Cross Realm Authentication

I'm brand new to Oracle and am having some problems getting things to work.
This is my setup:
I have an MS 2000 KDC (Realm A) and a third-party KDC (Realm B) set up. I have an XP client in Realm A, with the
Net8 software installed and SQLPlus installed. The Oracle 8i server resides in Realm B. I have a test database
set up on the Oracle 8i server called Oracle. I created the service principal on Realm B for
Oracle/servername@REALM B. I also created a service principal on Realm A - Oracle@REALM A - and mapped it
to the service principal on Realm B.
I keep getting a 'failed to retrieve credentials' error. Has anyone done this before? Am I missing something in the
configuration files? Any help would be appreciated.
My SQLNET.ORA file on the Oracle server in Realm B is set up as follows:
AUTOMATIC_IPC=OFF
NAMES.DIRECTORY_PATH= (TNSNAMES)
sqlnet.authentication_services=(beq, thirdparty)
sqlnet.authentication_gssapi_service=oracle/servername@RealmB
sqlnet.kerberos5_conf=/krb5/krb.conf
sqlnet.kerberos5_realms=/krb5/krb.realms
sqlnet.kerberos5_keytab=/krb5/v5srvtab
My TNSNAMES.ORA file on the Oracle server in Realm B is set up as follows:
ORACLE =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = servername)(PORT = number))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = oracle)
    )
  )
INST1_HTTP =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = servername)(PORT = number))
    )
    (CONNECT_DATA =
      (SERVER = SHARED)
      (SERVICE_NAME = oracle)
      (PRESENTATION = http://admin)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
My SQLNET.ORA file on the client in Realm A is set up as follows:
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos
NAMES.DEFAULT_DOMAIN=realma
SQLNET.AUTHENTICATION_SERVICES=(beq, kerberos5, thirdparty)
SQLNET.AUTHENTICATION_gssapi_SERVICE=oracle/servername@REALMB
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=c:\etc\krb5.conf
SQLNET.KERBEROS5_REALMS=c:\etc\krb.realms
My TNSNAMES.ORA file on the client in Realm A is set up as follows:
INST1_HTTP.REALMA=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS= (PROTOCOL = TCP)(HOST=servername)(PORT=number))
    )
    (CONNECT_DATA=
      (SERVER=SHARED)
      (SERVICE_NAME=oracle)
      (PRESENTATION= http://admin)
    )
  )
ORACLE.REALMA=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS= (PROTOCOL=TCP)(HOST=servername)(PORT=number))
    )
    (CONNECT_DATA=
      (SERVICE_NAME=oracle)
    )
  )
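As an added example (mine, not part of the post and not an Oracle tool), the script below parses the two sqlnet.ora files and the client's tnsnames.ora quoted above and runs the checks a reviewer would do by hand before chasing KDC or keytab problems: KERBEROS5 must be listed in SQLNET.AUTHENTICATION_SERVICES on both the client and the server, and SQLNET.AUTHENTICATION_GSSAPI_SERVICE must be identical on both sides, because Kerberos principal and realm names are case-sensitive. A third check is a heuristic of this example rather than an Oracle rule: the HOST the tnsnames alias resolves to (after NAMES.DEFAULT_DOMAIN is appended, as Oracle Net does) should be the host named in that service principal. The sample inputs are constructed from the files in the post, and all function names (parse_sqlnet, parse_list, parse_nv, find, resolve_host, check_kerberos_setup) are assumptions of the example.

```python
"""Cross-check Oracle Net Kerberos settings between a client and a server (added example)."""
import re

def parse_sqlnet(text):
    """Parse KEY=VALUE lines of a sqlnet.ora; keys are case-insensitive, so they are upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip()
    return params

def parse_list(value):
    """Turn a sqlnet list such as '(beq, kerberos5)' into ['BEQ', 'KERBEROS5']."""
    return [v.strip().upper() for v in value.strip().strip("()").split(",") if v.strip()]

def parse_nv(text):
    """Parse Oracle's parenthesised name=value syntax (tnsnames.ora) into {ALIAS: value},
    where a value is a bare string or a list of (NAME, value) pairs."""
    tokens = re.findall(r"\(|\)|=|[^()=\s]+", text)
    pos = 0

    def take(expected=None):  # consume one token, optionally insisting on a specific one
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"malformed NV text near token {pos}")
        pos += 1
        return tokens[pos - 1]

    def value():
        if pos >= len(tokens) or tokens[pos] != "(":
            return take()  # bare value such as TCP or servername
        pairs = []
        while pos < len(tokens) and tokens[pos] == "(":  # consecutive (NAME=value) groups
            take("(")
            name = take()
            take("=")
            pairs.append((name.upper(), value()))
            take(")")
        return pairs

    entries = {}
    while pos < len(tokens):
        alias = take()
        take("=")
        entries[alias.upper()] = value()
    return entries

def find(value, name):
    """Depth-first search of a parsed NV value for the first NAME, e.g. find(entry, 'HOST')."""
    if not isinstance(value, list):
        return None
    for n, v in value:
        hit = v if n == name else find(v, name)
        if hit is not None:
            return hit
    return None

def resolve_host(entries, alias, default_domain=None):
    """HOST behind a tnsnames alias; Oracle Net appends NAMES.DEFAULT_DOMAIN to a bare alias."""
    key = alias.upper()
    if key not in entries and default_domain:
        key = f"{key}.{default_domain.upper()}"
    return find(entries.get(key), "HOST")

def check_kerberos_setup(client_sqlnet, server_sqlnet, client_tnsnames, alias):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    client, server = parse_sqlnet(client_sqlnet), parse_sqlnet(server_sqlnet)
    for side, params in (("client", client), ("server", server)):
        services = parse_list(params.get("SQLNET.AUTHENTICATION_SERVICES", ""))
        if "KERBEROS5" not in services:  # the Kerberos adapter must be enabled on both sides
            findings.append(f"{side}: KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES {services}")
    c_spn = client.get("SQLNET.AUTHENTICATION_GSSAPI_SERVICE", "")
    s_spn = server.get("SQLNET.AUTHENTICATION_GSSAPI_SERVICE", "")
    if c_spn != s_spn:  # Kerberos names are case-sensitive, so compare byte for byte
        findings.append(f"service principal differs (case-sensitive): client={c_spn!r} server={s_spn!r}")
    # Heuristic of this example: the alias should point at the host named in the service principal.
    host = resolve_host(parse_nv(client_tnsnames), alias, client.get("NAMES.DEFAULT_DOMAIN"))
    spn_host = c_spn.partition("@")[0].partition("/")[2]
    if host is None or host.lower() != spn_host.lower():
        findings.append(f"tnsnames host {host!r} does not match principal host {spn_host!r}")
    return findings

# Constructed sample files, copied from the settings quoted in the post (PORT left as "number").
CLIENT_SQLNET = """NAMES.DEFAULT_DOMAIN=realma
SQLNET.AUTHENTICATION_SERVICES=(beq, kerberos5, thirdparty)
SQLNET.AUTHENTICATION_gssapi_SERVICE=oracle/servername@REALMB
"""
SERVER_SQLNET = """sqlnet.authentication_services=(beq, thirdparty)
sqlnet.authentication_gssapi_service=oracle/servername@RealmB
sqlnet.kerberos5_keytab=/krb5/v5srvtab
"""
CLIENT_TNSNAMES = """ORACLE.REALMA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = servername)(PORT = number)))
    (CONNECT_DATA = (SERVICE_NAME = oracle)))
"""

if __name__ == "__main__":
    for finding in check_kerberos_setup(CLIENT_SQLNET, SERVER_SQLNET, CLIENT_TNSNAMES, "oracle"):
        print("FINDING:", finding)
```

Run against the quoted files it reports two findings: the server-side sqlnet.ora lists no kerberos5 service, and the realm is spelled RealmB on the server but REALMB on the client. The script only makes such mismatches visible; confirming which one, if any, produces the 'failed to retrieve credentials' error still takes a test connection after each correction.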

Similar Messages

  • Authenticating Windows via Kerberos and cross-realm trusts

    So, I embarked on a project to set up a cross-realm trust between my OSX Server and an Active Directory running on a Windows 2003 server. The bottom line: it almost works.
    I followed the normal steps to make this happen as though OSX was a Linux box. Active directory knows to ask the OSX Server for authentication, and is able to decrypt and parse the returned tickets.
    However, I get the message "Insufficient system resources exist to complete the requested service" when any user tries to login to the AD domain using the OD credentials.
    In debugging, I created a raw principal via kadmin with no attached LDAP account on the OD box, and attempted to login. It worked. Creating a user via Workgroup Manager fails.
    It would seem that Apple is adding some magic to the Kerberos tickets that is making Windows angry. I suspect it is something to do with the dbprincargs, but so far, I have not found any concrete documentation that would assist me to figuring out what apple is doing here and what I can do about it (short of looking at the actual source code).
    Has anyone, anywhere set up a cross realm trust between OD and AD and made it work? I know the Mac will auth from AD no problem, but I want to go the other way: the Mac at the top of the authentication chain and the AD depending on it for credentials.
    I hope I made this clear, and I'd be happy to go into more detail if it will help anyone else.

    I made much progress on this matter.
    I now have OD and AD running side by side using two different kerberos realms.
    Mapping an OD user (actually kerberos realm) to an AD user was easy in windows, just had to enter a mapping in the user editor.
    But on the mac side, how do I do the reverse operation?
    anyone?
    JY

  • Realm authentication not working for usergroups

    Hi...
    I have a server running 10.4.3 (8F46). I'm running one web site, and also some AFP shares. This server is bound to our corporate Active Directory server.
    I'm positive the AD integration works because my AFP shares use AD users and groups for their permissions. All but one AFP share uses an AD group for permissions. AD users are in an AD group, and they can log in to the share. It works.
    Anyways.... I want my one web site to be protected, and I'd like only one AD group to be able to access it. I am familiar with Apache from FreeBSD and OpenBSD. In ServerAdmin, I created a web site, and it works. I then created a realm, and added one AD user to the users pane. From the browser, I can connect to the web site after I authenticate as the AD user (annoyingly, I have to prepend my AD domain and a backslash to my username). My AD user can connect and view the web page.
    When I add an AD group to the groups pane, none of the member users can authenticate properly. If I remove the above user from the user pane, and add a group (containing said user) to the group pane, that user can no longer log in.
    I've consulted the 10.4 server documentation; the WebServices pdf does not get into details with realm authentication, and covers it mostly in conjunction with WebDAV.
    I find it odd that an AD user can connect when specified as a user entry, but not from within a group. It's almost as if authenticating to AD groups is broken in Apple's implementation of Apache.
    Has anyone else set up authentication with websites? Ever done it with Active Directory?
    Thanks
    /eric

    This is not limited to Active Directory as I have been unable to use groups for realm authentication with OpenLDAP either (on 10.3.9).
    I assumed it would be fixed in 10.4 but I see it has not.

  • Weblogic.security.acl.realm.authentication... Exception

    Hello All
    The reason I'm moving this question from JMS to this section is that people there
    suggested it. Anyway,
    when I tried to use an applet which implemented MessageListener to send a message,
    I got the following exception ( the port 7001 had been granted to connect, resolve
    in java.policy)
    javax.naming.AuthenticationException [root exception is java.lang.SecurityException:Authentication
    for user admin denied in realm webogic start server side trace: java.lang.SecurityException:Authentication
    for user admin denied in realm weblogic at weblogic.security.acl.Realm.authentication(Realm.java
    212) at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java 233) at weblogic.security.acl.internal.Security.authenticate(Security.java
    135) at weblogic.kernel.bootSevicesImp.authenticat(BootServicesImp.java 119) at
    weblogic.kernel.ExecuteThread.run(ExcuteThread.java:120 ..
    My question is why servlets, Swing or other applications outside an applet don't generate
    such exceptions even though most of the code is similar? How to deal with this?
    Thanks
    John

  • Cross Domain authentication between Windows 2012 R2 domains

    Hello,
    I am trying to figure out if this is possible.
    We have 2 companies that have a VPN between them.
    I can ping their PCs and access their servers by name no issues.
    What I am trying to do is setup a cross domain authentication.
    So their credentials can be authenticated without creating an account for them on the local network (and vice versa).
    This way I can create a share on our domain and they will be able to access it without needing to log on with different credentials.
    Thank you.

    We have Meraki with Site to Site VPN.
    Site-to-site firewall
    Policy  Protocol  Source  Src port  Destination  Dst port  Comment
    Allow   Any       Any     Any       Any          Any       Default rule
    So as you can tell we don't block anything at all.

  • Weblogic realm authentication failure getting connection from pool

    We are getting this error when we try to get a connection from the
    pool for a Tx Data Source. We are successfully getting connections
    from a (non-Tx) Data Source.
    java.lang.SecurityException: Authentication for user Fitness_demo
    denied in realm weblogic
    at weblogic.security.acl.Realm.authenticate(Realm.java:212)
    at weblogic.security.acl.Realm.getAuthenticatedName(Realm.java:233)
    at weblogic.security.acl.internal.Security.authenticate(Security.java:125)
    at weblogic.security.acl.Security.doAsPrivileged(Security.java:481)
    at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:127)
    We have added the DB user as a user in the realm, which usually does
    the trick; but in this case it does not. We are using Merant's
    JSQLConnect type 2 driver for SQL Server, and we are running on
    Solaris. The scenario works fine using Oracle Thin driver on Windows.
    Do we need ACL entries or something? We do not have any ACL entries
    now.
    Thanks,
    -wes

  • Browsers do not remember realm authentication details

    Hello,
    When I try to access pages in a protected realm, I sometimes have to enter the username and password 5 or more times. Sometimes just twice. Even if I tell my browser to remember the password/username, it still prompts me to authenticate later on. I don't think it's a browser problem because this affects Safari, Firefox (win and mac) and Internet Explorer.
    Why would it try to authenticate so many times? And why doesn't it remember the authentication details? Would the webserver be sending out a different kind of identification ( or whatever?) each time, so the browser thinks it's a different site? (Perhaps related to that 16080 cache?)
    Thanks for your suggestions
    -Woody

    Since it's affecting multiple browsers it has to be something server-side.
    Realms are keyed off both the hostname and the URI in combination with the realm name. You should look at the URLs in question, make sure they all have the same realm name assigned, and check the web server logs to see what the server is saying about the authentication (e.g. look for any 'authentication failed' messages).
    It is also true that the performance cache (:16080) port can affect this if you're using redirects since http://www.yoursite.net/ and http://www.yoursite.net:16080/ are completely different sites as far as the browser is concerned, and therefore would require separate sign-ins. Try turning off the performance cache to see if that helps.
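To make the reply's point about realms concrete, here is an added example (mine, not from the thread and not any browser's code) that models how a browser caches HTTP Basic credentials. RFC 7617 defines the protection space as the canonical root URL (scheme, host and port) combined with the realm name, so a redirect onto the :16080 performance-cache port, or a different realm string on some URLs, opens a new protection space and triggers another password prompt even though the site is "the same". The visit log is constructed, using the hostname from the reply; parse_challenge, protection_space, BrowserSim and count_prompts are names chosen for this example.

```python
"""Browser credential caching for HTTP Basic auth, keyed by protection space (added example)."""
import re
from urllib.parse import urlsplit

# auth-param grammar: token "=" ( token | quoted-string ), comma separated
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_challenge(header):
    """Split a WWW-Authenticate value such as 'Basic realm="Members"' into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM.finditer(rest)}
    return scheme.lower(), params

def protection_space(url, realm):
    """RFC 7617 protection space: canonical root URL (scheme, host, port) plus the realm name."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return parts.scheme.lower(), parts.hostname.lower(), port, realm

class BrowserSim:
    """Minimal model of a browser's credential cache: one prompt per new protection space."""

    def __init__(self):
        self.cache = {}
        self.prompts = 0

    def visit(self, url, challenge, credentials):
        """Handle a 401 for url; prompt (and store credentials) only if the space is unseen."""
        _, params = parse_challenge(challenge)
        space = protection_space(url, params.get("realm", ""))
        if space not in self.cache:
            self.prompts += 1
            self.cache[space] = credentials
        return space

def count_prompts(visits, credentials=("alice", "constructed-password")):
    """Number of password prompts a browser would raise over a sequence of (url, challenge) 401s."""
    browser = BrowserSim()
    for url, challenge in visits:
        browser.visit(url, challenge, credentials)
    return browser.prompts

# Constructed visit log reproducing the scenario in the reply above.
VISITS = [
    ("http://www.yoursite.net/", 'Basic realm="Members"'),
    ("http://www.yoursite.net/photos/", 'Basic realm="Members"'),        # same space: no prompt
    ("http://www.yoursite.net:16080/photos/", 'Basic realm="Members"'),  # cache port: new space
    ("http://www.yoursite.net/docs/", 'Basic realm="Docs"'),             # other realm: new space
]

if __name__ == "__main__":
    print(count_prompts(VISITS))  # 3
```

The same model explains the reply's checklist: if two URLs on one host answer with different realm strings, or a redirect changes the port, the browser is behaving correctly by asking again, and the fix is on the server (one realm name, no redirect to :16080), not in the browser's password store.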

  • MCX Does Not Apply to Cross Realm User Accounts

    Here's the situation:
    Kerberos realm (REALM1) set up for user account access
    AD created to allow authentication via REALM1 as well as AD (REALM2)
    Mac OS workstations are bound to AD and local Mac OS Kerberos configurations on the clients allow authentication using user accounts defined in REALM1.
    Users are able to log in to client workstations with no issues. Kerberos works fine within AD services. What we're attempting to do is get MCX policies to somehow apply when an AD account logs in to a Mac OS X workstation. We've been using either local MCX (dslocal) or OD (via Golden Triangle).
    When a native AD account or local Mac OS user account logs in to Mac OS, policies are successfully applied. However, when a user account in our MIT Kerberos Realm logs in (REALM1), no policies are applied. It appears that policies exist when using mcxquery, although these policies are not apparent to the users that log in.
    I also attempted to use mcxrefresh to get a better idea (with the -a switch for authentication), but it does not work since it bases authentication on REALM2 (AD) rather than REALM1 (MIT Kerberos). Since it cannot authenticate, no policies are refreshed and nothing applies.
    I'm just wondering if anyone has seen this issue and if they managed to solve it, how they solved it. We're hoping to find a solution that does not require a CoD (Cylinder of Destiny) or LDAP schema changes.
    Any info is appreciated.

    Hi Shiju,
    Before going further, we can run command gpresult/h report.html with administrative privileges to collect group policy result report to check how group policy settings are applied.
    Besides, we can try to install the following hotfix to see if it helps.
    Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2
    https://support.microsoft.com/en-us/kb/2738898?wa=wsignin1.0
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • BASIC/LDAP Realm Authentication

    I am trying to protect access to my Web Application using BASIC
    Authentication based on an LDAPRealm that I have configured. I want all
    users that try to access anything in my Web App to have to log in first,
    based on their information in the LDAP server.
    My web.xml file looks as such.
    <web-app>
    <display-name>LDAPSpike</display-name>
    <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/test</url-pattern>
    </servlet-mapping>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ActiveDirectoryCachingRealm</realm-name>
    </login-config>
    </web-app>
    Do I need to set up a <security-constraint> tag or a <security-role> tag? If
    so, what role do I use? I just want ANY user to be authenticated by using
    the LDAP Realm (in this case ActiveDirectory as an LDAP Server)
    Thanks in advance for the help...
    Frank
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Frank Febbraro
    Senior Software Engineer

    Plamen Petrov wrote:
    > I am having similar problem. I managed to grant access
    > to individual users and groups in the LDAP server, but
    > what I want to do is to give access to everyone in
    > the LDAP directory without explicitly specifying his
    > name or group membership.
    Create a group "everyone" in LDAP as a workaround.
    Cheers,
    Alexander Petrushko
    mailto:[email protected]
    Consulting Services available
    Freemarker vs JSP:
    http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html

  • Cross Instance Authentication Issues

    I have the portal meta-data installed and running on an instance called DMD1 and all of our users are on a different instance called DCD1. Prior to this setup our metadata and client data was on the same instance and I would run a PSP with the ...pls/portal/schema.package.procedure.
    With this setup (meta-data in one instance and client data in another) I get ie-404 errors. Can anyone direct me to a resource that would explain the configuration changes that I would have to make in order to allow PSP's on DCD1 to be available through the portal on DMD1?
    I have created a DAD on the DMD1 instance with a specific USERNAME and PWD and can use that DAD to execute a PSP on DCD1 but I need each user to run the PSP as themselves.
    Any assistance or resources that will provide an explanation of SSO in this type of environment will be appreciated.
    Thank you,
    Mark Johnson

    I have found my answer, thanks to another forum.
    Meta-Cross Domain Policies.
    http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html
    Basically I can now say "f*ck you adobe. I as a college
    student who likes to host things on my 150 MB of server space can
    no longer host XML formatted levels for games I write. Because I am
    not the administrator of the server and will never be able to
    convince the administrator to let me have the MCDP file allow my
    flash file to load its levels."
    F*ck you Adobe, F*ck You.

  • Integration of existing AD and existing OD infrastructures

    We have a well established Active Directory and a well established OpenDirectory with file systems participating in each. At this time, both directories are autonomous. We need to make the existing file systems offered on the XServes in OD accessible by AD accounts with the goal of eventually removing all user accounts from OD.
    The problem we've discovered is that we are unable to preserve and protect UIDs of the OD accounts using OD and the Apple Active Directory Plug-In. The result is that MaryX in AD does not have ownership of her files on the XServe because her account does not have the same UID as the MaryX account in OD.
    Is there a way to create the account for MaryX in AD and establish her OD UID value there in such a way that the Apple Active Directory Plug-In on her Mac and on the XServe will allow her to access her files?
    At this point, the only alternative we've found is impractical. That would require us to identify her new UID as presented by the plug-in and re-chown the entire set of file systems. That's over 30 TB of data. The same procedure would have to be performed for each existing OD account and group. We think this is an unnecessarily nasty solution and are hoping we could do something simple like extend the AD schema for POSIX compliance and get the plug-in to reference UID from there.
    Suggestions? Ideas?
    Thank you,
    Greg Chapman

    Hi
    I'm guessing your environment could benefit from implementing Cross-Realm Authentication:
    http://images.apple.com/server/macosx/docs/OpenDirectory_Admin_v10.5_3rdEd.pdf
    Page 72. However apart from a brief mention of what it is you won't find much more. You could look at what afp548 has to offer? I found this:
    http://www.afp548.com/xrealm/
    Which might help? Some time ago I did this with 10.4 Server. It took some doing and worked well. You might want to consider an experienced consultant?
    Tony

  • AD Bind to OD

    I know in the past on here several of us have gotten OD to talk to AD. What I am trying to do, for fun, is do it the reverse way. Have AD talk to OD. Is this possible? If so how? I go to add an AD and go through the wizard but it doesn't seem to work. Ideas?

    Hi
    It can't work in the same way that OD augmenting/integrating into AD does. Mainly because Microsoft's implementation and adaptation of OpenLDAP is more extensive and less Standards based than Apple's.
    If you were to look at the two schema structures themselves, you'd see Microsoft has a 'tree-like' shape whilst Apple's looks like a hedge. Besides, and as far as I know, Microsoft does not bother developing or even making available a corresponding OD plug-in, that maps like-for-like attributes and values in the same way that Apple's AD plug-in does.
    As Strontium90 has pointed out, the only other 'real' alternative that does not involve a horrendous amount of work editing/amending the schemas themselves, is Cross-Realm Authentication.
    It can be made to work with some effort which I have tried in a test environment. It worked well. However I've only done it once and it was with 10.4 Server and it was some time ago. An interesting experiment with not much practical purpose. As Strontium90 points out Users/Groups have to exist in both directories.
    Tony

  • Cross-forest user administration

    I have created a cross-forest trust between DSfW domain and MSAD domain. In both domains, I have added one user (call him CrossAdmin) as member of Builtin\Administrators group.
    I can log in to DSfW domain as CrossAdmin and successfully administer users in MSAD domain using "Active Directory Users and Computers"). But the reverse doesn't work. If I log in to MSAD domain as CrossAdmin and in "Active Directory Users and Computers" try to switch to the DSfW domain, I get an error message:
    "The domain dsfwdomain.oursite could not be found because: Access is denied".
    At the same time, the following is logged to /var/log/messages on the DSfW server:
    krb5kdc: [KDC] Regenerating authorization data for cross-realm client [email protected]
    krb5kdc: [KDC] Failed to locate PAC principal data buffer
    krb5kdc: [KDC] PAC lacks principal name authenticator
    krb5kdc: [KDC] Ticket for client [email protected] is not bound to PAC
    Is this a restriction by design, or can it be made to work somehow?

    vatson,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://www.novell.com/support and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Forums Team
    http://forums.novell.com

  • Want to pass Realm login username to php web page

    I have a web directory set up as a Realm via Server Admin. I'd like to grab the authentication info (really just the username) and use it via PHP to compare against a mysql table of users to pull out username and real name so the user doesn't have to log in twice (once to access the Realm, once to authenticate to Mysql in a php form.)
    I've searched the web and these discussions but have not found any documentation that tells me that I can access or display the Realm authentication username.
    Is this even possible?

    The PHP documentation seems to have this covered:
    http://us3.php.net/manual/en/features.http-auth.php
    Once the user has filled in a username and a password, the URL containing the PHP script will be called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW, and AUTH_TYPE set to the user name, password and authentication type respectively.
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";

  • NT realm works, but appears slow and unconfigurable

    Using WLS 6.1sp1 I successfully have authentication working
    using the NT realm.
    The most simplistic cases work but I'm having trouble with the
    more complex cases. BEA does not provide examples on these:
    #1. Listing Users/Groups from the console is extremely SLOW.
    Similar to Frank Febbraro's post (5-2-2001), whenever I
    click on Security->Users from the console it takes 15-20
    minutes to respond. Likewise, the Security-Groups option
    never returns (Frank mentions it takes 30 minutes??)
    #2. You can specify roles and principals, but not domains.
    In the weblogic.xml descriptor I can specify principals or
    roles using the <security-role-assignment>. But what I'd
    like to do is not limit access to a proper NT group or
    weblogic role, but rather an NT domain. That way any user
    in the domain that is authenticated can access the resource.
    I've heard other developers want this functionality as well.
    #3. One domain works, multiple domains do not.
    According to the "Managing Security Document"
    (http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1052721)
    you can run the weblogic server on various machines,
    including a "mutually trusted domain". What is not
    stated is how to authenticate using those trusted domains.
    For example, logging into the web browser using HTTP
    challenge/response may work for the following username:
    myusername
    But this will not:
    mydomain/myusername
    nor this:
    mytrusteddomain/myusername
    And from within the console the Security->Filerealm tab
    only allows selection of one realm, not multiple.
    Anyone know of any further reading/examples for the NT realm?
    Jason

    Hi Jason,
    I'll just dive right in here.
    > #1. Listing Users/Groups from the console is extremely SLOW.
    > Similar to Frank Febbraro's post (5-2-2001), whenever I
    > click on Security->Users from the console it takes 15-20
    > minutes to respond. Likewise, the Security-Groups option
    > never returns (Frank mentions it takes 30 minutes??)
    Yes. This has been a problem for a lot of users with NTRealms. The speed
    issue has something to do with the way the console loads users and
    groups. BEA is looking into the issue of why it is a problem for the
    console to enumerate through group and user membership.
    It is fairly fast, however, when the cachingRealm is simply cleared,
    because different calls are being made internally.
    So although this is definitely a performance issue with the console, you
    should find that there are not performance problems for the "normal"
    functioning of your realm -- authentication lookups and the clearing of
    the CachingRealm should be reasonably fast.
    > #2. You can specify roles and principals, but not domains.
    > In the weblogic.xml descriptor I can specify principals or
    > roles using the <security-role-assignment>. But what I'd
    > like to do is not limit access to a proper NT group or
    > weblogic role, but rather an NT domain. That way any user
    > in the domain that is authenticated can access the resource.
    > I've heard other developers want this functionality as well.
    Right. It is not possible to restrict access to a certain NT domain right
    now.
    > #3. One domain works, multiple domains do not.
    > According to the "Managing Security Document"
    > (http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1052721)
    > you can run the weblogic server on various machines,
    > including a "mutually trusted domain". What is not
    > stated is how to authenticate using those trusted domains.
    > For example, logging into the web browser using HTTP
    > challenge/response may work for the following username:
    > myusername
    > But this will not:
    > mydomain/myusername
    > nor this:
    > mytrusteddomain/myusername
    Again, this is unfortunately expected behavior.
    If you have 2 NT machines with a trust relationship, and you are using
    these machines as the user/group store for WebLogic, there is no easy way
    to get WebLogic to differentiate between a user/group on machine#1, versus
    a user/group on machine#2. WebLogic views all users and groups,
    regardless of where they are found, exactly the same -- exactly equally.
    That is why you notice that specifying /mydomain/username or
    mytrusteddomain/username both do not work.
    > And from within the console the Security->Filerealm tab
    > only allows selection of one realm, not multiple.
    Right again. (Man, I seem to just be piling on the bad news right now.)
    You can only have one "alternate" realm hooked into WebLogic at a time
    currently.
    I hope this helps answer your questions, even if most of the information
    isn't exactly what you wanted to hear...
    Cheers,
    Joe Jerry
