an error while executing an asp.net application from IIS as follows
    Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
    Description:
    An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
    [SqlException (0x80131904): Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.]
    Can the above problem be solved by CREATING WINDOWS AUTHENTICATION LOGIN FOR
    'IIS APPPOOL\ASP.NET v4.0'  ?
    If yes, how to create the login?
    If no,what is the best possible solution?
    Please reply as soon as possible as I am unable to run my project, which I had done in my lab, on my home system.

    Hi Praveen,
    To fix this issue, you need to change the Identity of your website's Application Pool to use the
    NetworkService account (or the less secure LocalSystem account). By default, IIS7 seems to set the Application Pool's Identity to 'ApplicationPoolIdentity' instead of NetworkService or LocalSystem.
    Here's a step-by-step guide for determining your website's Application Pool, then changing its Process Model Identity in IIS7:
    1. Open Internet Information Services (IIS) Manager.
    2. In the Connections sidebar, drill down into Default Web Site and click on your website.
    3. Now in the Actions sidebar (on the right side), click on Advanced Settings... In the popup box, under General you will see the Application Pool listed for your website (in my case the app pool is: ASP.NET V4.0).
    4. Click Cancel... If you choose, you can change the Application Pool here, but for the sake of this example we just wanted to find out what the website's App Pool was.
    Then change the app pool's (Process Model) Identity to 'NetworkService'; the steps are shown below:
    1. Open Internet Information Services (IIS) Manager.
    2. In the Connections sidebar, click on Application Pools.
    3. Now right-click on the Application Pool that your website is using (in this case my site is using the ASP.NET v4.0 application pool), and select Advanced Settings... from the menu.
    4. In the Advanced Settings pop-up box, locate the Process Model -> Identity section and click on the Application Pool Identity.
    5. In the Application Pool Identity pop-up box, change the Built-in account to NetworkService (or if you want, LocalSystem), then click OK, and click OK again to save your Advanced Settings changes.
    Hope this helps.
    Best Regards,
    Peja
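    The Windows login the question asks about, created in T-SQL as an added example (not from the thread). It lets the pool keep its default ApplicationPoolIdentity rather than being moved to the broader NetworkService or LocalSystem accounts. It assumes SQL Server 2008 on the same machine as IIS and an application database named AppDb (a placeholder name):

```sql
-- Added example, not from the thread. Assumes SQL Server 2008 on the IIS machine and an
-- application database named AppDb (placeholder). Run in SSMS as a sysadmin.
USE master;
GO
-- The app pool's virtual account is addressed as IIS APPPOOL\<pool name>.
-- (If SQL Server sat on another machine, the pool would present the computer
-- account DOMAIN\MACHINE$ instead, and that is the name you would create.)
CREATE LOGIN [IIS APPPOOL\ASP.NET v4.0] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];
GO
USE AppDb;
GO
-- Map the login to a database user and give it data access in this one database only;
-- no server-level roles such as sysadmin.
CREATE USER [IIS APPPOOL\ASP.NET v4.0] FOR LOGIN [IIS APPPOOL\ASP.NET v4.0];
EXEC sp_addrolemember 'db_datareader', 'IIS APPPOOL\ASP.NET v4.0';
EXEC sp_addrolemember 'db_datawriter', 'IIS APPPOOL\ASP.NET v4.0';
GO
-- Verify the login exists and is Windows-authenticated.
SELECT name, type_desc
FROM   sys.server_principals
WHERE  name = N'IIS APPPOOL\ASP.NET v4.0';
-- IIS APPPOOL\ASP.NET v4.0   WINDOWS_LOGIN
```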

  • Granting exp/imp privilege to externally authenticated user

    DB version:11.2.0.2
    OS : AIX 6.1
    We have a DB User(schema) called OPS$appuser who is externally authenticated.
    This user should be granted privilege to perform import of scott schema's dumpfile to another schema called appschema2.
    This is what appuser will be doing at the unix command line
    $ su - appuser
    $ exp / owner=scott file=scott.dmp
    $ imp / file=scott.dmp fromuser=scott touser=appschema2
    In short, these are the DB schemas involved:
    OPS$appuser -- The user performing the exp and imp
    scott       -- The schema which is being exported
    appschema2  -- The schema which OPS$appuser imports the contents in scott.dmp to.
    Due to security reasons, we can't grant IMP_FULL_DATABASE privilege to OPS$appuser. So, what privilege can I give to OPS$appuser to perform the above exp and imp tasks?
    Hope the exp and imp syntax I've mentioned above is correct.

    None, as imp_full_database is required for this.
    Also you would better use expdp and impdp using the network_link parameter.
    Doing so, you could write a pl/sql procedure using the dbms_data_pump API to replace the command line cr*p and there will be no commandline access required anymore.
    Sybrand Bakker
    Senior Oracle DBA

  • External authentication on Essbase 9.3.1

    I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
    Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
    On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
    [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
    Single Sign On function call [css_init] failed with error [getOSVersion]
    [Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
    Single Sign-On Initialization Failed !
    If I point to the current CSS file used in production Essbase 7, I get the following message:
    [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
    Single Sign On function call [css_init] failed with error [-1]
    [Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
    Single Sign-On Initialization Failed !
    In either case everything except External Authentication on System9 for Essbase works.
    Both shared services and Essbase are on the same 64-bit Windows box.
    Any help in resolving this will be greatly appreciated.
    Thanks,
    Vikram.

    HI:
    I recommend following these steps:
    1. Go to the box where you have your Essbase installed
    2. Pull up the Shared Services Configuration Utility
    3. Select Component to be registered as Essbase
    4. Remember to stop the Essbase - I assume you are getting the error, hence Essbase would not have loaded.
    5. Re-register Essbase with Shared Services
    6. Start Essbase in Foreground
    It should start :) Good luck.. let me know if this failed..
    Thanks,
    Sriram

  • BOFC 10.0 External Authentication

    Hi there,
    I have installed a BO Financial Consolidation 10.0 and a BO BI Platform 4.0 on the same machine. Now I want to set up the external authentication from FC to BI Platform.
    In the FC WebAdmin page I've configured the 'External authentication configuration string' to 'Business Objects Enterprise XI Authentication' and the CMS servername is the hostname the applications are installed on.
    This doesn't work. Maybe something is missing. The BOFC Login doesn't accept a user that is configured in the CMC of BI Platform.
    I've searched for a long time, but didn't find more than the short description in the install guide.
    I would be really thankful if you might help me figure out what's exactly missing.
    Best regards

    Hello,
    In your steps you did not mention that you have created the user in BOFC10 itself.
    An external user still needs to be defined in the BOFC application (as it needs a profile). On the authentication tab, you can specify that this is an externally authenticated user and indicate its BOE (CMC) name/alias.
    Regards
    Marc Kuipers
    SAP Support

  • How to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically?

    Sharepoint 2013 online/office 365.
    I am creating site collection programmatically using sharepoint Auto hosted app.
    Now I want to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically after site collection creation.
    Is it possible through code? If yes, please let me know how to do it.
    Najitha Sidhik

    For SharePoint 2013 Online, check below links:
    http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/manage-sharing-with-external-users-HA102849862.aspx
    http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manage-external-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
    https://www.nothingbutsharepoint.com/sites/eusp/Pages/SharePoint-Online-2013-Sharing-with-External-Users.aspx
    http://blogs.office.com/2013/11/21/sharepoint-online-improves-external-sharing/

  • External Authentication won't correctly set USER name or Role

    I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine; my issue is with the user information once I am logged in. The user has a null username and ID (possibly generated) and their role is set to zero (or at least not high enough to publish). If the room is set to auto-promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
    Here is a little of the java on the back end (I removed my shared secret):
    public String getRoomToken(String roomID, String userName, String userID, int userRole) {
        try {
            Session session = am.getSession(roomID);
            // Hard-coded test values; the commented-out line passes the caller's values instead.
            return session.getAuthenticationToken(..., "Bob", "TestID", 100);
            // return session.getAuthenticationToken(..., userName, userID, userRole);
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
            return null;
        }
    }
    getAuthenticationToken is hardly changed from what is in the AFCS.java in the examples folder, but here it is in any case
    /**
     * Get an external authentication token.
     */
    public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception {
        if (role < UserRole.NONE || role > UserRole.OWNER)
            throw new Error("invalid-role");
        // Token fields: name, account, user id, room and role, then the signature over them.
        String token = "x:" + name + "::" + this.account
            + ":" + id + ":" + this.room + ":" + Integer.toString(role);
        String signed = token + ":" + sign(accountSecret, token);
        // unencoded
        // String ext = "ext=" + signed;
        // encoded
        String ext = "exx=" + Utils.base64(signed);
        return ext;
    }
    This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine; it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. While observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great, this has caused me a great deal of grief for days now...
    Thanks guys...
    Ves

    Well this is weird. I was trying to set this up so that I could get the log output on that run and I ended up changing
    <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
    to
    <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
    and adding a preinitialize function of:
    protected function preInit():void
    {
        templateID = Application.application.parameters['room'];
        token = Application.application.parameters['token'];
    }
    Oddly enough it now works like a charm. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intended behavior). If this shows up again I will try and track down the particulars and send you guys an email as an FYI. Thanks for the help....
    Ves

  • User external authentication

    hello,
    I have read documentation about the technique for SSO to enable authentication between SAP and non-SAP systems but I didn't find a solution for our problem.
    We seek a way to authenticate external SAP users. We have two SAP systems (ERP and BI) and other non-SAP systems, and we want users to authenticate once.
    For this reason we are interested in any other authentication mechanism (e.g. HTTP authentication header, or otherwise) that makes programmatic authentication possible (from an external application, most likely written in .NET). We need to access the web interface for BI and ERP without the need for additional licenses (such as SAP Enterprise Portal).
    Please help me with a solution.
    Thank you

    Hi,
    it's more complicated. First, I will tell you how it works with SAP Portal. A user authenticates against the portal and gets a logon ticket. The back end systems are configured so that they accept only tickets signed by the portal. So when a user is pointed to a backend system, it checks the ticket and if everything is fine the user gets authenticated.
    So you could try to replicate this set up with your portal. The problem is that I don't know if there is a library for generating logon tickets. So you would have to figure out the format of SAP logon tickets.
    SAP provides a library that can be used to verify SAP logon tickets. So you could use the following approach. You would create a dummy service on the ECC box that would require authentication. After authentication it would generate a logon ticket and redirect the user to the portal. You would implement a custom logon procedure on your portal. You would just read the logon ticket (browser cookie) generated by ECC and verify it using the SAP library. If everything is OK the user would get logged in to the portal. You would also configure the BI system to accept tickets from ECC. It has some disadvantages. For example the user needs to have direct access to the ECC box, but this could be solved using web dispatcher. Basically, you would set up ECC as an identity provider in SAML terminology.
    As you can see I ignored non-SAP systems because it really depends on what you can do with them. As I said there is a library from SAP for verifying SAP logon tickets. So you can create a custom logon procedure for all these systems.
    So to summarize it. Answer for the first question is maybe. Using SAML instead of proprietary SAP logon tickets might be more suitable. Other options could be to use proxies to do some translations between various formats. It's really hard to recommend anything without additional information. 
    Cheers

  • How to display all authentication providers when creating a new user?

    I have configured Active Directory with weblogic 10.3.1. Users and groups display correctly under the users and groups tab. When creating a new user only the DefaultAuthenticator provider is displayed in the drop-down selection. How do I get my Active Directory authenticator to display here also for selection?

    I'm confident that the Active Directory provider is read-only. You could write your own Authentication Provider for AD that supports create/update/delete functionality, but it is not included in the out of the box AD Authentication Provider to my knowledge.
    I know both the Default Authenticator and the database authenticator are read/write.

  • While starting my iMac after new hard drive installed, I created a admin user, I then pulled over a backup from an external hard drive that brought over the previous admin user settings. Need to merge to old user with the new user

    I had to replace the hard drive in my iMac. Upon initial start up, I created an admin user name and password. Then I connected a WD external hard drive that had a backup of my original HD. Upon running Migration Assistant and pulling over the backup I found it pulled over the ORIGINAL user & security information from the original hard drive. In order to see iPhoto or iTunes libraries I must sign on to the "Old" user.
    I want to merge old and new users into only 1 user or delete the original user; however, I need to have the iPhoto/iTunes libraries accessible by the "New" user.

    Your best bet is to start over, by restoring your entire system to the exact condition it was in.  Otherwise, the transferred user account probably won't have permission to its backups.  See the pink box in Problems after using Migration Assistant for an explanation.
    See Time Machine - Frequently Asked Question #14 for details on how to do the restore.
