CSA User authentication auditing rule and Policy conflicts

Hi there
We have CSA 5.2 in our environment. I created a custom policy, added the 'user authentication auditing' rule and enabled auditing of failure events on a Windows XP machine, but I don't see any failure attempts in the CSA MC event log even though I tried to log on with invalid passwords. What could be the reason for this?
Secondly, I was wondering what happens when I apply two policies. Are the policy settings added together and applied to the group, or does one policy get priority over the other?
Thanks for your answers
Ahmed

Have you checked the security event logs on the machines in question? If there are no events there, CSA cannot report them.
That's where CSA gets the info and by default, there is no account auditing in Windows XP.
You have to enable it either via group or local policy.
Tom
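One way to check the point made in the reply above, as an added example that is not part of the original thread: on Windows XP, `secedit /export /cfg audit.inf` writes the local security policy to an INF file whose `[Event Audit]` section holds one value per audit category (0 = none, 1 = success, 2 = failure, 3 = both). The script parses such an export and lists the logon-related categories that do not audit failures; the sample INF text and the function names are constructed for illustration.

```python
"""Check a `secedit /export` INF for failure auditing of logon events."""
import configparser

FAILURE = 2  # bit set when failures are audited (2 = failure, 3 = both)

# Audit categories that record logon attempts.
LOGON_CATEGORIES = ("AuditLogonEvents", "AuditAccountLogon")

# Constructed sample export: nothing is audited.
SAMPLE_DEFAULT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_export(path):
    """Read an export from disk; secedit writes the file as UTF-16."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()


def parse_event_audit(inf_text):
    """Return {category: value} from the [Event Audit] section, or {}."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.optionxform = str  # keep the original key case
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {
        key: int(value)
        for key, value in parser.items("Event Audit")
        if value is not None
    }


def missing_failure_audit(settings):
    """List logon categories whose failure bit is not set."""
    return [
        name
        for name in LOGON_CATEGORIES
        if not (settings.get(name, 0) & FAILURE)
    ]


if __name__ == "__main__":
    gaps = missing_failure_audit(parse_event_audit(SAMPLE_DEFAULT))
    if gaps:
        print("No failure auditing for:", ", ".join(gaps))
        print("Failed logons will not reach the Security log on this host.")
    else:
        print("Failure auditing is enabled for logon events.")
```
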

Similar Messages

  • User Authentication using Servlet and JSp

    Hi,
    I am developing a web app where I need to implement user authentication to allow members to view and upload files in a certain directory, say /data.
    For this I am using a servlet as a controller, which then forwards requests to other JSPs/servlets based on the user's response. I tried using a servlet mapping in web.xml so that all browser requests would be directed to the controller servlet and would branch from there on. However, the problem is that all RequestDispatcher.forward() requests are redirected to the servlet, putting it in a loop.
    Is there another way to achieve this (apart from using form-based Basic Authentication)?
    I am using Resin 1.2.8 servlet/jsp container.
    Any response as soon as possible would be appreciated.
    Thanks,
    Kushagra

    RequestDispatcher.forward() causes the HTTP request to be sent through the request processing flow as if it were the original request for the resource being forwarded to.
    It seems the servlet mapping you are talking about in web.xml should be made more specific. i.e. the mapping should be such that only your so called controller servlet will match up.
    You might want to specify the mapping for the controller servlet to be noticeably/effectively different from the mapping for other servlets and JSPs.

  • China Direct / Indirect Tax rule and policy..

    Hi,
    Now I am looking to work on China Direct Tax, but I am new to China Direct/Indirect Tax.
    I need the following documents for China taxation:
    1. Tax Rule/Policy
    2. Configuration document for the country China version.
    Please send me the document or link directly to my mail also.
    [email protected]

    Dear Maa
    This question is not "really" related to SAP Chemical. Tax and similar topics are more "SD-FT" or "GTS" related.
    C.B.

  • User authentication error after a successful authentication

    Hi,
    I have configured OAM 10g (10.1.4.3). It uses AD as the directory server and OHS 11g (11.1.1.6) as the web server.
    I created a policy domain with the resource URL /test, and an authentication scheme which has the plugins credential_mapping, validatepassword and a custom plugin which is a ".dll" file.
    So when i browse the URL http://IP:7777/test (Resource URL in policy domain), it redirects me to "/public/login.html" page which is the login page and resides in the web server. The login page consists of 3 fields: username, password and security code. This performs a 2 factor authentication. The first factor "username + password" is validated against AD, the second factor (username + security code) is validated against RADIUS, the custom plugin takes care of this.
    When the user is redirected to "/public/login.html", i can see the cookies "obFormLoginCookie" and "ObssoCookie" in the browser (mozilla). These 2 cookies are present even before the user authentication.
    User authentication works fine and user is redirected to a page which says "Authentication successful". This page doesn't have a logout button, you just have to close the page and login again.
    The next time the user browses the URL "http://IP:7777/test" (resource URL in policy domain), it ideally has to redirect to "/public/login.html" where you have the form, but it throws an error saying "Not Found. The requested URL /test isn't found". But when I directly access the login page "/public/login.html", it gives the login page, and when I enter the credentials, this time it says "Not Found. The requested URL /access/dummy.cgi isn't found".
    "/access/dummy.cgi" is the action URL present in the login page; the same is present in the authentication schemes.
    But when I clear the cookies and log in again, this time the authentication is successful. So I will always have to clear the cookies and log in, which I think isn't feasible. Is the above-mentioned error message expected? I just couldn't understand the behaviour of these cookies in this context.
    Any ideas/suggestions would be really helpful to me.
    Thanks.
    Edited by: 886322 on Apr 12, 2012 4:11 AM

    Try to disable authorization and see if this error stops

  • Configure User Authentication on SOAP Receiver Adapter

    Hi,
    I am calling a WebService that is available over the internet.  We are on PI 7.1 and I am using a Soap Receiver Adapter.  The configuration was downloaded from SAP in a partner package.  The development in the package was done on XI3. 
    I need to call the WS with user authentication.  I've selected the "Configure User Authentication" radio button and entered the username and password.  The message fails with "HTTP 401 Unauthorized" and it is because the user details are not being sent from the adapter.  If I copy the XML payload to an XML tool, like Stylus Studio, I can call the webservice successfully.  I've read through numerous blogs and messages on this Forum, including adding the adapter module (MessageTransformBean) and changing the Conversion Parameters without any luck. 
    Any suggestions please?
    Thanks

    I am calling a WebService that is available over the internet.
    I copy the XML payload to a XML tool, like Stylus Studio, I can call the webservice successfully.
    Normally the web services that we use (from the internet) are freely available, meaning they don't require any username/password.
    If no credentials are required then do not select Configure User Authentication; uncheck it. If user details are provided by the web service, then use these details (not your XI/PI user details) in the channel.
    Are you using any username/password while testing from SOAP tools?
    Regards,
    Abhishek.

  • User Authentication Method not found?

    I'm using OSX but a co-worker is running 9.2.2 and is having trouble accessing a server on the corporate Microsoft network.
    I can get to the server using OSX but when she selects the server (which does show up in the Chooser list) she gets an error message saying that "the User Authentication Method could not be found" and she should check the AppleTalk folder in her extensions folder. AppleTalk folder? Check it for what?
    What must we do to get access to the new server?
    Thanks.

    For OS 9 to talk to an MS server requires that the server has Client Services for Macintosh fired up and yes, sometimes also that the client Mac has a Microsoft User Authentication Module installed and configured.
    Microsoft says that without the MS UAM, she should still be able to
    Log on to the special Microsoft UAM Volume on the computer running Windows 2000 Server to access the MS UAM file.
    If she can't get that far and there are no other symptoms, the network administrator needs to adjust the security settings on the server, or reinstall Client Services for Macintosh…
    Then drag the MS UAM file to your AppleShare(c) Folder in your System Folder. Instructions follow. (Users outside North America, see the "International Concerns" section later in the Release Notes before proceeding.)
    To gain access to the Microsoft Authentication files on the computer running Windows 2000 Server
    1. On the Macintosh Apple menu, click Chooser.
    2. Double-click the AppleShare icon, and then click the AppleTalk(c) zone in which the computer running Windows 2000 Server, with Services for Macintosh, resides. (Ask your system administrator if you're not sure of the zone.)
    3. From the list of file servers, select the Windows 2000 Server computer, and then click OK.
    4. Click the Registered User or Guest option, as appropriate, and then click OK.
    5. Click the Microsoft UAM Volume, and then click OK.
    6. Close the Chooser dialog box.
    To install the authentication files on the Macintosh workstation
    1. On the Macintosh Desktop, double-click the Microsoft UAM Volume.
    2. Locate the "MS UAM Installer" file on the Microsoft UAM Volume, then double-click it.
    3. Click Continue in the installer welcome screen.
    The installer will report whether the installation succeeded.
    If the installation has succeeded, when Macintosh users of this workstation connect to the Windows 2000 Server computer, they will be offered Microsoft Authentication.

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
    I have also managed to set it up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • Radius 802.1x authentication with computer AND users.

    Hi !
    I don't know if what I'm trying to do is possible so please excuse me if this sounds silly :)
    I have a Cisco wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).
    Therefore I created a new policy with the following conditions:
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls back to the default one.
    If I remove the user rule, and leave the computer rule: Connection OK
    If I remove the computer rule, and leave the user rule: Connection OK
    But if I put both, I can't connect :s
    Can someone help me with this issue?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if EAP-TLS wireless authentication has been used, since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use the NPS wizard to configure the 802.1x wireless connection, and you will find that it creates a new connection request policy and network policy. The network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11". If you need to filter by user and computer account, the log should show both the authenticated user and machine account names.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan

  • Navigation handlers and user authentication

    I've implemented a system to force user logins based on the code demonstrated here: http://www.jsftutorials.net/jsfNavigation/jsf-login-navigation-redirect.html but I've come across a problem.
    It seems the navigation handler is called only when JSF needs to resolve the outcome of an action and this means that in certain cases a user can view a secure page without having to log in. For example, using the example app from the above link, if a user goes to the start page of the project and clicks on the command buttons to access the protected pages, they are re-directed to the login page as expected. However, if they go to the url of the protected page directly (eg http://localhost:8080/jsf-loginRedirect/secure/editUserProfile.jsf ) it still displays the page.
    Currently I've got a filter in place that re-directs the user to the login page of the web app if there isn't a valid user logged in, but as this runs outside a Faces context I can't track the user's requests.
    Is there some way I can force JSF to call the navigation handler for normal get requests?

    Chops,
    There are 2 things related to this issue,
    1. When the user goes out of the application, you must invalidate the session. So that the userid will not be present in the session.
    2. You can have a phase listener that checks for User Id in session, if the user id is empty, you can re-direct the user to login page. If user id is present automatically the control will go to the navigation rule page.
    Phase Listener will enforce the user authentication.
    Hope this logic helps you to solve the issue.
    Thanks
    Prakash

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know whether it is possible to have machine authentication and user authentication happen at the same time. Something like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND    AD:externalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically I am trying to check that a machine is part of the domain and the user is valid; only then should he be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND    AD:externalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur in different contexts,
    ACS cannot verify both at the same time.
    Using MAR, though, you can club the two together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful
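The two-rule MAR setup from the tips above, as an added example that is not part of the original reply and not ACS code: a simplified model in which a successful machine authentication is remembered for the aging time and the user rule only matches while that record is fresh. Keying the cache on the Calling-Station-ID (client MAC), the class and field names, and the result labels are assumptions of this model; the sample requests are constructed.

```python
"""Simplified model of Machine Access Restrictions (MAR) with two rules."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthRequest:
    identity: str            # "host/pc01.example.lan" or a user name
    is_machine: bool         # True for computer authentication
    ad_groups: frozenset     # AD group membership of the identity
    calling_station_id: str  # client MAC address
    time: float              # seconds since an arbitrary start


@dataclass
class MarPolicy:
    aging_time: float                        # seconds a machine auth stays valid
    machine_group: str = "Domain Computers"
    user_group: str = "Some_domain_user_group"
    cache: dict = field(default_factory=dict)  # MAC -> time of machine auth

    def was_machine_authenticated(self, mac, now):
        """True if this MAC passed machine auth within the aging time."""
        seen = self.cache.get(mac)
        return seen is not None and now - seen <= self.aging_time

    def authorize(self, req):
        # Rule 1: machine rule, identified by AD group membership.
        if req.is_machine:
            if self.machine_group in req.ad_groups:
                self.cache[req.calling_station_id] = req.time
                return "machine-access"
            return "deny"
        # Rule 2: user rule, also requires "Was machine authenticated".
        if self.user_group in req.ad_groups and self.was_machine_authenticated(
            req.calling_station_id, req.time
        ):
            return "full-access"
        return "deny"


def demo():
    """Run a constructed sequence of requests and return the decisions."""
    policy = MarPolicy(aging_time=3600)
    users = frozenset({"Some_domain_user_group"})
    machines = frozenset({"Domain Computers"})
    corp, byod = "AA:AA:AA:00:00:01", "BB:BB:BB:00:00:02"
    sequence = [
        AuthRequest("alice", False, users, corp, 0),       # user first
        AuthRequest("host/pc01", True, machines, corp, 10),
        AuthRequest("alice", False, users, corp, 60),      # same device
        AuthRequest("alice", False, users, byod, 70),      # unknown device
        AuthRequest("alice", False, users, corp, 3611),    # record aged out
    ]
    return [policy.authorize(req) for req in sequence]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last decision shows the operational caveat of the aging time: once the cached machine authentication expires, a valid user on a domain machine is denied until the machine authenticates again.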

  • Please guide me for user authentication and authorization in WebDynPro App

    Hi,
    I have just started studying WebDynPro to develop for the SAP Portal. I have developed web-based apps using J2EE before. When I developed a web-based app, I had to develop the control of user authentication and authorization on each page, for example checking the user's session to see whether they can access the page or whether the session has expired. I have no idea how this works with WebDynPro and the SAP Portal because I have never had experience with either.
    I need to ask you some questions to clarify my doubts:
    1. SAP Portal is a web page that includes every enterprise application within one page, and users log in to them just one time, isn't it?
    2. If I integrate WebDynPro with SAP Portal, which one will do the authentication and authorization? I mean, do I have to develop the code to check authentication and authorization in the WebDynPro app or let the SAP Portal manage them?
    3. Could you please suggest the best practice for authentication and authorization in WebDynPro?
    Many Thanks
    Noppong J

    In most cases you don't have to write code to deal with session, authentication and authorization.
    1. Yes.
    2. No, no code needed. You just set an attribute on your application, which makes the authentication required. When a user accesses this page, the portal will display the logon page.
    3. You can put some authorization-related code in Web Dynpro for specific requirements; search for this doc: "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

  • Machine and User authentication with ISE 1.2.1

    Hi ,
    Can anyone tell me, in machine authentication, what access needs to be enabled in the DACL for machine logon?
    Can we enable the access at port level, direct to TCP/UDP, or at IP level? What is the best practice?
    Thanks 
    Pranav

    Is this what you are looking for: EAP Chaining, which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process? When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Cisco ISE User Authentication Certificates for Wired and Wireless Users (BYOD)

    Can anyone tell me from where we can purchase user authentication certificates for wired and wireless users (BYOD) for Cisco ISE? Also confirm what certificates we require for the purpose.
    Please suggest the website from where we can purchase them and import them in the Cisco ISE certificate section.
    Thanks.

    Dear Mohana,
    Thanks for your reply. Regarding the EAP-TLS certificate, can you please confirm which authorities you recommend, if I go to GoDaddy or VeriSign to buy it and then import it into ISE?
    Looking forward for your reply.
    Regards,
    Muhammad Imran Shaikh
    Resident Engineer, IT Network Section - PPL

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried both integrated and non-integrated with domain logon (i.e. the "use my Windows logon name and password (and domain if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • XI and user authentication VS R/3 systems

    Hi *,
    I'm trying to configure this kind of scenario:
    1) user xyz sends a request to a web service, which is exposed by XI via its outbound interface
    2) XI performs all the necessary mapping stuff and via the routing procedure identifies the right inbound interface to contact.
    3) the inbound interface, via an RFC adapter, connects to an R/3 system in order to write a purchase order.
    4) RFC response is retrieved via the XI pipeline to the outbound response interface
    Problem: maybe xyz does not have enough permission to create the purchase order; moreover, the standard BAPI which is involved in this procedure performs an authorization check on the logged-on user.
    How can the R/3 system know that xyz is the user that would like to perform the purchase order creation and then correctly check xyz's permissions?
    I have configured, since it is mandatory, a logon user in the RFC adapter, but it shouldn't be the same one that performs the web service request, in this case xyz.
    Any hints?
    Many thanks
    Cheers
    Roberto

    Hi Roberto,
    I think the easiest way to solve this problem is to write the user in the request messages.
    So you can check the user on XI in the proxy or mapping.
    When the user has no permissions, XI sends no request to R/3.
    Another idea is to configure a Communication Channel for every user and different Business Receiver Systems. So XI will read the user from the message and send this to the Business System with the user-specific Communication Channel.
    But I think the first idea is the better one.
    Regards,
    Robin
